Run Better Meetings

  • Buy Link or Shortcode: {j2store}287|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Voice & Video Management
  • Parent Category Link: /voice-video-management

Your newly hybrid workplace will include virtual, hybrid, and physical meetings, presenting several challenges:

  • The experience for onsite and remote attendees is not equal.
  • Employees are experiencing meeting and video fatigue.
  • Meeting rooms are not optimized for hybrid meetings.
  • The fact is that many people have not successfully run hybrid meetings before.

Our Advice

Critical Insight

  • Successful hybrid workplace plans must include planning around hybrid meetings. Seamless hybrid meetings are the result of thoughtful planning and documented best practices.

Impact and Result

  • Identify your current state and the root cause of unsatisfactory meetings.
  • Review and identify meetings best practices around meeting roles, delivery models, and training.
  • Improve the technology that supports meetings.
  • Use Info-Tech’s quick checklists and decision flowchart to accelerate meeting planning and cover your bases.

Run Better Meetings Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should run better meetings, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Identify the current state of meetings

Understand the problem before you try to fix it. Before you can improve meetings, you need to understand what your norms and challenges currently are.

  • Checklist: Run a Virtual or Hybrid Meeting

2. Publish best practices for how meetings should run

Document meeting roles, expectations, and how meetings should run. Decide what kind of meeting delivery model to use and develop a training program.

  • Meeting Challenges and Best Practices
  • Meeting Type Decision Flowchart (Visio)
  • Meeting Type Decision Flowchart (PDF)

3. Improve meeting technology

Always be consulting with users: early in the process to set a benchmark, during and after every meeting to address immediate concerns, and quarterly to identify trends and deeper issues.

  • Team Charter
  • Communications Guide Poster Template
[infographic]

Workshop: Run Better Meetings

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Identify Current State of Meetings

The Purpose

Understand the current state of meetings in your organization.

Key Benefits Achieved

What you need to keep doing and what you need to change

Activities

1.1 Brainstorm meeting types.

1.2 Document meeting norms.

1.3 Document and categorize meeting challenges.

Outputs

Documented challenges with meetings

Meeting norms

Desired changes to meeting norms

2 Review and Identify Best Practices

The Purpose

Review and implement meeting best practices.

Key Benefits Achieved

Defined meeting best practices for your organization

Activities

2.1 Document meeting roles and expectations.

2.2 Review common meeting challenges and identify best practices.

2.3 Document when to use a hybrid meeting, virtual meeting, or an in-person meeting.

2.4 Develop a training program.

Outputs

Meeting roles and expectations

List of meeting best practices

Guidelines to help workers choose between a hybrid, virtual, or in-person meeting

Training plan for meetings

3 Improve Meeting Technology

The Purpose

Identify opportunities to improve meeting technology.

Key Benefits Achieved

A strategy for improving the underlying technologies and meeting spaces

Activities

3.1 Empower virtual meeting attendees.

3.2 Optimize spaces for hybrid meetings.

3.3 Build a team of meeting champions.

3.4 Iterate to build and improve meeting technology.

3.5 Guide users toward each technology.

Outputs

Desired improvements to meeting rooms and meeting technology

Charter for the team of meeting champions

Communications Guide Poster

Build IT Capabilities to Enable Digital Marketing Success

  • Buy Link or Shortcode: {j2store}553|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Marketing Solutions
  • Parent Category Link: /marketing-solutions
  • Misalignment: Even if IT builds the capabilities to pursue digital channels, the channels will underperform in realizing organizational goals if the channels and the goals are misaligned.
  • Ineffective analytics: Failure to integrate and analyze new data will undermine organizational success in influencer and sentiment identification.
  • Missed opportunity: If IT does not develop the capabilities to support these channels, then lead generation, brand promotion, and engagement opportunities will be lost.
  • Lack of control: Marketing is developing and depending on internal power users and agencies. This practice can isolate IT from digital marketing technology decision making.

Our Advice

Critical Insight

  • Identify and understand the digital marketing channels that can benefit your organization.
  • Get stakeholder buy-in to facilitate collaboration between IT and product marketing groups to identify necessary IT capabilities.
  • Build IT capability by purchasing software, outsourcing, and training or hiring individuals with necessary skillsets.
  • Become transformational: use IT capabilities to support analytics that identify new customer segments, key influencers, and other invaluable insights.
  • Time is of the essence! It is easier to begin strengthening the relationship between marketing and IT today then it will be at any point in the future.
  • Being transformational means more than just enabling the channels marketing wants to pursue; IT must assist in identifying new segments and digital marketing opportunities, such as enabling influencer management.

Impact and Result

  • IT is involved in decision making and has a complete understanding of the digital channels the organization is going to migrate to or phase out if unused.
  • IT has the necessary capabilities to support and enable success in all relevant digital channel management technologies.
  • IT is a key player in ensuring that all relevant data from new digital channels is managed and analyzed in order to maintain a 360 degree view of customers and feed real-time campaigns.
  • This enables the organization to not only target existing segments effectively, but also to identify and pursue new opportunities not presented before.
  • These opportunities include: identifying new segments among social networks, identifying key influencers as a new target, identifying proactive service and marketing opportunities from the public social cloud, and conducting new competitive analyses on the public social cloud.

Build IT Capabilities to Enable Digital Marketing Success Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Make the case for building IT capabilities

Identify the symptoms of inadequate IT support of digital marketing to diagnose the problems in your organization.

  • Storyboard: Build IT Capabilities to Enable Digital Marketing Success

2. Identify digital marketing opportunities to understand the need for action in your organization

Identify the untapped digital marketing value in your organization to understand where your organization needs to improve.

  • Digital Marketing Capability Builder Tool

3. Mobilize for action: get stakeholder buy-in

Develop a plan for communicating with stakeholders to ensure buy-in to the digital marketing capability building project.

  • Digital Marketing Communication Deck

4. Identify the product/segment-specific digital marketing landscape to identify required IT capabilities

Assess how well each digital channel reaches target segments. Identify the capabilities that must be built to enable digital channels.

5. Create a roadmap for building capabilities to enable digital marketing

Assess the people, processes, and technologies required to build required capabilities and determine the best fit with your organization.

[infographic]

Workshop: Build IT Capabilities to Enable Digital Marketing Success

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Identify Digital Marketing Opportunities

The Purpose

Determine the fit of each digital channel with your organizational goals.

Determine the fit of digital channels with your organizational structure and business model.

Compare the fit of digital channels with your organization’s current levels of use to:Identify missed opportunities your organization should capitalize on.Identify digital channels that your organization is wasting resources on.

Identify missed opportunities your organization should capitalize on.

Identify digital channels that your organization is wasting resources on.

Key Benefits Achieved

IT department achieves consensus around which opportunities need to be pursued.

Understanding that continuing to pursue excellent-fit digital channels that your organization is currently active on is a priority.

Identification of the channels that stopping activity on could free up resources for.

Activities

1.1 Define and prioritize organizational goals.

1.2 Assess digital channel fit with goals and organizational characteristics.

1.3 Identify missed opportunities and wasted resources in your digital channel mix.

1.4 Brainstorm creative ways to pursue untapped digital channels.

Outputs

Prioritized list of organizational goals.

Assigned level of fit to digital channels.

List of digital channels that represent missed opportunities or wasted resources.

List of brainstormed ideas for pursuing digital channels.

2 Identify Your Product-Specific Digital Marketing Landscape

The Purpose

Identify the digital channels that will be used for specific products and segments.

Identify the IT capabilities that must be built to enable digital channels.

Prioritize the list of IT capabilities.

Key Benefits Achieved

IT and marketing achieve consensus around which digital channels will be pursued for specific product-segment pairings.

Identification of the capabilities that IT must build.

Activities

2.1 Assess digital channel fit with specific products.

2.2 Identify the digital usage patterns of target segments.

2.3 Decide precisely which digital channels you will use to sell specific products to specific segments.

2.4 Identify and prioritize the IT capabilities that need to be built to succeed on each digital channel.

Outputs

Documented channel fit with products.

Documented channel usage by target segments.

Listed digital channels that will be used for each product-segment pairing.

Listed and prioritized capabilities that must be built to enable success on necessary digital channels.

3 Enable Digital Marketing Capabilities and Leverage Analytics

The Purpose

Identification of the best possible way to build IT capabilities for all channels.

Creation of a plan for leveraging transformational analytics to supercharge your digital marketing strategy.

Key Benefits Achieved

IT understanding of the costs and benefits of capability building options (people, process, and technology).

Information about how specific technology vendors could fit with your organization.

IT identification of opportunities to leverage transformational analytics in your organization.

Activities

3.1 Identify the gaps in your IT capabilities.

3.2 Evaluate options for building capabilities.

3.3 Identify opportunities for transformational analytics.

Outputs

A list of IT capability gaps.

An action plan for capability building.

A plan for leveraging transformational analytics.

Perform an Agile Skills Assessment

  • Buy Link or Shortcode: {j2store}153|cart{/j2store}
  • member rating overall impact (scale of 10): 10.0/10 Overall Impact
  • member rating average dollars saved: $32,166 Average $ Saved
  • member rating average days saved: 15 Average Days Saved
  • Parent Category Name: Development
  • Parent Category Link: /development
  • Your organization is trying to address the key delivery challenges you are facing. Early experiments with Agile are starting to bear fruit.
  • As part of maturing your Agile practice, you want to evaluate if you have the right skills and capabilities in place.

Our Advice

Critical Insight

  • Focusing on the non-technical skills can yield significant returns for your products, your team, and your organization. These skills are what should be considered as the real Agile skills.

Impact and Result

  • Define the skills and values that are important to your organization to be successful at being Agile.
  • Put together a standard criterion for measurement of the attainment of given skills.
  • Define the roadmap and communication plan around your agile assessment.

Perform an Agile Skills Assessment Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should perform an agile skills assessment. review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Take stock of the Agile skills and values important to you

Confirm the list of Agile skills that you wish to measure.

  • Perform an Agile Skills Assessment – Phase 1: Take Stock of the Agile Skills and Values Important to You
  • Agile Skills Assessment Tool
  • Agile Skills Assessment Tool Example

2. Define an assessment method that works for you

Define what it means to attain specific agile skills through a defined ascension path of proficiency levels, and standardized skill expectations.

  • Perform an Agile Skills Assessment – Phase 2: Define an Assessment Method That Works for You

3. Plan to assess your team

Determine the roll-out and communication plan that suits your organization.

  • Perform an Agile Skills Assessment – Phase 3: Plan to Assess Your Team
  • Agile Skills Assessment Communication and Roadmap Plan
  • Agile Skills Assessment Communication and Roadmap Plan Example
[infographic]

Workshop: Perform an Agile Skills Assessment

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Define Agile Skills and Maturity Levels

The Purpose

Learn about and define the Agile skills that are important to your organization.

Define the different levels of attainment when it comes to your Agile skills.

Define the standards on a per-role basis.

Key Benefits Achieved

Get a clear view of the Agile skills important into meet your Agile transformation goals in alignment with organizational objectives.

Set a clear standard for what it means to meet your organizational standards for Agile skills.

Activities

1.1 Review and update the Agile skills relevant to your organization.

1.2 Define your Agile proficiency levels to evaluate attainment of each skill.

1.3 Define your Agile team roles.

1.4 Define common experience levels for your Agile roles.

1.5 Define the skill expectations for each Agile role.

Outputs

A list of Agile skills that are consistent with your Agile transformation

A list of proficiency levels to be used during your Agile skills assessment

A confirmed list of roles that you wish to measure on your Agile teams

A list of experience levels common to Agile team roles (example: Junior, Intermediate, Senior)

Define the skill expectations for each Agile role

Optimize Your SQA Practice Using a Full Lifecycle Approach

  • Buy Link or Shortcode: {j2store}405|cart{/j2store}
  • member rating overall impact (scale of 10): 10.0/10 Overall Impact
  • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • member rating average days saved: Read what our members are saying
  • Parent Category Name: Testing, Deployment & QA
  • Parent Category Link: /testing-deployment-and-qa
  • Your software quality assurance (SQA) program is using the wrong set of metrics to measure how process improvements influence product quality improvements.
  • Roles & responsibilities and quality assurance initiatives are not well defined and need to be allocated to individuals that can be held responsible for quality-related issues.
  • You are finding it hard to determine a causation between SQA process improvements and an improvement in product quality.

Our Advice

Critical Insight

  • Your product is only as good as your process. A robust development and SQA process creates artifacts that are highly testable, easily maintained, and strongly traceable across the development lifecycle, ensuring that the product delivered meets expectations set out by the business.
  • A small issue within your development process can have a ripple effect on the level of product quality. Discover what you don’t know and identify areas within your SQA practice that require attention.

Impact and Result

  • SQA must be viewed as more than defect analysis and testing. Instead, place greater emphasis on preventative measures to ensure application quality across the entire development lifecycle.
  • IT must create a comprehensive SQA plan that delineates roles and responsibilities as they relate to quality assurance. Ensure tasks and procedures improve process efficiency and quality, and formalize metrics that help to implement a continuous improvement cycle for SQA.
  • Our methodology provides simple-to-follow steps to develop an SQA plan that provides clear insight into your current quality assurance practices.
  • Establish a synchronous relationship between the business and IT to help stakeholders understand the importance and relative value of quality assurance tasks to current costs.

Optimize Your SQA Practice Using a Full Lifecycle Approach Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should optimize your SQA practice using a full lifecycle approach, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Assess your current SQA capabilities

Evaluate and understand your current SQA capabilities, as well as the degree to which metric objectives are being met.

  • Optimize Your SQA Practice Using a Full Lifecycle Approach – Phase 1: Assess Your Current SQA Capabilities
  • Software Quality Assurance Current State Assessment Tool
  • Software Quality Assurance Assessment Workbook

2. Define SQA target state processes

Identify and define SQA processes and metrics needed to meet quality objectives set by development teams and the business.

  • Optimize Your SQA Practice Using a Full Lifecycle Approach – Phase 2: Define SQA Target State Processes

3. Determine optimization initiatives for improving your SQA practice

Build your SQA plan and optimization roadmap.

  • Optimize Your SQA Practice Using a Full Lifecycle Approach – Phase 3: Determine Optimization Initiatives
  • Software Quality Assurance Plan Template
  • Software Quality Assurance Optimization Roadmap Tool
  • Software Quality Assurance Communication Template
[infographic]

Workshop: Optimize Your SQA Practice Using a Full Lifecycle Approach

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Assess Your Current SQA Capabilities

The Purpose

To help you assess and understand your current SQA capabilities as well as the degree to which metric objectives are being met.

Key Benefits Achieved

An analysis of current SQA practices to provide insight into potential inefficiencies, opportunities, and to provide the business with sufficient rationale for improving current quality assurance initiatives.

Activities

1.1 Conduct a high-level assessment of where to focus your current state analysis.

1.2 Document your high-level development process.

1.3 Create a RACI chart to understand roles and responsibilities.

1.4 Perform a SIPOC-MC analysis for problem areas identified in your SDLC.

1.5 Identify the individual control points involved with passing software artifacts through SDLC stages being assessed.

1.6 Identify problem areas within your SDLC as they relate to SQA.

Outputs

Understanding of current overall development process and where it is most weak in the context of quality assurance

Understanding of assigned roles and responsibilities across development teams, including individuals who are involved with making quality-related decisions for artifact hand-off

Identification of problem areas within SQA process for further analysis

2 Define SQA Target State Processes

The Purpose

To help you identify and define SQA processes and metrics needed to meet quality objectives set out by development teams and the business.

Key Benefits Achieved

A revised list of key SQA tasks along with metrics and associated tolerance limits used universally for all development projects.

Activities

2.1 Establish SQA metrics and tolerance limits across your SDLC.

2.2 Determine your target state for SQA processes within the define/design stage of the SDLC.

2.3 Determine your target state for SQA processes within the development stage of the SDLC.

2.4 Determine your target state for SQA processes within the testing stage of the SDLC.

2.5 Determine your target state for SQA processes within the deploy/release stage of the SDLC.

Outputs

Identification of the appropriate metrics and their associated tolerance limits to provide insights into meeting quality goals and objectives during process execution

Identification of target state SQA processes that are required for ensuring quality across all development projects

3 Prioritize SQA Optimization Initiatives and Develop Optimization Roadmap

The Purpose

Based on discovered inefficiencies, define optimization initiatives required to improve your SQA practice.

Key Benefits Achieved

Optimization initiatives and associated tasks required to address gaps and improve SQA capabilities.

Activities

3.1 Determine optimization initiatives for improving your SQA process.

3.2 Gain the full scope of effort required to implement your SQA optimization initiatives.

3.3 Identify the enablers and blockers of your SQA optimization.

3.4 Define your SQA optimization roadmap.

Outputs

Prioritized list of optimization initiatives for SQA

Assessment of level of effort for each SQA optimization initiative

Identification of enablers and blockers for optimization initiatives

Identification of roadmap timeline for implementing optimization initiatives

Mitigate the Risk of Cloud Downtime and Data Loss

  • Buy Link or Shortcode: {j2store}412|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: DR and Business Continuity
  • Parent Category Link: /business-continuity
  • Senior leadership is asking difficult questions about the organization’s dependency on third-party cloud services and the risk that poses.
  • IT leaders have limited control over third-party incidents and that includes cloud services. Yet they are on the hot seat when cloud services go down.
  • While vendors have swooped in to provide resilience options for the more-common SaaS solutions, it is not the case for all cloud services.

Our Advice

Critical Insight

  • No control over the software does not mean no recovery options. Solutions range from designing an IT workaround using alternate technologies to pre-defined third-party service continuity options (e.g. see options for O365) to business workarounds.
  • Even where there is limited control, you can at least define an incident response plan to streamline notification, assessment, and implementation of workarounds. Leadership wants more options than simply waiting for the service to come back online.
  • At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA issues and overall resilience gaps.

Impact and Result

  • Follow a structured process to assess cloud resilience risk.
  • Identify opportunities to mitigate risk – at the very least, ensure critical data is protected.
  • Summarize cloud services risk, mitigation options, and incident response for senior leadership.

Mitigate the Risk of Cloud Downtime and Data Loss Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Mitigate the Risk of Cloud Downtime and Data Loss – Step-by-step guide to assess risk, identify risk mitigation options, and create an incident response plan.

Even where there is limited control, you can define an incident response plan to streamline notification, assessment, and implementation of workarounds.

  • Mitigate the Risk of Cloud Downtime and Data Loss Storyboard

2. Cloud Services Incident Risk and Mitigation Review – Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy.

At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA and overall resilience gaps.

  • Cloud Services Incident Risk and Mitigation Review Tool

3. SaaS Incident Response Workflows – Use these examples to guide your efforts to create cloud incident response workflows.

The examples illustrate different approaches to incident response depending on the criticality of the service and options available.

  • SaaS Incident Response Workflows (Visio)
  • SaaS Incident Response Workflows (PDF)

4. Cloud Services Resilience Summary – Use this template to capture your results.

Summarize cloud services risk, mitigation options, and incident response for senior leadership.

  • Cloud Services Resilience Summary
[infographic]

Further reading

Mitigate the Risk of Cloud Downtime and Data Loss

Resilience and disaster recovery in an increasingly Cloudy and SaaSy world.

Analyst Perspective

If you think cloud means you don’t need a response plan, then get your resume ready.

Frank Trovato

Most organizations are now recognizing that they can’t ignore the risk of a cloud outage or data loss, and the challenge is “what can I do about it?” since there is limited control.

If you still think “it’s in the cloud, so I don’t need to worry about it,” then get your resume ready. When O365 goes down, your executives are calling IT, not Microsoft, for an answer of what’s being done and what can they do in the meantime to get the business up and running again.

The key is to recognize what you can control and what actions you can take to evaluate and mitigate risk. At a minimum, you can ensure senior leadership is aware of the risk and define a plan for how you will respond to an incident, even if that is limited to monitoring and communicating status.

Often you can do more, including defining IT workarounds, backing up your SaaS data for additional protection, and using business process workarounds to bridge the gap, as illustrated in the case studies in this blueprint.

Frank Trovato
Research Director, Infrastructure & Operations

Info-Tech Research Group

Use this blueprint to expand your DRP and BCP to account for cloud services

As more applications are migrated to cloud-based services, disaster recovery (DR) and business continuity plans (BCP) must include an understanding of cloud risks and actions to mitigate those risks. This includes evaluating vendor and service reliability and resilience, security measures, data protection capabilities, and technology and business workarounds if there is a cloud outage or incident.

Use the risk assessments and cloud service incident response plans developed through this blueprint to supplement your DRP and BCP as well as further inform your crisis management plans (e.g. account for cloud risks in your crisis communication planning).

Overall Business Continuity Plan

IT Disaster Recovery Plan

A plan to restore IT application and infrastructure services following a disruption.

Info-Tech’s Disaster Recovery Planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

BCP for Each Business Unit

A set of plans to resume business processes for each business unit.

Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization.

Crisis Management Plan

A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

Executive Summary

Your Challenge

Common Obstacles

Info-Tech’s Approach

  • Senior leadership is asking difficult questions about the organization’s dependency on third-party cloud services and the risk that poses.
  • Migrating to cloud services transfers much of the responsibility for day-to-day platform maintenance but not accountability for resilience.
  • IT leaders are often responsible for not just the organization’s IT DRP but also BCP and other elements of overall resilience. Cloud risk adds another element IT leaders need to consider.
  • IT leaders have limited control over third-party incidents and that includes cloud services. With SaaS services in particular, recovery or continuity options may be limited.
  • While vendors have swooped in to provide resilience options for the more common SaaS solutions, that is not the case for all cloud services.
  • Part of the solution is defining business process workarounds and that depends on cooperation from business leaders.
  • At a minimum, IT’s responsibility is to identify and communicate risk to senior leadership. That starts with a vendor review to identify SLA and overall resilience gaps.
  • Adapt how you approach downtime and data loss risk, particularly for SaaS solutions where there is limited or no control over the system.
  • Even where there is limited control, you can define an incident response plan to streamline notification, assessment, and implementation of workarounds. Leadership wants more options than simply waiting for the service to come back online.

Info-Tech Insight

Asking vendors about their DRP, BCP, and overall resilience has become commonplace. Expect your vendors to provide answers so you can assess risk. Furthermore, your vendor may have additional offerings to increase resilience or recommendations for third parties who can further assist your goals of improving cloud service resilience.

Key deliverable

Cloud Services Resilience Summary

Provide leadership with a summary of cloud risk, downtime workarounds implemented, and additional data protection.

The image contains a screenshot of the Cloud Services Resilience Summary.

Additional tools and templates in this blueprint

Cloud Services Incident Risk and Mitigation Review Tool

Use this tool to gather vendor input, evaluate vendor SLAs and overall resilience, and track your own risk mitigation efforts.

The image contains a screenshot of the Cloud Services Incident Risk and Mitigation Review Tool.

SaaS Incident Response Workflows

Use the examples in this document as a model to develop your own incident response workflows for cloud outages or data loss.

The image contains a screenshot of the SaaS Incident Response Workflows.

This blueprint will step you through the following actions to evaluate and mitigate cloud services risk

  1. Assess your cloud risk
  • Review your cloud services to determine potential impact of downtime/data loss, vendor SLA gaps, and vendor’s current resilience.
  • Identify options to mitigate risk
    • Explore your cloud vendor’s resilience offerings, third-party solutions, DIY recovery options, and business workarounds.
  • Create an incident response plan
    • Document your cloud risk mitigation strategy and incident response plan, which might include a failover strategy, data protection, and/or business continuity.

    Cloud Risk Mitigation

    Identify options to mitigate risk

    Create an incident response plan

    Assess risk

    Phase 1: Assess your cloud risk

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Cloud does not guarantee uptime

    Public cloud services (e.g. Azure, GCP, AWS) and popular SaaS solutions experience downtime every year.

    A few cloud outage examples:

    • Microsoft Azure AD outage, March 15, 2022:
      Many users could not log into O365, Dynamics, or the Azure Portal.
      Cause: software change.
    • Three AWS outages in December 2021: December 7 (Netflix and others impacted), December 15 (Duo, Zoom, Slack, others), December 20 (Slack, Epic Games, others). Cause: network issues, power outage.
    • Salesforce outage, May 12, 2022: Users could not access the Lightning platform. Cause: expired certificate.

    Cloud availability

    • Migrating to cloud services can improve availability, as they typically offer more resilience than most organizations can afford to implement themselves.
    • However, having multiple data centers, zones, and regions doesn’t prevent all outages, as we see every year with even the largest cloud vendors.

    DR challenges for IaaS, PaaS, and cloud-native

    While there are limits to what you control, often traditional “failover” DR strategy can apply.

    High-level challenges and resilience options:

    • IaaS: No control over the hardware, but you can failover to another region. This is fairly similar to traditional DR.
    • PaaS: No control over the software platform (e.g. SQL server as a service), but you can back up your data and explore vendor options to replicate your environment.
    • Cloud-native applications: As with PaaS, you can back up your data and explore vendor options to replicate your environment.

    Plan for resilience

    • Include DR requirements when designing cloud service implementation. For example, for IaaS solutions, identify what data would need to be replicated and what services may need to be “always on” (e.g. database services where high-availability is demanded).
    • Similarly, for PaaS and cloud-native solutions, consult your vendor regarding options to build in resilience options (e.g. ability to failover to another environment).

    DR challenges for SaaS solutions

    SaaS is the biggest challenge because you have no control over any part of the base application stack.

    High-level challenges and resilience options:

    • No control over the hardware (or the facility, maintenance processes, and so on).
    • No control over the base application (control is limited to configuration settings and add-on customizations or integrations).
    • Options to back up your data will depend on the service.

    Note: The rest of this blueprint is focused primarily on SaaS resilience due to the challenges listed here. For other cloud services, leverage traditional DR strategies and vendor management to mitigate risk (as summarized on the previous slides).

    Focus on what you can control

    • For SaaS solutions in particular, you must toss out traditional DR. If Salesforce has an outage, you won’t be involved in recovering the system.
    • Instead, DR for SaaS needs to focus on improving resilience where you do have control and implementing business workarounds to bridge the gap.

    Evaluate your cloud services to clarify your specific risks

    Time and money is limited, so focus first on cloud services that are most critical and evaluate the vendors’ SLA and existing resilience capabilities.

    The activities on the next two slides will evaluate risk through two approaches:

    Activity 1: Estimate potential impact of downtime and data loss to quantify the risk and determine which cloud services are most critical and need to be prioritized. This is done through a business impact analysis that assesses:

    • Impact on revenue or costs (if applicable).
    • Impact on reputation (e.g. customer impact).
    • Impact on regulatory compliance and health and safety (if applicable).

    Activity 2: Review the vendor to identify risks and gaps. Specifically, evaluate the following:

    • Incident Management SLAs (e.g. does the SLA include RTO/RPO commitments? Do they meet your requirements?)
    • Incident Response Preparedness (e.g. does the vendor have a DRP, BCP, and security incident response plan?)
    • Data Protection (e.g. does their backup strategy and data security meet your standards?)

    Activity 1: Quantify potential impact and prioritize cloud services using a business impact analysis (BIA)

    1-3 hours

    1. Download the latest version of our DRP BIA: DRP Business Impact Analysis Tool. The tool includes instructions.
    2. Include the cloud services you want to assess in the list of applications/systems (see the tool excerpt below), and follow the BIA methodology outlined in the Create a Right-Sized Disaster Recovery Plan blueprint.
    3. Use the results to quantify potential impact and prioritize your efforts on the most-critical cloud services.

    The image contains a screenshot of the DRP Business Impact Analysis Tool.

    Materials
    • DRP BIA Tool
    Participants
    • Core group of IT management and staff who can provide a well-rounded perspective on potential impact. They will create the first draft of the BIA.
    • Review the draft BIA with relevant business leaders to refine and validate the results.

    Activity 2: Review your key cloud vendors’ SLAs, incident preparedness, and data protection strategy

    1-3 hours

    Use the Cloud Services Incident Risk and Mitigation Review Tool as follows:

    1. Send the Vendor Questionnaire tab to your cloud vendors to gather input, and review your existing agreements.
    2. Copy the vendor responses into the tool (see the instructions in the tool) and evaluate. See the example excerpt below.
    3. Identify action items to clarify gaps or address risks. Some action items might not be defined yet and will need to wait until you have had a chance to further explore risk mitigation options.

    The image contains a screenshot of the Cloud Services Incident Risk and Mitigation Review Tool.

    Materials
    • Cloud Services Incident Risk and Mitigation Review Tool
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.

    Phase 2: Identify options to mitigate risk

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Consult your vendor to identify options to improve resilience, as a starting point

    Your vendor might also be able to suggest third parties that offer additional support, backup, or service continuity options.

    • The Vendor Questionnaire tab in the Cloud Services Incident Risk and Mitigation Review Tool includes a section at the bottom where your vendor can name additional options to improve resilience (e.g. premium support packages, potentially their own DR services).
    • If your vendor has not completed that part of the questionnaire, meet with them to discuss this. Asking service vendors about resilience has become commonplace, so they should be prepared to answer questions about their own offerings and potentially can name trusted third-party vendors who can further assist you.
    • Leverage Info-Tech’s advisory services to evaluate options outlined by your vendor and potential third-party options (e.g. enterprise backup solutions that support backing up SaaS data).

    Some SaaS solutions have plenty of resilience options; others not so much

    • The pervasiveness of O365 has led vendors to close the service continuity gap, with options to send and receive email during an outage and back up your data.
    • With many SaaS solutions, there isn’t going to be a third-party service continuity option, but you might still be able to at least back up your data and implement business process workarounds to close the service gap.

    Example SaaS risk and mitigation: O365

    Risk

    • Several outages every year (e.g. MS Teams July 20, 2022).
    • SLA exceptions include “Scheduled Downtime,” which can occur with just five days’ notice.
    • The Recycling Bin is your data backup, depending on your setup.

    Options to mitigate risk (not an exhaustive list):

    • Third-party solutions for email service continuity.
    • Several backup vendors (e.g. Veeam, Rubrik) can protect most of your O365 suite.
    • Business continuity workarounds leveraging synced OneDrive, SharePoint, and Outlook (access to calendar invites).

    Example SaaS risk and mitigation: Salesforce

    Risk

    • Downtime has been infrequent, but Salesforce did have a major outage in May 2021 (DNS issue) and May 2022 (expired certificate).
    • At the time of this writing, the Main Services Agreement does not commit to a specific uptime value and specifies the usual exclusions.
    • Similarly, there are limited commitments regarding data protection.

    Options to mitigate risk (not an exhaustive list):

    • Salesforce provides a backup and restore service offering.
    • In addition, some third-party vendors support backing up Salesforce data for additional protection against data corruption or data loss.
    • Business continuity workarounds can further reduce the impact of downtime (e.g. record updates in MS Word and leverage Outlook for contact info until Salesforce is recovered).

    Establish a baseline standard for risk mitigation, regardless of cloud service

    At a minimum, set a goal to review vendor risk at least annually, define standard processes for monitoring outages, and review options to back up your SaaS data.

    Example baseline standard for cloud risk mitigation

    • Review vendor risk at least annually. This includes reviewing SLAs, vendor’s incident preparedness (e.g. do they have a current DRP, BCP, and Security IRP?), and the vendor’s data protection strategy.
    • Incident response plans must include, at a minimum, steps to monitor vendor outage and communicate status to relevant stakeholders. Where possible, business process workarounds are defined to bridge the service gap.
    • For critical data (based on your BIA and an evaluation of risk), maintain your own backups of SaaS data for additional protection.

    Embed risk mitigation standards into existing IT operations

    • Include specific SLA requirements, including incident management processes, in your RFP process and annual vendor review.
    • Define cloud incident response in your incident management procedures.
    • Include cloud data considerations in your backup strategy reviews.

    Phase 3: Create an incident response plan

    Phase 1

    Phase 2

    Phase 3

    Assess your cloud risk

    Identify options to mitigate risk

    Create an incident response plan

    Activity 1: Review the example incident response workflows and case studies as a starting point

    1-3 hours

    1. Review the SaaS Incident Response Workflows examples. The examples illustrate different approaches to incident response depending on the criticality of the service and options available.
    2. Review the case studies on the next few slides, which further illustrate the resilience and incident response solutions implemented.
    3. Note the key elements:
    • Detection
    • Assessment
    • Monitoring status / contacting the vendor
    • Communication with key stakeholders
    • Invoking workarounds, if applicable

    Example SaaS Incident Response Workflow Excerpt

    The image contains a screenshot of an example of the SaaS Incident Response Workflow Excerpt.
    Materials
    • SaaS Incident Response Workflows examples
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Relevant business process owners to provide input and define business workarounds, where applicable.

    Case Study 1: Recovery plan for critical fundraising event

    If either critical SaaS dependency fails, the following plan is executed:

    1. Donors are redirected to a predefined alternate donation page hosted by a different service. The alternate page connects to the backup payment processing service (with predefined integrations).
    2. Marketing communications support the redirect.
    3. While the backup solution doesn’t gather as much data, the payment details provide enough information to follow up with donors where necessary.

    Criticality justified a failover option

    The Annual Day of Giving generates over 50% of fundraising for the year. It’s critically dependent on two SaaS solutions that host the donation page and payment processing.

    To mitigate the risk, the organization implemented the ability to failover to an alternate “environment” – much like a traditional DR solution – supported by workarounds to manage data collection.

    Case Study 2: Protecting customer data

    Daily exports from a SaaS-hosted donations site reduce potential data loss:

    1. Daily exports to a CRM support donor profile updates and follow-ups (tax receipts, thank-you letters, etc.).
    2. The exports also mitigate the risk of data loss due to an incident with the SaaS-hosted donation site.
    3. This company is exploring more-frequent exports to further reduce the risk of data loss.

    Protecting your data gives you options

    For critical data, do you want to rely solely on the vendor’s default backup strategy?

    If your SaaS vendor is hit by ransomware or if their backup frequency doesn’t meet your needs, having your own data backup gives you options.

    It can also support business process workarounds that need to access that data while waiting for SaaS recovery.

    Case Study 3: Recovery plan for payroll

    To enable a more accurate payroll workaround, the following is done:

    1. After each payroll run, export the payroll data from the SaaS solution to a secure location.
    2. If there is a SaaS outage when payroll must be submitted, the exported data can be modified and converted to an ACH file.
    3. The ACH file is submitted to the bank, which has preapproved this workaround.

    BCP can bridge the gap

    When leadership looks to IT to mitigate cloud risk, include BCP in the discussion.

    Payroll is a good example where the best recovery option might be a business continuity workaround.

    IT often still has a role in business continuity workarounds, as in this case study: specifically, providing a solution to modify and convert the payroll data to an ACH file.

    Activity 2: Run tabletop planning exercises as a starting point to build your incident response plan

    1-3 hours

    1. Follow the tabletop planning instructions provided in the Create a Right-Sized Disaster Recovery Plan blueprint.
    2. Run the exercise for each cloud service. Keep the scenario generic at first (e.g. cloud service is down with no reported root cause) so you can focus on your response. Capture response steps and gaps.
    3. Add complexity in subsequent exercises (e.g. data loss plus downtime), and use that to expand and refine the workflow as needed.
    4. Use the resulting workflows as the core piece of your incident response plan.
    5. Supplement the workflow with relevant checklists or procedures. At this point you can choose to incorporate this into your DRP or BCP or maintain these documents as supplements to those plans.
      See the DRP Case Study and BCP Case Study for an example of DRP-BCP documentation.

    Example tabletop planning results excerpt with gaps identified

    The image contains an example tabletop planning results excerpt with gaps identified.

    Materials
    • SaaS Incident Response Workflows examples
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Review results with relevant business process owners to provide input and define business workarounds where applicable.

    Activity 3: Summarize cloud services resilience to inform senior leadership of current risks and mitigation efforts

    1-3 hours

    1. Use the Cloud Services Resilience Summary example as a template to capture the following:
    • The results of your vendor review (i.e. incident management SLAs, incident response preparedness, data protections strategy).
    • The current state of your downtime workarounds and additional data loss protection.
    • Your baseline standard for cloud services risk mitigation.
    • Summary of resilience, risks, workarounds, and data loss protection for each individual cloud service that you have reviewed.
  • Present the results to senior leadership to:
    • Highlight risks to inform business decisions to mitigate or accept those risks.
    • Summarize actions already taken to mitigate risks.
    • Communicate next steps (e.g. action items to address remaining risks).

    Cloud Services Resilience Summary – Table of Contents

    The image contains a screenshot of Cloud Services Resilience Summary – Table of Contents.
    Materials
    • Cloud Services Resilience Summary
    Participants
    • Core group of IT management and staff tasked with evaluating and improving cloud services’ resilience.
    • Review results with relevant business process owners to provide input and define business workarounds where applicable.

    Summary: For cloud services, after evaluating risk, IT must adapt how they approach risk mitigation

    1. Identify failover options where possible
    • A failover strategy is possible for many cloud services (e.g. IaaS replication to another region, or failing over SaaS to an alternate solution as in case study 1).
  • At least protect your data
    • Explore supplementary backup options to protect against ransomware, data corruption, or data loss and support business continuity workarounds (see case study 2).
  • Leverage BCP to close the gap
    • This doesn’t absolve IT of its role in mitigating cloud incident risk, but business process workarounds can bridge the gap where IT options are limited (see case study 3).

    Related Info-Tech Research

    IT DRP Maturity Assessment

    Get an objective assessment of your DRP program and recommendations for improvement.

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    Develop a Business Continuity Plan

    Streamline the traditional approach to make BCP development manageable and repeatable.

    Implement Crisis Management Best Practices

    Don’t be another example of what not to do. Implement an effective crisis response plan to minimize the impact on business continuity, reputation, and profitability.

    Prepare for the Upgrade to Windows 11

    • Buy Link or Shortcode: {j2store}166|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Windows 10 is going EOL in 2025.That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Our Advice

    Critical Insight

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system. Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    Impact and Result

    Windows 11 hardware requirements will result in devices that are not eligible for the upgrade. Companies will be left to spend money on replacement devices. Following the Info-Tech guidance will help clients properly budget for hardware replacements before Windows 10 is no longer supported by Microsoft. Eligible devices can be upgraded, but Info-Tech guidance can help clients properly plan the upgrade using the upgrade ring approach.

    Prepare for the Upgrade to Windows 11 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for the Upgrade to Windows 11 Deck – A look into some of the pros and cons of Microsoft’s latest desktop operating system, along with guidance on moving forward with this inevitable upgrade.

    Discover the reason for the release of Windows 11, what you require to be eligible for the upgrade, what features were added or updated, and what features were removed. Our guidance will assist you with a planned and controlled rollout of the Windows 11 upgrade. We also provide guidance on how to approach a device refresh plan if some devices are not eligible for Windows 11. The upgrade is inevitable, but you have time, and you have options.

    • Prepare for the Upgrade to Windows 11 Storyboard

    2. What Are My Options If My Devices Cannot Upgrade to Windows 11? – Build a Windows 11 Device Replacement budget with our Hardware Asset Management Budgeting Tool.

    This tool will help you budget for a hardware asset refresh and to adjust the budget as necessary to accommodate any unexpected changes. The tool can easily be modified to assist in developing and justifying the budget for hardware assets for a Windows 11 project. Follow the instructions on each tab and feel free to play with the HAM budgeting tool to fit your needs.

    • HAM Budgeting Tool
    [infographic]

    Further reading

    Prepare for the Upgrade to Windows 11

    The upgrade is inevitable, but you have time, and you have options.

    Analyst Perspective

    Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    “You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

    The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

    There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    It is inevitable!

    P.J. Ryan

    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Windows 10 is going EOL in 2025. That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Common Obstacles

    • The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
    • The cost of upgrading devices just to be eligible for Windows 11 is high.
    • Your end users don’t like change. This is not going to go over well!

    Info-Tech's Approach

    • Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
    • Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
    • Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

    Info-Tech Insight

    There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

    Insight summary

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    Many organizations will have to spend capital on endpoint upgrades.

    Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

    Windows 11 is a virtualization challenge for some providers.

    The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

    Windows 10 will be supported by Microsoft until October 2025.

    That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

    New look and feel, and a center screen taskbar.

    Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

    The education industry gets extra attention with the release of Windows 11.

    Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

    Why Windows 11?

    Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

    Maybe. It depends who you ask.

    Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

    Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

    Nope.

    Windows 11 is a free upgrade or is included with any new computer purchase.

    Market share challenges?

    Doubtful.

    It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

    In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

    Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

    The market share is worth noting for Microsoft but it hardly warrants a new operating system.

    New look and feel?

    Unlikely

    New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

    Security?

    Likely the main reason.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    The features are available on all Windows 11 physical devices, due to the common hardware requirements.

    Windows 11 hardware-based security

    These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

    Feature What it is How it works
    TPM 2.0 (Trusted Platform Module) Chip TPM is a chip on the motherboard of the computer. It is used to store encryption keys, certificates, and passwords. TPM does this securely with tamper-proof prevention. It can also generate encryption keys and it includes its own unique encryption key that cannot be altered (helpdeskgeek.com). You do not need to enter your password once you setup Windows Hello, so the password is no longer easy to capture and steal. It is set up on a device per device basis, meaning if you go to a different device to sign in, your Windows Hello authentication will not follow you and you must set up your Hello pin or facial recognition again on that particular device. TPM (Trusted Platform Module) can store the credentials used by Windows Hello and encrypt them on the module.
    Windows Hello Windows Hello is an alternative to using a password for authentication. Users can use a pin, a fingerprint, or facial recognition to authenticate.
    Device Encryption Device encryption is only on when your device is off. It scrambles the data on your disk to make it unreadable unless you have the key to unscramble it. If your endpoint is stolen, the contents of the hard drive will remain encrypted and cannot be accessed by anyone unless they can properly authenticate on the device and allow the system to unscramble the encrypted data.
    UEFI Secure Boot Capable UEFI is an acronym for Unified Extensible Firmware Interface. It is an interface between the operating system and the computer firmware. Secure Boot, as part of the firmware interface, ensures that only unchangeable and approved software and drivers are loaded at startup and not any malware that may have infiltrated the system (Lumunge). UEFI, with Secure Boot, references a database containing keys and signatures of drivers and runtime code that is approved as well as forbidden. It will not let the system boot up unless the signature of the driver or run-time code that is trying to execute is approved. This UEFI Secure boot recognition process continues until control is handed over to the operating system.
    Virtualization Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) VBS is security based on virtualization capabilities. It uses the virtualization features of the Windows operating system, specifically the Hyper-V hypervisor, to create and isolate a small chunk of memory that is isolated from the operating system. HVCI checks the integrity of code for violations. The Code Integrity check happens in the isolated virtual area of memory protected by the hypervisor, hence the acronym HVCI (Hypervisor Protected Code Integrity) (Murtaza). In the secure, isolated region of memory created by VBS with the hypervisor, Windows will run checks on the integrity of the code that runs various processes. The isolation protects the stored item from tampering by malware and similar threats. If they run incident free, they are released to the operating system and can run in the standard memory space. If issues are detected, the code will not be released, nor will it run in the standard memory space of the operating system, and damage or compromise will be prevented.

    How do all the hardware-based security features work?

    This scenario explains how a standard boot up and login should happen.

    You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

    Now imagine the same process with various compromised scenarios.

    You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

    You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

    You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

    TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

    “Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

    “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

    Can any device upgrade to Windows 11?

    In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

    Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

    Software Requirement

    You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

    Complete hardware requirements for Windows 11

    • 1 GHz (or faster) compatible 64-bit processor with two or more cores
    • 4 GB RAM
    • 64 GB or more of storage space
    • Compatible with DirectX 12 or later with WDDM 2.0 driver
      • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
      • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
      • Version 2.0 of WDDM is required for Windows 11.
    • 720p display greater than 9" diagonally with 8 bits per color channel
    • UEFI Secure Boot capable
    • TPM 2.0 chip
    • (“Windows 11 Requirements”)

    Windows 11 may challenge your virtual environment

    When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

    The Challenge

    The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

    The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

    Short-Term Solutions

    VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

    Additional Insight

    According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

    • It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
    • 64 GB of storage or greater
    • Secure Boot capable with the virtual TPM enabled
    • 4 GB of memory or greater
    • 2 or more virtual processors
    • The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

    What’s new or updated in Windows 11?

    The following two slides highlight some of the new and updated features in Windows 11.

    Security

    The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

    Taskbar

    The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

    Updated Apps

    Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

    User Interface

    The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

    Microsoft Teams

    Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

    What’s new or updated in Windows 11?

    Snap Layouts

    Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

    Widgets

    Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

    Android Apps

    Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

    Docking

    Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

    This is not intended to be an inclusive list but does cover some of the more prominent features.

    What’s missing from Windows 11?

    The following features are no longer found in Windows 11:

    • Backward compatibility
      • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
    • Internet Explorer
      • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
    • Tablet mode
      • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
    • Semi-annual updates
      • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
    • Specific apps
      • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
        • OneNote for Windows 10
        • 3D Viewer
        • Paint 3D
        • Skype
    • Cortana (by default)
      • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

    Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

    Windows 11 editions

    • Windows 11 is offered in several editions:
      • Windows 11 Home
      • Windows 11 Pro
      • Windows 11 Pro for Workstations
      • Windows 11 Enterprise Windows 11 for Education
      • Windows 11 SE for Education
    • Windows 11 hardware requirements and security features are common throughout all editions.
    • The new look and feel along with all the features mentioned previously are common to all editions as well.
    • Windows Home
      • Standard offering for home users
    • Pro versus Pro for Workstations
      • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
      • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
      • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
      • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
    • Enterprise Offerings
      • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
      • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
      • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

    Windows 11 Education Editions

    With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

    “40 Million Chromebooks in Use in Education” (Thurrott)

    “The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

    “Chromebooks Gain Market Share as Education Goes Online” (Hruska)

    “Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

    “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

    • Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
    • Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
    • The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
    • Windows 11 SE for Education:
      • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
      • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
      • Windows 11 SE requires Intune for Education and only IT admins can install applications.
    • Microsoft and others have come out with Windows SE specific devices at a low price point.
      • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
      • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

    Initial Reactions

    Below you can find some actual initial reactions to Windows 11.

    Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

    The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

    The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

    “My 91-year-old Mum has found it easy!” Binns, Paul ITRG

    “It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

    “It makes me feel more like a Mac user.” Chang, Ben Info-Tech

    “At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

    “Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

    “I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

    “A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

    “The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

    “No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

    “The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

    How do I upgrade to Windows 11?

    The process is very similar to applying updates in Windows 10.

    • Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
      • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
    • A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
    • Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
    • WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
    • Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
    • Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
    • Other modern endpoint management solutions may also allow for a controlled deployment.

    Info-Tech Insight

    The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

    When can I upgrade to Windows 11?

    You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

    • Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
      • Deploy the initial update to your test environment.
      • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
      • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
      • Increase the size of each ring as you progress.
    • Always back up your data before any upgrade.

    Deployment Ring Example

    Pilot Ring - Individuals from all departments - 10 users

    Ring #1 - Dev, Finance - 20 Users

    Ring #2 - Research - 100 Users

    Ring #3 - Sales, IT, Marketing - 500 Users

    Upgrade your eligible devices and users to Windows 11

    Build Windows 11 Deployment Rings

    Instructions:

    1. Identify who will be in the pilot group. Use individuals instead of user groups.
    2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
    3. Map groups to rings. Define which user groups will be in each ring.
    4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
    5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.
    Ring Department or Group Total Users Delay Time Before Next Group
    Pilot Ring Individuals from all departments 10 Three weeks
    Ring 1 Dev Finance 20 Two weeks
    Ring 2 Research 100 One week
    Ring 3 Sales, IT Marketing 500 N/A

    What are my options if my devices cannot upgrade to Windows 11?

    Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

    Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

    • Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
    • Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
    • Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
    • Determine the cost for replacement devices:
      • Compare vendor offerings using an RFP process.
    • Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

    Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

    New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

    New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    Build a Windows 11 Device Replacement Budget

    The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

    A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

    HAM Budgeting Tool

    Windows 11 Replacement Schedule
    2022 2023 2024 2025
    Department Total to replace Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Left to allocate
    Finance 120 20 20 20 10 10 20 20 0
    HR 28 15 13 0
    IT 30 15 15 0
    Research 58 8 15 5 20 5 5 0
    Planning 80 10 15 15 10 15 15 0
    Other 160 5 30 5 15 15 30 30 30 0
    Totals 476 35 38 35 35 35 35 38 35 50 35 35 35 35 0

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Implement Hardware Asset Management

    This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Bibliography

    aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

    Binns, Paul. Personal interview. 07 June 2022.

    Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

    Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

    Chang, Ben. Personal interview. 26 May 2022.

    Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

    Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

    “Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

    “Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

    Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

    Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

    Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

    Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

    Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

    Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

    Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

    Bibliography

    Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

    Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

    Roberts, Jeremy. Personal interview. 27 May 2022.

    Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

    Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    “The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

    Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

    Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

    “Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

    “What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

    “Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

    “Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

    Set a Strategic Course of Action for the PMO in 100 Days

    • Buy Link or Shortcode: {j2store}356|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $13,744 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Project Management Office
    • Parent Category Link: /project-management-office
    • As a new PMO director, you’ve been thrown into the middle of an unfamiliar organizational structure and a chaotic project environment.
    • The expectations are that the PMO will help improve project outcomes, but beyond that your mandate as PMO director is opaque.
    • You know that the statistics around PMO longevity aren’t good, with 50% of new PMOs closing within the first three years. As early in your tenure as possible, you need to make sure that your stakeholders understand the value that your role could provide to the organization with the right level of buy-in and support.
    • Whether you’re implementing a new PMO or taking over an already existing one, you need to quickly overcome these challenges by rapidly assessing your unfamiliar tactical environment, while at the same time demonstrating confidence and effective leadership to project staff, business stakeholders, and the executive layer.

    Our Advice

    Critical Insight

    • The first 100 days are critical. You have a window of influence where people are open to sharing insights and opinions because you were wise enough to seek them out. If you don’t reach out soon, people notice and assume you’re not wise enough to seek them out, or that you don’t think they are important enough to involve.
    • PMOs most commonly stumble when they shortsightedly provide project management solutions to what are, in fact, more complex, systemic challenges requiring a mix of project management, portfolio management, and organizational change management capabilities. If you fail to accurately diagnose pain points and needs in your first days, you could waste your tenure as PMO leader providing well-intentioned solutions to the wrong project problems.
    • You have diminishing value on your time before skepticism and doubt start to erode your influence. Use your first 100 days to define an appropriate mandate for your PMO, get the right people behind you, and establish buy-in for long-term PMO success.

    Impact and Result

    • Develop an action plan to help leverage your first 100 days on the job. Hit the ground running in your new role with an action plan to achieve realistic goals and milestones in your first 100 days. A results-driven first three months will help establish roots throughout the organization that will continue to feed and grow the PMO beyond your first year.
    • Get to know what you don’t know quickly. Use Info-Tech’s advice and tools to perform a triage of every aspect of PMO accountability as well as harvest stakeholder input to ensure that your PMO meets or exceeds expectations and establishes the right solutions to the organization’s project challenges.
    • Solidify the PMO’s long-term mission. Adopt our stakeholder engagement best practices to ensure that you knock on the right doors early in your tenure. Not only do you need to clarify expectations, but you will ultimately need buy-in from key stakeholders as you move to align the mandate, authority, and resourcing needed for long-term PMO success.

    Set a Strategic Course of Action for the PMO in 100 Days Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how capitalizing on your first 100 days as PMO leader can help ensure the long-term success of your PMO.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Survey the project landscape

    Get up-to-speed quickly on key PMO considerations by engaging PMO sponsors, assessing stakeholders, and taking stock of your PMO inventory.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 1: Survey the Project Landscape
    • Mission Identification and Inventory Tool
    • PMO Director First 100 Days Timeline - MS Project
    • PMO Director First 100 Days Timeline - MS Excel

    2. Gather PMO requirements

    Make your first major initiative as PMO director be engaging the wider pool of PMO stakeholders throughout the organization to determine their expectations for your office.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 2: Gather PMO Requirements
    • PMO Requirements Gathering Tool
    • PMO Course of Action Stakeholder Interview Guide

    3. Solidify your PPM goals

    Review the organization’s current PPM capabilities in order to identify your ability to meet stakeholder expectations and define a sustainable mandate.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 3: Solidify Your PPM Goals
    • Project Portfolio Management Maturity Assessment Workbook
    • Project Management Maturity Assessment Workbook
    • Organizational Change Management Maturity Assessment Workbook
    • PMO Strategic Expectations Glossary

    4. Formalize the PMO’s mandate

    Communicate your strategic vision for the PMO and garner stakeholder buy-in.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 4: Formalize the PMO's Mandate
    • PMO Mandate and Strategy Roadmap Template
    • PMO Director Peer Feedback Evaluation Template
    • PMO Director First 100 Days Self-Assessment Tool
    [infographic]

    Workshop: Set a Strategic Course of Action for the PMO in 100 Days

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Current Project Ecosystem

    The Purpose

    Quickly develop an on-the-ground view of the organization’s project ecosystem and the PMO’s abilities to effectively serve.

    Key Benefits Achieved

    A comprehensive and actionable understanding of the PMO’s tactical environment

    Activities

    1.1 Perform a PMO SWOT analysis.

    1.2 Assess the organization’s portfolio management, project management, and organizational change management capability levels.

    1.3 Take inventory of the PMO’s resourcing levels, project demand levels, and tools and artifacts.

    Outputs

    Overview of current strengths, weaknesses, opportunities, and threats

    Documentation of your current process maturity to execute key portfolio management, project management, and organizational change management functions

    Stock of the PMO’s current access to PPM personnel relative to total project demand

    2 Analyze PMO Stakeholders

    The Purpose

    Determine stakeholder expectations for the PMO.

    Key Benefits Achieved

    An accurate understanding of others’ expectations to help ensure the PMO’s course of action is responsive to organizational culture and strategy

    Activities

    2.1 Conduct a PMO Mission Identification Survey with key stakeholders.

    2.2 Map the PMO’s stakeholder network.

    2.3 Analyze key stakeholders for influence, interest, and support.

    Outputs

    An understanding of expected PMO outcomes

    A stakeholder map and list of key stakeholders

    A prioritized PMO requirements gathering elicitation plan

    3 Determine Strategic Expectations and Define the Tactical Plan

    The Purpose

    Develop a process and method to turn stakeholder requirements into a strategic vision for the PMO.

    Key Benefits Achieved

    A strategic course of action for the PMO that is responsive to stakeholders’ expectations.

    Activities

    3.1 Assess the PMO’s ability to support stakeholder expectations.

    3.2 Use Info-Tech’s PMO Strategic Expectations glossary to turn raw process and service requirements into specific strategic expectations.

    3.3 Define an actionable tactical plan for each of the strategic expectations in your mandate.

    Outputs

    An understanding of PMO capacity and limits

    A preliminary PMO mandate

    High-level statements of strategy to help support your mandate

    4 Formalize the PMO’s Mandate and Roadmap

    The Purpose

    Establish a final PMO mandate and a process to help garner stakeholder buy-in to the PMO’s long-term vision.

    Key Benefits Achieved

    A viable PMO course of action complete with stakeholder buy-i

    Activities

    4.1 Finalize the PMO implementation timeline.

    4.2 Finalize Info-Tech’s PMO Mandate and Strategy Roadmap Template.

    4.3 Present the PMO’s strategy to key stakeholders.

    Outputs

    A 3-to-5-year implementation timeline for key PMO process and staffing initiatives

    A ready-to-present strategy document

    Stakeholder buy-in to the PMO’s mandate

    Improve Service Desk Ticket Queue Management

    • Buy Link or Shortcode: {j2store}492|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Service desk tickets pile up in the queue, get lost or buried, jump between queues without progress, leading to slow response and resolution times, a seemingly insurmountable backlog and breached SLAs.
    • There are no defined rules or processes for how tickets should be assigned and routed and technicians don’t know how to prioritize their assigned work, meaning tickets take too long to get to the right place and aren’t always resolved in the correct or most efficient order.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Our Advice

    Critical Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue, then it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Impact and Result

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Once processes have been defined, identify opportunities to build in automation to improve efficiency.
    • Ensure everyone who handles tickets is clear on their responsibilities and establish clear ownership and accountability for queue management.

    Improve Service Desk Ticket Queue Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Ticket Queue Management Deck – A guide to service desk ticket queue management best practices and advice

    This storyboard reviews the top ten pieces of advice for improving ticket queue management at the service desk.

    • Improve Service Desk Ticket Queue Management Storyboard

    2. Service Desk Queue Structure Template – A template to help you map out and optimize your service desk ticket queues

    This template includes several examples of service desk queue structures, followed by space to build your own model of your optimal service desk queue structure and document who is assigned to each queue and responsible for managing each queue.

    • Service Desk Queue Structure Template
    [infographic]

    Further reading

    Improve Service Desk Ticket Queue Management

    Strong queue management is the foundation to good customer service

    Analyst Perspective

    Secure your foundation before you start renovating.

    Service Desk and IT leaders who are struggling with low efficiency, high backlogs, missed SLAs, and poor service desk metrics often think they need to hire more resources or get a new ITSM tool with better automation and AI capabilities. However, more often than not, the root cause of their challenges goes back to the fundamentals.

    Strong ticket queue management processes are critical to the success of all other service desk processes. You can’t resolve incidents and fulfill service requests in time to meet SLAs without first getting the ticket to the right place efficiently and then managing all tickets in the queue effectively. It sounds simple, but we see a lot of struggles around queue management, from new tickets sitting too long before being assigned, to in-progress tickets getting buried in favor of easier or higher-priority tickets, to tickets jumping from queue to queue without progress, to a seemingly insurmountable backlog.

    Once you have taken the time to clearly structure your queues, assign resources, and define your processes for routing tickets to and from queues and resolving tickets in the queue, you will start to see response and resolution time decrease along with the ticket backlog. However, accountability for queue management is often overlooked and is really key to success.
    This is an image of Dr. Natalie Sansone, Senior Research Analyst at Info-Tech Research Group

    Natalie Sansone, PhD
    Senior Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Tickets come into the service desk via multiple channels (email, phone, chat, portal) and aren’t consolidated into a single queue, making it difficult to know what to prioritize.
    • New tickets sit in the queue for too long before being assigned while assigned tickets sit for too long without progress or in the wrong queue, leading to slow response and resolution times.
    • Tickets quickly pile up in the queues, get lost or buried, or jump between queues without finding the right home, leading to a seemingly insurmountable backlog and breached SLAs.

    Common Obstacles

    • All tickets pile into the same queue, making it difficult to view, manage, or know who’s working on what.
    • There are no defined rules or processes for how tickets should be assigned and routed, meaning they often take too long to get to the right place.
    • Technicians have no guidelines as to how to prioritize their work, and no easy way to organize their tickets or queue to know what to work on next.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Info-Tech’s Approach

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Ensure everyone who handles tickets is clear on their responsibilities.
    • Establish clear ownership and accountability for queue management.
    • Once processes have been defined, identify opportunities to build in automation to improve efficiency.

    Info-Tech Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Timeliness is essential to customer satisfaction

    And timeliness can’t be achieved without good queue management practices.

    As soon as that ticket comes in, the clock starts ticking…

    A host of different factors influence service desk response time and resolution time, including process optimization and documentation, workflow automation, clearly defined prioritization and escalation rules, and a comprehensive and easily accessible knowledgebase.

    However, the root cause of poor response and resolution time often comes down to the basics like ticket queue management. Without clearly defined processes and ownership for assigning and actioning tickets from the queue in the most effective order and manner, customer satisfaction will suffer.

    For every 12-hour delay in response time*, CSAT drops by 9.6%.

    *to email and web support tickets
    Source: Freshdesk, 2021

    A Freshworks analysis of 107 million service desk interactions found the relationship between CSAT and response time is stronger than resolution time - when customers receive prompt responses and regular updates, they place less value on actual resolution time.

    A queue is simply a line of people (or tickets) waiting to be helped

    When customers reach out to the service desk for help, their messages are converted into tickets that are stored in a queue, waiting to be actioned appropriately.

    Ticket Queue

    Email/web
    Ideally, the majority of tickets come into the ticket queue through email or a self-service portal, allowing for appropriate categorization, prioritization, and assignment.

    Phone
    For IT teams with a high volume of support requests coming in through the phone, reducing wait time in queue may be a priority.

    Chat
    Live chat is growing in popularity as an intake method and may require routing and distribution rules to prevent long or multiple queues.

    Queue Management

    Queue management is a set of processes and tools to direct and monitor tickets or manage ticket flow. It involves the following activities:

    • Review incoming tickets
    • Categorize and prioritize tickets
    • Route or assign appropriately
    • View or update ticket status
    • Monitor resource workload
    • Ensure tickets are being actioned in time
    • Proactively identify SLA breaches

    Ineffective queue management can bury you in backlog

    Ticket backlog with poor queue management

    Without a clear and efficient process or accountability for moving incoming tickets to the right place, tickets will be worked on randomly, older tickets will get buried, the backlog will grow, and SLAs will be missed.

    Ticket backlog with good queue management

    With effective queue management and ownership, tickets are quickly assigned to the right resource, worked on within the appropriate SLO/SLA, and actively monitored, leading to a more manageable backlog and good response and resolution times.

    A growing backlog will quickly lead to dissatisfied end users and staff

    Failing to efficiently move tickets from the queue or monitor tickets in the queue can quickly lead to tickets being buried and support staff feeling buried in tickets.

    Common challenges with queue management include:

    • Tickets come in through multiple channels and aren’t consolidated into a single queue
    • New tickets sit unassigned for too long, resulting in long response times
    • Tickets move around between multiple queues with no clear ownership
    • Assigned tickets sit too long in a queue without progress and breach SLA
    • No accountability for queue ownership and monitoring
    • Technicians cherry pick the easiest tickets from the queue
    • Technicians have no easy way to organize their queue to know what to work on next

    This leads to:

    • Long response times
    • Long resolution times
    • Poor workload distribution and efficiency
    • High backlog
    • Disengaged, frustrated staff
    • Dissatisfied end users

    Info-Tech Insight

    A growing backlog will quickly lead to frustrated and dissatisfied customers, causing them to avoid the service desk and seek alternate methods to get what they need, whether going directly to their favorite technician or their peers (otherwise known as shadow IT).

    Dig yourself out with strong queue management

    Strong queue management is the foundation to good customer service.

    Build a mature ticket queue management process that allows your team to properly prioritize, assign, and work on tickets to maximize response and resolution times.

    A mature queue management process will:

    • Reduce response time to address tickets.
    • Effectively prioritize tickets and ensure everyone knows what to work on next.
    • Ensure tickets get assigned and routed to the right queue and/or resource efficiently.
    • Reduce overall resolution time to resolve tickets.
    • Enable greater accountability for queue management and monitoring of tickets.
    • Improve customer and employee satisfaction.

    As queue management maturity increases:
    Response time decreases
    Resolution time decreases
    Backlog decreases
    End-user satisfaction increases

    Ten Tips to Effectively Manage Your Queue

    The remaining slides in this deck will review these ten pieces of advice for designing and managing your ticket queues effectively and efficiently.

    1. Define your optimal queue structure
    2. Design and assign resources to relevant queues
    3. Define and document queue management processes
    4. Clearly define queue management responsibilities for every team member
    5. Establish clear ownership & accountability over all queues
    6. Always keep ticket status and documentation up to date
    7. Shift left to reduce queue volume
    8. Build-in automation to improve efficiency
    9. Configure your ITSM tool to support and optimize queue management processes
    10. Don’t lose visibility of the backlog

    #1: Define your optimal queue structure

    There is no one right way to do queue management; choose the approach that will result in the highest value for your customers and IT staff.

    Sample queue structures

    This is an image of a sample Queue structure, where Incoming Tickets from all channels pass through auto or manual Queue assignment, to a numbered queue position.

    *Queues may be defined by skillset, role, ticket category, priority, or a hybrid.

    Triage and Assign

    • All incoming tickets are assigned to an appropriate queue based on predefined criteria.
    • Queue assignment may be done through automated workflows based on specific fields within the ticket, or manually by a
    • Queue Manager, dedicated coordinator, or Tier 1 staff.
    • Queues may be defined based on:
      • Skillset/team (e.g. Infrastructure, Security, Apps, etc.)
      • Ticket category (e.g. Network, Office365, Hardware, etc.)
      • Priority (e.g. P1, P2, P3, P4, P5)
    • Resources may be assigned to multiple queues.

    Define your optimal queue structure (cont.)

    Tiered generalist model

    • All incidents and service requests are routed to Tier 1 first, who prioritize and, if appropriate, conduct initial triage, troubleshooting, and resolution on a wide range of issues.
    • More complex or high-priority tickets are escalated to resources at Tier 2 and/or Tier 3, who are specialists working on projects in addition to support tickets.
    This is an image of the Tiered Generalist Model

    Unassigned queue

    • Very small teams may work from an unassigned queue if there are processes in place to monitor tickets and workload balance.
    • Typically, these teams work by resolving the oldest tickets first regardless of complexity (also known as First In, First Out or FIFO). However, this doesn’t allow for much flexibility in terms of priority of the request or customer.
    This is an image of an unassigned queue model

    #2: Design and assign resources to relevant queues

    Once you’ve defined your overall structure, define the content of each queue.

    This image depicts a sample queue organization structure. The bin titles are: Workgroup; Customer Group; Problem Type; and Hybrid

    Info-Tech Insight

    Start small; don’t create a queue for every possible ticket type. Remember that someone needs to be accountable for each of these queues, so only build what you can monitor.

    #3 Define and document queue management processes

    A clear, comprehensive, easily digestible SOP or workflow outlining the steps for handling new tickets and working tickets from the queue will help agents deliver a consistent experience.

    PROCESS INCLUDES:

    DEFINE THE FOLLOWING:

    TRIAGING INCOMING TICKETS

    • Ensure a ticket is created for every issue coming from every channel (e.g. phone, email, chat, walk-in, portal).
    • Assign a priority to each ticket.
    • Categorize ticket and add any necessary documentation
    • Update ticket status.
    • Delete spam, merge duplicate tickets, clean up inbox.
    • Assign tickets to appropriate queue or resource, escalate when necessary.
    • How should tickets be prioritized?
    • How should tickets from each channel be prioritized and routed? (e.g. are phone calls resolved right away? Are chats responded to immediately?)
    • Criteria that determine where a ticket should be sent or assigned (i.e. ticket category, priority, customer type).
    • How should VIP tickets be handled?
    • When should tickets be automatically escalated?
    • Which tickets require hierarchical escalation (i.e. to management)?

    WORKING ON ASSIGNED TICKETS

    • Continually update ticket status and documentation.
    • Assess which tickets should be worked on or completed ahead of others.
    • Troubleshoot, resolve, or escalate tickets.
    • In what order should tickets be worked on (e.g. by priority, by age, by effort, by time to breach)?
    • How long should a ticket be worked on without progress before it should be escalated to a different tier or queue?
    • Exceptions to the rule (e.g. in which circumstances should a lower priority ticket be worked on over a higher priority ticket).

    Process recommendations

    As you define queue management processes, keep the following advice in mind:

    Rotate triage role

    The triage role is critical but difficult. Consider rotating your Tier 1 resources through this role, or your service desk team if you’re a very small group.

    Limit and prioritize channels

    You decide which channels to enable and prioritize, not your users. Phone and chat are very interrupt-driven and should be reserved for high-priority issues if used. Your users may not understand that but can learn over time with training and reinforcement.

    Prioritize first

    Priority matrixes are necessary for consistency but there are always circumstances that require judgment calls. Think about risk and expected outcome rather than simply type of issue alone. And if the impact is bigger than the initial classification, change it.

    Define VIP treatment

    In some organizations, the same issue can be more critical if it happens to a certain user role (e.g. client facing, c-suite). Identify and flag VIP users and clearly define how their tickets should be prioritized.

    Consider time zone

    If users are in different time zones, take their current business hours into account when choosing which ticket to work on.

    Info-Tech Insight

    Think of your service desk as an emergency room. Patients come in with different symptoms, and the triage nurse must quickly assess these symptoms to decide who the patient should see and how soon. Some urgent cases will need to see the doctor immediately, while others can wait in another queue (the waiting room) for a while before being dealt with. Some cases who come in through a priority channel (e.g. ambulance) may jump the queue. Checklists and criteria can help with this decision making, but some degree of judgement is also required and that comes with experience. The triage role is sometimes seen as a junior-level role, but it actually requires expertise to be done well.

    For more detailed process guidance, see Standardize the Service Desk

    Info-Tech’s blueprint Standardize the Service Desk will help you standardize and document core service desk processes and functions, including:

    • Service desk structure, roles, and responsibilities
    • Metrics and reporting
    • Ticket handling and ticket quality
    • Incident and critical incident management
    • Ticket categorization
    • Prioritization and escalation
    • Service request fulfillment
    • Self-service considerations
    • Building a knowledgebase
    this image contains three screenshots from Info-Tech's Standardize the Service Desk Blueprint

    #4 Clearly define queue management responsibilities for every team member

    This may be one of the most critical yet overlooked keys to queue management success. Define the following:

    Who will have overall accountability?

    Someone must be responsible for monitoring all incoming and open tickets as well as assigned tickets in every queue to ensure they are routed and fulfilled appropriately. This person must have authority to view and coordinate all queues and Queue Managers.

    Who will manage each queue?

    Someone must be responsible for managing each queue, including assigning resources, balancing workload, and ensuring SLOs are met for the tickets within their queue. For example, the Apps Manager may be the Queue Manager for all tickets assigned to the Apps team queue.

    Who is responsible for assigning tickets?

    Will you have a triage team who monitors and assigns all incoming tickets? What are their specific responsibilities (e.g. prioritize, categorize, attempt troubleshooting, assign or escalate)? If not, who is responsible for assigning new tickets and how is this done? Will the triage role be a rotating role, and if so, what will the schedule be?

    What are everyone’s responsibilities?

    Everyone who is assigned tickets should understand the ticket handling process and their specific responsibilities when it comes to queue management.

    #5 Establish clear ownership & accountability over all queues

    If everyone is accountable, then no one is accountable. Ownership for each queue and all queues must be clearly designated.

    You may have multiple queue manager roles: one for each queue, and one who has visibility over all the queues. Typically, these roles make up only part of an individual’s job. Clearly define the responsibilities of the Queue Manager role; sample responsibilities are on the right.

    Info-Tech Insight

    Lack of authority over queues – especially those outside Tier 1 of the service desk – is one of the biggest pitfalls we see causing aging tickets and missed SLAs. Every queue needs clear ownership and accountability with everyone committed to meeting the same SLOs.

    The Queue Manager or Coordinator is accountable for ensuring tickets are routed to the correct resources service level objectives or agreements are met.

    Specific responsibilities may include:

    • Monitors queues daily
    • Ensures new tickets are assigned to appropriate resources for resolution
    • Verifies tickets have been routed and assigned correctly and reroutes if necessary
    • Reallocates tickets if assigned resource is suddenly unavailable or away
    • Ensures ticket handling process is met, ticket status is up to date and correct, and ticket documentation is complete
    • Escalates tickets that are aging or about to breach
    • Ensures service level objectives or agreements are met
    • Facilitates resource allocation based on workload
    • Coordinates tickets that require collaboration across workgroups to ensure resolution is achieved within SLA
    • Associates child and parent tickets
    • Prepares reports on ticket status and volume by queues
    • Regularly reviews reports to identify and act on issues and make improvements or changes where needed
    • Identifies opportunities for improvement

    #6 Always keep ticket status and documentation up to date

    Anyone should be able to quickly understand the status and progress on a ticket without needing to ask the technician working on it. This means both the ticket status and documentation must be continually and accurately updated.

    Ticket Documentation
    Ticket descriptions and documentation must be kept accurate and up to date. This ensures that if the ticket is escalated or assigned to a new person, or the Queue Manager or Service Desk Manager needs to know what progress has been made on a ticket, that person doesn’t need to waste time with back-and-forth communication with the technician or end user.

    Ticket Status
    The ticket status field should change as the ticket moves toward resolution, and must be updated every time the status changes. This ensures that anyone looking at the ticket queue can quickly learn and communicate the status of a ticket, tickets don’t get lost or neglected, metrics are accurate (such as time to resolve), and SLAs are not impacted if a ticket is on hold.

    Common ticket statuses include:

    • New/open
    • Assigned
    • In progress
    • Declined
    • Canceled
    • Pending/on hold
    • Resolved
    • Closed
    • Reopened

    For more guidance on ticket handling and documentation, download Info-Tech’s blueprint: Standardize the Service Desk.

    • For ticket handling and documentation, see Step 1.4
    • For ticket status fields, see Step 2.2.

    #7 Shift left to reduce queue volume

    Enable processes such as knowledge management, self-service, and problem management to prevent tickets from even coming into the queue.

    Shift left means enabling fulfilment of repeatable tasks and requests via faster, lower-cost delivery channels, self-help tools, and automation.

    This image contains a graph, where the Y axis is labeled Cost, and the X axis is labeled Time to Resolve.  On the graph are depicted service desk levels 0, 1, 2, and 3.

    Shift to Level 1

    • Identify tickets that are often escalated beyond Tier 1 but could be resolved by Level 1 if they were given the tools, training, resources, or access they need to do so.
    • Provide tools to succeed at resolving those defined tasks (e.g. knowledge article, documentation, remote tools).
    • Embed knowledge management in resolution workflows.

    Shift to End User

    • Build a centralized, easily accessible self-service portal where users can search for solutions to resolve their issues without having to submit a ticket.
    • Communicate and train users on how to use the portal regularly update and improve it.

    Automate & Eliminate

    • Identify processes or tasks that could be automated to eliminate work.
    • Invest in problem management and event management to fix the root problem of recurring issues and prevent a problem from occurring in the first place, thereby preventing future tickets.

    #8 Build in automation to improve efficiency

    Manually routing every ticket can be time-consuming and prone to errors. Once you’ve established the process, automate wherever possible.

    Automation rules can be used to ensure tickets are assigned to the right person or queue, to alert necessary parties when a ticket is about to breach or has breached SLA, or to remind technicians when a ticket has sat in a queue or at a particular status for too long.

    This can improve efficiency, reduce error, and bring greater visibility to both high-priority tickets and aging tickets in the backlog.

    However, your processes, queues, and responsibilities must be clearly defined before you can build in automation.

    For more guidance on implementing automation and AI within your service desk, see these blueprints:

    https://tymansgrpup.com/research/ss/accelerate-your-automation-processes https://tymansgrpup.com/research/ss/improve-it-operations-with-ai-and-ml

    For examples of rules, triggers, and fields you can automate to improve the efficiency of your queue management processes, see the next slide.

    Sample automation rules

    Criteria or triggers you can automate actions based on:

    • Ticket type
    • Specific field in a ticket web form
    • Ticket form that was used (e.g. specific service request form from the portal)
    • Ticket category
    • Ticket priority
    • Keyword in an email subject line
    • Keywords or string in a chat
    • Requester name or email
    • Requester location
    • Requester/ticket language
    • Requester VIP status
    • Channel ticket was received through
    • SLAs or time-based automations
    • Agent skill
    • Agent status or capacity

    Fields or actions those triggers can automate

    • Priority
    • Category
    • Ticket routing
    • Assigned agent
    • Assigned queue
    • SLA/due date
    • Notifications/communication

    Sample Automation Rules

    • When ticket is about to breach, send alert to Queue Manager and Service Desk Manager.
    • When ticket comes from VIP user, set urgency to high.
    • When ticket status has been set to “open” for ten hours, send an alert to Queue Manager.
    • When ticket status has been set to “on hold” for five days, send a reminder to assignee.
    • When ticket is categorized as “Software-ERP,” send to ERP queue.
    • When ticket is prioritized as P1/critical, send alert to emergency response team.
    • When ticket is prioritized as P1 and hasn’t been updated for one hour, send an alert to Incident Manager.
    • When an in-progress ticket is reassigned to a new queue, alert Queue Manager.
    • When ticket has not been resolved within seven days, flag as aging ticket.

    #9 Configure your ITSM tool to support and optimize queue management processes

    Configure your tool to support your needs; don’t adjust your processes to match the tool.

    • Most ITSM tools have default queues out of the box and the option to create as many custom queues, filters, and views as you need. Custom queues should allow you to name the queue, decide which tickets will be sent to the queue, and what columns or information are displayed in the queue.
    • Before you configure your queues and dashboards, sit down with your team to decide what you need and what will best enable each agent to manage their workload.
    • Decide which queues each role should have access to – most should only need to see their own queue and their team’s queue.
    • Configure which queues or views new tickets will be sent to.
    • Configure automation rules defined earlier (e.g. automate sending certain tickets to specific queues or sending notifications to specific parties when certain conditions are met).
    • Configure dashboards and reports on queue volume and ticket status data relevant to each team to help them manage their workload, increase visibility, and identify issues or actions.

    Info-Tech Insight

    It can be overwhelming to support agents when their view is a long and never-ending queue. Set the default dashboard view to show only those tickets assigned to the viewer to make it appear more manageable and easier to organize.

    Configure queues to maximize productivity

    Info-Tech Insight

    The queue should quickly give your team all the information they need to prioritize their work, including ticket status, priority, category, due date, and updated timestamps. Configuration is important - if it’s confusing, clunky, or difficult to filter or sort, it will impact response and resolution times and can lead to missed tickets. Give your team input into configuration and use visuals such as color coding to help agents prioritize their work – for example, VIP tickets may be clearly flagged, critical or high priority tickets may be highlighted, tickets about to breach may be red.

    this image contains a sample queue organization which demonstrates how to maximize productivity

    #10 Don’t lose visibility of the backlog

    Be careful not to focus so much on assigning new tickets that you forget to update aging tickets, leading to an overwhelming backlog and dissatisfied users.

    Track metrics that give visibility into how quickly tickets are being resolved and how many aging tickets you have. Metrics may include:

    • Ticket resolution time by priority, by workgroup
    • Ticket volume by status (i.e. open, in progress, on hold, resolved)
    • Ticket volume by age
    • Ticket volume by queue and assignee

    Regularly review reports on these metrics with the team.

    Make it an agenda item to review aging tickets, on hold tickets, and tickets about to breach or past breach with the team.

    Take action on aging tickets to ensure progress is being made.

    Set rules to close tickets after a certain number of attempts to reach unresponsive users (and change ticket status appropriately).

    Schedule times for your team to tackle aged tickets or tickets in the backlog.

    Info-Tech Insight

    It can be easy for high priority work to constantly push down low priority work, leaving the lower priority tickets to constantly be ignored and users to be frustrated. If you’re struggling with aging tickets, backlog, and tickets breaching SLA, experiment with your team and queue structure to figure out the best resource distribution to handle your workload. This could mean rotating people through the triage role to allow them time to work through the backlog, reducing the number of people doing triage during slower volume periods, or giving technicians dedicated time to work through tickets. For help with forecasting demand and optimizing resources, see Staff the Service Desk to Meet Demand.

    Activity 1.1: Define ticket queues

    1 hour

    Map out your optimal ticket queue structure using the Service Desk Queue Structure Template. Follow the instructions in the template to complete it as a team.

    The template includes several examples of service desk queue structures followed by space to build your own model of an optimal service desk queue structure and to document who is assigned to each queue and responsible for managing each queue.

    Note:

    The template is not meant to map out your entire service desk structure (e.g. tiers, escalation paths) or ticket resolution process, but simply the ticket queues and how a ticket moves between queues. For help documenting more detailed process workflows or service desk structure, see the blueprint Standardize the Service Desk.

    this image contains screenshot from Info-Tech's blueprint: Service Desk Queue structure Template

    Input

    • Current queue structure and roles

    Output

    • Defined service desk ticket queues and assigned responsibilities

    Materials

    • Org chart
    • ITSM tool for reference, if needed

    Participants

    • Service Desk Manager
    • IT Director
    • Queue Managers

    Document in the Service Desk Queue Structure Template.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

    Optimize the Service Desk With a Shift-Left Strategy

    This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

    Improve Service Desk Ticket Intake

    This project will help you streamline your ticket intake process and identify improvements to your intake channels.

    Staff the Service Desk to Meet Demand

    This project will help you determine your optimal service desk structure and staffing levels based on your unique environment, workload, and trends.

    Works Cited

    “What your Customers Really Want.” Freshdesk, 31 May 2021. Accessed May 2022.

    Spread Best Practices With an Agile Center of Excellence

    • Buy Link or Shortcode: {j2store}152|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $97,499 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization is looking to create consistency across all Agile teams to drive greater business results and alignment.
    • You are seeking to organically grow Agile capabilities within the organization through a set of support structures and facilitated through shared learning and capabilities.

    Our Advice

    Critical Insight

    • Social capital can be an enabler, but also a barrier. People can only manage a finite number of relationships; ensure that the connections the Center of Excellence (CoE) facilitates are purposeful.
    • Don’t over govern. Empowerment is critical to enable improvements; set boundaries and let teams work inside them with autonomy.
    • Legitimize through listening. A CoE will not be leveraged unless it aligns with the needs of its users. Invest the time to align with the functional expectations of your Agile teams.

    Impact and Result

    • Create a set of service offerings aligned with both corporate objectives and the functional expectations of its customers to ensure broad support and utility of the invested resources.
    • Understand some of the cultural and processual challenges you will face when forming a center of excellence, and address them using Info-Tech’s Agile adoption model.

    Spread Best Practices With an Agile Center of Excellence Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build an Agile Center of Excellence, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Strategically align the Center of Excellence

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.

    • Spread Best Practices With an Agile Center of Excellence – Phase 1: Strategically Align the Center of Excellence

    2. Standardize the Center of Excellence’s service offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization.

    • Spread Best Practices With an Agile Center of Excellence – Phase 2: Standardize the Center of Excellence’s Service Offerings

    3. Operate the Center of Excellence

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change.

    • Spread Best Practices With an Agile Center of Excellence – Phase 3: Operationalize Your Agile Center of Excellence
    • ACE Satisfaction Survey
    • CoE Maturity Diagnostic Tool
    • ACE Benefits Tracking Tool
    • ACE Communications Deck
    [infographic]

    Workshop: Spread Best Practices With an Agile Center of Excellence

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Vision of CoE

    The Purpose

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.

    Understand how your key stakeholders will impact the longevity of your CoE.

    Determine your CoE structure and staff.

    Key Benefits Achieved

    Top-down alignment with strategic aims of the organization.

    A set of high-level use cases to form the CoE’s service offerings around.

    Visualization of key stakeholders, with their current and desired power and involvement documented.

    Activities

    1.1 Identify and prioritize organizational business objectives.

    1.2 Form use cases for the points of alignment between your Agile Center of Excellence (ACE) and business objectives.

    1.3 Prioritize your ACE stakeholders.

    Outputs

    Prioritized business objectives

    Business-aligned use cases to form CoE’s service offerings

    Stakeholder map of key influencers

    2 Define Service Offerings of CoE

    The Purpose

    Document the functional expectations of the Agile teams.

    Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.

    Create a capability map that visualizes and prioritizes your key service offerings.

    Key Benefits Achieved

    Understanding of some of the identified concerns, pain points, and potential opportunities from your stakeholders.

    Refined use cases that define the service offerings the CoE provides to its customers.

    Prioritization for the creation of service offerings with a capability map.

    Activities

    2.1 Classified pains and opportunities.

    2.2 Refine your use cases to identify your ACE functions and services.

    2.3 Visualize your ACE functions and service offerings with a capability map.

    Outputs

    Classified pains and opportunities

    Refined use cases based on pains and opportunities identified during ACE requirements gathering

    ACE Capability Map

    3 Define Engagement Plans

    The Purpose

    Align service offerings with an Agile adoption model so that teams have a structured way to build their skills.

    Standardize the way your organization will interact with the Center of Excellence to ensure consistency in best practices.

    Key Benefits Achieved

    Mechanisms put in place for continual improvement and personal development for your Agile teams.

    Interaction with the CoE is standardized via engagement plans to ensure consistency in best practices and predictability for resourcing purposes.

    Activities

    3.1 Further categorize your use cases within the Agile adoption model.

    3.2 Create an engagement plan for each level of adoption.

    Outputs

    Adoption-aligned service offerings

    Role-based engagement plans

    4 Define Metrics and Plan Communications

    The Purpose

    Develop a set of metrics for the CoE to monitor business-aligned outcomes with.

    Key Benefits Achieved

    The foundations of continuous improvement are established with a robust set of Agile metrics.

    Activities

    4.1 Define metrics that align with your Agile business objectives.

    4.2 Define target ACE performance metrics.

    4.3 Define Agile adoption metrics.

    4.4 Assess the interaction and communication points of your Agile team.

    4.5 Create a communication plan for change.

    Outputs

    Business objective-aligned metrics

    CoE performance metrics

    Agile adoption metrics

    Assessment of organizational design

    CoE communication plan

    Further reading

    Spread Best Practices With an Agile Center of Excellence

    Achieve ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    ANALYST PERSPECTIVE

    "Inconsistent processes and practices used across Agile teams is frequently cited as a challenge to adopting and scaling Agile within organizations. (VersionOne’s 13th Annual State of Agile Report [N=1,319]) Creating an Agile Center of Excellence (ACE) is a popular way to try to impose structure and improve performance. However, simply establishing an ACE does not guarantee you will be successful with Agile. When setting up an ACE you must: Define ACE services based on identified stakeholder needs. Staff the ACE with respected, “hands on” people, who deliver identifiable value to your Agile teams. Continuously evolve ACE service offerings to maximize stakeholder satisfaction and value delivered."

    Alex Ciraco, Research Director, Applications Practice Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • A CIO who is looking for a way to optimize their Agile capabilities and ensure ongoing alignment with business objectives.
    • An applications director who is looking for mechanisms to inject continuous improvement into organization-wide Agile practices.

    This Research Will Help You:

    • Align your Agile support structure with business objectives and the functional expectations of its users.
    • Standardize the ways in which Agile teams develop and learn to create consistency in purpose and execution.
    • Track and communicate successes to ensure the long-term viability of an Agile Center of Excellence (ACE).

    This Research Will Also Assist

    • Project managers who are tasked with managing Agile projects.
    • Application development managers who are struggling with establishing consistency, transparency, and collaboration across their teams.

    This Research Will Help Them:

    • Provide service offerings to their team members that will help them personally and collectively to develop desired skills.
    • Provide oversight and transparency into Agile projects and outcomes through ongoing monitoring.

    Executive summary

    Situation

    • Your organization has had some success with Agile, but needs to drive consistency across Agile teams for better business results and alignment.
    • You are seeking to organically grow Agile capabilities within the organization through a set of support services and facilitated through shared learning and capabilities.

    Complication

    • Organizational constraints, culture clash, and lack of continuous top-down support are hampering your Agile growth and maturity.
    • Attempts to create consistency across Agile teams and processes fail to account for the expectations of users and stakeholders, leaving them detached from projects and creating resistance.

    Resolution

    • Align the service offerings of your ACE with both corporate objectives and the functional expectations of its stakeholders to ensure broad support and utilization of the invested resources.
    • Understand some of the culture and process challenges you will face when forming an ACE, and address them using Info-Tech’s Agile adoption journey model.
    • Track the progress of the ACE and your Agile teams. Use this data to find root causes for issues, and ideate to implement solutions for challenges as they arise over time.
    • Effectively define and propagate improvements to your Agile teams in order to drive business-valued results.
    • Communicate progress to interested stakeholders to ensure long-term viability of the Center of Excellence (CoE).

    Info-Tech Insight

    1. Define ACE services based on stakeholder needs.Don’t assume you know what your stakeholders need without talking to them.
    2. Staff the ACE strategically. Choose those who are thought leaders and proven change agents.
    3. Continuously improve based on metrics and feedback.Constantly monitor how your ACE is performing and adjust to feedback.

    Info-Tech’s Agile Journey related Blueprints

    1. Stabilize

    Implement Agile Practices That Work

    Begin your Agile transformation with a comprehensive readiness assessment and a pilot project to adopt Agile development practices and behaviors that fit.

    2. Sustain

    YOU ARE HERE

    Spread Best Practices with an Agile Center of Excellence

    Form an ACE to support Agile development at all levels of the organization with thought leadership, strategic development support & process innovation.

    3. Scale

    Enable Organization-Wide Collaboration by Scaling Agile

    Extend the benefits of your Agile pilot project into your organization by strategically scaling Agile initiatives that will meet stakeholders’ needs.

    4. Satisfy

    Transition to Product Delivery Introduce product-centric delivery practices to drive greater benefits and better delivery outcomes.

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    2.1 Define an adoption plan for Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives

    Supporting Capabilities and Practices

    Modernize Your SDLC

    Remodel the stages of your lifecycle to standardize your definition of a successful product.

    Build a Strong Foundation for Quality

    Instill quality assurance practices and principles in each stage of your software development lifecycle.

    Implement DevOps Practices That Work

    Fix, deploy, and support applications quicker though development and operations collaboration.

    What is an Agile Center of Excellence?

    NOTE: Organizational change is hard and prone to failure. Determine your organization’s level of readiness for Agile transformation (and recommended actions) by completing Info-Tech’s Agile Transformation Readiness Tool.

    An ACE amplifies good practices that have been successfully employed within your organization, effectively allowing you to extend the benefits obtained from your Agile pilot(s) to a wider audience.

    From the viewpoint of the business, members of the ACE provide expertise and insights to the entire organization in order to facilitate Agile transformation and ensure standard application of Agile good practices.

    From the viewpoint of your Agile teams, it provides a community of individuals that share experiences and lessons learned, propagate new ideas, and raise questions or concerns so that delivering business value is always top of mind.

    An ACE provides the following:

    1. A mechanism to gather thought leadership to maximize the accessibility and reach of your Agile investment.
    2. A mechanism to share innovations and ideas to facilitate knowledge transfer and ensure broadly applicable innovations do not go to waste.
    3. Strategic alignment to ensure that Agile practices are driving value towards business objectives.
    4. Purposeful good practices to ensure that the service offerings provided align with expectations of both your Agile practitioners and stakeholders.

    SIDEBAR: What is a Community of Practice? (And how does it differ from a CoE?)

    Some organizations prefer Communities of Practice (CoP) to Centers of Excellence (CoE). CoPs are different from CoEs:

    A CoP is an affiliation of people who share a common practice and who have a desire to further the practice itself … and of course to share knowledge, refine best practices, and introduce standards. CoPs are defined by their domain of interest, but the membership is a social structure comprised of volunteer practitioners

    – Wenger, E., R. A. McDermott, et al. (2002) Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.

    CoPs differ from a CoE mainly in that they tend to have no geographical boundaries, they hold no hierarchical power within a firm, and they definitely can never have structure determined by the company. However, one of the most obvious and telling differences lies in the stated motive of members – CoPs exist because they have active practitioner members who are passionate about a specific practice, and the goals of a CoP are to refine and improve their chosen domain of practice – and the members provide discretionary effort that is not paid for by the employer

    – Matthew Loxton (June 1, 2011) CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com

    What to know about CoPs:

    1. Less formal than a CoE
      • Loosely organized by volunteer practitioners who are interested in advancing the practice.
    2. Not the Authoritative Voice
      • Stakeholders engage the CoP voluntarily, and are not bound by them.
    3. Not funded by Organization
      • CoP members are typically volunteers who provide support in addition to their daily responsibilities.
    4. Not covered in this Blueprint
      • In depth analysis on CoPs is outside the scope of this Blueprint.

    What does an ACE do? Six main functions derived from Info-Tech’s CLAIM+G Framework

    1. Learning
    • Provide training and development and enable engagement based on identified interaction points to foster organizational growth.
  • Tooling
    • Promote the use of standardized tooling to improve efficiency and consistency throughout the organization.
  • Supporting
    • Enable your Agile teams to access subject-matter expertise by facilitating knowledge transfer and documenting good practices.
  • Governing
    • Create operational boundaries for Agile teams, and monitor their progress and ability to meet business objectives within these boundaries.
  • Monitoring
    • Demonstrate the value the CoE is providing through effective metric setting and ongoing monitoring of Agile’s effectiveness.
  • Guiding
    • Provide guidance, methodology, and knowledge for teams to leverage to effectively meet organizational business objectives.
  • Many organizations encounter challenges to scaling Agile

    Tackle the following barriers to Agile adoption with a business-aligned ACE.

    List based on reported impediments from VersionOne’s 13th Annual State of Agile Report (N=1,319)

    1. Organizational culture at odds with Agile values
    • The ACE identifies and measures the value of Agile to build support from senior business leaders for shifting the organizational culture and achieving tangible business benefits.
  • General organizational resistance to change
    • Resistance comes from a lack of trust. Optimized value delivery from Info-Tech’s Agile adoption model will build the necessary social capital to drive cultural change.
  • Inadequate management support and sponsorship
    • Establishing an ACE will require senior management support and sponsorship. Its formation sends a strong signal to the organizational leadership that Agile is here to stay.
  • Lack of skills/experience with Agile methods
    • The ACE provides a vehicle to absorb external training into an internal development program so that Agile capabilities can be grown organically within the organization.
  • Inconsistent processes and practices across teams
    • The ACE provides support to individual Agile teams and will guide them to adopt consistent processes and practices which have a proven track record in the organization.
  • Insufficient training and education
    • The ACE will assist teams with obtaining the Agile skills training they need to be effective in the organization, and support a culture of continuous learning.
  • Overcome your Agile scaling challenges with a business aligned ACE

    An ACE drives consistency and transparency without sacrificing the ability to innovate. It can build on the success of your Agile pilot(s) by encouraging practices known to work in your organization.

    Support Agile Teams

    Provide services designed to inject evolving good practices into workflows and remove impediments or roadblocks from your Agile team’s ability to deliver value.

    Maintain Business Alignment

    Maintain alignment with corporate objectives without impeding business agility in the long term. The ACE functions as an interface layer so that changing expectations can be adapted without negatively impacting Agile teams.

    Facilitate Learning Events

    Avoid the risk of innovation and subject-matter expertise being lost or siloed by facilitating knowledge transfer and fostering a continuous learning environment.

    Govern Improvements

    Set baselines, monitor metrics, and run retrospectives to help govern process improvements and ensure that Agile teams are delivering expected benefits.

    Shift Culture

    Instill Agile thinking and behavior into the organization. The ACE must encourage innovation and be an effective agent for change.

    Use your ACE to go from “doing” Agile to “being” Agile

    Organizations that do Agile without embracing the changes in behavior will not reap the benefits.

    Doing what was done before

    • Processes and Tools
    • Comprehensive Documentation
    • Contract Negotiation
    • Following a Plan

    Being Prescriptive

    Going through the motions

    • Uses SCRUM and tools such as Jira
    • Plans multiple sprints in detail
    • Talks to stakeholders once in a release
    • Works off a fixed scope BRD

    Doing Agile

    Living the principles

    • Individuals and Interactions
    • Working Software
    • Customer Collaboration
    • Responding to Change

    Being Agile

    “(‘Doing Agile’ is) just some rituals but without significant change to support the real Agile approach as end-to-end, business integration, value focus, and team empowerment.” - Arie van Bennekum

    Establishing a CoE does not guarantee success

    Simply establishing a Center of Excellence for any discipline does not guarantee its success:

    The 2019 State of DevOps Report found that organizations which had established DevOps CoEs underperformed compared to organizations which adopted other approaches for driving DevOps transformation. (Accelerate State of DevOps Report 2019 [N=~1,000])

    Still, Agile Centers of Excellence can and do successfully drive Agile adoption in organizations. So what sets the successful examples apart from the others? Here’s what some have to say:

    The ACE must be staffed with qualified people with delivery experience! … [It is] effectively a consulting practice, that can evolve and continuously improve its services … These services are collectively about ‘enablement’ as an output, more than pure training … and above all, the ability to empirically measure the progress” – Paul Blaney, TD Bank

    “When leaders haven’t themselves understood and adopted Agile approaches, they may try to scale up Agile the way they have attacked other change initiatives: through top-down plans and directives. The track record is better when they behave like an Agile team. That means viewing various parts of the organization as their customers.” – HBR, “Agile at Scale”

    “the Agile CoE… is truly meant to be measured by the success of all the other groups, not their own…[it] is meant to be serving the teams and helping them improve, not by telling them what to do, but rather by listening, understanding and helping them adapt.” - Bart Gerardi, PMI

    The CoE must also avoid becoming static, as it’s crucial the team can adjust as quickly as business and customer needs change, and evolve the technology as necessary to remain competitive.” – Forbes, “RPA CoE (what you need to know)”

    "The best CoEs are formed from thought leaders and change agents within the CoE domain. They are the process and team innovators who will influence your CoE roadmap and success. Select individuals who feel passionate about Agile." – Hans Eckman, InfoTech

    To be successful with your ACE, do the following…

    Info-Tech Insight

    Simply establishing an Agile Center of Excellence does not guarantee its success. When setting up your ACE, optimize its impact on the organization by doing the following 3 things:

    1. Define ACE services based on stakeholder needs. Be sure to broadly survey your stakeholders and identify the ACE functions and services which will best meet their needs. ACE services must clearly deliver business value to the organization and the Agile teams it supports.
    2. Staff the ACE strategically. Select ACE team members who have real world, hands-on delivery experience, and are well respected by the Agile teams they will serve. Where possible, select internal thought leaders in your organization who have the credibility needed to effect positive change.
    3. Continuously improve ACE services based on metrics and feedback. The value your ACE brings to the organization must be clear and measurable, and do not assume that your functions and services will remain static. You must regularly monitor both your metrics and feedback from your Agile teams, and adjust ACE behavior to improve/maximize these over time.

    Spread Best Practices With an Agile Center of Excellence

    This blueprint will walk you through the steps needed to build the foundations for operational excellence within an Agile Center of Excellence.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Info-Tech’s Practice Adoption Journey

    Use Info-Tech’s Practice Adoption Journey model to establish your ACE. Building social capital (stakeholders’ trust in your ability to deliver positive outcomes) incrementally is vital to ensure that everyone is aligned to new mindsets and culture as your Agile practices scale.

    Trust & Competency ↓

    DEFINE

    Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.

    ITERATE

    Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.

    COLLABORATE

    Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.

    EMPOWER

    Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.

    INNOVATE

    Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.

    Align your ACE with your organization’s strategy

    This research set will assist you with aligning your ACEs services to the objectives of the business in order to justify the resources and funding required by your Agile program.

    Business Objectives → Alignment ←ACE Functions

    Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.

    Alignment leads to competitive advantage

    The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.

    Use Info-Tech’s CoE Operating Model to define the service offerings of your ACE

    Understand where your inputs and outputs lie to create an accessible set of service offerings for your Agile teams.

    The image shows a graphic of the COE Operating Model, showing the inputs and outputs, including Other CoEs (at top); Stakeholder Needs (at left); Metrics and Feedback (at bottom); and ACE Functions and Services (at right)

    Continuously improve the ACE to ensure long-term viability

    Improvement involves the continuous evaluation of the performance of your teams, using well-defined metrics and reasonable benchmarks that are supplemented by analogies and root-cause analysis in retrospectives.

    Monitor

    Monitor your metrics to ensure desired benefits are being realized. The ACE is responsible for ensuring that expected Agile benefits are achievable and on track. Monitor against your defined baselines to create transparency and accountability for desired outcomes.

    Iterate

    Run retrospectives to drive improvements and fixes into Agile projects and processes. Metrics falling short of expectations must be diagnosed and their root causes found, and fixes need to be communicated and injected back into the larger organization.

    Define

    Define metrics and set targets that align with the goals of the ACE. These metrics represent the ACEs expected value to the organization and must be measured against on a regular basis to demonstrate value to your key stakeholders.

    Beware the common risks of implementing your ACE

    Culture clash between Agile teams and larger organization

    Agile leverages empowered teams, meritocracy, and broad collaboration for success, but typical organizations are siloed and hierarchical with top down decision making. There needs to be a plan to enable a smooth transition from the current state towards the Agile target state.

    Persistence of tribal knowledge

    Agile relies on easy and open knowledge sharing, but organizational knowledge can sit in siloes. Employees may also try to protect their expertise for job security. It is important to foster knowledge sharing to ensure that critical know-how is accessible and doesn’t leave the organization with the individual.

    Rigid management structures

    Rigidity in how managers operate (performance reviews, human resource management, etc.) can result in cultural rejection of Agile. People need to be assessed on how they enable their teams rather than as individual contributors. This can help ensure that they are given sufficient opportunities to succeed. More support and less strict governance is key.

    Breakdown due to distributed teams

    When face-to-face interactions are challenging, ensure that you invest in the right communication technologies and remove cultural and process impediments to facilitate organization-wide collaboration. Alternative approaches like using documentation or email will not provide the same experience and value as a face-to-face conversation.

    The State of Maine used an ACE to foster positive cultural change

    CASE STUDY

    Industry - Government

    Source - Cathy Novak, Agile Government Leadership

    The State of Maine’s Agile Center of Excellence

    “The Agile CoE in the State of Maine is completely focused on the discipline of the methodology. Every person who works with Agile, or wants to work with Agile, belongs to the CoE. Every member of the CoE tells the same story, approaches the methodology the same way, and uses the same tools. The CoE also functions as an Agile research lab, experimenting with different standards and tools.

    The usual tools of project management – mission, goals, roles, and a high-level definition of done – can be found in Maine’s Agile CoE. For story mapping, teams use sticky notes on a large wall or whiteboard. Demonstrating progress this way provides for positive team dynamics and a psychological bang. The State of Maine uses a project management framework that serves as its single source of truth. Everyone knows what’s going on at all times and understands the purpose of what they are doing. The Agile team is continually looking for components that can be reused across other agencies and programs.”

    Results:

    • Realized positive culture change, leading to more collaborative and supportive teams.
    • Increased visibility of Agile benefits across functional groups.
    • Standardized methodology across Agile teams and increased innovation and experimentation with new standards and tools.
    • Improved traceability of projects.
    • Increased visibility and ability to determine root causes of problems and right the course when outcomes are not meeting expectations.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Spread Best Practices With an Agile Center of Excellence – project overview

    1. Strategically align the Center of Excellence 2. Standardize the CoEs service offerings 3. Operate the Center of Excellence
    Best-Practice Toolkit

    1.1 Determine the vision of your ACE.

    1.2 Define the service offerings of your ACE.

    2.1 Define an adoption plan for your Agile teams.

    2.2 Create an ACE engagement plan.

    2.3 Define metrics to measure success.

    3.1 Optimize the success of your ACE.

    3.2 Plan change to enhance your Agile initiatives.

    3.3 Conduct ongoing retrospectives of your ACE.

    Guided Implementations
    • Align your ACE with the business.
    • Align your ACE with its users.
    • Dissect the key attributes of Agile adoption.
    • Form engagement plans for your Agile teams.
    • Discuss effective ACE metrics.
    • Conduct a baseline assessment of your Agile environment.
    • Interface ACE with your change management function.
    • Build a communications deck for key stakeholders.
    Onsite Workshop Module 1: Strategically align the ACE Module 2: Standardize the offerings of the ACE Module 3: Prepare for organizational change
    Phase 1 Outcome: Create strategic alignment between the CoE and organizational goals.

    Phase 2 Outcome: Build engagement plans and key performance indicators based on a standardized Agile adoption plan.

    Phase 3 Outcome: Operate the CoEs monitoring function, identify improvements, and manage the change needed to continuously improve.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Module 1 Workshop Module 2 Workshop Module 3 Workshop Module 4
    Activities

    Determine vision of CoE

    1.1 Identify and prioritize organizational business objectives.

    1.2 Form use cases for the points of alignment between your ACE and business objectives.

    1.3 Prioritize your ACE stakeholders.

    Define service offerings of CoE

    2.1 Form a solution matrix to organize your pain points and opportunities.

    2.2 Refine your use cases to identify your ACE functions and services.

    2.3 Visualize your ACE functions and service offerings with a capability map.

    Define engagement plans

    3.1 Further categorize your use cases within the Agile adoption model.

    3.2 Create an engagement plan for each level of adoption.

    Define metrics and plan communications

    4.1 Define metrics that align with your Agile business objectives.

    4.2 Define target ACE performance metrics.

    4.3 Define Agile adoption metrics.

    4.4 Assess the interaction and communication points of your Agile team.

    4.5 Create a communication plan for change.

    Deliverables
    1. Prioritized business objectives
    2. Business-aligned use cases to form CoEs service offerings
    3. Prioritized list of stakeholders
    1. Classified pains and opportunities
    2. Refined use cases based on pains and opportunities identified during ACE requirements gathering
    3. ACE capability map
    1. Adoption-aligned service offerings
    2. Role-specific engagement plans
    1. Business objective-aligned metrics
    2. ACE performance metrics
    3. Agile adoption metrics
    4. Assessment of organization design
    5. ACE Communication Plan

    Phase 1

    Strategically Align the Center of Excellence

    Spread Best Practices With an Agile Center of Excellence

    Begin by strategically aligning your Center of Excellence

    The first step to creating a high-functioning ACE is to create alignment and consensus amongst your key stakeholders regarding its purpose. Engage in a set of activities to drill down into the organization’s goals and objectives in order to create a set of high-level use cases that will evolve into the service offerings of the ACE.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Strategically align the ACE

    Proposed Time to Completion (in weeks): 1

    Step 1.1: Determine the vision of your ACE

    Start with an analyst kick off call:

    • Align your ACE with the business.

    Then complete these activities…

    1.1.1 Optional: Baseline your ACE maturity.

    1.1.2 Identify and prioritize organizational business objectives.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives.

    1.1.4 Prioritize your ACE stakeholders.

    1.1.5 Select a centralized or decentralized model for your ACE.

    1.1.6 Staff your ACE strategically.

    Step 1.2: Define the service offerings of your ACE

    Start with an analyst kick off call:

    • Align your ACE with its users.

    Then complete these activities…

    1.2.1 Form the Center of Excellence.

    1.2.2 Gather and document your existing Agile practices for the CoE.

    1.2.3 Interview stakeholders to align ACE requirements with functional expectations.

    1.2.4 Form a solution matrix to organize your pain points and opportunities.

    1.2.5 Refine your use cases to identify your ACE functions and services.

    1.2.6 Visualize your ACE functions and service offerings with a capability map.

    Phase 1 Results & Insights:

    • Aligning your ACE with the functional expectations of its users is just as critical as aligning with the business. Invest the time to understand how the ACE fits at all levels of the organization to ensure its highest effectiveness.

    Phase 1, Step 1: Determine the vision of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    1.1.1 Optional: Baseline your ACE maturity.

    1.1.2 Identify and prioritize organizational business objectives.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives.

    1.1.4 Prioritize your ACE stakeholders.

    1.1.5 Select a centralized or decentralized model for your ACE.

    1.1.6 Staff your ACE strategically.

    Outcomes:

    • Gather your leadership to position the ACE and align it with business priorities.
    • Form a set of high-level use cases for services that will support the enablement of business priorities.
    • Map the stakeholders of the ACE to visualize expected influence and current support levels for your initiative.

    What does an ACE do? Six main functions derived from Info-Tech’s CLAIM+G Framework

    1. Learning
    • Provide training and development and enable engagement based on identified interaction points to foster organizational growth.
  • Tooling
    • Promote the use of standardized tooling to improve efficiency and consistency throughout the organization.
  • Supporting
    • Enable your Agile teams to access subject-matter expertise by facilitating knowledge transfer and documenting good practices.
  • Governing
    • Create operational boundaries for Agile teams, and monitor their progress and ability to meet business objectives within these boundaries.
  • Monitoring
    • Demonstrate the value the CoE is providing through effective metric setting and ongoing monitoring of Agile’s effectiveness.
  • Guiding
    • Provide guidance, methodology, and knowledge for teams to leverage to effectively meet organizational business objectives.
  • OPTIONAL: If you have an existing ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    1.1.1 Existing CoE Maturity Assessment

    Purpose

    If you already have established an ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline its current maturity level (this will act as a baseline for comparison after you complete this Blueprint). Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements.

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your current Maturity score.
    3. Document the results in the ACE Communications Deck.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    The image is a screen capture of the CoE Maturity Diagnostic Tool

    Download the CoE Maturity Diagnostic Tool.

    Get your Agile leadership together and position the ACE

    Stakeholder Role Why they are essential players
    CIO/ Head of IT Program sponsor: Champion and set the tone for the Agile program. Critical in gaining and maintaining buy-in and momentum for the spread of Agile service offerings. The head of IT has insight and influence to drive buy-in from executive stakeholders and ensure the long-term viability of the ACE.
    Applications Director Program executor: Responsible for the formation of the CoE and will ensure the viability of the initial CoE objectives, use cases, and service offerings. Having a coordinator who is responsible for collating performance data, tracking results, and building data-driven action plans is essential to ensuring continuous success.
    Agile Subject-Matter Experts Program contributor: Provide information on the viability of Agile practices and help build capabilities on existing best practices. Agile’s success relies on adoption. Leverage the insights of people who have implemented and evangelized Agile within your organization to build on top of a working foundation.
    Functional Group Experts Program contributor: Provide information on the functional group’s typical processes and how Agile can achieve expected benefits. Agile’s primary function is to drive value to the business – it needs to align with the expected capabilities of existing functional groups in order to enhance them for the better.

    Align your ACE with your organization’s strategy

    This research set will assist you with aligning your ACEs services to the objectives of the business in order to justify the resources and funding required by your Agile program.

    Business Objectives → Alignment ←ACE Functions

    Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.

    Alignment leads to competitive advantage

    The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.

    Activity: Identify and prioritize organizational business objectives

    1.1.2 2 Hours

    Input

    • Organizational business objectives

    Output

    • Prioritized business objectives

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. List the primary high-level business objectives that your organization aims to achieve over the course of the following year (focusing on those that ACE can impact/support).
    2. Prioritize these business objectives while considering the following:
    • Criticality of completion: How critical is the initiative in enabling the business to achieve its goals?
    • Transformational impact: To what degree is the foundational structure of the business affected by the initiative (rationale: Agile can support impact on transformational issues)?
  • Document the hypothesized role of Agile in supporting these business objectives. Take the top three prioritized objectives forward for the establishment of your ACE. While in future years or iterations you can inject more offerings, it is important to target your service offerings to specific critical business objectives to gain buy-in for long-term viability of the CoE.
  • Sample Business Objectives:

    • Increase customer satisfaction.
    • Reduce time-to-market of product releases.
    • Foster a strong organizational culture.
    • Innovate new feature sets to differentiate product. Increase utilization rates of services.
    • Reduce product delivery costs.
    • Effectively integrate teams from a merger.
    • Offer more training programs for personal development.
    • Undergo a digital transformation.

    Understand potential hurdles when attempting to align with business objectives

    While there is tremendous pressure to align IT functions and the business due to the accelerating pace of change and technology innovation, you need to be aware that there are limitations in achieving this goal. Keep these challenges at the top of mind as you bring together your stakeholders to position the service offerings of your ACE. It is beneficial to make your stakeholders self-aware of these biases as well, so they come to the table with an open mind and are willing to find common ground.

    The search for total alignment

    There are a plethora of moving pieces within an organization and total alignment is not a plausible outcome.

    The aim of a group should not be to achieve total alignment, but rather reframe and consider ways to ensure that stakeholders are content with the ways they interact and that misalignment does not occur due to transparency or communication issues.

    “The business” implies unity

    While it may seem like the business is one unified body, the reality is that the business can include individuals or groups (CEO, CFO, IT, etc.) with conflicting priorities. While there are shared business goals, these entities may all have competing visions of how to achieve them. Alignment means compromise and agreement more than it means accommodating all competing views.

    Cost vs. reputation

    There is a political component to alignment, and sometimes individual aspirations can impede collective gain.

    While the business side may be concerned with cost, those on the IT side of things can be concerned with taking on career-defining projects to bolster their own credentials. This conflict can lead to serious breakdowns in alignment.

    Panera Bread used Agile to adapt to changing business needs

    CASE STUDY

    Industry Food Services

    Source Scott Ambler and Associates, Case Study

    Challenge

    Being in an industry with high competition, Panera Bread needed to improve its ability to quickly deliver desired features to end customers and adapt to changing business demands from high internal growth.

    Solution

    Panera Bread engaged in an Agile transformation through a mixture of Agile coaching and workshops, absorbing best practices from these engagements to drive Agile delivery frameworks across the enterprise.

    Results

    Adopting Agile delivery practices resulted in increased frequency of solution delivery, improving the relationship between IT and the business. Business satisfaction increased both with the development process and the outcomes from delivery.

    The transparency that was needed to achieve alignment to rapidly changing business needs resulted in improved communication and broad-scale reduced risk for the organization.

    "Agile delivery changed perception entirely by building a level of transparency and accountability into not just our software development projects, but also in our everyday working relationships with our business stakeholders. The credibility gains this has provided our IT team has been immeasurable and immediate."

    – Mike Nettles, VP IT Process and Architecture, Panera Bread

    Use Info-Tech’s CoE Operating Model to define the service offerings of your ACE

    Understand where your inputs and outputs lie to create an accessible set of service offerings for your Agile teams.

    Functional Input

    • Application Development
    • Project Management
    • CIO
    • Enterprise Architecture
    • Data Management
    • Security
    • Infrastructure & Operations
    • Who else?

    The image shows a graphic of the COE Operating Model, showing the inputs and outputs, including Other CoEs (at top); Stakeholder Needs (at left); Metrics and Feedback (at bottom); and ACE Functions and Services (at right)

    Input arrows represent functional group needs, feedback from Agile teams, and collaboration with other CoEs and CoPs

    Output arrows represent the services the CoE delivers and the benefits realized across the organization.

    ACE Operating Model: Governance & Metrics

    Governance & Metrics involves enabling success through the management of the ACEs resources and services, and ensuring that organizational structures evolve in concert with Agile growth and maturity. Your focus should be on governing, measuring, implementing, and empowering improvements.

    Effective governance will function to ensure the long-term effectiveness and viability of your ACE. Changes and improvements will happen continuously and you need a way to decide which to adopt as best practices.

    "Organizations have lengthy policies and procedures (e.g. code deployment, systems design, how requirements are gathered in a traditional setting) that need to be addressed when starting to implement an Agile Center of Excellence. Legacy ideas that end up having legacy policy are the ones that are going to create bottlenecks, waste resources, and disrupt your progress." – Doug Birgfeld, Senior Partner, Agile Wave

    Governance & Metrics

    • Manage organizational Agile standards, policies, and procedures.
    • Define organizational boundaries based on regulatory, compliance, and cultural requirements.
    • Ensure ongoing alignment of service offerings with business objectives.
    • Adapt organizational change management policies to reflect Agile practices.
    • CoE governance functions include:
      • Policy Management
      • Change Management
      • Risk Management
      • Stakeholder Management
      • Metrics/Feedback Monitoring

    ACE Operating Model: Services

    Services refers to the ability to deliver resourcing, guidance, and assistance across all Agile teams. By creating a set of shared services, you enable broad access to specialized resources, knowledge, and insights that will effectively scale to more teams and departments as Agile matures in your organization.

    A Services model:

    • Supports the organization by standardizing and centralizing service offerings, ensuring consistency of service delivery and accessibility across functional groups.
    • Provides a mechanism for efficient knowledge transfer and on-demand support.
    • Helps to drive productivity and project efficiencies through the organization by disseminating best practices.

    Services

    • Provide reference, support, and re-assurance to implement and adapt organizational best practices.
    • Interface relevant parties and facilitate knowledge transfer through shared learning and communities of practice.
    • Enable agreed-upon service levels through standardized support structures.
    • Shared services functions include:
      • Engagement Planning
      • Knowledge Management
      • Subject-Matter Expertise
      • Agile Team Evaluation

    ACE Operating Model: Technology

    Technology refers to a broad range of supporting tools to enable employees to complete their day-to-day tasks and effectively report on their outcomes. The key to technological support is to strike the right balance between flexibility and control based on your organization's internal and external constraints (policy, equipment, people, regulatory, etc.).

    "We sometimes forget the obvious truth that technology provides no value of its own; it is the application of technology to business opportunities that produces return on investment." – Robert McDowell, Author, In Search of Business Value

    Technology

    • Provide common software tools to enable alignment to organizational best practices.
    • Enable access to locally desired tools while considering organizational, technical, and scaling constraints.
    • Enable communication with a technical subject matter expert (SME).
    • Enable reporting consistency through training and maintenance of reporting mechanisms.
    • Technology functions can include:
      • Vendor Management
      • Application Support
      • Tooling Standards
      • Tooling Use Cases

    ACE Operating Model: Staff

    Staff is all about empowerment. The ACE should support and facilitate the sharing of ideas and knowledge sharing. Create processes and spaces where people are encouraged to come together, learn from, and share with each other. This setting will bring up new ideas to enhance productivity and efficiency in day-to-day activities while maintaining alignment with business objectives.

    "An Agile CoE is legitimized by its ability to create a space where people can come together, share, and learn from one another. By empowering teams to grow by themselves and then re-connect with each other you allow the creativity of your employees to flow back into the CoE." – Anonymous, Founder, Agile consultancy group

    Staff

    • Develop and provide training and day-to-day coaching that are aligned with organizational engagement and growth plans.
    • Include workflow change management to assist traditional roles with accommodating Agile practices.
    • Support the facilitation of knowledge transfer from localized Agile teams into other areas of the organization.
    • Achieve team buy-in and engagement with ACE services and capabilities. Provide a forum for collaboration and innovation.
    • People functions can include:
      • Onboarding
      • Coaching
      • Learning Facilitation

    Form use cases to align your ACE with business objectives

    What is a use case?

    A use case tells a story about how a system will be used to achieve a goal from the perspective of a user of that system. The people or other systems that interact with the use case are called “actors.” Use cases describe what a system must be able to do, not how it will do it.

    How does a use case play a role in building your ACE?

    Use cases are used to guide design by allowing you to highlight the intended function of a service provided by the Center of Excellence while maintaining a business focus. Jumping too quickly to a solution without fully understanding user and business needs leads to the loss of stakeholder buy-in and the Centers of Excellence rejection by teams.

    Hypothesized ACE user needs →Use Case←Business objective

    Activity: Form use cases for the points of alignment between your ACE and business objectives

    1.1.3 2 Hours

    Input

    • Prioritized business objectives
    • ACE functions

    Output

    • ACE use cases

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives and the six functions of a CoE, create high-level use cases for each point of alignment that describe how the Center of Excellence will better facilitate the realization of that business objective.
    2. For each use case, define the following:
      • Name: Generalized title for the use case.
      • Description: A high-level description of the expected CoE action.
    AGILE CENTER OF EXCELLENCE FUNCTIONS:
    Guiding Learning Tooling Supporting Governing Monitoring
    BUSINESS OBJECTIVES Reduce time-to-market of product releases
    Reduce product delivery costs
    Effectively integrate teams from a merger

    Activity: Form use cases for the points of alignment between your ACE and business objectives (continued)

    1.1.3 2 Hours

    The image shows the Reduce time-to-market of product releases row from the table in the previous section, filled in with sample information.

    Your goal should be to keep these as high level and generally applicable as possible as they provide an initial framework to further develop your service offerings. Begin to talk about the ways in which the ACE can support the realization of your business objectives and what those interactions may look like to customers of the ACE.

    Involve all relevant stakeholders to discuss the organizational goals and objectives of your ACE

    Avoid the rifts in stakeholder representation by ensuring you involve the relevant parties. Without representation and buy-in from all interested parties, your ACE may omit and fail to meet long-term organizational goals.

    By ensuring every group receives representation, your service offerings will speak for the broad organization and in turn meet the needs of the organization as a whole.

    • Business Units: Any functional groups that will be expected to engage with the ACE in order to achieve their business objectives.
    • Team Leads: Representation from the internal Agile community who is aware of the backgrounds, capabilities, and environments of their respective Agile teams.
    • Executive Sponsors: Those expected to evangelize and set the tone and direction for the ACE within the executive ranks of the organization. These roles are critical in gaining buy-in and maintaining momentum for ACE initiatives.

    Organization

    • ACE
      • Executive Sponsors
      • Team Leads
      • Business Units

    Activity: Prioritize your ACE stakeholders

    1.1.4 1 Hour

    Input

    • Prioritized business objectives

    Output

    • Prioritized list of stakeholders

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives, brainstorm, as a group, the potential list of stakeholders (representatives from business units, team leads, and executive sponsors) that would need to be involved in setting the tone and direction of your ACE.
    2. Evaluate each stakeholder in terms of power, involvement, impact, and support.
    • Power: How much influence does the stakeholder have? Enough to drive the CoE forward or into the ground?
    • Involvement: How interested is the stakeholder? How involved is the stakeholder in the project already?
    • Impact: To what degree will the stakeholder be impacted? Will this significantly change how they do their job?
    • Support: Is the stakeholder a supporter of the project? Neutral? A resister?
  • Map each stakeholder to an area on the power map on the next slide based on his or her level of power and involvement.
  • Vary the size of the circle to distinguish stakeholders that are highly impacted by the ACE from those who are not. Color each circle to show each stakeholder’s estimated or gauged level of support for the project.
  • Prioritize your ACE stakeholders (continued)

    1.1.4 1 Hour

    The image shows a matrix on the left, and a legend on the right. The matrix is labelled with Involvement at the bottom, and Power on the left side, and has the upper left quadrant labelled Keep Satisfied, the upper right quadrant labelled Key players, the lower right quadrant labelled Keep informed, and the lower left quadrant labelled Minimal effort.

    Should your ACE be Centralized or Decentralized?

    An ACE can be organized differently depending on your organization’s specific needs and culture.

    The SAFe Model:©

    “For smaller enterprises, a single centralized [ACE] can balance speed with economies of scale. However, in larger enterprises—typically those with more than 500 – 1,000 practitioners—it’s useful to consider employing either a decentralized model or a hub-and-spoke model.”

    The image shows 3 models: centralized, represented by a single large circle; decentralized, represented by 5 smaller circles; and hub-and-spoke, represented by a central circle, connected to 5 surrounding circles.

    © Scaled Agile, Inc.

    The Spotify Model:

    Spotify avoids using an ACE and instead spreads agile practices using Squads, Tribes, Chapters, Guilds, etc.

    It can be a challenging model to adopt because it is constantly changing, and must be fundamentally supported by your organization’s culture. (Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.)

    Detailed analysis of The Spotify Model is out of scope for this Blueprint.

    The image shows the Spotify model, with two sections, each labelled Tribe, and members from within each Tribe gathered together in a section labelled Guild.

    Activity: Select a Centralized or Decentralized ACE Model

    1.1.5 30 minutes

    Input

    • Prioritized business objectives
    • Use Cases
    • Organization qualities

    Output

    • Centralized or decentralized ACE model

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives, your ACE use cases, your organization size, structure, and culture, brainstorm the relative pros and cons of a centralized vs decentralized ACE model.
    2. Consider this: to improve understanding and acceptance, ask participants who prefer a centralized model to brainstorm the pros and cons of a decentralized model, and vice-versa.
    3. Collectively decide whether your ACE should be centralized, decentralized or hub-and-spoke and document it.
    Centralized ACE Decentralized ACE
    Pros Cons Pros Cons
    Centralize Vs De-centralize Considerations Prioritized Business Objectives
    • Neutral (objectives don’t favor either model)
    • Neutral (objectives don’t favor either model)
    ACE Use Cases
    • Neutral (use cases don’t favor either model)
    • Neutral (use cases don’t favor either model)
    Organization Size
    • Org. is small enough for centralized ACE
    • Overkill for a small org. like ours
    Organization Structure
    • All development done in one location
    • Not all locations do development
    Organization Culture
    • All development done in one location
    • Decentralized ACE may have yield more buy-in

    SELECTED MODEL: Centralized ACE

    Activity: Staff your ACE strategically

    1.1.6 1 Hour

    Input

    • List of potential ACE staff

    Output

    • Rated list of ACE staff

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Identify your list of potential ACE staff (this may be a combination of full time and contract staff).
    2. Add/modify/delete the rating criteria to meet your specific needs.
    3. Discuss and adjust the relative weightings of the rating criteria to best suit your organization’s needs.
    4. Rate each potential staff member and compare results to determine the best suited staff for your ACE.
    Candidate: Jane Doe
    Rating Criteria Criteria Weighting Candidate's Score (1-5)
    Candidate has strong theoretical knowledge of Agile. 8% 4
    Candidate has strong hands on experience with Agile. 18% 5
    Candidate has strong hands on experience with Agile. 10% 4
    Candidate is highly respected by the Agile teams. 18% 5
    Candidate is seen as a thought leader in the organization. 18% 5
    Candidate is seen as a change agent in the organization. 18% 5
    Candidate has strong desire to be member of ACE staff. 10% 3
    Total Weighted Score 4.6

    Phase 1, Step 2: Define the service offerings of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    1.2.1 Form the Center of Excellence.

    1.2.2 Gather and document your existing Agile practices for the CoE.

    1.2.3 Interview stakeholders to align ACE requirements with functional expectations.

    1.2.4 Form a solution matrix to organize your pain points and opportunities.

    1.2.5 Refine your use cases to identify your ACE functions and services.

    1.2.6 Visualize your ACE functions and service offerings with a capability map.

    Outcomes:

    • Collect data regarding the functional expectations of the Agile teams.
    • Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.
    • Create a capability map that visualizes and prioritizes your key service offerings.

    Structure your ACE with representation from all of your key stakeholders

    Now that you have a prioritized list of stakeholders, use their influence to position the ACE to ensure maximum representation with minimal bottlenecks.

    By operating within a group of your key players, you can legitimize your Center of Excellence by propagating the needs and interests of those who interface and evangelize the CoE within the larger organization.

    The group of key stakeholders will extend the business alignment you achieved earlier by refining your service offerings to meet the needs of the ACEs customers. Multiple representations at the table will generate a wide arrangement of valuable insights and perspectives.

    Info-Tech Insight

    While holistic representation is necessary, ensure that the list is not too comprehensive and will not lead to progress roadblocks. The goal is to ensure that all factors relevant to the organization are represented; too many conflicting opinions may create an obstruction moving forward.

    ACE

    • Executive Sponsors
    • Team Leads
    • Business Units

    Determine how you will fund your ACE

    Choose the ACE funding model which is most aligned to your current system based on the scenarios provided below. Both models will offer the necessary support to ensure the success of your Agile program going forward.

    Funding Model Funding Scenario I Funding Scenario II
    Funded by the CIO Funded by the CIO office and a stated item within the general IT budget. Charged back to supported functional groups with all costs allocated to each functional group’s budget.
    Funded by the PMO Charged back to supported functional groups with all costs allocated to each functional group’s budget. Charged back to supported functional groups with all costs allocated to each functional group’s budget.

    Info-Tech Insight

    Your funding model may add additional key influencers into the mix. After you choose your funding model, ensure that you review your stakeholder map and add anyone who will have a direct impact in the viability and stability of your ACE.

    Determine how you will govern your ACE

    An Agile Center of Excellence is unique in the way you must govern the actions of its customers. Enable “flexible governance” to ensure that Agile teams have the ability to locally optimize and innovate while still operating within expected boundaries.

    ACE Governing Body

    ↑ Agile Team → ACE ← Agile Team ↑

    Who should take on the governance role?

    The governing body can be the existing executive or standing committees, or a newly formed committee involving your key ACE influencers and stakeholders.

    Flexible governance means that your ACE set boundaries based on your cultural, regulatory, and compliance requirements, and your governance group monitors your Agile teams’ adherence to these boundaries.

    Governing Body Responsibilities

    • Review and approve ACE strategy annually and ensure that it is aligned with current business strategy.
    • Provide detailed quality information for board members.
    • Ensure that the ACE is adequately resourced and that the organization has the capacity to deliver the service offerings.
    • Assure that the ACE is delivering benefits and achieving targets.
    • Assure that the record keeping and reporting systems are capable of providing the information needed to properly assess the quality of service.

    Modify your resourcing strategy based on organizational need

    Your Agile Center of Excellence can be organized either in a dedicated or a virtual configuration, depending on your company’s organizational structure and complexity.

    There is no right answer to how your Center of Excellence should be resourced. Consider your existing organizational structure and culture, the quality of relationships between functional groups, and the typical budgetary factors that would weigh on choosing between a virtual and dedicated CoE structure.

    COE Advantages Disadvantages
    Virtual
    • No change in organization structure required, just additional task delegation to your Agile manager or program manager.
    • Less effort and cost to implement.
    • Investment in quality is proportional to return.
    • Resources are shared between practice areas, and initiatives will take longer to implement.
    • Development and enhancement of best practices can become difficult without a centralized knowledge repository.
    Dedicated
    • Demonstrates a commitment to the ACEs long-term existence.
    • Allows for dedicated maintenance of best practices.
    • Clear lines of accountability for Agile processes.
    • Ability to develop highly skilled employees as their responsibilities are not shared.
    • Requires dedicated resources that can in turn be more costly.
    • Requires strong relationships with the functional groups that interface with the ACE.

    Staffing the ACE: Understand virtual versus dedicated ACE organizational models

    Virtual CoE

    The image shows an organizational chart titled Virtual CoE, with Head of IT at the top, then PMO and CoE Lead/Apps Director at the next level. The chart shows that there is crossover between the CoE Lead's reports, and the PMO's, indicated through dotted lines that connect them.

    • Responsibilities for CoE are split and distributed throughout departments on a part-time basis.
    • CoE members from the PMO report to apps director who also functions as the CoE lead on a part-time basis.

    The image shows a organizational chart titled Dedicated CoE, with all CoE members under the CoE.

    • Requires re-organization and dedicated full-time staff to run the CoE with clear lines of responsibility and accountability.
    • Hiring or developing highly skilled employees who have a sole function to facilitate and monitor quality best practices within the IT department may be necessary.

    Activity: Form the Center of Excellence

    1.2.1 1 Hour

    Input

    • N/A

    Output

    • ACE governance and resourcing plan

    Materials

    • Whiteboard

    Participants

    • Agile leadership group
    1. As a group, discuss if there is an existing body that would be able to govern the Center of Excellence. This body will monitor progress on an ongoing basis and assess any change requests that would impact the CoEs operation or goals.
    • List current governing bodies that are closely aligned with your current Agile environment and determine if the group could take on additional responsibilities.
    • Alternatively, identify individuals who could form a new ACE governing body.
  • Using the results of Exercise 1.1.6 in Step 1, select the individuals who will participate in the Center of Excellence. As a rough rule of thumb for sizing, an ACE staffed with 3-5 people can support 8-12 Agile Teams.
  • Document results in the ACE Communications Deck.

    Leverage your existing Agile practices and SMEs when establishing the ACE

    The synergy between Agile and CoE relies on its ability to build on existing best practices. Agile cannot grow without a solid foundation. ACE gives you the way to disseminate these practices and facilitate knowledge transfer from a centralized sharing environment. As part of defining your service offerings, engage with stakeholders across the organization to evaluate what is already documented so that it can be accommodated in the ACE.

    Documentation

    • Are there any existing templates that can be leveraged (e.g. resource planning, sprint planning)?
    • Are there any existing process documents that can be leveraged (e.g. SIPOC, program frameworks)?
    • Are there any existing standards documents the CoE can incorporate (e.g. policies, procedures, guidelines)?

    SMEs

    • Interview existing subject-matter experts that can give you an idea of your current pains and opportunities.
    • You already have feedback from those in your workshop group, so think about the rest of the organization:
      • Agile practitioners
      • Business stakeholders
      • Operations
      • Any other parties not represented in the workshop group

    Metrics

    • What are the current metrics being used to measure the success of Agile teams?
    • What metrics are currently being used to measure the completion of business objectives?
    • What tools or mediums are currently used for recording and communicating metrics?

    Info-Tech Insight

    When considering existing practices, it is important to evaluate the level of adherence to these practices. If they have been efficiently utilized, injecting them into ACE becomes an obvious decision. If they have been underutilized, however, it is important to understand why this occurred and discuss how you can drive higher adherence.

    Examples of existing documents to leverage

    People

    • Agile onboarding planning documents
    • Agile training documents
    • Organizational Agile manifesto
    • Team performance metrics dashboard
    • Stakeholder engagement and communication plan
    • Development team engagement plan
    • Organizational design and structure
    • Roles and responsibilities chart (i.e. RACI)
    • Compensation plan Resourcing plan

    Process

    • Tailored Scrum process
    • Requirements gathering process
    • Quality stage-gate checklist (including definitions of ready and done)
    • Business requirements document
    • Use case document
    • Business process diagrams
    • Entity relationship diagrams
    • Data flow diagrams
    • Solution or system architecture
    • Application documentation for deployment
    • Organizational and user change management plan
    • Disaster recovery and rollback process
    • Test case templates

    Technology

    • Code review policies and procedures
    • Systems design policies
    • Build, test, deploy, and rollback scripts
    • Coding guidelines
    • Data governance and management policies
    • Data definition and glossary
    • Request for proposals (RFPs)
    • Development tool standards and licensing agreements
    • Permission to development, testing, staging, and production environments
    • Application, system, and data integration policies

    Build upon the lessons learned from your Agile pilots

    The success of your Center of Excellence relies on the ability to build sound best practices within your organization’s context. Use your previous lessons learned and growing pains as shared knowledge of past Agile implementations within the ACE.

    Implement Agile Practices That Work

    Draw on the experiences of your initial pilot where you learned how to adapt the Agile manifesto and practices to your specific context. These lessons will help onboard new teams to Agile since they will likely experience some of the same challenges.

    Download

    Documents for review include:

    • Tailored Scrum Process
    • Agile Pilot Metrics
    • Info-Tech’s Agile Pilot Playbook

    Enable Organization-Wide Collaboration by Scaling Agile

    Draw on previous scaling Agile experiences to help understand how to interface, facilitate, and orchestrate cross-functional teams and stakeholders for large and complex projects. These lessons will help your ACE teams develop collaboration and problem-solving techniques involving roles with different priorities and lines of thinking.

    Download

    Documents for review include:

    • Agile Program Framework
    • Agile Pilot Program Metrics
    • Scaled Agile Development Process
    • Info-Tech’s Scaling Agile Playbook

    Activity: Gather and document your existing Agile practices for the CoE

    1.2.2 Variable time commitment based on current documentation state

    Input

    • Existing practices

    Output

    • Practices categorized within operating model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Compile a list of existing practices that will be shared by the Center of Excellence. Consider any documents, templates, or tools that are used regularly by Agile teams.
    2. Evaluate the level of adherence to use of the practices (whether the practice is complied with regularly or not) with a high, medium, or low. Low compliance will need a root-cause analysis to understand why and how to remedy the situation.
    3. Determine the best fit for each practice under the ACE operational model.
    Name Type Adherence Level CoE Best Fit Source
    1 Tailored Scrum process Process High Shared Services Internal Wiki
    2
    3

    Activity: Interview stakeholders to understand the ACE functional expectations

    1.2.3 30-60 Minutes per interview

    Interview Stakeholders (from both Agile teams and functional areas) on their needs from the ACE. Ensure you capture both pain points and opportunities. Capture these as either Common Agile needs or Functional needs. Document using the tables below:

    Common Agile Needs
    Common Agile Needs
    • Each Agile Team interprets Agile differently
    • Need common approach to Agile with a proven track record within the organization
    • Making sure all Team members have a good understanding of Agile
    • Common set of tool(s) with a proven track record, along with a strong understanding of how to use the tool(s) efficiently and effectively
    • Help troubleshooting process related questions
    • Assistance with addressing the individual short comings of each Agile Team
    • Determining what sort of help each Agile Team needs most
    • Better understanding of the role played by Scrum Master and associated good practices
    • When and how do security/privacy/regulatory requirements get incorporated into Agile projects
    Functional Needs Ent Arch Needs
    • How do we ensure Ent Arch has insight and influence on Agile software design
    • Better understanding of Agile process
    • How to measure compliance with reference architectures

    PMO Needs

    • Better understanding of Agile process
    • Understanding role of PM in Agile
    • Project status reports that determine current level of project risk
    • How does project governance apply on Agile projects
    • What deliverables/artifacts are produced by Agile projects and when are they completed

    Operations Needs

    • Alignment on approaches for doing releases
    • Impact of Agile on change management and support desk processes
    • How and when will installation and operation instructions be available in Agile

    Activity: Form a solution matrix to organize your pain points and opportunities

    1.2.4 Half day

    Input

    • Identified requirements

    Output

    • Classified pains and opportunities

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Review the listed pain points from the data gathering process. Sort the pain points on sticky notes into technology, governance, people, and shared services.
    2. Consider opportunities under each defining element based on the identified business requirements.
    3. Document your findings.
    4. Discuss the results with the project team and prioritize the opportunities.
      • Where do the most pains occur?
      • What opportunities exist to alleviate pains?
    Governance Shared Services Technology People
    Pain Points
    Opportunities

    Document results in the ACE Communications Deck.

    Activity: Refine your use cases to identify your ACE functions and services

    1.2.5 1 Hour

    Input

    • Use cases from activity 1.1.2

    Output

    • Refined use cases based on data collection

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Refine your initial use cases for the points of alignment between your ACE and business objectives using your classified pain points and opportunities.
    2. Add use cases to address newly realized pain points.
    3. Determine the functions and services the CoE can offer to address the identified requirements.
    4. Evaluate the outputs in the form of realized benefits and extracted inefficiencies.

    Possible ACE use cases:

    • Policy Management
    • Change Management
    • Risk Management
    • Stakeholder Management
    • Engagement Planning
    • Knowledge Management
    • Subject-Matter Expertise
    • Agile Team Evaluation
    • Operations Support
    • Onboarding
    • Coaching
    • Learning Facilitation
    • Communications Training
    • Vendor Management
    • Application Support
    • Tooling Standards

    Document results in the ACE Communications Deck.

    Activity: Visualize your ACE functions and service offerings with a capability map

    1.2.6 1 Hour

    Input

    • Use cases from activity 1.2.4

    Output

    • ACE capability map

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Review the refined and categorized list of service offerings.
    2. Determine how these new capabilities will add, remove, or enhance your existing service and capabilities.
    3. Categorize the capabilities into the following groups:
    • Governance and Metrics
    • Services
    • Staff
    • Technology
  • Label the estimated impact of the service offering based on your business priorities for the year. This will guide your strategy for implementing your Agile Center of Excellence moving forward.
  • Document results in the ACE Communications Deck.

    Activity: Visualize your ACE functions and service offerings with a capability map (continued)

    Governance

    Policy Management (Medium Potential)

    Change Management (High Potential)

    Risk Management (High Potential)

    Stakeholder Management (High Potential)

    Metrics/Feedback Monitoring (High Potential)

    Shared Services

    Engagement Planning (High Potential)

    Knowledge Management (High Potential)

    Subject-Matter Expertise (High Potential)

    Agile Team Evaluation (High Potential)

    Operations Support (High Potential)

    People

    Onboarding (Medium Potential)

    Coaching (High Potential)

    Learning Facilitation (High Potential)

    Internal Certification Program (Low Potential)

    Communications Training (Medium Potential)

    Technology

    Vendor Management (Medium Potential)

    Application Support (Low Potential)

    Tooling Standards (High Potential)

    Checkpoint: Are you ready to standardize your CoEs service offerings?

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Self-Auditing Guidelines

    • Have you identified and prioritized the key business objectives for the upcoming year that the ACE will align with?
    • Do you have a high-level set of use cases for points of alignment between your ACE and business objectives?
    • Have you mapped your stakeholders and identified the key players that will have an influence over the future success of your ACE?
    • Have you identified how your organization will fund, resource, and govern the ACE?
    • Have you collected data to understand the functional expectations of the users the ACE is intended to serve?
    • Have you refined your use cases to align with both business objectives and functional expectations?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Identify and prioritize organizational business objectives

    Our analyst team will help you organize and prioritize your business objectives for the year in order to ensure that the service offerings the ACE offers are delivering consistent business value.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives

    Our analyst team will help you turn your prioritized business objectives into a set of high-level use cases that will provide the foundation for defining user-aligned services.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.1.4 Prioritize your ACE stakeholders

    Our analysts will walk you through an exercise of mapping and prioritizing your Centers of Excellence stakeholders based on impact and power within so you can ensure appropriate presentation of interests within the organization.

    1.2.4 Form a solution matrix to organize your pain points and opportunities

    Our analyst team will help you solidify the direction of your Center of Excellence by overlaying your identified needs, pain points, and potential opportunities in a matrix guided by Info-Tech’s CoE operating model.

    1.2.5 Refine your use cases to identify your ACE functions and services

    Our analyst team will help you further refine your business-aligned use cases with the functional expectations from your Agile teams and stakeholders, ensuring the ACEs long-term utility.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.2.6 Visualize your ACE functions and service offerings with a capability map

    Our analysts will walk you through creating your Agile Centers of Excellence capability map and help you to prioritize which service offerings are critical to the success of your Agile teams in meeting their objectives.

    Phase 2

    Standardize the Centers of Excellence Service Offerings

    Spread Best Practices With an Agile Center of Excellence

    The ACE needs to ensure consistency in service delivery

    Now that you have aligned the CoE to the business and functional expectations, you need to ensure its service offerings are consistently accessible. To effectively ensure accessibility and delegation of shared services in an efficient way, the CoE needs to have a consistent framework to deliver its services.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Standardize the CoEs Service Offerings

    Proposed Time to Completion (in weeks): 2

    Step 2.1: Define an adoption plan for your Agile teams

    Start with an analyst kick off call:

    • Dissect the key attributes of Agile adoption.

    Then complete these activities…

    2.1.1 Further categorize your use cases within the Agile adoption model.

    Step 2.2: Create an ACE engagement plan

    Start with an analyst kick off call:

    • Form engagement plans for your Agile teams.

    Then complete these activities…

    2.2.1 Create an engagement plan for each level of adoption.

    Step 2.3: Define metrics to measure success

    Finalize phase deliverable:

    • Discuss effective ACE metrics.

    Then complete these activities…

    2.3.1 Collect existing team-level metrics.

    2.3.2 Define metrics that align with your Agile business objectives.

    2.3.3 Define target ACE performance metrics.

    2.3.4 Define Agile adoption metrics.

    2.3.5 Consolidate metrics for stakeholder impact.

    2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.

    Phase 2 Results & Insights:

    • Standardizing your service offerings allows you to have direct influence on the dissemination of best practices.

    Phase 2, Step 1: Define an adoption plan for your Agile teams

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.1.1 Further categorize your use cases within the Agile adoption model.

    Outcomes:

    • Refine your previously determined use cases within the Agile adoption model to ensure that teams can be assisted at any level of Agile adoption.
    • Understand the key attributes of Agile adoption and how they impact success.

    Understand the implementation challenges that the ACE may face

    Culture clash between ACE and larger organization

    It is important to carefully consider the compatibility between the current organizational culture and Agile moving forward. Agile compels empowered teams, meritocracy, and broad collaboration for success; while typical organizational structures are siloed and hierarchical and decisions are delegated from the top down.

    This is not to say that the culture of the ACE has to match the larger organizational culture; part of the overarching aim of the ACE is to evolve the current organizational culture for the better. The point is to ensure you enable a smooth transition with sufficient management support and a team of Agile champions.

    The changing role of middle management

    Very similar to the culture clash challenge, cultural rigidity in how middle managers operate (performance review, human resource management, etc.) can cause cultural rejection. They need to become enablers for high performance and give their teams the sufficient tools, skills, and opportunities to succeed and excel.

    What impedes Agile adoption?

    Based on a global survey of Agile practitioners (N=1,319)*:

    52% Organizational culture at odds with agile values

    44% Inadequate management support and sponsorship

    48% General organization resistance to change

    *Respondents were able to make multiple selections

    (13th Annual State of Agile Report, VersionOne, 2019)

    Build competency and trust through a structured Agile adoption plan

    The reality of cultural incompatibility between Agile and traditional organization structures necessitates a structured adoption plan. Systematically build competency so teams can consistently achieve project success and solidify trust in your teams’ ability to meet business needs with Agile.

    By incrementally gaining the trust of management as you build up your Agile capabilities, you enable a smooth cultural transition to an environment where teams are empowered, adapt quickly to changing needs, and are trusted to innovate and make successes out of their failures.

    Optimized value delivery occurs when there is a direct relationship between competency and trust. There will be unrealized value when competency or trust outweigh the other. That value loss increases as either dimension of adoption continues to grow faster than the other.

    The image shows a graph with Competency on the x-axis and Trust on the y-axis. There are 3 sections: Level 1, Level 2, and Level 3, in subsequently larger arches in the background of the graph. The graph shows two diagonal arrows, the bottom one labelled Current Value Delivery and the top one labelled Optimized Value Delivery. The space between the two arrows is labelled Value Loss.

    Use Info-Tech’s Practice Adoption Optimization Model to systematically increase your teams’ ability to deliver

    Using Info-Tech’s Practice adoption optimization model will ensure you incrementally build competency and trust to optimize your value delivery.

    Agile adoption at its core, is about building social capital. Your level of trust with key influencers increases as you continuously enhance your capabilities, enabling the necessary cultural changes away from traditional organizational structures.

    Trust & Competency ↓

    DEFINE

    Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.

    ITERATE

    Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.

    COLLABORATE

    Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.

    EMPOWER

    Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.

    INNOVATE

    Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.

    Review these key attributes of Agile adoption

    Agile adoption is unique to every organization. Consider these key attributes within your own organizational context when thinking about levels of Agile adoption.

    Adoption Attributes

    Team Organization

    Considers the degree to which teams are able to self-organize based on internal organizational structures (hierarchy vs. meritocracy) and inter-team capabilities.

    Team Coordination

    Considers the degree to which teams can coordinate, both within and across functions.

    Business Alignment

    Considers the degree to which teams can understand and/or map to business objectives.

    Coaching

    Considers what kind of coaching/training is offered and how accessible the training is.

    Empowerment

    Considers the degree to which teams are able and capable to address project, process, and technical challenges without significant burden from process controls and bureaucracy.

    Failure Tolerance

    Considers the degree to which stakeholders are risk tolerant and if teams are capable of turning failures into learning outcomes.

    Why are these important?

    These key attributes function as qualities or characteristics that, when improved, will successively increase the degree to which the business trusts your Agile teams’ ability to meet their objectives.

    Systematically improving these attributes as you graduate levels of the adoption model allows the business to acclimatize to the increased capability the Agile team is offering, and the risk of culture clash with the larger organization decreases.

    Start to consider at what level of adoption each of your service offerings become useful. This will allow you to standardize the way your Agile teams interact with the CoE.

    Activity: Further categorize your use cases within the Agile adoption model

    2.1.1 1.5 Hours

    Input

    • List of service offerings

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. Gather the list of your categorized use cases.
    2. Based on Info-Tech’s Agile adoption model, categorize which use cases would be useful to help the Agile team graduate to the next level of adoption.
      • Conceptualize: Begin to document your workflow or value chain, implement a tracking system for KPIs, and gather metrics and report them transparently to the appropriate stakeholders.
      • Iterate: Use collected metrics to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.
      • Collaborate: Use information to drive changes and adopt appropriate Agile practices to make incremental improvements to the existing environment.
      • Empower: Drive behavioral and cultural changes that will empower teams to be accountable for their own successes given the appropriate resources.
      • Innovate: Use your built-up trust to begin to make calculated risks and innovate more, driving new best practices into the CoE.

    The same service offering could be offered at different levels of adoption. In these cases, you will need to re-visit the use case and differentiate how the service (if at all) will be delivered at different levels of adoption.

    1. Use this opportunity to brainstorm alternative or new use cases for any gaps identified. It is the CoEs goal to assist teams at every level of adoption to meet their business objectives. Use a different colored sticky note for these so you can re-visit and map out their inputs, outputs, metrics, etc.

    Activity: Further categorize your use cases within the Agile adoption model (continued)

    2.1.1 1.5 Hours

    Input

    • List of service offerings

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team

    Example:

    Service Offerings
    Level 5: Innovate
    Level 4: Empower
    Level 3: Collaborate Coaching -- Communications Training
    Level 2: Iterate Tooling Standards
    Level 1: Conceptualize

    Learning Facilitation

    Draw on the service offerings identified in activity 1.2.4

    Phase 2, Step 2: Create an ACE engagement plan

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.2.1 Create an engagement plan for each level of adoption.

    Outcomes:

    • Understand the importance of aligning with the functional expectations of your ACE customers.
    • Understand the relationship between engagement and continuous improvement.
    • Create an engagement plan for each level of adoption to standardize the way customers interact with the ACE.

    Enable Agile teams to interface with ACE service offerings to meet their business objectives

    A Center of Excellence aligned with your service offerings is only valuable if your CoEs customers can effectively access those services. At this stage, you have invested in ensuring that your CoE aligns to your business objectives and that your service offerings align to its customers. Now you need to ensure that these services are accessible in the day-to-day operation of your Agile teams.

    Engagement Process → Service Offering

    Use backwards induction from your delivery method to the service offering. This is an effective method to determine the optimal engagement action for the CoE, as it considers the end customer as the driver for best action for every possible situation.

    Info-Tech Insight

    Your engagement process should be largely informed by your ACE users. Teams have constraints as well as in-the-trenches concerns and issues. If your service offerings don’t account for these, it can lead to rejection of the culture you are trying to inspire.

    Show the way, do not dictate

    Do not fix problems for your Agile teams, give them the tools and knowledge to fix the problems themselves.

    Facilitate learning to drive success

    A primary function of your ACE is to transfer knowledge to Agile teams to increase their capability to achieve desired outcomes.

    While this can take the form of coaching, training sessions, libraries, and wikis, a critical component of ACE is creating interactions where individuals from Agile teams can come together and share their knowledge.

    Ideas come from different experiences. By creating communities of practice (CoP) around topics that the ACE is tasked with supporting (e.g. Agile business analysts), you foster social learning and decrease the likelihood that change will result in some sort of cultural rejection.

    Consider whether creating CoPs would be beneficial in your organization’s context.

    "Communities of practice are a practical way to frame the task of managing knowledge. They provide a concrete organizational infrastructure for realizing the dream of a learning organization." – Etienne Wenger, Digital Habitats: Stewarding technology for communities

    A lack of top-down support will result in your ACE being underutilized

    Top-down support is critical to validate the CoE to its customers and ensure they feel compelled to engage with its services. Relevancy is a real concern for the long-term viability of a CoE and championing its use from a position of authority will legitimize its function and deter its fading from relevancy of day-to-day use for Agile teams.

    Although you are aligning your engagement processes to the customers of your Agile Center of Excellence, you still need your key influencers to champion its lasting organizational relevancy. Don’t let your employees think the ACE is just a coordinating body or a committee that is convenient but non-essential – make sure they know that it drives their own personal growth and makes everyone better as a collective.

    "Even if a CoE is positioned to meet a real organizational need, without some measure of top-down support, it faces an uphill battle to remain relevant and avoid becoming simply one more committee in the eyes of the wider organization. Support from the highest levels of the organization help fight the tendency of the larger organization to view the CoE as a committee with no teeth and tip the scales toward relevancy for the CoE." – Joe Shepley, VP and Practice Lead, Doculabs

    Info-Tech Insight

    Stimulate top-down support with internal certifications. This allows your employees to gain accreditation while at the same time encouraging top-down support and creating a compliance check for the continual delivery and acknowledgement of your evolving best practices.

    Ensure that best practices and lessons learned are injected back into the ACE

    For your employees to continuously improve, so must the Center of Excellence. Ensure the ACE has the appropriate mechanisms to absorb and disseminate best practices that emerge from knowledge transfer facilitation events.

    Facilitated Learning Session →Was the localized adaption well received by others in similar roles? →Document Localized Adaptation →Is there broad applicability and benefit to the proposed innovation? →CoE Absorbs as Best Practice

    Continuous improvement starts with the CoE

    While facilitating knowledge transfer is key, it is even more important that the Center of Excellence can take localized adaptations from Agile teams and standardize them as best practices when well received. If an individual were to leave without sharing their knowledge, the CoE and the larger organization will lose that knowledge and potential innovation opportunities.

    Experience matters

    To organically grow your ACE and be cost effective, you want your teams to continuously improve and to share that knowledge. As individual team members develop and climb the adoption model, they should participate as coaches and champions for less experienced groups so that their knowledge is reaching the widest audience possible.

    Case study: Agile learning at Spotify

    CASE STUDY

    Industry Digital Media

    Source Henrik Kniberg & Anders Ivarsson, 2012

    Methods of Agile learning at Spotify

    Spotify has continuously introduced innovative techniques to facilitate learning and ensure that that knowledge gets injected back into the organization. Some examples are the following:

    • Hack days: Self-organizing teams, referred to as squads, come together, try new ideas, and share them with their co-workers. This facilitates a way to stay up to date with new tools and techniques and land new product innovations.
    • Coaching: Every squad has access to an Agile coach to help inject best practices into their workflow – coaches run retrospectives, sprint planning meetings, facilitate one-on-one coaching, etc.
    • Tribes: Collections of squads that hold regular gatherings to show the rest of the tribe what they’ve been working on so others can learn from what they are doing.
    • Chapters: People with similar skills within a tribe come together to discuss their area of expertise and their specific challenges.
    • Guilds: A wide-reaching community of interest where members from different tribes can come together to share knowledge, tools, and codes, and practice (e.g. a tester guild, an Agile coaching guild).

    The image shows the Spotify model, with two sections, each labelled Tribe, and members from within each Tribe gathered together in a section labelled Guild.

    "As an example of guild work, we recently had a ‘Web Guild Unconference,’ an open space event where all web developers at Spotify gathered up in Stockholm to discuss challenges and solutions within their field."

    Activity: Create an engagement plan for each level of adoption

    2.2.1 30 Minutes per role

    Input

    • Categorized use cases

    Output

    • Role-based engagement plans

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. On the top bar, define the role you are developing the engagement plan for. This will give you the ability to standardize service delivery across all individuals in similar roles.
    2. Import your categorized service offerings for each level of adoption that you think are applicable to the given role.
    3. Using backwards induction, determine the engagement processes that will ensure that those service offerings are accessible and fit the day-to-day operations of the role.
    4. Fill in the template available on the next slide with each role’s engagement plan.

    Document results in the ACE Communications Deck.

    Example engagement plan: Developer

    2.2.1 30 Minutes per role

    Role: Developer
    Level 1 Level 2 Level 3 Level 4 Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    3. Learning Facilitation
    1. Tooling Standards
    2. Learning Facilitation
    1. Communications Training
    2. Learning Facilitation
    1. Subject-Matter Expertise
    2. Coaching
    1. Knowledge Management
    Engagement Process
    1. Based on service request or need identified by dev. manager.
    2. Based on service request or need identified by dev. manager.
    3. Weekly mandatory community of practice meetings.
    1. When determined to have graduated to level 2, receive standard Agile tooling standards training.
    2. Weekly mandatory community of practice meetings.
    1. When determined to have graduated to level 3, receive standard Agile communications training.
    2. Weekly mandatory community of practice meetings
    1. Peer-based training on how to effectively self-organize.
    2. Based on service request or need identified by dev. manager.
    1. Review captured key learnings from last and have CoE review KPIs related to any area changed.

    Example engagement plan: Tester

    2.2.1 30 Minutes per role

    Role: Tester
    Level 1Level 2Level 3Level 4Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    1. Product Training
    2. Communications Training
    1. Communications Training
    2. Learning Facilitation
    1. Subject-Matter Expertise
    2. Coaching
    1. Tooling Standards
    2. Training
    3. Coaching
    Engagement Process
    1. Based on service request or need identified by dev. manager.
    1. Weekly mandatory community of practice meetings.
    2. Provide training on effective methods for communicating with development teams based on organizational best practices.
    1. When determined to have graduated to level 3, receive standard training based on organizational testing best practices. Weekly mandatory community of practice meetings.
    1. Peer-to-peer training with level 5 certified coach.
    2. Based on service request or need identified by dev. manager. .
    1. Periodic updates of organizational tooling standards based on community of practice results.
    2. Automation training.
    3. Provide coaching to level 1 developers on a rotating basis to develop facilitation skills.

    Example engagement plan: Product Owner

    2.2.1 30 Minutes per role

    Role: Product Owner
    Level 1 Level 2 Level 3 Level 4 Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    1. Coaching
    2. Learning Facilitation
    1. Coaching
    2. Communications Training
    3. Learning Facilitation
    1. Coaching
    2. Learning Facilitation
    1. Coaching
    2. Learning Facilitation
    Engagement Process
    1. Provide onboarding materials for Agile product owners.
    2. Provide bi-weekly reviews and subsequent guidance at the end of retrospective processes.
    1. Provide monthly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings
    1. When determined to have graduated to level 3, receive standard training based on organizational testing best practices.
    2. Bi-weekly mandatory community of practice meetings.
    1. Provide monthly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings
    1. Provide quarterly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings

    Phase 2, Step 3: Define metrics to measure success

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.3.1 Define existing team-level metrics.

    2.3.2 Define metrics that align with your Agile business objectives.

    2.3.3 Define target ACE performance metrics.

    2.3.4 Define Agile adoption metrics.

    2.3.5 Consolidate your metrics for stakeholder impact.

    2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.

    Outcomes:

    • Understand the importance of aligning with the functional expectations of your ACE customers.
    • Understand the relationship between engagement and continuous improvement.
    • Create an engagement plan for each level of adoption to standardize the way customers interact with the ACE.

    Craft metrics that will measure the success of your Agile teams

    Quantify measures that demonstrate the effectiveness of your ACE by establishing distinct metrics for each of your service offerings. This will ensure that you have full transparency over the outputs of your CoE and that your service offerings maintain relevance and are utilized.

    Questions to Ask

    1. What are leading indicators of improvements that directly affect the mandate of the CoE?
    2. How do you measure process efficiency and effectiveness?

    Creating meaningful metrics

    Specific

    Measureable

    Achievable

    Realistic

    Time-bound

    Follow the SMART framework when developing metrics for each service offering.

    Adhering to this methodology is a key component of the lean management methodology. This framework will help you avoid establishing general metrics that aren’t relevant.

    "It’s not about telling people what they are doing wrong. It’s about constantly steering everyone on the team in the direction of success, and never letting any individual compromise the progress of the team toward success." – Mary Poppendieck, qtd. in “Questioning Servant Leadership”

    For important advice on how to avoid the many risks associated with metrics, refer to Info-Tech’s Select and Use SDLC Metrics Effectively.

    Ensure your metrics are addressing criteria from different levels of stakeholders and enterprise context

    There will be a degree of overlap between the metrics from your business objectives, service offerings, and existing Agile teams. This is a positive thing. If a metric can speak to multiple benefits it is that much more powerful in commuting successes to your key stakeholders.

    Existing metrics

    Business objective metrics

    Service offering metrics

    Agile adoption metrics

    Finding points of overlap means that you have multiple stakeholders with a vested interest in the positive trend of a specific metric. These consolidated metrics will be fundamental for your CoE as they will help build consensus through communicating the success of the ACE in a common language for a diverse audience.

    Activity: Define existing team-level metrics

    2.3.1 1 Hour

    Input

    • Current metrics

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. Gather any metrics related documentation that you collected during your requirements gathering in Phase 1.
    2. Collect team-level metrics for your existing Agile teams:
      • Examine outputs from any feedback mechanisms you have (satisfaction surveys, emails, existing SLAs, burndown charts, resourcing costs, licensing costs per sprint, etc.).
      • Look at historical trends and figures when available. Be careful of frequent anomalies as these may indicate a root cause that needs to be addressed.
      • Explore the definition of specific metrics across different functional teams to ensure consistency of measurement and reporting.
    Team Objective Expected Benefits Metrics
    Improve productivity
    • Improve transparency with business decisions
    • Team burndown and velocity
    • Number of releases per milestone
    Increase team morale and motivation
    • Teams are engaged and motivated to develop new opportunities to deliver more value quicker.
    • Team satisfaction with Agile environment
    • Degree of engagement in ceremonies
    Improve transparency with business decisions
    • Teams are engaged and motivated to develop new opportunities to deliver more value quicker.
    • Stakeholder satisfaction with completed product
    • Number of revisions to products in demonstrations

    Activity: Define metrics that align with your Agile business objectives

    2.3.2 1 Hour

    Input

    • Organizational business objectives from Phase 1

    Output

    • Metrics aligned to organizational business objectives

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. List the business objectives that you determined in 1.1.2.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of completing those business objectives, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your business objectives. While engaging in this process, ensure to document the collection method for each metrics.
    Business Objectives Expected Benefits Metrics
    Decrease time-to-market of product releases
    • Faster feedback from customers.
    • Increased customer satisfaction.
    • Competitive advantage.
    Decrease time-to-market of product releases
    • Alignment to organizational best practices.
    • Improved team productivity.
    • Greater collaboration across functional teams.
    • Policy and practice adherence and acknowledgement
    • Number of requests for ACE services
    • Number of suggestions to improve Agile best practices and ACE operations

    Activity: Define target ACE performance metrics

    2.3.3 1 Hour

    Input

    • Service offerings
    • Satisfaction surveys
    • Usage rates

    Output

    • CoE performance metrics

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. Define metrics to measure the success of each of your service offerings.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of those service offerings, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your service offerings.
    4. Compare these to your team performance metrics.
    Service Offering Expected Benefits Metrics
    Knowledge management
    • Comprehensive knowledgebase that accommodates various company products and office locations.
    • Easily accessible resources.
    • Number of practices extracted from ACE and utilized
    • Frequency of updates to knowledgebase
    Tooling standards
    • Tools adhere to company policies, security guidelines, and regulations.
    • Improved support of tools and technologies.
    • Tools integrate and function well with enterprise systems.
    • Number of teams and functional groups using standardized tools
    • Number of supported standardized tools
    • Number of new tools added to the standards list
    • Number of tools removed from standards list

    Activity: Define Agile adoption metrics

    2.3.4 1 Hour

    Input

    • Agile adoption model

    Output

    • Agile adoption metrics
    1. Define metrics to measure the success of each of your service offerings.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of those service offerings, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your service offerings.
    4. It is possible that you will need to adjust these metrics after baselines are established when you begin to operate the ACE. Keep this in mind moving forward.
    Adoption attributes Expected Benefits Metrics
    Team organization
    • Acquisition of the appropriate roles and skills to successfully deliver products.
    • Degree of flexibility to adjust team compositions on a per project basis
    Team coordination
    • Ability to successfully undertake large and complex projects involving multiple functional groups.
    • Number of ceremonies involving teams across functional groups
    Business alignment
    • Increased delivery of business value from process optimizations.
    • Number of business-objective metrics surpassing targets
    Coaching
    • Teams are regularly trained with new and better best practices.
    • Number of coaching and training requests
    Empowerment
    • Teams can easily and quickly modify processes to improve productivity without following a formal, rigorous process.
    • Number of implemented changes from team retrospectives
    Failure tolerance
    • Stakeholders trust teams will adjust when failures occur during a project.
    • Degree of stakeholder trust to address project issues quickly and effectively

    Activity: Consolidate your metrics for stakeholder impact

    2.3.5 30 Minutes

    Input

    • New and existing Agile metrics

    Output

    • Consolidated Agile metrics

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. Take all the metrics defined from the previous activities and compare them as a group.
    2. If there are overlapping metrics that are measuring similar outcomes or providing similar benefits, see if there is a way to merge them together so that a single metric can report outcomes to multiple stakeholders. This reduces the amount of resources invested in metrics gathering and helps to show consensus or alignment between multiple stakeholder interests.
    3. Compare these to your existing Agile metrics, and explore ways to consolidate existing metrics that are established with some of your new metrics. Established metrics are trusted and if they can be continued it can be viewed as beneficial from a consensus and consistency perspective to your stakeholders.

    Activity: Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value

    2.3.6 1 Hour

    Purpose

    The CoE governance team can use this tool to take ownership of the project’s benefits, track progress, and act on any necessary changes to address gaps. In the long term, it can be used to identify whether the team is ahead, on track, or lagging in terms of benefits realization.

    Steps

    1. Enter your identified metrics from the following activities into the ACE Benefits Tracking Tool.
    2. Input your baselines from your data collection (Phase 3) and a goal value for each metric.
    3. Document the results at key intervals as defined by the tool.
    4. Use the summary report to identify metrics that are not tracking well for root cause analysis and communicate with key stakeholders the outcomes of your Agile Center of Excellence based on your communication schedule from Phase 3, Step 3.

    INFO-TECH DELIVERABLE

    Download the ACE Benefits Tracking Tool.

    Checkpoint: Are you ready to operate your ACE?

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Self Auditing Guidelines

    • Have you categorized your ACE service offerings within Info-Tech’s Agile adoption model?
    • Have you formalized engagement plans to standardize the access to your service offerings?
    • Do you understand the function of learning events and their criticality to the function of the ACE?
    • Do you understand the key attributes of Agile adoption and how social capital leads to optimized value delivery?
    • Have you defined metrics for different goals (adoption, effective service offerings, business objectives) of the ACE?
    • Do your defined metrics align to the SMART framework?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 Further categorize your use cases within the Agile adoption model

    Our analyst team will help you categorize the Centers of Excellence service offerings within Info-Tech’s Agile adoption model to help standardize the way your organization engages with the Center of Excellence.

    2.2.1 Create an engagement plan for each level of adoption

    Our analyst team will help you structure engagement plans for each role within your Agile environment to provide a standardized pathway to personal development and consistency in practice.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    2.3.2 Define metrics that align with your Agile business objectives

    Our analysts will walk you through defining a set of metrics that align with your Agile business objectives identified in Phase 1 of the blueprint so the CoEs monitoring function can ensure ongoing alignment during operation.

    2.3.3 Define target ACE performance metrics

    Our analysts will walk you through defining a set of metrics that monitors how successful the ACE has been at providing its services so that business and IT stakeholders can ensure the effectiveness of the ACE.

    2.3.4 Define Agile adoption metrics

    Our analyst team will help you through defining a set of metrics that aligns with your organization’s fit of the Agile adoption model in order to provide a mechanism to track the progress of Agile teams maturing in capability and organizational trust.

    Phase 3

    Operationalize Your Agile Center of Excellence

    Spread Best Practices With an Agile Center of Excellence

    Operate your ACE to drive optimized value from your Agile teams

    The final step is to engage in monitoring of your metrics program to identify areas for improvement. Using metrics as a driver for operating your ACE will allow you to identify and effectively manage needed change, as well as provide you with the data necessary to promote outcomes to your stakeholders to ensure the long-term viability of the ACE within your organization.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Operate the CoE

    Proposed Time to Completion (in weeks): Variable depending on communication plan

    Step 3.1: Optimize the success of your ACE

    Start with an analyst kick off call:

    • Conduct a baseline assessment of your Agile environment.

    Then complete these activities…

    3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.

    3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.

    3.1.3 Prioritize ACE actions by monitoring your metrics.

    Step 3.2: Plan change to enhance your Agile initiatives

    Start with an analyst kick off call:

    • Interface with the ACE with your change management function.

    Then complete these activities…

    3.2.1 Assess the interaction and communication points of your Agile teams.

    3.2.2 Determine the root cause of each metric falling short of expectations.

    3.2.3 Brainstorm solutions to identified issues.

    3.2.4 Review your metrics program.

    3.2.5 Create a communication plan for change.

    Step 3.3: Conduct ongoing retrospectives of your ACE

    Finalize phase deliverable:

    • Build a communications deck for key stakeholders.

    Then complete these activities…

    3.3.1 Use the outputs from your metrics tracking tool to communicate progress.

    3.3.2 Summarize adjustments in areas where the ACE fell short.

    3.3.3 Review the effectiveness of your service offerings.

    3.3.4 Evaluate your ACE Maturity.

    3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.

    Phase 3 Results & Insights:

    Inject improvements into your Agile environment with operational excellence. Plan changes and communicate them effectively, monitor outcomes on a regular basis, and keep stakeholders in the loop to ensure that their interests are being looked after to ensure long-term viability of the CoE.

    Phase 3, Step 1: Optimize the success of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Tools:

    3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.

    3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.

    3.1.3 Prioritize ACE actions by monitoring your metrics.

    Outcomes:

    • Conduct a baseline assessment of your ACE to measure against using a variety of data sources, including interviews, satisfaction surveys, and historical data.
    • Use the Benefits Tracking Tool to start monitoring the outcomes of the ACE and to keep track of trends.

    Ensure the CoE is able to collect the necessary data to measure success

    Establish your collection process to ensure that the CoE has the necessary resources to collect metrics and monitor progress, that there is alignment on what data sources are to be used when collecting data, and that you know which stakeholder is interested in the outcomes of that metric.

    Responsibility

    • Does the CoE have enough manpower to collect the metrics and monitor them?
    • If automated through technology, is it clear who is responsible for its function?

    Source of metric

    • Is the method of data collection standardized so that multiple people could collect the data in the same way?

    Impacted stakeholder

    • Do you know which stakeholder is interested in this metric?
    • How often should the interested stakeholder be informed of progress?

    Intended function

    • What is the expected benefit of increasing this metric?
    • What does the metric intend to communicate to the stakeholder?

    Conduct a baseline assessment of your ACE to measure success

    Establishing the baseline performance of the ACE allows you to have a reasonable understanding of the impact it is having on meeting business objectives. Use user satisfaction surveys, stakeholder interviews, and any current metrics to establish a concept of how you are performing now. Setting new metrics can be a difficult task so it is important to collect as much current data as possible. After the metrics have been established and monitored for a period of time, you can revisit the targets you have set to ensure they are realistic and usable.

    Without a baseline, you cannot effectively:

    • Establish reasonable target metrics that reflect the performance of your Center of Excellence.
    • Identify, diagnose, and resolve any data that deviates from expected outcomes.
    • Measure ongoing business satisfaction given the level of service.

    Info-Tech Insight

    Invest the needed time to baseline your activities. These data points are critical to diagnose successes and failures of the CoE moving forward, and you will need them to be able to refine your service offerings as business conditions or user expectations change. While it may seem like something you can breeze past, the investment is critical.

    Use a variety of sources to get the best picture of your current state; a combination of methods provides the richest insight

    Interviews

    What to do:

    • Conduct interviews (or focus groups) with key influencers and Agile team members.

    Benefits:

    • Data comes from key business decision makers.
    • Identify what is top of mind for your top-level stakeholders.
    • Ask follow-up questions for detail.

    Challenges:

    • This will only provide a very high-level view.
    • Interviewer biases may skew the results.

    Surveys

    What to do:

    • Distribute an Agile-specific stakeholder satisfaction survey. The survey should be specific to identify factors of your current environment.

    Benefits:

    • Every end user/business stakeholder will be able to provide feedback.
    • The survey will be simple to develop and distribute.

    Challenges:

    • Response rates can be low if stakeholders do not understand the value in their opinions.

    Historical Data

    What to do:

    • Collect and analyze existing Agile data such as past retrospectives, Agile team metrics, etc.

    Benefits:

    • Get a full overview of current service offerings, past issues, and current service delivery.
    • Allows you to get an objective view of what is really going on within your Agile teams.

    Challenges:

    • Requires a significant time investment and analytical skills to analyze the data and generate insights on business satisfaction and needs.

    Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline

    3.1.1 Baseline satisfaction survey

    Purpose

    Conduct a user satisfaction survey prior to setting your baseline for your ACE. This will include high-level questions addressing your overall Agile environment and questions addressing teams’ current satisfaction with their processes and technology.

    Steps

    1. Modify the satisfaction survey template to suit your organization and the service offerings you have defined for the Agile Center of Excellence.
    2. Distribute the satisfaction survey to any users who are expected to interface with the ACE.
    3. Document the results and communicate them with the relevant key stakeholders.
    4. Combine these results with historical data points (if available) and stakeholder interviews to get a holistic picture of your current state.

    INFO-TECH DELIVERABLE

    Download the ACE Satisfaction Survey.

    Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE

    3.1.2 CoE maturity assessment

    Purpose

    Assessing your ACEs maturity lets you know where they currently are and what to track to get them to the next step. This will help ensure your ACE is following good practices and has the appropriate mechanisms in place to serve your stakeholders.

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your maturity score.
    3. Document the results and communicate them with the relevant key stakeholders.
    4. Combine these results with historical data points (if available) and stakeholder interviews to get a holistic picture of your ACE maturity level.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    Download the CoE Maturity Diagnostic Tool.

    Activity: Prioritize ACE actions by monitoring your metrics

    3.1.3 Variable time commitment

    Input

    • Metrics from ACE Benefits Tracking Tool

    Output

    • Prioritized actions for the ACE

    Materials

    • ACE Benefits Tracking Tool

    Participants

    • ACE team
    1. Review your ACE Benefits Tracking Tool periodically (at the end of sprint cycles, quarterly, etc.) and document metrics that are trending or actively falling short of goals or expectations.
    2. Take the documented list and have the ACE staff consider what actions or decisions can be prioritized to help mend the identified gaps. Look for any trends that could potentially speak to a larger problem or a specific aspect of the ACE or the organizational Agile environment that is not functioning as expected.
    3. Take the opportunity to review metrics that are also tracking above expected value to see if there are any lessons learned that can be extended to other ACE service offerings (e.g. effective engagement or communication strategies) so that the organization can start to learn what is effective and what is not based on their internal struggles and challenges. Spreading successes is just as important as identifying challenges in a CoE model.

    Phase 3, Step 2: Plan change to enhance your Agile initiatives

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    3.2.1 Assess the interaction and communication points of your Agile teams.

    3.2.2 Determine the root cause of each metric falling short of expectations.

    3.2.3 Brainstorm solutions to identified issues

    3.2.4 Review your metrics program.

    3.2.5 Create a communication plan for change.

    Outcomes:

    • Understand how your existing change management process interfaces with the Center of Excellence.
    • Identify issues and ideate solutions to metrics falling short of expectations.
    • Create a communication plan to prepare groups for any necessary change.

    Manage the adaptation of teams as they adopt Agile capabilities

    As Agile spreads, be cognizant of your cultural tolerance to change and its ability to deliver on such change. Change will happen more frequently and continuously, and there may be conceptual (change tolerance) or capability (delivery tolerance) roadblocks along the way that will need to be addressed.

    The Agile adoption model will help to graduate both the tolerance to change and tolerance to deliver over time. As your level of competency to deliver change increases, organizational tolerance to change, especially amongst management, will increase as well. Remember that optimized value delivery comes from this careful balance of aptitude and trust.

    Tolerance to change

    Tolerance to change refers to the conceptual capacity of your people to consume and adopt change. Change tolerance may become a barrier to success because teams might be too engrained with current structures and processes and find any changes too disruptive and uncomfortable.

    Tolerance to deliver

    Tolerance to deliver refers to the capability to deliver on expected change. While teams may be tolerant, they may not have the necessary capacity, skills, or resources to deliver the necessary changes successfully. The ACE can help solve this problem with training and coaching, or possibly by obtaining outside help where necessary.

    Understand how the ACE interfaces with your current change management process

    As the ACE absorbs best practices and identifies areas for improvement, a change management process should be established to address the implementation and sustainability of change without introducing significant disruptions and costs.

    To manage a continuously changing environment, your ACE will need to align and coordinate with organizational change management processes. This process should be capable of evaluating and incorporating multiple change initiatives continuously.

    Desired changes will need to be validated, and localized adaptations will need to be disseminated to the larger organization, and current state policy and procedures will need to be amended as the adoption of Agile spreads and capabilities increase.

    The goal here is to have the ACE governance group identify and interface with parties relevant to successfully implementing any specific change.

    INFO-TECH RELATED RESEARCH:

    Strategy and Leadership: Optimize Change Management

    Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.

    Where should your Agile change requests come from?

    Changes to the services, structure, or engagement model of your ACE can be triggered from various sources in your organization. You will see that proposed changes may be requested with the best intentions; however, the potential impacts they may have to other areas of the organization can be significant. Consult all sources of ACE change requests to obtain a consensus that your change requests will not deteriorate the ACEs performance and use.

    ACE Governance

    • Sources of ACE Change Requests
      • ACE Policies/Stakeholders
        • Triggers for Change:
          • Changes in business and functional group objectives.
          • Dependencies and legacy policies and procedures.
      • ACE Customers
        • Triggers for Change:
          • Retrospectives and post-mortems.
          • Poor fit of best practices to projects.
      • Metrics
        • Triggers for Change:
          • Performance falling short of expectations.
          • Lack of alignment with changing objectives.
      • Tools and Technologies
        • Triggers for Change:
          • New or enhanced tools and technologies.
          • Changes in development and technology standards.

    Note: Each source of ACE change requests may require a different change management process to evaluate and implement the change.

    Activity: Assess the interaction and communication points of your Agile teams

    3.2.1 1.5 Hours

    Input

    • Understanding of team and organization structure

    Output

    • Current assessment of organizational design

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Development team
    1. Identify everyone who is directly or indirectly involved in projects completed by Agile teams. This can include those that are:
    • Informed of a project’s progress.
    • Expected to interface with the Agile team for solution delivery (e.g. DevOps).
    • Impacted by the success of the delivered solutions.
    • Responsible for the removal of impediments faced by the Agile team.
  • Indicate how each role interacts with the others and how frequently these interactions occur for a typical project. Do this by drawing a diagram on a whiteboard using labelled arrows to indicate types and frequency of interactions.
  • Identify the possible communication, collaboration, and alignment challenges the team will face when working with other groups.
  • Agile Team n
    Group Type of Interaction Potential challenges
    Operations
    • Release management
    • Past challenges transitioning to DevOps.
    • Communication barrier as an impediment.
    PMO
    • Planning
    • Product owner not located with team in organization.
    • PMO still primarily waterfall; need Agile training/coaching

    Activity: Determine the root cause of each metric falling short of expectations

    3.2.2 30 Minutes per metric

    Input

    • Metrics from Benefits Tracking Tool

    Output

    • Root causes to issues

    Materials

    • Whiteboard
    • Markers

    Participants

    • ACE team
    1. Take each metric from the ACE Benefits Tracking Tool that is lagging behind or has missed expectations and conduct an analysis of why it is performing that way.
    2. Conduct individual webbing sessions to clarify the issues. The goal is to drive out the reasons why these issues are present or why scaling Agile may introduce additional challenges.
    3. Share and discuss these findings with the entire team.

    Example:

    • Lack of best-practice documentation
      • Why?
        • Knowledge siloed within teams
        • No centralized repository for best practices
          • Why?
            • No mechanisms to share between teams
              • Why? Root causes
                • Teams are not sharing localized adaptations
                • CoE is not effectively monitoring team communications
            • Access issues at team level to wiki
              • Why? Root causes
                • Administration issues with best-practice wiki
                • Lack of ACE visibility into wiki access

    Activity: Brainstorm solutions to identified issues

    3.2.3 30 Minutes per metric

    Input

    • Root causes of issues

    Output

    • Fixes and solutions to scaling Agile issues

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Development team
    1. Using the results from your root-cause analysis, brainstorm potential solutions to the identified problems. Frame your brainstorming within the following perspectives: people, process, and technology. Map these solutions using the matrix below.
    2. Synthesize your ideas to create a consolidated list of initiatives.
      1. Highlight the solutions that can address multiple issues.
      2. Collaborate on how solutions can be consolidated into a single initiative.
    3. Write your synthesized solutions on sticky notes.
    SOLUTION CATEGORY
    People Process Technology
    ISSUES Poor face-to-face communication
    Lack of best-practice documentation

    Engage those teams affected by change early to ensure they are prepared

    Strategically managing change is an essential component to ensure that the ACE achieves its desired function. If the change that comes with adopting Agile best practices is going to impact other functions and change their expected workflows, ensure they are well prepared and the benefits for said changes are clearly communicated to them.

    Necessary change may be identified proactively (dependency assessments, system integrity, SME indicates need, etc.) or reactively (through retrospectives, discussions, completing root-cause analyses, etc.), but both types need to be handled the same way – through proper planning and communication with the affected parties.

    Plan any necessary change

    Understand the points where other groups will be affected by the adoption of Agile practices and recognize the potential challenges they may face. Plan changes to accommodate interactions between these groups without roadblocks or impediments.

    Communicate the change

    Structure a communication plan based on your identified challenges and proposed changes so that groups are well prepared to make the necessary adjustments to accommodate Agile workflows.

    Review and modify your metrics and baselines to ensure they are achievable in changing environments

    Consider the possible limitations that will exist from environmental complexities when measuring your Agile teams. Dependencies and legacy policies and procedures that pose a bottleneck to desired outcomes will need to be changed before teams can be measured justifiably. Take the time to ensure the metrics you crafted earlier are plausible in your current environment and there is not a need for transitional metrics.

    Are your metrics achievable?

    Specific

    Measureable

    Achievable

    • Adopting Agile is a journey, not just a destination. Ensure that the metrics a team is measured against reflect expectations for the team’s current level of Agile adoption and consider external dependencies that may limit their ability to achieve intended results.

    Realistic

    Time-bound

    Info-Tech Insight

    Use metrics as diagnostics, not as motivation. Teams will find ways to meet metrics they are measured by making sacrifices and taking unneeded risk to do so. To avoid dysfunction in your monitoring, use metrics as analytical tools to inform decision making, not as a yardstick for judgement.

    Activity: Review your metrics program

    3.2.4 Variable time commitment

    Input

    • Identified gaps
    • Agile team interaction points

    Output

    • ACE baselines
    • Past measurements

    Materials

    • ACE Benefits Tracking Tool

    Participants

    • ACE
    1. Now that you have identified gaps in your current state, see if those will have any impact on the achievability of your current metrics program.
    2. Review your root-cause analyses and brainstormed solutions, and hypothesize whether or not they will have any downstream impact to goal attainment. It is possible that there is no impact, but as cross-functional collaboration increases, the likelihood that groups will act as bottlenecks or impediments to expected performance will increase.
    3. Consider how any changes will impact the interaction points between teams based on the results from activity 3.2.1: Assess the interaction and communication points of your Agile teams. If there are too many negative impacts it may be a sign to re-consider the hypothesized solution to the problem and consider alternatives.
    4. In any cases where a metric has been altered, adjust its goal measurement to reflect its changes in the ACE Benefits Tracking Tool.

    Case study: Agile change at the GSA

    CASE STUDY

    Industry Government

    Source Navin Vembar, Agile Government Leadership

    Challenge

    The GSA is tasked with completed management of the Integrated Award Environment (IAE).

    • The IAE manages ten federal information technology systems that enable registering, searching, and applying for federal awards, as well as tracking them.
    • The IAE also manages the Federal Service Desk.

    The IAE staff had to find a way to break down the problem of modernization into manageable chunks that would demonstrate progress, but also had to be sure to capture a wide variety of user needs with the ability to respond to those needs throughout development.

    Had to work out the logistics of executing Agile change within the GSA, an agency that relies heavily on telework. In the case of modernization, they had a product owner in Florida while the development team was spread across the metro Washington, DC area.

    Solution

    Agile provided the ability to build incremental successes that allowed teams successful releases and built enthusiasm around the potential of adopting Agile practices offered.

    • GSA put in place an organization framework that allowed for planning of change at the portfolio level to enable the change necessary to allow for teams to execute tasks at the project level.
    • A four-year plan with incremental integration points allowed for larger changes on a quarterly basis while maintaining a bi-weekly sprint cycle.
    • They adopted IBM’s RTC tool for a Scrum board and on Adobe Connect for daily Scrum sessions to ensure transparency and effectiveness of outcomes across their collocated teams.

    Create a clear, concise communication plan

    Communication is key to avoid surprises and lost productivity created by the implementation of changes.

    User groups and the business need to be given sufficient notice of an impending change. Be concise, be comprehensive, and ensure that the message is reaching the right audience so that no one is blindsided and unable to deliver what is needed. This will allow them to make appropriate plans to accept the change, minimizing the impact of the change on productivity.

    Key Aspects of a Communication Plan

    • The method of communication (email, meetings, workshops, etc.).
    • The delivery strategy (who will deliver the message?).
    • The communication responsibility structure.
    • The communication frequency.
    • A feedback mechanism that allows you to review the effectiveness of your plan.
    • The message that you need to present.

    Communicating change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    (Cornelius & Associates, The Qualities of Leadership: Leading Change)

    Apply the following principles to enhance the clarity of your message

    1. Be Consistent
    • "This is important because..."
      • The core message must be consistent regardless of audience, channel, or medium.
      • Test your communication and obtain feedback before delivering your message.
      • A lack of consistency can be perceived as deception.
  • Be Clear
    • "This means..."
      • Say what you mean and mean what you say.
      • Choice of language is important.
      • Don’t use jargon.
  • Be Relevant
    • "This affects you because..."
      • Talk about what matters to the audience.
      • Talk about what matters to the change initiative.
      • Tailor the details of the message to each audience’s specific concerns.
      • Communicate truthfully; do not make false promises or hide bad news.
  • Be Concise
    • "In summary..."
      • Keep communication short and to the point so key messages are not lost in the noise.
  • Activity: Create a communication plan for change

    3.2.5 1.5 Hours

    Input

    • Desired messages
    • Stakeholder list

    Output

    • Communication plan

    Materials

    • Whiteboard
    • Markers

    Participants

    • CoE
    1. Define the audience(s) for your communications. Consider who needs to be the audience of your different communication events and how it will impact them.
    2. Identify who the messenger will be to deliver the message.
    3. Identify your communication methods. Decide on the methods you will use to deliver each communication event. Your delivery method may vary depending on the audience it is targeting.
    4. Establish a timeline for communication releases. Set dates for your communication events. This can be recurring (weekly, monthly, etc.) or one-time events.
    5. Determine what the content of the message must include. Use the guidelines on the following slide to ensure the message is concise and impactful.

    Note: It is important to establish a feedback mechanism to ensure that the communication has been effective in communicating the change to the intended audiences. This can be incorporated into your ACE satisfaction surveys.

    Audience Messenger Format Timing Message
    Operations Development team Email
    • Monthly (major release)
    • Ad hoc (minor release and fixes)
    Build ready for release
    Key stakeholders CIO Meeting
    • Monthly unless dictated otherwise
    Updates on outcomes from past two sprint cycles

    Phase 3, Step 3: Conduct ongoing retrospectives of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities/Tools:

    3.3.1 Use the outputs from your metrics tracking tool to communicate progress.

    3.3.2 Summarize adjustments in areas where the ACE fell short.

    3.3.3 Re-conduct satisfaction surveys and compare against your baseline.

    3.3.4 Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.

    Outcomes:

    • Conduct a retrospective of your ACE to enable the continuous improvement of your Agile program.
    • Structure a communications deck to communicate with stakeholders the outcomes from introducing the ACE to the organization.

    Reflect on your ACEs performance to lead the way to enterprise agility

    After functioning for a period of time, it is imperative to review the function of your ACE to ensure its continual alignment and see in what ways it can improve.

    At the end of the year, take the time to deliberately review and discuss:

    1. The effectiveness and use of your ACEs service offerings.
    2. What went well or wrong during the ACEs operation.
    3. What can be done differently to improve reach, usability, and effectiveness.
    4. Bring together Agile teams and discuss the processes they follow and inquire about suggestions for improvement.

    What is involved?

    • Use your metrics program to diagnose areas of issue and success. The diagnostic value of your metrics can help lead conversations with your Agile teams when attempting to inquire about suggestions for improvement.
    • Leverage your satisfaction surveys from the creation of your ACE and compare them against satisfaction surveys run after a year of operation. What are the lessons learned between then and now?
    • While it is primarily conducted by the ACE team, keep in mind it is a collaborative function and should involve all members, including Agile teams, product owners, Scrum masters, etc.

    Communicating with your key influencers is vital to ensure long-term operation of the ACE

    To ensure the long-term viability of your ACE and that your key influencers will continue funding, you need to demonstrate the ROI the Center of Excellence has provided.

    The overlying purpose of your ACE is to effectively align your Agile teams with corporate objectives. This means that there have to be communicable benefits that point to the effort and resources invested being valuable to the organization. Re-visit your prioritized stakeholder list and get ready to show them the impact the ACE has had on business outcomes.

    Communication with stakeholders is the primary method of building and developing a lasting relationship. Correct messaging can build bridges and tear down barriers, as well as soften opposition and bolster support.

    This section will help you to prepare an effective communication piece that summarizes the metrics stakeholders are interested in, as well as some success stories or benefits that are not communicable through metrics to provide extra context to ongoing successes of the ACE.

    INFO-TECH RELATED RESEARCH:

    Strategy and Leadership: Manage Stakeholder Relations

    Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.

    Involve key stakeholders in your retrospectives to justify the funding for your ACE

    Those who fund the ACE have a large influence on the long-term success of your ACE. If you have not yet involved your stakeholders, you need to re-visit your organizational funding model for the ACE and ensure that your key stakeholders include the key decision makers for your funding. While they may have varying levels of interest and desires for granularity of data reporting, they need to at least be informed on a high level and kept as champions of the ACE so that there are no roadblocks to the long-term viability of this program.

    Keep this in mind as the ACE begins to demonstrate success, as it is not uncommon to have additional members added to your funding model as your service scales, especially in the chargeback models.

    As new key influencers are included, the ACEs governing group must ensure that collective interests may align and that more priorities don’t lead to derailment.

    The image shows a matrix. The matrix is labelled with Involvement at the bottom, and Power on the left side, and has the upper left quadrant labelled Keep Satisfied, the upper right quadrant labelled Key players, the lower right quadrant labelled Keep informed, and the lower left quadrant labelled Minimal effort. In the matric, there are several roles shown, with roles such as CFO, Apps Director, Funding Group, and CIO highlighted in the Key players section.

    Use the outputs from your metrics tracking tool to communicate progress

    3.3.1 1 Hour

    Use the ACE Benefits Tracking Tool to track the progress of your Agile environment to monitor whether or not the ACE is having a positive impact on the business’ ability to meet its objectives. The outputs will allow you to communicate incremental benefits that have been realized and point towards positive trends that will ensure the long-term buy-in of your key influencers.

    For communication purposes, use this tool to:

    • Re-visit who the impacted or interested stakeholders are so you can tailor your communications to be as impactful as possible for each key influencer of the ACE.

    The image shows a screen capture of the Agile CoE Metrics Tracking sheet.

    • Collate the benefits of the current projects undertaken by the Center of Excellence to give an overall recap of the ACEs impact.

    The image is a screen capture of the Summary Report sheet.

    Communicate where the ACE fell short

    Part of communicating the effectiveness of your ACE is to demonstrate that it is able to remedy projects and processes when they fall short of expectations and brainstorm solutions that effectively address these challenges. Take the opportunity to summarize where results were not as expected, and the ways in which the ACE used its influence or services to drive a positive outcome from a problem diagnosis. Stakeholders do not want a sugar-coated story – they want to see tangible results based on real scenarios.

    Summarizing failures will demonstrate to key influencers that:

    • You are not cherry-picking positive metrics to report and that the ACE faced challenges that it was able to overcome to drive positive business outcomes.
    • You are being transparent with the successes and challenges faced by the ACE, fostering increased trust within your stakeholders regarding the capabilities of Agile.
    • Resolution mechanisms are working as intended, successfully building failure tolerance and trust in change management policies and procedures.

    Activity: Summarize adjustments in areas where the ACE fell short

    3.3.2 15 Minutes per metric

    Input

    • Diagnosed problems from tracking tool
    • Root-cause analyses

    Output

    • Summary of change management successes

    Materials

    • Whiteboard
    • Markers

    Participants

    • ACE
    1. Create a list of items from the ACE Benefits Tracking Tool that fell short of expectations or set goals.
    2. For each point, create a brief synopsis of the root-cause analysis completed and summarize the brainstormed solution and its success in remedying the issue. If this process is not complete, create a to-date summary of any progress.
    3. Choose two to three pointed success stories from this list that will communicate broad success to your set of stakeholders.
    Name of metric that fell short
    Baseline measurement 65% of users satisfied with ACE services.
    Goal measurement 80% of users satisfied with ACE services.
    Actual measurement 70% of users satisfied with ACE services.
    Results of root-cause analysis Onboarding was not extensive enough; teams were unaware of some of the services offered, rendering them unsatisfied.
    Proposed solution Revamp onboarding process to include capability map of service offered.
    Summary of success TBD

    Re-conduct surveys with the ACE Satisfaction Survey to review the effectiveness of your service offerings

    3.3.3 Re-conduct satisfaction surveys and compare against your baseline

    Purpose

    This satisfaction survey will give you a template to follow to monitor the effectiveness of your ACEs defined service offerings. The goal is to understand what worked, and what did not, so you can add, retract, or modify service offerings where necessary.

    Steps

    1. Re-use the satisfaction survey to measure the effectiveness of the service offerings. Add questions regarding specific service offerings where necessary.
    2. Cross-analyze your satisfaction survey with metrics tied to your service offerings to help understand the root cause of the issues.
    3. Use the root-cause analysis exercises from step 3.2 to find the root causes of issues.
    4. Create a set of recommendations to add, amend, or improve any existing service offerings.

    INFO-TECH DELIVERABLE

    Download the ACE Satisfaction Survey.

    Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    3.3.4 ACE Maturity Assessment

    Purpose

    Assess your ACEs maturity by using Info-Tech’s CoE Maturity Diagnostic Tool. Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements. Note that your optimal Maturity Level will depend on organizational specifics (e.g. a small organization with a handful of Agile Teams can be less mature than a large organization with hundreds of Agile Teams).

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your current Maturity score.
    3. Document the results in the ACE Communications Deck.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    Download the CoE Maturity Diagnostic Tool.

    Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders

    3.3.5 Structure communications to each of your key stakeholders

    Purpose

    The ACE Communications Deck will give you a template to follow to effectively communicate with your stakeholders and ensure the long-term viability of your Agile Center of Excellence. Fill in the slides as instructed and provide each stakeholder with a targeted view of the successes of the ACE.

    Steps

    1. Determine who your target audience is for the Communications Deck – you may desire to create one for each of your key stakeholders as they may have different sets of interests.
    2. Fill out the ACE Communications Deck with the suggested inputs from the exercises you have completed during this research set.
    3. Review communications with members of the ACE to ensure that there are no communicable benefits that have been missed or omitted in the deck.

    INFO-TECH DELIVERABLE

    Download the ACE Communications Deck.

    Summary of accomplishment

    Knowledge Gained

    • An understanding of social capital as the key driver for organizational Agile success, and how it optimizes the value delivery of your Agile teams.
    • Importance of flexible governance to balance the benefits of localized adaptation and centralized control.
    • Alignment of service offerings with both business objectives and functional expectations as critical to ensuring long-term engagement with service offerings.

    Processes Optimized

    • Knowledge management and transfer of Agile best practices to new or existing Agile teams.
    • Optimization of service offerings for Agile teams based on organizational culture and objectives.
    • Change request optimization via interfacing ACE functions with existing change management processes.
    • Communication planning to ensure transparency during cross-functional collaboration.

    Deliverables Completed

    • A set of service offerings offered by the Center of Excellence that are aligned with the business, Agile teams, and related stakeholders.
    • Engagement plans for Agile team members based on a standardized adoption model to access the ACEs service offerings.
    • A suite of Agile metrics to measure effectiveness of Agile teams, the ACE itself, and its ability to deliver positive outcomes.
    • A communications plan to help create cross-functional transparency over pending changes as Agile spreads.
    • A communications deck to communicate Agile goals, actions, and outcomes to key stakeholders to ensure long-term viability of the CoE.

    Research contributors and experts

    Paul Blaney, Technology Delivery Executive, Thought Leader and passionate Agile Advocate

    Paul has been an Agile practitioner since the manifesto emerged some 20 years ago, applying and refining his views through real life experience at several organizations from startups to large enterprises. He has recently completed the successful build out of the inaugural Agile Delivery Centre of Excellence at TD bank in Toronto.

    John Munro, President Scrum Masters Inc.

    John Munro is the President of Scrum Masters Inc., a software optimization professional services firm using Agile, Scrum, and Lean to help North American firms “up skill” their software delivery people and processes. Scrum Masters’ unique, highly collaborative “Master Mind” consulting model leverages Agile/Lean experts on a biweekly basis to solve clients’ technical and process challenges.

    Doug Birgfeld, Senior Partner Agile Wave

    Doug has been a leader in building great teams, Agile project management, and business process innovation for over 20 years. As Senior Partner and Chief Evangelist at Agile Wave, his mission is to educate and to learn from all those who care about effective government delivery, nationally.

    Related Info-Tech research

    Implement Agile Practices That Work

    Agile is a cultural shift. Don't just do Agile, be Agile.

    Enable Organization-Wide Collaboration by Scaling Agile

    Execute a disciplined approach to rolling out Agile methods in the organization.

    Improve Application Development Throughput

    Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

    Implement DevOps Practices That Work

    Accelerate software deployment through Dev and Ops collaboration.

    Related Info-Tech research (continued)

    Maximize the Benefits from Enterprise Applications with a Center of Excellence

    Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    Be proactive; it costs exponentially more to fix a problem the longer it goes unnoticed.

    Optimize the Change Management Process

    Right-size your change management process.

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Bibliography

    Ambler, Scott. “Agile Requirements Change Management.” Agile Modeling. Scott Amber + Associates, 2014. Web. 12 Apr. 2016.

    Ambler, Scott. “Center of Excellence (CoEs).” Disciplined Agile 2.0: A Process Decision Framework for Enterprise I.T. Scott Amber + Associates. Web. 01 Apr. 2016.

    Ambler, Scott. “Transforming From Traditional to Disciplined Agile Delivery.” Case Study: Disciplined Agile Delivery Adoption. Scott Amber + Associates, 2013. Web.

    Beers, Rick. “IT – Business Alignment Why We Stumble and the Path Forward.” Oracle Corporation, July 2013. Web.

    Cornelius & Associates. “The Qualities of Leadership: Leading Change.” Cornelius & Associates, n.d. Web.

    Craig, William et al. “Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report.” Carnegie Mellon University Research Showcase @ CMU – Software Engineering Institute. Dec. 2009. Web. 20 Apr. 2016.

    Forsgren, Dr. Nicole et al (2019), Accelerate: State of DevOps 2019, Google, https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

    Gerardi, Bart (2017), Agile Centers of Excellence, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/405819/Agile-Centers-of-Excellence

    Gerardi, Bart (2017), Champions of Agile Adoption, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/418151/Champions-of-Agile-Adoption

    Gerardi, Bart (2017), The Roles of an Agile COE, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/413346/The-Roles-of-an-Agile-COE

    Hohl, P. et al. “Back to the future: origins and directions of the ‘Agile Manifesto’ – views of the originators.” Journal of Software Engineering Research and Development, vol. 6, no. 15, 2018. https://link.springer.com/article/10.1186/s40411-0...

    Kaltenecker, Sigi and Hundermark, Peter. “What Are Self-Organising Teams?” InfoQ. 18 July 2014. Web. 14 Apr. 2016.

    Kniberg, Henrik and Anderson Ivarsson. “Scaling Agile @ Spotify with Tribes, Squads, Chapters & Guilds.” Oct. 2012. Web. 30 Apr. 2016.

    Kumar, Alok et al. “Enterprise Agile Adoption: Challenges and Considerations.” Scrum Alliance. 30 Oct. 2014. Web. 30 May 2016.

    Levison, Mark. “Questioning Servant Leadership.” InfoQ, 4 Sept. 2008. Web. https://www.infoq.com/news/2008/09/servant_leadership/

    Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.

    Loxton, Matthew (June 1, 2011), CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com

    McDowell, Robert, and Bill Simon. In Search of Business Value: Ensuring a Return on Your Technology Investment. SelectBooks, 2010

    Novak, Cathy. “Case Study: Agile Government and the State of Maine.” Agile Government Leadership, n.d. Web.

    Pal, Nirmal and Daniel Pantaleo. “Services are the Language and Building Blocks of an Agile Enterprise.” The Agile Enterprise: Reinventing your Organization for Success in an On-Demand World. 6 Dec. 2015. Springer Science & Business Media.

    Rigby, Darrell K. et al (2018), Agile at Scale, Harvard Business Review, https://hbr.org/2018/05/agile-at-scale

    Scaledagileframework.com, Create a Lean-Agile Center of Excellence, Scaled Agile, Inc, https://www.scaledagileframework.com/lace/

    Shepley, Joe. “8 reasons COEs fail (Part 2).” Agile Ramblings, 22 Feb. 2010. https://joeshepley.com/2010/02/22/8-reasons-coes-fail-part-2/

    Stafford, Jan. “How upper management misconceptions foster Agile failures.” TechTarget. Web. 07 Mar. 2016.

    Taulli, Tom (2020), RPA Center Of Excellence (CoE): What You Need To Know For Success, Forbes.com, https://www.forbes.com/sites/tomtaulli/2020/01/25/rpa-center-of-excellence-coe-what-you-need-to-know-for-success/#24364620287a

    Telang, Mukta. “The CMMI Agile Adoption Model.” ScrumAlliance. 29 May 2015. Web. 15 Apr. 2016.

    VersionOne. “13th Annual State of Agile Report.” VersionOne. 2019. Web.

    Vembar, Navin. “Case Study: Agile Government and the General Services Administration (Integrated Award Environment).” Agile Government Leadership, n.d. Web.

    Wenger, E., R. A. McDermott, et al. (2002), Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.

    Wenger, E., White, N., Smith, J.D. Digital Habitats; Stewarding Technology for Communities. Cpsquare (2009).

    Infrastructure and Operations Priorities 2023

    • Buy Link or Shortcode: {j2store}54|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Disruptive & Emerging Technologies
    • Parent Category Link: /disruptive-emerging-technologies
    • Get out of your I&O silo. I&O teams must be expected to work alongside and integrate with cyber security operations.
    • Being unprepared for new ESG reporting mandates without a clear and validated ESG reporting process puts your organization at risk.
    • Get ahead of inflationary pressures with early budgetary planning and identify the gap between the catchup projects and required critical net new investments.

    Our Advice

    Critical Insight

    • Establish I&O within an AI governance program to build trust in AI results, behaviors, and limit legal exposure.
    • Develop data governance program that includes an I&O data steward for oversight.
    • Ready or not, the metaverse is coming to an infrastructure near you. Start expanding I&O technologies and processes to support a metaverse infrastructure.

    Impact and Result

    • Provide a framework that highlight the impacts the threats of an economic slowdown, growing regulatory reporting requirements, cyber security attacks and opportunity that smart governance over AI, data stewardship and the looming explosion of augmented reality and Web 3.0 technologies.
    • Info-Tech can help communicate your I&O priorities into compelling cases for your stakeholders.

    Infrastructure and Operations Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Infrastructure & Operations Priorities 2023 – A framework to dive deeper into the trends most relevant to you and your organization

    Discover Info-Tech's six priorities for Infrastructure & Operations leaders.

    Infographic

    Further reading

    Infrastructure &Operations Priorities 2023

    Navigate the liminal space between threats and opportunities.

    2023: A liminal space between threats and opportunities

    Over the last several years, successful CEOs turned to their Infrastructure and Operations (I&O) departments to survive the effects of the pandemic. It was I&O leaders who were able to reconfigure critical infrastructure on the fly to support remote work, adapt to critical supply chain shortages, and work with lines of business managers to innovate operational workflows.

    2023 promises to bring a new set of challenges. Building on the credibility established during the pandemic, I&O is in a unique position to influence the direction a business will take to be successful in a time of austerity.

    I&O members are going to be asked to mitigate the threats of volatility from recession pressures, new cybersecurity attacks, and operational process and litigation from regulatory mandates. At the same time, I&O members are being asked for fundamental digital transformation items to realize long-term opportunities to their organizations in 2023.

    Seemingly counter-intuitive in a time of economic slowdown, organizations in 2023 will want to start the groundwork to realizing the I&O opportunities that unstructured data and artificial intelligence have promised, while prepping for what has been mislabeled as the Metaverse.

    If you are in a traditionally risk adverse industry, you’re more likely to be impacted by the threat mitigation.

    Opportunistic I&O members will use 2023 to proactively jumpstart digital transformation.

    Introduction

    Welcome to the Info-Tech 2023 I&O Priorities Report

    If I&O members learned anything from the last few years, it’s how to tactically respond to the disruptive waves often arising from sources external to the organization. The good news is that Info-Tech’s I&O priorities report provides forward-looking insights to help members become more proactive to the tsunami of change predicted in our Trends Report to happen over the next three to five years.

    Info-Tech I&O priorities are generated through a phased approach. The first phase senses and identifies mega and macro tends in the digital landscape to formulate hypotheses about the trends for the next three to five years. These hypotheses are validated by sending out a survey to Info-Tech members. The responses from 813 members was used to produce an Info-Tech Trends Report focused on major long-term trends.

    The I&O Priorities were determined by combining the I&O member responses within the Info-tech Trends Survey with insightful signals from secondary research, economic markets, regulatory bodies, industry organizations, and vendors. The six I&O priorities identified in this report are presented in a framework that highlight the impacts of an economic slowdown, growing regulatory reporting requirements, cybersecurity threats, smart governance of AI, embracing stewardship of data, and the looming explosion of augmented reality and Web 3.0 technologies.

    We also have a challenge exercise to help you communicate which priorities to focus your I&O organization on. Additionally, we linked some Info-tech research and tools related to the priorities that help your I&O organization formulate actionable plans for each area.

    Priorities

    Six forward-looking priorities for the next year.

    Focus

    Activity to help select which priorities are relevant for you.

    Actions

    Actionable Info-tech research and tools to help you deliver.

    Infrastructure & Operations priorities

    The I&O priorities were determined by combining I&O member responses from the Tech Trends and Priorities 2023 survey with insightful signals from secondary research, economic markets, regulatory bodies, industry organizations, and vendors.

    The image contains a screenshot of the Infrastructure & Operations priorities.

    I&O Priorities 2023

    The image contains a screenshot of the I&O Priorities.

    I&O priorities framework

    Threats signals

    Enhance I&O Cybersecurity

    Produce ESG Reporting

    Recession Readiness

    Get out of your silo. Forget your job description and start doing what needs to be done.

    Infrastructure rarely has authority in these areas, but somehow it ends up with many of the responsibilities. You can't afford to be reactive. Forget about your traditional silo and get out in front of these topics. Not in your job description? Find out whose job it is and make them aware. Better yet – take charge! If you're going to be responsible you might as well be in control.

    Opportunities signals

    AI Governance: Watching the Watchers

    Prep for A Brave New Metaverse

    Data Governance: Cornerstone of Value

    Proper stewardship of data is an I&O must. If thought you had problems with your unstructured data, wait until you see the data sprawl coming from the metaverse.

    I&O needs to be so much more than just an order taker for the dev teams and lines of business. The sprawl of unstructured data in Word, Excel, PDF and PowerPoint was bad historically; imagine those same problems at metaverse scale! Simple storage and connectivity is no longer enough – I&O must move upstream with more sophisticated service and product offerings generated through proper governance and stewardship.

    Challenge: Expand the I&O border

    The hidden message in this report is that I&O priorities extend beyond the traditional scope of I&O functions. I&O members need to collaborate across functional areas to successfully address the priorities presented in this report.

    Info-Tech can help! Align your priorities with our material on how to Build a Business-Aligned IT Strategy. Use a modified version of the Strategy Initiative Template (next slide) to convey your strong opinion on the priorities you need your stakeholders to know about. And do so in a way that is familiar so they will easily understand.

    The image contains a screenshot of Info-Tech's Maturity Ladder.
    Info-Tech 2023 Trends Survey Results

    Call your Executive Advisor or Counselor to help identify the one or two key messages you want to bring forward for success in 2023!

    Info-Tech IT Strategy Initiative Template, from the IT Strategy Presentation Template & Priorities Report Initiative Template

    .
    The image contains a screenshot of a template for your priorities.

    Protect from threats

    Get out of your silo. Forget your job description and just start doing what needs to be done.

    Enhance I&O Cybersecurity

    Produce ESG Reporting

    Recession Readiness

    Enhance cybersecurity response

    SIGNALS

    Cybersecurity incidents are
    a clear and present danger
    to I&O members.

    Cybersecurity incidents have
    a large financial impact
    on organizations.

    Related Info-Tech Research

    Of the surveyed I&O members, 53% identified cybersecurity incidents as the number one threat disrupting their operations in 2023. It’s understandable, as over 18% of surveyed I&O members experienced a cybersecurity incident in 2022. Alarmingly, 10% of surveyed I&O members didn’t know if they had a cybersecurity incident. The impact to the organization was with 14% of those incidents directly impacting their organizations for anywhere from 6 to 60 days.

    The 2022 report “Cost of a Data Breach” was conducted by IBM and the Ponemon Institute using data from 550 companies (across 17 countries) that experienced a security incident during a 12-month period ending in March 2022. It highlighted that the average total organizational cost of a security breach globally was USD 4.35M (locally these numbers expand to USA at USD 9.44M, Canada at USD 5.64, UK at USD 5.05M, Germany at USD 4.85M).

    (Source: IBM, 2022)

    Enhance cybersecurity response

    SIGNALS

    Organizations' exposure comes from internal and external sources.

    The right tools and process can reduce the impact of a cybersecurity incident.

    Related Info-Tech Research

    The IBM/Ponemon Institute report highlighted the following:

    • 59% of organizations didn’t deploy a zero-trust architecture on critical infrastructure to reduce exposure.
    • 19% of the breaches originated from within their business partner eco-system.
    • 45% were cloud-based.

    (Source: IBM, 2022)

    The IBM/Ponemon Institute report also identified technologies and procedures to reduce the fiscal impacts of cybersecurity breaches. Having a dedicated security incident response team with a regularly tested plan reduced the incident cost by an average of USD 2.66M. A fully implemented AI security deduction and response automation system can provide average incident savings of 27.6%.

    Enhance cybersecurity response

    SIGNALS

    Cybersecurity spending is a major and expanding expenditure for our members.

    Cybersecurity is going
    to include brand misinformation.

    For 36% of surveyed I&O members, cybersecurity consumed between 10-20% of their total budget in 2022. Moreover, cybersecurity defense funding is expected to increase for 57% of I&O members.

    A third of surveyed I&O members viewed misinformation as a major risk to their organization for 2023 and 2024. Only 38% of the I&O members reported that they will have software in place to monitor and manage social media posts.

    Increasing environment and regulatory complexity demands more sophisticated cybersecurity operations.

    Infrastructure teams must be expected to work alongside and integrate with cybersecurity operations.

    Enhance cybersecurity response

    CALL TO ACTION

    Get out of your I&O silo and form cross-functional cybersecurity teams.

    I&O priority actions

    Establish a cross-functional security steering committee to coordinate security processes and technologies. The complexity of managing security across modern applications, cloud, IoT, and network infrastructure that members operate is greater than ever before and requires coordinated teamwork.

    Contain the cyber threat with zero trust (ZT) architecture. Extend ZT to network and critical infrastructure to limit exposure.

    Leverage AI to build vigilant security intelligence. Smart I&O operators will make use of AI automation to augment their security technologies to help detect threats and contain security incidents on critical infrastructure.

    Enhance cybersecurity response

    I&O priority actions

    Build specialized cybersecurity incident management protocols with your service desk. Build integrated security focused teams within service desk operations that continually test and improve security incident response protocols internally and with specialized security vendors. In some organizations, security incident response teams extend beyond traditional infrastructure into social media. Work cross-functionally to determine the risk exposure to misinformation and incident response procedures.

    Treat lost or stolen equipment as a security incident. Develop hardware asset management protocols for tracking and reporting on these incidents and keep a record of equipment disposal. Implement tools that allow for remote deletion of data and report on lost or stolen equipment.

    Produce ESG reporting

    SIGNALS

    Government mandates present an operational risk to I&O members.

    ESG reporting is
    often incomplete.

    Related Info-Tech Research

    Surveyed members identified government-enacted policy changes to be a top risk to disrupting to their business operations in 2023. One of the trends identified by Info-Tech is that the impact of regulations on environmental, social, and governance (ESG) reporting are being rolled out by governments worldwide.

    Alarmingly, only 7% of surveyed members responded that they could very accurately report on their carbon footprint and 23% said they were not able to report accurately at all.

    Produce ESG reporting

    SIGNALS

    ESG mandates are being rolled out globally.

    ESG reporting has greatly expanded since a 2017 report by Task Force on Climate-Related Financial Disclosures (TCFD, 2017) which recommended that organizations disclose climate-related financial metrics for investors to appropriately price climate-related risks to share price. In 2021, the Swiss Finance Institute research paper (Sautner, 2021) identified 29 countries that require ESG reporting, primarily for larger public companies, financial institutions, and state-owned corporations.

    Global ESG mandates

    The image contains a screenshot of a world map that demonstrates the Global ESG Mandates.

    29 nations with ESG mandates identified by the Swiss Finance Institute

    Produce ESG reporting

    SIGNALS

    ESG mandates are being rolled out globally.

    The EU has mandated ESG reporting for approximately 11,700 large public companies with more than 500 employees under the Non-Financial Reporting Directive (NFRD), since 2014. The EU is going to replace the NFRD with the Corporate Sustainability Reporting Directive (European Council, 2022), which has set a 3-year timetable for escalating the ESG reporting level to what is estimated to be about 75% of EU total turnover (WorldFavor, 2022).

    • 2024: Companies with 500 or more employees.
    • 2025: Companies with 250 or more employee or 40M EU in revenue/20M in total assets.
    • 2026: SMEs, smaller credit financial, and captive insurance institutions.

    It's been a long time since most enterprises had to report on things like power efficiency factors.

    But don't think that being in the cloud will insulate you from a renewed interest in ESG reporting.

    Produce ESG reporting

    CALL TO ACTION

    Being unprepared for new ESG reporting mandates without a clear and validated ESG reporting process puts your organization at risk.

    I&O priority actions

    Understand ESG risk exposure. Define the gap between what ESG reporting is required in your jurisdiction and current reporting capabilities to meet them. Build the I&O role with responsibility for ESG reporting.

    Include vendors in ESG reporting. Review infrastructure facilities with landlords, utilities, and hosting providers to see if they can provide ESG reporting on sustainable power generation, then map it to I&O power consumption as part of their contractual obligations. Ask equipment vendors to provide ESG reporting on manufacturing materials and energy consumption to boot-strap data collection.

    Implement a HAM process to track asset disposal and other types of e-waste. Update agreements with disposal vendors to get reporting on waste and recycle volumes.

    Produce ESG reporting

    I&O priority actions

    Implement an ESG reporting framework. There are five major ESG reporting frameworks being used globally. Select one of the frameworks below that makes sense for your organization, and implement it.

    ISO 14001 Environmental Management: Part of the ISO Technical Committee family of standards that allows your organization to understand its legal requirements to become certified in ESG.

    Global Reporting Initiative (GRI) Sustainability Reporting Standards: GRI has been developing ESG reporting standards since 1997. GRI provides a modular ESG framework applicable to all sizes and sectors of organizations worldwide.

    Principles for Responsible Investment: UN-developed framework for ESG reporting framework for disclosure in responsible investments.

    Sustainability Accounting Standards Board (SASB): ESG report framework to be used by investors.

    UN Global Compact: ESG reporting framework based on 10 principles that organizations can voluntarily contribute data to.

    Implement a HAM process to track asset disposal and other types of e-waste. Update agreements with disposal vendors to get reports on waste and recycle volumes.

    Recession readiness

    SIGNALS

    Managing accelerated technical debt.

    Recessionary pressures.

    Related Info-Tech Research

    I&O members experienced a spike in technical debt following the global pandemic economic shutdown, workforce displacement, and highly disrupted supply chains. 2023 presents a clear opportunity to work on these projects.

    The shortages in workforce and supply chain have accelerated inflation post pandemic. Central banks have started to slow down inflation in 2022 by raising interest rates. However, the World Bank has forecast a potential 2% rise in interest rates as the battle with inflation continues into 2023 and beyond, which could set off a global slowdown in GDP growth to 0.5%, qualifying as a recession. If interest rates continue to climb, I&O members may struggle with the higher cost of capital for their investments.

    (Source: World Bank Organization, 2022)

    Recession readiness

    SIGNALS

    I&O budgets expected to increase.

    Focused budgetary increases.

    Despite economists’ prediction of a looming recession and inflationary pressures, only 11% of I&O members surveyed indicated that they anticipated any reduction in IT budgets for 2023. In fact, 44% of I&O members expected an increase of IT budgets of between 6% and 30%.

    These increases in budget are not uniform across all investments. Surveyed I&O members indicated that the largest anticipated budget increases (compared to 2022) were in the areas of:

    • AI/machine learning ( +7.5%)
    • 5G (+7%)
    • Data Mesh/Fabric and Data Lake infrastructure (+5.7% and +4.4%, respectively)
    • Mixed reality technologies (augmented or virtual reality) (+3.3%)
    • Next generation cybersecurity (+1.7%)

    "2022 has been the first true opportunity to start getting caught up on technical debt stemming from the post pandemic supply chain and resource shortages. That catch-up is going to continue for some time.

    Unfortunately, the world isn't sitting still while doing that. In fact, we see new challenges around inflationary pressures. 2023 planning is going to be a balancing act between old and new projects."

    Paul Sparks,
    CTO at Brookshire Grocery Company

    Recession readiness

    SIGNALS

    Tough choices on budgetary spends.

    The responses indicated that I&O members expect decreased reinvestment for 2023 for the following:

    • API programming (-21.7%)
    • Cloud computing (-19.4%)
    • 44% of I&O members indicated if 2023 requires costs cutting, 5-20% of their cloud computing investment will be at risk of the chopping block!
    • Workforce management (-9.4%)
    • No-code /low-code infrastructure (-5.3%)

    Make sure you can clearly measure the value of all budgeted I&O activities.

    Anything that can't demonstrate clear value to leadership is potentially on the chopping block.

    Recession readiness

    CALL TO ACTION

    Get ahead of inflationary pressures with early budgetary planning, and identify the gap between the catch-up projects and required critical net new investments.

    II&O priority actions

    Hedge against inflation on infrastructure projects. Develop and communicate value-based strategies to lock in pricing and mitigate inflationary risk with vendors.

    Communicate value-add on all I&O budgeted items. Define an infrastructure roadmap to highlight which projects are technical debt and which are new strategic investments, and note their value to the organization.

    Look for cost saving technologies. Focus on I&O projects that automate services to increase productivity and optimize head count.

    Realize opportunities

    Build on a record of COVID-related innovation success and position the enterprise to take advantage of 2023.

    AI governance: Watching the watchers

    Data stewardship: Cornerstone of value

    Prep for a brave new metaverse

    AI governance: Watching the watchers

    SIGNALS

    Continued investment
    in AI technologies

    AI technology is permeating diverse I&O functional areas.

    Related Info-Tech Research

    About 32% of survey respondents who work in I&O said that they already invest in AI, and 40% intend to invest in 2023.

    I&O members have identified the following areas as the top five focal points for AI uses within their organizations.

    • Automated repetitive, low-level tasks
    • Business analytics or intelligence
    • Identification of risks and improvement of security response
    • Monitoring and governance
    • Sensor data analysis

    AI governance: Watching the watchers

    SIGNALS

    Consequences for misbehaving AI.

    I&O leaders can expect to have silos of AI in pockets scattered across the enterprise. Without oversight on the learning model and the data used for training and analytics there is a risk of overprovisioning, which could reduce the efficiency and effectiveness of AI models and results.

    This scale advantage of AI could result in operational inefficiencies without oversight. For example, bad governance means garbage in / garbage out. Which is worse: getting 100 outputs from a system with a 1% error rate, or getting 10,000 outputs from a system with an 1% error rate?

    These are just the operational issues; legally you can be on the hook, as well. The EU Parliament has issued a civil liability regime for AI (European Parliament, n.d.) which imposes liability to operators of AI systems, regardless of whether they acted with operational due diligence. Additionally, the IEEE (IEEE, 2019) is advocating for legal frameworks and accountability for AI that violates human rights and privacy laws and causes legal harm.

    Who is going to instill standards for AI Operations? Who is going to put in the mechanisms to validate and explain the output of AI black boxes?

    If you said it’s going to end up
    being Infrastructure and Operations – you were right!

    AI governance: Watching the watchers

    CALL TO ACTION

    Establish I&O within an AI governance program to build trust in AI results and behaviors and limit legal exposure.

    I&O priority actions

    Define who has overall AI accountability for AI governance within I&O. This role is responsible for establishing strategic governance metrics over AI use and results, and identifying liability risks.

    Maintain an inventory of AI use. Conduct an audit of where AI is used within I&O, and identify gaps in documentation and alignment with I&O processes and organizational values.

    Define an I&O success map. Provide transparency of AI use by generating pseudo code of AI models, and scorecard AI decision making with expected predictions and behavioral actions taken.

    AI governance: Watching the watchers

    Manage bias in AI decision making. Work with AI technology vendors to identify how unethical bias can enter the results, using operational data sets for validation prior to rollout.

    Protect AI data sets from manipulation. Generate new secure storage for AI technology audit trails on AI design making and results. Work with your security team to ensure data sets used by AI for training can’t be corrupted.

    Data governance: Cornerstone of value

    SIGNALS

    Data volumes grow
    with time.

    Data is seen as a source for generating new value.

    Related Info-Tech Research

    Of surveyed I&O members, 63% expected to see the data storage grow by at least 10% in 2023, and 15% expected a 30% or more growth in data storage volumes.

    I&O members identified the top three ways data brings value to the organization:

    • Helping reduce operational costs.
    • Presenting value-added to existing products and services.
    • Acquiring new customers.

    Data governance: Cornerstone of value

    SIGNALS

    Approach to data analysis is primarily done in-house.

    85% of surveyed I&O members are doing data analysis with custom-made or external tools. Interestingly, 10% of I&O members do not conduct any data analysis.

    Members are missing a formal data governance process.

    81% of surveyed I&O members do not have a formal or automated process for data governance. Ironically, 24% of members responded that they aim to have publicly accessible data-as-a-service or information repositories.

    Despite investment in data initiatives, organizations carry high levels of data debt.

    Info-Tech research, Establish Data Governance, points out that data debt, the accumulated cost associated with sub-optimal governance of data assets, is a problem for 78% of organizations.

    What the enterprise expects out of enterprise storage is much more complicated in 2023.

    Data protection and governance are non-negotiable aspects of enterprise storage, even when it’s unstructured.

    Data governance: Cornerstone of value

    SIGNALS

    Data quality is the primary driver for data governance.

    The data governance market
    is booming.

    Related Info-Tech Research

    In the 2022 Zaloni survey of data governance professionals, 71% indicated that consistent data quality was the top metric for data governance, followed by reduced time to insight and regulatory compliance.

    (Source: Zaloni DATAVERSITY, 2022)

    The Business Research Company determined that the global data governance market is expected to grow from $3.28 billion in 2022 to $7.42 billion in 2026 at a CAGR of 22.7% in response to 74 zettabytes of data in 2021, with a growth rate of 1.145 trillion MB of new data being created every day.

    (Source: Business Research Company, 2022)

    Data governance: Cornerstone of value

    CALL TO ACTION

    Develop a data governance program that includes an I&O data steward for oversight.

    I&O priority actions

    Establish an I&O data steward. Make data governance by establishing a data steward role with accountability for governance. The steward works collaboratively with DataOPs to control access to I&O data, enforce policies, and reduce the time to make use of the data.

    Define a comprehensive storage architecture. If you thought you had a data sprawl problem before, wait until you see the volume of data generated from IoT and Web 3.0 applications. Get ahead of the problem by creating an infrastructure roadmap for structured and unstructured data storage.

    Build a solid backbone for AI Operations using data quality best practices. Data quality is the foundation for generation of operational value from the data and artificial intelligence efforts. Focus on using a methodology to build a culture of data quality within I&O systems and applications that generate data rather than reactive fixes.

    Look to partner with third-party vendors for your master data management (MDM) efforts. Modern MDM vendors can work with your existing data fabrics/lake and help leverage your data governance policies into the cloud.

    Prep for a brave new metaverse

    SIGNALS

    From science fiction to science fact.

    The term metaverse was coined in 1992 by Neal Stephenson and is a common theme in science fiction. For most I&O surveyed professionals, the term metaverse conjures up more confusion than clarity, as it’s not one place, but multiple metaverse worlds. The primordial metaverse was focused on multiplayer gaming and some educational experiences. It wasn’t until recently that it gained a critical mass in the fashion and entertainment industries with the use of non-fungible tokens (NFT). The pandemic created a unique opportunity for metaverse-related technologies to expand Web 3.0.

    Related Info-Tech Research

    Prep for a brave new metaverse

    SIGNALS

    Collaboration and beyond.

    On one hand, metaverse technologies virtual reality(VR)/augmented reality (AR) headsets can be a method of collaborating internally within a single organization. About 10% of our surveyed I&O members engaged this type of collaborative metaverse in 2022, with another 24% looking to run proof of concept projects in 2023. However, there is a much larger terrain for metaverse projects outside of workforce collaboration, which 17% of surveyed I&O members are planning to engage with in 2023.

    These are sophisticated new metaverse worlds, and digital twins of production environments are being created for B2B collaboration, operations, engineering, healthcare, architecture, and education that include the use of block chain, NFTs, smart contracts, and other Web 3.0 technologies

    “They are the audiovisual bodies that people use to communicate with each other in the Metaverse.”

    Neal Stephenson,
    Snow Crash 1992

    Prep for a brave new metaverse

    SIGNALS

    Metaverse requires multidimensional security.

    Security in the context of the metaverse presents new challenges to I&O. The infrastructure that runs the metaverse is still vulnerable to “traditional” security threats. New attack vectors include financial and identity fraud, privacy and data loss, along with new cyber-physical threats which are predicted to occur as the metaverse begins to integrate with IoT and other 3D objects in the physical world.

    The ultimate in "not a product" – the metaverse promises to be a hodgepodge of badly standardized technologies for the near future.

    Be prepared to take care of pets and not cattle for the foreseeable future, but keep putting the fencing around the ranch.

    Prep for a brave new metaverse

    SIGNALS

    Generating new wave of sophisticated engineering coming.

    Economics boom around metaverse set to explode.

    Related Info-Tech Research

    Beyond the current online educational resources, there are reputable universities around the world, including Stanford University, that are offering courses on metaverse and Web 3.0 concepts.

    (Source: Arti, 2022)

    So, what’s providing the impetus for all this activity and investment? Economics. In their 2022 report, Metaverse and Money, Citi estimated that the economic value of the metaverse(s) will have 900M to 1B VR/AR users and 5 billion Web 3.0 users with market sizes of $1-2T and $8-$13T, respectively. Yes, that’s a “T” for Trillions.

    (Source: Ghose, 2022)

    Prep for a brave new metaverse

    CALL TO ACTION

    Ready or not, the metaverse is coming to an infrastructure near you. Start expanding I&O technologies and processes to support a metaverse infrastructure.

    I&O priority actions

    Develop a plan for network upgrades.

    A truly immersive VR/AR experience requires very low latency. Identify gaps and develop a plan to enhance your network infrastructure surrounding your metaverse space(s) and end users.

    Extend security posture into the metaverse.

    Securing the infrastructure that runs your metaverse is going to extend the end-user equipment used to navigate it. More importantly, security policies need to encompass the avatars that navigate it and the spatial web that they interact with, which can include physical world items like IoT.

    Prep for a brave new metaverse

    I&O priority actions

    Metaverse theft prevention

    Leverage existing strategies to identify management in the metaverse. Privacy policies need to extend their focus to data loss prevention within the metaverse.

    Collaborate

    The skill set required to build, deploy, manage, and support the metaverse is complex. Develop a metaverse support organization that extends beyond I&O functions into security, DevOps, and end-user experiences.

    Educate

    Web 3.0 technologies and business models are complex. Education of I&O technical- and commerce-focused team members is going to help prevent you from getting blindsided. Seek out specialized training programs for technical staff and strategic education for executives, like the Wharton School of Business certification program.

    Authors

    John Annand

    Theo Antoniadis

    John Annand

    Principal Research Director

    Theo Antoniadis

    Principal Research Director

    Contributors

    Paul Sparks,
    CTO at Brookshire Grocery Company

    2 Anonymous Contributors

    Figuring out the true nature of the “Turbo” button of his 486DX100 launched John on a 20-year career in managed services and solution architecture, exploring the secrets of HPC, virtualization, and DIY WANs built with banks of USR TotalControl modems. Today he focuses his research and advisory on software-defined infrastructure technologies, strategy, organization, and service design in an increasingly Agile and DevOps world.

    Theo has decades of operational and project management experience with start-ups and multinationals across North America and Europe. He has held various consulting, IT management and operations leadership positions within telecommunications, SaaS, and software companies.

    Bibliography

    “3 Cybersecurity Trends that are Changing Financial Data Management." FIMA US. Accessed August 2022.
    Arti. “While much of the world is just discovering the Metaverse, a number of universities have already established centers for studying Web 3." Analytics Insight. 10 July 2022.
    “Artificial intelligence (AI) for cybersecurity." IBM. Accessed September 2022
    “Business in the Metaverse Economy." Wharton School of University of Pennsylvania. Accessed October 2022.
    “Cost of a data breach 2022: A million-dollar race to detect and respond." IBM. Accessed September 2022.
    “Countries affected by mandatory ESG reporting – here’s the list." New Zealand Ministry of Business, Innovation & Employment. Accessed September 2022.
    “Countries affected by mandatory ESG reporting – here’s the list.” WorldFavor. Accessed September 2022.
    Crenshaw, Caroline A. “SEC Proposes to Enhance Disclosures by Certain Investment Advisers and Investment Companies About ESG Investment Practices." U.S. Securities and Exchange Commission. May 2022.
    “Cutting through the metaverse hype: Practical guidance and use cases for business." Avanade. Accessed October 2022.
    “Data Governance Global Market Sees Growth Rate Of 25% Through 2022." The Business Research Company. August 2022.
    “DIRECTIVE 2014/95/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 22 October 2014 amending Directive 2013/34/EU as regards disclosure of non-financial and diversity information by certain large undertakings and groups." UER-Lex. Accessed September 2022.
    "Ethically Aligned Design: A Vision for Prioritizing Human Well-being with Autonomous and Intelligent Systems." IEEE. March 2019.
    “European Parliament resolution of 20 October 2020 with recommendations to the Commission on a civil liability regime for artificial intelligence." European Parliament. Accessed October 2022.
    Ghose, Ronit et al. "Metaverse and Money." Citi GPS. March 2022.
    Hernandez, Roberto, et al. “Demystifying the metaverse." PWC. Accessed August 2022.
    Info-Tech Trends Report Survey, 2023; N=813.
    “ISO 14000 Family: Environmental Management." ISO. Accessed October 2022.
    Knight, Michelle & Bishop, Annie, ”The 2022 State of Cloud Data Governance.“ Zaloni DATAVERSITY. 2022.

    Bibliography

    Kompella, Kashyap, “What is AI governance and why do you need it?“ TechTarget. March 2022.
    “Management of electronic waste worldwide in 2019, by method." Statista. 2022.
    “Model Artificial Intelligence Governance Framework and Assessment Guide.“ World Economic Forum. Accessed September 2022.
    “Model Artificial Intelligence Governance Framework." PDPC Singapore. Accessed October 2022.
    “New rules on corporate sustainability reporting: provisional political agreement between the Council and the European Parliament.“ European Council. June 2022.
    "OECD Economic Outlook Volume 2022." OECD iLibrary. June 2022.
    "Recommendations of the Task Force on Climate-related Financial Disclosures." TCFD. Accessed August 2022.
    “Risk of Global Recession in 2023 Rises Amid Simultaneous Rate Hikes.” World Bank Organization. September 2022.
    Sautner, Zacharias, et al. “The Effects of Mandatory ESG Disclosure around the World.” SSRN. November 2021.
    Sondergaard, Peter. “AI GOVERNANCE – WHAT ARE THE KPIS? AND WHO IS ACCOUNTABLE?“ The Sondergaard Group. November 2019.
    Srivastavam Sudeep, “How can your business enter the Metaverse?." Appinventiv.
    September 2022.
    “Standards Overview." SASB. Accessed October 2022.
    Stephenson, Neal. Snow Crash. Bantam Books, 1992.
    “Sustainability Reporting Standards." Global Reporting Initiative. Accessed October 2022.
    “The Ten Principles of the UN Global Compact." UN Global Compact. Accessed October 2022.
    Tian Tong Lee, Sheryl. "China Unveils ESG Reporting Guidelines to Catch Peers.” Bloomberg. May 2022.
    “What are the Principles for Responsible Investment?" UNPRI. Accessed October 2022.
    "What is the EU's Corporate Sustainability Reporting Directive (CSRD)?" WorldFavor.
    June 2022.
    West, Darrell M. “Six Steps to Responsible AI in the Federal Government.“ Brookings Institution. March 2022. Web.

    AI and the Future of Enterprise Productivity

    • Buy Link or Shortcode: {j2store}329|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • We’re witnessing a fundamental transformation in how businesses operate and productivity is achieved.
    • Advances in narrow but powerful forms of artificial intelligence (AI) are being driven by a cluster of factors.
    • Applications for enterprise AI aren’t waiting for the emergence of a general AI. They’re being rapidly deployed in task-specific domains. From robotic process automation (RPA) to demand forecasting, from real-world robotics to AI-driven drug development, AI is boosting enterprise productivity in significant ways.

    Our Advice

    Critical Insight

    Algorithms are becoming more advanced, data is now richer and easier to collect, and hardware is cheaper and more powerful. All of this is true and contributes to the excitement around enterprise AI applications, but the biggest difference today is that enterprises are redesigning their processes around AI, rather than simply adding AI to their existing processes.

    Impact and Result

    This report outlines six emerging ways AI is being used in the enterprise, with four future scenarios outlining their possible trajectories. These are designed to guide strategic decision making and facilitate future-focused ideation.

    AI and the Future of Enterprise Productivity Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read the trend report

    This report outlines six emerging ways AI is being used in the enterprise, with four future scenarios outlining their possible trajectories. These are designed to guide strategic decision making and facilitate future-focused ideation.

    • AI and the Future of Enterprise Productivity Trend Report
    • AI and the Future of Enterprise Productivity Trend Report (PDF)
    [infographic]

    Leadership, Culture and Values

    • Buy Link or Shortcode: {j2store}34|cart{/j2store}
    • Related Products: {j2store}34|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.4/10
    • member rating average dollars saved: $912
    • member rating average days saved: 7
    • Parent Category Name: People and Resources
    • Parent Category Link: /people-and-resources

    The challenge

    • Your talent pool determines IT performance and stakeholder satisfaction. You need to retain talent and continually motivate them to go the extra mile.
    • The market for IT talent is growing, in the sense that talent has many more options these days. Turnover is a serious threat to IT's ability to deliver top-notch service to your company.
    • Engagement is more than HR's responsibility. IT leadership is accountable for the retention of top talent and the overall productivity of IT employees.

    Our advice

    Insight

    • Engagement goes both ways. Your initiatives must address a real need, and employees must actively seek the outcomes. Engagement is not a management edict.
    • Engagement is not about access to the latest perks and gadgets. You must address the right and challenging issues. Use a systematic approach to find what lives among the employees and address these.
    • Your impact on your employees is many times bigger than HR's. Leverage your power to lead your team to success and peak performance.

    Impact and results 

    • Our engagement diagnostic and other tools will help get to the root of disengagement in your team.
    • Our guidance helps you to avoid common errors and engagement program pitfalls. They allow you to take control of your own team's engagement.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why engagement is critical to IT performance in your company. We'll show you our methodology and the ways we can help you in handling this.

    Measure your employee engagement

    You can use our full engagement surveys.

    • Improve Employee Engagement to Drive IT Performance – Phase 1: Measure Employee Engagement (ppt)
    • Engagement Strategy Record (doc)
    • Engagement Communication Template (doc)

    Analyze the results and brainstorm solutions

    Understand your employees' engagement drivers. Involve your team in brainstorming engagement initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 2: Analyze Results and Ideate Solutions (ppt)
    • Engagement Survey Results Interpretation Guide (ppt)
    • Full Engagement Survey Focus Group Facilitation Guide (ppt)
    • Pulse Engagement Survey Focus Group Facilitation Guide (ppt)
    • Focus Group Facilitation Guide Driver Definitions (doc)
    • One-on-One Manager Meeting Worksheet (doc)

    Select and implement engagement initiatives

    Choose those initiatives that show the most promise with the most significant impact. Create your action plan and establish transparent and open, and ongoing communication with your team.

    • IT Knowledge Transfer Plan Template (xls)
    • IT Knowledge Identification Interview Guide Template (doc)

    Build your knowledge transfer roadmap

    Knowledge transfer is an ongoing effort. Prioritize and define your initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 3: Select and Implement Engagement Initiatives (ppt)
    • Summary of Interdepartmental Engagement Initiatives (doc)
    • Engagement Progress One-Pager (ppt)

     

    Build a Strategy for Big Data Platforms

    • Buy Link or Shortcode: {j2store}203|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Big Data
    • Parent Category Link: /big-data
    • The immaturity of the big data market means that organizations lack examples and best practices to follow, and they are often left trailblazing their own paths.
    • Experienced and knowledgeable big data professionals are limited and without creative resourcing; IT might struggle to fill big data positions.
    • The term NoSQL has become a catch-all phrase for big data technologies; however, the technologies falling under the umbrella of NoSQL are disparate and often misunderstood. Organizations are at risk of adopting incorrect technologies if they don’t take the time to learn the jargon.

    Our Advice

    Critical Insight

    • NoSQL plays a key role in the emergence of the big data market, but it has not made relational databases outdated. Successful big data strategies can be conducted using SQL, NoSQL, or a combination of the two.
    • Assign a Data Architect to oversee your initiative. Hire or dedicate someone who has the ability to develop both a short-term and long-term vision and that has hands-on experience with data management, mining and modeling. You will still need someone (like a database administrator) who understands the database, the schemas, and the structure.
    • Understand your data before you attempt to use it. Take a master data management approach to ensure there are rules and standards for managing your enterprise’s data, and take extra caution when integrating external sources.

    Impact and Result

    • Assess whether SQL, NoSQL, or a combination of both technologies will provide you with the appropriate capabilities to achieve your business objectives and gain value from your data.
    • Form a Big Data Team to bring together IT and the business in order to leave a successful initiative.
    • Conduct ongoing training with your personnel to ensure up-to-date skills and end-user understanding.
    • Frequently scan the big data market space to identify new technologies and opportunities to help optimize your big data strategy.

    Build a Strategy for Big Data Platforms Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop a big data strategy

    Know where to start and where to focus attention in the implementation of a big data strategy.

    • Storyboard: Build a Strategy for Big Data Platforms

    2. Assess the appropriateness of big data technologies

    Decide the most correct tools to use in order to solve enterprise data management problems.

    • Big Data Diagnostic Tool

    3. Determine the TCO of a scale out implementation

    Compare the TCO of a SQL (scale up) with a NoSQL (scale out) deployment to determine whether NoSQL will save costs.

    • Scale Up vs. Scale Out TCO Tool
    [infographic]

    z-Series Modernization and Migration

    • Buy Link or Shortcode: {j2store}114|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    Under the best of circumstances, mainframe systems are complex, expensive, and difficult to scale. In today’s world, applications written for mainframe legacy systems also present significant operational challenges to customers compounded by the dwindling pool of engineers who specialize in these outdated technologies. Many organizations want to migrate their legacy applications to the cloud but to do so they need to go through a lengthy migration process that is made more challenging by the complexity of mainframe applications.

    Our Advice

    Critical Insight

    The most common tactic is for the organization to better realize their z/Series options and adopt a strategy built on complexity and workload understanding. To make the evident, obvious, the options here for the non-commodity are not as broad as with commodity server platforms and the mainframe is arguably the most widely used and complex non-commodity platform on the market.

    Impact and Result

    This research will help you:

    • Evaluate the future viability of this platform.
    • Assess the fit and purpose, and determine TCO
    • Develop strategies for overcoming potential challenges.
    • Determine the future of this platform for your organization.

    z/Series Modernization and Migration Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. z/Series Modernization and Migration Guide – A brief deck that outlines key migration options and considerations for the z/Series platform.

    This blueprint will help you assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of z/Series for your organization.

    • z/Series Modernization and Migration Storyboard

    2. Scale Up vs. Scale Out TCO Tool – A tool that provides organizations with a framework for TCO.

    Use this tool to play with the pre-populated values or insert your own amounts to compare possible database decisions, and determine the TCO of each. Note that common assumptions can often be false; for example, open-source Cassandra running on many inexpensive commodity servers can actually have a higher TCO over six years than a Cassandra environment running on a larger single expensive piece of hardware. Therefore, calculating TCO is an essential part of the database decision process.

    • Scale Up vs. Scale Out TCO Tool
    [infographic]

    Further reading

    z/Series Modernization and Migration

    The biggest migration is yet to come.

    Executive Summary

    Info-Tech Insight

    “A number of market conditions have coalesced in a way that is increasingly driving existing mainframe customers to consider running their application workloads on alternative platforms. In 2020, the World Economic Forum noted that 42% of core skills required to perform existing jobs are expected to change by 2022, and that more than 1 billion workers need to be reskilled by 2030.” – Dale Vecchio

    Your Challenge

    It seems like anytime there’s a new CIO who is not from the mainframe world there is immediate pressure to get off this platform. However, just as there is a high financial commitment required to stay on System Z, moving off is risky and potentially more costly. You need to truly understand the scale and complexity ahead of the organization.

    Common Obstacles

    Under the best of circumstances, mainframe systems are complex, expensive, and difficult to scale. In today’s world, applications written for mainframe legacy systems also present significant operational challenges to customers compounded by the dwindling pool of engineers who specialize in these outdated technologies. Many organizations want to migrate their legacy applications to the cloud, but to do so they need to go through a lengthy migration process that is made more challenging by the complexity of mainframe applications.

    Info-Tech Approach

    The most common tactic is for the organization to better realize its z/Series options and adopt a strategy built on complexity and workload understanding. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms and the mainframe is arguably the most widely used and complex non-commodity platform on the market.

    Review

    We help IT leaders make the most of their z/Series environment

    Problem statement:

    The z/Series remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited and aging resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap.

    This research is designed for:

    IT strategic direction decision makers.

    IT managers responsible for an existing z/Series platform.

    Organizations evaluating platforms for mission critical applications.

    This research will help you:

    1. Evaluate the future viability of this platform.
    2. Assess the fit and purpose, and determine TCO.
    3. Develop strategies for overcoming potential challenges.
    4. Determine the future of this platform for your organization.

    Analyst Perspective

    Good Luck.

    Darin Stahl.

    Modernize the mainframe … here we go again.

    Prior to 2020, most organizations were muddling around in “year eleven of the four-year plan” to exit the mainframe platform where a medium-term commitment to the platform existed. Since 2020, it appears the appetite for the mainframe platform changed. Again. Discussions mostly seem to be about what the options are beyond hardware outsourcing or re-platforming to “cloud” migration of workloads – mostly planning and strategy topics. A word of caution: it would appear unwise to stand in front of the exit door for fear of being trampled.

    Hardware expirations between now and 2025 are motivating hosting deployments. Others are in migration activities, and some have already decommissioned and migrated but now are trying to rehab the operations team now lacking direction and/or structure.

    There is little doubt that modernization and “digital transformation” trends will drive more exit traffic, so IT leaders who are still under pressure to get off the platform need to assess their options and decide. Being in a state of perpetually planning to get off the mainframe handcuffs your ability to invest in the mainframe, address deficiencies, and improve cost-effectiveness.

    Darin Stahl
    Principal Research Advisor, Infrastructure & Operations Research
    Info-Tech Research Group

    The mainframe “fidget spinner”

    Thinking of modernizing your mainframe can cause you angst so grab a fidget spinner and relax because we have you covered!

    External Business Pressures:

    • Digital transformation
    • Modernization programs
    • Compliance and regulations
    • TCO

    Internal Considerations:

    • Reinvest
    • Migrate to a new platform
    • Evaluate public and vendor cloud alternatives
    • Hosting versus infrastructure outsourcing

    Info-Tech Insight

    With multiple control points to be addressed, care must be taken to simplify your options while addressing all concerns to ease operational load.

    The analyst call review

    “Who has Darin talked with?” – Troy Cheeseman

    Dating back to 2011, Darin Stahl has been the primary z/Series subject matter expert within the Infrastructure & Operations Research team. Below represents the percentage of calls, per industry, where z/Series advisory has been provided by Darin*:

    37% - State Government

    19% - Insurance

    11% - Municipality

    8% - Federal Government

    8% - Financial Services

    5% - Higher Education

    3% - Retail

    3% - Hospitality/Resort

    3% - Logistics and Transportation

    3% - Utility

    Based on the Info-Tech call history, there is a consistent cross section of industry members who not only rely upon the mainframe but are also considering migration options.

    Note:

    Of course, this only represents industries who are Info-Tech members and who called for advisory services about the mainframe.

    There may well be more Info-Tech members with mainframes who have no topic to discuss with us about the mainframe specifically. Why do we mention this?

    We caution against suggesting things like, ”somewhat less than 50% of mainframes live in state data centers” or any other extrapolated inference from this data.

    Our viewpoint and discussion is based on the cases and the calls that we have taken over the years.

    *37+ enterprise calls were reviewed and sampled.

    Scale out versus scale up

    For most workloads “scale out" (e.g. virtualized cloud or IaaS ) is going to provide obvious and quantifiable benefits.

    However, with some workloads (extremely large analytics or batch processing ) a "scale up" approach is more optimal. But the scale up is really limited to very specific workloads. Despite some assumptions, the gains made when moving from scale up to scale out are not linear.

    Obviously, when you scale out from a performance perspective you experience a drop in what a single unit of compute can do. Additionally, there will be latency introduced in the form of network overhead, transactions, and replication into operations that were previously done just bypassing object references within a single frame.

    Some applications or use cases will have to be architected or written differently (thinking about the high-demand analytic workloads at large scale). Remember the “grid computing” craze that hit us during the early part of this century? It was advantageous for many to distribute work across a grid of computing devices for applications but the advantage gained was contingent on the workload able to be parsed out as work units and then pulled back together through the application.

    There can be some interesting and negative consequences for analytics or batch operations in a large scale as mentioned above. Bottom line, as experienced previously with Microfocus mainframe ports to x86, the batch operations simply take much longer to complete.

    Big Data Considerations*:

    • Value: Data has no inherent value until it’s used to solve a business problem.
    • Variety: The type of data being produced is increasingly diverse and ranges from email and social media to geo-spatial and photographic data. This data may be difficult to process using a structured data model.
    • Volume: The sheer size of the datasets is growing exponentially, often ranging from terabytes to petabytes. This is complicating traditional data management strategies.
    • Velocity: The increasing speed at which data is being collected and processed is also causing complications. Big data is often time sensitive and needs to be captured in real time as it is streaming into the enterprise.

    *Build a Strategy for Big Data Platforms

    Consider your resourcing

    Below is a summary of concerns regarding core mainframe skills:

    1. System Management (System Programmers): This is the most critical and hard-to-replace skill since it requires in-depth low-level knowledge of the mainframe (e.g. at the MVS level). These are skills that are generally not taught anymore, so there is a limited pool of experienced system programmers.
    2. Information Management System (IMS) Specialists: Requires a combination of mainframe knowledge and data analysis skills, which makes this a rare skill set. This is becoming more critical as business intelligence takes on an ever-increasing focus in most organizations.
    3. Application Development: The primary concern here is a shortage of developers skilled in older languages such as COBOL. It should be noted that this is an application issue; for example, this is not solved by migrating off mainframes.
    4. Mainframe Operators: This is an easier skill set to learn, and there are several courses and training programs available. An IT person new to mainframes could learn this position in about six weeks of on-the-job training.
    5. DB2 Administration: Advances in database technology have simplified administration (not just for DB2 but also other database products). As a result, as with mainframe operators, this is a skill set that can be learned in a short period of time on the job.

    The Challenge

    An aging workforce, specialized skills, and high salary expectations

    • Mainframe specialists, such as system programmers and IMS specialists, are typically over 50, have a unique skill set, and are tasked with running mission-critical systems.

    The In-House Solution:

    Build your mentorship program to create a viable succession plan

    • Get your money’s worth out of your experienced staff by having them train others.
    • Operator skills take about six weeks to learn. However, it takes about two years before a system programmer trainee can become fully independent. This is similar to the learning curve for other platforms; however, this is a more critical issue for mainframes since organizations have far fewer mainframe specialists to fall back on when senior staff retire or move on.

    Understand your options

    Migrate to another platform

    Use a hosting provider

    Outsource

    Re-platform (cloud/vendors)

    Reinvest

    There are several challenges to overcome in a migration project, from finding an appropriate alternative platform to rewriting legacy code. Many organizations have incurred huge costs in the attempt, only to be unsuccessful in the end, so make this decision carefully.

    Organizations often have highly sensitive data on their mainframes (e.g. financial data), so many of these organizations are reluctant to have this data live outside of their four walls. However, the convenience of using a hosting provider makes this an attractive option to consider.

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house.

    A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings
    “re-host.”

    If you’re staying with the mainframe and keeping it in-house, it’s important to continue to invest in this platform, keep it current, and look for opportunities to optimize its value.

    Migrate

    Having perpetual plans to migrate handcuffs your ability to invest in your mainframe, extend its value, and improve cost effectiveness.

    If this sounds like your organization, it’s time to do the analysis so you can decide and get clarity on the future of the mainframe in your organization.

    1. Identify current performance, availability, and security requirements. Assess alternatives based on this criteria.
    2. Review and use Info-Tech’s Mainframe TCO Comparison Tool to compare mainframe costs to the potential alternative platform.
    3. Assess the business risks and benefits. Can the alternative deliver the same performance, reliability, and security? If not, what are the risks? What do you gain by migrating?
    4. If migration is still a go, evaluate the following:
    • Do you have the expertise or a reliable third party to perform the migration, including code rewrites?
    • How long will the migration take? Can the business function effectively during this transition period?
    • How much will the migration cost? Is the value you expect to gain worth the expense?

    *3 of the top 4 challenges related to shortfalls of alternative platforms

    The image contains a bar graph that demonstrates challenges related to shortfalls of alternative platforms.

    *Source: Maximize the Value of IBM Mainframes in My Business

    Hosting

    Using a hosting provider is typically more cost-effective than running your mainframe in-house.

    Potential for reduced costs

    • Hosting enables you to reduce or eliminate your mainframe staff.
    • Economies of scale enable hosting providers to reduce software licensing costs. They also have more buying power to negotiate better terms.
    • Power and cooling costs are also transferred to the hosting provider.

    Reliable infrastructure and experienced staff

    • A quality hosting provider will have 24/7 monitoring, full redundancy, and proven disaster recovery capabilities.
    • The hosting provider will also have a larger mainframe staff, so they don’t have the same risk of suddenly being without those advanced critical skills.

    So, what are the risks?

    • A transition to a hosting provider usually means eliminating or significantly reducing your in-house mainframe staff. With that loss of in-house expertise, it will be next to impossible to bring the mainframe back in-house, and you become highly dependent on your hosting provider.

    Outsourcing

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house.

    The options here for the non-commodity (z/Series, IBM Power platforms, for example) are not as broad as with commodity server platforms. More confusingly, the term “outsourcing” for these can include:

    Traditional/Colocation – A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”

    Onsite Outsourcing – Here a provider will support the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.

    Managed Hosting – A customer transitions their legacy application environment to an off-prem hosted multi-tenanted environment. It will provide the most cost savings following the transition, stabilization, and disposal of existing environment. Some providers will provide software licensing, and some will also support “Bring Your Own,” as permitted by IBM terms for example.

    Info-Tech Insight

    Technical debt for non-commodity platforms isn’t only hardware based. Moving an application written for the mainframe onto a “cheaper” hardware platform (or outsourced deployment) leaves the more critical problems and frequently introduces a raft of new ones.

    Re-platform – z/Series COBOL Cloud

    Re-platforming is not trivial.

    While the majority of the coded functionality (JCLs, programs, etc.) migrate easily, there will be a need to re-code or re-write objects – especially if any object, code, or location references are not exactly the same in the new environment.

    Micro Focus has solid experience in this but if consider it within the context of an 80/20 rule (the actual metrics might be much better than that), meaning that some level of rework would have to be accomplished as an overhead to the exercise.

    Build that thought into your thinking and business case.

    AWS Cloud

    • Astadia (an AWS Partner) is re-platforming mainframe workloads to AWS. With its approach you reuse the original application source code and data to AWS services. Consider reviewing Amazon’s “Migrating a Mainframe to AWS in 5 Steps.”

    Azure Cloud

    Micro Focus COBOL (Visual COBOL)

    • Micro Focus' Visual COBOL also supports running COBOL in Docker containers and managing and orchestrating the containers with Kubernetes. I personally cannot imagine what sort of drunken bender decision would lead me to move COBOL into Docker and then use Kubernetes to run in GCP but there you are...if that's your Jam you can do it.

    Re-platform – z/Series (Non-COBOL)

    But what if it's not COBOL?

    Yeah, a complication for this situation is the legacy code.

    While re-platforming/re-hosting non-COBOL code is not new, we have not had many member observations compared to the re-platforming/re-hosting of COBOL functionality initiatives.

    That being said, there are a couple of interesting opportunities to explore.

    NTT Data Services (GLOBAL)

    • Most intriguing is the re-hosting of a mainframe environment into AWS. Not sure if the AWS target supports NATURAL codebase; it does reference Adabas however (Re-Hosting Mainframe Applications to AWS with NTT DATA Services). Nevertheless, NTT has supported re-platforming and NATURAL codebase environments previously.

    ModernSystems (or ModSys) has relevant experience.

    • ModSys is the resulting entity following a merger between BluePhoenix and ATERAS a number of years ago. ATERAS is the entity I find references to within my “wayback machine” for member discussions. There are also a number of published case studies still searchable about ATERAS’ successful re-platforming engagements, including the California Public Employees Retirement System (CalPERS) most famously after the Accenture project to rewrite it failed.

    ATOS, as a hosting vendor mostly referenced by customers with global locations in a short-term transition posture, could be an option.

    Lastly, the other Managed Services vendors with NATURAL and Adabas capabilities:

    Reinvest

    By contrast, reducing the use of your mainframe makes it less cost-effective and more challenging to retain in-house expertise.

    • For organizations that have migrated applications off the mainframe (at least partly to reduce dependency on the platform), inevitably there remains a core set of mission critical applications that cannot be moved off for reasons described on the “Migrate” slide. This is when the mainframe becomes a costly burden:
      • TCO is relatively high due to low utilization.
      • In-house expertise declines as workload declines and current staffing allocations become harder to justify.
    • Organizations that are instead adding capacity and finding new ways to use this platform have lower cost concerns and resourcing challenges. The charts below illustrate this correlation. While some capacity growth is due to normal business growth, some is also due to new workloads, and it reflects an ongoing commitment to the platform.

    *92% of organizations that added capacity said TCO is lower than for commodity servers (compared to 50% of those who did not add capacity)

    *63% of organizations that added capacity said finding resources is not very difficult (compared to 42% of those who did not add capacity)

    The image contains a bar graph as described in the above text. The image contains a bar graph as described in the above text.

    *Maximize the Value of IBM Mainframes in My Business

    An important thought about data migration

    Mainframe data migrations – “VSAM, IMS, etc.”

    • While the application will be replaced and re-platformed, there is the historical VIN data remaining in the VSAM files and access via the application. The challenge is that a bulk conversion can add upfront costs and delay the re-platforming of the application functionality. Some shops will break the historical data migration into a couple of phases.
    • While there are technical solutions to accessing VSAM data stores, what I have observed with other members facing a similar scenario is a need to “shrink” the data store over time. The technical accesses to historical VSAM records would also have a lifespan, and rather than kicking the can down the road indefinitely, many have turned to a process-based solution allowing them to shrink the historical data store over time. I have observed three approaches to the handling or digitization of historical records like this:

    Temporary workaround. This would align with a technical solution allowing the VASM files to be accessed using platforms other than on mainframe hardware (Micro Focus or other file store trickery). This can be accomplished relatively quickly but does run the risk of technology obsolesce for the workaround at some point in the future.

    Bulk conversion. This method would involve the extract/transform/load of the historical records into the new application platform. Often the order of the conversion is completed on work newest to oldest (the idea is that the newest historical records would have the highest likelihood of an access need), but all files would be converted to the new application and the old data store destroyed.

    Forward convert, which would have files undergo the extract/transform/load conversion into the new application as they are accessed or reopened. This method would keep historical records indefinitely or until they are converted – or the legal retention schedule allows for their destruction (hopefully no file must be kept forever). This could be a cost-efficient approach since the historical files remaining on the VSAM platform would be shrunk over time based on demand from the district attorney process. The conversion process could be automated and scripted, with a QR step allowing for the records to be deleted from the old platform.

    Info-Tech Insight

    It is not usual for organizations to leverage options #2 and #3 above to move the functionality forward while containing the scope creep and costs for the data conversions.

    Enterprise class job scheduling

    Job scheduling or data center automation?

    • Enterprise class job scheduling solutions enable complex unattended batched programmatically conditioned task/job scheduling.
    • Data center automation (DCIM) software automates and orchestrates the processes and workflow for infrastructure operations including provisioning, configuring, patching of physical, virtual, and cloud servers, and monitoring of tasks involved in maintaining the operations of a data center or Infrastructure environment.
    • While there maybe some overlap and or confusion between data center automation and enterprise class job scheduling solutions, data center automation (DCIM) software solutions are least likely to have support for non-commodity server platforms and lack robust scheduling functionality.

    Note: Enterprise job scheduling is a topic with low member interest or demand. Since our published research is driven by members’ interest and needs, the lack of activity or member demand would obviously be a significant influence into our ability to aggregate shared member insight, trends, or best practices in our published agenda.

    Data Center Automation (DCIM) Software

    Orchestration/Provisioning Software

    Enterprise class job scheduling features

    The feature set for these tools is long and comprehensive. The feature list below is not exhaustive as specific tools may have additional product capabilities. At a minimum, the solutions offered by the vendors in the list below will have the following capabilities:

    • Automatic restart and recovery
    • File management
    • Integration with security systems such as AD
    • Operator alerts
    • Ability to control spooling devices
    • Cross-platform support
    • Cyclical scheduling
    • Deadline scheduling
    • Event-based scheduling / triggers
    • Inter-dependent jobs
    • External task monitoring (e.g. under other sub-systems)
    • Multiple calendars and time-zones
    • Scheduling of packaged applications (such as SAP, Oracle, JD Edwards)
    • The ability to schedule web applications (e.g. .net, java-based)
    • Workload analysis
    • Conditional dependencies
    • Critical process monitoring
    • Event-based automation (“self-healing” processes in response to common defined error conditions)
    • Graphical job stream/workflow visualization
    • Alerts (job failure notifications, task thresholds (too long, too quickly, missed windows, too short, etc.) via multiple channels
    • API’s supporting programmable scheduler needs
    • Virtualization support
    • Workload forecasting and workload planning
    • Logging and message data supporting auditing capabilities likely to be informed by or compliant with regulatory needs such as Sarbanes, Gramme-Leach
    • Historical reporting
    • Auditing reports and summaries

    Understand your vendors and tools

    List and compare the job scheduling features of each vendor.

    • This is not presented as an exhaustive list.
    • The list relies on observations aggregated from analyst engagements with Info-Tech Research Group members. Those member discussions tend to be heavily tilted toward solutions supporting non-commodity platforms.
    • Nothing is implied about a solution suitability or capability by the order of presentation or inclusion or absence in this list.

    ✓ Advanced Systems Concepts

    ✓ BMC

    ✓ Broadcom

    ✓ HCL

    ✓ Fortra

    ✓ Redwood

    ✓ SMA Technologies

    ✓ StoneBranch

    ✓ Tidal Software

    ✓ Vinzant Software

    Info-Tech Insight

    Creating vendor profiles will help quickly filter the solution providers that directly meet your z/Series needs.

    Advanced Systems Concepts

    ActiveBatch

    Workload Management:

    Summary

    Founded in 1981, ASCs ActiveBatch “provides a central automation hub for scheduling and monitoring so that business-critical systems, like CRM, ERP, Big Data, BI, ETL tools, work order management, project management, and consulting systems, work together seamlessly with minimal human intervention.”*

    URL

    advsyscon.com

    Coverage:

    Global

    Amazon EC2

    Hadoop Ecosystem

    IBM Cognos

    DataStage

    IBM PureData (Netezza)

    Informatica Cloud

    Microsoft Azure

    Microsoft Dynamics AX

    Microsoft SharePoint

    Microsoft Team Foundation Server

    Oracle EBS

    Oracle PeopleSoft

    SAP

    BusinessObjects

    ServiceNow

    Teradata

    VMware

    Windows

    Linux

    Unix

    IBM i

    *Advanced Systems Concepts, Inc.


    BMC

    Control-M

    Workload Management:

    Summary

    Founded in 1980, BMCs Control-M product “simplifies application and data workflow orchestration on premises or as a service. It makes it easy to build, define, schedule, manage, and monitor production workflows, ensuring visibility, reliability, and improving SLAs.”*

    URL

    bmc.com/it-solutions/control-m.html

    Coverage:

    Global

    AWS

    Azure

    Google Cloud Platform

    Cognos

    IBM InfoSphere

    DataStage

    SAP HANA

    Oracle EBS

    Oracle PeopleSoft

    BusinessObjects

    ServiceNow

    Teradata

    VMware

    Windows

    Linux

    Unix

    IBM i

    IBM z/OS

    zLinux

    *BMC

    Broadcom

    Atomic Automation

    Autosys Workload Automation

    Workload Management:

    Summary

    Broadcom offers Atomic Automation and Autosys Workload Automation which ”gives you the agility, speed and reliability required for effective digital business automation. From a single unified platform, Atomic centrally provides the orchestration and automation capabilities needed accelerate your digital transformation and support the growth of your company.”*

    URL

    broadcom.com/products/software/automation/automic-automation

    broadcom.com/products/software/automation/autosys

    Coverage:

    Global


    Windows

    MacOS

    Linux

    UNIX

    AWS

    Azure

    Google Cloud Platform

    VMware

    z/OS

    zLinux

    System i

    OpenVMS

    Banner

    Ecometry

    Hadoop

    Oracle EBS

    Oracle PeopleSoft

    SAP

    BusinessObjects

    ServiceNow

    Teradata

    VMware

    Windows

    Linux

    Unix

    IBM i

    *Broadcom

    HCL

    Workload Automation

    Workload Management:

    Summary

    “HCL Workload Automation streamlined modelling, advanced AI and open integration for observability. Accelerate the digital transformation of modern enterprises, ensuring business agility and resilience with our latest version of one stop automation platform. Orchestrate unattended and event-driven tasks for IT and business processes from legacy to cloud and kubernetes systems.”*

    URL

    hcltechsw.com/workload-automation

    Coverage:

    Global


    Windows

    MacOS

    Linux

    UNIX

    AWS

    Azure

    Google Cloud Platform

    VMware

    z/OS

    zLinux

    System i

    OpenVMS

    IBM SoftLayer

    IBM BigInsights

    IBM Cognos

    Hadoop

    Microsoft Dynamics 365

    Microsoft Dynamics AX

    Microsoft SQL Server

    Oracle E-Business Suite

    PeopleSoft

    SAP

    ServiceNow

    Apache Oozie

    Informatica PowerCenter

    IBM InfoSphere DataStage

    Salesforce

    BusinessObjects BI

    IBM Sterling Connect:Direct

    IBM WebSphere MQ

    IBM Cloudant

    Apache Spark

    *HCL Software

    Fortra

    JAMS Scheduler

    Workload Management:

    Summary

    Fortra’s “JAMS is a centralized workload automation and job scheduling solution that runs, monitors, and manages jobs and workflows that support critical business processes.

    JAMS reliably orchestrates the critical IT processes that run your business. Our comprehensive workload automation and job scheduling solution provides a single pane of glass to manage, execute, and monitor jobs—regardless of platforms or applications.”*

    URL

    jamsscheduler.com

    Coverage:

    Global


    OpenVMS

    OS/400

    Unix

    Windows

    z/OS

    SAP

    Oracle

    Microsoft

    Infor

    Workday

    AWS

    Azure

    Google Cloud Compute

    ServiceNow

    Salesforce

    Micro Focus

    Microsoft Dynamics 365

    Microsoft Dynamics AX

    Microsoft SQL Server

    MySQL

    NeoBatch

    Netezza

    Oracle PL/SQL

    Oracle E-Business Suite

    PeopleSoft

    SAP

    SAS

    Symitar

    *JAMS

    Redwood

    Redwood SaaS

    Workload Management:

    Summary

    Founded in 1993 and delivered as a SaaS solution, ”Redwood lets you orchestrate securely and reliably across any application, service or server, in the cloud or on-premises, all inside a single platform. Automation solutions are at the core of critical business operations such as forecasting, replenishment, reconciliation, financial close, order to cash, billing, reporting, and more. Enterprises in every industry — from manufacturing, utility, retail, and biotech to healthcare, banking, and aerospace.”*

    URL

    redwood.com

    Coverage:

    Global


    OpenVMS

    OS/400

    Unix

    Windows

    z/OS

    SAP

    Oracle

    Microsoft

    Infor

    Workday

    AWS

    Azure

    Google Cloud Compute

    ServiceNow

    Salesforce

    Github

    Office 365

    Slack

    Dropbox

    Tableau

    Informatica

    SAP BusinessObjects

    Cognos

    Microsoft Power BI

    Amazon QuickSight

    VMware

    Xen

    Kubernetes

    *Redwood

    Fortra

    Robot Scheduler

    Workload Management:

    Summary

    “Robot Schedule’s workload automation capabilities allow users to automate everything from simple jobs to complex, event-driven processes on multiple platforms and centralize management from your most reliable system: IBM i. Just create a calendar of when and how jobs should run, and the software will do the rest.”*

    URL

    fortra.com/products/job-scheduling-software-ibm-i

    Coverage:

    Global


    IBM i (System i, iSeries, AS/400)

    AIX/UNIX

    Linux

    Windows

    SQL/Server

    Domino

    JD Edwards EnterpriseOne

    SAP

    Automate Schedule (formerly Skybot Scheduler)

    *Fortra

    SMA Technologies

    OpCon

    Workload Management:

    Summary

    Founded in1980, SMA offers to “save time, reduce error, and free your IT staff to work on more strategic contributions with OpCon from SMA Technologies. OpCon offers powerful, easy-to-use workload automation and orchestration to eliminate manual tasks and manage workloads across business-critical operations. It's the perfect fit for financial institutions, insurance companies, and other transactional businesses.”*

    URL

    smatechnologies.com

    Coverage:

    Global

    Windows

    Linux

    Unix

    z/Series

    IBM i

    Unisys

    Oracle

    SAP

    Microsoft Dynamics AX

    Infor M3

    Sage

    Cegid

    Temenos

    FICS

    Microsoft Azure Data Management

    Microsoft Azure VM

    Amazon EC2/AWS

    Web Services RESTful

    Docker

    Google Cloud

    VMware

    ServiceNow

    Commvault

    Microsoft WSUS

    Microsoft Orchestrator

    Java

    JBoss

    Asysco AMT

    Tuxedo ART

    Nutanix

    Corelation

    Symitar

    Fiserv DNA

    Fiserv XP2

    *SMA Technologies

    StoneBranch

    Universal Automation Center (UAC)

    Workload Management:

    Summary

    Founded in 1999, ”the Stonebranch Universal Automation Center (UAC) is an enterprise-grade business automation solution that goes beyond traditional job scheduling. UAC's event-based workload automation solution is designed to automate and orchestrate system jobs and tasks across all mainframe, on-prem, and hybrid IT environments. IT operations teams gain complete visibility and advanced control with a single web-based controller, while removing the need to run individual job schedulers across platforms.”*

    URL

    stonebranch.com/it-automation-solutions/enterprise-job-scheduling

    Coverage:

    Global

    Windows

    Linux

    Unix

    z/Series

    Apache Kafka

    AWS

    Databricks

    Docker

    GitHub

    Google Cloud

    Informatica

    Jenkins

    Jscape

    Kubernetes

    Microsoft Azure

    Microsoft SQL

    Microsoft Teams

    PagerDuty

    PeopleSoft

    Petnaho

    RedHat Ansible

    Salesforce

    SAP

    ServiceNow

    Slack

    SMTP and IMAP

    Snowflake

    Tableau

    VMware

    *Stonebranch

    Tidal Software

    Workload Automation

    Workload Management:

    Summary

    Founded in 1979, Tidal’s Workload Automation will “simplify management and execution of end-to-end business processes with our unified automation platform. Orchestrate workflows whether they're running on-prem, in the cloud or hybrid environments.”*

    URL

    tidalsoftware.com

    Coverage:

    Global

    CentOS

    Linux

    Microsoft Windows Server

    Open VMS

    Oracle Cloud

    Oracle Enterprise Linux

    Red Hat Enterprise Server

    Suse Enterprise

    Tandem NSK

    Ubuntu

    UNIX

    HPUX (PA-RISC, Itanium)

    Solaris (Sparc, X86)

    AIX, iSeries

    z/Linux

    z/OS

    Amazon AWS

    Microsoft Azure

    Oracle OCI

    Google Cloud

    ServiceNow

    Kubernetes

    VMware

    Cisco UCS

    SAP R/3 & SAP S/4HANA

    Oracle E-Business

    Oracle ERP Cloud

    PeopleSoft

    JD Edwards

    Hadoop

    Oracle DB

    Microsoft SQL

    SAP BusinessObjects

    IBM Cognos

    FTP/FTPS/SFTP

    Informatica

    *Tidal

    Vinzant Software

    Global ECS

    Workload Management:

    Summary

    Founded in 1987, Global ECS can “simplify operations in all areas of production with the GECS automation framework. Use a single solution to schedule, coordinate and monitor file transfers, database operations, scripts, web services, executables and SAP jobs. Maximize efficiency for all operations across multiple business units intelligently and automatically.”*

    URL

    vinzantsoftware.com

    Coverage:

    Global

    Windows

    Linux

    Unix

    iSeries

    SAP R/3 & SAP S/4HANA

    Oracle, SQL/Server

    *Vizant Software

    Activity

    Scale Out or Scale Up

    Activities:

    1. Complete the Scale Up vs. Scale Out TCO Tool.
    2. Compare total lifecycle costs to determine TCO.

    This activity involves the following participants:

    IT strategic direction decision makers

    IT managers responsible for an existing z/Series platform

    Organizations evaluating platforms for mission critical applications

    Outcomes of this step:

    • Completed Scale Up vs. Scale Out TCO Tool

    Info-Tech Insight

    This checkpoint process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.

    Scale out versus scale up activity

    The Scale Up vs. Scale Out TCO Tool provides organizations with a framework for estimating the costs associated with purchasing and licensing for a scale-up and scale-out environment over a multi-year period.

    Use this tool to:

    • Compare the pre-populated values.
    • Insert your own amounts to contrast possible database decisions and determine the TCO of each.
    The image contains screenshots of the Scale Up vs. Scale Out TCO Tool.

    Info-Tech Insight

    Watch out for inaccurate financial information. Ensure that the financials for cost match your maintenance and contract terms.

    Use the Scale Up vs. Scale Out TCO Tool to determine your TCO options.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services

    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap

    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Define Your Cloud Vision

    Make the most of cloud for your organization.

    Document Your Cloud Strategy

    Drive consensus by outlining how your organization will use the cloud.

    Build a Strategy for Big Data Platforms

    Know where to start and where to focus attention in the implementation of a big data strategy.

    Create a Better RFP Process

    Improve your RFPs to gain leverage and get better results.

    Research Authors

    Darin Stahl.

    Darin Stahl, Principal Research Advisor, Info-Tech Research Group

    Darin is a Principal Research Advisor within the Infrastructure Practice, and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring/ APM, Managed FTP, non-commodity servers (z/Series, mainframe, IBM i, AIX, Power PC).

    Troy Cheeseman.

    Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 25 years of IT management experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups.

    Bibliography

    “AWS Announces AWS Mainframe Modernization.” Business Wire, 30 Nov. 2021.
    de Valence, Phil. “Migrating a Mainframe to AWS in 5 Steps with Astadia?” AWS, 23 Mar. 2018.
    Graham, Nyela. “New study shows mainframes still popular despite the rise of cloud—though times are changing…fast?” WatersTechnology, 12 Sept. 2022.
    “Legacy applications can be revitalized with API.” MuleSoft, 2022.
    Vecchio, Dale. “The Benefits of Running Mainframe Applications on LzLabs Software Defined Mainframe® & Microsoft Azure.” LzLabs Sites, Mar. 2021.

    Define Your Cloud Vision

    • Buy Link or Shortcode: {j2store}448|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $182,333 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy

    The cloud permeates the enterprise technology discussion. It can be difficult to separate the hype from the value. Should everything go to the cloud, or is that sentiment stoked by vendors looking to boost their bottom lines? Not everything should go to the cloud, but coming up with a systematic way to determine what belongs where is increasingly difficult as offerings get more complex.

    Our Advice

    Critical Insight

    Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

    Impact and Result

    • Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
    • Codify risks tied to workloads’ cloud suitability and plan mitigations.
    • Build a roadmap of initiatives for actions by workload and risk mitigation.
    • Define a cloud vision to share with stakeholders.

    Define Your Cloud Vision Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Your Cloud Vision – A step-by-step guide to generating, validating, and formalizing your cloud vision.

    The cloud vision storyboard walks readers through the process of generating, validating and formalizing a cloud vision, providing a framework and tools to assess workloads for their cloud suitability and risk.

    • Define Your Cloud Vision – Phases 1-4

    2. Cloud Vision Executive Presentation – A document that captures the results of the exercises, articulating use cases for cloud/non-cloud, risks, challenges, and high-level initiative items.

    The executive summary captures the results of the vision exercise, including decision criteria for moving to the cloud, risks, roadblocks, and mitigations.

    • Cloud Vision Executive Presentation

    3. Cloud Vision Workbook – A tool that facilitates the assessment of workloads for appropriate service model, delivery model, support model, and risks and roadblocks.

    The cloud vision workbook comprises several assessments that will help you understand what service model, delivery model, support model, and risks and roadblocks you can expect to encounter at the workload level.

    • Cloud Vision Workbook
    [infographic]

    Workshop: Define Your Cloud Vision

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Cloud

    The Purpose

    Align organizational goals to cloud characteristics.

    Key Benefits Achieved

    An understanding of how the characteristics particular to cloud can support organizational goals.

    Activities

    1.1 Generate corporate goals and cloud drivers.

    1.2 Identify success indicators.

    1.3 Explore cloud characteristics.

    1.4 Explore cloud service and delivery models.

    1.5 Define cloud support models and strategy components.

    1.6 Create state summaries for the different service and delivery models.

    1.7 Select workloads for further analysis.

    Outputs

    Corporate cloud goals and drivers

    Success indicators

    Current state summaries

    List of workloads for further analysis

    2 Assess Workloads

    The Purpose

    Evaluate workloads for cloud value and action plan.

    Key Benefits Achieved

    Action plan for each workload.

    Activities

    2.1 Conduct workload assessment using the Cloud Strategy Workbook tool.

    2.2 Discuss assessments and make preliminary determinations about the workloads.

    Outputs

    Completed workload assessments

    Workload summary statements

    3 Identify and Mitigate Risks

    The Purpose

    Identify and plan to mitigate potential risks in the cloud project.

    Key Benefits Achieved

    A list of potential risks and plans to mitigate them.

    Activities

    3.1 Generate a list of risks and potential roadblocks associated with the cloud.

    3.2 Sort risks and roadblocks and define categories.

    3.3 Identify mitigations for each identified risk and roadblock

    3.4 Generate initiatives from the mitigations.

    Outputs

    List of risks and roadblocks, categorized

    List of mitigations

    List of initiatives

    4 Bridge the Gap and Create the Strategy

    The Purpose

    Clarify your vision of how the organization can best make use of cloud and build a project roadmap.

    Key Benefits Achieved

    A clear vision and a concrete action plan to move forward with the project.

    Activities

    4.1 Review and assign work items.

    4.2 Finalize the decision framework for each of the following areas: service model, delivery model, and support model.

    4.3 Create a cloud vision statement

    Outputs

    Cloud roadmap

    Finalized task list

    Formal cloud decision rubric

    Cloud vision statement

    5 Next Steps and Wrap-Up

    The Purpose

    Complete your cloud vision by building a compelling executive-facing presentation.

    Key Benefits Achieved

    Simple, straightforward communication of your cloud vision to key stakeholders.

    Activities

    5.1 Build the Cloud Vision Executive Presentation

    Outputs

    Completed cloud strategy executive presentation

    Completed Cloud Vision Workbook.

    Further reading

    Define Your Cloud Vision

    Define your cloud vision before it defines you

    Analyst perspective

    Use the cloud’s strengths. Mitigate its weaknesses.

    The cloud isn’t magic. It’s not necessarily cheaper, better, or even available for the thing you want it to do. It’s not mysterious or a cure-all, and it does take a bit of effort to systematize your approach and make consistent, defensible decisions about your cloud services. That’s where this blueprint comes in.

    Your cloud vision is the culmination of this effort all boiled down into a single statement: “This is how we want to use the cloud.” That simple statement should, of course, be representative of – and built from – a broader, contextual strategy discussion that answers the following questions: What should go to the cloud? What kind of cloud makes sense? Should the cloud deployment be public, private, or hybrid? What does a migration look like? What risks and roadblocks need to be considered when exploring your cloud migration options? What are the “day 2” activities that you will need to undertake after you’ve gotten the ball rolling?

    Taken as a whole, answering these questions is difficult task. But with the framework provided here, it’s as easy as – well, let’s just say it’s easier.

    Jeremy Roberts

    Research Director, Infrastructure and Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • You are both extrinsically motivated to move to the cloud (e.g. by vendors) and intrinsically motivated by internal digital transformation initiatives.
    • You need to define the cloud’s true value proposition for your organization without assuming it is an outsourcing opportunity or will save you money.
    • Your industry, once cloud-averse, is now normalizing the use of cloud services, but you have not established a basic cloud vision from which to develop a strategy at a later point.

    Common Obstacles

    • Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
    • Many organizations have a foot in the cloud already, but these decisions have been made in an ad hoc rather than systematic fashion.
    • You lack a consistent framework to assess your workloads’ suitability for the cloud.

    Info-Tech's Approach

    • Evaluate workloads’ suitability for the cloud using Info-Tech’s methodology to select the optimal migration (or non-migration) path based on the value of cloud characteristics.
    • Codify risks tied to workloads’ cloud suitability and plan mitigations.
    • Build a roadmap of initiatives for actions by workload and risk mitigation.
    • Define a cloud vision to share with stakeholders.

    Info-Tech Insight: 1) Base migration decisions on cloud characteristics. If your justification for the migration is simply getting your workload out of the data center, think again. 2) Address the risks up front in your migration plan. 3) The cloud changes roles and calls for different skill sets, but Ops is here to stay.

    Your challenge

    This research is designed to help organizations who need to:

    • Identify workloads that are good candidates for the cloud.
    • Develop a consistent, cost-effective approach to cloud services.
    • Outline and mitigate risks.
    • Define your organization’s cloud archetype.
    • Map initiatives on a roadmap.
    • Communicate your cloud vision to stakeholders so they can understand the reasons behind a cloud decision and differentiate between different cloud service and deployment models.
    • Understand the risks, roadblocks, and limitations of the cloud.

    “We’re moving from a world where companies like Oracle and Microsoft and HP and Dell were all critically important to a world where Microsoft is still important, but Amazon is now really important, and Google also matters. The technology has changed, but most of the major vendors they’re betting their business on have also changed. And that’s super hard for people..” –David Chappell, Author and Speaker

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Organizations jump to the cloud before defining their cloud vision and without any clear plan for realizing the cloud’s benefits.
    • Many organizations already have a foot in the cloud, but the choice to explore these solutions was made in an ad hoc rather than systematic fashion. The cloud just sort of happened.
    • The lack of a consistent assessment framework means that some workloads that probably belong in the cloud are kept on premises or with hosted services providers – and vice versa.
    • Securing cloud expertise is remarkably difficult – especially in a labor market roiled by the global pandemic and the increasing importance of cloud services.

    Standard cloud challenges

    30% of all cloud spend is self-reported as waste. Many workloads that end up in the cloud don’t belong there. Many workloads that do belong in the cloud aren’t properly migrated. (Flexera, 2021)

    44% of respondents report themselves as under-skilled in the cloud management space. (Pluralsight, 2021)

    Info-Tech’s approach

    Goals and drivers

    • Service model
      • What type of cloud makes the most sense for workload archetypes? When does it make sense to pick SaaS over IaaS, for example?
    • Delivery model
      • Will services be delivered over the public cloud, a private cloud, or a hybrid cloud? What challenges accompany this decision?
    • Migration Path
      • What does the migration path look like? What does the transition to the cloud look like, and how much effort will be required? Amazon’s 6Rs framework captures migration options: rehosting, repurchasing, replatforming, and refactoring, along with retaining and retiring. Each workload should be assessed for its suitability for one or more of these paths.
    • Support model
      • How will services be provided? Will staff be trained, new staff hired, a service provider retained for ongoing operations, or will a consultant with cloud expertise be brought on board for a defined period? The appropriate support model is highly dependent on goals along with expected outcomes for different workloads.

    Highlight risks and roadblocks

    Formalize cloud vision

    Document your cloud strategy

    The Info-Tech difference:

    1. Determine the hypothesized value of cloud for your organization.
    2. Evaluate workloads with 6Rs framework.
    3. Identify and mitigate risks.
    4. Identify cloud archetype.
    5. Plot initiatives on a roadmap.
    6. Write action plan statement and goal statement.

    What is the cloud, how is it deployed, and how is service provided?

    Cloud Characteristics

    1. On-demand self-service: the ability to access reosurces instantly without vendor interaction
    2. Broad network access: all services delivered over the network
    3. Resource pooling: multi-tenant environment (shared)
    4. Rapid elasticity: the ability to expand and retract capabilities as needed
    5. Measured service: transparent metering

    Service Model:

    1. Software-as-a-Service: all but the most minor configuration is done by the vendor
    2. Platform-as-a-Service: customer builds the application using tools provided by the provider
    3. Infrastructure-as-a-Service: the customer manages OS, storage, and the application

    Delivery Model

    1. Public cloud: accessible to anyone over the internet; multi-tenant environment
    2. Private cloud: provisioned for a single organization with multiple units
    3. Hybrid cloud: two or more connected clouds; data is portage across them
    4. Community cloud: provisioned for a specific group of organizations

    (National Institute of Standards and Technology)

    A workload-first approach will allow you to take full advantage of the cloud’s strengths

    • Under all but the most exceptional circumstances, good cloud strategies will incorporate different service models. Very few organizations are “IaaS shops” or “SaaS shops,” even if they lean heavily in one direction.
    • These different service models (including non-cloud options like colocation and on-premises infrastructure) each have different strengths. Part of your cloud strategy should involve determining which of the services makes the most sense for you.
    • Own the cloud by understanding which cloud (or non-cloud!) offering makes the most sense for you given your unique context.

    Migration paths

    In a 2016 blog post, Amazon introduced a framework for understanding cloud migration strategies. The framework presented here is slightly modified – including a “relocate” component rather than a “retire” component – but otherwise hews close to the standard.

    These migration paths reflect organizational capabilities and desired outcomes in terms of service models – cloud or otherwise. Retention means keeping the workload where it is, in a datacenter or a colocation service, or relocating to a colocation or hosted software environment. These represent the “non-cloud” migration paths.

    In the graphic on the right, the paths within the red box lead to the cloud. Rehosting means lifting and shifting to an infrastructure environment. Migrating a virtual machine from your VMware environment on premises to Azure Virtual machines is a quick way to realize some benefits from the cloud. Migrating from SQL Server on premises to a cloud-based SQL solution looks a bit more like changing platforms (replatforming). It involves basic infrastructure modification without a substantial architectural component.

    Refactoring is the most expensive of the options and involves engaging the software development lifecycle to build a custom solution, fundamentally rewriting the solution to be cloud native and take advantage of cloud-native architectures. This can result in a PaaS or an IaaS solution.

    Finally, repurchasing means simply going to market and procuring a new solution. This may involve migrating data, but it does not require the migration of components.

    Migration Paths

    Retain (Revisit)

    • Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

    Relocate

    • Move the workload between datacenters or to a hosted software/colocation provider.

    Rehost

    • Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

    Replatform

    • Move the application to the cloud and perform a few changes for cloud optimizations.

    Refactor

    • Rewrite the application, taking advantage of cloud-native architectures.

    Repurchase

    • Replace with an alternative, cloud-native application and migrate the data.

    Support model

    Support models by characteristic

    Duration of engagement Specialization Flexibility
    Internal IT Indefinite Varies based on nature of business Fixed, permanent staff
    Managed Service Provider Contractually defined General, some specialization Standard offering
    Consultant Project-based Specific, domain-based Entirely negotiable

    IT services, including cloud services, can be delivered and managed in multiple ways depending on the nature of the workload and the organization’s intended path forward. Three high-level options are presented here and may be more or less valuable based on the duration of the expected engagement with the service (temporary or permanent), the skills specialization required, and the flexibility necessary to complete the job.

    By way of example, a highly technical, short-term project with significant flexibility requirements might be a good fit for an expensive consultant, whereas post-implementation maintenance of a cloud email system requires relatively little specialization and flexibility and would therefore be a better fit for internal management.

    There is no universally applicable rule here, but there are some workloads that are generally a good fit for the cloud and others that are not as effective, with that fit being conditional on the appropriate support model being employed.

    Risks, roadblocks, and strategy components

    No two cloud strategies are exactly alike, but all should address 14 key areas. A key step in defining your cloud vision is an assessment of these strategy components. Lower maturity does not preclude an aggressive cloud strategy, but it does indicate that higher effort will be required to make the transition.

    Component Description Component Description
    Monitoring What will system owners/administrators need visibility into? How will they achieve this? Vendor Management What practices must change to ensure effective management of cloud vendors?
    Provisioning Who will be responsible for deploying cloud workloads? What governance will this process be subject to? Finance Management How will costs be managed with the transition away from capital expenditure?
    Migration How will cloud migrations be conducted? What best practices/standards must be employed? Security What steps must be taken to ensure that cloud services meet security requirements?
    Operations management What is the process for managing operations as they change in the cloud? Data Controls How will data residency, compliance, and protection requirements be met in the cloud?
    Architecture What general principles must apply in the cloud environment? Skills and roles What skills become necessary in the cloud? What steps must be taken to acquire those skills?
    Integration and interoperability How will services be integrated? What standards must apply? Culture and adoption Is there a cultural aversion to the cloud? What steps must be taken to ensure broad cloud acceptance?
    Portfolio Management Who will be responsible for managing the growth of the cloud portfolio? Governing bodies What formal governance must be put in place? Who will be responsible for setting standards?

    Cloud archetypes – a cloud vision component

    Once you understand the value of the cloud, your workloads’ general suitability for cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype.

    Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes.

    After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders.

    The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.

    We can best support the organization's goals by:

    More Cloud

    Less Cloud

    Cloud Focused Cloud-Centric Providing all workloads through cloud delivery.
    Cloud-First Using the cloud as our default deployment model. For each workload, we should ask “why NOT cloud?”
    Cloud Opportunistic Hybrid Enabling the ability to transition seamlessly between on-premises and cloud resources for many workloads.
    Integrated Combining cloud and traditional infrastructure resources, integrating data and applications through APIs or middleware.
    Split Using the cloud for some workloads and traditional infrastructure resources for others.
    Cloud Averse Cloud-Light Using traditional infrastructure resources and limiting our use of the cloud to when it is absolutely necessary.
    Anti-Cloud Using traditional infrastructure resources and avoiding use of the cloud wherever possible.

    Info-Tech’s methodology for defining your cloud vision

    1. Understand the Cloud 2. Assess Workloads 3. Identify and Mitigate Risks 4. Bridge the Gap and Create the Vision
    Phase Steps
    1. Generate goals and drivers
    2. Explore cloud characteristics
    3. Create a current state summary
    4. Select workloads for analysis
    1. Conduct workload assessments
    2. Determine workload future state
    1. Generate risks and roadblocks
    2. Mitigate risks and roadblocks
    3. Define roadmap initiatives
    1. Review and assign work items
    2. Finalize cloud decision framework
    3. Create cloud vision
    Phase Outcomes
    1. List of goals and drivers
    2. Shared understanding of cloud terms
    3. Current state of cloud in the organization
    4. List of workloads to be assessed
    1. Completed workload assessments
    2. Defined workload future state
    1. List of risks and roadblocks
    2. List of mitigations
    3. Defined roadmap initiatives
    1. Cloud roadmap
    2. Cloud decision framework
    3. Completed Cloud Vision Executive Presentation

    Insight summary

    The cloud may not be right for you – and that’s okay!

    Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud first isn’t always the way to go.

    Not all clouds are equal

    It’s not “should I go to the cloud?” but “what service and delivery models make sense based on my needs and risk tolerance?” Thinking about the cloud as a binary can force workloads into the cloud that don’t belong (and vice versa).

    Bottom-up is best

    A workload assessment is the only way to truly understand the cloud’s value. Work from the bottom up, not the top down, understand what characteristics make a workload cloud suitable, and strategize on that basis.

    Your accountability doesn’t change

    You are still accountable for maintaining available, secure, functional applications and services. Cloud providers share some responsibility, but the buck stops where it always has: with you.

    Don’t customize for the sake of customization

    SaaS providers make money selling the same thing to everyone. When migrating a workload to SaaS, work with stakeholders to pursue standardization around a selected platform and avoid customization where possible.

    Best of both worlds, worst of both worlds

    Hybrid clouds are in fashion, but true hybridity comes with additional cost, administration, and other constraints. A convoy moves at the speed of its slowest member.

    The journey matters as much as the destination

    How you get there is as important as what “there” actually is. Any strategy that focuses solely on the destination misses out on a key part of the value conversation: the migration strategy.

    Blueprint benefits

    Cloud Vision Executive Presentation

    This presentation captures the results of the exercises and presents a complete vision to stakeholders including a desired target state, a rubric for decision making, the results of the workload assessments, and an overall risk profile.

    Cloud Vision Workbook

    This workbook includes the standard cloud workload assessment questionnaire along with the results of the assessment. It also includes the milestone timeline for the implementation of the cloud vision.

    Blueprint benefits

    IT Benefits

    • A consistent approach to the cloud takes the guesswork out of deployment decisions and makes it easier for IT to move on to the execution stage.
    • When properly incorporated, cloud services come with many benefits, including automation, elasticity, and alternative architectures (micro-services, containers). The cloud vision project will help IT readers articulate expected benefits and work towards achieving them.
    • A clear framework for incorporating organizational goals into cloud plans.

    Business benefits

    • Simple, well-governed access to high-quality IT resources.
    • Access to the latest and greatest in technology to facilitate remote work.
    • Framework for cost management in the cloud that incorporates OpEx and chargebacks/showbacks. A clear understanding of expected changes to cost modeling is also a benefit of a cloud vision.
    • Clarity for stakeholders about IT’s response (and contribution to) IT strategic initiatives.

    Measure the value of this blueprint

    Don’t take our word for it:

    • The cloud vision material in various forms has been offered for several years, and members have generally benefited substantially, both from cloud vision workshops and from guided implementations led by analysts.
    • After each engagement, we send a survey that asks members how they benefited from the experience. Of 30 responses, the cloud vision research has received an average score of 9.8/10. Real members have found significant value in the process.
    • Additionally, members reported saving between 2 and 120 days (for an average of 17), and financial savings ranged from $1,920 all the way up to $1.27 million, for an average of $170,577.90! If we drop outliers on both ends, the average reported value of a cloud vision engagement is $37, 613.
    • Measure the value by calculating the time saved from using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

    9.8/10 Average reported satisfaction

    17 Days Average reported time savings

    $37, 613 Average cost savings (adj.)

    Executive Brief Case Study

    Industry: Financial

    Source: Info-Tech workshop

    Anonymous financial institution

    A small East Coast financial institution was required to develop a cloud strategy. This strategy had to meet several important requirements, including alignment with strategic priorities and best practices, along with regulatory compliance, including with the Office of the Comptroller of the Currency.

    The bank already had a significant cloud footprint and was looking to organize and formalize the strategy going forward.

    Leadership needed a comprehensive strategy that touched on key areas including the delivery model, service models, individual workload assessments, cost management, risk management and governance. The output had to be consumable by a variety of audiences with varying levels of technical expertise and had to speak to IT’s role in the broader strategic goals articulated earlier in the year.

    Results

    The bank engaged Info-Tech for a cloud vision workshop and worked through four days of exercises with various IT team members. The bank ultimately decided on a multi-cloud strategy that prioritized SaaS while also allowing for PaaS and IaaS solutions, along with some non-cloud hosted solutions, based on organizational circumstances.

    Bank cloud vision

    [Bank] will provide innovative financial and related services by taking advantage of the multiplicity of best-of-breed solutions available in the cloud. These solutions make it possible to benefit from industry-level innovations, while ensuring efficiency, redundancy, and enhanced security.

    Bank cloud decision workflow

    • SaaS
      • Platform?
        • Yes
          • PaaS
        • No
          • Hosted
        • IaaS
          • Other

    Non-cloud

    Cloud

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this crticial project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off imediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge the take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

    • Call #1: Discuss current state, challenges, etc.
    • Call #2: Goals, drivers, and current state.

    Phase 2

    • Call #3: Conduct cloud suitability assessment for selected workloads.

    Phase 3

    • Call #4: Generate and categorize risks.
    • Call #5: Begin the risk mitigation conversation.

    Phase 4

    • Call #6: Complete the risk mitigation process
    • Call #7: Finalize vision statement and cloud decision framework.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Offsite day
    Understand the cloud Assess workloads Identify and mitigate risks Bridge the gap and create the strategy Next steps and wrap-up (offsite)
    Activities

    1.1 Introduction

    1.2 Generate corporate goals and cloud drivers

    1.3 Identify success indicators

    1.4 Explore cloud characteristics

    1.5 Explore cloud service and delivery models

    1.6 Define cloud support models and strategy components

    1.7 Create current state summaries for the different service and delivery models

    1.8 Select workloads for further analysis

    2.1 Conduct workload assessments using the cloud strategy workbook tool

    2.2 Discuss assessments and make preliminary determinations about workloads

    3.1 Generate a list of risks and potential roadblocks associated with the cloud

    3.2 Sort risks and roadblocks and define categories

    3.3 Identify mitigations for each identified risk and roadblock

    3.4 Generate initiatives from the mitigations

    4.1 Review and assign work items

    4.2 Finalize the decision framework for each of the following areas:

    • Service model
    • Delivery model
    • Support model

    4.3 Create a cloud vision statement

    5.1 Build the Cloud Vision Executive Presentation
    Deliverables
    1. Corporate goals and cloud drivers
    2. Success indicators
    3. Current state summaries
    4. List of workloads for further analysis
    1. Completed workload assessments
    2. Workload summary statements
    1. List of risks and roadblocks, categorized
    2. List of mitigations
    3. List of initiatives
    1. Finalized task list
    2. Formal cloud decision rubric
    3. Cloud vision statement
    1. Completed cloud strategy executive presentation
    2. Completed cloud vision workbook

    Understand the cloud

    Build the foundations of your cloud vision

    Phase 1

    Phase 1

    Understand the Cloud

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    1.1.1 Generate organizational goals

    1.1.2 Define cloud drivers

    1.1.3 Define success indicators

    1.3.1 Record your current state

    1.4.1 Select workloads for further assessment

    This phase involves the following participants:

    IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders.

    It starts with shared understanding

    Stakeholders must agree on overall goals and what “cloud” means

    The cloud is a nebulous term that can reasonably describe services ranging from infrastructure as a service as delivered by providers like Amazon Web Services and Microsoft through its Azure platform, right up to software as a service solutions like Jira or Salesforce. These solutions solve different problems – just because your CRM would be a good fit for a migration to Salesforce doesn’t mean the same system would make sense in Azure or AWS.

    This is important because the language we use to talk about the cloud can color our approach to cloud services. A “cloud-first” strategy will mean something different to a CEO with a concept of the cloud rooted in Salesforce than it will to a system administrator who interprets it to mean a transition to cloud-hosted virtual machines.

    Add to this the fact that not all cloud services are hosted externally by providers (public clouds) and the fact that multiple delivery models can be engaged at once through hybrid or multi-cloud approaches, and it’s apparent that a shared understanding of the cloud is necessary for a coherent strategy to take form.

    This phase proceeds in four steps, each governed by the principle of shared understanding. The first requires a shared understanding of corporate goals and drivers. Step 2 involves coming to a shared understanding of the cloud’s unique characteristics. Step 3 requires a review of the current state. Finally, in Step 4, participants will identify workloads that are suitable for analysis as candidates for the cloud.

    Step 1.1

    Generate goals and drivers

    Activities

    1.1.1 Define organizational goals

    1.1.2 Define cloud drivers

    1.1.3 Define success indicators

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    This step involves the following participants:

    • IT management
    • Core working group
    • Security
    • Applications
    • Infrastructure
    • Service management
    • Leadership

    Outcomes of this step

    • List of organizational goals
    • List of cloud drivers
    • Defined success indicators

    What can the cloud do for you?

    The cloud is not valuable for its own sake, and not all users derive the same value

    • The cloud is characterized by on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Any or all of those characteristics might be enough to make the cloud appealing, but in most cases, there is an overriding driver.
    • Multiple paths may lead to the cloud. Consider an organization with a need to control costs by showing back to business units, or perhaps by reducing capital expenditure – the cloud may be the most appropriate way to effect these changes. Conversely, an organization expanding rapidly and with a need to access the latest and greatest technology might benefit from the elasticity and pooled resources that major cloud providers can offer.
    • In these cases, the destination might be the same (a cloud solution) but the delivery model – public, private, or hybrid – and the decisions made around the key strategy components, including architecture, provisioning, and cost management, will almost certainly be different.
    • Defining goals, understanding cloud drivers, and – crucially – understanding what success means, are all therefore essential elements of the cloud vision process.

    1.1.1 Generate organizational goals

    1-3 hours

    Input

    • Strategy documentation

    Output

    • Organizational goals

    Materials

    • Whiteboard (digital/physical)

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. As a group, brainstorm organizational goals, ideally based on existing documentation
      • Review relevant corporate and IT strategies.
      • If you do not have access to internal documentation, review the standard goals on the next slide and select those that are most relevant for you.
    2. Record the most important business goals in the Cloud Vision Executive Presentation. Include descriptions where possible to ensure wide readability.
    3. Make note of these goals. They should inform the answers to prompts offered in the Cloud Vision Workbook and should be a consistent presence in the remainder of the visioning exercise. If you’re conducting the session in person, leave the goals up on a whiteboard and make reference to them throughout the workshop.

    Cloud Vision Executive Presentation

    Standard COBIT 19 enterprise goals

    1. Portfolio of competitive products and services
    2. Managed business risk
    3. Compliance with external laws and regulations
    4. Quality of financial information
    5. Customer-oriented service culture
    6. Business service continuity and availability
    7. Quality of management information
    8. Optimization of internal business process functionality
    9. Optimization of business process costs
    10. Staff skills, motivation, and productivity
    11. Compliance with internal policies
    12. Managed digital transformation programs
    13. Product and business innovation

    1.1.2 Define cloud drivers

    30-60 minutes

    Input

    • Organizational goals
    • Strategy documentation
    • Management/staff perspective

    Output

    • List of cloud drivers

    Materials

    • Sticky notes
    • Whiteboard
    • Markers

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. Cloud drivers sit at a level of abstraction below organizational goals. Keeping your organizational goals in mind, have each participant in the session write down how they expect to benefit from the cloud on a sticky note.
    2. Solicit input one at a time and group similar responses. Encourage participants to bring forward their cloud goals even if similar goals have been mentioned previously. The number of mentions is a useful way to gauge the relative weight of the drivers.
    3. Once this is done, you should have a few groups of similar drivers. Work with the group to name each category. This name will be the driver reported in the documentation.
    4. Input the results of the exercise into the Cloud Vision Executive Presentation, and include descriptions based on the constituent drivers. For example, if a driver is titled “do more valuable work,” the constituent drivers might be “build cloud skills,” “focus on core products,” and “avoid administration work where possible.” The description would be based on these components.

    Cloud Vision Executive Presentation

    1.1.3 Define success indicators

    1 hour

    Input

    • Cloud drivers
    • Organizational goals

    Output

    • List of cloud driver success indicators

    Materials

    • Whiteboard
    • Markers

    Participants

    • IT leadership
    • Infrastructure
    • Applications
    • Security
    1. On a whiteboard, draw a table with each of the cloud drivers (identified in 1.1.2) across the top.
    2. Work collectively to generate success indicators for each cloud driver. In this case, a success indicator is some way you can report your progress with the stated driver. It is a real-world proxy for the sometimes abstract phenomena that make up your drivers. Think about what would be true if your driver was realized.
      1. For example, if your driver is “faster access to resources,” you might consider indicators like developer satisfaction, project completion time, average time to provision, etc.
    3. Once you are satisfied with your list of indicators, populate the slide in the Cloud Vision Executive Presentation for validation from stakeholders.

    Cloud Vision Executive Presentation

    Step 1.2

    Explore cloud characteristics

    Activities

    Understand the value of the cloud:

    • Review delivery models
    • Review support models
    • Review service models
    • Review migration paths

    Understand the Cloud

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    This step involves the following participants:

    • Core working group
    • Architecture
    • Engineering
    • Security

    Outcomes of this step

    • Understanding of cloud service models and value

    Defining the cloud

    Per NIST, the cloud has five fundamental characteristics. All clouds have these characteristics, even if they are executed in somewhat different ways between delivery models, service models, and even individual providers.

    Cloud characteristics

    On-demand self-service

    Cloud customers are capable of provisioning cloud resources without human interaction (e.g. contacting sales), generally through a web console.

    Broad network access

    Capabilities are designed to be delivered over a network and are generally intended for access by a wide variety of platform types (cloud services are generally device-agnostic).

    Resource pooling

    Multiple customers (internal, in the case of private clouds) make use of a highly abstracted shared infrastructure managed by the cloud provider.

    Rapid elasticity

    Customers are capable of provisioning additional resources as required, pulling from a functionally infinite pool of capacity. Cloud resources can be spun-down when no longer needed.

    Measured service

    Consumption is metered based on an appropriate unit of analysis (number of licenses, storage used, compute cycles, etc.) and billing is transparent and granular.

    Cloud delivery models

    The NIST definition of cloud computing outlines four cloud delivery models: public, private, hybrid, and community clouds. A community cloud is like a private cloud, but it is provisioned for the exclusive use of a like-minded group of organizations, usually in a mutually beneficial, non-competitive arrangement. Universities and hospitals are examples of organizations that can pool their resources in this way without impacting competitiveness. The Info-Tech model covers three key delivery models – public, private, and hybrid, and an overarching model (multi-cloud) that can comprise more than one of the other models – public + public, public + hybrid, etc.

    Public

    The cloud service is provisioned for access by the general public (customers).

    Private

    A private cloud has the five key characteristics, but is provisioned for use by a single entity, like a company or organization.

    Hybrid

    Hybridity essentially refers to interoperability between multiple cloud delivery models (public +private).

    Multi

    A multi-cloud deployment requires only that multiple clouds are used without any necessary interoperability (Nutanix, 2019).

    Public cloud

    This is what people generally think about when they talk about cloud

    • The public cloud is, well, public! Anyone can make use of its resources, and in the case of the major providers, capacity is functionally unlimited. Need to store exabytes of data in the cloud? No problem! Amazon will drive a modified shipping container to your datacenter, load it up, and “migrate” it to a datacenter.
    • Public clouds offer significant variety on the infrastructure side. Major IaaS providers, like Microsoft and Amazon, offer dozens of services across many different categories including compute, networking, and storage, but also identity, containers, machine learning, virtual desktops, and much, much more. (See a list from Microsoft here, and Amazon here)
    • There are undoubtedly strengths to the public cloud model. Providers offer the “latest and greatest” and customers need not worry about the details, including managing infrastructure and physical locations. Providers offer built-in redundancy, multi-regional deployments, automation tools, management and governance solutions, and a variety of leading-edge technologies that would not be feasible for organizations to run in-house, like high performance compute, blockchain, or quantum computing.
    • Of course, the public cloud is not all sunshine and rainbows – there are downsides as well. It can be expensive; it can introduce regulatory complications to have to trust another entity with your key information. Additionally, there can be performance hiccups, and with SaaS products, it can be difficult to monitor at the appropriate (per-transaction) level.

    Prominent examples include:

    AWS

    Microsoft

    Azure

    Salesforce.com

    Workday

    SAP

    Private cloud

    A lower-risk cloud for cloud-averse customers?

    • A cloud is a cloud, no matter how small. Some IT shops deploy private clouds that make use of the five key cloud characteristics but provisioned for the exclusive use of a single entity, like a corporation.
    • Private clouds have numerous benefits. Some potential cloud customers might be uncomfortable with the shared responsibility that is inherent in the public cloud. Private clouds allow customers to deliver flexible, measured services without having to surrender control, but they require significant overhead, capital expenditure, administrative effort, and technical expertise.
    • According to the 2021 State of the Cloud Report, private cloud use is common, and the most frequently cited toolset is VMware vSphere, followed by Azure Stack, OpenStack, and AWS Outposts. Private cloud deployments are more common in larger organizations, which makes sense given the overhead required to manage such an environment.

    Private cloud adoption

    The images shows a graph titled Private Cloud Adoption for Enterprises. It is a horizontal bar graph, with three segments in each bar: dark blue marking currently use; mid blue marking experimenting; and light blue marking plan to use.

    VMware and Microsoft lead the pack among private cloud customers, with Amazon and Red Hat also substantially present across private cloud environments.

    Hybrid cloud

    The best of both worlds?

    Hybrid cloud architectures combine multiple cloud delivery models and facilitate some level of interoperability. NIST suggests bursting and load balancing as examples of hybrid cloud use cases. Note: it is not sufficient to simply have multiple clouds running in parallel – there must be a toolset that allows for an element of cross-cloud functionality.

    This delivery model is attractive because it allows users to take advantage of the strengths of multiple service models using a single management pane. Bursting across clouds to take advantage of additional capacity or disaster recovery capabilities are two obvious use cases that appeal to hybrid cloud users.

    But while hybridity is all the rage (especially given the impact Covid-19 has had on the workplace), the reality is that any hybrid cloud user must take the good with the bad. Multiple clouds and a management layer can be technically complex, expensive, and require maintaining a physical infrastructure that is not especially valuable (“I thought we were moving to the cloud to get out of the datacenter!”).

    Before selecting a hybrid approach through services like VMware Cloud on AWS or Microsoft’s Azure Stack, consider the cost, complexity, and actual expected benefit.

    Amazon, Microsoft, and Google dominate public cloud IaaS, but IBM is betting big on hybrid cloud:

    The image is a screencap of a tweet from IBM News. The tweet reads: IBM CEO Ginni Rometty: Hybrid cloud is a trillion dollar market and we'll be number one #Think2019.

    With its acquisition of Red Hat in 2019 for $34 billion, Big Blue put its money where its mouth is and acquired a substantial hybrid cloud business. At the time of the acquisition, Red Hat’s CEO, Jim Whitehurst, spoke about the benefit IBM expected to receive:

    “Joining forces with IBM gives Red Hat the opportunity to bring more open source innovation to an even broader range of organizations and will enable us to scale to meet the need for hybrid cloud solutions that deliver true choice and agility” (Red Hat, 2019).

    Multi-cloud

    For most organizations, the multi-cloud is the most realistic option.

    Multi-cloud is popular!

    The image shows a graph titled Multi-Cloud Architectures Used, % of all Respondents. The largest percentage is Apps siloed on different clouds, followed by DAta integration between clouds.

    Multi-cloud solutions exist at a different layer of abstraction from public, private, and even hybrid cloud delivery models. A multi-cloud architecture, as the name suggests, requires the user to be a customer of more than one cloud provider, and it can certainly include a hybrid cloud deployment, but it is not bound by the same rules of interoperability.

    Many organizations – especially those with fewer resources or a lack of a use case for a private cloud – rely on a multi-cloud architecture to build applications where they belong, and they manage each environment separately (or occasionally with the help of cloud management platforms).

    If your data team wants to work in AWS and your enterprise services run on basic virtual machines in Azure, that might be the most effective architecture. As the Flexera 2021 State of the Cloud Report suggests, this architecture is far more common than the more complicated bursting or brokering architectures characteristic of hybrid clouds.

    NIST cloud service models

    Software as a service

    SaaS has exploded in popularity with consumers who wish to avail themselves of the cloud’s benefits without having to manage underlying infrastructure components. SaaS is simple, generally billed per-user per-month, and is almost entirely provider-managed.

    Platform as a service

    PaaS providers offer a toolset for their customers to run custom applications and services without the requirement to manage underlying infrastructure components. This service model is ideal for custom applications/services that don’t benefit from highly granular infrastructure control.

    Infrastructure as a service

    IaaS represents the sale of components. Instead of a service, IaaS providers sell access to components, like compute, storage, and networking, allowing for customers to build anything they want on top of the providers’ infrastructure.

    Cloud service models

    • This research focuses on five key service models, each of which has its own strengths and weaknesses. Moving right from “on-prem,” customers gradually give up more control over their environments to cloud service providers.
    • An entirely premises-based environment means that the customer is responsible for everything ranging from the dirt under the datacenter to application-level configurations. Conversely, in a SaaS environment, the provider is responsible for everything but those top-level application configurations.
    • A managed service provider or other third party can manage any or of the components of the infrastructure stack. A service provider may, for example, build a SaaS solution on top of another provider’s IaaS, or might offer configuration assistance with a commercially available SaaS.

    Info-Tech Insight

    Not all workloads fit well in the cloud. Many environments will mix service models (e.g. SaaS for some workloads, some in IaaS, some on-premises), and this can be perfectly effective. It must be consistent and intentional, however.

    On-prem Co-Lo IaaS PaaS SaaS
    Application Application Application Application Application
    Database Database Database Database Database
    Runtime/ Middleware Runtime/ Middleware Runtime/ Middleware Runtime/ Middleware Runtime/ Middleware
    OS OS OS OS OS
    Hypervisor Hypervisor Hypervisor Hypervisor Hypervisor
    Server Network Storage Server Network Storage Server Network Storage Server Network Storage Server Network Storage
    Facilities Facilities Facilities Facilities Facilities

    Organization has control

    Organization or vendor may control

    Vendor has control

    Analytics folly

    SaaS is good, but it’s not a panacea

    Industry: Healthcare

    Source: Info-Tech workshop

    Situation

    A healthcare analytics provider had already moved a significant number of “non-core workloads” to the cloud, including email, HRIS, and related services.

    The company CEO was satisfied with the reduced effort required by IT to manage SaaS-based workloads and sought to extend the same benefits to the core analytics platform where there was an opportunity to reduce overhead.

    Complication

    Many components of the health analytics service were designed to run specifically in a datacenter and were not ready to be migrated to the cloud without significant effort/refactoring. SaaS was not an option because this was a core platform – a SaaS provider would have been the competition.

    That left IaaS, which was expensive and would not bring the expected benefits (reduced overhead).

    Results

    The organization determined that there were no short-term gains from migrating to the cloud. Due to the nature of the application (its extensive customization, the fact that it was a core product sold by the company) any steps to reduce operational overhead were not feasible.

    The CEO recognized that the analytics platform was not a good candidate for the cloud and what distinguished the analytics platform from more suitable workloads.

    Migration paths

    In a 2016 blog post, Amazon Web Services articulated a framework for cloud migration that incorporates elements of the journey as well as the destination. If workload owners do not choose to retain or retire their workloads, there are four alternatives. These alternatives all stack up differently along five key dimensions:

    1. Value: does the workload stand to benefit from unique cloud characteristics? To what degree?
    2. Effort: how much work would be required to make the transition?
    3. Cost: how much money is the migration expected to cost?
    4. Time: how long will the migration take?
    5. Skills: what skills must be brought to bear to complete the migration?

    Not all migration paths can lead to all destinations. Rehosting generally means IaaS, while repurchasing leads to SaaS. Refactoring and replatforming have some variety of outcomes, and it becomes possible to take advantage of new IaaS architectures or migrate workloads over fully to SaaS.

    As part of the workload assessment process, use the five dimensions (expanded upon on the next slide) to determine what migration path makes sense. Preferred migration paths form an important part of the overall cloud vision process.

    Retain (Revisit)

    • Keep the application in its current form, at least for now. This doesn’t preclude revisiting it in the future.

    Retire

    • Get rid of the application completely.

    Rehost

    • Move the application to the cloud (IaaS) and continue to run it in more or less the same form as it currently runs.

    Replatform

    • Move the application to the cloud and perform a few changes for cloud optimizations.

    Refactor

    • Rewrite the application, taking advantage of cloud native architectures.

    Repurchase

    • Replace with an alternative, cloud-native application and migrate the data.

    Migration paths – relative value

    Migration path Value Effort Cost Time Skills
    Retain No real change in the absolute value of the workload if it is retained. No effort beyond ongoing workload maintenance. No immediate hard dollar costs, but opportunity costs and technical debt abound. No time required! (At least not right away…) Retaining requires the same skills it has always required (which may be more difficult to acquire in the future).
    Rehire A retired workload can provide no value, but it is not a drain! Spinning a service down requires engaging that part of the lifecycle. N/A Retiring the service may be simple or complicated depending on its current role. N/A
    Rehost Some value comes with rehosting, but generally components stay the same (VM here vs. a VM there). Minimal effort required, especially with automated tools. The effort will depend on the environment being migrated. Relatively cheap compared to other options. Rehosting infrastructure is the simplest cloud migration path and is useful for anyone in a hurry. Rehosting is the simplest cloud migration path for most workloads, but it does require basic familiarity with cloud IaaS.

    Replatform

    Replatformed workloads can take advantage of cloud-native services (SQL vs. SQLaaS). Replatforming is more effortful than rehosting, but less effortful than refactoring. Moderate cost – does not require fundamental rearchitecture, just some tweaking. Relatively more complicated than a simple rehost, but less demanding than a refactor. Platform and workload expertise is required; more substantial than a simple rehost.
    Refactor A fully formed, customized cloud-based workload that can take advantage of cloud-native architectures is generally quite valuable. Significant effort required based on the requirement to engage the full SDLC. Significant cost required to engage SDLC and rebuild the application/service. The most complicated and time-consuming. The most complicated and time-consuming.
    Repurchase Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). Repurchasing is the quickest way to achieve cloud-native value. There are compromises, however (high cost, vendor-lock-in). Configuration – especially for massive projects – can be time consuming, but in general repurchasing can be quite fast. Buying software does require knowledge of requirements and integrations, but is otherwise quite simple.

    Where should you get your cloud skills?

    Cloud skills are certainly top of mind right now. With the great upheaval in both work patterns and in the labor market more generally, expertise in cloud-related areas is simultaneously more valuable and more difficult to procure. According to Pluralsight’s 2021 “State of Upskilling” report, 44% of respondents report themselves under-skilled in the cloud management area, making cloud management the most significant skill gap reported on the survey.

    Everyone left the office. Work as we know it is fundamentally altered for a generation or more. Cloud services shot up in popularity by enabling the transition. And yet there is a gap – a prominent gap – in skilling up for this critically important future. What is the cloud manager to do?

    Per the framework presented here, that manager has three essential options. They may take somewhat different forms depending on specific requirements and the quirks of the local market, but the options are:

    1. Train or hire internal resources: This might be easier said than done, especially for more niche skills, but makes sense for workloads that are critical to operations for the long term.
    2. Engage a managed service provider: MSPs are often engaged to manage services where internal IT lacks bandwidth or expertise.
    3. Hire a consultant: Consultants are great for time-bound implementation projects where highly specific expertise is required, such as a migration or implementation project.

    Each model makes sense to some degree. When evaluating individual workloads for cloud suitability, it is critical to consider the support model – both immediate and long term. What makes sense from a value perspective?

    Cloud decisions – summary

    A key component of the Info-Tech cloud vision model is that it is multi-layered. Not every decision must be made at every level. At the workload level, it makes sense to select service models that make sense, but each workload does not need its own defined vision. Workload-level decisions should be guided by an overall strategy but applied tactically, based on individual workload characteristics and circumstances.

    Conversely, some decisions will inevitably be applied at the environment level. With some exceptions, it is unlikely that cloud customers will build an entire private/hybrid cloud environment around a single solution; instead, they will define a broader strategy and fit individual workloads into that strategy.

    Some considerations exist at both the workload and environment levels. Risks and roadblocks, as well as the preferred support model, are concerns that exist at both the environment level and at the workload level.

    The image is a Venn diagram, with the left side titled Workload level, and the right side titled Environment Level. In the left section are: service model and migration path. On the right section are: Overall vision and Delivery model. In the centre section are: support model and Risks and roadblocks.

    Step 1.3

    Create a current state summary

    Activities

    1.3.1 Record your current state

    Understand the Cloud

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    This step involves the following participants: Core working group

    Outcomes of this step

    • Current state summary of cloud solutions

    1.3.1 Record your current state

    30 minutes

    Input

    • Knowledge of existing cloud workloads

    Output

    • Current state cloud summary for service, delivery, and support models

    Materials

    • Whiteboard

    Participants

    • Core working group
    • Infrastructure team
    • Service owners
    1. On a whiteboard (real or virtual) draw a table with each of the cloud service models across the top. Leave a cell below each to list examples.
    2. Under each service model, record examples present in your environment. The purpose of the exercise is to illustrate the existence of cloud services in your environment or the lack thereof, so there is no need to be exhaustive. Complete this in turn for each service model until you are satisfied that you have created an effective picture of your current cloud SaaS state, IaaS state, etc.
    3. Input the results into their own slide titled “current state summary” in the Cloud Vision Executive Presentation.
    4. Repeat for the cloud delivery models and support models and include the results of those exercises as well.
    5. Create a short summary statement (“We are primarily a public cloud consumer with a large SaaS footprint and minimal presence in PaaS and IaaS. We retain an MSP to manage our hosted telephony solution; otherwise, everything is handled in house.”

    Cloud Vision Executive Presentation

    Step 1.4

    Select workloads for current analysis

    Activities

    1.4.1 Select workloads for assessment

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • List of workloads for assessment

    Understand the cloud

    Generate goals and drivers

    Explore cloud characteristics

    Create a current state summary

    Select workloads for analysis

    1.4.1 Select workloads for assessment

    30 minutes

    Input

    • Knowledge of existing cloud workloads

    Output

    • List of workloads to be assessed

    Materials

    • Whiteboard
    • Cloud Vision Workbook

    Participants

    • Core working group
    • IT management
    1. In many cases, the cloud project is inspired by a desire to move a particular workload or set of workloads. Solicit feedback from the core working group about what these workloads might be. Ask everyone in the meeting to suggest a workload and record each one on a sticky note or white board (virtual or physical).
    2. Discuss the results with the group and begin grouping similar workloads together. They will be subject to the assessments in the Cloud Vision Workbook, so try to avoid selecting too many workloads that will produce similar answers. It might not be obvious, but try to think about workloads that have similar usage patterns, risk levels, and performance requirements, and select a representative group.
    3. You should embrace counterintuition by selecting a workload that you think is unlikely to be a good fit for the cloud if you can and subjecting it to the assessment as well for validation purposes.
    4. When you have a list of 4-6 workloads, record them on tab 2 of the Cloud Vision Workbook.

    Cloud Vision Workbook

    Assess your cloud workloads

    Build the foundations of your cloud vision

    Phase 2

    Phase 2

    Evaluate Cloud Workloads

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Conduct workload assessments
    • Determine workload future state

    This phase involves the following participants:

    • Subject matter experts
    • Core working group
    • IT management

    Define Your Cloud Vision

    Work from the bottom up and assess your workloads

    A workload-first approach will help you create a realistic vision.

    The concept of a cloud vision should unquestionably be informed by the nature of the workloads that IT is expected to provide for the wider organization. The overall cloud vision is no greater than the sum of its parts. You cannot migrate to the cloud in the abstract. Workloads need to go – and not all workloads are equally suitable for the transition.

    It is therefore imperative to understand which workloads are a good fit for the cloud, which cloud service models make the most sense, how to execute the migration, what support should look like, and what risks and roadblocks you are likely to encounter as part of the process.

    That’s where the Cloud Vision Workbook comes into play. You can use this tool to assess as many workloads as you’d like – most people get the idea after about four – and by the end of the exercise, you should have a pretty good idea about where your workloads belong, and you’ll have a tool to assess any net new or previously unconsidered workloads.

    It’s not so much about the results of the assessment – though these are undeniably important – but about the learnings gleaned from the collaborative assessment exercise. While you can certainly fill out the assessment without any additional input, this exercise is most effective when completed as part of a group.

    Introducing the Cloud Vision Workbook

    • The Cloud Vision Workbook is an Excel tool that answers the age old question: “What should I do with my workloads?”
    • It is divided into eight tabs, each of which offers unique value. Start by reading the introduction and inputting your list of workloads. Work your way through tabs 3-6, completing the suitability, migration, management, and risk and roadblock assessments, and review the results on tab 7.
    • If you choose to go through the full battery of assessments for each workload, expect to answer and weight 111 unique questions across the four assessments. This is an intensive exercise, so carefully consider which assessments are valuable to you, and what workloads you have time to assess.
    • Tab 8 hosts the milestone timeline and captures the results of the phase 3 risk and mitigation exercise.

    Understand Cloud Vision Workbook outputs

    The image shows a graphic with several graphs and lists on it, with sections highlighted with notes. At the top, there's the title Database with the note Workload title (populated from tab 2). Below that, there is a graph with the note Relative suitability of the five service models. The Risks and roadblocks section includes the note: The strategy components – the risks and roadblocks – are captured relative to one another to highlight key focus areas. To the left of that, there is a Notes section with the note Notes populated based on post-assessment discussion. At the bottom, there is a section titled Where should skills be procured?, with the note The radar diagram captures the recommended support model relative to the others (MSP, consultant, internal IT). To the right of that, there is a section titled Migration path, with the note that Ordered list of migration paths. Note: a disconnect here with the suggested service model may indicate an unrealistic goal state.

    Step 2.1

    Conduct workload assessments

    Activities

    2.1.1 Conduct workload assessments

    2.1.2 Interpret your results

    Phase Title

    Conduct workload assessments

    Determine workload future state

    This step involves the following participants:

    • Core working group
    • Workload subject matter experts

    Outcomes of this step

    • Completed workload assessments

    2.1.1 Conduct workload assessments

    2 hours per workload

    Input

    • List of workloads to be assessed

    Output

    • Completed cloud vision assessments

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    • Service owners/workload SMEs
    1. The Cloud Vision Workbook is your one stop shop for all things workload assessment. Open the tool to tab 2 and review the workloads you identified at the end of phase 1. Ensure that these are correct. Once satisfied, project the tool (virtually, if necessary) so that all participants can see the assessment questions.
    2. Work through tabs 3-6, answering the questions and assigning a multiplier for each one. A higher multiplier increases the relative weight of the question, giving it a greater impact on the overall outcome.
    3. Do your best to induce participants to offer opinions. Consensus is not absolutely necessary, but it is a good goal. Ask your participants if they agree with initial responses and occasionally take the opposite position (“I’m surprised you said agree – I would have thought we didn’t care about CapEx vs. OpEx”). Stimulate discussion.
    4. Highlight any questions that you will need to return to or run by someone not present. Include a placeholder answer, as the tool requires all cells to be filled for computation.

    Cloud Vision Workbook

    2.1.2 Interpret your results

    10 minutes

    Input

    • Completed cloud vision assessments

    Output

    • Shared understanding of implications

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    • Service owners/workload SMEs
    1. Once you’ve completed all 111 questions for each workload, you can review your results on tab 7. On tab 7, you will see four populated graphics: cloud suitability, migration path, “where should skills be procured?”, and risks and roadblocks. These represent the components of the overall cloud vision that you will present to stakeholders.
    2. The “cloud suitability” chart captures the service model that the assessment judges to be most suitable for the workload. Ask those present if any are surprised by the output. If there is any disagreement, discuss the source of the surprise and what a more realistic outcome would be. Revisit the assessment if necessary.
    3. Conduct a similar exercise with each of the other outputs. Does it make sense to refactor the workload based on its cloud suitability? Does the fact that we scored so highly on the “consultant” support model indicate something about how we handle upskilling internally? Does the profile of risks and roadblocks identified here align with expectations? What should be ranked higher? What about lower?
    4. Once everyone is generally satisfied with the results, close the tool and take a break! You’ve earned it.

    Cloud Vision Workbook

    Understand the cloud strategy components

    Each cloud strategy will take a slightly different form, but all should contain echoes of each of these components. This process will help you define your vision and direction, but you will need to take steps to execute on that vision. The remainder of the cloud strategy, covered in the related blueprint Document Your Cloud Strategy comprises these fourteen topics divided across three categories: people, governance, and technology. The workload assessment covers these under risks and roadblocks and highlights areas that may require specific additional attention. When interpreting the results, think of these areas as comprising things that you will need to do to make your vision a reality.

    People

    • Skills and roles
    • Culture and adoption
    • Governing bodies

    Governance

    • Architecture
    • Integration and interoperability
    • Operations management
    • Cloud portfolio management
    • Cloud vendor management
    • Finance management
    • Security
    • Data controls

    Technology

    • Monitoring
    • Provisioning
    • Migration

    Strategy component: People

    People form the core of any good strategy. As part of your cloud vision, you will need to understand the implications a cloud transition will have on your staff and users, whether those users are internal or external.

    Component Description Challenges
    Skills and roles The move to the cloud will require staff to learn how to handle new technology and new operational processes. The cloud is a different way of procuring IT resources and may require the definition of new roles to handle things like cost management and provisioning. Staff may not have the necessary experience to migrate to a cloud environment or to effectively manage resources once the cloud transition is made. Cloud skills are difficult to hire for, and with the ever-changing nature of the platforms themselves, this shows no sign of abating. Redefining roles can also be politically challenging and should be done with due care and consideration.
    Culture and adoption If you build it, they will come…right? It is not always the case that a new service immediately attracts users. Ensuring that organizational culture aligns with the cloud vision is a critical success factor. Equally important is ensuring that cloud resources are used as intended. Those unfamiliar with cloud resources may be less willing to learn to use them. If alternatives exist (e.g. a legacy service that has not been shut down), or if those detractors are influential, this resistance may impede your cloud execution. Also, if the cloud transition involves significant effort or a fundamental rework (e.g. a DevOps transition) this role redefinition could cause some internal turmoil.
    Governing bodies A large-scale cloud deployment requires formal governance. Formal governance requires a governing body that is ultimately responsible for designing the said governance. This could take the form of a “center of excellence” or may rest with a single cloud architect in a smaller, less complicated environment. Governance is difficult. Defining responsibilities in a way that includes all relevant stakeholders without paralyzing the decision-making process is difficult. Implementing suggestions is a challenge. Navigating the changing nature of service provision (who can provision their own instances or assign licenses?) can be difficult as well. All these concerns must be addressed in a cloud strategy.

    Strategy component: Governance

    Without guardrails, the cloud deployment will grow organically. This has strengths (people tend to adopt solutions that they select and deploy themselves), but these are more than balanced out by the drawbacks that come with inconsistency, poor administration, duplication of services, suboptimal costing, and any number of other unique challenges. The solution is to develop and deploy governance. The following list captures some of the necessary governance-related components of a cloud strategy.

    Component Description Challenges
    Architecture Enterprise architecture is an important function in any environment with more than one interacting workload component (read: any environment). The cloud strategy should include an approach to defining and implementing a standard cloud architecture and should assign responsibility to an individual or group. Sometimes the cloud transition is inspired by the desire to rearchitect. The necessary skills and knowledge may not be readily available to design and transition to a microservices-based environment, for example, vs. a traditional monolithic application architecture. The appropriateness of a serverless environment may not be well understood, and it may be the case that architects are unfamiliar with cloud best practices and reference architectures.
    Integration and interoperability Many services are only highly functional when integrated with other services. What is a database without its front-end? What is an analytics platform without its data lake? For the cloud vision to be properly implemented, a strategy for handling integration and interoperability must be developed. It may be as simple as “all SaaS apps must be compatible with Okta” but it must be there. Migration to the cloud may require a fundamentally new approach to integration, moving away from a point-to-point integrations and towards an ESB or data lake. In many cases, this is easier said than done. Centralization of management may be appealing, but legacy applications – or those acquired informally in a one-off fashion – might not be so easy to integrate into a central management platform.
    Operations management Service management (ITIL processes) must be aligned with your overall cloud strategy. Migrating to the cloud (where applicable) will require refining these processes, including incident, problem, request, change, and configuration management, to make them more suitable for the cloud environment. Operations management doesn’t go away in the cloud, but it does change in line with the transition to shared responsibility. Responding to incidents may be more difficult on the cloud when troubleshooting is a vendor’s responsibility. Change management in a SaaS environment may be more receptive than staff are used to as cloud providers push changes out that cannot be rolled back.

    Strategy component: Governance (cont.)

    Component Description Challenges
    Cloud portfolio management This component refers to the act of managing the portfolio of cloud services that is available to IT and to business users. What requirements must a SaaS service meet to be onboarded into the environment? How do we account for exceptions to our IaaS policy? What about services that are only available from a certain provider? Rationalizing services offers administrative benefits, but may make some tasks more difficult for end users who have learned things a certain way or rely on niche toolsets. Managing access through a service catalog can also be challenging based on buy-in and ongoing administration. It is necessary to develop and implement policy.
    Cloud vendor management Who owns the vendor management function, and what do their duties entail? What contract language must be standard? What does due diligence look like? How should negotiations be conducted? What does a severing of the relationship look like? Cloud service models are generally different from traditional hosted software and even from each other (e.g. SaaS vs. PaaS). There is a bit of a learning curve when it comes to dealing with vendors. Also relevant: the skills that it takes to build and maintain a system are not necessarily the same as those required to coherently interact with a cloud vendor.
    Finance management Cloud services are, by definition, subject to a kind of granular, operational billing that many shops might not be used to. Someone will need to accurately project and allocate costs, while ensuring that services are monitored for cost abnormalities. Cloud cost challenges often relate to overall expense (“the cloud is more expensive than an alternative solution”), expense variability (“I don’t know what my budget needs to be this quarter”), and cost complexity (“I don’t understand what I’m paying for – what’s an Elastic Beanstalk?”).
    Security The cloud is not inherently more or less secure than a premises-based alternative, though the risk profile can be different. Applying appropriate security governance to ensure workloads are compliant with security requirements is an essential component of the strategy.

    Technical security architecture can be a challenge, as well as navigating the shared responsibility that comes with a cloud transition. There are also a plethora of cloud-specific security tools like cloud access security brokers (CASBs), cloud security posture management (CSPM) solutions, and even secure access services edge (SASE) technology.

    Data controls Data residency, classification, quality, and protection are important considerations for any cloud strategy. With cloud providers taking on outsized responsibility, understanding and governing data is essential. Cloud providers like to abstract away from the end user, and while some may be able to guarantee residency, others may not. Additionally, regulations may prevent some data from going to the cloud, and you may need to develop a new organizational backup strategy to account for the cloud.

    Strategy component: Technology

    Good technology will never replace good people and effective process, but it remains important in its own right. A migration that neglects the undeniable technical components of a solid cloud strategy is doomed to mediocrity at best and failure at worst. Understanding the technical implications of the cloud vision – particularly in terms of monitoring, provisioning, and migration – makes all the difference. You can interpret the results of the cloud workload assessments by reviewing the details presented here.

    Component Description Challenges
    Monitoring The cloud must be monitored in line with performance requirements. Staff must ensure that appropriate tools are in place to properly monitor cloud workloads and that they are capturing adequate and relevant data. Defining requirements for monitoring a potentially unfamiliar environment can be difficult, as can consolidating on a monitoring solution that both meets requirements and covers all relevant areas. There may be some upskilling and integration work required to ensure that monitoring works as required.
    Provisioning How will provisioning be done? Who will be responsible for ensuring the right people have access to the right resources? What tooling must be deployed to support provisioning goals? What technical steps must be taken to ensure that the provisioning is as seamless as possible? There is the inevitable challenge of assigning responsibility and accountability in a changing infrastructure and operations environment, especially if the changes are substantial (e.g. a fundamental operating model shift, reoriented around the cloud). Staff may also need to familiarize themselves with cloud-based provisioning tools like Ansible, Terraform, or even CloudFormation.
    Migration The act of migrating is important as well. In some cases, the migration is as simple as configuring the new environment and turning it up (e.g. with a net new SaaS service). In other cases, the migration itself can be a substantial undertaking, involving large amounts of data, a complicated replatforming/refactoring, and/or a significant configuration exercise.

    Not all migration journeys are created equal, and challenges include a general lack of understanding of the requirements of a migration, the techniques that might be necessary to migrate to a particular cloud (there are many) and the disruption/risk associated with moving large amounts of data. All of these challenges must be considered as part of the overall cloud strategy, whether in terms of architectural principles or skill acquisition (or both!).

    Step 2.2

    Determine workload future state

    Activities

    2.2.1 Determine workload future state

    Conduct workload assessments

    Determine workload future state

    This step involves the following participants:

    • IT management
    • Core working group

    Outcomes of this step

    • Completed workload assessments
    • Defined workload future state

    2.2.1 Determine workload future state

    1-3 hours

    Input

    • Completed workload assessments

    Output

    • Preliminary future state outputs

    Materials

    • Cloud Vision Workbook
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    • Service owners
    • IT management
    1. After you’ve had a chance to validate your results, refer to tab 7 of the tool, where you will find a blank notes section.
    2. With the working group, capture your answers to each of the following questions:
      1. What service model is the most suitable for the workload? Why?
      2. How will we conduct the migration? Which of the six models makes the most sense? Do we have a backup plan if our primary plan doesn’t work out?
      3. What should the support model look like?
      4. What are some workload-specific risks and considerations that must be taken into account for the workload?
    3. Once you’ve got answers to each of these questions for each of the workloads, include your summary in the “notes” section of tab 7.

    Cloud Vision Executive Presentation

    Paste the output into the Cloud Vision Executive Presentation

    • The Cloud Vision Workbook output is a compact, consumable summary of each workload’s planned future state. Paste each assessment in as necessary.
    • There is no absolutely correct way to present the information, but the output is a good place to start. Do note that, while the presentation is designed to lead with the vision statement, because the process is workload-first, the assessments are populated prior to the overall vision in a bottom-up manner.
    • Be sure to anticipate the questions you are likely to receive from any stakeholders. You may consider preparing for questions like: “What other workloads fit this profile?” “What do we expect the impact on the budget to be?” “How long will this take?” Keep these and other questions in mind as you progress through the vision definition process.

    The image shows the Cloud Vision Workbook output, which was described in an annotated version in an earlier section.

    Info-Tech Insight

    Keep your audience in mind. You may want to include some additional context in the presentation if the results are going to be presented to non-technical stakeholders or those who are not familiar with the terms or how to interpret the outputs.

    Identify and Mitigate Risks

    Build the foundations of your cloud vision

    PHASE 3

    Phase 3

    Identify and Mitigate Risks

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Generate risks and roadblocks
    • Mitigate risks and roadblocks
    • Define roadmap initiatives

    This phase involves the following participants:

    • Core working group
    • Workload subject matter experts

    You know what you want to do, but what do you have to do?

    What questions remain unanswered?

    There are workload-level risks and roadblocks, and there are environment-level risks. This phase is focused primarily on environment-level risks and roadblocks, or those that are likely to span multiple workloads (but this is not hard and fast rule – anything that you deem worth discussing is worth discussing). The framework here calls for an open forum where all stakeholders – technical and non-technical, pro-cloud and anti-cloud, management and individual contributor – have an opportunity to articulate their concerns, however specific or general, and receive feedback and possible mitigation.

    Start by soliciting feedback. You can do this over time or in a single session. Encourage anyone with an opinion to share it. Focus on those who are likely to have a perspective that will become relevant at some point during the creation of the cloud strategy and the execution of any migration. Explain the preliminary direction; highlight any major changes that you foresee. Remind participants that you are not looking for solutions (yet), but that you want to make sure you hear any and every concern as early as possible. You will get feedback and it will all be valuable.

    Before cutting your participants loose, remind them that, as with all business decisions, the cloud comes with trade-offs. Not everyone will have every wish fulfilled, and in some cases, significant effort may be needed to get around a roadblock, risks may need to be accepted, and workloads that looked like promising candidates for one service model or another may not be able to realize that potential. This is a normal and expected part of the cloud vision process.

    Once the risks and roadblocks conversation is complete, it is the core working group’s job to propose and validate mitigations. Not every risk can be completely resolved, but the cloud has been around for decades – chances are someone else has faced a similar challenge and made it through relatively unscathed. That work will inevitably result in initiatives for immediate execution. Those initiatives will form the core of the initiative roadmap that accompanies the completed Cloud Vision Executive Presentation.

    Step 3.1

    Generate risks and roadblocks

    Activities

    3.1.1 Generate risks and roadblocks

    3.1.2 Generate mitigations

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group
    • IT management
    • Infrastructure
    • Applications
    • Security
    • Architecture

    Outcomes of this step

    • List of risks and roadblocks

    Understand risks and roadblocks

    Risk

    • Something that could potentially go wrong.
    • You can respond to risks by mitigating them:
      • Eliminate: take action to prevent the risk from causing issues.
      • Reduce: take action to minimize the likelihood/severity of the risk.
      • Transfer: shift responsibility for the risk away from IT, towards another division of the company.
      • Accept: where the likelihood or severity is low, it may be prudent to accept that the risk could come to fruition.

    Roadblock

    • There are things that aren’t “risks” that we care about when migrating to the cloud.
    • We know, for example, that a complicated integration situation will create work items for any migration – this is not an “unknown.”
    • We respond to roadblocks by generating work items.

    3.1.1 Generate risks and roadblocks

    1.5 hours

    Input

    • Completed cloud vision assessments

    Output

    • List of risks and roadblocks

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    • Service owners/workload SMEs
    • Anyone with concerns about the cloud
    1. Gather your core working group – and really anyone with an intelligent opinion on the cloud – into a single meeting space. Give the group 5-10 minutes to list anything they think could present a difficulty in transitioning workloads to the cloud. Write each risk/roadblock on its own sticky note. You will never be 100% exhaustive, but don’t let anything your users care about go unaddressed.
    2. Once everyone has had time to write down their risks and roadblocks, have everyone share one by one. Make sure you get them all. Overlap in risks and roadblocks is okay! Group similar concerns together to give a sort of heat map of what your participants are concerned about. (This is called “affinity diagramming.”)
    3. Assign names to these categories. Many of these categories will align with the strategy components discussed in the previous phase (governance, security, etc.) but some will be specific whether by nature or by degree.
    4. Sort each of the individual risks into its respective category, collapsing any exact duplicates, and leaving room for notes and mitigations (see the next slide for a visual).

    Understand risks and roadblocks

    The image is two columns--on the left, the column is titled Affinity Diagramming. Below the title, there are many colored blocks, randomly arranged. There is an arrow pointing right, to the same coloured blocks, now sorted by colour. In the right column--titled Categorization--each colour has been assigned a category, with subcategories.

    Step 3.2

    Mitigate risks and roadblocks

    Activities

    3.2.1 Generate mitigations

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • List of mitigations

    Is the public cloud less secure?

    This is the key risk-related question that most cloud customers will have to answer at some point: does migrating to the cloud for some services increase their exposure and create a security problem?

    As with all good questions, the answer is “it depends.” But what does it depend on? Consider these cloud risks and potential mitigations:

    1. Misconfiguration: An error grants access to unauthorized parties (as happened to Capital One in 2019). This can be mitigated by careful configuration management and third-party tooling.
    2. Unauthorized access by cloud provider/partner employees: Though rare, it is possible that a cloud provider or partner can be a vector for a breach. Careful contract language, choosing to own your own encryption keys, and a hybrid approach (storing data on-premises) are some possible ways to address this problem.
    3. Unauthorized access to systems: Cloud services are designed to be accessed from anywhere and may be accessed by malicious actors. Possible mitigations include risk-based conditional access, careful identity access management, and logging and detection.

    “The cloud is definitely more secure in that you have much more control, you have much more security tooling, much more visibility, and much more automation. So it is more secure. The caveat is that there is more risk. It is easier to accidentally expose data in the cloud than it is on-premises, but, especially for security, the amount of tooling and visibility you get in cloud is much more than anything we’ve had in our careers on-premises, and that’s why I think cloud in general is more secure.” –Abdul Kittana, Founder, ASecureCloud

    Breach bests bank

    No cloud provider can protect against every misconfiguration

    Industry: Finance

    Source: The New York Times, CNET

    Background

    Capital One is a major Amazon Web Services customer and is even featured on Amazon’s site as a case study. That case study emphasizes the bank’s commitment to the cloud and highlights how central security and compliance were. From the CTO: “Before we moved a single workload, we engaged groups from across the company to build a risk framework for the cloud that met the same high bar for security and compliance that we meet in our on-premises environments. AWS worked with us every step of the way.”

    Complication

    The cloud migration was humming along until July 2019, when the bank suffered a serious breach at the hands of a hacker. That hacker was able to steal millions of credit card applications and hundreds of thousands of Social Security numbers, bank account numbers, and Canadian social insurance numbers.

    According to investigators and to AWS, the breach was caused by an open reverse proxy attack against a misconfigured web app firewall, not by an underlying vulnerability in the cloud infrastructure.

    Results

    Capital One reported that the breach was expected to cost it $150 million, and AWS fervently denied any blame. The US Senate got involved, as did national media, and Capital One’s CEO issued a public apology, writing, “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

    It was a bad few months for IT at Capital One.

    3.2.1 Generate mitigations

    3-4.5 hours

    Input

    • Completed cloud vision assessments

    Output

    • List of risks and roadblocks

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    • Service owners/workload SMEs
    • Anyone with concerns about the cloud
    1. Recall the four mitigation strategies: eliminate, reduce, transfer, or accept. Keep these in mind as you work through the list of risks and roadblocks with the core working group. For every individual risk or roadblock raised in the initial generation session, suggest a specific mitigation. If the concern is “SaaS providers having access to confidential information,” a mitigation might be encryption, specific contract language, or proof of certifications (or all the above).
    2. Work through this for each of the risks and roadblocks, identifying the steps you need to take that would satisfy your requirements as you understand them.
    3. Once you have gone through the whole list – ideally with input from SMEs in particular areas like security, engineering, and compliance/legal – populate the Cloud Vision Workbook (tab 8) with the risks, roadblocks, and mitigations (sorted by category). Review tab 8 for an example of the output of this exercise.

    Cloud Vision Workbook

    Cloud Vision Workbook – mitigations

    The image shows a large chart titled Risks, roadblocks, and mitigations, which has been annotated with notes.

    Step 3.3

    Define roadmap initiatives

    Activities

    3.3.1 Generate roadmap initiatives

    Identify and mitigate risks

    Generate risks and roadblocks

    Mitigate risks and roadblocks

    Define roadmap initiatives

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • Defined roadmap initiatives

    3.3.1 Generate roadmap initiatives

    1 hour

    Input

    • List of risk and roadblock mitigations

    Output

    • List of cloud initiatives

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Executing on your cloud vision will likely require you to undertake some key initiatives, many of which have already been identified as part of your mitigation exercise. On tab 8 of the Cloud Vision Workbook, review the mitigations you created in response to the risks and roadblocks identified. Initiatives should generally be assignable to a party and should have a defined scope/duration. For example, “assess all net new applications for cloud suitability” might not be counted as an initiative, but “design a cloud application assessment” would likely be.
    2. Design a timeline appropriate for your specific needs. Generally short-term (less than 3 months), medium-term (3-6 months), and long-term (greater than 6 months) will work, but this is entirely based on preference.
    3. Review and validate the parameters with the working group. Consider creating additional color-coding (highlighting certain tasks that might be dependent on a decision or have ongoing components).

    Cloud Vision Workbook

    Bridge the gap and create the vision

    Build the foundations of your cloud vision

    Phase 4

    Phase 4

    Bridge the Gap and Create the Vision

    Phase 1

    1.1 Generate goals and drivers

    1.2 Explore cloud characteristics

    1.3 Create a current state summary

    1.4 Select workloads for analysis

    Phase 2

    2.1 Conduct workload assessments

    2.2 Determine workload future states

    Phase 3

    3.1 Generate risks and roadblocks

    3.2 Mitigate risks and roadblocks

    3.3 Define roadmap initiatives

    Phase 4

    4.1 Review and assign work items

    4.2 Finalize cloud decision framework

    4.3 Create cloud vision

    This phase will walk you through the following activities:

    • Assign initiatives and propose timelines
    • Build a delivery model rubric
    • Build a service model rubric
    • Built a support model rubric
    • Create a cloud vision statement
    • Map cloud workloads
    • Complete the Cloud Vision presentation

    This phase involves the following participants:

    • IT management, the core working group, security, infrastructure, operations, architecture, engineering, applications, non-IT stakeholders

    Step 4.1

    Review and assign work items

    Activities

    4.1.1 Assign initiatives and propose timelines

    Bridge the gap and create the vision

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group
    • IT management

    Outcomes of this step

    • Populated cloud vision roadmap

    4.1.1 Assign initiatives and propose timelines

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Once the list is populated, begin assigning responsibility for execution. This is not a RACI exercise, so focus on the functional responsibility. Once you have determined who is responsible, assign a timeline and include any notes. This will form the basis of a more formal project plan.
    2. To assign the initiative to a party, consider 1) who will be responsible for execution and 2) if that responsibility will be shared. Be as specific as possible, but be sure to be consistent to make it easier for you to sort responsibility later on.
    3. When assigning timelines, we suggest including the end date (when you expect the project to be complete) rather than the start date, though whatever you choose, be sure to be consistent. Make use of the notes column to record anything that you think any other readers will need to be aware of in the future, or details that may not be possible to commit to memory.

    Cloud Vision Workbook

    Step 4.2

    Finalize cloud decision framework

    Activities

    4.2.1 Build a delivery model rubric

    4.2.2 Build a service model rubric

    4.2.3 Build a support model rubric

    Bridge the gap and create the vision

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group

    Outcomes of this step

    • Cloud decision framework

    4.2.1 Build a delivery model rubric

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    Participants

    • Core working group
    1. Now that we have a good understanding of the cloud’s key characteristics, the relative suitability of different workloads for the cloud, and a good understanding of some of the risks and roadblocks that may need to be overcome if a cloud transition is to take place, it is time to formalize a delivery model rubric. Start by listing the delivery models on a white board vertically – public, private, hybrid, and multi-cloud. Include a community cloud option as well if that is feasible for you. Strike any models that do not figure into your vision.
    2. Create a table style rubric for each delivery model. Confer with the working group to determine what characteristics best define workloads suitable for each model. If you have a hybrid cloud option, you may consider workloads that are highly dynamic; a private cloud hosted on-premises may be more suitable for workloads that have extensive regulatory requirements.
    3. Once the table is complete, include it in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Delivery model Decision criteria
    Public cloud
    • Public cloud is the primary destination for all workloads as the goal is to eliminate facilities and infrastructure management
    • Offers features, broad accessibility, and managed updates along with provider-managed facilities and hardware
    Legacy datacenter
    • Any workload that is not a good fit for the public cloud
    • Dependency (like a USB key for license validation)
    • Performance requirements (e.g. workloads highly sensitive to transaction thresholds)
    • Local infrastructure components (firewall, switches, NVR)

    Summary statement: Everything must go! Public cloud is a top priority. Anything that is not compatible (for whatever reason) with a public cloud deployment will be retained in a premises-based server closet (downgraded from a full datacenter). The private cloud does not align with the overall organizational vision, nor does a hybrid solution.

    4.2.2 Build a service model rubric

    1 hour

    Input

    • Output of workload assessments
    • Output of risk and mitigation exercise

    Output

    • Service model rubric

    Materials

    • Whiteboard
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    1. This next activity is like the delivery model activity, but covers the relevant cloud service models. On a whiteboard, make a vertical list of the cloud service models (SaaS, PaaS, IaaS, etc.) that will be considered for workloads. If you have an order of preference, place your most preferred at the top, your least preferred at the bottom.
    2. Describe the circumstances under which you would select each service model. Do your best to focus on differentiators. If a decision criterion appears for multiple service models, consider refining or excluding it. (For additional information, check out Info-Tech’s Reimagine IT Operations for a Cloud-First World blueprint.)
    3. Create a summary statement to capture your overall service model position. See the next slide for an example. Note: this can be incorporated into your cloud vision statement, so be sure that it reflects your genuine cloud preferences.
    4. Record the results in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Service model Decision criteria
    SaaS

    SaaS first; opt for SaaS when:

    • A SaaS option exists that meets all key business requirements
    • There is a strong desire to have someone else (the vendor) manage infrastructure components/the platform
    • Not particularly sensitive to performance thresholds
    • The goal is to transition management of the workload outside of IT
    • SaaS is the only feasible way to consume the desired service
    PaaS
    • Highly customized service/workload – SaaS not feasible
    • Still preferable to offload as much management as possible to third parties
    • Customization required, but not at the platform level
    • The workload is built using a standard framework
    • We have the time/resources to replatform
    IaaS
    • Service needs to be lifted and shifted out of the datacenter quickly
    • Customization is required at the platform level/there is value in managing components
    • There is no need to manage facilities
    • Performance is not impacted by hosting the workload offsite
    • There is value in right-sizing the workload over time
    On-premises Anything that does not fit in the cloud for performance or other reasons (e.g. licensing key)

    Summary statement: SaaS will be the primary service model. All workloads will migrate to the public cloud where possible. Anything that cannot be migrated to SaaS will be migrated to PaaS. IaaS is a transitory step.

    4.2.3 Build a support model rubric

    1 hour

    Input

    • Results of the cloud workload assessments

    Output

    • Support model rubric

    Materials

    • Whiteboard
    • Cloud Vision Executive Presentation

    Participants

    • Core working group
    1. The final rubric covered here is that for the support model. Where will you procure the skills necessary to ensure the vision’s proper execution? Much like the other rubric activities, write the three support models vertically (in order of preference, if you have one) on a whiteboard.
    2. Next to each model, describe the circumstances under which you would select each support model. Focus on the dimensions: the duration of the engagement, specialization required, and flexibility required. If you have existing rules/practices around hiring consultants/MSPs, consider those as well.
    3. Once you have a good list of decision criteria, form a summary statement. This should encapsulate your position on support models and should mention any notable criteria that will contribute to most decisions.
    4. Record the results in the Cloud Vision Executive Presentation.

    Cloud Vision Executive Presentation

    Vision for the cloud future state (example)

    Support model Decision criteria
    Internal IT

    The primary support model will be internal IT going forward

    • Chosen where the primary work required is administrative
    • Where existing staff can manage the service in the cloud easily and effectively
    • Where the chosen solution fits the SaaS service model
    Consultant
    • Where the work required is time-bound (e.g. a migration/refactoring exercise)
    • Where the skills do not exist in house, and where the skills cannot easily be procured (specific technical expertise required in areas of the cloud unfamiliar to staff)
    • Where opportunities for staff to learn from consultant SMEs are valuable
    • Where ongoing management and maintenance can be handled in house
    MSP
    • Where an ongoing relationship is valued
    • Where ongoing administration and maintenance are disproportionately burdensome on IT staff (or where this administration and maintenance is likely to be burdensome)
    • Where the managed services model has already been proven out
    • Where specific expertise in an area of technology is required but this does not rise to the need to hire an FTE (e.g. telephony)

    Summary statement: Most workloads will be managed in house. A consultant will be employed to facilitate the transition to micro-services in a cloud container environment, but this will be transitioned to in-house staff. An MSP will continue to manage backups and telephony.

    Step 4.3

    Create cloud vision

    Activities

    4.3.1 Create a cloud vision statement

    4.3.2 Map cloud workloads

    4.3.3 Complete the Cloud Vision Presentation

    Review and assign work items

    Finalize cloud decision framework

    Create cloud vision

    This step involves the following participants:

    • Core working group
    • IT management

    Outcomes of this step

    Completed Cloud Vision Executive Presentation

    4.3.1 Create a cloud vision statement

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Now that you know what service models are appropriate, it’s time to summarize your cloud vision in a succinct, consumable way. A good vision statement should have three components:
      • Scope: Which parts of the organization will the strategy impact?
      • Goal: What is the strategy intended to accomplish?
      • Key differentiator: What makes the new strategy special?
    2. On a whiteboard, make a chart with three columns (one column for each of the features of a good mission statement). Have the group generate a list of words to describe each of the categories. Ideally, the group will produce multiple answers for each category.
    3. Once you’ve gathered a few different responses for each category, have the team put their heads down and generate pithy mission statements that capture the sentiments underlying each category.
    4. Have participants read their vision statements in front of the group. Use the rest of the session to produce a final statement. Record the results in the Cloud Strategy Executive Presentation.

    Example vision statement outputs

    “IT at ACME Corp. hereby commits to providing clients and end users with an unparalleled, productivity-enabling technology experience, leveraging, insofar as it is possible and practical, cloud-based services.”

    “At ACME Corp. our employees and customers are our first priority. Using new, agile cloud services, IT is devoted to eliminating inefficiency, providing cutting-edge solutions for a fast-paced world, and making a positive difference in the lives of our colleagues and the people we serve.”

    As a global leader in technology, ACME Corp. is committed to taking full advantage of new cloud services, looking first to agile cloud options to optimize internal processes wherever efficiency gaps exist. Improved efficiency will allow associates to spend more time on ACME’s core mission: providing an unrivalled customer experience.”

    Scope

    Goal

    Key differentiator

    4.3.2 Map cloud workloads

    1 hour

    Input

    • List of workloads
    • List of acceptable service models
    • List of acceptable migration paths

    Output

    • Workloads mapped by service model/migration path

    Materials

    • Whiteboard
    • Sticky notes

    Participants

    • Core working group
    1. Now that you have defined your overall cloud vision as well as your service model options, consider aligning your service model preferences with your migration path preferences. Draw a table with your expected migration strategies across the top (retain, retire, rehost, replatform, refactor, repurchase, or some of these) and your expected service models across the side.
    2. On individual sticky notes, write a list of workloads in your environment. In a smaller environment, this list can be exhaustive. Otherwise take advantage of the list you created as part of phase 1 along with any additional workloads that warrant discussion.
    3. As a group, go through the list, placing the sticky notes first in the appropriate row based on their characteristics and the decision criteria that have already been defined, and then in the appropriate column based on the appropriate migration path. (See the next slide for an example of what this looks like.)
    4. Record the results in the Cloud Vision Executive Presentation. Note: not every cell will be filled; some migration path/service model combinations are impossible or otherwise undesirable.

    Cloud Vision Executive Presentation

    Example cloud workload map

    Repurchase Replatform Rehost Retain
    SaaS

    Office suite

    AD

    PaaS SQL Database
    IaaS File Storage DR environment
    Other

    CCTV

    Door access

    4.3.3 Complete the Cloud Vision Presentation

    1 hour

    Input

    • List of cloud initiatives

    Output

    • Initiatives assigned by responsibility and timeline

    Materials

    • Cloud Vision Workbook

    Participants

    • Core working group
    1. Open the Cloud Vision Executive Presentation to the second slide and review the templated executive brief. This comprises several sections (see the next slide). Populate each one:
      • Summary of the exercise
      • The cloud vision statement
      • Key cloud drivers
      • Risks and roadblocks
      • Top initiatives and next steps
    2. Review the remainder of the presentation. Be sure to elaborate on any significant initiatives and changes (where applicable) and to delete any slides that you no longer require.

    Cloud Vision Workbook

    Sample cloud vision executive summary

    • From [date to date], a cross-functional group representing IT and its constituents met to discuss the cloud.
    • Over the course of the week, the group identified drivers for cloud computing and developed a shared vision, evaluated several workloads through an assessment framework, identified risks, roadblocks, and mitigations, and finally generated initiatives and next steps.
    • From the process, the group produced a summary and a cloud suitability assessment framework that can be applied at the level of the workload.

    Cloud Vision Statement

    [Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support, and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.

    Cloud Drivers Retire the datacenter Do more valuable work
    Right-size the environment Reduce CapEx
    Facilitate ease of mgmt. Work from anywhere
    Reduce capital expenditure Take advantage of elasticity
    Performance and availability Governance Risks and roadblocks
    Security Rationalization
    Cost Skills
    Migration Remaining premises resources
    BC, backup, and DR Control

    Initiatives and next steps

    • Close the datacenter and colocation site in favor of a SaaS-first cloud approach.
    • Some workloads will migrate to infrastructure-as-a-service in the short term with the assistance of third-party consultants.

    Document your cloud strategy

    You did it!

    Congratulations! If you’ve made it this far, you’ve successfully articulated a cloud vision, assessed workloads, developed an understanding (shared with your team and stakeholders) of cloud concepts, and mitigated risks and roadblocks that you may encounter along your cloud journey. From this exercise, you should understand your mission and vision, how your cloud plans will interact with any other relevant strategic plans, and what successful execution looks like, as well as developing a good understanding of overall guiding principles. These are several components of your overall strategy, but they do not comprise the strategy in its entirety.

    How do you fix this?

    First, validate the results of the vision exercise with your stakeholders. Socialize it and collect feedback. Make changes where you think changes should be made. This will become a key foundational piece. The next step is to formally document your cloud strategy. This is a separate project and is covered in the Info-Tech blueprint Document Your Cloud Strategy.

    The vision exercise tells you where you want to go and offers some clues as to how to get there. The formal strategy exercise is a formal documentation of the target state, but also captures in detail the steps you’ll need to take, the processes you’ll need to refine, and the people you’ll need to hire.

    A cloud strategy should comprise your organizational stance on how the cloud will change your approach to people and human resources, technology, and governance. Once you are confident that you can make and enforce decisions in these areas, you should consider moving on to Document Your Cloud Strategy. This blueprint, Define Your Cloud Vision, often serves as a prerequisite for the strategy documentation conversation(s).

    Appendix

    Summary of Accomplishment

    Additional Support

    Research Contributors

    Related Info-Tech Research

    Vendor Resources

    Bibliography

    Summary of Accomplishment

    Problem Solved

    You have now documented what you want from the cloud, what you mean when you say “cloud,” and some preliminary steps you can take to make your vision a reality.

    You now have at your disposal a framework for identifying and evaluating candidates for their cloud suitability, as well as a series of techniques for generating risks and mitigations associated with your cloud journey. The next step is to formalize your cloud strategy using the takeaways from this exercise. You’re well on your way to a completed cloud strategy!

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Generate drivers for cloud adoption

    Work with stakeholders to understand the expected benefits of the cloud migration and how these drivers will impact the overall vision.

    Conduct workload assessments

    Assess your individual cloud workloads for their suitability as candidates for the cloud migration.

    Bibliography

    “2021 State of the Cloud Report.” Flexera, 2021. Web.

    “2021 State of Upskilling Report.” Pluralsight, 2021. Web.

    “AWS Snowmobile.” Amazon Web Services, n.d. Web.

    “Azure products.” Microsoft, n.d. Web.

    “Azure Migrate Documentation.” Microsoft, n.d. Web.

    Bell, Harold. “Multi-Cloud vs. Hybrid Cloud: What’s the Difference?” Nutanix, 2019. Web.

    “Cloud Products.” Amazon Web Services, n.d. Web.

    “COBIT 2019 Framework: Introduction and Methodology.” ISACA, 2019. Web.

    Edmead, Mark T. “Using COBIT 2019 to Plan and Execute an Organization’s Transformation Strategy.” ISACA, 2020. Web.

    Flitter, Emily, and Karen Weise. “Capital One Data Breach Compromises Data of Over 100 Million.” The New York Times, 29 July 2019. Web.

    Gillis, Alexander S. “Cloud Security Posture Management (CSPM).” TechTarget, 2021. Web.

    “’How to Cloud’ with Capital One.” Amazon Web Services, n.d. Web.

    “IBM Closes Landmark Acquisition of Red Hat for $34 Billion; Defines Open, Hybrid Cloud Future.” Red Hat, 9 July 2019. Web.

    Mell, Peter, and Timothy Grance. “The NIST Definition of Cloud Computing.” National Institute of Standards and Technology, Sept. 2011. Web.

    Ng, Alfred. “Amazon Tells Senators it Isn't to Blame for Capital One Breach.” CNET, 2019. Web.

    Orban, Stephen. “6 Strategies for Migrating Applications to the Cloud.” Amazon Web Services, 2016. Web.

    Sullivan, Dan. “Cloud Access Security Broker (CASB).” TechTarget, 2021. Web.

    “What Is Secure Access Service Edge (SASE)?” Cisco, n.d. Web.

    Build a Data Architecture Roadmap

    • Buy Link or Shortcode: {j2store}124|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $8,846 Average $ Saved
    • member rating average days saved: 23 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Data architecture involves many moving pieces requiring coordination to provide greatest value from data.
    • Data architects are at the center of this turmoil and must be able to translate high-level business requirements into specific instructions for data workers using complex data models.
    • Data architects must account for the constantly growing data and application complexity, more demanding needs from the business, an ever-increasing number of data sources, and a growing need to integrate components to ensure that performance isn’t compromised.

    Our Advice

    Critical Insight

    • Data architecture needs to evolve with the changing business landscape. There are four common business drivers that put most pressure on archaic architectures. As a result, the organization’s architecture must be flexible and responsive to changing business needs.
    • Data architecture is not just about models. Viewing data architecture as just technical data modeling can lead to structurally unsound data that does not serve the business.
    • Data is used differently across the layers of an organization’s data architecture, and the capabilities needed to optimize use of data change with it. Architecting and managing data from source to warehousing to presentation requires different tactics for optimal use.

    Impact and Result

    • Have a framework in place to identify the appropriate solution for the challenge at hand. Our three-phase practical approach will help you build a custom and modernized data architecture.
      • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit, and determine the corresponding data architecture tiers that need to be addressed.
      • Discover the best-practice trends, measure your current state, and define the targets for your data architecture tactics.
      • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

    Build a Data Architecture Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should optimize its data architecture as it evolves with the drivers of the business to get the most from its data.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prioritize your data architecture with business-driven tactics

    Identify the business drivers that necessitate data architecture improvements, then create a tactical plan for optimization.

    • Build a Business-Aligned Data Architecture Optimization Strategy – Phase 1: Prioritize Your Data Architecture With Business-Driven Tactics
    • Data Architecture Driver Pattern Identification Tool
    • Data Architecture Optimization Template

    2. Personalize your tactics to optimize your data architecture

    Analyze how you stack up to Info-Tech’s data architecture capability model to uncover your tactical plan, and discover groundbreaking data architecture trends and how you can fit them into your action plan.

    • Build a Business-Aligned Data Architecture Optimization Strategy – Phase 2: Personalize Your Tactics to Optimize Your Data Architecture
    • Data Architecture Tactical Roadmap Tool
    • Data Architecture Trends Presentation

    3. Create your tactical data architecture roadmap

    Optimize your data architecture by following tactical initiatives and managing the resulting change brought on by those optimization activities.

    • Build a Business-Aligned Data Architecture Optimization Strategy – Phase 3: Create Your Tactical Data Architecture Roadmap
    • Data Architecture Decision Template
    [infographic]

    Workshop: Build a Data Architecture Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Drivers of the Business for Optimizing Data Architecture

    The Purpose

    Explain approach and value proposition.

    Review the common business drivers and how the organization is driving a need to optimize data architecture.

    Understand Info-Tech’s five-tier data architecture model.

    Determine the pattern of tactics that apply to the organization for optimization.

    Key Benefits Achieved

    Understanding of the current data architecture landscape.

    Priorities for tactical initiatives in the data architecture practice are identified.

    Target state for the data quality practice is defined.

    Activities

    1.1 Explain approach and value proposition.

    1.2 Review the common business drivers and how the organization is driving a need to optimize data architecture.

    1.3 Understand Info-Tech’s five-tier data architecture model.

    1.4 Determine the pattern of tactics that apply to the organization for optimization.

    Outputs

    Five-tier logical data architecture model

    Data architecture tactic plan

    2 Determine Your Tactics For Optimizing Data Architecture

    The Purpose

    Define improvement initiatives.

    Define a data architecture improvement strategy and roadmap.

    Key Benefits Achieved

    Gaps, inefficiencies, and opportunities in the data architecture practice are identified.

    Activities

    2.1 Create business unit prioritization roadmap.

    2.2 Develop subject area project scope.

    2.3 Subject area 1: data lineage analysis, root cause analysis, impact assessment, business analysis

    Outputs

    Business unit prioritization roadmap

    Subject area scope

    Data lineage diagram

    3 Create a Strategy for Data Quality Project 2

    The Purpose

    Define improvement initiatives.

    Define a data quality improvement strategy and roadmap.

    Key Benefits Achieved

    Improvement initiatives are defined.

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy.

    A roadmap is defined to depict when and how to tackle the improvement initiatives.

    Activities

    3.1 Create business unit prioritization roadmap.

    3.2 Develop subject area project scope.

    3.3 Subject area 1: data lineage analysis, root cause analysis, impact assessment, business analysis.

    Outputs

    Business unit prioritization roadmap

    Subject area scope

    Data lineage diagram

    Further reading

    Build a Data Architecture Roadmap

    Optimizing data architecture requires a plan, not just a data model.

    ANALYST PERSPECTIVE

    Integral to an insight-driven enterprise is a modern and business-driven data environment.

    “As business and data landscapes change, an organization’s data architecture needs to be able to keep pace with these changes. It needs to be responsive so as to not only ensure the organization continues to operate efficiently but that it supports the overall strategic direction of the organization.

    In the dynamic marketplace of today, organizations are constantly juggling disruptive forces and are finding the need to be more proactive rather than reactive. As such, organizations are finding their data to be a source of competitive advantage where the data architecture has to be able to not only support the increasing amount, sources, and rate at which organizations are capturing and collecting data but also be able to meet and deliver on changing business needs.

    Data architecture optimization should, therefore, aid in breaking down data silos and creating a more shared and all-encompassing data environment for better empowering the business.” (Crystal Singh, Director, Research, Data and Information Practice, Info-Tech Research Group)

    Our understanding of the problem

    This Research Is Designed For:
    • Data architects or their equivalent, looking to optimize and improve the efficiency of the capture, movement and storage of data for a variety of business drivers.
    • Enterprise architects looking to improve the backbone of the holistic approach of their organization’s structure.
    This Research Will Help You:
    • Identify the business drivers that are impacted and improved by best-practice data architecture.
    • Optimize your data architecture using tactical practices to address the pressing issues of the business to drive modernization.
    • Align the organization’s data architecture with the grander enterprise architecture.
    This Research Will Also Assist:
    • CIOs concerned with costs, benefits, and the overall structure of their organizations data flow.
    • Database administrators tasked with overseeing crucial elements of the data architecture.
    This Research Will Help Them:
    • Get a handle on the current situation of data within the organization.
    • Understand how data architecture affects the operations of the data sources within the enterprise.

    Executive summary

    Situation

    • The data architecture of a modern organization involves many moving pieces requiring coordination to provide greatest value from data.
    • Data architects are at the center of this turmoil and must be able to translate high-level business requirements into specific instructions for data workers using complex data models.

    Complication

    • Data architects must account for the constantly growing data and application complexity, and more demanding needs from the business.
    • There is an ever-increasing number of data sources and a growing need to integrate components to ensure that performance isn’t compromised.
    • There isn’t always a clearly defined data architect role, yet the responsibilities must be filled to get maximum value from data.

    Resolution

    • To deal with these challenges, a data architect must have a framework in place to identify the appropriate solution for the challenge at hand.
      • Identify and prioritize the business drivers in which data architecture changes would create the largest overall benefit, and determine the corresponding data architecture tiers that need to be addressed to customize your solution.
      • Discover the best practice trends, measure your current state, and define the targets for your data architecture tactics.
      • Build a cohesive and personalized roadmap for restructuring your data architecture. Manage your decisions and resulting changes.

    Info-Tech Insight

    1. Data architecture is not just about models. Viewing data architecture as just technical data modeling can lead to a data environment that does not aptly serve or support the business. Identify the priorities of your business and adapt your data architecture to those needs.
    2. Changes to data architecture are typically driven by four common business driver patterns. Use these as a shortcut to understand how to evolve your data architecture.
    3. Data is used differently across the layers of an organization’s data architecture; therefore, the capabilities needed to optimize the use of data change with it. Architecting and managing data from source to warehousing to presentation requires different tactics for optimal use.

    Your data is the foundation of your organization’s knowledge and ability to make decisions

    Data should be at the foundation of your organization’s evolution.

    The transformational insights that executives are constantly seeking to leverage can be uncovered with a data practice that makes high quality, trustworthy information readily available to the business users who need it.

    50% Organizations that embrace data are 50% more likely to launch products and services ahead of their competitors. (Nesta, 2016)

    Whether hoping to gain a better understanding of your business or trying to become an innovator in your industry, any organization can get value from its data regardless of where you are in your journey to becoming a data-driven enterprise:

    Business Monitoring
    • Data reporting
    • Uncover inefficiencies
    • Monitor progress
    • Track inventory levels
    Business Insights
    • Data analytics
    • Expose patterns
    • Predict future trends
    Business Optimization
    • Data-based apps
    • Build apps to automate actions based on insights
    Business Transformation
    • Monetary value of data
    • Create new revenue streams
    (Journey to Data Driven Enterprise, 2015)

    As organizations seek to become more data driven, it is imperative to better manage data for its effective use

    Here comes the zettabyte era.

    A zettabyte is a billion terabytes. Organizations today need to measure their data size in zettabytes, a challenge that is only compounded by the speed at which the data is expected to move.

    Arriving at the understanding that data can be the driving force of your organization is just the first step. The reality is that the true hurdles to overcome are in facing the challenges of today’s data landscape.

    Challenges of The Modern Data Landscape
    Data at rest Data movement
    Greater amounts Different types Uncertain quality Faster rates Higher complexity

    “The data environment is very chaotic nowadays. Legacy applications, data sprawl – organizations are grappling with what their data landscape looks like. Where are our data assets that we need to use?” (Andrew Johnston, Independent Consultant)

    Solution

    Well-defined and structured data management practices are the best way to mitigate the limitations that derive from these challenges and leverage the most possible value from your data.

    Refer to Info-Tech’s capstone Create a Plan For Establishing a Business-Aligned Data Management Practice blueprint to understand data quality in the context of data disciplines and methods for improving your data management capabilities.

    Data architecture is an integral aspect of data management

    Data Architecture

    The set of rules, policies, standards, and models that govern and define the type of data collected and how it is used, stored, managed, and integrated within the organization and its database systems.

    In general, the primary objective of data architecture is the standardization of data for the benefit of the organization.

    54% of leading “analytics-driven” enterprises site data architecture as a required skill for data analytics initiatives. (Maynard 2015)

    MYTH

    Data architecture is purely a model of the technical requirements of your data systems.

    REALITY

    Data architecture is largely dependent on a human element. It can be viewed as “the bridge between defining strategy and its implementation”. (Erwin 2016)

    Functions

    A strong data architecture should:

    • Define, visualize, and communicate data strategy to various stakeholders.
    • Craft a data delivery environment.
    • Ensure high data quality.
    • Provide a roadmap for continuous improvement.

    Business value

    A strong data architecture will help you:

    • Align data processes with business strategy and the overall holistic enterprise architecture.
    • Enable efficient flow of data with a stronger focus on quality and accessibility.
    • Reduce the total cost of data ownership.

    Data architects must maintain a comprehensive view of the organization’s rapidly proliferating data

    The data architect:
    • Acts as a “translator” between the business and data workers to communicate data and technology requirements.
    • Facilitates the creation of the data strategy.
    • Manages the enterprise data model.
    • Has a greater knowledge of operational and analytical data use cases.
    • Recommends data management policies and standards, and maintains data management artifacts.
    • Reviews project solution architectures and identifies cross impacts across the data lifecycle.
    • Is a hands-on expert in data management and warehousing technologies.
    • Is not necessarily it’s own designated position, but a role that can be completed by a variety of IT professionals.

    Data architects bridge the gap between strategic and technical requirements:

    Visualization centering the 'Data Architect' as the bridge between 'Data Workers', 'Business', and 'Data & Applications'.

    “Fundamentally, the role of a data architect is to understand the data in an organization at a reasonable level of abstraction.” (Andrew Johnston, Independent Consultant)

    Many are experiencing the pains of poor data architecture, but leading organizations are proactively tackling these issues

    Outdated and archaic systems and processes limit the ability to access data in a timely and efficient manner, ultimately diminishing the value your data should bring.

    59%

    of firms believe their legacy storage systems require too much processing to meet today’s business needs. (Attivio, Survey Big Data decision Makers, 2016)

    48%

    of companies experience pains from being reliant on “manual methods and trial and error when preparing data.” (Attivio, Survey Big Data decision Makers, 2016)

    44%
    +
    22%

    44% of firms said preparing data was their top hurdle for analytics, with 22% citing problems in accessing data. (Data Virtualization blog, Data Movement Killed the BI Star, 2016)

    Intuitive organizations who have recognized these shortcomings have already begun the transition to modernized and optimized systems and processes.

    28%

    of survey respondents say they plan to replace “data management and architecture because it cannot handle the requirements of big data.” (Informatica, Digital Transformation: Is Your Data Management Ready, 2016)

    50%

    Of enterprises plan to replace their data warehouse systems and analytical tools in the next few years. (TDWI, End of the Data Warehouse as we know it, 2017)

    Leading organizations are attacking data architecture problems … you will be left behind if you do not start now!

    Once on your path to redesigning your data architecture, neglecting the strategic elements may leave you ineffective

    Focusing on only data models without the required data architecture guidance can cause harmful symptoms in your IT department, which will lead to organization-wide problems.

    IT Symptoms Due to Ineffective Data Architecture

    Poor Data Quality

    • Inconsistent, duplicate, missing, incomplete, incorrect, unstandardized, out of date, and mistake-riddled data can plague your systems.

    Poor Accessibility

    • Delays in accessing data.
    • Limits on who can access data.
    • Limited access to data remotely.

    Strategic Disconnect

    • Disconnect between owner and consumer of data.
    • Solutions address narrow scope problems.
    • System barriers between departments.
    Leads to Poor Organizational Conditions

    Inaccurate Insights

    • Inconsistent and/or erroneous operational and management reports.
    • Ineffective cross-departmental use of analytics.

    Ineffective Decision Making

    • Slow flow of information to executive decision makers.
    • Inconsistent interpretation of data or reports.

    Inefficient Operations

    • Limits to automated functionality.
    • Increased divisions within organization.
    • Regulatory compliance violations.
    You need a solution that will prevent the pains.

    Follow Info-Tech’s methodology to optimize data architecture to meet the business needs

    The following is a summary of Info-Tech’s methodology:

    1

    1. Prioritize your core business objectives and identify your business driver.
    2. Learn how business drivers apply to specific tiers of Info-Tech’s five-tier data architecture model.
    3. Determine the appropriate tactical pattern that addresses your most important requirements.
    Visualization of the process described on the left: Business drivers applying to Info-Tech's five-tier data architecture, then determining tactical patterns, and eventually setting targets of your desired optimized state.

    2

    1. Select the areas of the five-tier architecture to focus on.
    2. Measure current state.
    3. Set the targets of your desired optimized state.

    3

    1. Roadmap your tactics.
    2. Manage and communicate change.
    A roadmap leading to communication.

    Info-Tech will get you to your optimized state faster by focusing on the important business issues

    First Things First

    1. Info-Tech’s methodology helps you to prioritize and establish the core strategic objectives behind your goal of modernizing data architecture. This will narrow your focus to the appropriate areas of your current data systems and processes that require the most attention.

    Info-Tech has identified these four common drivers that lead to the need to optimize your data architecture.

    • Becoming More Data Driven
    • Regulations and Compliance
    • Mergers and Acquisitions
    • New Functionality or Business Rule

    These different core objectives underline the motivation to optimize data architecture, and will determine your overall approach.

    Use the five-tier architecture to provide a consumable view of your data architecture

    Every organization’s data system requires a unique design and an assortment of applications and storage units to fit their business needs. Therefore, it is difficult to paint a picture of an ideal model that has universal applications. However, when data architecture is broken down in terms of layers or tiers, there exists a general structure that is seen in all data systems.

    Info-Tech's Five Tier Data Architecture. The five tiers being 'Sources' which includes 'Apps', 'Excel and other documents', and 'Access database(s)'; 'Integration and Translation' the 'Movement and transformation of data'; 'Warehousing' which includes 'Data Lakes & Warehouse(s) (Raw Data)'; 'Analytics' which includes 'Data Marts', 'Data Cube', 'Flat Files', and 'BI Tools'; and 'Presentation' which includes 'Reports' and 'Dashboards'.

    Thinking of your data systems and processes in this framework will allow you to see how different elements of the architecture relate to specific business operations.

    1. This blueprint will demonstrate how the business driver behind your redesign requires you to address specific layers of the five-tier data architecture.
    1. Once you’ve aligned your business driver to the appropriate data tiers, this blueprint will provide you with the best practice tactics you should apply to achieve an optimized data architecture.

    Use the five-tier architecture to prioritize tactics to improve your data architecture in line with your pattern

    Info-Tech’s Data Architecture Capability Model
    Info-Tech’s Data Architecture Capability Model featuring the five-tier architecture listing 'Core Capabilities' and 'Advanced Capabilities' within each tier, and a list of 'Cross Capabilities' which apply to all tiers.
    1. Based on your business driver, the relevant data tiers, and your organization’s own specific requirements you will need to establish the appropriate data architecture capabilities.
    2. This blueprint will help you measure how you are currently performing in these capabilities…
    3. And help you define and set targets so you can reach your optimized state.
    1. Once completed, these steps will be provided with the information you will need to create a comprehensive roadmap.
    2. Lastly, this blueprint will provide you with the tools to communicate this plan across your organization and offer change management guidelines to ensure successful adoption.
    Info-Tech Insight

    Optimizing data architecture requires a tactical approach, not a passive approach.

    The demanding task of optimization requires the ability to heavily prioritize. After you have identified why, determine how using our pre-built roadmap to address the four common drivers.

    Do not forget: data architecture is not a standalone concept; it fits into the more holistic design of enterprise architecture

    Data Architecture in Alignment

    Data architecture can not be designed to simply address the focus of data specialists or even the IT department.

    It must act as a key component in the all encompassing enterprise architecture and reflect the strategy and design of the entire business.

    Data architecture collaborates with application architecture in the delivery of effective information systems, and informs technology architecture on data related infrastructure requirements/considerations

    Please refer to the following blueprints to see the full picture of enterprise architecture:

    A diagram titled 'Enterprise Architecture' with multiple forms of architecture interacting with each other. At the top is 'Business Architecture' which feeds into 'Data Architecture' and 'Application Architecture' which feed into each other, and influence 'Infrastructure Architecture' and 'Security Architecture'.
    Adapted from TOGAF
    Refer to Phase C of TOGAF and Bizbok for references to the components of business architecture that are used in data architecture.

    Info-Tech’s data architecture optimization methodology helped a monetary authority fulfill strict regulatory pressures

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'. Look for this symbol as you walk through the blueprint for details on how Info-Tech Consulting assisted this monetary authority.

    Situation: Strong external pressures required the monetary authority to update and optimize its data architecture.

    The monetary authority is responsible for oversight of the financial situation of a country that takes in revenue from foreign incorporation. Due to increased pressure from international regulatory bodies, the monetary authority became responsible for generating multiple different types of beneficial ownership reports based on corporation ownership data within 24 hours of a request.

    A stale and inefficient data architecture prevented the monetary authority from fulfilling external pressures.

    Normally, the process to generate and provide beneficial ownership reports took a week or more. This was due to multiple points of stale data architecture, including a dependence on outdated legacy systems and a broken process for gathering the required data from a mix of paper and electronic sources.

    Provide a structured approach to solving the problem

    Info-Tech helped the monetary authority identify the business need that resulted from regulatory pressures, the challenges that needed to be overcome, and actionable tactics for addressing the needs.

    Info-Tech’s methodology was followed to optimize the areas of data architecture that address the business driver.

    • External Requirements
    • Business Driver
        Diagnose Data Architecture Problems
      • Outdated architecture (paper, legacy systems)
      • Stale data from other agencies
      • Incomplete data
          Data Architecture Optimization Tactics
        1. Optimized Source Databases
        2. Improved Integration
        3. Data Warehouse Optimization
        4. Data Marts for Reports
        5. Report Delivery Efficiency

    As you walk through this blueprint, watch for additional case studies that walk through the details of how Info-Tech helped this monetary authority.

    This blueprint’s three-step process will help you optimize data architecture in your organization

    Phase 1
    Prioritize Your Data Architecture With Business-Driven Tactics
    Phase 2
    Personalize Your Tactics to Optimize Your Data Architecture
    Phase 3
    Create Your Tactical Data Architecture Roadmap
    Step 1: Identify Your Business Driver for Optimizing Data Architecture
    • Learn about what data architecture is and how it must evolve with the drivers of the business.
    • Determine the business driver that your organization is currently experiencing.
    • Data Architecture Driver Pattern Identification Tool

    Step 2: Determine Actionable Tactics to Optimize Data Architecture
    • Create your data architecture optimization plan to determine the high-level tactics you need to follow.
    • Data Architecture Optimization Template

    Step 1: Measure Your Data Architecture Capabilities
    • Determine where you currently stand in the data architecture capabilities across the five-tier data architecture.
    • Data Architecture Tactical Roadmap Tool

    Step 2: Set a Target for Data Architecture Capabilities
    • Identify your targets for the data architecture capabilities.
    • Data Architecture Tactical Roadmap Tool

    Step 3: Identify the Tactics that Apply to Your Organization
    • Understand the trends in the field of data architecture and how they can help to optimize your environment.
    • Data Architecture Trends Presentation

    Step 1: Personalize Your Data Architecture Roadmap
    • Personalize the tactics across the tiers that apply to you to build your personalized roadmap.
    • Data Architecture Tactical Roadmap Tool

    Step 2: Manage Your Data Architecture Decisions and the Resulting Changes
    • Document the changes in the organization’s data architecture.
    • Data architecture involves change management – learn how data architects should support change management in the organization.
    • Data Architecture Decision Template

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Build a Business-Aligned Data Architecture Optimization Strategy – project overview

    PHASE 1
    Prioritize Your Data Architecture With Business-Driven Tactics
    PHASE 2
    Personalize Your Tactics to Optimize Your Data Architecture
    PHASE 3
    Create Your Tactical Data Architecture Roadmap
    Supporting Tool icon

    Best-Practice Toolkit

    1.1 Identify Your Business Driver for Optimizing Data Architecture

    1.2 Determine Actionable Tactics to Optimize Data Architecture

    2.1 Measure Your Data Architecture Capabilities

    2.2 Set a Target for Data Architecture Capabilities

    2.3 Identify the Tactics that Apply to Your Organization

    3.1 Personalize Your Data Architecture Roadmap

    3.2 Manage Your Data Architecture Decisions and the Resulting Changes

    Guided Implementations

    • Understand what data architecture is, how it aligns with enterprise architecture, and how data architects support the needs of the business.
    • Identify the business drivers that necessitate the optimization of the organization’s data architecture.
    • Create a tactical plan to optimize data architecture across Info-Tech’s five-tier logical data architecture model.
    • Understand Info-Tech’s tactical data architecture capability model and measure the current state of these capabilities at the organization.
    • Determine the target state of data architecture capabilities.
    • Understand the trends in the field of data architecture and identify how they can fit into your environment.
    • Use the results of the data architecture capability gap assessment to determine the priority of activities to populate your personalized data architecture optimization roadmap.
    • Understand how to manage change as a data architect or equivalent.
    Associated Activity icon

    Onsite Workshop

    Module 1:
    Identify the Drivers of the Business for Optimizing Data Architecture
    Module 2:
    Create a Tactical Plan for Optimizing Data Architecture
    Module 3:
    Create a Personalized Roadmap for Data Architecture Activities

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Preparation

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Workshop Day 5

    Organize and Plan Workshop Identify the Drivers of the Business for Optimizing Data Architecture Determine the Tactics For Optimizing Data Architecture Create Your Roadmap of Optimization Activities Create Your Personalized Roadmap Create a Plan for Change Management

    Morning Activities

    • Finalize workshop itinerary and scope.
    • Identify workshop participants.
    • Gather strategic documentation.
    • Engage necessary stakeholders.
    • Book interviews.
    • 1.1 Explain approach and value proposition.
    • 1.2 Review the common business drivers and how the organization is driving a need to optimize data architecture.
    • 2.1 Create your data architecture optimization plan.
    • 2.2 Interview key business stakeholders for input on business drivers for data architecture.
    • 3.1 Align with the enterprise architecture by interviewing the enterprise architect for input on the data architecture optimization roadmap.
    • 4.1 As a group, determine the roadmap activities that are applicable to your organization and brainstorm applicable initiatives.
    • 5.1 Use the Data Architecture Decision Documentation Template to document key decisions and updates.

    Afternoon Activities

    • 1.3 Understand Info-Tech’s Five-Tier Data Architecture.
    • 1.4 Determine the pattern of tactics that apply to the organization for optimization.
    • 2.3 With input from the business and enterprise architect, determine the current data architecture capabilities.
    • 3.3 With input from the business and enterprise architect, determine the target data architecture capabilities.
    • 4.2 Determine the timing and effort of the roadmap activities.
    • 5.2 Review best practices for change management.
    • 5.3 Present roadmap and findings to the business stakeholders and enterprise architect.

    Deliverables

    • Workshop Itinerary
    • Workshop Participant List
    1. Five-Tier Logical Data Architecture Model
    2. Data Architecture Tactic Plan
    1. Five-Tier Data Architecture Capability Model
    1. Data Architecture Tactical Roadmap
    1. Data Architecture Tactical Roadmap
    1. Data Architecture Decision Template

    Build a Business-Aligned Data Architecture Optimization Strategy

    PHASE 1

    Prioritize Your Data Architecture With Business-Driven Tactics

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Prioritize Your Data Architecture With Business-Driven Tactics

    Proposed Time to Completion: 2 weeks
    Step 1.1: Identify Your Business Driver for Optimizing Data Architecture Step 1.2: Determine Actionable Tactics to Optimize Data Architecture
    Start with an analyst kick-off call:
    • Understand what data architecture is, what it is not, and how it fits into the broader enterprise architecture program.
    • Determine the drivers that fuel the need for data architecture optimization.
    Review findings with analyst:
    • Understand the Five-Tier Data Architecture Model and how the drivers of the business inform your priorities across this logical model of data architecture.
    Then complete these activities…
    • Complete the Data Architecture Driver Pattern Identification Tool.
    Then complete these activities…
    • Create a tactical data architecture optimization plan based on the business driver input.
    With these tools & templates:
    • Data Architecture Driver Pattern Identification Tool
    With these tools & templates:
    • Data Architecture Optimization Template

    Phase 1 Results & Insights

    • Data Architecture is not just about data models. The approach that Phase 1 guides you through will help to not only plan where you need to focus your efforts as a data architect (or equivalent) but also give you guidance in how you should go about optimizing the holistic data architecture environment based on the drivers of the business.

    Phase 1 will help you create a strategy to optimize your data architecture using actionable tactics

    In this phase, you will determine your focus for optimizing your data architecture based on the business drivers that are commonly felt by most organizations.

    1. Identify the business drivers that necessitate data architecture optimization efforts.
    2. Understand Info-Tech’s Five-Tier Data Architecture, a logical architecture model that will help you prioritize tactics for optimizing your data architecture environment.
    3. Identify tactics for optimizing the organization’s data architecture across the five tiers.

    “To stay competitive, we need to become more data-driven. Compliance pressures are becoming more demanding. We need to add a new functionality.”

    Info-Tech’s Five-Tier Data Architecture:

    1. Data Sources
    2. Data Integration and Translation
    3. Data Warehousing
    4. Data Analytics
    5. Data Presentation

    Tactical plan for Data Architecture Optimization

    Phase 1, Step 1: Identify Your Business Driver for Optimizing Data Architecture

    PHASE 1

    1.1 1.2
    Identify Your Business Driver for Optimizing Data Architecture Determine Actionable Tactics to Optimize Data Architecture

    This step will walk you through the following activities:

    • Understand how data architecture fits into the organization’s larger enterprise architecture.
    • Understand what data architecture is and how it should be driven by the business.
    • Identify the driver that is creating a need for data architecture optimization.

    This step involves the following participants:

    • Data Architect
    • Enterprise Architect

    Outcomes of this step

    • A starting point for the many responsibilities of the data architect role. Balancing business and technical requirements can be challenging, and to do so you need to first understand what is driving the need for data architecture improvements.
    • Holistic understanding of the organization’s architecture environment, including enterprise, application, data, and technology architectures and how they interact.

    Data architecture involves planning, communication, and understanding of technology

    Data Architecture

    A description of the structure and interaction of the enterprise’s major types and sources of data, logical data assets, physical data assets, and data management resources (TOGAF 9).

    The subject area of data management that defines the data needs of the enterprise and designs the master blueprints to meet those needs (DAMA DMBOK, 2009).

    IBM (2007) defines data architecture as the design of systems and applications that facilitate data availability and distribution across the enterprise.

    Definitions vary slightly across major architecture and management frameworks.

    However, there is a general consensus that data architecture provides organizations with:

    • Alignment
    • Planning
    • Road mapping
    • Change management
    • A guide for the organization’s data management program

    Data architecture must be based on business goals and objectives; developed within the technical strategies, constraints, and opportunities of the organization in support of providing a foundation for data management.

    Current Data Management
    • Alignment
    • Planning
    • Road mapping
    Goal for Data Management

    Info-Tech Insight

    Data Architecture is not just data models. Data architects must understand the needs of the business, as well as the existing people and processes that already exist in the organization to effectively perform their job.

    Review how data architecture fits into the broader architectural context

    A flow diagram starting with 'Business Processes/Activities' to 'Business Architecture' which through a process of 'Integration' flows to 'Data Architecture' and 'Application Architecture', the latter of which also flows into to the former, and they both flow into 'Technology Architecture' which includes 'Infrastructure' and 'Security'.

    Each layer of architecture informs the next. In other words, each layer has components that execute processes and offer services to the next layer. For example, data architecture can be broken down into more granular activities and processes that inform how the organization’s technology architecture should be arranged.

    Data does not exist on its own. It is informed by business architecture and used by other architectural domains to deliver systems, IT services, and to support business processes. As you build your practice, you must consider how data fits within the broader architectural framework.

    The Zachman Framework is a widely used EA framework; within it, data is identified as the first domain.

    The framework aims to standardize artifacts (work-products) within each architectural domain, provides a cohesive view of the scope of EA and clearly delineates data components. Use the framework to ensure that your target DA practice is aligned to other domains within the EA framework.

    'The Zachman Framework for Enterprise Architecture: The Enterprise Ontology', a complicated framework with top and bottom column headers and left and right row headers. Along the top are 'Classification Names': 'What', 'How', 'Where', 'Who', 'When', and 'Why'. Along the bottom are 'Enterprise Names': 'Inventory Sets', 'Process Flows', 'Distribution Networks', 'Responsibility Assignments', 'Timing Cycles', and 'Motivation Intentions'. Along the left are 'Audience Perspectives': 'Executive Perspective', 'Business Mgmt. Perspective', 'Architect Perspective', 'Engineer Perspective', 'Technician Perspective', and 'Enterprise Perspective'. Along the right are 'Model Names': 'Scope Contexts', 'Business Concepts', 'System Logic', 'Technology Physics', 'Tool Components', and 'Operations Instances'.
    (Source: Zachman International)

    Data architects operate in alignment with the other various architecture groups

    Data architects operate in alignment with the other various architecture groups, with coordination from the enterprise architect.

    Enterprise Architect
    The enterprise architect provides thought leadership and direction to domain architects.

    They also maintain architectural standards across all the architectural domains and serve as a lead project solution architect on the most critical assignments.

    • Business Architect
      A business subject matter expert who works with the line-of-business team to assist in business planning through capability-based planning.
    • Security Architect
      Plays a pivotal role in formulating the security strategy of the organization, working with the business and CISO/security manager. Recommends and maintains security standards, policies, and best practices.
    • Infrastructure Architect
      Recommends and maintains standards across the compute, storage, and network layers of the organization. Reviews project solution architectures to ensure compliance with infrastructure standards, regulations, and target state blueprints.
    • Application Architect
      Manages the business effectiveness, satisfaction, and maintainability of the application portfolio. Conduct application architecture assessments to document expected quality attribute standards, identify hotspots, and recommend best practices.
    • Data Architect
      Facilitates the creation of data strategy and has a greater understanding of operational and analytical data use cases. Manages the enterprise data model which includes all the three layers of modelling - conceptual, logical, and physical. Recommends data management policies and standards, and maintains data management artefacts. Reviews project solution architectures and identifies cross impacts across the data lifecycle.

    As a data architect, you must maintain balance between the technical and the business requirements

    The data architect role is integral to connecting the long-term goals of the business with how the organization plans to manage its data for optimal use.

    Data architects need to have a deep experience in data management, data warehousing, and analytics technologies. At a high level, the data architect plans and implements an organization’s data, reporting, and analytics roadmap.

    Some of the role’s primary duties and responsibilities include:

    1. Data modeling
    2. Reviewing existing data architecture
    3. Benchmark and improve database performance
    4. Fine tune database and SQL queries
    5. Lead on ETL activities
    6. Validate data integrity across all platforms
    7. Manage underlying framework for data presentation layer
    8. Ensure compliance with proper reporting to bureaus and partners
    9. Advise management on data solutions

    Data architects bridge the gap between strategic and technical requirements:

    Visualization centering the 'Data Architect' as the bridge between 'Data Workers', 'Business', and 'Data & Applications'.

    “Fundamentally, the role of a data architect is to understand the data in an organization at a reasonable level of abstraction.” (Andrew Johnston, Independent Consultant)

    Info-Tech Insight

    The data architect role is not always clear cut. Many organizations do not have a dedicated data architect resource, and may not need one. However, the duties and responsibilities of the data architect must be carried out to some degree by a combination of resources as appropriate to the organization’s size and environment.

    Understand the role of a data architect to ensure that essential responsibilities are covered in the organization

    A database administrator (DBA) is not a data architect, and data architecture is not something you buy from an enterprise application vendor.

    Data Architect Role Description

    • The data architect must develop (along with the business) a short-term and long-term vision for the enterprise’s data architecture.
    • They must be able to create processes for governing the identification, collection, and use of accurate and valid metadata, as well as for tracking data quality, completeness, and redundancy.
    • They need to create strategies for data security, backup, disaster recovery, business continuity, and archiving, and ensure regulatory compliance.

    Skills Necessary

    • Hands-on experience with data architecting and management, data mining, and large-scale data modeling.
    • Strong understanding of relational and non-relational data structures, theories, principles, and practices.
    • Strong familiarity with metadata management.
    • Knowledge of data privacy practices and laws.

    Define Policies, Processes, and Priorities

    • Policies
      • Boundaries of the data architecture.
      • Data architecture standards.
      • Data architecture security.
      • Responsibility of ownership for the data architecture and data repositories.
      • Responsibility for data architecture governance.
    • Processes
      • Data architecture communication.
      • Data architecture change management.
      • Data architecture governance.
      • Policy compliance monitoring.
    • Priorities
      • Align architecture efforts with business priorities.
      • Close technology gaps to meet service level agreements (SLAs).
      • Determine impacts on current or future projects.

    See Info-Tech’s Data Architect job description for a comprehensive description of the data architect role.

    Leverage data architecture frameworks to understand how the role fits into the greater Enterprise Architecture framework

    Enterprise data architectures are available from industry consortiums such as The Open Group (TOGAF®), and open source initiatives such as MIKE2.0.

    Logo for The Open Group.

    The Open Group TOGAF enterprise architecture model is a detailed framework of models, methods, and supporting tools to create an enterprise-level architecture.

    • TOGAF was first developed in 1995 and was based on the Technical Architecture Framework for Information Management (TAFIM) developed by the US Department of Defense.
    • TOGAF includes application, data, and infrastructure architecture domains providing enterprise-level, product-neutral architecture principles, policies, methods, and models.
    • As a member of The Open Group, it is possible to participate in ongoing TOGAF development initiatives.

    The wide adoption of TOGAF has resulted in the mapping of it to several other industry standards including CoBIT and ITIL.

    Logo for MIKE2.0.

    MIKE2.0 (Method for an Integrated Knowledge Environment), is an open source method for enterprise information management providing a framework for information development.

    • SAFE (Strategic Architecture for the Federated Enterprise) provides the technology solution framework for MIKE2.0
    • SAFE includes application, presentation, information, data, Infrastructure, and metadata architecture domains.

    Info-Tech Best Practice

    If an enterprise-level IT architecture is your goal, TOGAF is likely a better model. However, if you are an information and knowledge-based business then MIKE2.0 may be more relevant to your business.

    The data architect must identify what drives the need for data from the business to create a business-driven architecture

    As the business landscape evolves, new needs arise. An organization may undergo new compliance requirements, or look to improve their customer intimacy, which could require a new functionality from an application and its associated database.

    There are four common scenarios that lead to an organization’s need to optimize its data architecture and these scenarios all present unique challenges for a data architect:

    1. Becoming More Data Driven As organizations are looking to get more out of their data, there is a push for more accurate and timely data from applications. Data-driven decision making requires verifiable data from trustworthy sources. Result: Replace decisions made on gut or intuition with real and empirical data - make more informed and data-driven decisions.
    2. New Functionality or Business Rule In order to succeed as business landscapes change, organizations find themselves innovating on products or services and the way they do things. Changes in business rules, product or service offering, and new functionalities can subsequently demand more from the existing data architecture. Result: Prepare yourself to successfully launch new business initiatives with an architecture that supports business needs.
    3. Mergers and Acquisitions If an organization has recently acquired, been acquired, or is merging with another, the technological implications require careful planning to ensure a seamless fit. Application consolidation, retirement, data transfer, and integration points are crucial. Result: Leverage opportunities to incorporate and consolidate new synergistic assets to realize the ROI.
    4. Risk and Compliance Data in highly regulated organizations needs to be kept safe and secure. Architectural decisions around data impact the level of compliance within the organization. Result: Avoid the fear of data audits, regulatory violations, and privacy breaches.

    Info-Tech Best Practice

    These are not the only reasons why data architects need to optimize the organization’s data architecture. These are only four of the most common scenarios, however, other business needs can be addressed using the same concept as these four common scenarios.

    Use the Data Architecture Driver tool to identify your focus for data architecture

    Supporting Tool icon 1.1 Data Architecture Driver Pattern Identification Tool

    Follow Info-Tech’s process of first analyzing the needs of the business, then determining how best to architect your data based on these drivers. Data architecture needs to be able to rapidly evolve to support the strategic goals of the business, and the Data Architecture Driver Pattern Identification Tool will help you to prioritize your efforts to best do this.

    Tab 2. Driver Identification

    Objective: Objectively assess the most pressing business drivers.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 2.

    Tab 3. Tactic Pattern Plan, Section 1

    Purpose: Review your business drivers that require architectural changes in your environment.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 3, section 1.

    Tab 3. Tactic Pattern Plan, Section 2

    Purpose: Determine a list of tactics that will help you address the business drivers.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 3, section 2.

    Step
    • Evaluate business drivers to determine the data architecture optimization priorities and tactics.
    Step
    • Understand how each business driver relates to data architecture and how each driver gives rise to a specific pattern across the five-tier data architecture.
    Step
    • Review the list of high-level tactics presented to optimize your data architecture across the five tier architecture.

    Identify the drivers for improving your data architecture

    Associated Activity icon 1.1.1 1 hour

    INPUT: Data Architecture Driver tool assessment prompts.

    OUTPUT: Identified business driver that applies to your organization.

    Materials: Data Architecture Driver Pattern Identification Tool

    Participants: Data architect, Enterprise architect

    Instructions

    In Tab 2. Driver Identification of the Data Architecture Driver Pattern Identification Tool, assess the degree to which the organization is feeling the pains of the four most common business drivers:

    1. Is there a present or growing need for the business to be making data-driven decisions?
    2. Does the business want to explore a new functionality and hence require a new application?
    3. Is your organization acquiring or merging with another entity?
    4. Is your organization’s regulatory environment quick to change and require stricter reporting?

    Data architecture improvements need to be driven by business need.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 2 Driver Identification.
    Tab 2. Driver Identification

    “As a data architect, you have to understand the functional requirements, the non-functional requirements, then you need to make a solution for those requirements. There can be multiple solutions and multiple purposes. (Andrew Johnston, Independent Consultant)

    Interview the business to get clarity on business objectives and drivers

    Associated Activity icon 1.1.2 1 hour per interview

    INPUT: Sample questions targeting the activities, challenges, and opportunities of each business unit

    OUTPUT: Sample questions targeting the activities, challenges, and opportunities of each business unit

    Materials: Data Architecture Driver Pattern Identification Tool

    Participants: Data architect, Business representatives, IT representatives

    Identify 2-3 business units that demonstrate enthusiasm for or a positive outlook on improving how organizational data can help them in their role and as a unit.

    Conducting a deep-dive interview process with these key stakeholders will help further identify high-level goals for the data architecture strategy within each business unit. This process will help to secure their support throughout the implementation process by giving them a sense of ownership.

    Key Interview Questions:

    1. What are your primary activities? What do you do?
    2. What challenges do you have when completing your activities?
    3. How is poor data impacting your job?
    4. If [your selected domain]’s data is improved, what business issues would this help solve?

    Request background information and documentation from stakeholders regarding the following:

    • What current data management policies and processes exist (that you know of)?
    • Who are the data owners and end users?
    • Where are the data sources within the department stored?
    • Who has access to these data sources?
    • Are there existing or ongoing data issues within those data sources?

    Interview the enterprise architect to get input on the drivers of the business

    Associated Activity icon 1.1.3 2 hours

    INPUT: Data Architecture Driver tool assessment prompts.

    OUTPUT: Identified business driver that applies to your organization.

    Materials: Data Architecture Driver Pattern Identification Tool

    Participants: Data architect, Enterprise architect

    Data architecture improvements need to be driven by business need.

    Instructions

    As you work through Tab 2. Driver Identification of the Data Architecture Driver Pattern Identification Tool, consult with the enterprise architect or equivalent to assist you in rating the importance of each of the symptoms of the business drivers. This will help you provide greater value to the business and more aligned objectives.

    Screenshot of the Data Architecture Driver Pattern Identification Tool, tab 2 Driver Identification.
    Tab 2. Driver Identification

    Once you know what that need is, go to Step 2.

    Phase 1, Step 2: Establish Actionable Tactics to Optimize Data Architecture

    PHASE 1

    1.11.2
    Identify Your Business Driver for Optimizing Data ArchitectureDetermine Actionable Tactics to Optimize Data Architecture

    This step will walk you through the following activities:

    • Understand Info-Tech’s five-tier data architecture to begin focusing your architectural optimization.
    • Create your Data Architecture Optimization Template to plan your improvement tactics.
    • Prioritize your tactics based on the five-tier architecture to plan optimization.

    This step involves the following participants:

    • Data Architect
    • Enterprise Architect
    • DBAs

    Outcomes of this step

    • A tactical and prioritized plan for optimizing the organization’s data architecture according to the needs of the business.

    To plan a business-driven architecture, data architects need to keep the organization’s big picture in mind

    Remember… Architecting an organization involves alignment, planning, road mapping, design, and change management functions.

    Data architects must be heavily involved with:

    • Understanding the short- and long-term visions of the business to develop a vision for the organization’s data architecture.
    • Creating processes for governing the identification, collection, and use of accurate and valid data, as well as for tracking data quality, completeness, and redundancy.
    • They need to create strategies for data security, backup, disaster recovery, business continuity, and archiving, and ensure regulatory compliance.

    To do this, you need a framework. A framework provides you with the holistic view of the organization’s data environment that you can use to design short- and long-term tactics for improving the use of data for the needs of the business.

    Use Info-Tech’s five-tier data architecture to model your environment in a logical, consumable fashion.

    Info-Tech Best Practice

    The more complicated an environment is, the more need there is for a framework. Being able to pick a starting point and prioritize tasks is one of the most difficult, yet most essential, aspects of any architect’s role.

    The five tiers of an organization’s data architecture support the use of data throughout its lifecycle

    Info-Tech’s five-tier data architecture model summarizes an organization’s data environment at a logical level. Data flows from left to right, but can also flow from the presentation layer back to the warehousing layer for repatriation of data.

    Info-Tech's Five Tier Data Architecture. The five tiers being 'Sources' which includes 'App1 ', 'App2', 'Excel and other documents', 'Access database(s)', 'IOT devices', and 'External data feed(s) & social media'; 'Integration and Translation' which includes 'Solutions: SOA, Point to Point, Manual Loading, ESB , ETL, ODS, Data Hub' and 'Functions: Scrambling Masking Encryption, Tokenizing, Aggregation, Transformation, Migration, Modeling'; 'Warehousing' which includes 'Data Lakes & Warehouse(s) (Raw Data)', 'EIM, ECM, DAM', and 'Data Lakes & Warehouse(s) (Derived Data)'; 'Analytics' which includes 'Data Marts', 'Data Cube', 'Flat Files', 'BI Tools', and the 'Protected Zone: Data Marts - BDG Class Ref. MDM'; and 'Presentation' which includes 'Formulas', 'Thought Models', 'Reports', 'Dashboards', 'Presentations', and 'Derived Data (from analytics activities)'.

    Use the Data Architecture Optimization Template to build your improvement roadmap

    Supporting Tool icon 1.2 Data Architecture Optimization Template

    Download the Data Architecture Optimization Template.

    Overview

    Use this template to support your team in creating a tactical strategy for optimizing your data architecture across the five tiers of the organization’s architecture. This template can be used to document your organization’s most pressing business driver, the reasons for optimizing data architecture according to that driver, and the tactics that will be employed to address the shortcomings in the architecture.

    Sample of Info-Tech’s Data Architecture Optimization Template. Info-Tech’s Data Architecture Optimization Template Table of Contents
    1. Build Your Current Data Architecture Logical Model Use this section to document the current data architecture situation, which will provide context for your plan to optimize your data architecture.
    2. Optimization Plan Use this section to document the tactics that will be employed to optimize the current data architecture according to the tactic pattern identified by the business driver.

    Fill out as you go

    As you read about the details of the five-tier data architecture model in the following slides, start building your current logical data architecture model by filling out the sections that correspond to the various tiers. For example, if you identified that the most pressing business driver is becoming compliant with regulations, document the sources of data required for compliance, as well as the warehousing strategy currently being employed. This will help you to understand the organization’s data architecture at a logical level.

    Tier 1 represents all of the sources of your organization’s data

    Tier 1 of Info-Tech's Five Tier Data Architecture, 'Sources', which includes 'App1 ', 'App2', 'Excel and other documents', 'Access database(s)', 'IOT devices', and 'External data feed(s) & social media'.
    –› Data to integration layer

    Tier 1 is where the data enters the organization.

    All applications, data documents such as MS Excel spreadsheets, documents with table entries, manual extractions from other document types, user-level databases including MS Access and MySQL, other data sources, data feeds, big datasets, etc. reside here.

    This tier typically holds the siloed data that is so often not available across the enterprise because the data is held within department-level applications or systems. This is also the layer where transactions and operational activities occur and where data is first created or ingested.

    There are any number of business activities from transactions through business processes that require data to flow from one system to another, so it is often at this layer we see data created more than once, data corruption occurs, manual re-keying of data from system to system, and spaghetti-like point-to-point connections are built that are often fragile. This is usually the single most problematic area within an enterprise’s data environment. Application- or operational-level (siloed) reporting often occurs at this level.

    Info-Tech Best Practice

    An optimized Tier 1 has the following attributes:

    • Rationalized applications
    • Operationalized database administration
    • Databases governed, monitored, and maintained to ensure optimal performance

    Tier 2 represents the movement of data

    Tier 2 of Info-Tech's Five Tier Data Architecture, 'Integration and Translation', which includes 'Solutions: SOA, Point to Point, Manual Loading, ESB , ETL, ODS, Data Hub' and 'Functions: Scrambling Masking Encryption, Tokenizing, Aggregation, Transformation, Migration, Modeling'.
    –› Data to Warehouse Environment

    Find out more

    For more information on data integration, see Info-Tech’s Optimize the Organization’s Data Integration Practices blueprint.

    Tier 2 is where integration, transformation, and aggregation occur.

    Regardless of how you integrate your systems and data stores, whether via ETL, ESB, SOA, data hub, ODS, point-to-point, etc., the goal of this layer is to move data at differing speeds for one of two main purposes:

    1) To move data from originating systems to downstream systems to support integrated business processes. This ensures the data is pristine through the process and improves trustworthiness of outcomes and speed to task and process completion.

    2) To move data to Tier 3 - The Data Warehouse Architecture, where data rests for other purposes. This movement of data in its purest form means we move raw data to storage locations in an overall data warehouse environment reflecting any security, compliance and other standards in our choices for how to store.

    Also, this is where data is transformed for unique business purpose that will also be moved to a place of rest or a place of specific use. Data masking, scrambling, aggregation, cleansing and matching, and other data related blending tasks occur at this layer.

    Info-Tech Best Practice

    An optimized Tier 2 has the following attributes:

    • Business data glossary is leveraged
    • ETL is governed
    • ETL team is empowered
    • Data matching is facilitated
    • Canonical data model is present

    Tier 3 is where data comes together from all sources to be stored in a central warehouse environment

    Tier 3 is where data rests in long-term storage.

    This is where data rests (long-term storage) and also where an enterprise’s information, documents, digital assets, and any other content types are stored. This is also where derived and contrived data creations are stored for re-use, and where formulas, thought models, heuristics, algorithms, report styles, templates, dashboard styles, and presentations-layer widgets are all stored in the enterprise information management system.

    At this layer there may be many technologies and many layers of security to reflect data domains, classifications, retention, compliance, and other data needs. This is also the layer where data lakes exist as well as traditional relational databases, enterprise database systems, enterprise content management systems, and simple user-level databases.

    Info-Tech Best Practice

    An optimized Tier 3 has the following attributes:

    • Data warehouse is governed
    • Data warehouse operations and planning
    • Data library is comprehensive
    • Four Rosetta Stones of data are in place: BDG, data classification, reference data, master data.
    Data from integration layer –›
    Tier 3 of Info-Tech's Five Tier Data Architecture, 'Data Warehouse Environment' which includes 'Data Lakes & Warehouse(s) (Raw Data)', 'EIM, ECM, DAM'.
    –› Analytics

    Find out more

    For more information on Data Warehousing, see Info-Tech’s Build an Extensible Data Warehouse Foundation and Drive Business Innovation With a Modernized Data Warehouse Environment blueprints.

    Tier 4 is where knowledge and insight is born

    Tier 4 represents data being used for a purpose.

    This is where you build fit-for-purpose data sets (marts, cubes, flat files) that may now draw from all enterprise data and information sources as held in Tier 3. This is the first place where enterprise views of all data may be effectively done and with trust that golden records from systems of record are being used properly.

    This is also the layer where BI tools get their greatest use for performing analysis. Unlike Tier 3 where data is at rest, this tier is where data moves back into action. Data is brought together in unique combinations to support reporting, and analytics. It is here that the following enterprise analytic views are crafted:
    Exploratory, Inferential, Causal, Comparative, Statistical, Descriptive, Diagnostic, Hypothesis, Predictive, Decisional, Directional, Prescriptive

    Info-Tech Best Practice

    An optimized Tier 4 has the following attributes:

    • Reporting meets business needs
    • Data mart operations are in place
    • Governance of data marts, cubes, and BI tools in place
    Warehouse Environment –›
    Tier 4 of Info-Tech's Five Tier Data Architecture, 'Analytics', which includes 'Data Marts', 'Data Cube', 'Flat Files', and 'BI Tools'.
    –› Presentation

    Find out more

    For more information on BI tools and strategy, see Info-Tech’s Select and Implement a Business Intelligence and Analytics Solution and Build a Next Generation BI with a Game-Changing BI Strategy blueprints.

    The presentation layer, Tier 5, is where data becomes presentable information

    Tier 5 represents data in knowledge form.

    This is where the data and information combine in information insight mapping methods (presentations, templates, etc.). We craft and create new ways to slice and dice data in Tier 4 to be shown and shared in Tier 5.

    Templates for presenting insights are extremely valuable to an enterprise, both for their initial use, and for the ability to build deeper, more insightful analytics. Re-use of these also enables maximum speed for sharing, consuming the outputs, and collective understanding of these deeper meanings that is a critical asset to any enterprise. These derived datasets and the thought models, presentation styles, templates, and other derived and contrived assets should be repatriated into the derived data repositories and the enterprise information management systems respectively as shown in Tier 3.

    Find out more

    For more information on enterprise content management and metadata, see Info-Tech’s Develop an ECM Strategy and Break Open Your DAM With Intuitive Metadata blueprints.

    Tier 5 of Info-Tech's Five Tier Data Architecture, 'Presentation', which includes 'Formulas', 'Thought Models', 'Reports', 'Dashboards', 'Presentations', and 'Derived Data (from analytics activities)'. The 'Repatriation of data' feeds the derived data back into Warehousing.

    Info-Tech Best Practice

    An optimized Tier 5 has the following attributes:

    • Metadata creation is supervised
    • Metadata is organized
    • Metadata is governed
    • Content management capabilities are present

    Info-Tech Insight

    Repatriation of data and information is an essential activity for all organizations to manage organizational knowledge. This is the activity where information, knowledge, and insights that are stored in content form are moved back to the warehousing layer for long-term storage. Because of this, it is crucial to have an effective ECM strategy as well as the means to find information quickly and efficiently. This is where metadata and taxonomy come in.

    As a data architect, you must prioritize your focus according to business need

    Determine your focus.

    Now that you have an understanding of the drivers requiring data architecture optimization, as well as the current data architecture situation at your organization, it is time to determine the actions that will be taken to address the driver.

    1. Business driver

    Screenshot of Data Architecture Driver Pattern Identification Tool, Tab 2. Tactic Pattern Plan.
    Data Architecture Driver Pattern Identification Tool, Tab 2. Tactic Pattern Plan

    3. Documented tactic plan

    Data Architecture Optimization Template

    2. Tactics across the five tiers

    Another screenshot of Data Architecture Driver Pattern Identification Tool, Tab 2. Tactic Pattern Plan.

    The next four slides provide an overview of the priorities that accompany the four most common business drivers that require updates to a stale data architecture.

    Business driver #1: Adding a new functionality to an application can have wide impacts on data architecture

    Does the business wants to add a new application or supplement an existing application with a new functionality?

    Whether the business wants to gain better customer intimacy, achieve operational excellence, or needs to change its compliance and reporting strategy, the need for collecting new data through a new application or a new functionality within an existing application can arise. This business driver has the following attributes:

    • Often operational oriented and application driven.
    • An application is changed through an application version upgrade, migration to cloud, or application customization, or as a result of application rationalization or changes in the way that application data is generated.
    • However, not all new functionalities trigger this scenario. Non-data-related changes, such as a new interface, new workflows, or any other application functionality changes that do not involve data, will not have data architecture impacts.
    Stock photo of someone using a smartphone with apps.
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture at the source tier and the integration of the new functionality. Tactics for this business driver should address the following pattern:
    Tiers 1 and 2 highlighted.

    Business driver #2: Organizations today are looking to become more data driven

    Does the business wants to better leverage its data?

    An organization can want to use its data for multiple reasons. Whether these reasons include improving customer experience or operational excellence, the data architect must ensure that the organization’s data aggregation environment, reporting and analytics, and presentation layer are assessed and optimized for serving the needs of the business.

    “Data-drivenness is about building tools, abilities, and, most crucially, a culture that acts on data.” (Carl Anderson, Creating a Data-Driven Organization)

    Tactics for this business driver should address the following pattern:
    Tiers 3, 4, and 5 highlighted.
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture at the source tier and the integration of the new functionality.
    Stock photo of someone sitting at multiple computers with analytics screens open.
    • This scenario is typically project driven and analytical oriented.
    • The business is looking to leverage data and information by processing data through BI tools and self-service.
    • Example: The organization wants to include new third-party data, and needs to build a new data mart to provide a slice of data for analysis.

    Business driver #3: Risk and compliance demands can put pressure on outdated architectures

    Is there increasing pressure on the business to maintain compliance requirements as per regulations?

    An organization can want to use its data for multiple reasons. Whether these reasons include improving customer experience or operational excellence, the data architect must ensure that the organization’s data aggregation environment, reporting and analytics, and presentation layer are assessed and optimized for serving the needs of the business.

    There are different types of requirements:
    • Can be data-element driven. For example, PII, PHI are requirements around data elements that are associated with personal and health information.
    • Can be process driven. For example, some requirements restrict data read/write to certain groups.
    Stock photo of someone pulling a block out of a Jenga tower.
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture where data is stored: at the sources, the warehouse environment, and analytics layer. Tactics for this business driver should address the following pattern:
    Tiers 1, 3, and 4 highlighted.

    Business driver #4: Mergers and acquisitions can require a restructuring of the organization’s data architecture

    Is the organization looking to acquire or merge with another organization or line of business?

    There are three scenarios that encompass the mergers and acquisitions business driver for data architecture:

    1. The organization acquires/merges with another organization and wants to integrate the data.
    2. The organization acquires/merges a subset of an organization (a line of business, for example) and wants to integrate the data.
    3. The organization acquires another organization for competitive purposes, and does not need to integrate the data.
    Regardless of what scenario your organization falls into, you must go through the same process of identifying the requirements for the new data:
    1. Understand what data you are getting.
      The business may acquire another organization for the data, for the technology, and/or for algorithms (for example). If the goal is to integrate the new data, you must understand if the data is unstructured, structured, how much data, etc.
    2. Plan for the integration of the new data into your environment.
      Do you have the expertise in-house to integrate the data? Database structures and systems are often mismatched (for example, acquired company could have an Oracle database whereas you are an SAP shop) and this may require expertise from the acquired company or a third party.
    3. Integrate the new data.
      Often, the extraction of the new data is the easy part. Transforming and loading the data is the difficult and costly part.
    “As a data architect, you must do due diligence of the acquired firm. What are the workflows, what are the data sources, what data is useful, what is useless, what is the value of the data, and what are the risks of embedding the data?” (Anonymous Mergers and Acquisitions Consultant)
    Modified icon for Tools & Templates. When this business driver arises, data architects should focus on optimizing architecture at the source tier, the warehousing layer, and analytics. Tiers 1, 3, and 4 highlighted.

    Determine your tier priority pattern and the tactics that you should address based on the business drivers

    Associated Activity icon 1.2.1 30 minutes

    INPUT: Business driver assessment

    OUTPUT: Tactic pattern and tactic plan

    Materials: Data Architecture Driver Pattern Identification Tool, Data Architecture Optimization Template

    Participants: Data architect, Enterprise architect

    Instructions
    1. After you have assessed the organization’s business driver on Tab 1. Driver Identification, move to Tab 2. Tactic Pattern Plan.
    2. Here, you will find a summary of the business driver that applies to you, as well as the tier priority pattern that will help you to focus your efforts for data architecture.
    3. Document the Tier Priority Pattern and associated tactics in Section 2. Optimization Plan of the Data Architecture Optimization Plan.
    Screenshot of Data Architecture Driver Tool.
    Data Architecture Driver Tool
    Arrow pointing right. Sample of Data Architecture Optimization Template
    Data Architecture Optimization Template

    Info-Tech Insight

    Our approach will help you to get to the solution of the organization’s data architecture problems as quickly as possible. However, keep in mind that you should still address the other tiers of your data architecture even if they are not part of the pattern we identified. For example, if you need to become more data driven, don’t completely ignore the sources and the integration of data. However, to deliver the most and quickest value, focus on tiers 3, 4, and 5.

    This phase helped you to create a tactical plan to optimize your data architecture according to business priorities

    Phase 1 is all about focus.

    Data architects and those responsible for updating an organization’s data architecture have a wide-open playing field with which to take their efforts. Being able to narrow down your focus and generate an actionable plan will help you provide more value to the organization quickly and get the most out of your data.

      Phase 1
      • Business Drivers
        • Tactic Pattern
          • Tactical Plan

    Now that you have your prioritized tactical plan, move to Phase 2. This phase will help you map these priorities to the essential capabilities and measure where you stack up in these capabilities. This is an essential step in creating your data architecture roadmap and plan for coming years to modernize the organization’s data architecture.

    To identify what the monetary authority needed from its data architecture, Info-Tech helped determine the business driver

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'.

    Part 1

    Prior to receiving new external requirements, the monetary Authority body had been operating with an inefficient system. Outdated legacy systems, reports in paper form, incomplete reports, and stale data from other agencies resulted in slow data access. The new requirements demanded speeding up this process.

    Diagram comparing the 'Original Reporting' requirement of 'Up to 7 days' vs the 'New Requirement' of 'As soon as 1 hour'. The steps of reporting in that time are 'Report Request', 'Gather Data', and 'Make Report'.

    Although the organization understood it needed changes, it first needed to establish what were the business objectives, and which areas of their architecture they would need to focus on.

    The business driver in this case was compliance requirements, which directed attention to the sources, aggregation, and insights tiers.

    Tiers 1, 3, and 4 highlighted.

    Looking at the how the different tiers relate to certain business operations, the organization uncovered the best practise tactics to achieving an optimized data architecture.

    1. Source Tactics: 3. Warehousing Tactics: 4. Analytics Tactics:
    • Identify data sources
    • Ensure data quality
    • Properly catalogue data
    • Properly index data
    • Provide the means for data accessibility
    • Allow for data reduction/space for report building

    Once the business driver had been established, the organization was able to identify the specific areas it would eventually need to evaluate and remedy as needed.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1

    Sample of activity 1.1.1 'Identify the drivers for improving your data architecture'. Identify the business driver that will set the direction of your data architecture optimization plan.

    In this activity, the facilitator will guide the team in identifying the business driver that is creating the need to improve the organization’s data architecture. Data architecture needs to adapt to the changing needs of the business, so this is the most important step of any data architecture improvements.

    1.2.1

    Sample of activity 1.2.1 'Determine your tier priority pattern and the tactics that you should address based on the business drivers'. Determine the tactics that you will use to optimize data architecture.

    In this activity, the facilitator will help the team create a tactical plan for optimizing the organization’s data architecture across the five tiers of the logical model. This plan can then be followed when addressing the business needs.

    Build a Business-Aligned Data Architecture Optimization Strategy

    PHASE 2

    Personalize Your Tactics to Optimize Your Data Architecture

    Phase 2 will determine your tactics that you should implement to optimize your data architecture

    Business Drivers
    Each business driver requires focus on specific tiers and their corresponding capabilities, which in turn correspond to tactics necessary to achieve your goal.
    New Functionality Risk and Compliance Mergers and Acquisitions Become More Data Driven
    Tiers 1. Data Sources 2. Integration 3. Warehousing 4. Insights 5. Presentation
    Capabilities Current Capabilities
    Target Capabilities
    Example Tactics Leverage indexes, partitions, views, and clusters to optimize performance.

    Cleanse data source.

    Leverage integration technology.

    Identify matching approach priorities.

    Establish governing principles.

    Install performance enhancing technologies.

    Establish star schema and snowflake principles.

    Share data via data mart.

    Build metadata architecture:
    • Data lineage
    • Sharing
    • Taxonomy
    • Automatic vs. manual creation

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Personalize Your Tactics to Optimize Your Data Architecture

    Proposed Time to Completion: 2 weeks
    Step 2.1: Measure Your Data Architecture Capabilities Step 2.2: Set a Target for Data Architecture Capabilities Step 2.3: Identify the Tactics That Apply to Your Organization
    Start with an analyst kick-off call:
    • Understand Info-Tech’s data architecture capability model to begin identifying where to develop tactics for optimizing your data architecture.
    Review findings with analyst:
    • Understand Info-Tech’s data architecture capability model to begin identifying where to develop tactics for optimizing your data architecture.
    Finalize phase deliverable:
    • Learn about the trends in data architecture that can be leveraged to develop tactics.
    Then complete these activities…
    • Measure your current state across the tiers of the capability model that will help address your business driver.
    Then complete these activities…
    • Measure your target state for the capabilities that will address your business driver.
    Then complete these activities…
    • Review the tactical roadmap that was created with guidance from the capability gap analysis.
    With these tools & templates:
    • Data Architecture Tactical Roadmap Tool
    With these tools & templates:
    • Data Architecture Tactical Roadmap Tool
    With these tools & templates:
    • Data Architecture Trends Presentation Template

    Phase 2 Results & Insights

    • Data architecture is not just data models. Understand the essential capabilities that your organization needs from its data architecture to develop a tactical plan for optimizing data architecture across its people, processes, and technology.

    Phase 2, Step 1: Measure Your Data Architecture Capabilities

    PHASE 2

    2.1 2.2 2.3
    Measure Your Data Architecture Capabilities Set a Target for Data Architecture Capabilities Identify the Tactics That Apply to Your Organization

    This step will walk you through the following activities:

    • As you walk through the data architecture capability model, measure your current state in each of the relevant capabilities.
    • Distinguish between essential and nice-to-have capabilities for your organization.

    This step involves the following participants:

    • Data Architect

    Outcomes of this step

    • A framework for generating a tactical plan for data architecture optimization.
    • Knowledge of the various trends in the data architecture field that can be incorporated into your plan.

    To personalize your tactical strategy, you must measure up your base data architecture capabilities

    What is a capability?

    Capabilities represent a mixture of people, technology, and processes. The focus of capability design is on the outcome and the effective use of resources to produce a differentiating capability or an essential supporting capability.

    To personalize your tactics, you have to understand what the essential capabilities are across the five tiers of an organization’s data architecture. Then, assess where you currently stand in these capabilities and where you need to go in order to build your optimization plan.

    'Capability' as a mixture of 'People', 'Technology', 'Process', and 'Assets'.

    Info-Tech’s data architecture capability model can be laid over the five-tier data architecture to understand the essential and advanced capabilities that an organization should have, and to build your tactical strategy for optimizing the organization’s data architecture across the tiers.

    Use Info-Tech’s data architecture capability model as a resource to assess and plan your personalized tactics

    Info-Tech’s data architecture capability model can be laid over the five-tier data architecture to understand the essential and advanced capabilities that an organization should have, and to build your tactical strategy for optimizing the organization’s data architecture across the tiers.

    Info-Tech’s Data Architecture Capability Model featuring the five-tier architecture listing 'Core Capabilities' and 'Advanced Capabilities' within each tier, and a list of 'Cross Capabilities' which apply to all tiers.

    Use the Data Architecture Tactical Roadmap Tool to create a tailored plan of action

    Supporting Tool icon 2.1.1 Data Architecture Tactical Roadmap Tool

    Instructions

    Use the Data Architecture Tactical Roadmap Tool as your central tool to develop a tactical plan of action to optimize the organization’s data architecture.

    This tool contains the following sections:

    1. Business Driver Input
    2. Capability Assessment
    3. Capability Gap Analysis
    4. Tactical Roadmap
    5. Metrics
    6. Initiative Roadmap

    INFO-TECH DELIVERABLE

    Sample of the Info-Tech deliverable Data Architecture Tactical Roadmap Tool.

    Benefits of using this tool:

    • Comprehensive documentation of data architecture capabilities present in leading organizations.
    • Generates an accurate architecture roadmap for your organization that is developed in alignment with the broader enterprise architecture and related architectural domains.

    To create a plan for your data architecture priorities, you must first understand where you currently stand

    Now that you understand the business problem that you are trying to solve, it is time to take action in solving the problem.

    The organization likely has some of the capabilities that are needed to solve the problem, but also a need to improve other capabilities. To narrow down the capabilities that you should focus on, first select the business driver that was identified in Phase 1 in Tab 1. Business Driver Input of the Data Architecture Tactical Roadmap Tool. This will customize the roadmap tool to deselect the capabilities that are likely to be less relevant to your organization.

    For Example: If you identified your business driver as “becoming more data-driven”, you will want to focus on measuring and building out the capabilities within Tiers 3, 4, and 5 of the capability model.

    Data Architecture Capability Model
    Info-Tech’s Data Architecture Capability Model with tiers 3, 4, and 5 highlighted.

    Note

    If you want to assess your organization for all of the capabilities across the data architecture capability model, select “Comprehensive Data Architecture Assessment” in Tab 1. Business Driver Input of the Data Architecture Tactical Roadmap Tool.

    Determine your current state across the related architecture tiers

    Associated Activity icon 2.1.2 1 hour

    INPUT: Current data architecture capabilities.

    OUTPUT: An idea of where you currently stand in the capabilities.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect, Enterprise architect, Business representatives

    Use the Data Architecture Tactical Roadmap Tool to evaluate the baseline and target capabilities of your practice in terms of how data architecture is approached and executed.

    Instructions
    1. Invite the appropriate stakeholders to participate in this exercise.
    2. On Tab 2. Practice Components, assess the current and target states of each capability on a scale of 1–5.
    3. Note: “Ad hoc” implies a capability is completed, but randomly, informally, and without a standardized method.
      These results will set the baseline against which you will monitor performance progress and keep track of improvements over time.
    To assess data architecture maturity, Info-Tech uses the Capability Maturity Model Integration (CMMI) program for rating capabilities on a scale of 1 to 5:

    1 = Initial/Ad hoc

    2 = Developing

    3 = Defined

    4 = Managed and Measurable

    5 = Optimized

    Info-Tech Insight

    Focus on Early Alignment. Assessing capabilities within specific people’s job functions can naturally result in disagreement or debate, especially between business and IT people. Objectively facilitate any debate and only finalize capability assessments when there is full alignment. Remind everyone that data architecture should ultimately serve business needs wherever possible.

    Phase 2, Step 2: Set a Target for Data Architecture Capabilities

    PHASE 2

    2.12.22.3
    Measure Your Data Architecture CapabilitiesSet a Target for Data Architecture CapabilitiesIdentify the Tactics That Apply to Your Organization

    This step will walk you through the following activities:

    • Determine your target state in each of the relevant capabilities.
    • Distinguish between essential and nice-to-have capabilities for your organization.

    This step involves the following participants:

    • Data Architect

    Outcomes of this step

    • A holistic understanding of where the organization’s data architecture currently sits, where it needs to go, and where the biggest gaps lie.

    To create a plan for your data architecture priorities, you must also understand where you need to get to in the future

    Keep the goal in mind by documenting target state objectives. This will help to measure the highest priority gaps in the organization’s data architecture capabilities.

    Example driver = Becoming more data driven Arrow pointing right. Info-Tech’s Data Architecture Capability Model with tiers 3, 4, and 5 highlighted. Arrow pointing right. Current Capabilities Arrow pointing right. Target Capabilities
    Gaps and Priorities
    Stock photo of a hand placing four shelves arranged as stairs. On the first step is a mini-cut-out of a person walking.

    Determine your future state across the relevant tiers of the data architecture capability model

    Associated Activity icon 2.2.1 2 hours

    INPUT: Current state of data architecture capabilities.

    OUTPUT: Target state of data architecture capabilities.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect

    The future of data architecture is now.

    Determine the state of data architecture capabilities that the organization needs to reach to address the drivers of the business.

    For example: If you identified your business driver as “becoming more data driven”, you will want to focus on the capabilities within Tiers 3, 4, and 5 of the capability model.

    Driver = Becoming more data driven Arrow pointing right. Info-Tech’s Data Architecture Capability Model with tiers 3, 4, and 5 highlighted. Arrow pointing right. Target Capabilities

    Identify where gaps in your data architecture capabilities lie

    Associated Activity icon 2.2.2 1 hour

    INPUT: Current and target states of data architecture capabilities.

    OUTPUT: Holistic understanding of where you need to improve data architecture capabilities.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect

    Visualization of gap assessment of data quality practice capabilities

    To enable deeper analysis on the results of your capability assessment, Tab 4. Capability Gap Analysis in the Data Architecture Tactical Roadmap Tool creates visualizations of the gaps identified in each of your practice capabilities and related data management practices. These diagrams serve as analysis summaries.

    Gap Assessment of Data Source Capabilities

    Sample of the Data Architecture Tactical Roadmap Tool, tab 4. Capability Gap Analysis.

    Use Tab 3. Data Quality Practice Scorecard to enhance your data quality project.

    1. Enhance your gap analyses by forming a relative comparison of total gaps in key practice capability areas, which will help in determining priorities.
    2. Put these up on display to improve discussion in the gap analyses and prioritization sessions.
    3. Improve the clarity and flow of your strategy template, final presentations, and summary documents by copying and pasting the gap assessment diagrams.

    Phase 2, Step 3: Identify the Tactics That Apply to Your Organization

    PHASE 2

    2.12.22.3
    Measure Your Data Architecture CapabilitiesSet a Target for Data Architecture CapabilitiesIdentify the Tactics That Apply to Your Organization

    This step will walk you through the following activities:

    • Before making your personal tactic plan, identify the trends in data architecture that can benefit your organization.
    • Understand Info-Tech’s data architecture capability model.
    • Initiate the Data Architecture Roadmap Tool to begin creating a roadmap for your optimization plan.

    This step involves the following participants:

    • Data Architect

    Outcomes of this step

    • A framework for generating a tactical plan for data architecture optimization.
    • Knowledge of the various trends in the data architecture field that can be incorporated into your plan.

    Capitalize on trends in data architecture before you determine the tactics that apply to you

    Stop here. Before you begin to plan for optimization of the organization’s data environment, get a sense of the sustainability and scalability of the direction of the organization’s data architecture evolution.

    Practically any trend in data architecture is driven by an attempt to solve one or more the common challenges of today’s tumultuous data landscape, otherwise known as “big data.” Data is being produced in outrageous amounts, at very high speeds, and in a growing number of types and structures.

    To meet these demands, which are not slowing down, you must keep ahead of the curve. Consider the internal and external catalysts that might fuel your organization’s need to modernize its data architecture:

    Big Data

    Data Storage

    Advanced analytics

    Unstructured data

    Integration

    Hadoop ecosystem

    The discussion about big data is no longer about what it is, but how do businesses of all types operationalize it.

    Is your organization currently capturing and leveraging big data?

    Are they looking to do so in the near future?

    The cloud

    The cloud offers economical solutions to many aspects of data architecture.

    Have you dealt with issues of lack of storage space or difficulties with scalability?

    Do you need remote access to data and tools?

    Real-time architecture

    Advanced analytics (machine learning, natural language processing) often require data in real-time. Consider Lambda and Kappa architectures.

    Has your data flow prevented you from automation, advanced analytics, or embracing the world of IoT?

    Graph databases

    Self-service data access allows more than just technical users to participate in analytics. NoSQL can uncover buried relationships in your data.

    Has your organization struggled to make sense of different types of unstructured data?

    Is ETL enough?

    What SQL is to NoSQL, ETL is to NoETL. Integration techniques are being created to address the high variety and high velocity of data.

    Have your data scientists wasted too much time and resources in the ETL stage?

    Read the Data Architecture Trends Presentation to understand the current cutting edge topics in data architecture

    Supporting Tool icon 2.1 Data Architecture Trends Presentation

    The speed at which new technology is changing is making it difficult for IT professionals to keep pace with best practices, let alone cutting edge technologies.

    The Info-Tech Data Architecture Trends Presentation provides a glance at some of the more significant innovations in technology that are driving today’s advanced data architectures.

    This presentation also explains how these trends relate to either the data challenges you may be facing, or the specific business drivers you are hoping to bring to your organization.

    Sample of the Data Architecture Trends Presentation.
    Data Architecture Trends Presentation

    Gaps between your current and future capabilities will help you to determine the tactics that apply to you

    Now that you know where the organization currently stands, follow these steps to begin prioritizing the initiatives:

    1. What are you trying to accomplish? Determine target states that are framed in quantifiable objectives that can be clearly communicated. The more specific the objectives are the better.
    2. Evaluate the “delta,” or difference between where the organization currently stands and where it needs to go. This will be expressed in terms of gap closure strategies, and will help clarify the initiatives that will populate the road map.
    3. Determine the relative business value of each initiative, as well as the relative complexities of successfully implementing them. These scores should be created with stakeholder input, and then plotted in an effort/transition quadrant map to determine where the quickest and most valuable wins lie.
    Current State Gap Closure Strategies Target State Data Architecture Tactical Roadmap
    • Organization objectives
    • Functional needs
    • Current operating models
    • Technology assets
    Initiatives involving:
    • Organizational changes
    • Functional changes
    • Technology changes
    • Process changes
    • Performance objectives (revenue growth, customer intimacy, growth of organization)
    • Operating model improvements
    • Prioritized, simplified, and compelling vision of how the organization will optimize data architecture

    (Source: “How to Build a Roadmap”)

    Info-Tech Insight

    Optimizing data architecture requires a tactical approach, not a passive approach. The demanding task of optimization requires the ability to heavily prioritize. After you have identified why, determine how using our pre-built roadmap to address the four common drivers.

    Each of the layers of an organization’s data architecture have associated challenges to optimization

    Stop! Before you begin, recognize these “gotchas” that can present roadblocks to creating an effective data architecture environment.

    Before diving headfirst into creating your tactical data architecture plan, documenting the challenges associated with each aspect of the organization’s data architecture can help to identify where you need to focus your energy in optimizing each tier. The following table presents the common challenges across the five tiers:

    Source Tier

    Integration Tier

    Warehousing Tier

    Analytics Tier

    Presentation Tier

    Inconsistent data models Performance issues Scalability of the data warehouse Data currency, flexibility Model interoperability
    Data quality measures: data accuracy, timeliness, accessibility, relevance Duplicated data Infrastructure needed to support volume of data No business context for using the data in the correct manner No business context for using the data in the correct manner
    Free-form field and data values beyond data domain Tokenization and other required data transformations Performance
    Volume
    Greedy consumers can cripple performance
    Insufficient infrastructure
    Inefficiencies in building the data mart Report proliferation/chaos (“kitchen sink dashboards”)
    Reporting out of source systems DB model inefficiencies
    Manual errors;
    Application usability
    Elasticity

    Create metrics before you plan to optimize your data architecture

    Associated Activity icon 2.2.3 1 hour

    INPUT: Tactics that will be used to optimize data architecture.

    OUTPUT: Metrics that can be used to measure optimization success.

    Materials: Data Architecture Tactical Roadmap Tool

    Participants: Data architect

    Metrics will help you to track your optimization efforts and ensure that they are providing value to the organization.

    There are two types of metrics that are useful for data architects to track and measure: program metrics and project metrics. Program metrics represent the activities that the data architecture program, which is the sum of multiple projects, should help to improve. Project metrics are the more granular metrics that track each project.

    Program Metrics

    • TCO of IT
      • Costs associated with applications, databases, data maintenance
      • Should decrease with better data architecture (rationalized apps, operationalized databases)
    • Cost savings:
      • Retiring a legacy system and associated databases
      • Consolidated licensing
      • Introducing shared services
    • Data systems under maintenance (maintenance burden)
    • End-user data requests fulfilled
    • Improvement of time of delivery of reports and insights

    Project Metrics

    • Percent of projects in alignment with EA
    • Percent of projects compliant with the EA governance process (architectural due diligence rate)
    • Reducing time to market for launching new products
      • Reducing human error rates
      • Speeding up order delivery
      • Reducing IT costs
      • Reducing severity and frequency of security incidents

    Use Tab 6. Metrics of the Data Architecture Tactical Roadmap Tool to document and track metrics associated with your optimization tactics.

    Use Info-Tech’s resources to build your data architecture capabilities

    The following resources from Info-Tech can be used to improve the capabilities that were identified as having a gap. Read more about the details of the five-tier architecture in the blueprints below:

    Data Governance

    Data architecture depends on effective data governance. Use our blueprint, Enable Shared Insights With an Effective Data Governance Engine to get more out of your architecture.

    Data Quality

    The key to maintaining high data quality is a proactive approach that requires you to establish and update strategies for preventing, detecting, and correcting errors. Find out more on how to improve data quality with Info-Tech’s blueprint, Restore Trust in Your Data Using a Business-Aligned Data Quality Management Approach.

    Master Data Management

    When you start your data governance program, you will quickly realize that you need an effective MDM strategy for managing your critical data assets. Use our blueprint, Develop a Master Data Management Strategy and Roadmap to Better Monetize Data to get started with MDM.

    Data Warehouse

    The key to maintaining high data quality is a proactive approach that requires you to establish and update strategies for preventing, detecting, and correcting errors. Find out more on how to improve data quality with Info-Tech’s blueprint, Drive Business Innovation With a Modernized Data Warehouse Environment.

    With the optimal tactics identified, the monetary authority uncovered areas needing improvement

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'.

    Part 2

    After establishing the appropriate tactics based on its business driver, the monetary authority was able to identify its shortcomings and adopt resolutions to remedy the issues.

    Best Practice Tactic Current State Solution
    Tier 1 - Data Sources Identify data sources Data coming from a number of locations. Create data model for old and new systems.
    Ensure data quality Internal data scanned from paper and incomplete. Data cleansing and update governance and business rules for migration to new system.
    External sources providing conflicting data.
    Tier 3 - Data Warehousing Data catalogue Data aggregated incompletely. Built proper business data glossary for searchability.
    Indexing Data warehouse performance sub-optimal. Architected data warehouse for appropriate use (star schema).
    Tier 4 - Data Analytics Data accessibility Relevant data buried in warehouse. Build data marts for access.
    Data reduction Accurate report building could not be performed in current storage. Built interim solution sandbox, spin up SQL database.

    Establishing these solutions provided the organization with necessary information to build their roadmap and move towards implementing an optimized data architecture.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of a Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 – 2.2.2

    Sample of activities 2.1.1 and 2.2.2, the first being 'Determine your current state across the related architecture tiers'. Evaluate your current capabilities and design your target data quality practice from two angles

    In this assessment and planning activity, the team will evaluate the current and target capabilities for your data architecture’s ability to meet business needs based on the essential capabilities across the five tiers of an organization’s architectural environment.

    2.2.3

    Sample of activity 2.2.3 'Create metrics before you plan to optimize your data architecture'. Create metrics to track the success of your optimization plan.

    The Info-Tech facilitator will guide you through the process of creating program and project metrics to track as you optimize your data architecture. This will help to ensure that the tactics are helping to improve crucial business attributes.

    Build a Business-Aligned Data Architecture Optimization Strategy

    PHASE 3

    Create Your Tactical Data Architecture Roadmap

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Create Your Tactical Data Architecture Roadmap

    Proposed Time to Completion: 2 weeks
    Step 3.1: Personalize Your Data Architecture RoadmapStep 3.2: Manage Your Data Architecture Decisions and the Resulting Changes
    Start with an analyst kick-off call:
    • Review the tactical plan that addresses the business drivers by optimizing your data architecture in the relevant focus areas.
    Review findings with analyst:
    • Discuss and review the roadmap of optimization activities, including dependencies, timing, and ownership of activities.
    • Understand how change management is an integral aspect of any data architecture optimization plan.
    Then complete these activities…
    • Create your detailed data architecture initiative roadmap.
    Then complete these activities…
    • Create your Data Architecture Decision Template to document the changes that are going to be made to optimize your data architecture environment.
    • Review how change management fits into the data architecture improvement program.
    With these tools & templates:
    • Data Architecture Tactical Roadmap Tool
    With these tools & templates:
    • Data Architecture Decision Template

    Phase 3 Results & Insights

    • Phase 3 will help you to build a personalized roadmap and plan for optimizing data architecture in your organization. In carrying out this roadmap, changes will, by necessity, occur. Therefore, an integral aspect of a data architect’s role is change management. Use the resources included in Phase 3 to smoothen the change management process.

    Phase 3, Step 1: Personalize Your Data Architecture Roadmap

    PHASE 3

    3.1 3.2
    Personalize Your Data Architecture Roadmap Manage Your Data Architecture Decisions and the Resulting Changes

    This step will walk you through the following activities:

    • Determine the timing, effort, and ownership of the recommended optimization initiatives.
    • Brainstorm initiatives that are not yet on the roadmap but apply to you.

    This step involves the following participants:

    • Data Architect
    • DBAs
    • Enterprise Architect

    Outcomes of this step

    • A roadmap of specific initiatives that map to the tactical plan for optimizing your organization’s data architecture.
    • A plan for communicating high-level business objectives to data workers to address the issues of the business.

    Now that you have tactical priorities, identify the actionable steps that will lead you to an optimized data architecture

    Phase 1 and 2 helped you to identify tactics that address some of the most common business drivers. Phase 3 will bring you through the process of practically planning what those tactics look like in your organization’s environment and create a roadmap to plan how you will generate business value through optimization of your data architecture environment.

    Diagram of the three phases and the goals of each one. The first phase says 'Identify your data architecture business driver' and highlights 'Business Driver 3' out of four to focus on in Phase 2. Phase 2 says 'Optimization tactics across the five-tier logical data architecture' and identifies four of six 'Tactics' to use in Phase 3. Phase 3 is a 'Practical Roadmap of Initiatives' and utilizes a timeline of initiatives in which to apply the chosen tactics.

    Use the Data Architecture Tactic Roadmap Tool to personalize your roadmap

    Supporting Tool icon 3.1.1 Data Architecture Tactic Roadmap Tool
    Generating Your Roadmap
    1. On Tab 5. Tactic and Initiative Planning, you will find a list of tactics that correspond to every capability that applies to your chosen driver and where there is a gap. In addition, each tactic has a sequence of “Suggested Initiatives,” which represent the best-practice steps that you should take to optimize your data architecture according to your priorities and gaps.
    2. Customize this list of initiatives according to your needs.
    3. The Gantt chart is generated in Tab 7. Initiative Roadmap, and can be used to organize your plan and ensure that all of the essential aspects of optimizing data architecture are addressed.
    4. The roadmap can be used as an “executive brief” roadmap and as a communication tool for the business.
    Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 5. Tactic and Initiative Planning.
    Tab 5. Tactic and Initiative Planning

    Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 7. Initiative Roadmap.
    Tab 7. Initiative Roadmap

    Determine the details of your data architecture optimization activities

    Associated Activity icon 3.1.2 1 hour

    INPUT: Timing of initiatives for optimizing data architecture.

    OUTPUT: Optimization roadmap

    Materials: Data Architecture Tactic Roadmap Tool

    Participants: Data architect, Enterprise Architect

    Instructions

    1. With the list of suggested activities in place on Tab 5. Tactic and Initiative Planning, select whether or not the initiatives will be included in the roadmap. By default, all of the initiatives are set to “Yes.”
    2. Plan the sequence, starting time, and length of each initiative, as well as the assigned responsibility of the initiative in Tab 5. Tactic and Initiative Planning of the Data Architecture Tactic Roadmap Tool.
    3. The tool will a generate a Gantt chart based on the start and length of your initiatives.
    4. The Gantt chart is generated in Tab 7. Initiative Roadmap.
    Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 5. Tactic and Initiative Planning. Tab 5. Tactic and Initiative Planning Screenshot of the Data Architecture Tactic Roadmap Tool, Tab 7. Initiative Roadmap. Tab 7. Initiative Roadmap

    Info-Tech Insight

    The activities that populate the roadmap can be taken as best practice activities. If you want an actionable, comprehensive, and prescriptive plan for optimizing your data architecture, fill in the timing of the activities and print the roadmap. This can serve as a rapid communication tool for your data architecture plan to the business and other architects.

    Optimizing data architecture relies on communication between the business and data workers

    Remember: Data architects bridge the gap between strategic and technical requirements of data.

    Visualization centering the 'Data Architect' as the bridge between 'Data Workers', 'Business', and 'Data & Applications'.

    Therefore, as you plan the data and its interactions with applications, it is imperative that you communicate the plan and its implications to the business and the data workers. Stock photo of coworkers communicating.
    Also remember: In Phase 1, you built your tactical data architecture optimization plan.
    Sample 1 of the Data Architecture Optimization Template. Sample 2 of the Data Architecture Optimization Template.
    Use this document to communicate your plan for data architecture optimization to both the business and the data workers. Socialize this document as a representation of your organization’s current data architecture as well as where it is headed in the future.

    Communicate your data architecture optimization plan to the business for approval

    Associated Activity icon 3.1.3 2 hours

    INPUT: Data Architecture Tactical Roadmap

    OUTPUT: Communication plan

    Materials: Data Architecture Optimization Template

    Participants: Data Architect, Business representatives, IT representatives

    Instructions

    Begin by presenting your plan and roadmap to the business units who participated in business interviews in activity 1.1.3 of Phase 1.

    If you receive feedback that suggests that you should make revisions to the plan, consult Info-Tech Research Group for suggestions on how to improve the plan.

    If you gain approval for the plan, communicate it to DBAs and other data workers.

    Iterative optimization and communication plan:
    Visualization of the Iterative optimization and communication plan. 'Start here' at 'Communicate Plan and Roadmap to the Business', and then continue in a cycle of 'Receive Approval or Suggested Modifications', 'Get Advice for Improvements to the Plan', 'Revise Plan', and back to the initial step until you receive 'Approval', then 'Present to Data Workers'.

    With a roadmap in place, the monetary authority followed a tactical and practical plan to repair outdated data architecture

    CASE STUDY

    Industry: Financial
    Source: Info-Tech Consulting
    Symbol for 'Monetary Authority Case Study'.

    Part 3

    After establishing the appropriate tactics based on its business driver, the monetary authority was able to identify its shortcomings and adopt resolutions to remedy the issues.

    Challenge

    A monetary authority was placed under new requirements where it would need to produce 6 different report types on its clients to a regulatory body within a window potentially as short as 1 hour.

    With its current capabilities, it could complete such a task in roughly 7 days.

    The organization’s data architecture was comprised of legacy systems that had poor searchability. Moreover, the data it worked with was scanned from paper, regularly incomplete and often inconsistent.

    Solution

    The solution first required the organization to establish the business driver behind the need to optimize its architecture. In this case, it would be compliance requirements.

    With Info-Tech’s methodology, the organization focused on three tiers: data sources, warehousing, and analytics.

    Several solutions were developed to address the appropriate lacking capabilities. Firstly, the creation of a data model for old and new systems. The implementation of governance principles and business rules for migration of any data. Additionally, proper indexing techniques and business data glossary were established. Lastly, data marts and sandboxes were designed for data accessibility and to enable a space for proper report building.

    Results

    With the solutions established, the monetary authority was given information it needed to build a comprehensive roadmap, and is currently undergoing the implementation of the plan to ensure it will experience its desired outcome – an optimized data architecture built with the capacity to handle external compliance requirements.

    Phase 3, Step 2: Manage Your Data Architecture Decisions and the Resulting Changes

    PHASE 3

    3.13.2
    Personalize Your Data Architecture RoadmapManage Your Data Architecture Decisions and the Resulting Changes

    This step will walk you through the following activities:

    • With a plan in place, document the major architectural decisions that have been and will be made to optimize data architecture.
    • Create a plan for change and release management, an essential function of the data architect role.

    This step involves the following participants:

    • Data Architect
    • Enterprise Architect

    Outcomes of this step

    • Resources for documenting and managing the inevitable change associated with updates to the organization’s data architecture environment.

    To implement data architecture changes, you must plan to accommodate the issues that come with change

    Once you have a plan in place, one the most challenging aspects of improving an organization is yet to come…overcoming change!

    “When managing change, the job of the data architect is to avoid unnecessary change and to encapsulate necessary change.

    You must provide motivation for simplifying change, making it manageable for the whole organization.” (Andrew Johnston, Independent Consultant)

    Stock photo of multiple hands placing app/website design elements on a piece of paper.

    Create roadmap

    Arrow pointing down.

    Communicate roadmap

    Arrow pointing down.

    Implement roadmap

    Arrow pointing down.

    Change management

    Use the Data Architecture Decision Template when architectural changes are made

    Supporting Tool icon 3.2 Data Architecture Decision Template
    Document the architectural decisions made to provide context around changes made to the organization’s data environment.

    The goal of this Data Architecture Decision Template is to provide data architects with a template for managing the changes that accompany major architectural decisions. As you work through the Build a Business-Aligned Data Architecture Optimization Strategy blueprint, you will create a plan for tactical initiatives that address the drivers of the business to optimize your data architecture. This plan will bring about changes to the organization’s data architecture that need change management considerations.

    Document any major changes to the organization’s data architecture that are required to evolve with the organization’s drivers. This will ensure that major architectural changes are documented, tracked, and that the context around the decision is maintained.

    “Environment is very chaotic nowadays – legacy apps, sprawl, ERPs, a huge mix and orgs are grappling with what our data landscape look like? Where are our data assets that we need to use?” (Andrew Johnston, Independent Consultant)

    Sample of the Data Architecture Decision Template.

    Use Info-Tech’s Data Architecture Decision Template to document any major changes in the organization’s data architecture.

    Leverage Info-Tech’s resources to smooth change management

    As changes to the architectural environment occur, data architects must stay ahead of the curve and plan the change management considerations that come with major architectural decisions.

    “When managing change, the job of the data architect is to avoid unnecessary change and to encapsulate necessary change.

    You must provide motivation for simplifying change, making it manageable for the whole organization.” (Andrew Johnston, Independent Consultant)

    See Info-Tech’s resources on change management to smooth changes:
    Banner for the blueprint set 'Optimize Change Management' with subtitle 'Turn and face the change with a right-sized change management process'.
    Sample of the Optimize Change Management blueprint.

    Change Management Blueprint

    Sample of the Change Management Roadmap Tool.

    Change Management Roadmap Tool

    Use Info-Tech’s resources for effective release management

    As changes to the architectural environment occur, data architects must stay ahead of the curve and plan the release management considerations around new hardware and software releases or updates.

    Release management is a process that encompasses the planning, design, build, configuration, and testing of hardware and software releases to create a defined set of release components (ITIL). Release activities can include the distribution of the release and supporting documentation directly to end users. See Info-Tech’s resources on Release Management to smooth changes:

    Banner for the blueprint set 'Take a Holistic View to Optimize Release Management' with subtitle 'Build trust by right-sizing your process using appropriate governance'.
    Samples of the Release Management blueprint.

    Release Management Blueprint

    Sample of the Release Management Process Standard Template.

    Release Management Process Standard Template

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of a Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.1

    Sample of activity 3.1.2 'Determine the timing of your data architecture optimization activities'. Create your personalized roadmap of activities.

    In this activity, the facilitator will guide the team in evaluating practice gaps highlighted by the assessment, and compare these gaps at face value so general priorities can be documented. The same categories as in 3.1.1 are considered.

    3.1.3

    Sample of activity 3.1.3 'Communicate your Data Architecture Optimization Plan to the business for approval'. Communicate your data architecture optimization plan.

    The facilitator will help you to identify the optimal medium and timing for communicating your plan for optimizing your data architecture.

    Insight breakdown

    Insight 1

    • Data architecture needs to evolve along with the changing business landscape. There are four common business drivers that put most pressure on archaic architectures. As a result, the organization’s architecture must be flexible and responsive to changing business needs.

    Insight 2

    • Data architecture is not just about models.
      Viewing data architecture as just technical data modeling can lead to structurally unsound data that does not serve the business.

    Insight 3

    • Data is used differently across the layers of an organization’s data architecture, and the capabilities needed to optimize use of data change with it. Architecting and managing data from source to warehousing to presentation requires different tactics for optimal use.

    Summary of accomplishment

    Knowledge Gained

    • An understanding of what data architecture is, how data architects can provide value to the organization, and how data architecture fits into the larger enterprise architecture picture.
    • The capabilities required for optimization of the organization’s data architecture across the five tiers of the logical data architecture model.

    Processes Optimized

    • Prioritization and planning of data architect responsibilities across the five tiers of the five-tier logical data architecture model.
    • Roadmapping of tactics that address the most common business drivers of the organization.
    • Architectural change management.

    Deliverables Completed

    • Data Architecture Driver Pattern Identification Tool
    • Data Architecture Optimization Template
    • Data Architecture Trends Presentation
    • Data Architecture Roadmap Tool
    • Data Architecture Decision Template

    Research contributors and experts

    Photo of Ron Huizenga, Senior Product Manager, Embarcadero Technologies, Inc. Ron Huizenga, Senior Product Manager
    Embarcadero Technologies, Inc.

    Ron Huizenga has over 30 years of experience as an IT executive and consultant in enterprise data architecture, governance, business process reengineering and improvement, program/project management, software development, and business management. His experience spans multiple industries including manufacturing, supply chain, pipelines, natural resources, retail, healthcare, insurance, and transportation.

    Photo of Andrew Johnston, Architect, Independent Consultant. Andrew Johnston, Architect Independent Consultant

    An independent consultant with a unique combination of managerial, commercial, and technical skills, Andrew specializes in the development of strategies and technical architectures that allow businesses to get the maximum benefit from their IT resources. He has been described by clients as a "broad spectrum" architect, summarizing his ability to engage in many problems at many levels.

    Research contributors

    Internal Contributors
    Logo for Info-Tech Research Group.
    • Steven J. Wilson, Senior Director, Research & Advisory Services
    • Daniel Ko, Research Manager
    • Bernie Gilles, Senior Director, Research & Advisory Services
    External Contributors
    Logo for Embarcadero.
    Logo for Questa Computing. Logo for Geha.
    • Ron Huizenga, Embercardo Technologies
    • Andrew Johnston, Independent Consultant
    • Darrell Enslinger, Government Employees Health Association
    • Anonymous Contributors

    Bibliography

    Allen, Mark. “Get the ETL Out of Here.” MarkLogic. Sep, 2016. Web. 25 Apr 2017.[http://www.marklogic.com/blog/get-the-etl-out-of-here/]

    Anadiotis, George. “Streaming hot: Real-time big data architecture matters.” ZDNet. Jan, 2017. Web. 25 Apr 2017. [http://www.zdnet.com/article/streaming-hot-real-time-big-data-architecture-matters/]

    Aston, Dan. “The Economic value of Enterprise Architecture and How to Show It.” Erwin. Aug, 2016. Web. 20 Apr 2017. [http://erwin.com/blog/economic-value-enterprise-architecture-show/]

    Baer, Tony. “2017 Trends to Watch: Big Data.” Ovum. Nov, 2016. Web. 25 Apr 2017.

    Bmc. “Benefits & Advantages of Hadoop.” Bmc. Web. 25 Apr 2017. [http://www.bmcsoftware.ca/guides/hadoop-benefits-business-case.html]

    Boyd, Ryan, et al. “Relational vs. Graph Data Modeling” DZone. Mar 2016. Web. 25 Apr 2017. [https://dzone.com/articles/relational-vs-graph-data-modeling]

    Brahmachar, Satya. “Theme To Digital Transformation - Journey to Data Driven Enterprise” Feb, 2015. Web. 20 Apr 2017. [http://satyabrahmachari-thought-leader.blogspot.ca/2015/02/i-smac-theme-to-digital-transformation.html]

    Capsenta. “NoETL.” Capsenta. Web. 25 Apr 2017. [https://capsenta.com/wp-content/uploads/2015/03/Capsenta-Booklet.pdf]

    Connolly, Shaun. “Implementing the Blueprint for Enterprise Hadoop” Hortonworks. Apr, 2014. Web. 25 Apr 2017. https://hortonworks.com/blog/implementing-the-blue...

    Forbes. “Cloud 2.0: Companies Move From Cloud-First To Cloud-Only.” Forbes. Apr, 2017. Web. 25 Apr 2017. [https://www.forbes.com/sites/vmware/2017/04/07/cloud-2-0-companies-move-from-cloud-first-to-cloud-only/#5cd9d94a4d5e]

    Forgeat, Julien. “Lambda and Kappa.” Ericsson. Nov 2015. Web 25 Apr 2017. [https://www.ericsson.com/research-blog/data-knowledge/data-processing-architectures-lambda-and-kappa/]

    Grimes, Seth. “Is It Time For NoETL?” InformationWeek. Mar, 2010. Web. 25 Apr 2017. [http://www.informationweek.com/software/information-management/is-it-time-for-noetl/d/d-id/1087813]

    Gupta, Manav. et al. “How IB‹ leads in building big data analytics solutions in the cloud.” IBM. Feb, 2016. Web. 25 Apr 2017. [https://www.ibm.com/developerworks/cloud/library/cl-ibm-leads-building-big-data-analytics-solutions-cloud-trs/index.html#N102DE]

    “How To Build A Roadmap.” Hub Designs Magazine. Web 25 Apr 2017. [https://hubdesignsmagazine.com/2011/03/05/how-to-build-a-roadmap/]

    IBM. “Top industry use cases for stream computing.” IBM. Oct, 2015. Web. 25 Apr 2017. [https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=IMW14704USEN]

    Mateos-Garcia, Juan, et al. “Skills Of The Datavores.” Nesta. July. 2015. Web. 8 Aug 2016. [https://www.nesta.org.uk/sites/default/files/skills_of_the_datavores.pdf].

    Maynard, Steven. “Analytics: Don’t Forget The Human Element” Forbes. 2015. Web. 20 Apr. 2017. [http://www.ey.com/Publication/vwLUAssets/EY-Forbes-Insights-Data-and-Analytics-Impact-Index-2015/$FILE/EY-Forbes-Insights-Data-and-Analytics-Impact-Index-2015.pdf]

    Neo4j. “From Relational to Neo4j.” Neo4j. Web. 25 Apr 2017. [https://neo4j.com/developer/graph-db-vs-rdbms/#_from_relational_to_graph_databases]

    NoETL “NoETL.” NoETL. Web. 25 Apr 2017. [http://noetl.org/]

    Nolan, Roger. “Digital Transformation: Is Your Data Management Ready?” Informatica. Jun, 2016. Web. 20 Apr 2017. [https://blogs.informatica.com/2016/06/10/digital-transformation-data-management-ready/#fbid=hmBYQgS6hnm]

    OpsClarity. “2016 State of Fast Data & Streaming Applications.” OpsClarity. Web. 25 Apr 2017. [https://www.opsclarity.com/wp-content/uploads/2016/07/2016FastDataSurvey.pdf]

    Oracle. “A Relational Database Overview.” Oracle. Web. 25 Apr 2017. [https://docs.oracle.com/javase/tutorial/jdbc/overview/database.html]

    Ponemon Institute LLC. “Big Data Cybersecurity Analytics Research Repor.t” Cloudera. Aug, 2016. Web. 25 Apr 2017. [https://www.cloudera.com/content/dam/www/static/documents/analyst-reports/big-data-cybersecurity-analytics-research-report.pdf]

    Sanchez, Jose Juan. “Data Movement Killed the BI Star.” DV Blog. May, 2016. Web. 20 Apr. 2017. [http://www.datavirtualizationblog.com/data-movement-killed-the-bi-star/]

    SAS. “Hadoop; What it is and why does it matter?” SAS. Web. 25 Apr 2017. [https://www.sas.com/en_ca/insights/big-data/hadoop.html#hadoopusers]

    Schumacher, Robin. “A Quick Primer on graph Databases for RDBMS Professionals.” Datastax. Jul, 2016. Web. 25 Apr 2017. [http://www.datastax.com/2016/07/quick-primer-on-graph-databases-for-rdbms-professionals]

    Swoyer, Steve. “It’s the End of the Data Warehouse as We Know It.” TDWI. Jan, 2017. Web. 20 Apr. 2017. [https://upside.tdwi.org/articles/2017/01/11/end-of-the-data-warehouse-as-we-know-it.aspx]

    Webber, Jim, and Ian Robinson. “The Top 5 Use Cases of Graph Databases.” Neo4j. 2015. Web. 25 Apr 2017. [http://info.neo4j.com/rs/773-GON-065/images/Neo4j_Top5_UseCases_Graph%20Databases.pdf]

    Zachman Framework. [https://www.zachman.com/]

    Zupan, Jane. “Survey of Big Data Decision Makers.” Attiv/o. May, 2016. Web. 20 Apr 2017. [https://www.attivio.com/blog/post/survey-big-data-decision-makers]

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    • Buy Link or Shortcode: {j2store}338|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • According to Info-Tech research, 74% of our clients feel that IT quality management is an important process, however, only 15% said they actually had effective quality management.
    • IT is required to deliver high quality projects and services, but if CIOs are ineffective at quality management, how can IT deliver?
    • Rather than disturb the status quo with holistic quality initiatives, heads of IT leave quality in the hands of process owners, functional areas, and other segmented facets of the department.
    • CIOs are facing greater pressures to be innovative, agile, and cost-effective, but cannot do so without stable operations, an accountable staff base, and business support; all of which are achieved by high IT quality.

    Our Advice

    Critical Insight

    • Quality management needs more attention that it’s typically getting. It’s not going to happen randomly; you must take action to see results.
    • Quality must be holistic. Centralized accountability will align inconsistencies in quality and refocus IT towards a common goal.
    • Accountability is the key to quality. Clearly defined roles and responsibilities will put your staff on the hook for quality outcomes.

    Impact and Result

    • Shift your mindset to the positive implications of high quality. Info-Tech’s quality management methodology will promote innovation, agility, lower costs, and improved operations.
    • We will help you develop a fully functional quality management program in four easy steps:
      • Position your program as a group to encourage buy-in and unite IT around a common quality vision. Enact a center of excellence to build, support, and monitor the program.
      • Build flexible program requirements that will be adapted for a fit-to-purpose solution.
      • Implement the program using change management techniques to alleviate challenges and improve adoption.
      • Operate the program with a focus on continual improvement to ensure that your IT department continues to deliver high quality projects and services as stakeholder needs change.

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program Research & Tools

    Start here – read the Executive Brief

    Understand why Info-Tech’s unique approach to quality management can fix a variety of IT issues and understand the four ways we can support you in building a quality management program designed just for you.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Position the program

    Hold a positioning working session to focus the program around business needs, create solid targets, and create quality champions to get the job done.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 1: Position the Quality Program
    • Quality Management Program Charter
    • Quality Management Capability Assessment and Planning Tool
    • Quality Management Roadmap

    2. Build the program

    Build program requirements and design standard templates that will unite IT quality.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 2: Build a Quality Program
    • Quality Management Quality Plan Template
    • Quality Management Review Template
    • Quality Management Dashboard Template

    3. Implement the program

    Evaluate the readiness of the department for change and launch the program at the right time and in the right way to transform IT quality.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 3: Implement the Quality Program
    • Quality Management Communication Plan Template
    • Quality Management Readiness Assessment Template

    4. Operate the program

    Facilitate the success of key IT practice areas by operating the Center of Excellence to support the key IT practice areas’ quality initiatives.

    • Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program – Phase 4: Operate the Quality Program
    • Quality Management User Satisfaction Survey
    • Quality Management Practice Area Assessment and Planning Tool
    • Quality Management Capability Improvement Plan
    [infographic]

    Workshop: Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Position Your Program

    The Purpose

    Create a quality center of excellence to lead and support quality initiatives.

    Position your quality program to meet the needs of your business.

    Develop clear targets and create a roadmap to achieve your vision. 

    Key Benefits Achieved

    Defined Center of Excellence roles & responsibilities.

    A firm vision for your program with clearly outlined targets.

    A plan for improvements to show dedication to the program and create accountability. 

    Activities

    1.1 Identify current quality maturity.

    1.2 Craft vision and mission.

    1.3 Define scope.

    1.4 Determine goals and objectives.

    1.5 Specify metrics and critical success factors.

    1.6 Develop quality principles.

    1.7 Create action plan.

    Outputs

    Completed Maturity Assessment

    Completed Project Charter

    Completed Quality Roadmap

    2 Build Your Program

    The Purpose

    Build the requirements for the quality program, including outputs for quality planning, quality assurance, quality control, and quality improvement.

    Key Benefits Achieved

    Defined standards for the quality program.

    General templates to be used to unify quality throughout IT. 

    Activities

    2.1 Define quality policy, procedures, and guidelines.

    2.2 Define your standard Quality Plan.

    2.3 Define your standard Quality Review Document.

    2.4 Develop your Standard Quality Management Dashboard.

    Outputs

    Quality Policy

    Standard Quality Plan Template

    Standard Quality Review Template

    Standard Quality Dashboard

    3 Implement Your Program

    The Purpose

    Launch the program and begin quality improvement.

    Key Benefits Achieved

    Perform a readiness assessment to ensure your organization is ready to launch its quality program.

    Create a communication plan to ensure constant and consistent communication throughout implementation. 

    Activities

    3.1 Assess organizational readiness.

    3.2 Create a communication plan.

    Outputs

    Completed Readiness Assessment

    Completed Communication Plan

    4 Operate Your Program

    The Purpose

    Have the Center of Excellence facilitate the roll-out of the quality program in your key practice areas.

    Initiate ongoing monitoring and reporting processes to enable continuous improvement.  

    Key Benefits Achieved

    Quality plans for each practice area aligned with the overall quality program.

    Periodic quality reviews to ensure plans are being acted upon.

    Methodology for implementing corrective measures to ensure quality expectations are met.

    Activities

    4.1 Perform a quality management satisfaction survey.

    4.2 Complete a practice area assessment.

    4.3 Facilitate the creation of practice area quality plans.

    4.4 Populate quality dashboards.

    4.5 Perform quality review(s).

    4.6 Address issues with corrective and preventative measures.

    4.7 Devise a plan for improvement.

    4.8 Report on quality outcomes.

    Outputs

    Completed Satisfaction Surveys

    Practice Area Assessments

    Quality Plans (for each practice area)

    Quality Reviews (for each practice area)

    Quality Improvement Plan

    2021 CIO Priorities Report

    • Buy Link or Shortcode: {j2store}83|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • It is a new year, but the challenges of 2020 remain: COVID-19 infection rates continue to climb, governments continue to enforce lockdown measures, we continue to find ourselves in the worst economic crisis since the Great Depression, and civil unrest grows in many democratic societies.
    • At the start of 2020, no business leader predicted the disruption that was to come. This left IT in a reactive but critical role as the health crisis hit. It was core to delivering the organization’s products and services, as it drove the radical shift to work-from-home.
    • For the year ahead, IT will continue to serve a critical function in uncertain times. However, unlike last year, CIOs can better prepare for 2021. That said, in the face of the uncertainty and volatility of the year ahead, what they need to prepare for is still largely undefined.
    • But despite the lack of confidence on knowing specifically what is to come, most business leaders will admit they need to get ready for it. This year’s priority report will help.

    Our Advice

    Critical Insight

    • “Resilience” is the theme for this year’s CIO Priorities Report. In this context, resilience is about building up the capacity and the capabilities to effectively respond to emergent and unforeseen needs.
    • Early in 2021 is a good time to develop resilience in several different areas. As we explore in this year’s Report, CIOs can best facilitate enterprise resilience through strategic financial planning, proactive risk management, effective organizational change management and capacity planning, as well as through remaining tuned into emergent technologies to capitalize on innovations to help weather the uncertainty of the year ahead.

    Impact and Result

    • Use Info-Tech’s 2021 CIO Priorities Report to prepare for the uncertainty of the year ahead. Across our five priorities we provide five avenues through which CIOs can demonstrate resilient planning, enabling the organization as a whole to better confront what’s coming in 2021.
    • Each of our priorities is backed up by a “call to action” that will help CIOs start to immediately implement the right drivers of resilience for their organization.
    • By building up resilience across our five key areas, CIOs will not only be able to better prepare for the year to come, but also strengthen business relations and staff morale in difficult times.

    2021 CIO Priorities Report Research & Tools

    Read the 2021 CIO Priorities Report

    Use Info-Tech’s 2021 CIO Priorities Report to prepare for the uncertainty of the year ahead. Across our five priorities we provide five avenues through which CIOs can demonstrate resilient planning, enabling the organization as a whole to better confront what’s coming in 2021.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create an appropriate budget reserve

    Identifying and planning sources of financial contingency will help ensure CIOs can meet unforeseen and emergent operational and business needs throughout the year.

    • 2021 CIO Priorities Report: Priority 1 – Create an Appropriate Budget Reserve

    2. Refocus IT risk planning

    The start of 2021 is a time to refocus and redouble IT risk management and business continuity planning to bring it up to the standards of our “new normal.” Indeed, if last year taught us anything, it’s that no “black swan” should be off the table in terms of scenarios or possibilities for business disruption.

    • 2021 CIO Priorities Report: Priority 2 – Refocus IT Risk Planning

    3. Strengthen organizational change management capabilities

    At its heart, resilience is having the capacity to deal with unexpected change. Organizational change management can help build up this capacity, providing the ability to strategically plot known changes while leaving some capacity to absorb the unknowns as they present themselves.

    • 2021 CIO Priorities Report: Priority 3 – Strengthen Organizational Change Management Capabilities

    4. Establish capacity awareness

    Capacity awareness facilitates resilience by providing capital in the form of resource data. With this data, CIOs can make better decisions on what can be approved and when it can be scheduled for.

    • 2021 CIO Priorities Report: Priority 4 – Establish Capacity Awareness

    5. Keep emerging technologies in view

    Having an up-to-date view of emerging technologies will enable the resilient CIO to capitalize on and deploy leading-edge innovations as the business requires.

    • 2021 CIO Priorities Report: Priority 5 – Keep Emerging Technologies in View
    [infographic]

    2021 IT Talent Trend Report

    • Buy Link or Shortcode: {j2store}516|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $9,919 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • In March 2020, many organizations were forced to switch to a virtual working world. IT enabled organizations to be successful while working from home. Ultimately, this shift changed the way that we all work, and in turn, the way IT leaders manage talent.
    • Many organizations are considering long-term remote work (Kelly, 2020).
    • Change is starting but is lagging.

    Our Advice

    Critical Insight

    • Increase focus on employee experience to navigate new challenges.
    • A good employee experience is what is best for the IT department.

    Impact and Result

    • The data shows IT is changing in the area of talent management.
    • IT has a large role in enabling organizations to work from home, especially from a technological and logistics perspective. There is evidence to show that they are now expanding their role to better support employees when working from home.
    • Survey respondents identified efforts already underway for IT to improve employee experience and subsequently, IT effectiveness.

    2021 IT Talent Trend Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should focus on the employee experience and get an overview of what successful IT leaders are doing differently heading into 2021 – the five new talent management trends.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. DEI: A top talent objective

    The focus on diversity, equity, and inclusion (DEI) initiatives spans the entire organization beyond just HR. Learn which DEI efforts are underway with IT.

    • 2021 IT Talent Trend Report – Trend 1: DEI: A Top Talent Objective

    2. Remote work is here to stay

    Forced work-from-home demonstrated to organizations that employees can be productive while working away from the physical office. Learn more about how remote work is changing work.

    • 2021 IT Talent Trend Report – Trend 2: Remote Work Is Here to Stay

    3. A greater emphasis on wellbeing

    When the pandemic hit, organizations were significantly concerned about how employees were doing. Learn more about wellbeing.

    • 2021 IT Talent Trend Report – Trend 3: A Greater Emphasis on Wellbeing

    4. A shift in skills priorities

    Upskilling and finding sought after skills were challenging before the pandemic. How has it changed since? Learn more about skills priorities.

    • 2021 IT Talent Trend Report – Trend 4: A Shift in Skills Priorities

    5. Uncertainty unlocks performance

    The pandemic and remote work has affected performance. Learn about how uncertainty has impacted performance management.

    • 2021 IT Talent Trend Report – Trend 5: Uncertainty Unlocks Performance
    [infographic]

    Create and Manage Enterprise Data Models

    • Buy Link or Shortcode: {j2store}340|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $7,263 Average $ Saved
    • member rating average days saved: 16 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Business executives don’t understand the value of Conceptual and Logical Data Models and how they define their data assets.
    • Data, like mercury, is difficult to manage and contain.
    • IT needs to justify the time and cost of developing and maintaining Data Models.
    • Data as an asset is only perceived from a physical point of view, and the metadata that provides context and definition is often ignored.

    Our Advice

    Critical Insight

    • Data Models tell the story of the organization and its data in pictures to be used by a business as a tool to evolve the business capabilities and processes.
    • Data Architecture and Data Modeling have different purposes and should be represented as two distinct processes within the software development lifecycle (SDLC).
    • The Conceptual Model provides a quick win for both business and IT because it can convey abstract business concepts and thereby compartmentalize the problem space.

    Impact and Result

    • A Conceptual Model can be used to define the semantics and relationships for your analytical layer.
      • It provides a visual representation of your data in the semantics of business.
      • It acts as the anchor point for all data lineages.
      • It can be used by business users and IT for data warehouse and analytical planning.
      • It provides the taxonomies for data access profiles.
      • It acts as the basis for your Enterprise Logical and Message Models.

    Create and Manage Enterprise Data Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create enterprise data models, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Setting the stage

    Prepare your environment for data architecture.

    • Enterprise Data Models

    2. Revisit your SDLC

    Revisit your SDLC to embed data architecture.

    • Enterprise Architecture Tool Selection

    3. Develop a Conceptual Model

    Create and maintain your Conceptual Data Model via an iterative process.

    4. Data Modeling Playbook

    View the main deliverable with sample models.

    • Data Modeling Playbook
    [infographic]

    Workshop: Create and Manage Enterprise Data Models

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Data Architecture Practice

    The Purpose

    Understand the context and goals of data architecture in your organization.

    Key Benefits Achieved

    A foundation for your data architecture practice.

    Activities

    1.1 Review the business context.

    1.2 Obtain business commitment and expectations for data architecture.

    1.3 Define data architecture as a discipline, its role, and the deliverables.

    1.4 Revisit your SDLC to embed data architecture.

    1.5 Modeling tool acquisition if required.

    Outputs

    Data Architecture vision and mission and governance.

    Revised SDLC to include data architecture.

    Staffing strategy.

    Data Architecture engagement protocol.

    Installed modeling tool.

    2 Business Architecture and Domain Modeling

    The Purpose

    Identify the concepts and domains that will inform your data models.

    Key Benefits Achieved

    Defined concepts for your data models.

    Activities

    2.1 Revisit business architecture output.

    2.2 Business domain selection.

    2.3 Identify business concepts.

    2.4 Organize and group of business concepts.

    2.5 Build the Business Data Glossary.

    Outputs

    List of defined and documented entities for the selected.

    Practice in the use of capability and business process models to identify key data concepts.

    Practice the domain modeling process of grouping and defining your bounded contexts.

    3 Harvesting Reference Models

    The Purpose

    Harvest reference models for your data architecture.

    Key Benefits Achieved

    Reference models selected.

    Activities

    3.1 Reference model selection.

    3.2 Exploring and searching the reference model.

    3.3 Harvesting strategies and maintaining linkage.

    3.4 Extending the conceptual and logical models.

    Outputs

    Established and practiced steps to extend the conceptual or logical model from the reference model while maintaining lineage.

    4 Harvesting Existing Data Artifacts

    The Purpose

    Gather more information to create your data models.

    Key Benefits Achieved

    Remaining steps and materials to build your data models.

    Activities

    4.1 Use your data inventory to select source models.

    4.2 Match semantics.

    4.3 Maintain lineage between BDG and existing sources.

    4.4 Select and harvest attributes.

    4.5 Define modeling standards.

    Outputs

    List of different methods to reverse engineer existing models.

    Practiced steps to extend the logical model from existing models.

    Report examples.

    5 Next Steps and Wrap-Up (offsite)

    The Purpose

    Wrap up the workshop and set your data models up for future success.

    Key Benefits Achieved

    Understanding of functions and processes that will use the data models.

    Activities

    5.1 Institutionalize data architecture practices, standards, and procedures.

    5.2 Exploit and extend the use of the Conceptual model in the organization.

    Outputs

    Data governance policies, standards, and procedures for data architecture.

    List of business function and processes that will utilize the Conceptual model.

    Re-Envision Enterprise Printing

    • Buy Link or Shortcode: {j2store}165|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $9,000 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Enterprises may be overspending on printing, but this spend is often unknown and untracked.
    • You are locked into a traditional printer lease and outdated document management practices, hampering digital transformation.

    Our Advice

    Critical Insight

    Don’t just settle for printer consolidation: Seek to eliminate print and enlist your managed print services vendor to help you achieve that goal.

    Impact and Result

    • Identify reduction opportunities via a thorough inventory and requirements-gathering process, and educate others on the financial and non-financial benefits. Enforce reduced printing through policies.
    • Change your printing financial model to print as a service by building an RFP and scoring tool for managed print services that makes the vendor a partner in continuous innovation.
    • Leverage durable print management software to achieve vendor-agnostic governance and visibility.

    Re-Envision Enterprise Printing Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Re-Envision Enterprise Printing – A step-by-step document to help plan and execute a printer reduction project.

    This storyboard will help you plan the project, assess your current state and requirements, build a managed print services RFP and scoring process, and build continuous improvement of business processes into your operations.

    • Re-Envision Enterprise Printing – Phases 1-3

    2. Planning tools

    Use these templates and tools to plan the printer reduction project, document your inventory, assess current printer usage, and gather information on current and future requirements.

    • Enterprise Printing Project Charter
    • Enterprise Printing Roles and Responsibilities RACI Guide
    • Printer Reduction Tool
    • End-User Print Requirements Survey

    3. RFP tools

    Use these templates and tools to create an RFP for managed print services that can easily score and compare vendors.

    • Managed Print Services Vendor Assessment Questions
    • Managed Print Services RFP Vendor Proposal Scoring Tool
    • Managed Print Services RFP Template

    4. Printer policy

    Update the printer policy to express the new focus on reducing unsupported printer use.

    • Printer Policy Template

    Infographic

    Further reading

    Re-Envision Enterprise Printing

    Don't settle for printer consolidation; seek the elimination of print

    Analystperspective

    You're likely not in the printing business.
    Prepare your organization for the future by reducing print.

    Initiatives to reduce printers are often met with end-user resistance. Don't focus on the idea of taking something away from end users. Instead, focus on how print reduction fits into larger goals of business process improvement, and on opportunities to turn the vendor into a partner who drives business process improvement through ongoing innovation and print reduction.

    What are your true print use cases? Except in some legitimate use cases, printing often introduces friction and does not lead to efficiencies. Companies investing in digital transformation and document management initiatives must take a hard look at business processes still reliant on hard copies. Assess your current state to identify what the current print volume and costs are and where there are opportunities to consolidate and reduce.

    Change your financial model. The managed print services industry allows you to use a pay-as-you-go approach and right-size your print spend to the organization's needs. However, in order to do printing-as-a-service right, you will need to develop a good RFP and RFP evaluation process to make sure your needs are covered by the vendor, while also baking in assurances the vendor will partner with you for continuous print reduction.

    This is a picture of Emily Sugerman

    Emily Sugerman
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Darin Stahl
    Principal Research Advisor, Infrastructure & Operations
    Info-Tech Research Group

    Executive summary

    Your Challenge

    IT directors and business operations managers face several challenges:

    • Too many known unknowns: Enterprises may be overspending on printing, but this spend is often unknown and untracked.
    • Opportunity costs: By locking into conventional printer leases and outdated document management, you are locking yourself out of the opportunity to improve business processes.

    Common Obstacles

    Printer reduction initiatives are stymied by:

    • End-user resistance: Though sometimes the use of paper remains necessary, end users often cling to paper processes out of concern about change.
    • Lack of governance: You lack insight into legitimate print use cases and lack full control over procurement of devices and consumables.
    • Overly generic RFP: Print requirements are not tailored to your organization, and your managed print services RFP does not ask enough of the vendor.

    Info-Tech's Approach

    Follow these steps to excise superfluous, costly printing:

    • Identify reduction opportunities via a thorough inventory and requirements-gathering process, and educate others on the financial and non-financial benefits. Enforce reduced printing through policies.
    • Change your printing financial model to print-as-a-service by building an RFP and scoring tool for managed print services that makes the vendor a partner in continuous innovation.
    • Leverage durable print management software to achieve vendor-agnostic governance and visibility.

    Info-Tech Insight

    Don't settle for printer consolidation: seek to eliminate print and enlist your managed print services vendor to help you achieve that goal.

    Your challenge

    This research is designed to help organizations that aim to reduce printing long term

    • Finally understand aggregate printing costs: Not surprisingly, printing has become a large hidden expense in IT. Enterprises may be overspending on printing, but this spend is often unknown and untracked. Printer consumables are purchased independently by each department, non-networked desktop printers are everywhere, and everyone seems to be printing in color.
    • Walk the walk when it comes to digital transformation: Outdated document management practices that rely on unnecessary printing are not the foundation upon which the organization can improve business processes.
    • Get out of the printing business: Hire a managed print provider and manage that vendor well.

    "There will be neither a V-shaped nor U-shaped recovery in demand for printing paper . . . We are braced for a long L-shaped decline."
    –Toru Nozawa, President, Nippon Paper Industries (qtd. in Nikkei Asia, 2020).

    Weight of paper and paperboard generated in the U.S.*

    This is an image of a graph plotting the total weight of paper and paperboard generated in the US, bu thousands of US tons.

    *Comprises nondurable goods (including office paper), containers, and packaging.

    **2020 data not available.

    Source: EPA, 2020.

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Cost-saving opportunities are unclear: In most cases, nobody is accountable for controlling printing costs, so there's a lack of incentive to do so.
    • End-user attachment to paper-based processes: For end users who have been relying on paper processes, switching to a new way of working can feel like a big ask, particularly if an optimized alternative has not been provided and socialized.
    • Legitimate print use cases are undefined: Print does still have a role in some business processes (e.g. for regulatory reasons). However, these business processes have not been analyzed to determine which print use cases are still legitimate. The WFH experience during the COVID-19 pandemic demonstrated that many workflows that previously incorporated printing could be digitized. Indeed, the overall attachment to office paper is declining (see chart).
    • Immature RFP and RFP scoring methods: Outsourcing print to a managed service provider necessitates careful attention to RFP building and scoring. If your print requirements are not properly tailored to your organization and your managed print services RFP does not ask enough of the vendor, it will be harder to hold your vendor to account.

    How important is paper in your office?

    87% 77%

    Quocirca, a printer industry market research firm, found that the number of organizations for whom paper is "fairly or very important to their business" has dropped 10 percentage points between 2019 and 2021.

    Source: Quocirca, 2021.

    Info-Tech's approach

    Permanently change your company's print culture

    1. Plan your Project
    • Create your project charter, investigate end user printer behavior and reduction opportunities, gather requirements and calculate printer costs
  • Find the right managed print vendor
    • Protect yourself by building the right requirements into your RFP, evaluating candidates and negotiating from a strong position
  • Implement the new printer strategy
    • Identify printers to consolidate and eliminate, install them, and communicate updated printer policy
  • Operate
    • Track the usage metrics, service requests, and printing trends, support the printers and educate users to print wisely and sparingly
  • The Info-Tech difference:

    1. Use Info-Tech's tracking tools to finally track data on printer inventory and usage.
    2. Get to an RFP for managed print services faster through Info-Tech's requirement selection activity, and use Info-Tech's scoring tool template to more quickly compare candidates and identify frontrunners and knockouts.
    3. Use Info-Tech's guidance on print management software to decouple your need to govern the fleet from any specific vendor.

    Info-Tech's methodology for Re-Envision Enterprise Printing

    1. Strategy & planning 2. Vendor selection, evaluation, acquisition 3. Implementation & operation
    Phase steps
    1. Create project charter and assign roles
    2. Assess current state of enterprise print environments
    3. Gather current and future printer requirements
    1. Understand managed print services model
    2. Create RFP documents and score vendors
    3. Understand continuous innovation & print management software
    1. Modify printer policies
    2. Measure project success
    3. Training & adoption
    4. Plan persuasive communication
    5. Prepare for continuous improvement
    Phase outcomes
    • Documentation of project roles, scope, objectives, success metrics
    • Accurate printer inventory
    • Documentation of requirements based on end-user feedback, existing usage, and future goals
    • Finalized requirements
    • Completed RFP and vendor scoring tool
    • Managed print vendor selected, if necessary
    • Updated printer policies that reinforce print reduction focus
    • Assessment of project success

    Insight summary

    Keep an eye on the long-term goal of eliminating print

    Don't settle for printer consolidation: seek to eliminate print and enlist your managed print services vendor to help you achieve that goal.

    Persuading leaders is key

    Good metrics and visible improvement are important to strengthen executive support for a long-term printer reduction strategy.

    Tie printer reduction into business process improvement

    Achieve long-lasting reductions in print through document management and improved workflow processes.

    Maintain clarity on what types of printer use are and aren't supported by IT

    Modifying and enforcing printing policies can help reduce use of printers.

    Print management software allows for vendor-agnostic continuity

    Print management software should be vendor-agnostic and allow you to manage devices even if you change vendors or print services.

    Secure a better financial model from the provider

    Simply changing your managed print services pay model to "pay-per-click" can result in large cost savings.

    Blueprint deliverables

    Key deliverable:

    Managed Print Services RFP

    This blueprint's key deliverable is a completed RFP for enterprise managed print services, which feeds into a scoring tool that accelerates the requirements selection and vendor evaluation process.

    Managed Print Services Vendor Assessment Questions

    This is a screenshot from the Managed Print Services Vendor Assessment Questions

    Managed Print Services RFP Template

    This is a screenshot from the Managed Print Services RFP Template

    Managed Print Services RFP Vendor Proposal Scoring Tool

    This is a screenshot from the Managed Print Services RFP Vendor Proposal Scoring Tool

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Enterprise Printing Project Charter

    This is a screenshot from the Enterprise Printing Project Charter

    Document the parameters of the print reduction project, your goals, desired business benefits, metrics.

    Enterprise Printing Roles and Responsibilities RACI Guide

    This is a screenshot from the Enterprise Printing Project Charter

    Assign key tasks for the project across strategy & planning, vendor selection, implementation, and operation.

    Printer Policy

    This is a screenshot from the Printer Policy

    Start with a policy template that emphasizes reduction in print usage and adjust as needed for your organization.

    Printer Reduction Tool

    This is a screenshot from the Printer Reduction Tool

    Track the printer inventory and calculate total printing costs.

    End-User Print Requirements Survey

    This is a screenshot from the End-User Print Requirements Survey

    Base your requirements in end user needs and feedback.

    Blueprint benefits

    IT benefits

    • Make the project charter for printer reduction and estimate cost savings
    • Determine your organization's current printing costs, usage, and capabilities
    • Define your organization's printing requirements and select a solution
    • Develop a printer policy and implement the policy

    Business benefits

    • Understand the challenges involved in reducing printers
    • Understand the potential of this initiative to reduce costs
    • Accelerate existing plans for modernization of paper-based business processes by reducing printer usage
    • Contribute to organizational environmental sustainability targets

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #4: Review requirements.
    Weigh the benefits of managed print services.

    Call #6: Measure project success.

    Call #2: Review your printer inventory.
    Understand your current printing costs and usage.

    Call #5: Review completed scoring tool and RFP.

    Call #5: Review vendor responses to RFP.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

    Strategy and Planning

    Strategy & planning

    Vendor selection, evaluation, acquisition

    Implementation & Operation

    1.1 Create project charter and assign roles

    1.2 Assess current state

    1.3 Gather requirements

    2.1 Understand managed print services model

    2.2 Create RFP materials

    2.3 Leverage print management software

    3.1 Modify printer policies

    3.2 Measure project success

    3.3 Training & adoption

    3.4 Plan communication

    3.5 Prepare for continuous improvement

    Re-Envision Enterprise Printing

    • This phase will walk you through the following activities:
    • Create a list of enterprise print roles and responsibilities
    • Create project charter
    • Inventory printer fleet and calculate printing costs
    • Examine current printing behavior and identify candidates for device elimination
    • Gather requirements, including through end user survey

    This phase involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Step 1.1

    Create project charter and assign roles

    Outcomes of this step

    Completed Project Charter with RACI chart

    Phase 1: Strategy and Planning

    • Step 1.1 Create project charter and assign roles
    • Step 1.2 Assess current state
    • Step 1.3 Gather requirements

    This step involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Activities in this step

    • Create a list of enterprise print roles and responsibilities
    • Create project charter

    1.1 Create project charter

    Use the project charter to clearly define the scope and avoid scope creep

    Identify project purpose

    • Why is the organization taking on this project? What are you trying to achieve?
    • What is the important background you need to document? How old is the fleet? What kinds of printer complaints do you get? What percentage of the IT budget does printing occupy?
    • What specific goals should this project achieve? What measurable financial and non-financial benefits do these goals achieve?

    Identify project scope

    • What functional requirements do you have?
    • What outputs are expected?
    • What constraints will affect this project?
    • What is out of scope for this project?

    What are the main roles and responsibilities?

    • Who is doing what for this project?

    How will you measure success?

    • What are the project's success metrics and KPIs?

    Enterprise Printing Project Charter

    This is a screenshot from the Enterprise Printing Project Charter

    Anticipate stakeholder resistance

    Getting management buy-in for printer reduction is often one of the biggest challenges of the project.

    Challenge Resolution
    Printer reduction is not typically high on the priority list of strategic IT initiatives. It is often a project that regularly gets deferred. The lack of an aggregate view of the total cost of printing in the environment could be one root cause, and what can't be measured usually isn't being managed. Educate and communicate the benefits of printer reduction to executives. In particular, spend time getting buy-in from the COO and/or CFO. Use Info-Tech's Printer Reduction Tool to show executives the waste that is currently being generated.
    Printers are a sensitive and therefore unpopular topic of discussion. Executives often see a trade-off: cost savings versus end-user satisfaction. Make a strong financial and non-financial case for the project. Show examples of other organizations that have successfully consolidated their printers.

    Info-Tech Insight

    If printer reduction is not driven and enforced from the top down, employees will find ways to work around your policies and changes. Do not attempt to undertake printer reduction initiatives without alerting executives. Ensure visible executive support to achieve higher cost savings.

    Align the printer reduction project to org goals to achieve buy-in

    A successful IT project demonstrates clear connections to business goals

    Which business and organizational goals and drivers are supported by IT's intention to transform its printing ecosystem? For example,

    Legislation: In 2009, the Washington House of Representatives passed a bill requiring state agencies to implement a plan to reduce paper consumption by 30% (State of Washington, 2009). The University of Washington cites this directive as one of the drivers for their plans to switch fully to electronic records by 2022 (University of Washington, n.d.).

    Health care modernization: Implementing electronic health records; reducing paper charts.

    Supply chain risk reduction: In 2021, an Ontario district school board experienced photocopier toner shortages and were forced to request schools to reduce printing and photocopying: "We have recommended to all locations that the use of printing be minimized as much as possible and priority given to the printing of sensitive and confidential documentation" (CBC, 2021).

    Identify overall organizational goals in the following places:

    • Company mission statements
    • Corporate website
    • Business strategy documents
    • Other IT strategy documents
    • Executives

    Document financial and non-financial benefits

    Financial benefits: Printer reduction can reduce your printing costs and improve printing capabilities.

    • Printer reduction creates a controlled print environment; poorly controlled print environments breed unnecessary costs.
    • Cost savings can be realized through:
      • Elimination of cost-efficient inkjet desktop printers.
      • Elimination of high-cost, inefficient, or underutilized printers.
      • Sharing of workshop printers between an optimal number of end users.
      • Replacing separate printers, scanners, copiers, and fax machines with. multi-function devices.
    • Cost savings can be achieved through a move to managed print services, if you negotiate the contract well and manage the vendor properly. The University of Washington estimated a 20-25% cost reduction under a managed print services model compared to the existing lease (University of Washington, "What is MPS").

    Non-financial benefits: Although the main motivation behind printer reduction is usually cost savings, there are also non-financial benefits to the project.

    • Printer reduction decreases physical space required for printers
    • Printer reduction meets employee and client environmental demands
      • Printer reduction can reduce the electricity and consumables used
      • Reduction in consumables means reduced hazardous waste from consumables and devices
    • Printer reduction can result in better printing capabilities
      • Moving to a managed print services model can provide you with better printing capabilities with higher availability

    Assign responsibility to track print device costs to IT

    Problem:
    Managers in many organizations wrongly assume that since IT manages the printer devices, they also already manage costs.

    However, end users typically order printer devices and supplies through the supplies/facilities department, bypassing any budget approval process, or through IT, which does not have any authority or incentive to restrict requests (when they're not measured against the controlling of printer costs).

    Organization-wide printer usage policies are rarely enforced with any strictness.

    Without systematic policy enforcement, end-user print behavior becomes frivolous and generates massive printing costs.

    Solution:
    Recommend all print device costs be allocated to IT.

    • Aggregate responsibility: Recommend that all printer costs be aggregated under IT's budget and tracked by IT staff.
    • Assign accountability: Although supplies may continually be procured by the organization's supplies/facilities department, IT should track monthly usage and costs by department.
    • Enforce policy: Empower IT with the ability to enforce a strict procurement policy that ensures all devices in the print environment are approved models under IT's control. This eliminates having unknown devices in the printer fleet and allows for economies of scale to be realized from purchasing standardized printing supplies.
    • Track metrics: IT should establish metrics to measure and control each department's printer usage and flat departments that exceed their acceptable usage amounts.

    Assign accountability for the initiative

    Someone needs to have accountability for both the printer reduction tasks and the ongoing operation tasks, or the initiative will quickly lose momentum.

    Customize Info-Tech's Enterprise Printing Roles and Responsibilities RACI Guide RACI chart to designate project roles and responsibilities to participants both inside and outside IT.

    These tasks fall under the categories of:

    • Strategy and planning
    • Vendor selection, evaluation, and acquisition
    • Implementation
    • Operate

    Assign a RACI: Remember the meaning of the different roles

    • Responsible (does the work on a day-to-day basis)
    • Accountable (reviews, signs off on, and is held accountable for outcomes)
    • Consulted (input is sought to feed into decision making)
    • Informed (is given notification of outcomes)

    As a best practice, no more than one person should be responsible or accountable for any given process. The same person can be both responsible and accountable for a given process, or it could be two different people.

    Avoid making someone accountable for a process if they do not have full visibility into the process for appropriate oversight, or do not have time to give the process sufficient attention.

    The Enterprise Printing Roles and Responsibilities RACI Guide can be used to organize and manage these tasks.

    This is a screenshot from the Enterprise Printing Roles and Responsibilities RACI Guide

    Define metrics to measure success

    Track your project success by developing and tracking success metrics

    Ensure your metrics relate both to business value and customer satisfaction. "Reduction of print" is a business metric, not an experience metric.

    Frame metrics around experience level agreements (XLAs) and experience level objectives (XLOs): What are the outcomes the customer wants to achieve and the benefits they want to achieve? Tie the net promoter score into the reporting from the IT service management system, since SLAs are still needed to tactically manage the achievement of the XLOs.

    Use the Metrics Development Workbook from Info-Tech's Develop Meaningful Service Metrics to define:

    • Relevant stakeholders
    • Their goals and pain points
    • The success criteria that must be met to achieve these goals
    • The key indicators that must be measured to achieve these goals from an IT perspective
    • What the appropriate IT metrics are, based on all of the above

    Metrics could include

    • User satisfaction
    • Print services net promoter model
    • Total printing costs
    • Printer availability (uptime)
    • Printer reliability (mean time between failures)
    • Total number of reported incidents
    • Mean time for vendor to respond and repair

    Info-Tech Insight:

    Good metrics and visible improvement are important to strengthen executive support for a long-term printer reduction strategy.

    Step 1.2

    Assess current state

    Outcomes of this step

    • Aggregate view of your printer usage and costs

    Strategy and Planning

    This step involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Activities in this step

    • 1.2. Inventory your printer fleet: Office walk-around
    • 1.2 Inventory your printer fleet: Collect purchase receipts/statements/service records
    • 1.3 Calculate printing costs

    Create an aggregate view of your printer usage and costs

    Problem: Lack of visibility

    • Most organizations are unaware of the savings potential in reducing print due to a lack of data.
    • Additionally, organizations may have inappropriately sized devices for their workloads.
    • Often, nobody is responsible for managing the printers collectively, resulting in a lack of visibility into printing activity. Without this visibility, it is difficult to muster executive commitment and support for printer reduction efforts.
    • The first step to eliminating your printers is to inventory all the printers in the organization and look at an aggregate view of the costs. Without understanding the cost saving potential, management will likely continue to avoid printer changes due to the idea's unpopularity with end users.
    • Valid use cases for printers will likely still remain, but these use cases should be based on a requirements analysis.
    This is a screenshot from the Printer Reduction Tool. It includes the Printer Inventory, and a table with the following column headings: Device Type; Specific Device; Networked; Manufacturer; Model; Serial #; Office Location; Device Owner; # users Supported; Monthly Duty; Page Count to; Device Age; Remaining Useful; # Pages printer/month; % Utilization

    Create visibility through by following these steps:

    1. Office walk-around: Most organizations have no idea how many printers they have until they walk around the office and physically count them. This is especially true in cases where management is allowed to purchase personal printers and keep them at their desks. An office walk-around is often necessary to accurately capture all the printers in your inventory.
    2. Collect purchase receipts/statements/service records: Double-check your printer inventory by referring to purchase receipts, statements, and service records.
    3. Identify other sources of costs: Printer purchases only make up a small fraction of total printing costs. Operating costs typically account for 95% of total printer costs. Make sure to factor in paper, ink/toner, electricity, and maintenance costs.

    1.2.1 Inventory your printer fleet: part 1

    Office walk-around

    1. Methodically walk around the office and determine the following for each printer:
      • Device type
      • Make, model, serial number
      • Location
      • Number of users supported
      • Device owner
      • Type of users supported (department, employee position)
    2. Record printer details in Tab 1 of Info-Tech's Printer Reduction Tool. Collaborate with the accounting or purchasing department to determine the following for each printer recorded:
      • Purchase price/date
      • Monthly duty cycle
      • Estimated remaining useful life
      • Page count to date

    Input

    Output
    • Existing inventory lists
    • Visual observation
    • Inventory of office printers, including their printer details

    Materials

    Participants

    • Notepad
    • Pen
    • Printer Reduction Tool
    • IT director
    • IT staff

    Download the Printer Reduction Tool

    1.2.2 Inventory your printer fleet:
    part 2

    Collect purchase receipts/statements/service records

    1. Ask your purchasing manager for purchase receipts, statements, and service records relating to printing.
    2. For documents found, match the printer with your physical inventory. Add any printers found that were not captured in the physical inventory count. Record the following:
      1. Device type
      2. Make, model, serial number
      3. Location
      4. Number of users supported
      5. Device owner
      6. Type of users supported (department, employee position)
    3. 3. Collaborate with the accounting or purchasing department to determine the following for each printer recorded:
      1. Purchase price/date
      2. Monthly duty cycle
      3. Estimated remaining useful life
      4. Page count to date
    4. Enter the data in Tab 1 of the Printer Reduction Tool

    Input

    Output
    • Purchase receipts
    • Statements
    • Service records
    • Printer inventory cross-checked with paperwork

    Materials

    Participants

    • Printer inventory from previous activity
    • IT director
    • IT staff
    • Purchasing manager

    Download the Printer Reduction Tool

    1.2.3 Calculate your printing costs

    Collect purchase receipts/statements/service records

    • Collect invoices, receipts, and service records to sum up the costs of paper, ink or toner, and maintenance for each machine. Estimate electricity costs.
    • Record your costs in Tab 2 of the Printer Reduction Tool.
    • Review the costs per page and per user to look for particularly expensive printers and understand the main drivers of the cost.
    • Review your average monthly cost and annual cost per user. Do these costs surprise you?

    Input

    Output
    • Invoices, receipts, service records for
    • Cost per page and user
    • Average monthly and annual cost

    Materials

    Participants

    • Printer Reduction Tool
    • IT director
    • IT staff

    Step 1.3

    Gather printing requirements

    Outcomes of this step

    • Understanding of the organization's current printing behavior and habits
    • Identification of how industry context and digitization of business processes have impacted current and future requirements

    This step involves the following participants:

    • IT director
    • IT staff
    • Rest of organization

    Activities in this step

    • Examine current printing behavior and habits
    • Administer end-user survey
    • Identify current requirements
    • Identify future requirements

    Requirements Gathering Overview

    1. Identify opportunities to go paperless
      • Determine where business process automation is occurring
      • Align with environmental and sustainability campaigns
    2. Identify current requirements
      • Review the types of document being printed and the corresponding features needed
      • Administer end-user survey to understand user needs and current printer performance
    3. Identify future requirements
    • Identify future requirements to avoid prematurely refreshing your printer fleet
  • Examine industry-specific/ workflow printing
    • Some industries have specific printing requirements such as barcode printing accuracy. Examine your industry-specific printing requirements
  • Stop: Do not click "Print"

    The most effective way to achieve durable printing cost reduction is simply to print less.

    • Consolidating devices and removing cost-inefficient individual printers is a good first step to yielding savings.
    • However, more sustainable success is achieved by working with the printer vendor(s) and the business on continuous innovation via proposals and initiatives that combine hardware, software, and services.
    • Sustained print reduction depends on separate but related business process automation and digital innovation initiatives.

    Info-Tech Insight:

    Achieve long-lasting reductions in print through document management and improved workflow processes.

    Leverage Info-Tech research to support your business' digital transformation

    This is an image of the title page from Info-Tech's Define your Digital Business Strategy blueprint.

    Define how changes to enterprise printing fit into digital transformation plans

    Identify opportunities to go paperless

    The "paperless office" has been discussed since the 1970s. The IT director alone does not have authority to change business processes. Ensure the print reduction effort is tied to other strategies and initiatives around digital transformation. Working on analog pieces of paper is not digital and may be eroding digital transformation process.

    Leverage Info-Tech's Assert IT's Relevance During Digital Transformations to remind others that modernization of the enterprise print environment belongs to the discussion around increasing digitized support capabilities.

    1. Digital Marketing

    2. Digital Channels

    3. Digitized Support Capabilities

    4. Digitally Enabled Products

    5. Business Model Innovation

    Manage Websites

    E-Channel Operations

    Workforce Management

    Product Design

    Innovation Lab Management

    Brand Management

    Product Inventory Management

    Digital Workplace Management

    Portfolio Product Administration

    Data Sandbox Management

    SEO

    Interactive Help

    Document Management

    Product Performance Measurement

    Innovation Compensation Management

    Campaign Execution

    Party Authentication

    Eliminate business process friction caused by print

    Analyze workflows for where they are still using paper. Ask probing questions about where paper still adds value and where the business process is a candidate for paperless digital transformation

    • Is this piece of paper only being used to transfer information from one application to another?
    • What kind of digitalization efforts have happened in the business as a result of the COVID-19 pandemic? Which workflows have digitized on their own?
    • Where has e-signature been adopted?
    • Is this use of paper non-negotiable (e.g. an ER triage that requires a small printer for forms; the need for bank tellers to provide receipts to customers)?
    • Do we have compliance obligations that require us to retain a paper process?
    • What is getting printed? Who is printing the most? Identify if there are recurring system-generated reports being printed daily/weekly/quarterly that are adding to the volume. Are reports going directly from staff mailboxes to a recycling bin?
    • Does our print financial model incentivize the transformation of business processes, or does it reinforce old habits?
    • What services, software, and solutions for document management and business process analysis does our managed print services vendor offer? Can we involve the vendor in the business transformation conversation by including an innovation clause in the next contract (re)negotiation to push the vendor to offer proposals for projects that reduce print?

    Develop short-term and long-term print reduction strategies

    Short-term strategies

    • Consolidate the number of printers you have.
    • Determine whether to outsource printing to a managed services provider and make the move.
    • Enable print roaming and IT verification.
    • Require user-queued print jobs to be authenticated at a printer to prevent print jobs that are lost or not picked up.
    • Set up user quotas.
    • Provide usage records to business managers so they can understand the true cost of printing.
    • User quotas may create initial pushback, but they lead users to ask themselves whether a particular print job is necessary.
    • Renegotiate print service contracts.
    • Revisit contracts and shop around to ensure pricing is competitive.
    • Leverage size and centralization by consolidating to a single vendor, and use the printing needs of the entire enterprise to decrease pricing and limit future contractual obligations.
    • Train users on self-support.
    • Train users to remedy paper jams and move paper in and out of paper trays.

    Long-term strategies

    • Promote a paperless culture by convincing employees of its benefits (greater cost savings, better security, easier access, centralized repository, greener).
    • Educate users to use print area wisely.
    • Develop campaigns to promote black and white printing or a paperless culture.

    Info-Tech Insight:

    One-time consolidation initiatives leave money on the table. The extra savings results from changes in printing culture and end-user behavior.

    Examine current printing behavior and habits

    It's natural for printer usage and printing costs to vary based on office, department, and type of employee. Certain jobs simply require more printing than others.

    However, the printing culture within your organization likely also varies based on

    • office
    • department
    • type of employee

    Examine the printing behaviors of your employees based on these factors and determine whether their printing behavior aligns with the nature of their job.

    Excessive printing costs attributed to departments or groups of employees that don't require much printing for their jobs could indicate poor printing culture and potentially more employee pushback.

    Examine current printing behavior and habits, and identify candidates for elimination

    1. Go to Tab 3 of your Printer Reduction Tool ("Usage Dashboard Refresh"). Right-click each table and press "Refresh."
    2. Go to Tab 4 of your Printer Reduction Tool ("Usage Dashboard") to understand the following:
      1. Average printer utilization by department
      2. Pages printed per month by department
      3. Cost per user by department
    3. Take note of the outliers and expensive departments.
    4. Review printer inventory and printer use rates on Tab 5.
    5. Decide which printers are candidates for elimination and which require more research.
    6. If already working in a managed print services model, review the vendor's recommendations for printer elimination and consolidation.
    7. Mark printers that could be eliminated or consolidated.

    Input

    Output
    • Discussion
    • Understanding of expensive departments and other outliers

    Materials

    Participants

    • Printer Reduction Tool
    • IT director/ business operations
    • Business managers

    Administer end-user survey

    Understand end-user printing requirements and current printer performance through an end-user survey

    1. Customize Info-Tech's End-User Print Requirements Survey to help you understand your users' needs and the current performance of your printer fleet.
    2. Send the survey to all printer users in the organization.
    3. Collect the surveys and aggregate the requirements of users in each department.
    4. Record the survey results in the "Survey Results" tab.

    Input

    Output
    • End-user feedback
    • Identification of outliers and expensive departments

    Materials

    Participants

    • End-User Print Requirements Survey template
    • IT director
    • IT staff
    • Rest of organization

    Download the End-User Print Requirements Survey

    Info-Tech Insight:

    Use an end-user printer satisfaction survey before and after any reduction efforts or vendor implementation, both as a requirement-gathering user input and to measure/manage the vendor.

    Identify your current requirements

    Collect all the surveys and aggregate user requirements. Input the requirements into your Printer Reduction Tool.

    Discussion activity:

    • Review the requirements for each department and discuss:
    • What is this device being used for (e.g. internal documents, external documents, high-quality graphics/color)?
    • Based on its use case, what kinds of features are needed (e.g. color printing, scanning to email, stapling)?
    • Is this the right type of device for its purpose? Do we need this device, or can it be eliminated?
    • Based on its use case, what kinds of security features are needed (e.g. secure print release)?
    • Are there any compliance requirements that need to be satisfied (e.g. PCI, ITAR, HIPAA)?
    • Based on its use case, what's the criticality of uptime?
    • What is this device's place in the organization's workflow? What are its dependencies?
    • With which systems is the device compatible? Is it compatible with the newer operating system versions? If not, determine whether the device is a refresh candidate.

    Input

    Output
    • Survey results and department requirements
    • List of current requirements

    Materials

    Participants

    • N/A
    • IT director
    • IT staff

    Identify your future requirements

    Prepare your printer fleet for future needs to avoid premature printer refreshes.

    Discussion activity:

    • Review the current requirements for each department's printers and discuss whether the requirements will meet the department's printing needs over the next 10 years.
    • What is this device going to be used for in the next 10 years?
    • Will use of this device be reduced by plans to increase workflow digitization?
    • Based on its use case, what kinds of features are needed?
    • Is this the right type of device for its purpose?
    • Based on its use case, what kinds of security features are needed?
    • Based on its use case, what is the criticality of uptime?
    • Is this device's place in the organization's workflow going to change? What are its dependencies?
    • Reassess your current requirements and make any changes necessary to accommodate for future requirements.

    Input

    Output
    • Discussion
    • List of future requirements

    Materials

    Participants

    • N/A
    • IT director
    • IT staff

    Examine requirements specific to your industry and workflow

    Some common examples of industries with specific printing requirements:

    • Healthcare
      • Ability to comply with HIPAA requirements
      • High availability and reliability with on-demand support and quick response times
      • Built-in accounting software for billing purposes
      • Barcode printing for hospital wristbands
      • Fax requirements
    • Manufacturing
      • Barcoding technology
      • Ability to meet regulations such as FDA requirements for the pharmaceutical industry
      • Ability to integrate with ERP systems
    • Education
      • Password protection for sensitive student information
      • Test grading solutions
      • Paper tests for accessibility needs

    Phase 2

    Vendor Selection, Evaluation, Acquisition

    Strategy & planning

    Vendor selection, evaluation, acquisition

    Implementation & Operation

    1.1 Create project charter and assign roles

    1.2 Assess current state

    1.3 Gather requirements

    2.1 Understand managed print services model

    2.2 Create RFP materials

    2.3 Leverage print management software

    3.1 Modify printer policies

    3.2 Measure project success

    3.3 Training & adoption

    3.4 Plan communication

    3.5 Prepare for continuous improvement

    Re-Envision Enterprise Printing

    • This phase will walk you through the following activities:
    • Define managed print services RFP requirement questions
    • Create managed print services RFP and scoring tool
    • Score the RFP responses

    This phase involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Change your financial model

    The managed print services industry allows you to use a pay-as-you-go approach and right-size your print spend to the organization's needs.

    Avoid being locked into a long lease where the organization pays a fixed monthly fee whether the printer runs or not.

    Instead, treat enterprise printing as a service, like the soda pop machine in the break room, where the vendor is paid when the device is used. If the vending machine is broken, the vendor is not paid until the technician restores it to operability. Printers can work the same way.

    By moving to a per click/page financial model, the vendor installs and supports the devices and is paid whenever a user prints. Though the organization pays more on a per-click/page basis compared to a lease, the vendor is incentivized to right-size the printer footprint to the organization, and the organization saves on monthly recurring lease costs and maintenance costs.

    Right-size commitments: If the organization remains on a lease instead of pay-per-click model, it should right-size the commitment if printing drops below a certain volume. In the agreement, include a business downturn clause that allows the organization to right-size and protect itself in the event of negative growth.

    Understand the managed print services model and its cost savings

    Outsourcing print services can monitor and balance your printers and optimize your fleet for efficiency. Managed print services are most appropriate for:

    • Organizations engaging in high-volume, high-quality print jobs with growing levels of output.
    • Organizations with many customer-facing print jobs.

    There are three main managed printing service models. Sometimes, an easy switch from a level pay model to a pay-per-click model can result in substantial savings:

    Level Pay

    • Flat rate per month based on estimates.
    • Attempts to flatten IT's budgeting so printing costs are consistent every month or every year (for budgeting purposes). At the end of the year, the amount of supplies used is added up and compared with the initial estimates and adjusted accordingly.
    • The customer pays the same predictable fee each month every year, even if you don't meet the maximum print quantity for the pay. Increased upcharge for quantities exceeding maximum print quantity.

    Base Plus Click

    • Fixed base payment (lease or rental) + pay-per-sheet for services.
    • In addition to the monthly recurring base cost, you pay for what you use. This contract may be executed with or without a minimum monthly page commitment. Page count through remote monitoring technologies is typically required.

    Pay Per Click

    • Payment is solely based on printing usage.
    • Printing costs will likely be the lowest with this option, but also the most variable.
    • This option requires a minimum monthly page commitment and/or minimum term.

    Info-Tech Insight:

    Vendors typically do not like the pay-per-click option and will steer businesses away from it. However, this option holds the vendor accountable for the availability and reliability of your printers, and Info-Tech generally recommends this option.

    Compare financials of each managed print services option

    Your printing costs with a pay-per-click model are most reflective of your actual printer usage. Level pay tends to be more expensive, where you need to pay for overages but don't benefit from printing less than the maximum allocated.

    See the below cost comparison example with level pay set at a maximum of 120,000 impressions per month. In the level pay model, the organization was paying for 120,000 sheets in the month it only used 60,000 impressions, whereas it would have been able to pay just for the 60,000 sheets in the pay-per-click model.

    This image contains tables with the column headings: Impressions per month; Total Cost; Average Cost per Impression; for each of the following categories: Level Pay; Base Plus Click; Pay Per Click

    Financial comparison case study

    This organization compared estimated costs over a 36-month period for the base-plus-click and pay-per-page models for Toshiba E Studio 3515 AC Digital Color Systems.

    Base-plus-click model

    Monthly recurring cost

    Avg. impressions per month

    Monthly cost

    Monthly cost

    "Net pay per click"

    Cost over 36-month period

    A fixed lease cost each month, with an additional per click/page charge

    $924.00

    12,000 (B&W)

    $0.02 (B&W)

    $1,164.00 (B&W)

    $0.097 (B&W)

    $41,904 (B&W)

    5,500 (Color)

    $0.09 (Color)

    $495.00 (Color)

    $0.090 (Color)

    $17,820 (Color)

    Base-plus-click model

    Monthly recurring cost

    Avg. impressions per month

    Monthly cost

    Monthly cost

    "Net pay per click"

    Cost over 36-month period

    No monthly lease cost, only per-image charges

    0.00

    12,000 (B&W)

    $0.06 (B&W)

    $720.00 (B&W)

    $0.060 (B&W)

    $25,920 (B&W)

    5,500 (Color)

    $0.12 (Color)

    $660.00 (Color)

    $0.120 (Color)

    $23,760 (Color)

    Results

    Though the per-image cost for each image is lower in the base-plus-click model, the added monthly recurring costs for the lease means the "net pay per click" is higher.

    Overall, the pay-per-page estimate saved $10,044 over a 36-month period for this device.

    Bake continuing innovation into your requirements

    Once you are in the operation phase, you will need to monitor and analyze trends in company printing in order to make recommendations for the future and to identify areas for possible savings and/or asset optimization.

    Avoid a scenario where the vendor drops the printer in your environment and returns only for repairs. Engage the vendor in this continuous innovation work:

    In the managed services agreement, include a proviso for continuous innovation where the vendor has a contractual obligation to continually look at the business process flow and bring yearly proposals to show innovation (e.g. cost reductions; opportunities to reduce print, which allows the vendor to propose document management services and record keeping services). Leverage vendors who are building up capabilities to transform business processes to help with the heavy lifting.

    Establish a vision for the relationship that goes beyond devices and toner. The vendor can make a commitment to continuous management and constant improvement, instead of installing the devices and leaving. Ideally, this produces a mutually beneficial situation: The client asks the vendor to sell them ways to mature and innovate the business processes, while the vendor retains the business and potentially sells new services. In order to retain your business, the vendor must continue to learn and know about your business.

    The metric of success for your organization is the simple reduction in printed copies overall. The vendor success metric would be proposals that may combine hardware, software, and services that provide cost-effective reductions in print through document management and workflow processes. The vendors should be keen to build this into the relationship since the services delivery has a higher margin for them.

    Sample requirement wording:

    "Continuing innovation: The contractor initiates at least one (1) project each year of the contract that shows leadership and innovation in solutions and services for print, document management, and electronic recordkeeping. Bidders must describe a sample project in their response, planning for an annual investment of approximately 50 consulting hours and $10,000 in hardware and/or software."

    Reward the vendor for performance instead of "punishing" them for service failures

    Problem: Printer downtime and poor service is causing friction with your managed service provider (MSP).

    MSPs often offer clients credit requests (service credits) for their service failures, which are applied to the previous month's monthly recurring charge. They are applied to the last month's MRC (monthly reoccurring charges) at the end of term and then the vendor pays out the residual.

    However, while common, service credits are not always perceived to be a strong incentive for the provider to continually focus on improvement of mean time to respond or mean time to repair.

    Solution: Turn your vendor into a true partner by including an "earn back" condition in the contract.

    • Engage the vendor as a true partner within a relationship based upon service credits.
    • Suggest that the vendor include a minor change to the non-performance processes within the final agreement: the vendor implements an "earn back" condition in the agreement.
    • Where a bank of service credits exists because of non-performance, if the provider exceeds the SLA performance metrics for a number of consecutive months (two is common), then a given number of prior credits received by the client are returned to the provider as a reward for improved performance.
    • This can be a useful mechanism to drive improved performance.

    Leverage enterprise print management software

    Printers are commoditized and can come and go, but print management software enables the governance, compliance, savings and visibility necessary for the transformation

    • Printer management solutions range from tools bundled with ink-jet printers that track consumables' status, to software suites that track data for thousands of print devices.
    • Typically, these solutions arrive in enterprises as part of larger managed services printing engagements, bundled with hardware, financing, maintenance, and "services."
    • Bundling print management software means that customers very rarely seek to acquire printing management software alone.
    • Owing to the level of customization (billing, reporting, quotas, accounts, etc.) switching print management software solutions is also rare. The work you put into this software will remain with IT regardless of your hardware.
    • Durability of print management software is also influenced by the hardware- and technology-agnostic nature of the solutions (e.g. swapping one vendor's devices for another does not trigger anything more than a configuration change in print management software.)

    Include enterprise print management requirements in the RFP

    Ask respondents to describe their managed services capabilities and an optional on-premises, financed solution with these high-level capabilities.

    Select the appropriate type of print management software

    Vendor-provided solutions are adequate control for small organizations with simple print environments

    • Suitable for small organizations (<100 users).
    • Software included with print devices can pool print jobs, secure access, and centralize job administration.
    • Dealing with complex sales channels for third-party vendors is likely a waste of resources.

    SMBs with greater print control needs can leverage mid-level solutions to manage behavior

    • Suitable for mid-size organizations (<500 users).
    • Mid-level software can track costs, generate reports, and centralize management.
    • Solutions start at $500 but require additional per-device costs.

    Full control solutions will only attract large organizations with a mature print strategy

    • Full control solutions tend to be suitable for large organizations (>500 users) with complex print environments and advanced needs.
    • Full control software allows for absolute enforcement of printing policies and full control of printing.
    • Expect to spend thousands for a tailored solution that will save time and guide cost savings.

    Enterprise print management software features

    The feature set for these tools is long and comprehensive. The feature list below is not exhaustive, as specific tools may have additional product capabilities.

    Print Management Software Features

    Hardware-neutral support of all major printer types and operating systems (e.g. direct IP to any IPP-enabled printer along with typical endpoint devices) Tracking of all printing activity by user, client account, printer, and document metadata
    Secure print on demand (Secure print controls: User Authenticated Print Release, Pull Printing) Granular print cost/charging, allowing costs to be assigned on a per-printer basis with advanced options to charge different amounts based on document type (e.g. color, grayscale or duplex), page size, user or group
    Managed and secured mobile printing (iOS/Android), BYOD, and guest printing DaaS/VDI print support
    Printer installation discovery/enablement, device inventory/management Auditing/reporting, print audit trail using document attributes to manage costs/savings, enforce security and compliance with regulations and policies
    Monitoring print devices, print queues, provide notification of conditions Watermarking and/or timestamping to ensure integrity and confidentially/classification of printed documents some solutions support micro font adding print date, time, user id and other metadata values discreetly to a page preventing data leakage
    Active Directory integration or synchronization with LDAP user accounts Per-user quotas or group account budgets
    Ability to govern default print settings policies (B&W, double-sided, no color, etc.)

    Get to the managed print services RFP quicker

    Jumpstart your requirements process using these tools and exercises

    Vendor Assessment Questions

    Use Info-Tech's catalog of commonly used questions and requirements in successful acquisition processes for managed print services. Ask the right questions to secure an agreement that meets your needs. If you are already in a contract with managed print services, take the opportunity of contract renewal to improve the contract and service.

    RFP Template and "Schedule 1" Attachment

    Add your finalized assessment questions into this table, which you will attach to your RFP. The vendor answers questions in this "Schedule 1" attachment and returns it to you.

    RFP Scoring Tool

    Aggregate the RFP responses into this scoring tool to identify the frontrunners and candidates for elimination. Since the vendors are asked to respond in a standard format, it is easier to bring together all the responses to create a complete view of your options.

    Define RFP requirement questions

    Include the right requirements for your organization, and avoid leaving out important requirements that might have been overlooked.

    1. Download the Managed Print Services Vendor Assessment Questions tool. Use this document as a "shopping list" to jumpstart an initial draft of the RFP and, more importantly, scoring requirements.
    2. Review the questions in the context of your near- and long-term printer outsourcing needs. Consider your environment, your requirements, and goals. Include other viewpoints from the RACI chart from Phase 1.
    3. Place an 'X' in the first column to retain the question. Edit the wording of the question if required, based on your organizational needs.
    4. Use the second column to indicate which section of the RFP to include the question in.

    Input

    Output
    • Requirements from Phase 1.3
    • Completed list of requirement questions

    Materials

    Participants

    • Managed Print Services Vendor Assessment Questions tool
    • IT director/business operations
    • Other roles from the RACI chart completed in Phase 1

    Download the Managed Print Services Vendor Assessment Questions tool

    Create RFP scoring tool and RFP

    1. Enter the requirements questions into the scoring tool on Tabs 2 and 4.
    2. Tab 2: Create scoring column for each vendor. You will paste in their responses here.
    3. Edit Tabs 3 and 4 so they align with what you want the vendor to see. Copy and paste Tab 3 and Tab 4 into a new document, which will serve as a "Schedule 1" attachment to the RFP package the vendor receives.
    4. Complete the RFP template. Describe your current state and current printer hardware (documented in the earlier current-state assessment). Explain the rules of how to respond and how to fill out the Schedule 1 document. Instruct each vendor to fill in their responses to each question along with any notes, and to reply with a zip file that includes the completed RFP package along with any marketing material needed to support their response.
    5. Send a copy of the RFP and Schedule 1 to each vendor under consideration.

    Input

    Output
    • Completed list of requirement questions from previous activity
    • RFP Scoring tool
    • Completed RFP and schedule 1 attachment

    Materials

    Participants

    • Managed Print Services RFP Vendor Proposal Scoring Tool
    • Managed Print Services RFP
    • IT director/business operations

    Download the Managed Print Services RFP Vendor Proposal Scoring Tool

    Download the Managed Print Services RFP template

    Score RFP responses

    1. When the responses are returned, copy and paste each vendor's results from Schedule 1 into Tab 2 of the main scoring tool.
    2. Evaluate each RFP response against the RFP criteria based on the scoring scale.
    3. Send the completed scoring tool to the CIO.
    4. Set up a meeting to discuss the scores and generate shortlist of vendors.
    5. Conduct further interviews with shortlisted vendors for due diligence, pricing, and negotiation discussions.
    6. Once a vendor is selected, review the SLAs and contract and develop a transition plan.

    Input

    Output
    • Completed Managed Print Services RFP Vendor Proposal Scoring Tool
    • Shortlist or final decision on vendor

    Materials

    Participants

    • N/A
    • IT director/business operations

    Info-Tech Insight:

    The responses from the low-scoring vendors still have value: these providers will likely provide ideas that you can then leverage with your frontrunner, even if their overall proposal did not score highly.

    Phase 3

    Implementation & Operation

    Strategy & planning

    Vendor selection, evaluation, acquisition

    Implementation & Operation

    1.1 Create project charter and assign roles

    1.2 Assess current state

    1.3 Gather requirements

    2.1 Understand managed print services model

    2.2 Create RFP materials

    2.3 Leverage print management software

    3.1 Modify printer policies

    3.2 Measure project success

    3.3 Training & adoption

    3.4 Plan communication

    3.5 Prepare for continuous improvement

    Re-Envision Enterprise Printing

    This phase will walk you through the following activities:

    • Update your enterprise printer policies
    • Readminister end-user survey to measure project success

    This phase involves the following participants:

    • IT director/CIO
    • Business operations manager
    • Project manager

    Modify your printer policies

    Review and modify Info-Tech's Printer Policy Template to support your print reduction goals

    Consider that your goal is to achieve printer reduction. Discuss with your team how strict it needs to be to truly reset behavior with printers. Many organizations struggle with policy enforcement. Firm language in the policy may be required to achieve this goal. For example,

    • IT only supports the printers acquired through the managed print service. Personal desktop printers are not supported by IT. Expense statements will not be accepted for non-supported printers.
    • Create a procurement policy where all device requests need justification and approval by department managers and IT. Have a debate over what the extreme exceptions would be. Legitimate exceptions must go through a review and approval process.
    • Restrict color printing to external or customer-facing use cases.
    • Encourage digital or electronic solutions in lieu of hard copies (e.g. e-signatures and approval workflows; scanning; use of integrated enterprise applications like SharePoint).
    This is a screenshot of the Printer Policy Page Template

    Download the Printer Policy template

    Readminister the end-user survey

    You have already run this survey during the requirements-gathering phase. Run it again to measure success.

    The survey was run once prior to the changes being implemented to establish a baseline of user satisfaction and to gain insights into additional requirements.

    Several months after the initial rollout (90 days is typical to let the dust settle), resurvey the end users and publish or report to the administration success metrics (the current costs vs. the actual costs prior to the change).

    User satisfaction survey can be used to manage the vendor, especially if the users are less happy after the vendor touched their environment. Use this feedback to hold the provider to account for improvement.

    Input

    Output
    • Previous survey results
    • Changes to baseline satisfaction metrics

    Materials

    Participants

    • End-user survey from Phase 1
    • IT director
    • IT staff
    • Rest of organization

    Measure project success

    Revisit the pre-project metrics and goals and compare with your current metrics

    • Identify printers to consolidate or eliminate.
    • Update asset management system (enter software and hardware serial numbers or identification tags into configuration management system).
    • Reallocate/install printers across the organization.
    • Develop ongoing printer usage and cost reports for each department.
    • Review the end-user survey and compare against baseline.
    • Operate, validate, and distribute usage metrics/chargeback to stakeholders.
    • Audit and report on environmental performance and sustainability performance to internal and external bodies, as required.
    • Write and manage knowledgebase articles.
    • Monitor and analyze trends in company printing in order to make recommendations for the future and to identify areas for possible savings and/or asset optimization.

    Metrics could include

    • User satisfaction
    • Print services net promoter model
    • Total printing costs
    • Printer availability (uptime)
    • Printer reliability (mean time between failures)
    • Total number of reported incidents
    • Mean time for vendor to respond and repair

    Support training and adoption

    Train users on self-support

    Prepare troubleshooting guides and step-by-step visual aid posters for the print areas that guide users to print, release, and find their print jobs and fix common incidents on their own. These may include:

    • The name of this printer location and the names of the others on that floor.
    • How to enter a PIN to release a print job.
    • How to fix a paper jam.
    • How to empty the paper tray.
    • How to log a service ticket if all other steps are exhausted.

    Educate users to use print area wisely

    • Inform users what to do if other print jobs appear to be left behind in the printer area.
    • Display guidelines on printer location alternatives in case of a long line.
    • Display suggestions on maximum recommended time to spend on a job in the event other users are waiting.

    Develop campaign to promote paperless culture

    Ensure business leadership and end users remain committed to thinking before they print.

    • Help your users avoid backsliding by soliciting feedback on the new printer areas.
    • Ensure timely escalation of service tickets to the vendor.
    • Support efforts by the business to seek out business process modernization opportunities whenever possible.

    Plan persuasive communication strategies

    Identify cost-saving opportunities and minimize complaints through persuasive communication

    Solicit the input of end users through surveys and review comments.

    Common complaints Response

    Consider the input of end users when making elimination and consolidation decisions and communicate IT's justification for each end user's argument to keep their desktop printers.

    "I don't trust network storage. I want physical copies." Explain the security and benefits of content management systems.
    "I use my desktop a lot. I need it." Explain the cost benefits of printing on cheaper network MFPs, especially if they print in large quantities.
    "I don't use it a lot, so it's not costly." It's a waste of money to maintain and power underused devices.
    "I need security and confidentiality." MFPs have biometric and password-release functions, which add an increased layer of security.
    "I need to be able to print from home." Print drivers and networked home printers can be insecure devices and attack vectors.
    "I don't have time to wait." Print jobs in queue can be released when users are at the device.
    "I don't want to walk that far." Tell the end user how many feet the device will be within (e.g. 50 feet). It is not usually very far.

    Implement a continual improvement plan to achieve long-term enterprise print goals

    Implement a continual improvement plan for enterprise printing:

    • Develop a vendor management plan:
      • In order to govern SLAs and manage the vendor, ensure that you can track printer-related tickets even if the device is now supported by managed print services.
      • Ensure that printer service tickets sent from the device to the vendor are also reconciled in your ITSM tool. Require the MSP to e-bond the ticket created within their own device and ticketing system back to you so you can track it in your own ITSM tool.
      • Every two months, validate service credits that can be returned to the vendor for exceeding SLA performance metrics.
      • Monitor the impact of their digital transformation strategies. Develop a cadence to review the vendor's suggestions for innovation opportunities.
    • Operate, validate, and distribute usage and experience metrics/chargeback to stakeholders.
    • Monitor and analyze trends in company printing.
    This is a graph which demonstrates the process of continual improvement through Standardization. It depicts a graph with Time as the X axis, and Quality Management as the Y axis. A grey circle with the words: ACT; PLAN; CHECK; DO, moving from the lower left part of the graph to the upper right, showing that standardization improves Quality Management.

    Summary of Accomplishment

    Problem Solved

    You have now re-envisioned your enterprise print environment by documenting your current printer inventory and current cost and usage. You also have hard inventory and usage data benchmarks that you can use to measure the success of future initiatives around digitalization, going paperless, and reducing print cost.

    You have also developed a plan to go to market and become a consumer of managed print services, rather than a provider yourself. You have established a reusable RFP and requirements framework to engage a managed print services vendor who will work with you to support your continuous improvement plans.

    Return to the deliverables and advice in this blueprint to reinforce the organization's message to end users on when, where, and how to print. Ideally, this project has helped you go beyond a printer refresh – but rather served as a means to change the printing culture at your organization.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information

    workshops@infotech.com
    1-888-670-8889

    Bibliography

    Fernandes, Louella. "Quocirca Managed Services Print Market, 2021." Quocirca, 25 Mar. 2021. Accessed 12 Oct. 2021.

    McInnes, Angela. "No More Photocopies, No More Ink: Thames Valley Schools Run Out of Toner." CBC, 21 Oct. 2021. Web.

    "Paper and Paperboard: Material-Specific Data." EPA, 15 Dec. 2020. Accessed 15 Oct. 2021.

    State of Washington, House of Representatives. "State Agencies – Paper Conservation and Recycling." 61st Legislature, Substitute House Bill 2287, Passed 20 April 2009.

    Sugihara, Azusa. "Pandemic Shreds Office Paper Demand as Global Telework Unfolds." Nikkei Asia, 18 July 2020. Accessed 29 Sept. 2021.

    "Paper Reduction." University of Washington, n.d. Accessed 28 Oct. 2021.

    "What is MPS?" University of Washington, n.d. Accessed 16 Mar. 2022.

    Research contributors

    Jarrod Brumm
    Senior Digital Transformation Consultant

    Jacques Lirette
    President, Ditech Testing

    3 anonymous contributors

    Info-Tech Research Group Experts

    Allison Kinnaird, Research Director & Research Lead
    Frank Trovato, Research Director

    State of Hybrid Work in IT

    • Buy Link or Shortcode: {j2store}551|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select

    Hybrid work is here, but there is no consensus among industry leaders on how to do it right. IT faces the dual challenge of supporting its own employees while enabling the success of the broader organization. In the absence of a single best practice to adopt, how can IT departments make the right decisions when it comes to the new world of hybrid?

    Our Advice

    Critical Insight

    • Don’t make the mistake of emulating the tech giants, unless they are your direct competition. Instead, look to organizations that have walked your path in terms of scope, organizational goals, industry, and organizational structure. Remember, your competitors are not just those who compete for the same customers but also those who compete for your employees.
    • Hybrid and remote teams require more attention, connection, and leadership from managers. The shift from doing the day-to-day to effectively leading is critical for the success of nontraditional work models. As hybrid and remote work become engrained in society, organizations must ensure that the concept of the “working manager” is as obsolete as the rotary telephone.

    Impact and Result

    Read this concise report to learn:

    • What other IT organizations are doing in the new hybrid world.
    • How hybrid has impacted infrastructure, operations, and business relations.
    • How to succeed at building a highly effective hybrid team.
    • How Info-Tech can help you make hybrid an asset for your IT department.

    State of Hybrid Work in IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. State of Hybrid Work in IT: A Trend Report – A walkthrough of the latest data on the impact of the hybrid work revolution in IT.

    Read this report to learn how IT departments are using the latest trends in hybrid work for greater IT effectiveness. Understand what work models are best for IT, how IT can support a remote organization, and how hybrid work changes team dynamics.

    • State of Hybrid Work in IT: A Trends Report

    Infographic

    Further reading

    State of Hybrid Work in IT: A Trend Report

    When tech giants can’t agree and best practices change by the minute, forge your own path to your next normal.

    Hybrid is here. Now how do we do this?

    The pandemic has catapulted hybrid work to the forefront of strategic decisions an organization needs to make. According to our State of Hybrid Work in IT survey conducted in July of 2022, nearly all organizations across all industries are continuing some form of hybrid or remote work long-term (n=518). Flexible work location options are the single greatest concern for employees seeking a new job. IT departments are tasked with not only solving hybrid work questions for their own personnel but also supporting a hybrid-first organization, which means significant changes to technology and operations.

    Faced with decisions that alter the very foundation of how an organization functions, IT leaders are looking for best practices and coming up empty. The world of work has changed quickly and unexpectedly. If you feel you are “winging it” in the new normal, you are not alone.

    95% of organizations are continuing some form of hybrid or remote work.

    n=518

    47% of respondents look at hybrid work options when evaluating a new employer, vs. 46% who look at salary.

    n=518

    Hybrid work model decision tree

    Your organization, your employees, your goals – your hybrid work

    The days of a “typical” workplace have passed. When it comes to the new world of hybrid work, there is no best-of-breed example to follow.

    Among the flood of contradictory decisions made by industry leaders, your IT organization must forge its own path, informed by the needs of your employees and your organizational goals.

    All IT work models can support the broader organization. However, IT is more effective in a hybrid work mode.

    Stay informed on where your industry is headed, but learn from, rather than follow, industry leaders.

    All industries reported primarily using partial, balanced & full hybrid work models.

    All industries reported some fully remote work, ranging from 2-10% of organizations surveyed.

    Construction and healthcare & life sciences did not require any fully in-office work. Other industries, between 1-12% required fully in-office work.

    The image contains a screenshot of the Enablement of Organizational Goals.

    Move beyond following tech giants

    The uncomfortable truth about hybrid work is that there are many viable models, and the “best of breed” depends on who you ask. In the post-pandemic workspace, for every work location model there is an industry leader that has made it functional. And yet this doesn’t mean that every model will be viable for your organization.

    In the absence of a single best practice, rely on an individualized cost-benefit assessment rooted in objective feasibility criteria. Every work model – whether it continues your status quo or overhauls the working environment – introduces risk. Only in the context of your particular organization does that risk become quantifiable.

    Don’t make the mistake of emulating the tech giants, unless they are your direct competition. Instead, look to organizations that have walked your path in terms of scope, organizational goals, industry, and organizational structure.

    External

    Internal

    Political

    Economic

    Social

    Technological

    Legal

    Environmental

    Operations

    Culture

    Resources

    Risk

    Benefit

    Employee Preferences

    Comparative

    Your competitors

    Info-Tech Insight

    Remember, your competitors are not just those who compete for the same customers but also those who compete for your employees.

    IT must balance commitments to both the organization and its employees

    IT has two roles: to effectively support the broader organization and to function effectively within the department. It therefore has two main stakeholder relationships: the organization it supports and the employees it houses. Hybrid work impacts both. Don't make the mistake of overweighting one relationship at the expense of the other. IT will only function effectively when it addresses both.

    Track your progress with the right metrics

    IT and the organization

    • Business satisfaction with IT
    • Perception of IT value

    Diagnostic tool: Business Vision

    IT and its employees

    • Employee engagement

    Diagnostic tool:
    Employee Engagement Surveys

    This report contains:

    1. IT and the Organization
      1. IT Effectiveness
        in a Hybrid World
      2. The Impact of Hybrid on Infrastructure & Operations
    2. IT and Its Employees
      1. What Hybrid Means for the IT Workforce
      2. Leadership for Hybrid IT Teams

    This report is based on organizations like yours

    The image contains graphs that demonstrate demographics of organizations.

    This report is based on organizations like yours

    The image contains two graphs that demonstrate a breakdown of departments in an organization.

    This report is based on organizations like yours

    The image contains two graphs that demonstrate the workforce type and operating budget.


    This report is based on organizations like yours

    The image contains two graphs that demonstrate organization maturity and effectiveness score.

    At a high level, hybrid work in IT is everywhere

    INDUSTRY

    • Arts & Entertainment (including sports)
    • Retail & Wholesale
    • Utilities
    • Transportation & Warehousing
    • Not-for-Profit (incl. professional associations)
    • Education
    • Professional Services
    • Manufacturing
    • Media, Information, Telecom & Technology
    • Construction
    • Gaming & Hospitality
    • Government
    • Healthcare & Life Sciences
    • Financial Services (incl. banking & insurance)

    ORGANIZATIONAL SIZE

    Small

    <100

    Medium

    101-5,000

    Large

    >5,000

    Employees

    POSITION LEVEL

    • Executive
    • Director
    • Supervisor/Manager
    • Student/Contractor/Team Member

    100% of industries, organizational sizes, and position levels reported some form of hybrid or remote work.

    Work model breakdown at the respondent level

    5% 21% 30% 39% 5%

    No Remote
    Work

    Partial Hybrid

    Balanced Hybrid

    Full Hybrid

    Full Remote

    Work

    n=516

    Industry lens: Work location model

    The image contains a screenshot of a graph that demonstrates the work location model with the work model breakdown at the respondent level.

    Percentage of IT roles currently in a hybrid or remote work arrangement

    The image contains a screenshot of two graphs that demonstrate the percentage of IT roles currently in a hybrid or remote work arrangement.

    Work location model by organization size

    The image contains a screenshot of a graph that demonstrates work location model by organization size.

    Hybrid work options

    The image contains a screenshot of two pie graphs that demonstrate hybrid work options.

    Expense reimbursement

    28% 27% 22% 26% 13% 4%

    None

    Internet/home phone

    Just internet

    Home office setup

    Home utilities

    Other

    NOTES

    n=518

    Home office setup: One-time lump-sum payment

    Home utilities: Gas, electricity, lights, etc.

    Other: Office supplies, portion of home rent/mortgage payments, etc.

    01 TECHNOLOGY

    IT and the Organization

    Section 1

    The promise of hybrid work for IT department effectiveness and the costs of making it happen

    In this section:

    1. IT Effectiveness in a Hybrid World
    2. The Impact of Hybrid on Infrastructure & Operations

    Hybrid work models in IT bolster effectiveness

    IT’s effectiveness, meaning its ability to enable organizational goal attainment, is its ultimate success metric. In the post-pandemic world, this indicator is intimately tied to IT’s work location model, as well as IT’s ability to support the work location model used by the broader organization.

    In 2022, 90% of organizations have embraced some form of hybrid work (n=516). And only a small contingent of IT departments have more than 90% of roles still working completely in office, with no remote work offered (n=515).

    This outcome was not unexpected, given the unprecedented success of remote work during the pandemic. However, the implications of this work model were far less certain. Would productivity remain once the threat of layoffs had passed? Would hybrid work be viable in the long term, once the novelty wore off? Would teams be able to function collaboratively without meeting face to face? Would hybrid allow a great culture
    to continue?

    All signs point to yes. For most IT departments, the benefits of hybrid work outweigh its costs. IT is significantly more effective when some degree of remote or hybrid work is present.

    The image contains a screenshot of a graph on how hybrid work models in IT bolster effectiveness.

    n=518

    Remote Work Effectiveness Paradox

    When IT itself works fully onsite, lower effectiveness is reported (6.2). When IT is tasked with supporting fully, 100% remote organizations (as opposed to being fully remote only within IT), lower effectiveness is reported then as well (5.9). A fully remote organization means 100% virtual communication, so the expectations placed on IT increase, as do the stakes of any errors. Of note, hybrid work models yield consistent effectiveness scores when implemented at both the IT and organizational levels.

    IT has risen to the challenge of hybrid

    Despite the challenges initially posed by hybrid and remote organizations, IT has thrived through the pandemic and into this newly common workplace.

    Most organizations have experienced an unchanged or increased level of service requests and incidents. However, for the majority of organizations, service desk support has maintained (58%) or improved (35%). Only 7% of IT organizations report decreased service desk support.

    Is your service desk able to offer the same level of support compared to the pre-pandemic/pre-hybrid work model?

    The image contains a screenshot of a graph that demonstrates service desk levels.

    How has the volume of your service requests/incidents changed?

    The image contains a screenshot of a graph that demonstrates volume of service requests/incidents changed.

    Has hybrid work impacted your customer satisfaction scores?

    The image contains a graph that demonstrates if hybrid work impacted customer satisfaction scores.

    Industry lens: Volume of service requests

    It is interesting to note that service request volumes have evolved similarly across industries, mirroring the remarkable consistency with which hybrid work has been adopted across disparate fields, from construction to government.

    Of note are two industries where the volume of service requests mostly increased: government and media, information, telecom & technology.

    With the global expansion of digital products and services through the pandemic, it’s no surprise to see volumes increase for media, information, telecom & technology. With government, the shift from on premises to rapid and large-scale hybrid or remote work for administrative and knowledge worker roles likely meant additional support from IT to equip employees and end users with the necessary tools to carry out work offsite.

    How has the volume of your service requests/incidents changed?

    The image contains a screenshot of a graph that demonstrates the volume of service requests/incidents changed.

    The transition to hybrid was worth the effort

    Hybrid and remote work have been associated with greater productivity and organizational benefits since before the pandemic. During emergency remote work, doubts arose about whether productivity would be maintained under such extreme circumstances and were quickly dispelled. The promise of remote productivity held up.

    Now, cautiously entering a “new normal,” the question has emerged again. Will long-term hybrid work bring the same benefits?

    The expectations have held up, with hybrid work benefits ranging from reduced facilities costs to greater employee performance.

    Organizational hybrid work may place additional strain on IT,
    but it is clear IT can handle the challenge. And when it does,
    the organizational benefits are tremendous.

    88% of respondents reported increased or consistent Infrastructure & Operations customer satisfaction scores.

    What benefits has the organization achieved as a result of moving to a hybrid work model?

    The image contains a bar graph that demonstrates the benefits of a hybrid work model.

    n=487

    Hybrid has sped up modernization of IT processes and infrastructure

    Of the organizations surveyed, the vast majority reported significant changes to both the process and the technology side of IT operations. Four key processes affected by the move to hybrid were:

    • Incident management
    • Service request support
    • Asset management
    • Change management

    Within Infrastructure & Operations, the area with the greatest degree
    of change was network architecture (reported by 44% of respondents), followed closely by service desk (41%) and recovery workspaces and mitigations (40%).

    63% of respondents reported changes to conference room technology to support hybrid meetings.

    n=496

    IT Infrastructure & Operations changes, upgrades, and modernization

    The image contains a screenshot of a bar graph that demonstrates IT Infrastructure & Operations Changes, Upgrades, and Modernizations.

    What process(es) had the highest degree of change in response to supporting hybrid work?

    The image contains a screenshot of a bar graph that demonstrates the highest degree of change in response to supporting hybrid work.

    Hybrid has permanently changed deployment strategy

    Forty-five percent of respondents reported significant changes to deployment as a result of hybrid work, with an additional 42% reporting minor changes. Only 13% of respondents stated that their deployment processes remained unchanged following the shift to hybrid work.

    With the ever-increasing globalization of business, deployment modernization practices such as the shift to zero touch are no longer optional or a bonus. They are a critical part of business operation that bring efficiency benefits beyond just supporting hybrid work.

    The deployment changes brought on by hybrid span across industries. Even in manufacturing, with the greatest proportion of respondents reporting “no change” to deployment practices (33%), most organizations experienced some degree of change.

    Has a hybrid work model led you to make any changes to your deployment, such as zero touch, to get equipment to end users?

    The image contains a graph to demonstrate if change was possible with hybrid models.

    Industry lens: Deployment changes

    Has a hybrid work model led you to make any changes to your deployment, such as zero touch, to get equipment to end users?

    The image contains a screenshot of a graph that demonstrates deployment changes at an industry lens.

    Hybrid work has accelerated organizational digitization

    Over half of respondents reported significantly decreased reliance on printed copies as a result of hybrid. While these changes were on the horizon for many organizations even before the pandemic, the necessity of keeping business operations running during lockdowns meant that critical resources could be invested in these processes. As a result, digitization has leapt forward.

    This represents an opportunity for businesses to re-evaluate their relationships with printing vendors. Resources spent on printing can be reduced or reallocated, representing additional savings as a result of moving to hybrid. Additionally, many respondents report a willingness – and ability – from vendors to partner with organizations in driving innovation and enabling digitization.

    With respect to changes pertaining to hard copies/printers as a result of your hybrid work model:

    The image contains a screenshot of a bar graph that demonstrates how hybrid work has accelerated organizational digitization.

    Hybrid work necessitates network and communications modernization

    The majority (63%) of respondents reported making significant changes to conference room technology as a result of hybrid work. A significant proportion (30%) report that such changes were not needed, but this includes organizations who had already set up remote communication.

    An important group is the remaining 8% of respondents, who cite budgetary restrictions as a key barrier in making the necessary technology upgrades. Ensure the business case for communication technology appropriately reflects the impact of these upgrades, and reduce the impact of legacy technology where possible:

    • Recognize not just meeting efficiency but also the impact on culture, engagement, morale, and external and internal clients.
    • Connect conference room tech modernization to the overall business goals and work it into the IT strategy.
    • Leverage the scheduling flexibility available in hybrid work arrangements to reduce reliance on inadequate conference technology by scheduling in-person meetings where possible and necessary.

    Have you made changes/upgrades
    to the conference room technology to support hybrid meetings?
    (E.g. Some participants joining remotely, some participants present in a conference room)

    The image contains a screenshot of a graph that demonstrates if network and communications modernization was needed.

    How we can help

    Metrics

    Resources

    Create a Work-From-Anywhere IT Strategy

    Stabilize Infrastructure & Operations During Work-From-Anywhere

    Sustain Work-From-Home in the New Normal

    Establish a Communication & Collaboration Systems Strategy

    Modernize the Network

    Simplify Remote Deployment With Zero-Touch Provisioning

    For a comprehensive list of resources, visit
    Info-Tech’s Hybrid Workplace Research Center

    02 PEOPLE

    IT and Its Employees

    Section 2

    Cultivate the dream team in a newly hybrid world

    In this section:

    1. What Hybrid Means for the IT Workforce
    2. Leadership for IT Hybrid Teams

    Hybrid means permanent change to how IT hires

    Since before the pandemic, the intangibles of having a job that works with your lifestyle have been steadily growing in importance. Considerations like flexible work options, work-life balance, and culture are more important to employees now than they were two years ago, and employers must adapt.

    Salary alone is no longer enough to recruit the best talent, nor is it the key to keeping employees engaged and productive. Hybrid work options are the single biggest concern for IT professionals seeking new employment, just edging out salary. This means employers must not offer just some work flexibility but truly embrace a hybrid environment.

    The image contains a screenshot of several graphs that compare results from 2019 to 2021 on what is important to employees.

    What are you considering when looking at a potential employer?

    The image contains a screenshot of a bar graph that demonstrates what needs to be considered when looking at a potential employer.

    A recession may not significantly impact hybrid work decisions overall

    Declining economic conditions suggest that a talent market shift may be imminent. Moving toward a recession may mean less competition for top talent, but this doesn't mean hybrid will be left behind as a recruitment tactic.

    Just over half of IT organizations surveyed are considering expanding hybrid work or moving to fully remote work even in a recession. Hybrid work is a critical enabler of organizational success when resources are scarce, due to the productivity benefits and cost savings it has demonstrated. Organizations that recognize this and adequately invest in hybrid tools now will have equipped themselves with an invaluable tool for weathering a recession storm, should one come.

    What impact could a potential recession in the coming year have on your decisions around your work location?

    The image contains a screenshot of a graph that demonstrates the potential impact of a recession.

    Hybrid work may help small organizations in a declining economy

    The potential for a recession has a greater impact on the workforce decisions of small organizations. They likely face greater financial pressures than medium and large-sized organizations, pressures that could necessitate halting recruitment efforts or holding firm on current salaries and health benefits.

    A reliance on intangible benefits, like the continuation of hybrid work, may help offset some of negative effects of such freezes, including the risk of lower employee engagement and productivity. Survey respondents indicated that hybrid work options (47%) were slightly more important to them than salary/compensation (46%) and significantly more important than benefits (29%), which could work in favor of small organizations in keeping the critical employees needed to survive an economic downturn.

    Small

    Medium Large
    90% 82% 66%

    Currently considering some form of hiring/salary freeze or cutbacks, if a recession occurs

    NOTES

    n=520

    Small: <101 employees

    Medium: 101-5000 employees

    Large: >5,000 employees

    Hybrid mitigates the main challenge of remote work

    One advantage of hybrid over remote work is the ability to maintain an in-office presence, which provides a failsafe should technology or other barriers stand in the way of effective distance communication. To take full advantage of this, teams should coordinate tasks with location, so that employees get the most out of the unique benefits of working in office and remotely.

    Activities to prioritize for in-office work:

    • Collaboration and brainstorming
    • Team-building activities
    • Introductions and onboarding

    Activities to prioritize for remote work:

    • Individual focus time

    As a leader, what are your greatest concerns with hybrid work?

    The image contains a bar graph that demonstrates concerns about hybrid work as an employer.

    Hybrid necessitates additional effort by managers

    When it comes to leading a hybrid team, there is no ignoring the impact of distance on communication and team cohesion. Among leaders’ top concerns are employee wellbeing and the ability to pick up on signs of demotivation among team members.

    The top two tactics used by managers to mitigate these concerns center on increasing communication:

    • Staying available through instant messaging.
    • Increasing team meetings.

    Tactics most used by highly effective IT departments

    The image contains a screenshot of tactics most used by highly effective IT departments.

    Team success is linked to the number of tools at the manager’s disposal

    The most effective hybrid team management tools focus on overcoming the greatest obstacle introduced by remote work: barriers to communication and connection.

    The most effective IT organizations use a variety of tactics. For managers looking to improve hybrid team effectiveness, the critical factor is less the tactic used and more the ability to adapt their approach to their team’s needs and incorporate team feedback. As such, IT effectiveness is linked to the total number of tactics used by managers.

    IT department effectiveness

    The image contains a screenshot of a graph that demonstrates IT department effectiveness.

    Autonomy is key to hybrid team success

    Not all hybrid work models are created equal. IT leaders working with hybrid teams have many decisions to make, from how many days will be spent in and out of office to how much control employees get over which days they work remotely.

    Employee and manager preferences are largely aligned regarding the number of days spent working remotely or onsite: Two to three days in office is the most selected option for both groups, although overall manager preferences lean slightly toward more time spent in office.

    Comparison of leader and employee preference for days in-office

    The image contains a screenshot of a graph that compares leader and employee preference for days in-office.

    Do employees have a choice in the days they work in office/offsite?

    The image contains a screenshot of a graph that demonstrates if employees have a choice in the days they work in office or offsite.

    For most organizations, employees get a choice of which days they spend working remotely. This autonomy can range from complete freedom to a choice between several pre-approved days depending on team scheduling needs.

    Work is still needed to increase autonomy in hybrid teams

    Organizations’ success in establishing hybrid team autonomy varies greatly post pandemic. Responses are roughly equally split between staff feeling more, less, or the same level of autonomy as before the pandemic. Evaluated in the context of most organizations continuing a hybrid approach, this leads to the conclusion that not all hybrid implementations are being conducted equally effectively when it comes to employee empowerment.

    As an employee, how much control do you have over the decisions related to where, when, and how you work currently?

    The image contains a screenshot of a graph that demonstrates autonomy in hybrid teams.

    Connectedness in hybrid teams lags behind

    A strong case can be made for fostering autonomy and empowerment on hybrid teams. Employees who report lower levels of control than before the pandemic also report lower engagement indicators, such as trust in senior leadership, motivation, and intention to stay with the organization. On the other hand, employees experiencing increased levels of control report gains in these areas.

    The only exception to these gains is the sense of team connectedness, which employees experiencing more control report as lower than before the pandemic. A greater sense of connectedness among employees reporting decreased control may be related to more mandatory in-office time or a sense of connection over shared team-level disengagement.

    These findings reinforce the need for hybrid teams to invest in team building and communication practices and confirm that significant benefits are to be had when a sense of autonomy can be successfully instilled.

    Employees who experience less control than before the pandemic report lowered engagement indicators ... except sense of connectedness

    The image contains a screenshot of a graph that demonstrates less control, means lowered engagement.

    Employees who experience more control than before the pandemic report increased engagement indicators ... except sense of connectedness

    The image contains a screenshot of a graph that demonstrates more control, means increased engagement.

    Case study: Hybrid work at Microsoft Canada

    The Power of Intentionality

    When the pandemic hit, technology was not in question. Flexible work options had been available and widely used, and the technology to support them was in place.

    The leadership team turned their focus to ensuring their culture survived and thrived. They developed a laser-focused approach for engaging their employees by giving their leaders tools to hold conversations. The dialogue was ongoing to allow the organization to adapt to the fast pace of changing conditions.

    Every tactic, plan, and communication started with the question, “What outcome are we striving for?”

    With a clear outcome, tools were created and leaders supported to drive the desired outcome.

    “We knew we had the technology in place. Our concern was around maintaining our strong culture and ensuring continued engagement and connection with our employees.”

    Lisa Gibson, Chief of Staff, Microsoft Canada

    How we can help

    Metrics

    Resources

    Webinar: Effectively Manage Remote Teams

    Build a Better Manager: Manage Your People

    Info-Tech Leadership Training

    Adapt Your Onboarding Process to a Virtual Environment

    Virtual Meeting Primer

    For a comprehensive list of resources, visit
    Info-Tech’s Hybrid Workplace Research Center

    Recommendations

    The last two years have been a great experiment, but it’s not over.

    BE INTENTIONAL

    • Build a team charter on how and when to communicate.
    • Create necessary tools/templates.

    INVOLVE EMPLOYEES

    • Conduct surveys and focus groups.
      Have conversations to understand sentiment.

    ALLOW CHOICE

    • Provide freedom for employees to have some level of choice in hybrid arrangements.

    BE TRANSPARENT

    • Disclose the rationale.
    • Share criteria and decision making.

    Info-Tech Insight

    Hybrid and remote teams require more attention, connection, and leadership from managers. The shift from doing the day-to-day to effectively leading is critical for the success of nontraditional work models. As hybrid and remote work become engrained in society, organizations must ensure that the concept of the “working manager” is as obsolete as the rotary telephone.

    Bibliography

    “8 Unexpected Benefits of Online Learning for Development.” Center for Creative Leadership (CCL), 14 Oct. 2020. Accessed 5 Nov. 2021.
    “2021 Global Workplace Report.” NTT, 2021. Accessed 6 July 2022.
    “Advantages of Online Learning for Leadership Development: What Our Research Says.” CCL, 8 Dec. 2020. 5 Nov. 2021.
    “Annual Work Trend Index Report – Great Expectations: Making Hybrid Work Work.” Microsoft WorkLab, 2022. Accessed 6 July 2022.
    Aten, Jason. “Google’s Employees Return to the Office Today. This Former Exec Says Hybrid Work Won’t Last.” Inc.Com, 4 April 2022. Web.
    Bariso, Justin. “Google Spent 2 Years Researching What Makes a Great Remote Team. It Came Up With These 3 Things.” Inc.Com, 8 April 2019. Web.
    Berger, Chloe. “What Is ‘Hybrid Guilt’? Going to Office Part-Time May Be Worst Option.” Fortune, 22 Aug. 2022. Web.
    Brodkin, Jon. “After Remote-Work Ultimatum, Musk Reveals Plan to Cut 10% of Tesla Jobs.” Ars Technica, 3 June 2022. Web.
    Brown, Brené, host. “Brené with Scott Sonenshein on Why We’ll Never Be the Same Again (and Why It’s Time to Talk About It).” Dare to Lead with Brené Brown, 11 April 2022. Brené Brown, https://brenebrown.com/podcast/why-well-never-be-the-same-again-and-why-its-time-to-talk-about-it/.
    Burgess, Mark. “Most Asset Managers Operating Under Hybrid Work Model: Survey.” Advisor’s Edge, 13 Sept. 2022. Web.
    Caminiti, Susan. “Workers Want Hybrid but Say It’s Exhausting Them. Here’s How Companies Can Fix That.” CNBC, 8 Feb. 2022. Web.
    Capossela, Chris. “The next Chapter of Our Hybrid Workplace: Update on Our Washington State Work Sites.” The Official Microsoft Blog, 14 Feb. 2022. Web.
    Carrigan, John. “Meta Embraces ‘Work From Anywhere’ Ahead of Return to Office.” Human Resources Director, 25 March 2022. Web.
    Chaturvedi, H., and Ajoy Kumar Dey. The New Normal: Reinventing Professional Life and Familial Bonding in the Post COVID 19 Era. Bloomsbury Publishing, 2021.
    Commonwealth of Massachusetts. “Alternative Work Options.” Mass.Gov, n.d. Accessed 17 Sept. 2022.
    Commonwealth of Massachusetts. “Hybrid Work for Commonwealth Employees.” Mass.Gov, n.d. Accessed 17 Sept. 2022.
    “COVID-19 and the Future of Business.” IBM, 21 Sept. 2020. Web.
    Daniel, Will. “The Layoffs at Tesla Show That White-Collar Workers Are Screwed, Hedge Funder Famous from ‘The Big Short’ Predicts.” Fortune, 29 June 2022. Web.
    D’Auria, Gemma, and Aaron De Smet. “Leadership in a Crisis: Responding to Coronavirus.” McKinsey, 16 March 2020. Web.
    Dave, Paresh. “Google Mandates Workers Back to Silicon Valley, Other Offices from April 4.” Reuters, 3 March. 2022. Web.
    Delaney, Kevin. “What We Know Now About the Business Impact of Hybrid Work.” Time, 6 Sept. 2022. Web.
    Dobson, Sarah. “Legal Considerations for Hybrid Work.” Canadian HR Reporter, 15 Sept. 2022. Web.
    Dondo, Jean. “Hybrid Work Is the Way for More Than a Quarter of Canadian Investment Firms.” Wealth Professional, 14 Sept. 2022. Web.
    Elias, Jennifer. “Twitter to Reopen Offices March 15, Though Remote Work Remains an Option.” CNBC, 3 March 2022. Web.
    Esade Business & Law School. “Leadership After Covid-19: Learning To Navigate The Unknown Unknowns.” Forbes, 30 March 2021. Web.
    “Famous Companies Without Offices.” The Hoxton Mix, 19 Oct. 2021. Web.
    Gerdeman, Dina. “COVID Killed the Traditional Workplace. What Should Companies Do Now?” HBS Working Knowledge, 8 March 2021. Web.
    Gleason, Mike. “Apple’s Hybrid Work Plans Draw Worker Pushback.” SearchUnifiedCommunications, TechTarget, 24 Aug. 2022. Web.
    Gleeson, Brent. “13 Tips For Leading And Managing Remote Teams.” Forbes, 26 Aug. 2020. Web.
    Gratton, Lynda. “How to Do Hybrid Right.” Harvard Business Review, 1 May 2021. Web.
    “Guide: Understand team effectiveness.” re:Work, Google, n.d. Accessed 5 Nov. 2021.
    Hardy, Karen. “Your Business Has Decided on Hybrid Work… Now What?” CIO, 12 Sept. 2022. Web.
    Hirsch, Arlene S. “How to Boost Employee Performance in a Hybrid Work Environment.” SHRM, 6 Sept. 2022. Web.
    “How to Get Hybrid Work Right.” CBRE Canada, 14 June 2022. Web.
    “Hybrid Work: When Freedom Benefits from Rules.” Audi, 12 Sept. 2022. Accessed 18 Sept. 2022.
    “Hybrid Workplace | Global Culture Report.” O.C. Tanner, 2022, Web.
    “Intel Is Hiring for Various Roles with Temporary Remote Work Benefits.” SightsIn Plus, 11 June 2022. Web.
    Iyer, Viswanathan. “Council Post: Hybrid Work: Beyond The Point Of No Return.” Forbes, 14 Sept. 2022. Web.
    Johnson, Ricardo. “Securing Hybrid Work All Starts with Zero-Trust.” SC Media, 29 Aug. 2022. Web.
    Jones, Jada. “The Rules of Work Are Changing, and Hybrid Work Is Winning.” ZDNET, 1 Sept. 2022. Web.
    Kowitt, Beth. “Inside Google’s Push to Nail Hybrid Work and Bring Its 165,000-Person Workforce Back to the Office Part-Time.” Fortune, 17 May 2022. Web.
    Kumra, Gautam, and Diaan-Yi Lin. “The Future of (Hybrid) Work.” McKinsey, 2 Sept. 2022. Web.
    Lagowska, Urszula, et al. “Leadership under Crises: A Research Agenda for the Post-COVID-19 Era.” Brazilian Administration Review, vol. 17, no. 2, Aug. 2020. Web.
    Larson, Barbara Z., et al. “A Guide to Managing Your (Newly) Remote Workers.” Harvard Business Review, 18 March 2020. Web.
    “Leadership During COVID-19: Resources for Times of Uncertainty.” CCL, n.d. Accessed 5 Nov. 2021.
    “Managing Remote Employees: How to Lead From a Distance.” CCL, 7 April 2020. Accessed 5 Nov. 2021.
    “Managing Remote Teams.” Know Your Team, n.d. Web. Accessed 5 Nov. 2021.
    Mayhem, Julian. “Virtual Leadership - Essential Skills for Managing Remote Teams.” VirtualSpeech, 4 Nov. 2020. Web.
    McKendrick, Joe. “Keeping Hybrid Workers In Sync, Digitally And In-Person.” Forbes, 22 Aug. 2022. Web.
    McKenna, Karissa, et al. “Webinar: Build Leadership Skills for the New World of Work.” CCL, 15 June 2020. Accessed 5 Nov. 2021.
    Mearian, Lucas. “Microsoft Edges Back to ‘Normal’ with Workplace Reopening Plan.” Computerworld, 14 Feb. 2022. Web.
    “Meta Careers.” Meta, n.d. Accessed 17 Sept. 2022.
    Miller, Mark. “5 Tips to Make Your Hybrid Work Model More Effective.” Entrepreneur, 25 Aug. 2022. Web.
    Nica, Irina. “How to Manage a Remote Team: 14 Effective Tips for Your Business.” Business 2 Community, 8 July 2021. Web.
    O’Halloran, Joe. “Organisations Struggle to Support IT in a Hybrid Work Model.” ComputerWeekly.com, 17 June 2022. Web.
    Ong, Ivan. “Council Post: Why Hybrid Work Is The Way To Go.” Forbes, 12 Sept. 2022. Web.
    Osborne, Charlie. “The End of Fully Remote Work? Google Begins Shift to the Hybrid Office.” ZDNet. 3 March 2022. Web.
    Pazzanese, Christina. “Back to Office? Stay Remote? Go Hybrid?” Harvard Gazette, 24 Aug. 2022. Web.
    “PinFlex.” Pinterest Careers, n.d. Accessed 17 Sept. 2022.
    Rand, Ben. “Does Hybrid Work Actually Work? Insights from 30,000 Emails.” Harvard Business School – Working Knowledge, 6 Sept. 2022. Web.
    “Remote Locations, Working with Flexibility.” Amazon.jobs, n.d. Accessed 17 Sept. 2022.
    Renjen, Punit. “The Heart of Resilient Leadership: Responding to COVID-19.” Deloitte Insights, 16 March 2020. Web.
    Shih, Clara. “Keeping Hybrid Employees Engaged.” Harvard Business Review, 11 Aug. 2022. Web.
    Singerman, Michelle. “Is the Hybrid Work Model Working? CPAs Spill the Beans.” Chartered Professional Accountants Canada, 24 Aug. 2022. Web.
    Stern, Stefan. “Hybrid Working: Why the Office-Home Balance Is Still a Challenge.” Financial Times, 4 Sept. 2022.
    Subramaniam, Vanmala, et al. “Ready to Go Back to the Office? Employers and Workers Are Divided over the Fate of Remote Work.” The Globe and Mail, 1 Sept. 2022. Web.
    Tong, Goh Chiew. “Inflation and Hybrid Work ‘skyrocketed’ Demand for Flexible Workspace, WeWork Says.” CNBC, 6 Sept. 2022. Web.
    Tsipursky, Gleb. “Commentary: The Psychology behind Why Some Leaders Are Resisting a Hybrid Work Model.” Fortune, 8 June 2021. Web.
    Turner, Jack. “Tesla Doubles Down on Remote Working Ban, Tracks Office Attendance.” Tech.Co, 3 July 2022. Web.
    “Virtual Leadership Styles for Remote Businesses.” Maryville Online, 4 Feb. 2021. Web.
    “Webinar: How Leaders Can Build Organizational Resilience.” CCL, 15 June 2020. Accessed 5 Nov. 2021.
    “Why GitLab Uses the Term All-Remote to Describe Its 100% Remote Workforce.” GitLab, 2022. Accessed 17 Sept. 2022.
    Wigert, Ben, and Sangeeta Agrawal. “Returning to the Office: The Current, Preferred and Future State of Remote Work.” Gallup, 31 Aug. 2022. Web.
    Wingard, Jason. “Elon Musk’s Big Bet Against Remote Work: Will Tesla Win?” Forbes, 4 June 2022. Web.

    Enterprise Network Design Considerations

    • Buy Link or Shortcode: {j2store}502|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Network Management
    • Parent Category Link: /network-management

    Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

    Our Advice

    Critical Insight

    The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

    Impact and Result

    Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

    Enterprise Network Design Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Network Design Considerations Deck – A brief deck that outlines key trusts and archetypes when considering enterprise network designs.

    This blueprint will help you:

    • Enterprise Network Design Considerations Storyboard

    2. Enterprise Network Roadmap Technology Assessment Tool – Build an infrastructure assessment in an hour.

    Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

    • Enterprise Network Roadmap Technology Assessment Tool
    [infographic]

    Further reading

    Enterprise Network Design Considerations

    It is not just about connectivity.

    Executive Summary

    Info-Tech Insight

    Connectivity and security are tightly coupled

    Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

    Many services are no longer within the network

    The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

    Users are demanding an anywhere, any device access model

    Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

    Enterprise networks are changing

    The new network reality

    The enterprise network of 2020 and beyond is changing:

    • Services are becoming more distributed.
    • The number of services provided “off network” is growing.
    • Users are more often remote.
    • Security threats are rapidly escalating.

    The above statements are all accurate for enterprise networks, though each potentially to differing levels depending on the business being supported by the network. Depending on how affected the network in question currently is and will be in the near future, there are different common network archetypes that are best able to address these concerns while delivering business value at an appropriate price point.

    High-Level Design Considerations

    1. Understand Business Needs
    2. Understand what the business needs are and where users and resources are located.

    3. Define Your Trust Model
    4. Trust is a spectrum and tied tightly to security.

    5. Align With an Archetype
    6. How will the network be deployed?

    7. Understand Available Tooling
    8. What tools are in the market to help achieve design principles?

    Understand business needs

    Mission

    Never ignore the basics. Start with revisiting the mission and vision of the business to address relevant needs.

    Users

    Identify where users will be accessing services from. Remote vs. “on net” is a design consideration now more than ever.

    Resources

    Identify required resources and their locations, on net vs. cloud.

    Controls

    Identify required controls in order to define control points and solutions.

    Define a trust model

    Trust is a spectrum

    • There is a spectrum of trust, from fully trusted to not trusted at all. Each organization must decide for their network (or each area thereof) the appropriate level of trust to assign.
    • The ease of network design and deployment is directly proportional to the trust spectrum.
    • When resources and users are outside of direct IT control, the level of appropriate trust should be examined closely.

    Implicit

    Trust everything within the network. Security is perimeter based and designed to stop external actors from entering the large trusted zone.

    Controlled

    Multiple zones of trust within the network. Segmentation is a standard practice to separate areas of higher and lower trust.

    Zero

    Verify trust. The network is set up to recognize and support the principle of least privilege where only required access is supported.

    Align with an archetype

    Archetypes are a good guide

    • Using a defined archetype as a guiding principle in network design can help clarify appropriate tools or network structures.
    • Different aspects of a network can have different archetypes where appropriate (e.g. IT vs. OT [operational technology] networks).

    Traditional

    Services are provided from within the traditional network boundaries and security is provided at the network edge.

    Hybrid

    Services are provided both externally and from within the traditional network boundaries, and security is primarily at the network edge.

    Inverted

    Services are provided primarily externally, and security is cloud centric.

    Traditional networks

    Resources within network boundaries

    Moat and castle security perimeter

    Abstract

    A traditional network is one in which there are clear boundaries defined by a security perimeter. Trust can be applied within the network boundaries as appropriate, and traffic is generally routed through internally deployed control points that may be centralized. Traditional networks commonly include large firewalls and other “big iron” security and control devices.

    Network Design Tenets

    • The full network path from resource to user is designed, deployed, and controlled by IT.
    • Users external to the network must first connect to the network to gain access to resources.
    • Security, risk, and trust controls will be implemented by internal enterprise hardware/software devices.

    Control

    In the traditional network, it is assumed that all required control points can be adequately deployed across hardware/software that is “on prem” and under the control of central IT.

    Info-Tech Insight

    With increased cloud services provided to end users, this network is now more commonly used in data centers or OT networks.

    Traditional networks

    The image contains an example of what traditional networks look like, as described in the text below.

    Defining Characteristics

    • Traffic flows in a defined path under the control of IT to and from central IT resources.
    • Due to visibility into, and the control of, the traffic between the end user and resources, IT can relatively simply implement the required security controls on owned hardware.

    Common Components

    • Traditional offices
    • Remote users/road warriors
    • Private data center/colocation space

    Hybrid networks

    Resources internal and external to network

    Network security perimeter combined with cloud protection

    Abstract

    A hybrid network is one that combines elements of a traditional network with cloud resources. As some of these resources are not fully under the control of IT and may be completely “offnet” or loosely coupled to the on-premises network, the security boundaries and control points are less likely to be centralized. Hybrid networks allow the flexibility and speed of cloud deployment without leaving behind traditional network constructs. This generally makes them expensive to secure and maintain.

    Network Design Tenets

    • The network path from resource to user may not be in IT’s locus of control.
    • Users external to the network must first connect to the network to gain access to internal resources but may directly access publicly hosted ones.
    • Security, risk, and trust controls may potentially be implemented by a mixture of internal enterprise hardware/software devices and external control points.

    Control

    The hallmark of a hybrid network is the blending of public and private resources. This blending tends to necessitate both public and private points of control that may not be homogenous.

    Info-Tech Insight

    With multiple control points to address, take care in simplifying designs while addressing all concerns to ease operational load.

    Hybrid networks

    The image contains an example of what hybrid networks look like, as described in the text below.

    Defining Characteristics

    • Traffic flows to central resources across a defined path under the control of IT.
    • Traffic to cloud assets may be partially under the control of IT.
    • For central resources, the traffic to and from the end user can have the required security controls relatively simply implemented on owned hardware.
    • For public cloud assets, IT may or may not have some control over part of the path.

    Common Components

    • Traditional offices
    • Remote users/road warriors
    • Private data center/colocation space
    • Public cloud assets (IaaS/PaaS/SaaS)

    Inverted perimeter

    Resources primarily external to the network

    Security control points are cloud centric

    Abstract

    An inverted perimeter network is one in which security and control points cover the entire workflow, on or off net, from the consumer of services through to the services themselves with zero trust. Since the control plane is designed to encompass the workflow in a secure manner, much of the underlying connectivity can be abstracted. In an extreme version of this deployment, IT would abstract end-user access, and any cloud-based or on-premises resources would be securely published through the control plane with context-aware precision access.

    Network Design Tenets

    • The network path from resource to user is abstracted and controlled by IT through services like secure access service edge (SASE).
    • Users only need internet access and appropriate credentials to gain access to resources.
    • Security, risk, and trust controls will be implemented through external cloud based services.

    Control

    An inverted network abstracts the lower-layer connectivity away and focuses on implementing a cloud-based zero trust control plane.

    Info-Tech Insight

    This model is extremely attractive for organizations that consume primarily cloud services and have a large remote work force.

    Inverted networks

    The image contains an example of what inverted networks look like, as described in the text below.

    Defining Characteristics

    • The end user does not have to be in a defined location.
    • All central resources that are to be accessed are hosted on cloud resources.
    • IT has little to no control of the path between the end user and central resources.

    Common Components

    • Traditional offices
    • Regent offices/shared workspaces
    • Remote users/road warriors
    • Public cloud assets (IaaS/PaaS/SaaS)

    Understand available tooling

    Don’t buy a hammer and go looking for nails

    • A network archetype must be defined in order to understand what tools (hardware or software) are appropriate for consideration in a network build or refresh.
    • Tools are purpose built and generally designed to solve specific problems if implemented and operated correctly. Choose the tools to align with the challenges that you are solving as opposed to choosing tools and then trying to use those purchases to overcome challenges.
    • The purchase of a tool does not allow for abdication of proper design. Tools must be chosen appropriately and integrated properly to orchestrate the best solutions. Purchasing a tool and expecting the tool to solve all your issues rarely succeeds.

    “It is essential to have good tools, but it is also essential that the tools should be used in the right way.” — Wallace D. Wattles

    Software-defined WAN (SD-WAN)

    Simplified branch office connectivity

    Archetype Value: Traditional Networks

    What It Is Not

    SD-WAN is generally not a way to slash spending by lowering WAN circuit costs. Though it is traditionally deployed across lower cost access, to minimize risk and realize the most benefits from the platform many organizations install multiple circuits with greater bandwidths at each endpoint when replacing the more costly traditional circuits. Though this maximizes the value of the technology investment, it will result in the end cost being similar to the traditional cost plus or minus a small percentage.

    What It Is

    SD-WAN is a subset of software-defined networking (SDN) designed specifically to deploy a secure, centrally managed, connectivity agnostic, overlay network connecting multiple office locations. This technology can be used to replace, work in concert with, or augment more traditional costly connectivity such as MPLS or private point to point (PtP) circuits. In addition to the secure overlay, SD-WAN usually also enables policy-based, intelligent controls, based on traffic and circuit intelligence.

    Why Use It

    You have multiple endpoint locations connected by expensive lower bandwidth traditional circuits. Your target is to increase visibility and control while controlling costs if and where possible. Ease of centralized management and the ability to more rapidly turn up new locations are attractive.

    Cloud access security broker (CASB)

    Inline policy enforcement placed between users and cloud services

    Archetype Value: Hybrid Networks

    What It Is Not

    CASBs do not provide network protection; they are designed to provide compliance and enforcement of rules. Though CASBs are designed to give visibility and control into cloud traffic, they have limits to the data that they generally ingest and utilize. A CASB does not gather or report on cloud usage details, licencing information, financial costing, or whether the cloud resource usage is aligned with the deployment purpose.

    What It Is

    A CASB is designed to establish security controls beyond a company’s environment. It is commonly deployed to augment traditional solutions to extend visibility and control into the cloud. To protect assets in the cloud, CASBs are designed to provide central policy control and apply services primarily in the areas of visibility, data security, threat protection, and compliance.

    Why Use It

    You a mixture of on-premises and cloud assets. In moving assets out to the cloud, you have lost the traditional controls that were implemented in the data center. You now need to have visibility and apply controls to the usage of these cloud assets.

    Secure access service edge (SASE)

    Convergence of security and service access in the cloud

    Archetype Value: Inverted Networks

    What It Is Not

    Though the service will consist of many service offerings, SASE is not multiple services strung together. To present the value proposed by this platform, all functionality proposed must be provided by a single platform under a “single pane of glass.” SASE is not a mature and well-established service. The market is still solidifying, and the full-service definition remains somewhat fluid.

    What It Is

    SASE exists at the intersection of network-as-a-service and network-security-as-a-service. It is a superset of many network and security cloud offerings such as CASB, secure web gateway, SD-WAN, and WAN optimization. Any services offered by a SASE provider will be cloud hosted, presented in a single stack, and controlled through a single pane of glass.

    Why Use It

    Your network is inverting, and services are provided primarily as cloud assets. In a full realization of this deployment’s value, you would abstract how and where users gain initial network access yet remain in control of the communications and data flow.

    Activity

    Understand your enterprise network options

    Activity: Network assessment in an hour

    • Learn about the Enterprise Network Roadmap Technology Assessment Tool
    • Complete the Enterprise Network Roadmap Technology Assessment Tool

    This activity involves the following participants:

    • IT strategic direction decision makers.
    • IT managers responsible for network.
    • Organizations evaluating platforms for mission critical applications.

    Outcomes of this step:

    • Completed Enterprise Network Roadmap Technology Assessment Tool

    Info-Tech Insight

    Review your design options with security and compliance in mind. Infrastructure is no longer a standalone entity and now tightly integrates with software-defined networks and security solutions.

    Build an assessment in an hour

    Learn about the Enterprise Network Roadmap Technology Assessment Tool.

    This workbook provides a high-level analysis of a technology’s readiness for adoption based on your organization’s needs.

    • The workbook then places the technology on a graph that measures both the readiness and fit for your organization. In addition, it provides warnings for specific issues and lets you know if you have considerable uncertainty in your answers.
    • At a glance you can now communicate what you are doing to help the company:
      • Grow
      • Save money
      • Reduce risk
    • Regardless of your specific audience, these are important stories to be able to tell.
    The image contains three screenshots from the Enterprise Network Roadmap Technology Assessment Tool.

    Build an assessment in an hour

    Complete the Enterprise Network Roadmap Technology Assessment Tool.

    Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

    1. Weightings: Adjust the Weighting tab to meet organizational needs. The provided weightings for the overall solution areas are based on a generic firm; individual firms will have different needs.
    2. Data Entry: For each category, answer the questions for the technology you are considering. When you have completed the questionnaire, go to the next tab for the results.
    3. Results: The Enterprise Network Roadmap Technology Assessment Tool provides a value versus readiness assessment of your chosen technology customized to your organization.

    The image contains three screenshots from the Enterprise Network Roadmap Technology Assessment Tool. It has a screenshot for each step as described in the text above.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services

    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap

    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    Leverage your vendor sourcing process to get better results.

    Research Authors

    The image contains a photo of Scott Young.

    Scott Young, Principal Research Advisor, Info-Tech Research Group

    Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

    The image contains a photo of Troy Cheeseman.

    Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

    Bibliography

    Ahlgren, Bengt. “Design considerations for a network of information.” ACM Digital Library, 21 Dec. 2008.

    Cox Business. “Digital transformation is here. Is your business ready to upgrade your mobile work equation?” BizJournals, 1 April 2022. Accessed April 2022.

    Elmore, Ed. “Benefits of integrating security and networking with SASE.” Tech Radar, 1 April 2022. Web.

    Greenfield, Dave. “From SD-WAN to SASE: How the WAN Evolution is Progressing.” Cato Networks, 19 May 2020. Web

    Korolov, Maria. “What is SASE? A cloud service that marries SD-WAN with security.” Network World, 7 Sept. 2020. Web.

    Korzeniowski, Paul, “CASB tools evolve to meet broader set of cloud security needs.” TechTarget, 26 July 2019. Accessed March 2022.

    Go the Extra Mile With Blockchain

    • Buy Link or Shortcode: {j2store}130|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • The transportation and logistics industry is facing a set of inherent flaws, such as high processing fees, fraudulent information, and lack of transparency, that blockchain is set to transform and alleviate.
    • Many companies have FOMO (fear of missing out), causing them to rush toward blockchain adoption without first identifying the optimal use case.

    Our Advice

    Critical Insight

    • Understand how blockchain can alleviate your pain points before rushing to adopt the technology. You have been hearing about blockchain for some time now and are feeling pressured to adopt it. Moreover, the series of issues hindering the transportation and logistics industry, such as the lack of transparency, poor cash flow management, and high processing fees, are frustrating business leaders and thereby adding additional pressure on CIOs to adopt the technology. While blockchain is complex, you should focus on its key features of transparency, integrity, efficiency, and security to identify how it can help your organization.
    • Ensure your use case is actually useful and can be valuable to your organization by selecting a business idea that is viable, feasible, and desirable. Applying design thinking tactics to your evaluation process provides a practical approach that will help you avoid wasting resources (both time and money) and hurting IT’s image in the eyes of the business. While it is easy to get excited and invest in a new technology to help maintain your image as a thought leader, you must ensure that your use case is fully developed prior to doing so.

    Impact and Result

    • Understand blockchain’s transformative potential for the transportation and logistics industry by breaking down how its key benefits can alleviate inherent industry flaws.
    • Identify business processes and stakeholders that could benefit from blockchain.
    • Build and evaluate an inventory of use cases to determine where blockchain could have the greatest impact on your organization.
    • Articulate the value and organizational fit of your proposed use case to the business to gain their buy-in and support.

    Go the Extra Mile With Blockchain Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about blockchain’s transformative potential for the transportation and logistics industry and how Info-Tech will support you as you identify and build your blockchain use case.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate why blockchain can disrupt the transportation and logistics industry

    Analyze the four key benefits of blockchain as they relate to the transportation and logistics industry to understand how the technology can resolve issues being experienced by industry incumbents.

    • Go the Extra Mile With Blockchain – Phase 1: Evaluate Why Blockchain Can Disrupt the Transportation and Logistics Industry
    • Blockchain Glossary

    2. Build and evaluate an inventory of use cases

    Brainstorm a set of blockchain use cases for your organization and apply design thinking tactics to evaluate and select the optimal one to pitch to your executives for prototyping.

    • Go the Extra Mile With Blockchain – Phase 2: Build and Evaluate an Inventory of Use Cases
    • Blockchain Use Case Evaluation Tool
    • Prototype One Pager
    [infographic]

    Enterprise Application Selection and Implementation

    • Buy Link or Shortcode: {j2store}29|cart{/j2store}
    • Related Products: {j2store}29|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.0/10
    • member rating average dollars saved: $37,356
    • member rating average days saved: 34
    • Parent Category Name: Applications
    • Parent Category Link: /applications

    The challenge

    • Large scale implementations are prone to failure. This is probably also true in your company. Typically large endeavors like this overrun the budget, are late to deliver, or are abandoned altogether. It would be best if you manage your risks when starting such a new project.

    Our advice

    Insight

    • Large-scale software implementations continue to fail at very high rates. A recent report by McKinsey & Company estimates that 66% go over budget, 33% over time, and 17% delivered less value than expected. Most companies will survive a botched implementation, but 17% threatened the existence of the company involved.
    • With all the knowledge sharing that we have today with oodles of data at our disposal, we should expect IT-providers to have clear, standardized frameworks to handle these implementations. But projects that overrun by more than 200% still occur more often than you may think.
    • When you solicit a systems integrator (SI), you want to equip yourself to manage the SI and not be utterly dependent on their methodology.

    Impact and results 

    • You can assume proper accountability for the implementation and avoid over-reliance on the systems integrator.
    • Leverage the collective knowledge and advice of additional IT professionals
    • Review the pitfalls and lessons learned from failed integrations.
    • Manage risk at every stage.
    • Perform a self-assessment at various stages of the integration path.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Executive Summary

    Determine the rations for your implementation

    See if a custom-of-the-shelf process optimization makes sense.

    • Storyboard: Govern and Manage an Enterprise Software Implementation (ppt)

    Prepare

    Determine the right (level of) governance for your implementation.

    • Large Software Implementation Maturity Assessment Tool (xls)
    • Project Success Measurement Tool (xls)
    • Risk Mitigation Plan Template (xls)

    Plan and analyze

    Prepare for the overall implementation journey and gather your requirements. Then conduct a stage-gate assessment of this phase.

    • Project Phases Entry and Exit Criteria Checklist Tool (xls)
    • Project Lessons Learned Document (doc)

    Design, build and deploy

    Conduct a stage-gate assessment after every step below.

    • Make exact designs of the software implementation and ensure that all stakeholders and the integrator completely understand.
    • Build the solution according to the requirements and designs.
    • Thoroughly test and evaluate that the implementation meets your business expectations. 
    • Then deploy

    Initiate your roadmap

    Review your dispositions to ensure they align with your goals. 

    • Build an Application Rationalization Framework – Phase 4: Initiate Your Roadmap (ppt)
    • Disposition Prioritization Tool (xls)

    Secure Your Hybrid Workforce

    • Buy Link or Shortcode: {j2store}271|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Many IT and security leaders struggle to cope with the challenges associated with an hybrid workforce and how best to secure it.
    • Understanding the main principles of zero trust: never trust, always verify, assume breach, and verify explicitly.
    • How to go about achieving a zero trust framework.
    • Understanding the premise of SASE as it pertains to a hybrid workforce.

    Our Advice

    Critical Insight

    Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you determine which of the options is a good fit for your organization.

    Impact and Result

    Every organization's strategy to secure their hybrid workforce should include introducing zero trust principles in certain areas. Our unique approach:

    • Assess the suitability of SASE/SSE and zero trust.
    • Present capabilities and feature benefits.
    • Procure SASE product and/or build a zero trust roadmap.

    Secure Your Hybrid Workforce Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure Your Hybrid Workforce Deck – The purpose of the storyboard is to provide a detailed description of the steps involved in securing your hybrid workforce with zero trust.

    The storyboard contains two easy-to-follow steps on securing your hybrid workforce with zero trust, from assessing the suitability of SASE/SSE to taking a step in building a zero trust roadmap.

    • Secure Your Hybrid Workforce – Phases 1-2

    2. Suitability Assessment Tool – A tool to identify whether SASE/SSE or a zero trust roadmap is a better fit for your organization.

    Use this tool to identify your next line of action in securing your hybrid workforce by assessing key components that conforms to the ideals and principles of Zero Trust.

    • Zero Trust - SASE Suitability Assessment Tool

    3. RFP Template – A document to guide you through requesting proposals from vendors.

    Use this document to request proposals from select vendors.

    • Request for Proposal (RFP) Template
    [infographic]

    Further reading

    Secure Your Hybrid Workforce

    SASE as a driver to zero trust.

    Analyst Perspective

    Consolidate your security and network.

    Remote connections like VPNs were not designed to be security tools or to have the capacity to handle a large hybrid workforce; hence, organizations are burdened with implementing controls that are perceived to be "security solutions." The COVID-19 pandemic forced a wave of remote work for employees that were not taken into consideration for most VPN implementations, and as a result, the understanding of the traditional network perimeter as we always knew it has shifted to include devices, applications, edges, and the internet. Additionally, remote work is here to stay as recruiting talent in the current market means you must make yourself attractive to potential hires.

    The shift in the network perimeter increases the risks associated with traditional VPN solutions as well as exposing the limitations of the solution. This is where zero trust as a principle introduces a more security-focused strategy that not only mitigates most (if not all) of the risks, but also eliminates limitations, which would enhance the business and improve customer/employee experience.

    There are several ways of achieving zero trust maturity, and one of those is SASE, which consolidates security and networking to better secure your hybrid workforce as implied trust is thrown out of the window and verification of everything becomes the new normal to defend the business.

    This is a picture of Victor Okorie

    Victor Okorie
    Senior Research Analyst, Security and Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    CISOs are looking to zero trust to fill the gaps associated with their traditional remote setup as well as to build an adaptable security strategy. Some challenges faced include:

    • Understanding the main principles of zero trust: never trust, always verify, assume breach, and verify explicitly.
    • Understanding how to achieve a zero trust framework.
    • Understanding the premise of SASE as it pertains to a hybrid workforce.

    Common Obstacles

    The zero trust journey may seem tedious because of a few obstacles like:

    • Knowing what the principle is all about and the components that align with it.
    • Knowing where to start. Due to the lack of a standardized path for the zero trust journey, going about the journey can be confusing.
    • Not having a uniform definition of what makes up a SASE solution as it is heavily dependent on vendors.

    Info-Tech's Approach

    Info-Tech provides a three-service approach to helping organizations better secure their hybrid workforce.

    • Understand your current, existing technological capabilities and challenges with your hybrid infrastructure, and prioritize those challenges.
    • Gain insight into zero trust and SASE as a mitigation/control/tool to those challenges.
    • Identify the SASE features that are relevant to your needs and a source guide for a SASE vendor.

    Info-Tech Insight

    Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will assist you in determining which of the options is a good fit for your organization.

    Turn your challenges into opportunities

    Hybrid workforce is the new normal

    The pandemic has shown there is no going back to full on-prem work, and as such, security should be looked at differently with various considerations in mind.

    Understand that current hybrid solutions are susceptible to various forms of attack as the threat attack surface area has now expanded with users, devices, applications, locations, and data. The traditional perimeter as we know it has expanded beyond just the corporate network, and as such, it needs a more mature security strategy.

    Onboarding and offboarding have been done remotely, and with some growth recorded, the size of companies has also increased, leading to a scaling issue.

    Employees are now demanding remote work capabilities as part of contract negotiation before accepting a job.

    Attacks have increased far more quickly during the pandemic, and all indications point to them increasing even more.

    Scarce available security personnel in the job market for hire.

    Reality Today

    This image is a circle graph and 67% of it is coloured with the number 67% in the middle of the graph

    The number of breach incidents by identity theft.
    Source: Security Magazine, 2022.

    This image is a circle graph and 78% of it is coloured with the number 78% in the middle of the graph

    IT security teams want to adopt zero trust.
    Source: Cybersecurity Insiders, 2019.

    Reduce the risks of remote work by using zero trust

    $1.07m

    $1.76m

    235

    Increase in breaches related to remote work

    Cost difference in a breach where zero trust is deployed

    Days to identify a breach

    The average cost of a data breach where remote work was a factor rose by $1.07 million in 2021. COVID-19 brought about rapid changes in organizations, and digital transformation changes curbed some of its excesses. Organizations that did not make any digital transformation changes reported a $750,000 higher costs compared to global average.

    The average cost of a breach in an organization with no zero trust deployed was $5.04 million in 2021 compared to the average cost of a breach in an organization with zero trust deployed of $3.28 million. With a difference of $1.76 million, zero trust makes a significant difference.

    Organizations with a remote work adoption rate of 50% took 235 days to identify a breach and 81 days to contain that breach – this is in comparison to the average of 212 days to identify a breach and 75 days to contain that breach.

    Source: IBM, 2021.

    Network + Security = SASE

    What exactly is a SASE product?

    The convergence and consolidation of security and network brought about the formation of secure access service edge (SASE – pronounced like "sassy"). Digital transformation, hybrid workforce, high demand of availability, uninterrupted access for employees, and a host of other factors influenced the need for this convergence that is delivered as a cloud service.

    The capabilities of a SASE solution being delivered are based on certain criteria, such as the identity of the entity (users, devices, applications, data, services, location), real-time context, continuous assessment and verification of risk and "trust" throughout the lifetime of a session, and the security and compliance policies of the organization.

    SASE continuously identifies users and devices, applies security based on policy, and provides secure access to the appropriate and requested application or data regardless of location.

    image contains a list of the SASE Network Features and Security Features. the network Features are: WAN optimization; SD WAN; CDN; Network-as-a-service. The Security Features are: CASB; IDPS; ZTNA/VPN; FWaaS; Browser isolation; DLP; UEBA; Secure web gateway; Sandboxing

    Current Approach

    The traditional perimeter security using the castle and moat approach is depicted in the image here. The security shields valuable resources from external attack; however, it isn't foolproof for all kinds of external attacks. Furthermore, it does not protect those valuable resources from insider threat.

    This security perimeter also allows for lateral movement when it has been breached. Access to these resources is now considered "trusted" solely because it is now behind the wall/perimeter.

    This approach is no longer feasible in our world today where both external and internal threats pose continuous risk and need to be contained.

    Determine the suitability of SASE and zero trust

    The Challenge:

    Complications facing traditional infrastructure

    • Increased hybrid workforce
    • Regulatory compliance
    • Limited Infosec personnel
    • Poor threat detection
    • Increased attack surface

    Common vulnerabilities in traditional infrastructure

    • MITM attack
    • XSS attack
    • Session hijacking
    • Trust-based model
    • IP spoofing
    • Brute force attack
    • Distributed denial of service
    • DNS hijacking
    • Latency issues
    • Lateral movement once connection is established

    TRADITIONAL INFRASTRUCTURE

    NETWORK

    SECURITY

    AUTHENTICATION

    IDENTITY

    ACCESS

    • MPLS
    • Corporate Network
    • Antivirus installed
    • Traditional Firewall
    • Intrusion Detection and Prevention System
    • Allow and Deny rules
    • Businesses must respond to consumer requests to:
    • LDAP
    • AAA
    • Immature password complexity
    • Trusted device with improperly managed endpoint protection.
    • Little or no DNS security
    • Web portal (captive)
    • VPN client

    Candidate Solutions

    Proposed benefits of SASE

    • Access is only granted to the requested resource
    • Consolidated network and security as a service
    • Micro-segmentation on application and gateway
    • Adopts a zero trust security posture for all access
    • Managed detection and response
    • Uniform enforcement of policy
    • Distributed denial of service shield

    SASE

    NETWORK

    SECURITY

    AUTHENTICATION

    IDENTITY

    ACCESS

    • Software defined – WAN
    • Content delivery network
    • WAN optimization
    • Network-as-a-service
    • Firewall-as-a-service/NGFW
    • Zero trust network access
    • Endpoint detection & response
    • Secure web gateway
    • Cloud access security broker
    • Data loss prevention
    • Remote browser isolation
    • Multifactor authentication
    • Context-based security policy for authentication
    • Authorization managed with situational awareness and real-time risk analytics
    • Continuous verification throughout an access request lifecycle
    • Zero trust identity on users, devices, applications, and data.
    • Strong password complexity enforced
    • Privilege access management
    • Secure internet access
    • SASE client

    ZERO TRUST

    TENETS OF ZERO TRUST

    ZERO TRUST PILLARS

    • Continuous, dynamic authentication and verification
    • Principle of least privilege
    • Always assume a breach
    • Implement the tenets of zero trust across the following domains of your environment:
      • IDENTITY
      • APPLICATION
      • NETWORK
      • DEVICES
      • DATA

    Proposed benefits of zero trust

    • Identify and protect critical and non-critical resources in accordance with business objectives.
    • Produce initiatives that conform to the ideals of zero trust and are aligned with the corresponding pillars above.
    • Formulate policies to protect resources and aid segmentation.

    Info-Tech Insight

    Securing your hybrid workforce should be an opportunity to get started on the zero trust journey. Realizing the core features needed to achieve this will help you determine which of the options is a good fit for your organization.

    Measure the value of using Info-Tech's approach

    IT and business value

    PHASE 1

    PHASE 2

    Assess the benefits of adopting SASE or zero trust

    Vendors will try to control the narrative in terms of what they can do for you, but it's time for you to control the narrative and identify pain points to IT and the business, and with that, to understand and define what the vendor solution can do for you.

    PHASE 2

    Assess the benefits of adopting SASE or zero trust

    Vendors will try to control the narrative in terms of what they can do for you, but it's time for you to control the narrative and identify pain points to IT and the business, and with that, to understand and define what the vendor solution can do for you.

    Short-term benefits

    • Gain awareness of your zero trust readiness.
    • Embed a zero trust mindset across your architecture.
    • Control the narrative of what SASE brings to your organization.

    Long-term benefits

    • Identified controls to mitigate risks with current architecture while on a zero trust journey.
    • Improved security posture that reduces risk by increasing visibility into threats and user connections.
    • Reduced CapEx and OpEx due to the scalability, low staffing requirements, and improved time to respond to threats using a SASE or SSE solution.

    Determine SASE cost factors

    IT and business value

    Info-Tech Insight

    IT leaders need to examine different areas of their budget and determine how the adoption of a SASE solution could influence several areas of their budget breakdown.

    Determining the SASE cost factors early could accelerate the justification the business needs to move forward in making an informed decision.

    01- Infrastructure

    • Physical security
    • Cabling
    • Power supply and HVAC
    • Hosting

    02- Administration

    • Human hours to analyze logs and threats
    • Human hours to secure infrastructure
    • Fees associated with maintenance

    03- Inbound

    • DPI
    • DDoS
    • Web application firewall
    • VPN concentrators

    04- Outbound

    • IDPS
    • DLP on-prem
    • QoS
    • Sandbox & URL filtering

    04- Data Protection

    • Real-time URL
      insights
    • Threat hunting
    • Data loss prevention

    06- Monitoring

    • Log storage
    • Logging engine
    • Dashboards
    • Managed detection
      and response

    Info-Tech's methodology for securing your hybrid workforce

    1. Current state and future mitigation

    2. Assess the benefits of moving to SASE/zero trust

    Phase Steps

    1.1 Limitations of legacy infrastructure

    1.2 Zero trust principle as a control

    1.3 SASE as a driver of zero trust

    2.1 Sourcing out a SASE/SSE vendor

    2.2 Build a zero trust roadmap

    Phase Outcomes

    Identify and prioritize risks of current infrastructure and several ways to mitigate them.

    RFP template and build a zero trust roadmap.

    Consider several factors needed to protect your growing hybrid workforce and assess your current resource capabilities, solutions, and desire for a more mature security program. The outcome should either address a quick pain point or a long-term roadmap.

    The internet is the new corporate network

    The internet is the new corporate network, which opens the organization up to more risks not protected by the current security stack. Using Info-Tech's methodology of zero trust adoption is a sure way to reduce the attack surface, and SASE is one useful tool to take you on the zero trust journey.

    Current-state risks and future mitigation

    Securing your hybrid workforce via zero trust will inevitably include (but is not limited to) technological products/solutions.

    SASE and SSE features sit as an overlay here as technological solutions that will help on the zero trust journey by aggregating all the disparate solutions required for you to meet zero trust requirements into a single interface. The knowledge and implementation of this helps put things into perspective of where and what our target state is.

    The right solution for the right problem

    It is critical to choose a solution that addresses the security problems you are actually trying to solve.

    Don't allow the solution provider to tell you what you need – rather, start by understanding your capability gaps and then go to market to find the right partner.

    Take advantage of the RFP template to source a SASE or SSE vendor. Additionally, build a zero trust roadmap to develop and strategize initiatives and tasks.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Zero Trust and SASE Suitability Tool
    Identify critical and vulnerable DAAS elements to protect and align them to business goals.

    Zero Trust Program Gap Analysis Tool
    Perform a gap analysis between current and target states to build a zero trust roadmap.

    Key deliverable:

    Secure Your Hybrid Workforce With Zero Trust Communication deck
    Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

    Phase 1

    Current state and future mitigation

    Phase 1

    Phase 2

    1.1 Limitations of legacy infrastructure

    1.2 Zero trust principle as a control

    1.3 SASE as a driver of zero trust

    2.1 Sourcing out a SASE/SSE vendor

    2.2 Build a zero trust roadmap

    This phase will walk you through the following activities:

    • Introduction to the tool, how to use the input tabs to identify current challenges, technologies being used, and to prioritize the challenges. The prioritized list will highlight existing gaps and eventually be mapped to recommended mitigations in the following phase.

    This phase involves the following participants:

    • CIO
    • CISO
    • CSO
    • IT security team
    • IT network team

    Secure Your Hybrid Workforce

    1.1 Limitations of legacy infrastructure

    Traditional security & remote access solutions must be modernized

    Info-Tech Insight
    Traditional security is architected with a perimeter in mind and is poorly suited to the threats in hybrid or distributed environments.

    Ensure you minimize or eliminate weak points on all layers.

    • SECURITY
      • DDoS
      • DNS hijacking
      • Weak VPN protocols
    • IDENTITY
      • One-time verification allowing lateral movement
    • NETWORK
      • Risk perimeter stops at corporate network edge
      • Split tunneling
    • AUTHENTICATION
      • Weak authentication
      • Weak passwords
    • ACCESS
      • Man-in-the-middle attack
      • Cross-site scripting
      • Session hijacking

    1.1.1 For example: traditional VPNs are poorly suited to a hybrid workforce

    There are many limitations that make it difficult for traditional VPNs to adapt to an ever-growing hybrid workforce.

    The listed limitations are tied to associated risks of legacy infrastructure as well as security components that are almost non-existent in a VPN implementation today.

    Scaling

    VPNs were designed for small-scale remote access to corporate network. An increase in the remote workforce will require expensive hardware investment.

    Visibility

    Users and attackers are not restricted to specific network resources, and with an absence of activity logs, they can go undetected.

    Managed detection & response

    Due to the reduction in or lack of visibility, threat detections are poorly managed, and responses are already too late.

    Hardware

    Limited number of locations for VPN hardware to be situated as it can be expensive.

    Hybrid workforce

    The increase in the hybrid workforce requires the risk perimeter to be expanded from the corporate network to devices and applications. VPNs are built for privacy, not security.

    Info-Tech Insight

    Hybrid workforces are here to stay, and adopting a strategy that is adaptable, flexible, simple, and cost-effective is a recommended road to take on the journey to bettering your security and network.

    1.1 Identify risk from legacy infrastructure

    Estimated Time: 1-2 hours

    1. Ensure all vulnerabilities described on slide 17 are removed.
    2. Note any forecasted challenge you think you might have down the line with your current hybrid setup.
    3. Identify any trend that may be of interest to you with regards to your hybrid setup.

    This is a screenshot of the organizational profile table found in the Zero Trust - SASE Suitability Assessment Tool

    Download the Zero Trust - SASE Suitability Assessment Tool

    Input

    • List of key pain points and challenges
    • List of forecasted challenges and trends of interest

    Output

    • Prioritized list of pain points and/or challenges

    Materials

    • Excel tool
    • Whiteboard

    Participants

    • CISO
    • InfoSec team
    • IT manager
    • CIO
    • Infrastructure team

    1.2 Zero trust principle as a control

    A zero trust implementation comes with benefits/initiatives that mitigate the challenges identified in earlier activities.

    Info-Tech Insight

    Zero trust/"always verify" is applied to identity, workloads, devices, networks, and data to provide a greater control for risks associated with traditional network architecture.

    Improve IAM maturity

    Zero trust identity and access will lead to a mature IAM process in an organization with the removal of implicit trust.

    Secure your remote access

    With a zero trust network architecture (ZTNA), both the remote and on-prem network access are more secure than the traditional network deployment. The software-defined parameter ensures security on each network access.

    Reduce threat surface area

    With zero trust principle applied on identity, workload, devices, network, and data, the threat surface area which births some of the risks identified earlier will be significantly reduced.

    Improve hybrid workforce

    Scaling, visibility, network throughput, secure connection from anywhere, micro-segmentation, and a host of other benefits to improve your hybrid workforce.

    1.2 SASE as an overlay to zero trust

    Security and network initiatives of a zero trust roadmap converged into a single pane of glass.

    Info-Tech Insight

    Security and network converged into a single pane of glass giving you some of the benefits and initiatives of a zero trust implemented architecture in one package.

    Improve IAM maturity

    The identity-centric nature of SASE solutions helps to improve your IAM maturity as it applies the principle of least privilege. The removal of implicit trust and continuous verification helps foster this more.

    Secure your remote access

    With ZTNA, both the remote and on-prem network access are more secure than the traditional network deployment. The software defined parameter ensures security on each network access.

    Reduce threat surface area

    Secure web gateway, cloud access security broker, domain name system, next-generation firewall, data loss prevention, and ZTNA protect against data leaks, prevent lateral movement, and prevent malicious actors from coming in.

    Improve hybrid workforce

    Reduced costs and complexity of IT, faster user experience, and reduced risk as a result of the scalability, visibility, ease of IT administration, network throughput, secure connection from anywhere, micro-segmentation, and a host of other benefits will surely improve your hybrid workforce.

    Align SASE features to zero trust core capabilities

    Verify Identity

    • Authentication & verification are enforced for each app request or session.
    • Use of multifactor authentication.
    • RBAC/ABAC and principle of least privilege are applied on the identity regardless of user, device, or location.

    Verify Device

    • Device health is checked to ensure device is not compromised or vulnerable.
    • No admin permissions on user devices.
    • Device-based risk assessment is enforced as part of UEBA.

    Verify Access

    • Micro-segmentation built around network, user, device, location and roles.
    • Use of context and content-based policy enforced to the user, application, and device identity.
    • Network access only granted to specified application request and not to the entire network.

    Verify Services

    • Applications and services are checked before access is granted.
    • Connections to the application and services are inspected with the security controls built into the SASE solution.

    Info-Tech Insight

    These features of SASE and zero trust mitigate the risks associated with a traditional VPN and reduce the threat surface area. With security at the core, network optimization is not compromised.

    Security components of SASE

    Otherwise known as security service edge (SSE)

    Security service edge is the convergence of all security services typically found in SASE. At its core, SSE consists of three services which include:

    • Secure web gateway – secure access to the internet and web.
    • Cloud access security broker – secure access to SaaS and cloud applications.
    • Zero trust network access – secure remote access to private applications.

    SSE components are also mitigations or initiatives that make up a zero trust roadmap as they comply with the zero trust principle, and as a result, they sit up there with SASE as an overlay/driver of a zero trust implementation. SSE's benefits are identical to SASE's in that it provides zero trust access, risk reduction, low costs and complexity, and a better user experience. The difference is SSE's sole focus on security services and not the network component.

    SASE

    NETWORK FEATURES

    SECURITY FEATURES

    • WAN optimization
    • SD WAN
    • CDN
    • Network-as-a-service
    • CASB
    • IDPS
    • ZTNA/VPN
    • FWaaS
    • Browser isolation
    • DLP
    • UEBA
    • Secure web gateway
    • Sandboxing

    1.3 Pros & cons of zero trust and SASE

    Zero Trust

    SASE

    Pros

    Cons

    Pros

    Cons

    • Robust IAM process and technologies with role-based access control.
    • Strong and continuous verification of identity of user accounts, devices, data, location, and principle of least privilege applied.
    • Micro-segmentation applied around users, network, devices, roles, and applications to prevent lateral movement.
    • Threat attack surface eliminated, which reduces organizational risks.
    • Protection of data strengthened based on sensitivity and micro-segmentation.
    • Difficult to identify the scope of the zero trust initiative.
    • Requires continuous and ongoing update of access controls.
    • Zero trust journey/process could take years and is prone to being abandoned without commitment from executives.
    • Legacy systems can be hard to replace, which would require all stakeholders to prioritize resource allocation.
    • Can be expensive to implement.
    • Adopts a zero trust security posture for all access requests.
    • Converged and consolidated network and security delivered as a cloud service to the user rather than a single point of enforcement.
    • Centralized visibility of devices, data in transit and at rest, user activities, and threats.
    • Cheaper than a zero trust roadmap implementation.
    • Managed detection and response.
    • The limited knowledge of SASE.
    • No universally agreed upon SASE definition.
    • SASE products are still being developed and are open to vendors' interpretation.
    • Existing vendor relationships could be a hinderance to deployment.
    • Hard to manage MSSPs.

    Understand SASE and zero trust suitability for your needs

    Estimated Time: 1 hour

    Use the dashboard to understand the value assessment of adopting a SASE product or building a zero trust roadmap.

    This is an image of the SASE Suitability Assessment

    This is the image of the Zero Trust Suitability Assessment

    Info-Tech Insight

    This tool will help steer you on a path to take as a form of mitigation/control to some or all the identified challenges.

    Phase 2

    Make a decision and next steps

    Phase 1

    Phase 2

    1.1 Limitations of legacy infrastructure

    1.2 Zero trust principle as a control

    1.3 SASE as a driver of zero trust

    2.1 Sourcing out a SASE/SSE vendor

    2.2 Build a zero trust roadmap

    This phase will walk you through the following activities:

    • Introduction to the tool activity, how to use the input tabs and considerations to generate an output that could help understand the current state of your hybrid infrastructure and what direction is to be followed next to improve.

    This phase involves the following participants:

    • CIO
    • CISO
    • CSO
    • IT security
    • IT network team

    Secure Your Hybrid Workforce

    Step 2.1

    Sourcing out a SASE/SSE vendor

    Activities

    2.1.1 Use the RFP template to request proposal from vendors

    2.1.2 Use SoftwareReviews to compare vendors

    This step involves the following participants:

    • CIO, CISO, IT manager, Infosec team, executives.

    Outcomes of this step

    • Zero Trust Roadmap

    2.1.1 Use the RFP template to request proposal from vendors

    Estimated Time: 1-3 hours

    1. As a group, use the RFP Template to include technical capabilities of your desired SASE product and to request proposals from vendors.
    2. The features that are most important to your organization generated from phase one should be highlighted in the RFP.

    Input

    • List of SASE features
    • Technical capabilities

    Output

    • RFP

    Materials

    • RFP Template

    Participants

    • Security team
    • IT leadership

    Download the RFP Template

    2.1.2 Use SoftwareReviews to compare vendors

    SoftwareReviews

    • The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.
    • Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
    • The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.
    • Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Step 2.2

    Zero trust readiness and roadmap

    Activities

    2.2.1 Assess the maturity of your current zero trust implementation

    2.2.2 Understand business needs and current security projects

    2.2.3 Set target maturity state with timeframe

    This step involves the following participants:

    CIO, CISO, IT manager, Infosec team, executives.

    Outcomes of this step

    Zero Trust Roadmap

    2.2.1 Assess the maturity of your current zero trust implementation

    Estimated Time: 1-3 hours

    • Realizing that zero trust is a journey helps create a better roadmap and implementation. Identify the current controls or solutions in your organization that align with the principle of zero trust.
    • Break down these controls or solutions into different silos (e.g. identity, security, network, data, device, applications, etc.).
    • Determine your zero trust readiness.

    Input

    • List of zero trust controls/solutions
    • Siloed list of zero trust controls/solutions
    • Current state of zero trust maturity

    Output

    • Zero trust readiness and current maturity state

    Materials

    • Zero Trust Security Benefit Assessment tool

    Participants

    • Security team
    • IT leadership

    Download the Zero Trust Security Benefit Assessment tool

    2.2.2 Understand business needs and current security projects

    Estimated Time: 1-3 hours

    1. Identify the business and IT executives, application owners, and board members whose vision aligns with the zero trust journey.
    2. Identify existing projects within security, IT, and the business and highlight interdependencies or how they fit with the zero trust journey.
    3. Build a rough sketch of the roadmap that fits the business needs, current projects and the zero trust journey.

    Input

    • Meetings with stakeholders
    • List of current and future projects

    Output

    • Sketch of zero trust roadmap

    Materials

    • Whiteboard activity

    Participants

    • Security team
    • IT leadership
    • IT ops team
    • Business executives
    • Board members

    Download Zero Trust Protect Surface Mapping Tool

    2.2.3 Set target maturity state with a given timeframe

    Estimated Time: 1-3 hours

    1. With the zero trust readiness, current business, IT and security projects, current maturity state, and sketch of the roadmap, setting a target maturity state within some timeframe is at the top of the list. The target maturity state will include a list of initiatives that could be siloed and confined to a timeframe.
    2. A Gantt chart or graph could be used to complete this task.

    Input

    • Results from previous activity slides

    Output

    • Current state and target state assessment for gap analysis
    • List of initiatives and timeframe

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security team
    • IT leadership
    • IT ops team
    • Business executives
    • Board members

    Download the Zero Trust Program Gap Analysis Tool

    Summary of Accomplishment

    Insights Gained

    • Difference between zero trust as a principle and SASE as a framework
    • Difference between SASE and SSE platforms.
    • Assessment of which path to take in securing your hybrid workforce

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    This is a screenshot from the Zero Trust - SASE Suitability Assessment Tool

    Zero Trust - SASE Suitability Assessment Tool

    Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

    Research Contributors

    • Aaron Shum, Vice President, Security & Privacy
    • Cameron Smith, Research Lead, Security & Privacy
    • Brad Mateski, Zones, Solutions Architect for CyberSecurity
    • Bob Smock, Info-Tech Research Group, Vice President of Consulting
    • Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
    • John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
    • John Zhao, Fonterra, Enterprise Security Architect
    • Rongxing Lu, University of New Brunswick, Associate Professor
    • Sumanta Sarkar, University of Warwick, Assistant Professor
    • Tim Malone, J.B. Hunt Transport, Senior Director Information Security
    • Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

    Related Info-Tech Research

    This is a screenshot from Info-Tech's Security Strategy Model

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current state assessment, prioritizing initiatives, and building out a security roadmap.

    This is a screenshot from Info-Tech's research: Determine Your Zero Trust Readiness

    Determine Your Zero Trust Readiness

    IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

    Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

    This is a screenshot from Info-Tech's research: Mature Your Identity and Access Management Program

    Mature Your Identity and Access Management Program

    Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's IAM practices by following our three-phase methodology:

    • Assess identity and access requirements.
    • Identify initiatives using the identity lifecycle.
    • Prioritize initiatives and build a roadmap.

    Bibliography

    "2021 Data Breach Investigations Report." Verizon, 2021. Web.
    "Fortinet Brings Networking and Security to the Cloud" Fortinet, 2 Mar. 2021. Web.
    "A Zero Trust Strategy Has 3 Needs – Identify, Authenticate, and Monitor Users and Devices on and off the Network." Fortinet, 15 July 2021. Web.
    "Applying Zero Trust Principles to Enterprise Mobility." CISA, Mar. 2022. Web.
    "CISA Zero Trust Maturity Model." CISA, Cybersecurity Division, June 2021. Web.
    "Continuous Diagnostics and Mitigation Program Overview." CISA, Jan. 2022. Web.
    "Cost of a Data Breach Report 2021 | IBM." IBM, July 2021. Web.
    English, Melanie. "5 Stats That Show The Cost Saving Effect of Zero Trust." Teramind, 29 Sept. 2021. Web.
    Hunter, Steve. "The Five Business Benefits of a Zero Trust Approach to Security." Security Brief - Australia, 19 Aug. 2020. Web.
    "Improve Application Access and Security With Fortinet Zero Trust Network Access." Fortinet, 2 Mar. 2021. Web.
    "Incorporating zero trust Strategies for Secure Network and Application Access." Fortinet, 21 Jul. 2021. Web.
    Jakkal, Vasu. "Zero Trust Adoption Report: How Does Your Organization Compare?" Microsoft, 28 July 2021. Web.
    "Jericho Forum™ Commandments." The Open Group, Jericho Forum, May 2007. Web.
    Schulze, Holger. "2019 Zero Trust Adoption Report." Cybersecurity Insiders, 2019. Web.
    "67% of Organizations Had Identity-Related Data Breaches Last Year." Security Magazine, 22 Aug. 2022. Web.
    United States, Executive Office of the President Joseph R. Biden, Jr. "Executive Order on Improving the Nation's Cybersecurity." The White House, 12 May 2021. Web.

    Corporate security consultancy

    Corporate security consultancy

    Based on experience
    Implementable advice
    human-based and people-oriented

    Engage our corporate security consultancy firm to discover any weaknesses within your company’s security management. Tymans Group has extensive expertise in helping small and medium businesses set up clear security protocols to safeguard their data and IT infrastructure. Read on to discover how our consulting firm can help improve corporate security within your company.

    Why should you hire a corporate security consultancy company?

    These days, corporate security includes much more than just regulating access to your physical location, be it an office or a store. Corporate security increasingly deals in information and data security, as well as general corporate governance and responsibility. Proper security protocols not only protect your business from harm, but also play an important factor in your overall success. As such, corporate security is all about setting up practical and effective strategies to protect your company from harm, regardless of whether the threat comes from within or outside. As such, hiring a security consulting firm to improve corporate security and security management within your company is not an unnecessary luxury, but a must.

    Security and risk management

    Our security and risk services

    Security strategy

    Security Strategy

    Embed security thinking through aligning your security strategy to business goals and values

    Read more

    Disaster Recovery Planning

    Disaster Recovery Planning

    Create a disaster recovey plan that is right for your company

    Read more

    Risk Management

    Risk Management

    Build your right-sized IT Risk Management Program

    Read more

    Check out all our services

    Improve your corporate security with help from our consulting company

    As a consultancy firm, Tymans Group can help your business to identify possible threats and help set up strategies to avoid them. However, as not all threats can be avoided, our corporate security consultancy firm also helps you set up protocols to mitigate and manage them, as well as help you develop effective incident management protocols. All solutions are practical, people-oriented and based on our extensive experience and thus have proven effectiveness.

    Hire our experienced consultancy firm

    Engage the services of our consulting company to improve corporate security within your small or medium business. Contact us to set up an appointment on-site or book a one-hour talk with expert Gert Taeymans to discuss any security issues you may be facing. We are happy to offer you a custom solution.

    Continue reading

    2022 Tech Trends

    • Buy Link or Shortcode: {j2store}94|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • The post-pandemic workplace continues to shift and requires collaboration between remote workers and office workers.
    • Digital transformation has accelerated across every organization and CIOs must maneuver to keep pace.
    • Customer expectations have shifted, and spending habits are moving away from in-person activities to online.
    • IT must improve its maturity in key capabilities to maintain relevance in the organization.

    Our Advice

    Critical Insight

    • Improve the capabilities that matter. Focus on IT capabilities that are most relevant to competing in the digital economy and will enable the CEO's mission for growth.
    • Assess how external environment presents opportunities or threats to your organization using a scenarios approach, then chart a plan.

    Impact and Result

    • Use the data and analysis from Info-Tech's 2022 Tech Trends report to inform your digital strategic plan.
    • Discover the five trends shaping IT's path in 2022 and explore use cases for emerging technologies.
    • Hear directly from leading subject matter experts on each trend with featured episodes from our Tech Insights podcast.

    2022 Tech Trends Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. 2022 Tech Trends Report – A deck that discusses five use cases that can improve on your organization’s ability to compete in the digital economy.

    The post-pandemic pace of change continues to accelerate as the economic rapidly becomes more digital. To keep pace with shifting consumer expectations, CIOs must help the CEO compete in the digital economy by focusing on five key capabilities: innovation, human resources management, data architecture, security strategy, and business process controls and internal audit. Raising maturity in these capabilities will help CIOs deliver on opportunities to streamline back-office processes and develop new lines of revenue.

    • 2022 Tech Trends Report

    Infographic

    Further reading

    2022 Tech Trends

    Enabling the digital economy

    Supporting the CEO for growth

    The post-pandemic pace of change

    The disruptions to the way we work caused by the pandemic haven’t bounced back to normal.

    As part of its research process for the 2022 Tech Trends Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from August 2021 through to September 2021, collecting 475 responses. We asked some of the same questions as last year’s survey so we can compare results as well as new questions to explore new trends.

    How much do you expect your organization to change permanently compared to how it was operating before the pandemic?

    • 7% – No change. We'll keep doing business as we always have.
    • 33% – A bit of change. Some ways of working will shift long term
    • 47% – A lot of change. The way we work will be differ in many ways long term. But our business remains...
    • 13% – Transformative change. Our fundamental business will be different and we'll be working in new ways.

    This year, about half of IT professionals expect a lot of change to the way we work and 13% expect a transformative change with a fundamental shift in their business. Last year, the same percentage expected a lot of change and only 10% expected transformative change.

    30% more professionals expect transformative permanent change compared to one year ago.

    47% of professionals expect a lot of permanent change; this remains the same as last year. (Info-Tech Tech Trends 2022 Survey)

    The pandemic accelerated the speed of digital transformation

    With the massive disruption preventing people from gathering, businesses shifted to digital interactions with customers.

    A visualization of the growth of 'Global average share of customer interactions that are digital' from December 2019 to July 2020. In that time it went from 36% to 58% with an 'Acceleration of 3 years'.

    Companies also accelerated the pace of creating digital or digitally enhanced products and services.

    A visualization of the growth of 'Global average share of partially or fully digitized products and/or services' from December 2019 to July 2020. In that time it went from 35% to 55% with an 'Acceleration of 7 years'. (McKinsey, 2020)

    “The Digital Economy incorporates all economic activity reliant on or significantly enhanced by the use of digital inputs, including digital technologies, digital infrastructure, digital services and data.” (OECD Definition)

    IT must enable participation in the digital economy

    Consumer spending is tilting more digital.

    Consumers have cut back spending on sectors where purchases are mostly made offline. That spending has shifted to digital services and online purchases. New habits formed during the pandemic are likely to stick for many consumers, with a continued shift to online consumption for many sectors.

    Purchases on online platforms are projected to rise from 10% today to 33% by 2030.

    Estimated online share of consumption
    Recreation & culture 30%
    Restaurants & hotels 50%
    Transport 10%
    Communications 90%
    Education 50%
    Health 20%
    Housing & utilities 50%
    (HSBC, 2020)

    Changing customer expectations pose a risk.

    IT practitioners agree that customer expectations are changing. They expect this to be more likely to disrupt their business in the next 12 months than new competition, cybersecurity incidents, or government-enacted policy changes.

    Factors likely to disrupt business in next 12 months
    Government-enacted policy changes 22%
    Cybersecurity incidents 56%
    Regulatory changes 45%
    Established competitor wins 26%
    New player enters the market 23%
    Changing customer expectations 68%
    (Info-Tech Tech Trends 2022 Survey)

    This poses a challenge to IT departments below the “expand” level of maturity

    CIOs must climb the maturity ladder to help CEOs drive growth.

    Most IT departments rated their maturity in the “optimize” or “support” level on Info-Tech’s maturity ladder.

    CIOs at the “optimize” level can play a role in digital transformation by improving back-office processes but should aim for a higher mandate.

    CIOs achieving at the “expand” level can help directly improve revenues by improving customer-facing products and services, and those at the “transform” level can help fundamentally change the business to create revenue in new ways. CIOs can climb the maturity ladder by enabling new digital capabilities.

    Maturity is heading in the wrong direction.

    Only half of IT practitioners described their department’s maturity as “transform” compared to last year’s survey, and more than twice the number rated themselves as “struggle.”

    A colorful visualization of the IT 'Maturity Ladder' detailing levels of IT function within an organization. Percentages represent answers from IT practitioners to an Info-Tech survey about the maturity level of their company. Starting from the bottom: 13% answered 'Struggle', compared to 6% in 2020; 35% answered 'Support'; 37% answered 'Optimize'; 12% answered 'Expand'; and only 3% answered 'Transform', compared to 6% in 2020.

    48% rate their IT departments as low maturity.

    Improve maturity by focusing on key capabilities to compete in the digital economy

    Capabilities to unlock digital

    Innovation: Identify innovation opportunities and plan how to use technology innovation to create a competitive advantage or achieve improved operational effectiveness and efficiency.

    Human Resources Management: Provide a structured approach to ensure optimal planning, evaluation, and development of human resources.

    Data Architecture: Manage the business’ data stores, including technology, governance, and people that manage them. Establish guidelines for the effective use of data.

    Security Strategy: Define, operate, and monitor a system for information security management. Keep the impact and occurrence of information security incidents within risk appetite levels.

    Business Process Controls and Internal Audit: Manage business process controls such as self-assessments and independent assurance reviews to ensure information related to and used by business processes meets security and integrity requirements. (ISACA, 2020)

    A periodic table-esque arrangement of Info-Tech tools and templates titled 'IT Management and Governance Framework', subtitled 'A comprehensive and connected set of research to help you optimize and improve your core IT processes', and anchored by logos for Info-Tech and COBIT. Color-coded sections with highlighted tools or templates are: 'Strategy and Governance' with 'APO04 Innovation' highlighted; 'People and Resources' with 'APO07 Human Resources Management' highlighted; 'Security and Risk' with 'APO13 Security Strategy' and 'DSS06 MEA02 Business Process Controls and Internal Audit' highlighted; 'Data and BI' with 'ITRG07 Data Architecture' highlighted. Other sections are 'Financial Management', 'Service planning and architecture', 'Infrastructure and operations', 'Apps', and 'PPM and projects'.

    5 Tech Trends for 2022

    In this report, we explore five use cases for emerging technology that can improve on capabilities needed to compete in the digital economy. Use cases combine emerging technologies with new processes and strategic planning.

    DIGITAL ECONOMY

    TREND 01 | Human Resources Management

    HYBRID COLLABORATION
    Provide a digital employee experience that is flexible, contextual, and free from the friction of hybrid operating models.

    TREND 02 | Security Strategy

    BATTLE AGAINST RANSOMWARE
    Prevent ransomware infections and create a response plan for a worst-case scenario. Collaborate with relevant external partners to access resources and mitigate risks.

    TREND 03 | Business Process Controls and Internal Audit

    CARBON METRICS IN ENERGY 4.0
    Use internet of things (IoT) and auditable tracking to provide insight into business process implications for greenhouse gas emissions.

    TREND 04 | Data Architecture

    INTANGIBLE VALUE CREATION
    Provide governance around digital marketplace and manage implications of digital currency. Use blockchain technology to turn unique intellectual property into saleable digital products

    TREND 05 | Innovation

    AUTOMATION AS A SERVICE
    Automate business processes and access new sophisticated technology services through platform integration.

    Hybrid Collaboration

    TREND 01 | HUMAN RESOURCES MANAGEMENT

    Provide a digital employee experience that is flexible, contextual, and free from the friction of hybrid operating models.

    Emerging technologies:
    Intelligent conference rooms; intelligent workflows, platforms

    Introduction

    Hybrid work models enable productive, diverse, and inclusive talent ecosystems necessary for the digital economy.

    Hybrid work models have become the default post-pandemic work approach as most knowledge workers prefer the flexibility to choose whether to work remotely or come into the office. CIOs have an opportunity lead hybrid work by facilitating collaboration between employees mixed between meeting at the office and virtually.

    IT departments rose to the challenge to quickly facilitate an all-remote work scenario for their organizations at the outset of the pandemic. Now they must adapt again to facilitate the hybrid work model, which brings new friction to collaboration but also new opportunities to hire a talented, engaged, and diverse workforce.

    79% of organizations will have a mix of workers in the office and at home. (Info-Tech Tech Trends 2022 Survey)

    35% view role type as a determining factor in the feasibility of the hybrid work model.

    Return-to-the-office tensions

    Only 18% of employees want to return to the office full-time.

    But 70% of employers want people back in the office. (CNBC, April 2021)

    Signals

    IT delivers the systems needed to make the hybrid operating model a success.

    IT has an opportunity to lead by defining the hybrid operating model through technology that enables collaboration. To foster collaboration, companies plan to invest in the same sort of tools that helped them cope during the pandemic.

    As 79% of organizations envision a hybrid model going forward, investments into hybrid work tech stacks – including web conferencing tools, document collaboration tools, and team workspaces – are expected to continue into 2022.

    Plans for future investment in collaboration technologies

    Web Conferencing 41%
    Document Collaboration and Co-Authoring 39%
    Team Workspaces 38%
    Instant Messaging 37%
    Project and Task Management Tools 36%
    Office Meeting Room Solutions 35%
    Virtual Whiteboarding 30%
    Intranet Sites 21%
    Enterprise Social Networking 19%
    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    COVID-19

    Vaccination rates around the world are rising and allowing more offices to welcome back workers because the risk of COVID-19 transmission is reduced and jurisdictions are lifting restrictions limiting gatherings.

    Worker satisfaction

    Most workers don't want to go to the office full-time. In a Bloomberg poll (2021), almost half of millennial and Gen Z workers say they would quit their job if not given an option to work remotely.

    IT spending

    Companies are investing more into IT budgets to find ways to support a mix of remote work and in-office resources to cope with work disruption. This extra spending is offset in some cases by companies saving money from having employees work from home some portion of the time. (CIO Dive, 2021)

    Risks and Benefits

    Benefits

    Flexibility Employees able to choose between working from home and working in the office have more control over their work/life balance.
    Intelligence Platforms that track contextual work relationships can accelerate workflows through smart recommendations that connect people at the right time, in the right place.
    Talent Flexible work arrangements provide businesses with access to the best talent available around the world and employees with more career options as they work from a home office (The Official Microsoft Blog, 2021).

    Risks

    Uncertainty The pandemic lacks a clear finish line and local health regulations can still waver between strict control of movement and open movement. There are no clear assurances of what to expect for how we'll work in the near future.
    FOMO With some employees going back to the office while others remain at home, employee bases could be fractured along the lines of those seeing each other in person every day and those still connecting by videoconference.
    Complexity Workers may not know in advance whether they're meeting certain people in person or online, or a mix of the two. They'll have to use technology on the fly to try and collaborate across a mixed group of people in the office and people working remotely (McKinsey Quarterly, 2021).

    “We have to be careful what we automate. Do we want to automate waste? If a company is accustomed to having a ton of meetings and their mode in the new world is to move that online, what are you going to do? You're going to end up with a lot of fatigue and disenchantment…. You have to rethink your methods before you think about the automation part of it." (Vijay Sundaram, Chief Strategy Officer, Zoho)

    Photo of Vijay Sundaram, Chief strategy officer, Zoho.

    Listen to the Tech Insights podcast: Unique approach to hybrid collaboration

    Case Study: Zoho

    Situation

    Zoho Corp. is a cloud software firm based in Chennai, India. It develops a wide range of cloud software, including enterprise collaboration software and productivity tools. Over the past decade, Zoho has used flexible work models to grant remote work options to some employees.

    When the coronavirus pandemic hit, not only did the office have to shut down but also many employees had to relocate back with families in rural areas. The human costs of the pandemic experienced by staff required Zoho to respond by offering counseling services and material support to employees.

    Complication

    Zoho prides itself as an employee-centric company and views its culture as a community that's purpose goes beyond work. That sense of community was lost because of the disruption caused by the pandemic. Employees lost their social context and their work role models. Zoho had to find a way to recreate that without the central hub of the office or find a way to work with the limitations of it not being possible.

    Resolution

    To support employees in rural settings, Zoho sent out phones to provide redundant bandwidth. As lockdowns in India end, Zoho is taking a flexible approach and giving employees the option to come to the office. It's seeing more people come back each week, drawn by the strong community.

    Zoho supports the hybrid mix of workers by balancing synchronous and asynchronous collaboration. It holds meetings when absolutely necessary through tools like Zoho Meet but tries to keep more work context to asynchronous collaboration that allows people to complete tasks quickly and move on. Its applications are connected to a common platform that is designed to facilitate workflows between employees with context and intelligence. (Interview with Vijay Sundaram, Chief Strategy Officer, Zoho)

    “We tend to think of it on a continuum of synchronous to asynchronous work collaboration. It’s become the paramount norm for so many different reasons…the point is people are going to work at different times in different locations. So how do we enable experiences where everyone can participate?" (Jason Brommet, Head of Modern Work and Security Business Group at Microsoft)

    Photo of Jason Brommet, Head of Modern Work and Security Business Group at Microsoft.

    Listen to the Tech Insights podcast: Microsoft on the ‘paradox of hybrid work’

    Case Study: Microsoft

    Situation

    Before the pandemic, only 18% of Microsoft employees were working remotely. As of April 1, 2020, they were joined by the other 82% of non-essential workers at the company in working remotely.

    As with its own customers, Microsoft used its own software to enable this new work experience, including Microsoft Teams for web conferencing and instant messaging and Office 365 for document collaboration. Employees proved just as productive getting their work done from home as they were working in the office.

    Complication

    At Microsoft, the effects of firm-wide remote work changed the collaboration patterns of the company. Even though a portion of the company was working remotely before the pandemic, the effects of everyone working remotely were different. Employees collaborated in a more static and siloed way, focusing on scheduled meetings with existing relationships. Fewer connections were made with more disparate parts of the organization. There was also a decrease in synchronous communication and an increase in asynchronous communication.

    Resolution

    Microsoft is creating new tools to break down the silos in organizations that are grappling with hybrid work challenges. For example, Viva Insights is designed to inform workers about their collaboration habits with analytics. Microsoft wants to provide workers with insights on their collaborative networks and whether they are creating new connections or deepening existing connections. (Interview with Jason Brommet, Head of Modern Work and Security Business Group, Microsoft; Nature Human Behaviour, 2021)

    What's Next?

    Distributed collaboration space:

    International Workplace Group says that more companies are taking advantage of its full network deals on coworking spaces. Companies such as Standard Charter are looking to provide their workers with a happy compromise between working from home and making the commute all the way to the central office. The hub-and-spoke model gives employees the opportunity to work near home and looks to be part of the hybrid operating model mix for many companies. (Interview with Wayne Berger, CEO of IWG Canada & Latin America)

    Optimized hybrid meetings:

    Facilitating hybrid meetings between employees grouped in the office and remote workers will be a major pain point. New hybrid meeting solutions will provide cameras embedded with intelligence to put boardroom participants into independent video streams. They will also focus on making connecting to the same meeting from various locations as convenient as possible and capture clear and crisp audio from each speaker.

    Uncertainties

    Mix between office and remote work:

    It's clear we're not going to work the way we used to previously with central work hubs, but full-on remote work isn't the right path forward either. A new hybrid work model is emerging, and organizations are experimenting to find the right approach.

    Attrition:

    Between April and September 2021, 15 million US workers quit their jobs, setting a record pace. Employees seek a renewed sense of purpose in their work, and many won’t accept mandates to go back to the office. (McKinsey, 2021)

    Equal footing in meetings:

    What are the new best practices for conducting an effective meeting between employees in the office and those who are remote? Some companies ask each employee to connect via a laptop. Others are using conference rooms with tech to group in-office workers together and connect them with remote workers.

    Hybrid Collaboration Scenarios

    Organizations can plan their response to the hybrid work context by plotting their circumstances across two continuums: synchronous to asynchronous collaboration approach and remote work to central hub work model.

    A map of hybrid collaboration scenarios with two axes representing 'Work Context, From all remote work to gathering in a central hub' and 'Collaboration Style, From collaborating at the same time to collaborating at different times'. The axes split the map into quarters. 'Work Context' ranges from 'Remote Work' on the left to 'Central Hub' on the right. 'Collaboration Style' ranges from 'Synchronous' on top to 'Asynchronous' on bottom. The top left quarter, synchronous remote work, reads 'Virtual collective collaboration via videoconference and collaboration software, with some workers meeting in coworking spaces.' The top right quarter, synchronous central hub, reads 'In-person collective collaboration in the office.' The bottom left quarter, asynchronous remote work, reads 'Virtual group collaboration via project tracking tools and shared documents.' The bottom right quarter, asynchronous central hub, reads 'In-person group collaboration in coworking spaces and the main office.'

    Recommendations

    Rethink technology solutions. Don't expect your pre-pandemic videoconference rooms to suffice. And consider how to optimize your facilities and infrastructure for hot-desking scenarios.

    Optimize remote work. Shift from the collaboration approach you put together just to get by to the program you'll use to maximize flexibility.

    Enable effective collaboration. Enable knowledge sharing no matter where and when your employees work and choose the best collaboration software solutions for your scenario.

    Run better meetings. Successful hybrid workplace plans must include planning around hybrid meetings. Seamless hybrid meetings are the result of thoughtful planning and documented best practices.

    89% of organizations invested in web conferencing technology to facilitate better collaboration, but only 43% invested in office meeting room solutions. (Info-Tech Tech Trends 2022 Survey)

    Info-Tech Resources

    Battle Against Ransomware

    TREND 02 | SECURITY STRATEGY

    Prevent ransomware infections and create a response plan for a worst-case scenario. Collaborate with relevant external partners to access resources and mitigate risks.

    Emerging technologies:
    Open source intelligence; AI-powered threat detection

    “It has been a national crisis for some time…. For every [breach] that hits the news there are hundreds that never make it.” (Steve Orrin, Federal Chief Technology Officer, Intel)

    Photo of Steve Orrin, Federal Chief Technology Officer, Intel.

    Listen to the Tech Insights podcast: Ransomware crisis and AI in military

    Introduction

    Between 2019 and 2020, ransomware attacks rose by 62% worldwide and by 158% in North America. (PBS NewsHour, 2021)

    Security strategies are crucial for companies to control access to their digital assets and confidential data, providing it only to the right people at the right time. Now security strategies must adapt to a new caliber of threat in ransomware to avoid operational disruption and reputational damage.

    In 2021, ransomware attacks exploiting flaws in widely used software from vendors Kaseya, SolarWinds, and Microsoft affected many companies and saw record-breaking ransomware payments made to state-sponsored cybercriminal groups.

    After a ransomware attack caused Colonial Pipeline to shut down its pipeline operations across the US, the ransomware issue became a topic of federal attention with executives brought before Senate committees. A presidential task force to combat ransomware was formed.

    62% of IT professionals say they are more concerned about being a victim of ransomware than they were one year ago. (Info-Tech Tech Trends 2022 Survey)

    $70 million demanded by REvil gang in ransom to unlock firms affected by the Kaseya breach. (TechRadar, 2021)

    Signals

    Organizations are taking a multi-faceted approach to preparing for the event of a ransomware breach.

    The most popular methods to prepare for ransomware are to buy an insurance policy or create offline backups and redundant systems. Few are making an effort to be aware of free decryption tools, and only 2% admit to budgeting to pay ransoms.

    44% of IT professionals say they spent time and money specifically to prevent ransomware over the past year. (Info-Tech Tech Trends 2022 Survey)

    Approaches to prepare for ransomware

    Kept aware of free decryption tools available 9%
    Set aside budget to pay ransoms 2%
    Designed network to contain ransomware 24%
    Implemented technology to eradicate ransomware 36%
    Created a specific incident response plan for ransomware 26%
    Created offline backups and redundant systems 41%
    Purchased insurance covering cyberattacks 47%

    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    National security concerns

    Attacks on US infrastructure and government agencies have prompted the White House to treat ransomware as a matter of national security. The government stance is that Russia supports the attacks. The US is establishing new mechanisms to address the threat. Plans include new funding to support ransomware response, a mandate for organizations to report incidents, and requirements for organizations to consider the alternatives before paying a ransom. (Institute for Security and Technology, 2021)

    Advice from cybersecurity insurance providers

    Increases in ransom payouts have caused cybersecurity insurance providers to raise premiums and put in place more security requirements for policyholders to try and prevent ransomware infection. However, when clients are hit with ransomware, insurance providers advise to pay the ransom as it's usually the cheapest option. (ProPublica, 2019)

    Reputational damage

    Ransomware attacks also often include a data breach event with hackers exfiltrating the data before encrypting it. Admitting a breach to customers can seriously damage an organization's reputation as trustworthy. Organizations may also be obligated to pay for credit protection of their customers. (Interview with Frank Trovato, Research Director – Infrastructure, Info-Tech Research Group)

    Risks and Benefits

    Benefits

    Privacy Protecting personal data from theft improves people’s confidence that their privacy is being respected and they are not at risk of identity theft.
    Productivity Ransomware can lock out employees from critical work systems and stop them from being able to complete their tasks.
    Access Ransomware has prevented public access to transportation, healthcare, and any number of consumer services for days at a time. Ransomware prevention ensures public service continuity.

    Risks

    Expenses Investing in cybersecurity measures to protect against attacks is becoming more expensive, and recently cybersecurity insurance premiums have gone up in response to expensive ransoms.
    Friction More security requirements could create friction between IT priorities and business priorities in trying to get work done.
    Stability If ransomware attacks become worse or cybercriminals retaliate for not receiving payments, people could find their interactions with government services and commercial services are disrupted.

    Case Study: Victim to ransomware

    Situation

    In February 2020, a large organization found a ransomware note on an admin’s workstation. They had downloaded a local copy of the organization’s identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

    Complication

    Because private information of employees and customers was breached, the organization decided to voluntarily inform the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

    The organization decided not to pay the ransom because it didn’t need the data back, since it had a copy on an unaffected server.

    Resolution

    After a one-day news cycle for the breach, the story about the ransom was over. The organization also received praise for handling the situation well and quickly informing stakeholders.

    The breach motivated the organization to put more protections in place. It implemented a deny-by-default network and turned off remote desktop protocol and secure shell. It mandated multi-factor authentication and put in a new endpoint-detection and response system. (Interview with CIO of large enterprise)

    What's Next

    AI for cybersecurity:

    New endpoint protections using AI are being deployed to help defend against ransomware and other cybersecurity intrusions. The solutions focus on the prevention and detection of ransomware by learning about the expected behavior of an environment and then detecting anomalies that could be attack attempts. This type of approach can be applied to everything from reading the contents of an email to helping employees detect phishing attempts to lightweight endpoint protection deployed to an Internet of Things device to detect an unusual connection attempt.

    Unfortunately, AI is a tool available to both the cybersecurity industry and hackers. Examples of hackers tampering with cybersecurity AI to bypass it have already surfaced. (Forbes, 23 Sept. 2021)

    Uncertainties

    Government response:

    In the US, the Ransomware Task Force has made recommendations to the government but it's not clear whether all of them will be followed. Other countries such as Russia are reported to be at least tolerating ransomware operations if not supporting them directly with resources.

    Supply chain security:

    Sophisticated attacks using zero-day exploits in widely used software show that organizations simply can't account for every potential vulnerability.

    Arms escalation:

    The ransomware-as-a-service industry is doing good business and finding new ways to evade detection by cybersecurity vendors. New detection techniques involving AI are being introduced by vendors, but will it just be another step in the back-and-forth game of one-upmanship? (Interview with Frank Trovato)

    Battle Against Ransomware Scenarios

    Determine your organization’s threat profile for ransomware by plotting two variables: the investment made in cybersecurity and the sophistication level of attacks that you should be prepared to guard against.

    A map of Battle Against Ransomware scenarios with two axes representing 'Attack Sophistication, From off-the-shelf, ransomware-as-a-service kits to state-sponsored supply chain attacks' and 'Investment in Cybersecurity, From low, minimal investment to high investment for a multi-layer approach.'. The axes split the map into quarters. 'Attack Sophistication' ranges from 'Ransomware as a Service' on the left to 'State-Sponsored' on the right. 'Investment in Cybersecurity' ranges from 'High' on top to 'Low' on bottom. The top left quarter, highly invested ransomware as a service, reads 'Organization is protected from most ransomware attacks and isn’t directly targeted by state-sponsored attacks.' The top right quarter, highly invested state-sponsored, reads 'Organization is protected against most ransomware attacks but could be targeted by state-sponsored attacks if considered a high-value target.' The bottom left quarter, low investment ransomware as a service, reads 'Organization is exposed to most ransomware attacks and is vulnerable to hackers looking to make a quick buck by casting a wide net.' The bottom right quarter, low investment state-sponsored, reads 'Organization is exposed to most ransomware attacks and risks being swept up in a supply chain attack by being targeted or as collateral damage.'

    Recommendations

    Create a ransomware incident response plan. Assess your current security practices and identify gaps. Quantify your ransomware risk to prioritize investments and run tabletop planning exercises for ransomware attacks.

    Reduce your exposure to ransomware. Focus on securing the frontlines by improving phishing awareness among staff and deploying AI tools to help flag attacks. Use multi-factor authentication. Take a zero-trust approach and review your use of RDP, SSH, and VPN.

    Require security in contracts. Security must be built into vendor contracts. Government contracts are now doing this, elevating security to the same level as functionality and support features. This puts money incentives behind improving security. (Interview with Intel Federal CTO Steve Orrin)

    42% of IT practitioners feel employees must do much more to help defend against ransomware. (Info-Tech Tech Trends 2022 Survey)

    Info-Tech Resources

    Carbon Metrics in Energy 4.0

    TREND 03 | BUSINESS PROCESS CONTROLS AND INTERNAL AUDIT

    Use Internet of Things (IoT) and auditable tracking to provide insight into business process implications for greenhouse gas emissions.

    Emerging technologies:
    IoT

    Introduction

    Making progress towards a carbon-neutral future.

    A landmark report published in 2021 by the United Nations Intergovernmental Panel on Climate Change underlines that human actions can still determine the future course of climate change. The report calls on governments, individuals, and organizations to stop putting new greenhouse gas emissions into the atmosphere no later than 2050, and to be at the halfway point to achieving that by 2030.

    With calls to action becoming more urgent, organizations are making plans to reduce the use of fossil fuels, move to renewable energy sources, and reduce consumption that causes more emissions downstream. As both voluntary and mandatory regulatory requirements task organizations with reducing emissions, they will first be challenged to accurately measure the size of their footprint.

    CIOs in organizations are well positioned to make conscious decisions to both influence how technology choices impact carbon emissions and implement effective tracking of emissions across the entire enterprise.

    Canada’s CIO strategy council is calling on organizations to sign a “sustainable IT pledge” to cut emissions from IT operations and supply chain and to measure and disclose emissions annually. (CIO Strategy Council, Sustainable IT Pledge)

    SCOPE 3 – Indirect Consumption

    • Goods and services
    • Fuel, travel, distribution
    • Waste, investments, leased assets, employee activity

    SCOPE 2 – Indirect Energy

    • Electricity
    • Heat and cooling

    SCOPE 1 – Direct

    • Facilities
    • Vehicles

    Signals

    Emissions tracking requires a larger scope.

    About two-thirds of organizations have a commitment to reduce greenhouse gas emissions. When asked about what tactics they use to reduce emissions, the most popular options affect either scope 1 emissions (retiring older IT equipment) or scope 2 emissions (using renewable energy sources). Fewer are using tactics that would measure scope 3 emissions such as using IoT to track or using software or AI.

    68% of organizations say they have a commitment to reduce greenhouse gas emissions. (Info-Tech Tech Trends 2022 Survey)

    Approaches to reducing carbon emissions

    Using "smart technologies" or IoT to help cut emissions 12%
    Creating incentive programs for staff to reduce emissions 10%
    Using software or AI to manage energy use 8%
    Using external DC or cloud on renewable energy 16%
    Committing to external emissions standards 15%
    Retiring/updating older IT equipment 33%
    Using renewable energy sources 41%

    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    Investor pressure

    The world’s largest asset manager, at $7 trillion in investments, says it will move away from investing in firms that are not aligned to the Paris Agreement. (The New York Times, 2020)

    Compliance tipping point

    International charity CDP has been collecting environmental disclosure from organizations since 2002. In 2020, more than 9,600 of the world’s largest companies – representing over 50% of global market value – took part. (CDP, 2021)

    International law

    In 2021, six countries have net-zero emissions policies in law, six have proposed legislations, and 20 have policy documents. (Energy & Climate Intelligence Unit, 2021)

    Employee satisfaction

    In 2019, thousands of workers walked out of offices of Amazon, Google, Twitter, and Microsoft to demand their employers do more to reduce carbon emissions. (NBC News, 2021)

    High influence factors for carbon reduction

    • 25% – New government laws or policies
    • 9% – External social pressures
    • 9% – Pressure from investors
    • 8% – International climate compliance efforts
    • 7% – Employee satisfaction

    (Info-Tech Tech Trends 2022 Survey)

    Risks and Benefits

    Benefits

    Trust Tracking carbon emissions creates transparency into an organization’s operations and demonstrates accountability to its carbon emissions reduction goals.
    Innovation As organizations become more proficient with carbon measurement and modeling, insights can be leveraged as a decision-making tool.
    Resilience Reducing energy usage shrinks your carbon footprint, increases operational efficiency, and decreases energy costs.

    Risks

    Regulatory Divergence Standardization of compliance enforcement around carbon emissions is a work in progress. Several different voluntary frameworks exist, and different governments are taking different approaches including taxation and cap-and-trade markets.
    Perceptions Company communications that speak to emissions reduction targets without providing proof can be accused of “greenwashing” or falsely trying to improve public perception.
    Financial Pain Institutional investments are requiring clear commitments and plans to reduce greenhouse gases. Some jurisdictions are now taxing carbon emissions.

    “When you can take technology and embed that into management change decisions that impact the environment, you can essentially guarantee that [greenhouse gas] offset. Companies that are looking to reduce their emissions can buy those offsets and it creates value for everybody.” (Wade Barnes, CEO and founder of Farmers Edge)

    Photo of Wade Barnes, CEO and founder of Farmers Edge.

    Listen to the Tech Insights podcast: The future of farming is digital

    Case Study

    Situation

    The Alberta Technology Innovation and Emissions Reduction Regulation is Alberta’s approach to reduce emissions from large industrial emitters. It prices GHG and provides a trading system.

    No-till farming and nitrogen management techniques sequester up to 0.3 metric tons of GHG per year.

    Complication

    Farmers Edge offers farmers a digital platform that includes IoT and a unified data warehouse. It can turn farm records into digital environmental assets, which are aggregated and sold to emitters.

    Real-time data from connected vehicles, connected sensors, and other various inputs can be verified by third-party auditors.

    Resolution

    Farmers Edge sold aggregated carbon offsets to Alberta power producer Capital Power to help it meet regulatory compliance.

    Farmers Edge is expanding its platform to include farmers in other provinces and in the US, providing them opportunity to earn revenue via its Smart Carbon program.

    The firm is working to meet standards outlined by the U.S. Department of Agriculture’s Natural Resources Conservation Service. (Interview with Wade Barnes, CEO, Farmers Edge)

    What's Next

    Global standards:

    The International Sustainability Standards Board (ISSB) has been formed by the International Financial Reporting Standards Foundation and will have its headquarters location announced in November at a United Nations conference. The body is already governing a set of global standards that have a roadmap for development through 2023 through open consultation. The standards are expected to bring together the multiple frameworks for sustainability standards and offer one global set of standards. (Business Council of Canada, 2021)

    CIOs take charge:

    The CIO is well positioned to take the lead role on corporate sustainability initiatives, including measuring and reducing an organization’s carbon footprint (or perhaps even monetizing carbon credits for an organization that is a negative emitter). CIOs can use their position as facilities managers and cross-functional process owners and mandate to reduce waste and inefficiency to take accountability for this important role. CIOs will expand their roles to deliver transparent and auditable reporting on environmental, social, and governance (ESG) goals for the enterprise.

    Uncertainties

    International resolve:

    Fighting the climate crisis will require governments and private sector collaboration from around the world to commit to creating new economic structures to discourage greenhouse gas emissions and incentivize long-term sustainable thinking. If some countries or private sector forces continue to prioritize short-term gains over sustainability, the U.N.’s goals won’t be achieved and the human costs as a result of climate change will become more profound.

    Cap-and-trade markets:

    Markets where carbon credits are sold to emitters are organized by various jurisdictions around the world and have different incentive structures. Some are created by governments and others are voluntary markets created by industry. This type of organization for these markets limits their size and makes it hard to scale the impact. Organizations looking to sell carbon credits at volume face the friction of having to navigate different compliance rules for each market they want to participate in.

    Carbon Metrics in Energy 4.0 Scenarios

    Determine your organization’s approach to measuring carbon dioxide and other greenhouse gas emissions by considering whether your organization is likely to be a high emitter or a carbon sink. Also consider your capability to measure and report on your carbon footprint.

    A map of Carbon Metrics in Energy 4.0 scenarios with two axes representing 'Quantification Capability, From not tracking any emissions whatsoever to tracking all emissions at every scope' and 'Greenhouse Gas Emissions, From mitigating more emissions than you create to emitting more than regulations allow'. The axes split the map into quarters. 'Quantification Capability' ranges from 'No Measures' on the left to 'All Emissions Measured' on the right. 'Greenhouse Gas Emissions' ranges from 'More Than Allowed' on top to 'Net-Negative' on bottom. The top left quarter, no measures and more than allowed, reads 'Companies that are likely to be high emitters and not measuring will attract the most scrutiny from regulators and investors.' The top right quarter, all measured and more than allowed, reads 'Companies emit more than regulators allow but the measurements show a clear path to mitigation through the purchase of carbon credits.' The bottom left quarter, no measures and net-negative, reads 'Companies able to achieve carbon neutrality or even be net-negative in emissions but unable to demonstrate it will still face scrutiny from regulators.' The bottom right quarter, all measured and net-negative, reads 'Companies able to remove more emissions than they create have an opportunity to aggregate those reductions and sell on a cap-and-trade market.'

    Recommendations

    Measure the whole footprint. Devise a plan to measure scope 1, 2, and 3 greenhouse gas emissions at a level that is auditable by a third party.

    Gauge the impact of Industry 4.0. New technologies in Industry 4.0 include IoT, additive manufacturing, and advanced analytics. Make sustainability a core part of your focus as you plan out how these technologies will integrate with your business.

    Commit to net zero. Make a clear commitment to achieve net-zero emissions by a specific date as part of your organization’s core strategy. Take a continuous improvement approach to make progress towards the goal with measurable results.

    New laws from governments will have the highest degree of influence on an organization’s decision to reduce emissions. (Info-Tech Tech Trends 2022 Survey)

    Info-Tech Resources

    Intangible Value Creation

    TREND 04 | DATA ARCHITECTURE

    Use blockchain technology to turn unique intellectual property into saleable digital products. Provide governance around marketplaces where sales are made.

    Emerging technologies:
    Blockchain, Distributed Ledger Technology, Virtual Environments

    Introduction

    Decentralized technologies are propelling the digital economy.

    As the COVID-19 pandemic has accelerated our shift into virtual social and economic systems, blockchain technology poses a new technological frontier – further disrupting digital interactions and value creation by providing a modification of data without relying on third parties. New blockchain software developments are being used to redefine how central banks distribute currency and to track provenance for scarce digital assets.

    Tokenizing the blockchain

    Non-fungible tokens (NFTs) are distinct cryptographic tokens created from blockchain technology. The rarity systems in NFTs are redefining digital ownership and being used to drive creator-centric communities.

    Not crypto-currency, central currency

    Central Bank Digital Currencies (CBDC) combine the same architecture of cryptocurrencies built on blockchain with the financial authority of a central bank. These currencies are not decentralized because they are controlled by a central authority, rather they are distributed systems. (Decrypt, 2021)

    80% of banks are working on a digital currency. (Atlantic Council, 2021)

    Brands that launched NFTs

    NBA, NFL, Formula 1, Nike, Stella Artois, Coca-Cola, Mattel, Dolce & Gabbana, Ubisoft, Charmin

    Banks that launched digital currencies

    The Bahamas, Saint Kitts and Nevis, Antigua and Barbuda, Saint Lucia, Grenada

    Signals

    ID on the blockchain

    Blockchains can contain smart contracts that automatically execute given specific conditions, protecting stakeholders involved in a transaction. These have been used by central banks to automate when and how currency can be spent and by NFT platforms to attribute a unique identity to a digital asset. Automation and identity verification are the most highly valued digital capabilities of IT practitioners.

    $69.3 million – The world’s most expensive NFT artwork sale, for Beeple’s “Everydays: The First 5,000 Days” (The New York Times, Mar. 2021)

    Digital capabilities that provide high value to the organization

    E-commerce 50%
    Automation 79%
    Smart contracts 42%
    Community building and engagement 55%
    Real-time payments 46%
    Tracking provenance 33%
    Identity verification 74%

    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    Financial autonomy

    Central banks view cryptocurrencies as "working against the public good" and want to maintain control over their financial system to maintain the integrity of payments and provide financial crime oversight and protections against money laundering. (Board of Governors of the Federal Reserve System, 2021)

    Bitcoin energy requirements and greenhouse gas emissions

    Annual energy consumption of the Bitcoin blockchain in China is estimated to peak in 2024 at 297 TwH and generate 130.5 million metric tons of carbon emissions. That would exceed the annual GHG of the Czech Republic and Qatar and rank in the top 10 among 182 cities and 42 industrial sectors in China. This is motiving cryptocurrency developers and central banks to move away from the energy-intensive "Proof of Work" mining approach and towards the "Proof of Stake" approach. (Nature Communications, 2021)

    Digital communities

    During the pandemic, people spent more time exploring digital spaces and interacting in digital communities. Asset ownership within those communities is a way for individuals to show their own personal investment in the community and achieve a status that often comes with additional privileges. The digital assets can also be viewed as an investment vehicle or to gain access to exclusive experiences.

    “The pillars of the music economy have always been based on three things that the artist has never had full control of. The idea of distribution is freed up. The way we are going to connect to fans in this direct to fan value prop is very interesting. The fact we can monetize it, and that money exchange, that transaction is immediate. And on a platform like S!NG we legitimately have a platform to community build…. Artists are getting a superpower.” (Raine Maida, Chief Product Officer, S!NG Singer, Our Lady Peace)

    Raine Maida, Chief Product Officer, S!NG, and Singer, Our Lady Peace.

    Listen to the Tech Insights podcast: Raine Maida's startup is an NFT app for music

    Case Study

    Situation

    Artists can create works and distribute them to a wide audience more easily than ever with the internet. Publishing a drawing or a song to a website allows it to be infinitely copied. Creators can use social media accounts and digital advertisements to build up a fan base for their work and monetize it through sales or premium-access subscriber schemes.

    Complication

    The internet's capacity for frictionless distribution is a boon and a burden for artists at the same time. Protecting copyright in a digital environment is difficult because there is no way to track a song or a picture back to its creator. This devalues the work because it can be freely exchanged by users.

    Resolution

    S!NG allows creators to mint their works with a digital token that stamps its origin to the file and tracks provenance as it is reused and adapted into other works. It uses the ERC 721 standard on the Ethereum blockchain to create its NFT tokens. They are portable files that the user can create for free on the S!NG platform and are interoperable with other digital token platforms. This enables a collaboration utility by reducing friction in using other people's works while giving proper attribution. Musicians can create mix tracks using the samples of others’ work easily and benefit from a smart-contract-based revenue structure that returns money to creators when sales are made. (Interview with Geoff Osler and Raine Maida, S!NG Executives)

    Risks and Benefits

    Benefits

    Autonomy Digital money and assets could proliferate the desire for autonomy as users have greater control over their assets (by cutting out the middlemen, democratizing access to investments, and re-claiming ownership over intangible data).
    Community Digital worlds and assets offer integrated and interoperable experiences influenced by user communities.
    Equity Digital assets allow different shareholder equity models as they grant accessible and affordable access to ownership.

    Risks

    Volatility Digital assets are prone to volatile price fluctuations. A primary reason for this is due to its perceived value relative to the fiat currency and the uncertainty around its future value.
    Security While one of the main features of blockchain-based digital assets is security, digital assets are vulnerable to breaches during the process of storing and trading assets.
    Access Access to digital marketplaces requires a steep learning curve and a base level of technical knowledge.

    What's Next

    Into the Metaverse:

    Digital tokens are finding new utility in virtual environments known as the Metaverse. Decentraland is an example of a virtual reality environment that can be accessed via a web browser. Based on the Ethereum blockchain, it's seen sales of virtual land plots for hundreds of thousands of dollars. Sotheby's is one buyer, building a digital replica of its New Bond Street gallery in London, complete with commissionaire Hans Lomuldur in avatar form to greet visitors. The gallery will showcase and sell Sotheby's digital artworks. (Artnet News, 2021)

    Bitcoin as legal tender:

    El Salvador became the first country in the world to make Bitcoin legal tender in September 2021. The government intended for this to help citizens avoid remittance fees when receiving money sent from abroad and to provide a way for citizens without bank accounts to receive payments. Digital wallet Chivo launched with technical glitches and in October a loophole that allowed “price scalping” had to be removed to stop speculators from using the app to trade for profit. El Salvador’s experiment will influence whether other countries consider using Bitcoin as legal tender. (New Scientist, 2021)

    Uncertainties

    Stolen goods at the mint:

    William Shatner complained that Twitter account @tokenizedtweets had taken his content without permission and minted tokens for sale. In doing so, he pointed out there’s no guarantee a minted digital asset is linked to the creator of the attached intellectual property.

    Decentralized vs. distributed finance:

    Will blockchain-based markets be controlled by a single platform operator or become truly open? For example, Dapper Labs centralizes the minting of NFTs on its Flow blockchain and controls sales through its markets. OpenSea allows NFTs minted elsewhere to be brought to the platform and sold.

    Supply and demand:

    Platforms need to improve the reliability of minting technology to create tokens in the future. Ethereum's network is facing more demand than it can keep up with and requires future upgrades to improve its efficiency. Other platforms that support minting tokens are also awaiting upgrades to be fully functional or have seen limited NFT projects launched on their platform.

    Intangible Value Creation Scenarios

    Determine your organization’s strategy by considering the different scenarios based on two main factors. The design decisions are made around whether digital assets are decentralized or distributed and whether the assets facilitate transactions or collections.

    A map of Intangible Value Creation scenarios with two axes representing 'Fungibility, From assets that are designed to be exchanged like currency to assets that are unique' and 'Asset Control Model, From decentralized control with open ownership to centralized control with distributed assets'. The axes split the map into quarters. 'Fungibility' ranges from 'Transactional' on the left to 'Collectible' on the right. 'Asset Control Model' ranges from 'Distributed' on top to 'Decentralized' on bottom. The top left quarter, distributed transactional, reads 'Platform-controlled digital exchanges and utility (e.g. tokens exchanged for fan experiences, central bank digital currency, S!NG).' The top right quarter, distributed collectible, reads 'Platform-controlled digital showcases and community (e.g. NBA Top Shot, Decentraland property).' The bottom left quarter, decentralized transactional, reads 'Peer-controlled digital exchanges and utility (e.g. Bitcoin).' The bottom right quarter, decentralized collectible, reads 'Peer-controlled digital showcases and community (e.g. OpenSea and Ethereum-based NFTs).'

    Recommendations

    Determine your role in the digital asset ecosystem.
    • Becoming a platform provider for digital tokens will require a minting capability to create blockchain-based assets and a marketplace for users to exchange them.
    • Issuing digital tokens to a platform through a sale will require making partnerships and marketing.
    • Investing in digital assets will require management of digital wallets and subject-matter expert analysis of the emerging markets.
    Track the implications of digital currencies.

    Track what your country’s central bank is planning for digital currency and determine if you’ll need to prepare to support it. Be informed about payment partner support for cryptocurrency and consider any complications that may introduce.

    $1 billion+ – The amount of cryptocurrency spent by consumers globally through crypto-linked Visa cards in first half of 2021. (CNBC, July 2021)

    Info-Tech Resources

    Automation as a Service

    TREND 05 | INNOVATION

    Automate business processes and access new sophisticated technology services through platform integration.

    Emerging technologies:
    Cloud platforms, APIs, Generative AI

    Introduction

    The glue for innovation

    Rapidly constructing a business model that is ready to compete in a digital economy requires continuous innovation. Application programming interfaces (APIs) can accelerate innovation by unlocking marketplaces of ready-to-use solutions to business problems and automating manual tasks to make more time for creativity. APIs facilitate a microarchitecture approach and make it possible to call upon a new capability with a few lines of code. This is not a new tool, as the first API was specified in 1951, but there were significant advances of both scale and capability in this area in 2021.

    In the past 18 months, API adoption has exploded and even industries previously considered as digital laggards are now integrating them to reinvent back-office processes. Technology platforms specializing in API management are attracting record-breaking investment. And sophisticated technology services such as artificial intelligence are being delivered by APIs.

    APIs can play a role in every company’s digital strategy, from transforming back-office processes to creating revenue as part of a platform.

    $500,000 was invested in API companies in 2016. (Forbes, May 2021)

    $2,000,000,000+ was invested in API companies in 2020. (Forbes, May 2021)

    69% of IT practitioners say digital transformation has been a high priority for their organization during the pandemic. (Info-Tech Tech Trends 2022 Survey)

    51% of developers used more APIs in 2020 than in 2019. (InsideHPC, 2021)

    71% of developers planned to use even more APIs in 2021. (InsideHPC, 2021)

    Signals

    IT practitioners indicate that digital transformation was a strong focus for their organization during the pandemic and will remain so during the period afterwards, and one-third say their organizations were “extremely focused” on digital transformation.

    When it came to shifting processes from being done manually to being completed digitally, more than half of IT practitioners say they shifted at least 21% of their processes during the past year. More than one in five say that at least 60% of their processes were shifted from manual to digital in the past year.

    3.5 trillion calls were performed on API management platform Apigee, representing a 50% increase year over year. (SiliconANGLE, 2021)

    Processes shifted from manual to digital in the past year

    A horizontal bar chart recording survey responses regarding the percent of processes that shifted from manual to digital in the past year. The horizontal axis is 'percent of survey respondents' with values from 0 to 35%. The vertical axis is 'percent of process shifted to digital' with bar labels 'Between 0 to 20%', 'Between 21 to 40%', and so on until 'Between 81 to 100%'. 20% of respondents answered '0 to 20%' of processes went digital. 28% of respondents answered '21 to 40%' of processes went digital. 30% of respondents answered '41 to 60%' of processes went digital. 15% of respondents answered '61 to 80%' of processes went digital. 7% of respondents answered '81 to 100%' of processes went digital.

    Drivers

    Covid-19

    The pandemic lockdowns pushed everyone into a remote-work scenario. With in-person interaction not an option, even more traditional businesses had to adapt to digital processes.

    Customer Expectations

    The success of digital services in the consumer space is causing expectations to rise in other areas, such as professional services. Consumers now want their health records to be portable and they want to pay their lawyer through e-transfer, not by writing a cheque. (Interview with Mik Lernout)

    Standardization

    Technology laggard industries such as legal and healthcare are recognizing the pain of working with siloed systems. New standardization efforts are driving the adoption of open APIs at a rapid rate. (Interview with Jennifer Jones, Research Director – Industry, Info-Tech Research Group)

    Risks and Benefits

    Benefits

    Speed Using a microarchitecture approach with readily available services constructed in different ways provides a faster way to get from idea to minimum-viable product.
    Intelligence Open APIs have more than ever exposed people to sophisticated AI algorithms that were in the domain of only advanced researchers just a couple years ago. Developers can integrate AI with a couple lines of code. Non-technical users can train algorithms with low-code and no-code tools (Forbes, Sept. 2021).
    Resilience If one function of a solution doesn't work, it can be easily replaced with another one available on the market and the overall experience is maintained.

    Risks

    Loss of Privacy APIs are being targeted by hackers as a way to access personal information. Recent API-related leaks affected Experian, John Deere, Clubhouse, and Peloton (VentureBeat, 2021).
    Complexity Using a decentralized approach to assemble applications means that there is no single party accountable for the solution. Different pieces can break, or oversights can go unnoticed.
    Copycats Platforms that take the approach of exposing all functions via API run the risk of having their services used by a competitor to offer the same solution but with an even better user experience.

    “When we think about what the pandemic did, we had this internal project called 'back to the future.' It kind of put the legal industry in a time machine and it kind of accelerated the legal industry 5, maybe even 10 years. A lot of the things we saw with the innovators became table stakes.” (Mik Lernout, Vice President of Product, Clio)

    Photo of Mik Lernout, Vice president of product, Clio.

    Listen to the Tech Insights podcast: Clio drives digital transformation to redefine the legal industry

    Case Study

    Situation

    The COVID-19 pandemic required the legal industry to shift to remote work. A typically change-resistant industry was now holding court hearings over videoconference, taking online payments, and collecting e-signatures on contracts. For Clio, a software-as-a-service software vendor that serves the legal industry, its client base grew and its usage increased. It previously focused on the innovators in the legal industry, but now it noticed laggards were going digital too.

    Complication

    Law firms have very different needs depending on their legal practice area (e.g. family law, corporate law, or personal injury) and what jurisdiction they operate in.

    Clients are also demanding more from their lawyers in terms of service experience. They don't want to travel to the law office to drop off a check but expect digital interactions on par with service they receive in other areas.

    Resolution

    Since its inception, Clio built its software product so that all of its functions could be called upon by an API as well. It describes its platform as the "operating system for the legal industry." Its API functions include capabilities like managing activities, billing, and contracts. External developers can submit applications to the Clio Marketplace to add new functionality. Its platform approach enables it to find solutions for its 150,000+ users. During the pandemic, Clio saw its customers rely on its APIs more than ever before. It expects this accelerated adoption to be the way of working in the future. (ProgrammableWeb, 2021; Interview with Mik Lernout)

    What's Next

    GOOGLE’S API-FIRST APPROACH:

    Google is expanding its Apigee API management platform so enterprises will be able to connect existing data and applications and access them via APIs. It's part of Google's API-first approach to digital transformation, helping enterprises with their integration challenges. The new release includes tools and a framework that's needed to integrate services in this way and includes pre-built connectors for common business apps and services such as Salesforce, Cloud SQL, MySQL, and BigQuery. (SiliconANGLE, 2021)

    Uncertainties

    API SECURITY:

    APIs represent another potential vulnerability for hackers to exploit and the rise in popularity has come with more security incidents. Companies using APIs have leaked data through APIs, with one research report on the state of API security finding that 91% of organizations have suffered an API security incident. Yet more than a quarter of firms running production APIs don’t have an API security strategy. (VentureBeat, 2021)

    For low IT maturity organizations moving onto platforms that introduce API capabilities, education is required about the consequences of creating more integrations. Platforms must bear some responsibility for monitoring for irregular activity. (Interview with Mik Lernout)

    Automation as a Service Scenarios

    Determine your organization’s platform strategy from the basis of your digital maturity – from that of a laggard to a native – and whether it involves monetized APIs vs. freely available public APIs. A strategy can include both the consumption of APIs and the creation of them.

    A map of Automation as a Service scenarios with two axes representing 'Business Model, From an open and public API to a monetized pay-for-use API' and 'Digital Maturity, From being a digital laggard to being a digital native'. The axes split the map into quarters. 'Business Model' ranges from 'Public APIs' on the left to 'Monetized APIs' on the right. 'Digital Maturity' ranges from 'Digital Native' on top to 'Digital Laggard' on bottom. The top left quarter, digital native public APIs, reads 'Platform business model that grows through adoption of free APIs (e.g. Clio).' The top right quarter, digital native monetized APIS, reads 'Platform business model with spectrum of API services including free tiers.' The bottom left quarter, digital laggard public APIs, reads 'Consume public APIs to simplify and automate business processes and improve customer experience (e.g. law firms using Clio).' The bottom right quarter, digital laggard monetized APIs, reads 'Consume paid APIs to provide customers with expanded services (e.g. retailer Lowe’s uses AccuWeather to predict supply and demand).'

    Recommendations

    Leverage APIs to connect your systems. Create a repeatable process to improve the quality, reusability, and governance of your web APIs.

    Transform your business model with digital platforms. Use the best practices of digital native enterprises and leverage your core assets to compete in a digital economy.

    Deliver sophisticated new capabilities with APIs. Develop an awareness of new services made available through API integration, such as artificial intelligence, and take advantage of them.

    4.5 billion words per day generated by the OpenAI natural language API GPT-3, just nine months after launch. (OpenAI, 2021)

    Info-Tech Resources

    Behind the design

    Inspiration provided by the golden ratio

    The golden ratio has long fascinated humans for its common occurrence in nature and inspired artists who adopted its proportions as a guiding principle for their creations. A new discovery of the golden ratio in economic cycles was published in August 2021 by Bert de Groot, et al. As the boundaries of value creation blur between physical and digital and the pace of change accelerates, these digital innovations may change our lives in many ways. But they are still bound by the context of the structure of the economy. Hear more about this surprising finding from de Groot and from this report’s designer by listening to our podcast. (Technological Forecasting and Social Change, 2021)

    “Everything happening will adapt itself into the next cycle, and that cycle is one phi distance away.” (Bert de Groot, professor of economics at Erasmus University Rotterdam)

    Photo of Bert de Groot, Professor of Economics at Erasmus University Rotterdam.

    Listen to the Tech Insights podcast: New discovery of the golden ratio in the economy

    Contributing Experts

    Vijay Sundaram
    Chief Strategy Officer, Zoho
    Photo of Vijay Sundaram, Chief Strategy Officer, Zoho.
    Jason Brommet
    Head of Modern Work and Security Business Group, Microsoft
    Photo of Jason Brommet, Head of Modern Work and Security Business Group at Microsoft.
    Steve Orrin
    Federal Chief Technology Officer, Intel
    Photo of Steve Orrin, Federal Chief Technology Officer, Intel.
    Wade Barnes
    CEO and Founder, Farmers Edge
    Photo of Wade Barnes, CEO and founder of Farmers Edge.

    Contributing Experts

    Raine Maida
    Chief Product Officer, S!NG
    Singer, Our Lady Peace
    Raine Maida, Chief Product Officer, S!NG Singer, Our Lady Peace.
    Geoff Osler
    CEO, S!NG
    Photo of Geoff Osler, CEO, S!NG.
    Mik Lernout
    Vice President of Product, Clio
    Photo of Mik Lernout, Vice President of Product, Clio.
    Bert de Groot
    Professor of Economics, Erasmus University Rotterdam
    Photo of Bert de Groot, Professor of Economics at Erasmus University Rotterdam.

    Bibliography – Enabling the Digital Economy

    “2021 Canada Dealer Financing Satisfaction Study.” J.D. Power, 13 May 2021. Accessed 27 May 2021.

    Brown, Sara. “The CIO Role Is Changing. Here’s What’s on the Horizon.” MIT Sloan, 2 Aug. 2021. Accessed 16 Aug. 2021.

    de Groot, E. A., et al. “Disentangling the Enigma of Multi-Structured Economic Cycles - A New Appearance of the Golden Ratio.” Technological Forecasting and Social Change, vol. 169, Aug. 2021, pp. 120793. ScienceDirect, https://doi.org/10.1016/j.techfore.2021.120793.

    Hatem, Louise, Daniel Ker, and John Mitchell. “Roadmap toward a common framework for measuring the Digital Economy.” Report for the G20 Digital Economy Task Force, OECD, 2020. Accessed 19 Oct. 2021.

    LaBerge, Laura, et al. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” McKinsey, 5 Oct. 2020. Accessed 14 June 2021.

    Pomeroy, James. The booming digital economy. HSBC, Sept. 2020. Web.

    Salman, Syed. “Digital Transformation Realized Through COBIT 2019.” ISACA, 13 Oct. 2020. Accessed 25 Oct. 2021.

    Bibliography – Hybrid Collaboration

    De Smet, Aaron, et al. “Getting Real about Hybrid Work.” McKinsey Quarterly, 9 July 2021. Web.

    Herskowitz, Nicole. “Brace Yourselves: Hybrid Work Is Hard. Here’s How Microsoft Teams and Office 365 Can Help.” Microsoft 365 Blog, 9 Sept. 2021. Web.

    Melin, Anders, and Misyrlena Egkolfopoulou. “Employees Are Quitting Instead of Giving Up Working From Home.” Bloomberg, 1 June 2021. Web.

    Spataro, Jared. “Microsoft and LinkedIn Share Latest Data and Innovation for Hybrid Work.” The Official Microsoft Blog, 9 Sept. 2021. Web.

    Subin, Samantha. “The new negotiation over job benefits and perks in post-Covid hybrid work.” CNBC, 23 Apr. 2021. Web.

    Torres, Roberto. “How to Sidestep Overspend as Hybrid Work Tests IT.” CIO Dive, 26 July 2021. Accessed 16 Sept. 2021.

    Wong, Christine. “How the hybrid workplace will affect IT spending.” ExpertIP, 15 July 2021. Web.

    Yang, Longqi, et al. “The Effects of Remote Work on Collaboration among Information Workers.” Nature Human Behaviour, Sept. 2021, pp. 1-12. Springer Nature, https://doi.org/10.1038/s41562-021-01196-4.

    Bibliography – Battle Against Ransomware

    Berg, Leandro. “RTF Report: Combatting Ransomware.” Institute for Security and Technology (IST), 2021. Accessed 21 Sept. 2021.

    Dudley, Renee. “The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks.” ProPublica, 27 Aug. 2019. Accessed 22 Sept. 2021.

    Durbin, Steve. “Council Post: Artificial Intelligence: The Future Of Cybersecurity?” Forbes, 23 Sept. 2021. Accessed 21 Oct. 2021.

    “FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware.” The White House, 13 Oct. 2021. Web.

    Jeffery, Lynsey, and Vignesh Ramachandran. “Why ransomware attacks are on the rise — and what can be done to stop them.” PBS NewsHour, 8 July 2021. Web.

    McBride, Timothy, et al. Data Integrity: Recovering from Ransomware and Other Destructive Events. NIST Special Publication (SP) 1800-11, National Institute of Standards and Technology, 22 Sept. 2020. NIST Computer Security Resource Center (CSRC), https://doi.org/10.6028/NIST.SP.1800-11.

    Mehrotra, Karitkay, and Jennifer Jacobs. “Crypto Channels Targeted in Biden’s Fight Against Ransomware.” BNN Bloomberg, 21 Sept. 2021. Web.

    Sharma, Mayank. “Hackers demand $70m ransom after executing massive Solar Winds-like attack.” TechRadar, 5 July 2021. Web.

    “Unhacked: 121 Tools against Ransomware on a Single Website.” Europol, 26 July 2021. Web.

    Bibliography – Carbon Metrics in Energy 4.0

    “The A List 2020.” CDP, 2021. Web.

    Baazil, Diedrik, Hugo Miller, and Laura Hurst. “Shell loses climate case that may set precedent for big oil.” Australian Financial Review, 27 May 2021. Web.

    “BlackRock’s 2020 Carbon Footprint.” BlackRock, 2020. Accessed 25 May 2021.

    “CDP Media Factsheet.” CDP, n.d. Accessed 25 May 2021.

    Glaser, April, and Leticia Miranda. “Amazon workers demand end to pollution hitting people of color hardest.” NBC News, 24 May 2021. Accessed 25 May 2021.

    Little, Mark. “Why Canada should be the home of the new global sustainability standards board.” Business Council of Canada, 1 Oct. 2021. Accessed 22 Oct. 2021.

    McIntyre, Catherine. “Canada vying for global headquarters to oversee sustainable-finance standards.” The Logic, 22 July 2021. Web.

    “Net Zero Scorecard.” Energy & Climate Intelligence Unit, 2021. Accessed 25 May 2021.

    Sayer, Peter. “Greenhouse gas emissions: The next big issue for CIOs.” CIO, 13 Oct. 2021. Web.

    “Scope 1 and Scope 2 Inventory Guidance.” US EPA, OAR. 14 Dec. 2020. Web.

    Sorkin, Andrew Ross. “BlackRock C.E.O. Larry Fink: Climate Crisis Will Reshape Finance.” The New York Times, 14 Jan. 2020. Web.

    “Sustainable IT Pledge.” CIO Strategy Council, 2021. Accessed 22 Oct. 2021.

    Bibliography – Intangible Value Creation

    Areddy, James T. “China Creates Its Own Digital Currency, a First for Major Economy.” Wall Street Journal, 5 Apr. 2021. Web.

    Boar, Codruta, et al. Impending arrival - a sequel to the survey on central bank digital currency. BIS Papers No 107, Jan. 2020. Web.

    Brainard, Lael. “Speech by Governor Brainard on Private Money and Central Bank Money as Payments Go Digital: An Update on CBDCs.” Board of Governors of the Federal Reserve System, 24 May 2021. Accessed 28 May 2021.

    Howcroft, Elizabeth, and Ritvik Carvalho. “How a 10-second video clip sold for $6.6 million.” Reuters, 1 Mar. 2021. Web.

    “Central Bank Digital Currency Tracker.” Atlantic Council, 2021. Accessed 10 Sept. 2021.

    “Expert Comment From Warwick Business School: Problems With El Salvador’s Bitcoin Experiment Are Unsurprising.” Mondo Visione, 8 Sept. 2021. Accessed 10 Sept. 2021.

    Goldstein, Caroline. “In Its Ongoing Bid to Draw Crypto-Collectors, Sotheby’s Unveils a Replica of Its London H.Q. in the Blockchain World Decentraland.” Artnet News, 7 June 2021. Web.

    Hamacher, Adriana. “Taco Bell to Charmin: 10 Big Brands Jumping On The NFT Bandwagon.” Decrypt, 22 Mar. 2021. Web.

    Hazan, Eric, et al. “Getting tangible about intangibles: The future of growth and productivity?” McKinsey. 16 June 2021. Web.

    Bibliography – Intangible Value Creation

    Herrera, Pedro. “Dapp Industry Report: Q3 2021 Overview.” DappRadar, 1 Oct. 2021. Web.

    Holland, Frank. “Visa Says Crypto-Linked Card Usage Tops $1 Billion in First Half of 2021.” CNBC, 7 July 2021. Web.

    Jiang, Shangrong, et al. “Policy Assessments for the Carbon Emission Flows and Sustainability of Bitcoin Blockchain Operation in China.” Nature Communications, vol. 12, no. 1, Apr. 2021, p. 1938. Springer Nature, https://doi.org/10.1038/s41467-021-22256-3.

    Reyburn, Scott. “JPG File Sells for $69 Million, as ‘NFT Mania’ Gathers Pace.” The New York Times, 11 Mar. 2021. Web.

    Taylor, Luke. “Bitcoin: El Salvador’s Cryptocurrency Gamble Hit by Trading Loophole.” New Scientist, 25 Oct. 2021. Web.

    Bibliography – Automation as a Service

    Belsky, Scott. “The Furry Lisa, CryptoArt, & The New Economy Of Digital Creativity.” Medium, 21 Feb. 2021. Web.

    Culbertson, Joy. “10 Top Law APIs.” ProgrammableWeb, 14 Feb. 2021. Web.

    Caballar, Rina Diane. “Programming by Voice May Be the Next Frontier in Software Development - IEEE Spectrum.” IEEE Spectrum: Technology, Engineering, and Science News, 22 Mar 2021. Accessed 23 Mar. 2021.

    Gonsalves, Chris. “The Problem with APIs.” VentureBeat, 7 May 2021. Web.

    Graca, Joao. “Council Post: How APIs Are Democratizing Access To AI (And Where They Hit Their Limits).” Forbes, 24 Sept 2021. Accessed 28 Sept. 2021.

    Harris, Tony. “What is the API Economy?” API Blog: Everything You Need to Know, 4 May 2021. Web.

    Kitsing, Meelis. Scenarios for Digital Platform Ecosystems, 2020, pp. 453-57. ResearchGate, https://doi.org/10.1109/ICCCS49078.2020.9118571.

    Pilipiszyn, Ashley. “GPT-3 Powers the Next Generation of Apps.” OpenAI, 25 Mar. 2021. Web.

    Rethans, John. “So You Want to Monetize Your APIs?” APIs and Digital Transformation, 29 June 2018. Web.

    Bibliography – Automation as a Service

    Salyer, Patrick. “API Stack: The Billion Dollar Opportunities Redefining Infrastructure, Services & Platforms.” Forbes, 4 May 2021. Accessed 27 Oct. 2021.

    staff. “RapidAPI Raises $60M for Expansion of API Platform.” InsideHPC, 21 Apr. 2021. Web.

    Taulli, Tom. “API Economy: Is It The Next Big Thing?” Forbes, 18 Jan. 2021. Accessed 5 May 2021.

    Warren, Zach. “Clio Taking 2021 Cloud Conference Virtual, Announces New Mission Among Other News.” Legaltech News, 11 Mar. 2021. Web.

    Wheatley, Mike. “Google Announces API-First Approach to Application Data Integration with Apigee.” SiliconANGLE, 28 Sept. 2021. Web.

    About the research

    Tech trends survey

    As part of its research process for the 2022 Tech Trends Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from August 2021 to September 2021, collecting 475 responses.

    The underlying metrics are diverse, capturing 14 countries and regions and 16 Industries.

    A geospatial chart of the world documenting the percentage of respondents from each country to Info-Tech's '2022 Tech Trends Report' Percentages are below.
    01 United States 45.3% 08 India 1.7%
    02 Canada 19.2% 09 Other (Asia) 1.7%
    03 Africa 9.3% 10 New Zealand 1.5%
    04 Other (Europe) 5.3% 11 Germany 0.8%
    05 Australia 4.2% 12 Mexico 0.4%
    06 Great Britain 3.8% 13 Netherlands 0.4%
    07 Middle East 2.9% 14 Japan 0.2%

    Industry

    01 Government 18.9%
    02 Media, Information, & Technology 12.8%
    03 Professional Services 12.8%
    04 Manufacturing 9.9%
    05 Education 8.8%
    06 Healthcare 8.2%
    07 Financial Services 7.8%
    08 Transportation & Logistics 3.4%
    09 Utilities 3.4%
    10 Insurance 2.5%
    11 Retail & Wholesale 2.5%
    12 Construction 2.3%
    13 Natural Resources 2.1%
    14 Real Estate & Property Management 1.7%
    15 Arts & Leisure 1.5%
    16 Professional Associations 1.3%

    Department

    IT (information technology) 88.2%
    Other (Department) 3.79%
    Operations 2.32%
    Research & Development 1.89%
    Sales 1.26%
    Administration 1.06%
    Finance 0.42%
    HR (Human Resources) 0.42%
    Marketing 0.42%
    Production 0.21%

    Role

    Manager 24%
    Director-level 22%
    C-level officer 19%
    VP-level 9%
    Team lead / supervisor 7%
    Owner / President / CEO 7%
    Team member 7%
    Consultant 5%
    Contractor 1%

    IT Spend

    Respondents on average spent 35 million per year on their IT budget.

    Accounting for the outlier responses – the median spend sits closer to 4.5 million per year. The highest spend on IT was within the Government, Healthcare, and Retail & Wholesale sectors.

    Slash Spending by Optimizing Your Software Maintenance and Support

    • Buy Link or Shortcode: {j2store}217|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Perpetual software maintenance (SW M&S) is an annual budget cost that increases almost yearly. You don’t really know if there is value in it, if its required by the vendor, or if there are opportunities for cost savings.
    • Most organizations never reap the full benefits of software M&S. They blindly send renewal fees to the vendor every year without validating their needs or the value of the maintenance. In addition, your vendor maintenance may be under contract and you aren’t sure what the obligations are for both parties.

    Our Advice

    Critical Insight

    • Analyzing the benefits contained within a vendor’s software M&S will provide the actual cost value of the M&S and whether there are critical support requirements vs. “nice to have” benefits.
    • Understanding the value and your requirement for M&S will allow you to make an informed decision on how best to optimize and reduce your annual software M&S spend.
    • Use a holistic approach when looking to reduce your software M&S spend. Review the entire portfolio for targeted reduction that will result in short- and long-term savings.
    • When targeting vendors to negotiate M&S price or coverage reduction, engaging them three to six months in advance of renewal will provide you with more time to effectively negotiate and not fall to the pressure of time.

    Impact and Result

    • Reduce annual costs for software maintenance and support.
    • Complete a value of investment (VOI) analysis of your software M&S for strategic vendors.
    • Maximize value of the software M&S by using all the benefits being paid for.
    • Right-size support coverage for your requirements.
    • Prioritize software vendors to target for cost reduction and optimization.

    Slash Spending by Optimizing Your Software Maintenance and Support Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to prioritize your software vendors and effectively target M&S for reduction, optimization, or elimination.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate

    Evaluate what software maintenance you are spending money.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 1: Evaluate
    • Software M&S Inventory and Prioritization Tool

    2. Establish

    Establish your software M&S requirements and coverage.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 2: Establish
    • Software Vendor Classification Tool

    3. Optimize

    Optimize your M&S spend, reduce or eliminate, where applicable.

    • Slash Spending by Optimizing Your Software Maintenance and Support – Phase 3: Optimize
    • Software M&S Value of Investment Tool
    • Software M&S Cancellation Decision Guide
    • Software M&S Executive Summary Template
    • Software M&S Cancellation Support Template
    [infographic]

    Stabilize Release and Deployment Management

    • Buy Link or Shortcode: {j2store}453|cart{/j2store}
    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $38,699 Average $ Saved
    • member rating average days saved: 37 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Lack of control over the release process, poor collaboration between teams, and manual deployments lead to poor quality releases at a cost to the business.

    Our Advice

    Critical Insight

    • Manage risk. Release management should stabilize the IT environment. A poorly designed release can take down the whole business. Rushing releases out the door leads to increased risk for the business.
    • Quality processes are key. Standardized process will enable your release and deployment management teams to have a framework to deploy new releases with minimal chance of costly downtime further down the production chain.
    • Business must own the process. Release managers need oversight of the business to remain good stewards of the release management process.

    Impact and Result

    • Be prepared with a release management policy. With vulnerabilities discovered and published at an alarming pace, organizations have to build a plan to address and fix them quickly. A detailed release and patch policy should map out all the logistics of the deployment in advance, so that when necessary, teams can handle rollouts like a well-oiled machine.
    • Automate your software deployment and patch management strategy. Replace tedious and time-consuming manual processes with the use of automated release and patch management tools. Some organizations have a variety of release tools for various tasks and processes to ensure all or most of the required processes are covered across a diverse development environment.
    • Test deployments and monitor your releases. Larger organizations may have the luxury of a test environment prior to deployment, but that may be cost prohibitive for smaller organizations. If resources are a constraint, roll out the patch gradually and closely monitor performance to be able to quickly revert in the event of an issue.

    Stabilize Release and Deployment Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should control and stabilize your release and deployment management practice while improving the quality of releases and deployments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Analyze current state

    Begin improving release management by assessing the current state and gaining a solid understanding of how core operational processes are actually functioning within the organization.

    • Stabilize Release and Deployment Management – Phase 1: Analyze Current State
    • Release Management Maturity Assessment
    • Release Management Project Roadmap Tool
    • Release Management Workflow Library (Visio)
    • Release Management Workflow Library (PDF)
    • Release Management Standard Operating Procedure
    • Patch Management Policy
    • Release Management Policy
    • Release Management Deployment Tracker
    • Release Management Build Procedure Template

    2. Plan releases and deployments

    Plan releases to gather all the pieces in one place and define what, why, when, and how a release will happen.

    • Stabilize Release and Deployment Management – Phase 2: Release and Deployment Planning

    3. Build, test, deploy

    Take a holistic and comprehensive approach to effectively designing and building releases. Get everything right the first time.

    • Stabilize Release and Deployment Management – Phase 3: Build, Test, Deploy

    4. Measure, manage, improve

    Determine desired goals for release management to ensure both IT and the business see the benefits of implementation.

    • Stabilize Release and Deployment Management – Phase 4: Measure, Manage, Improve
    [infographic]

    Workshop: Stabilize Release and Deployment Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Analyze Current State

    The Purpose

    Release management improvement begins with assessment of the current state.

    Key Benefits Achieved

    A solid understanding of how core operational processes are actually functioning within the organization.

    Activities

    1.1 Evaluate process maturity.

    1.2 Assess release management challenges.

    1.3 Define roles and responsibilities.

    1.4 Review and rightsize existing policy suite.

    Outputs

    Maturity Assessment

    Release Management Policy

    Release Management Standard Operating Procedure

    Patch Management Policy

    2 Release Management Planning

    The Purpose

    In simple terms, release planning puts all the pertinent pieces in one place.

    Key Benefits Achieved

    It defines the what, why, when, and how a release will happen.

    Activities

    2.1 Design target state release planning process.

    2.2 Define, bundle, and categorize releases.

    2.3 Standardize deployment plans and models.

    Outputs

    Release Planning Workflow

    Categorization and prioritization schemes

    Deployment models aligned to release types

    3 Build, Test, and Deploy

    The Purpose

    Take a holistic and comprehensive approach to effectively designing and building releases.

    Key Benefits Achieved

    Standardize build and test procedures to begin to drive consistency.

    Activities

    3.1 Standardize build procedures for deployments.

    3.2 Standardize test plans aligned to release types.

    Outputs

    Build procedure for hardware and software releases

    Test models aligned to deployment models

    4 Measure, Manage, and Improve

    The Purpose

    Determine and define the desired goals for release management as a whole.

    Key Benefits Achieved

    Agree to key metrics and success criteria to start tracking progress and establish a post-deployment review process to promote continual improvement.

    Activities

    4.1 Determine key metrics to track progress.

    4.2 Establish a post-deployment review process.

    4.3 Understand and define continual improvement drivers.

    Outputs

    List of metrics and goals

    Post-deployment validation checklist

    Project roadmap

    Secure IT-OT Convergence

    • Buy Link or Shortcode: {j2store}382|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $10,499 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations

    IT and OT are both very different complex systems. However, significant benefits have driven OT to be converged to IT. This results in IT security leaders, OT leaders and their teams' facing challenges in:

    • Governing and managing IT and OT security and accountabilities.
    • Converging security architecture and controls between IT and OT environments.
    • Compliance with regulations and standards.
    • Metrics for OT security effectiveness and efficiency.

    Our Advice

    Critical Insight

    • Returning to isolated OT is not beneficial for the organization, therefore IT and OT need to learn to collaborate starting with communication to build trust and to overcome differences between IT and OT. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and metrics for OT security.
    • Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
    • OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT-OT based on negotiation and this needs top-down support.

    Impact and Result

    Info-Tech’s approach in preparing for IT/OT convergence in the planning phase is coordination and collaboration of IT and OT to

    • initiate communication to define roles and responsibilities.
    • establish governance and build cross-functional team.
    • identify convergence components and compliance obligations.
    • assess readiness.

    Secure IT/OT Convergence Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure IT/OT Convergence Storyboard – A step-by-step document that walks you through how to secure IT-OT convergence.

    Info-Tech provides a three-phase framework of secure IT/OT convergence, namely Plan, Enhance, and Monitor & Optimize. The essential steps in Plan are to:

  • Initiate communication to define roles and responsibilities.
  • Establish governance and build a cross-functional team.
  • Identify convergence components and compliance obligations.
  • Assess readiness.
    • Secure IT/OT Convergence Storyboard

    2. Secure IT/OT Convergence Requirements Gathering Tool – A tool to map organizational goals to secure IT-OT goals.

    This tool serves as a repository for information about the organization, compliance, and other factors that will influence your IT/OT convergence.

    • Secure IT/OT Convergence Requirements Gathering Tool

    3. Secure IT/OT Convergence RACI Chart Tool – A tool to identify and understand the owners of various IT/OT convergence across the organization.

    A critical step in secure IT/OT convergence is populating a RACI (Responsible, Accountable, Consulted, and Informed) chart. The chart assists you in organizing roles for carrying out convergence steps and ensures that there are definite roles that different individuals in the organization must have. Complete this tool to assign tasks to suitable roles.

    • Secure IT/OT Convergence RACI Chart Tool
    [infographic]

    Further reading

    Secure IT/OT Convergence

    Create a holistic IT/OT security culture.

    Analyst Perspective

    Are you ready for secure IT/OT convergence?

    IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

    In the past, OT systems were engineered to be air gapped, relying on physical protection and with little or no security in design, (e.g. OT protocols without confidentiality properties). However, now, OT has become dependent on the IT capabilities of the organization, thus OT inherits IT’s security issues, that is, OT is becoming more vulnerable to attack from outside the system. IT/OT convergence is complex because the culture, policies, and rules of IT are quite foreign to OT processes such as change management, and the culture, policies, and rules of OT are likewise foreign to IT processes.

    A secure IT/OT convergence can be conceived of as a negotiation of a strong treaty between two systems: IT and OT. The essential initial step is to begin with communication between IT and OT, followed by necessary components such as governing and managing OT security priorities and accountabilities, converging security controls between IT and OT environments, assuring compliance with regulations and standards, and establishing metrics for OT security.

    Photo of Ida Siahaan, Research Director, Security and Privacy Practice, Info-Tech Research Group. Ida Siahaan
    Research Director, Security and Privacy Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    IT and OT are both very different complex systems. However, significant benefits have driven OT to converge with IT. This results in IT security leaders, OT leaders, and their teams facing challenges with:

    • Governing and managing IT and OT security and accountabilities.
    • Converging security architecture and controls between IT and OT environments.
    • Compliance with regulations and standards.
    • Metrics for OT security effectiveness and efficiency.
    Common Obstacles
    • IT/OT network segmentation and remote access issues, as most OT incidents indicate that the attackers gained access through the IT network, followed by infiltration into OT networks.
    • OT proprietary devices and unsecure protocols use outdated systems which may be insecure by design.
    • Different requirements of OT and IT security – i.e. IT (confidentiality, integrity, and availability) vs. OT (safety, reliability, and availability).
    Info-Tech’s Approach

    Info-Tech’s approach in preparing for IT/OT convergence (i.e. the Plan phase) is coordination and collaboration of IT and OT to:

    • Initiate communication to define roles and responsibilities.
    • Establish governance and build a cross-functional team.
    • Identify convergence components and compliance obligations.
    • Assess readiness.

    Info-Tech Insight

    Returning to isolated OT is not beneficial for the organization, so IT and OT need to learn to collaborate, starting with communication to build trust and to overcome their differences. Next, negotiation is needed on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

    Consequences of unsecure IT/OT convergence

    OT systems were built with no or little security design

    90% of organizations that use OT experienced a security incident. (Fortinet, 2021. Ponemon, 2019.)

    Bar graph comparing three years, 2019-2021, of four different OT security incidents: 'Ransomeware', 'Insider breaches', 'Phishing', and 'Malware'.
    (Source: Fortinet, 2021.)
    Lack of visibility

    86% of OT security-related service engagements lack complete visibility of OT network in 2021 (90% in 2020, 81% in 2019). (Source: “Cybersecurity Year In Review” Dragos, 2022.)

    The need for secure IT/OT convergence

    Important Industrial Control System (ICS) cyber incidents

    2000
    Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
    2012
    Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based systems files.
    2014
    Target: German Steel Mill. Method: Spear-phishing. Impact: Blast furnace failed to shut down.
    2017
    Target: Middle East safety instrumented system (SIS). Method: TRISIS/TRITON. Impact: Modified SIS ladder logic.
    2022
    Target: Viasat’s KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat’s services.
    Timeline of Important Industrial Control System (ICS) cyber incidents.
    1903
    Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent “Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily.”
    2010
    Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
    2013
    Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers
    2016
    Target: Ukrainian power grid. Method: BlackEnergy. Impact: For 1-6 hours, power outages for 230,000 consumers.
    2021
    Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted the pipeline operation.

    (Source: US Department of Energy, 2018.


    ”Significant Cyber Incidents,” CSIS, 2022


    MIT Technology Review, 2022.)

    Info-Tech Insight

    Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

    Case Study

    Horizon Power
    Logo for Horizon Power.
    INDUSTRY
    Utilities
    SOURCE
    Interview

    Horizon Power is the regional power provider in Western Australia and stands out as a leader not only in the innovative delivery of sustainable power, but also in digital transformation. Horizon Power is quite mature in distributed energy resource management; moving away from centralized generation to decentralized, community-led generation, which reflects in its maturity in converging IT and OT.

    Horizon Power’s IT/OT convergence journey started over six years ago when advanced metering infrastructure (AMI) was installed across its entire service area – an area covering more than one quarter of the Australian continent.

    In these early days of the journey, the focus was on leveraging matured IT approaches such as adoption of cloud services to the OT environment, rather than converging the two. Many years later, Horizon Power has enabled OT data to be more accessible to derive business benefits such as customer usage data using data analytics with the objective of improving the collection and management of the OT data to improve business performance and decision making.

    The IT/OT convergence meets legislation such as the Australian Energy Sector Cyber Security Framework (AESCSF), which has impacts on the architectural layer of cybersecurity that support delivery of the site services.

    Results

    The lessons learned in converging IT and OT from Horizon Power were:

    • Start with forming relationships to build trust and overcome any divide between IT and OT.
    • Collaborate with IT and OT teams to successfully implement solutions, such as vulnerability management and discovery tools for OT assets.
    • Switch the focus from confidentiality and integrity to availability in solutions evaluation
    • Develop training and awareness programs for all levels of the organization.
    • Actively encourage visible sponsorship across management by providing regular updates and consistent messaging.
    • Monitor cybersecurity metrics such as vulnerabilities, mean time to treat vulnerabilities, and intrusion attempts.
    • Manage third-party vendors using a platform which not only performs external monitoring but provides third-party vendors with visibility or potential threats in their organization.

    The Secure IT/OT Convergence Framework

    IT/OT convergence is less of a convergence and more of a migration. The previously entirely separate OT ecosystem is migrating onto the IT ecosystem, to improve access via the internet and to leverage other standard IT capabilities. However, IT and OT are historically very different, and without careful calculation, simply connecting the two systems will result in a problem. Therefore, IT and OT need to learn to live together starting with communication to build trust and to overcome differences between IT and OT.
    Convergence Elements
    • Process convergence
    • Software and data convergence
    • Network and infrastructure convergence
    Target Groups
    • OT leader and teams
    • IT leader and teams
    • Security leader and teams
    Security Components
    • Governance and compliance
    • Security strategy
    • Risk management
    • Security policies
    • IR, DR, BCP
    • Security awareness and training
    • Security architecture and controls

    Plan

    • Initiate communication
    • Define roles and responsibilities
    • Establish governance and build a cross-functional team
    • Identify convergence elements and compliance obligations
    • Assess readiness

    Governance

    Compliance

    Enhance

    • Update security strategy for IT/OT convergence
    • Update risk-management framework for IT/OT convergence
    • Update security policies and procedures for IT/OT convergence
    • Update incident response, disaster recovery, and business continuity plan for IT/OT convergence

    Security strategy

    Risk management

    Security policies and procedures

    IR, DR, and BCP

    Monitor &
    Optimize

    • Implement awareness, induction, and cross-training program
    • Design and deploy converging security architecture and controls
    • Establish and monitor IT/OT security metrics on effectiveness and efficiency
    • Red-team followed by blue-team activity for cross-functional team building

    Awareness and cross-training

    Architecture and controls

    Phases
    Color-coded phases with arrows looping back up from the bottom to top phase.
    • Plan
    • Enhance
    • Monitor & Optimize
    Plan Outcomes
    • Mapping business goals to IT/OT security goals
    • RACI chart for priorities and accountabilities
    • Compliance obligations register
    • Readiness checklist
    Enhance Outcomes
    • Security strategy for IT/OT convergence
    • Risk management framework
    • Security policies & procedures
    • IR, DR, BCP
    Monitor & Optimize Outcomes
    • Security awareness and training
    • Security architecture and controls
    Plan Benefits
    • Improved flexibility and less divided IT/OT
    • Improved compliance
    Enhance Benefits
    • Increased strategic common goals
    • Increased efficiency and versatility
    Monitor & Optimize Benefits
    • Enhanced security
    • Reduced costs

    Plan

    Initiate communication

    To initiate communication between the IT and OT teams, it is important to understand how the two groups are different and to build trust to find a holistic approach which overcomes those differences.
    IT OT
    Remote Access Well-defined access control Usually single-level access control
    Interfaces Human Machine, equipment
    Software ERP, CRM, HRIS, payroll SCADA, DCS
    Hardware Servers, switches, PCs PLC, HMI, sensors, motors
    Networks Ethernet Fieldbus
    Focus Reporting, communication Up-time, precision, safety
    Change management Frequent updates and patches Infrequent updates and patches
    Security Confidentiality, integrity, availability Safety, reliability, availability
    Time requirement Normally not time critical Real time

    Info-Tech Insight

    OT interfaces with the physical world while IT system concerns more on cyber world. Thus, the two systems have different properties. The challenge is how to create strategic collaboration between IT and OT based on negotiation, and this needs top-down support.

    Identifying organization goals is the first step in aligning your secure IT/OT convergence with your organization’s vision.

    • Security leaders need to understand the direction the organization is headed in.
    • Wise security investments depend on aligning your security initiatives to the organization.
    • Secure IT/OT convergence should contribute to your organization’s objectives by supporting operational performance and ensuring brand protection and shareholder value.

    Map organizational goals to IT/OT security goals

    Input: Corporate, IT, and OT strategies

    Output: Your goals for the security strategy

    Materials: Secure IT/OT Convergence Requirements Gathering Tool

    Participants: Executive leadership, OT leader, IT leader, Security leader, Compliance, Legal, Risk management

    1. As a group, brainstorm organization goals.
      1. Review relevant corporate, IT, and OT strategies.
    2. Record the most important business goals in the Secure IT/OT Convergence Requirements Gathering Tool. Try to limit the number of business goals to no more than 10 goals. This limitation will be critical to helping focus on your secure IT/OT convergence.
    3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

    Download the Secure IT/OT Convergence Requirements Gathering Tool

    Record organizational goals

    Sample of the definitions table with columns numbered 1-4.

    Refer to the Secure IT/OT Convergence Framework when filling in the following elements.

    1. Record your identified organization goals in the Goals Cascade tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    2. For each of your organizational goals, identify IT alignment goals.
    3. For each of your organizational goals, identify OT alignment goals.
    4. For each of your organizational goals, select one to two IT/OT security alignment goals from the drop-down lists.

    Establish scope and boundaries

    It is important to know at the outset of the strategy: What are we trying to secure in IT/OT convergence ?
    This includes physical areas we are responsible for, types of data we care about, and departments or IT/OT systems we are responsible for.

    This also includes what is not in scope. For some outsourced services or locations, you may not be responsible for their security. In some business departments, you may not have control of security processes. Ensure that it is made explicit at the outset what will be included and what will be excluded from security considerations.

    Physical Scope and Boundaries

    • How many offices and locations does your organization have?
    • Which locations/offices will be covered by your information security management system (ISMS)?
    • How sensitive is the data residing at each location?
    • You may have many physical locations, and it is not necessary to list each one. Rather, list exceptional cases that are specifically in or out of scope.

    IT Systems Scope and Boundaries

    • There may be hundreds of applications that are run and maintained in your organization. Some of these may be legacy applications. Do you need to secure all your programs or only a select few?
    • Is the system owned or outsourced?
    • Where are you accountable for security?
    • How sensitive is the data that each system handles?

    Organizational Scope and Boundaries

    • Will your ISMS cover all departments within your organization? For example, do certain departments (e.g. operations) not need any security coverage?
    • Do you have the ability to make security decisions for each department?
    • Who are the key stakeholders/data owners for each department?

    OT Systems Scope and Boundaries

    • There may be hundreds of OT systems that are run and maintained in your organization. Do you need to secure all OT or a select subset?
    • Is the system owned or outsourced?
    • Where are you accountable for safety and security?
    • What reliability requirements does each system handle?

    Record scope and boundaries

    Sample Scope and Boundaries table. Refer to the Secure IT/OT Convergence Framework when filling in the following elements:
    • Record your security-related organizational scope, physical location scope, IT systems scope, and OT systems scope in the Scope tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    • For each item scoped, give the rationale for including it in the comments column. Careful attention should be paid to any elements that are not in scope.

    Plan

    Define roles and responsibilities

    Input: List of relevant stakeholders

    Output: Roles and responsibilities for the secure IT/OT convergence program

    Materials: Secure IT/OT Convergence RACI Chart Tool

    Participants: Executive leadership, OT leader, IT leader, Security leader

    There are many factors that impact an organization’s level of effectiveness as it relates to IT/OT convergence. How the two groups interact, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, it is imperative in the planning phase to identify stakeholders who are:

    • Responsible: The people who do the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
    • Accountable: The person who is accountable for the completion of the activity. Ideally, this is a single person and will often be an executive or program sponsor.
    • Consulted: The people who provide information. This is usually several people, typically called subject matter experts (SMEs).
    • Informed: The people who are updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

    Download the Secure IT/OT Convergence RACI Chart Tool

    Define RACI Chart

    Sample RACI chart with only the 'Plan' section enlarged.

    Define responsible, accountable, consulted, and informed (RACI) stakeholders.
    1. Customize the "work units" to best reflect your operation with applicable stakeholders.
    2. Customize the "action“ rows as required.
    Info-Tech Insight

    The roles and responsibilities should be clearly defined. For example, IT network should be responsible for the communication and configuration of all access points and devices from the remote client to the control system DMZ, and controls engineering should be responsible from the control system DMZ to the control system.

    Plan

    Establish governance and build cross-functional team

    To establish governance and build an IT/OT cross-functional team, it is important to understand the operation of OT systems and their interactions with IT within the organization, e.g. ad hoc, centralized, decentralized.

    The maturity ladder with levels 'Fully Converged', 'Collaborative Partners', 'Trusted Resources', 'Affiliated Entities', and 'Siloed' at the bottom. Each level has four maturity indicators listed.

    Info-Tech Insight

    To determine IT/OT convergence maturity level, Info-Tech provides the IT/OT Convergence Self-Evaluation Tool.

    Centralized security governance model example

    Example of a centralized security governance model.

    Plan

    Identify convergence elements and compliance obligations

    To switch the focus from confidentiality and integrity to safety and availability for OT system, it is important to have a common language such as the Purdue model for technical communication.
    • A lot of OT compliance standards are technically focused and do not address governance and management, e.g. IT standards like the NIST Cybersecurity Framework. For example, OT system modeling with Purdue model will help IT teams to understand assets, networking, and controls. This understanding is needed to know the possible security solutions and where these solutions could be embedded to the OT system with respect to safety, reliability, and availability.
    • However, deployment of technical solutions or patches to OT system may nullify warranty, so arrangements should be made to manage this with the vendor or manufacturer prior to modification.
    • Finally, OT modernizations such as smart grid together with the advent of IIoT where data flow is becoming less hierarchical have encouraged the birth of a hybrid Purdue model, which maintains segmentation with flexibility for communications.

    Level 5: Enterprise Network

    Level 4: Site Business

    Level 3.5: DMZ
    Example: Patch Management Server, Application Server, Remote Access Server

    Level 3: Site Operations
    Example: SCADA Server, Engineering Workstation, Historian

    Level 2: Area Supervisory Control
    Example: SCADA Client, HMI

    Level 1: Basic Control
    Example: Batch Controls, Discrete Controls, Continuous Process Controls, Safety Controls, e.g. PLCs, RTUs

    Level 0: Process
    Example: Sensors, Actuators, Field Devices

    (Source: “Purdue Enterprise Reference Architecture (PERA) Model,” ISA-99.)

    Identify compliance obligations

    To manage compliance obligations, it is important to use a platform which not only performs internal and external monitoring, but also provides third-party vendors with visibility on potential threats in their organization.
    Example table of compliance obligations standards. Example tables of compliance obligations regulations and guidelines.

    Source:
    ENISA, 2013
    DHS, 2009.

    • OT system has compliance obligations with industry regulations and security standards/regulations/guidelines. See the lists given. The lists are not exhaustive.
    • OT system owner can use the standards/regulations/guidelines as a benchmark to determine and manage the security level provided by third parties.
    • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations, e.g. IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series.

    IEC/ISA 62443 - Security for Industrial Automation and Control Systems Series

    International series of standards for asset owners, system integrators, and product manufacturers.
    Diagram of the international series of standards for asset owners.
    (Source: Cooksley, 2021)
    • IEC/ISA 62443 is a comprehensive international series of standards covering security for ICS systems, which recognizes three roles, namely: asset owner, system integrator, and product manufacturer.
    • In IEC/ISA 62443, requirements flow from the asset owner to the product manufacturer, while solutions flow in the opposite direction.
    • For the asset owner who owns and operates a system, IEC 62443-2 enables defining target security level with reference to a threat level and using the standard as a benchmark to determine the current security level.
    • For the system integrator, IEC 62443-3 assists to evaluate the asset owner’s requirements to create a system design. IEC 62443-3 also provides a method for verification that components provided by the product manufacturer are securely developed and support the functionality required.

    Record your compliance obligations

    Refer to the “Goals Cascade” tab of the Secure IT/OT Convergence Requirements Gathering Tool.
    1. Identify your compliance obligations. Most organizations have compliance obligations that must be adhered to. These can include both mandatory and voluntary obligations. Mandatory obligations include:
      1. Laws
      2. Government regulations
      3. Industry standards
      4. Contractual agreements
      Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your secure IT/OT convergence, include only those that have OT security requirements.
    2. Record your compliance obligations, along with any notes, in your copy of the Secure IT/OT Convergence Requirements Gathering Tool.
    3. Refer to the “Compliance DB” tab for lists of standards/regulations/guidelines.
    Table of mandatory and voluntary security compliance obligations.

    Plan

    Assess readiness

    Readiness checklist for secure IT/OT convergence

    People

    • Define roles and responsibilities on interaction based on skill sets and the degree of support and alignment.
    • Adopt well-established security governance practices for cross-functional teams.
    • Analyze and develop skills required by implementing awareness, induction, and cross-training program.

    Process

    • Conduct a maturity assessment of key processes and highlight interdependencies.
    • Redesign cybersecurity processes for your secure IT/OT convergence program.
    • Develop a baseline and periodically review on risks, security policies and procedures, incident response, disaster recovery, and business continuity plan.

    Technology

    • Conduct a maturity assessment and identify convergence elements and compliance obligations.
    • Develop a roadmap and deploy converging security architecture and controls step by step, working with trusted technology partners.
    • Monitor security metrics on effectiveness and efficiency and conduct continuous testing by red-team and blue-team activities.

    (Source: “Grid Modernization: Optimize Opportunities And Minimize Risks,” Info-Tech)

    Enhance

    Update security strategy

    To update security strategy, it is important to actively encourage visible sponsorship across management and to provide regular updates.

    Cycle for updating security strategy: 'Architecture design', 'Procurement', 'Installation', 'Maintenance', 'Decommissioning'.
    (Source: NIST SP 800-82 Rev.3, “Guide to Operational Technology (OT) Security,” NIST, 2022.)
    • OT system life cycle is like the IT system life cycle, starting with architectural design and ending with decommissioning.
    • Currently, IT only gets involved from installation or maintenance, so they may not fully understand the OT system. Therefore, if OT security is compromised, the same personnel who commissioned the OT system (e.g. engineering, electrical, and maintenance specialists) must be involved. Thus, it is important to have the IT team collaborate with the OT team in each stage of the OT system’s life cycle.
    • Finally, it is necessary to have propositional sharing of responsibilities between IT leaders, security leaders, and OT leaders who have broader responsibilities.

    Enhance

    Update risk management framework

    The need for asset and threat taxonomy

    • One of issues in IT/OT convergence is that OT systems focus on production, so IT solutions like security patching or updates may deteriorate a machine or take a machine offline and may not be applicable. For example, some facilities run with reliability of 99.999%, which only allows maximum of 5 minutes and 35 seconds or less of downtime per year.
    • Managing risks requires an understanding of the assets and threats for IT/OT systems. Having a taxonomy of the assets and the threats cand help.
    • Applying normal IT solutions to mitigate security risks may not be applicable in an OT environment, e.g. running an antivirus tool on OT system may remove essential OT operations files. Thus, this approach must be avoided; instead, systems must be rebuilt from golden images.
    Risk management framework.
    (Source: ENISA, 2018.)

    Enhance

    Update security policies and procedures

    • Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance is applicable to all organizations, and vulnerabilities affect organizations of all sizes as well. Small organizations partnering with clients or other organizations are sometimes viewed as ideal proxies for attackers.
    • Updating security policies to align with the OT system so that there is a uniform approach to securing both IT and OT environments has several benefits. For example, enhancing the overall security posture as issues are pre-emptively avoided, being better prepared for auditing and compliance requirements, and improving governance especially when OT governance is weak.
    • In updating security policies, it is important to redefine the policy framework to include the OT framework and to prioritize the development of security policies. For example, entities that own or manage US and Canadian electric power grids must comply with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, specifically CIP-003 for Policy and Governance. This can be achieved by understanding the current state of policies and by right-sizing the policy suite based on a policy hierarchy.
    The White House released an Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021 that establishes new requirements on the scope of protection and security policy such that it must include both IT and OT.

    Policy hierarchy example

    This example of a policy hierarchy features templates from Info-Tech’s Develop and Deploy Security Policies and Identify the Best Framework for Your Security Policies research.

    Example policy hierarchy with four levels, from top-down: 'Governance', 'Process-based policies', 'Prescriptive/ technical (for IT including OT elements)', 'Prescriptive/ technical (for users)'.

    Enhance

    Update IR, DR, and BCP

    A proactive approach to security is important, so actions such as updating and testing the incident response plan for OT are a must. (“Cybersecurity Year In Review” Dragos, 2022.)

    1. Customize organizational chart for IT/OT IR, DR, BCP based on governance and management model.
      E.g. ad hoc, internal distributed, internal centralized, combined distributed, and decentralized. (Software Engineering Institute, 2003)
    2. Adjust the authority of the new organizational chart and decide if it requires additional staffing.
      E.g. full authority, shared authority. (Software Engineering Institute, 2003)
    3. Update IR plan, DR plan, and BCP for IT/OT convergence.
      E.g. incorporate zero trust principles for converge network
    4. Testing updated IR plan, DR plan, and BCP.

    Optimize

    Implement awareness, induction, and cross-training

    To develop training and awareness programs for all levels of the organization, it is important to understand the common challenges in IT security that also affect secure IT/OT convergence and how to overcome those challenges.

    Alert Fatigue

    Too many false alarms, too many events to process, and an evolving threat landscape that wastes analysts’ valuable time on mundane tasks such as evidence collection. Meanwhile, only limited time is given for decision and conclusion, which results in fear of missing an incident and alert fatigue.

    Skill Shortages

    Obtaining and retaining cybersecurity-skilled talent is challenging. Organizations need to invest in the people, but not all organizations will be able to invest sufficiently to have their own dedicated security team.

    Lack of Insight

    To report progress, clear metrics are needed. However, cybersecurity still falls short in this area, as the system itself is complex, and much work is siloed. Furthermore, lessons learned are not yet distilled into insights yet for improving future accuracy.

    Lack of Visibility

    Ensuring complete visibility of the threat landscape, risks, and assets requires system integration and consistent workflow across the organization, and the convergence of OT, IoT, and IT enhances this challenge (e.g. machines cannot be scanned during operational uptime).
    (Source: Security Intelligence, 2020.)
    “Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs.” (Danny Palmer, ZDNET News, 2022)

    Awareness may not correspond to readiness

    • An issue with IT/OT convergence training and awareness happens when awareness exists, but the personnel are trained only for IT security and are not trained for OT-specific security. For example, some organizations still use generic topics such as not opening email attachments, when the personnel do not even operate using email nor in a web browsing environment. (“Assessing Operational Readiness,” Dragos, 2022)
    • Meanwhile, as is the case with IT, OT security training topics are broad, such as OT threat intelligence, OT-specific incident response, and tabletop exercises.
    • Hence, it requires the creation of a training program development plan that considers the various audiences and topics and maps them accordingly.
    • Moreover, roles are also evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security & ops team might consist of an IT security specialist, SCADA technician/engineer, and OT/IIOT security specialist where OT/IIOT security specialist is a new role. (Grid Modernization: Optimize Opportunities and Minimize Risks,” Info-Tech)
    • In conclusion, it is important to approach talent development with an open mind. The ability to learn and flexibility in the face of change are important attributes, and technical skill sets can be improved with certifications and training.
    “One area regularly observed by Dragos is a weakness in overall cyber readiness and training tailored specific to the OT environment.” (“Assessing Operational Technology,” Dragos, 2022.)

    Certifications

    What are the options?
    • One of issues in certification is the complexity on relevancy in topics with respect to roles and levels.
    • An example solution is the European Union Agency for Cybersecurity (ENISA)’s approach to analyzing existing certifications by orientation, scope, and supporting bodies, grouped into specific certifications, relevant certifications, and safety certifications.

    Specific cybersecurity certification of ICS/SCADA
    Example: ISA-99/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP), Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course.

    Other relevant certification schemes
    Example: Network and Information Security (NIS) Driving License, ISA Certified Automation Professional (CAP), Industrial Security Professional Certification (NCMS-ISP).

    Safety Certifications
    Example: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organisations (ENSHPO).

    Order of certifications with 'Orientation' at the top, 'Scope', then 'Support'.(Source: ENISA, 2015.)

    Optimize

    Design and deploy converging security architecture and controls

    • IT/OT convergence architecture can be modeled as a layered structure based on security. In this structure, the bottom layer is referred as “OT High-Security Zone” and the topmost layer is “IT Low-Security Zone.” In this model, each layer has its own set of controls configured and acts like an additional layer of security for the zone underneath it.
    • The data flows from the “OT High-Security Zone” to the topmost layer, the “IT Low-Security Zone,” and the traffic must be verified to pass to another zone based on the need-to-know principle.
    • In the normal control flow within the “OT High-Security Zone” from level 3 to level 0, the traffic must be verified to pass to another level based on the principle of least privilege.
    • Remote access (dotted arrow) is allowed under strict access control and change control based on the zero-trust principle with clear segmentation and a point for disconnection between the “OT High-Security Zone” and the “OT Low-Security Zone”
    • This model simplifies the security process, as if the lower layers have been compromised, then the compromise can be confined on that layer, and it also prevents lateral movement as access is always verified.
    Diagram for the deployments of converging security architecture.(Source: “Purdue Enterprise Reference Architecture (PERA) model,” ISA-99.)

    Off-the-shelf solutions

    Getting the right recipe: What criteria to consider?

    Image of a shopping cart with the four headlines on the right listed in order from top to bottom.
    Icon of an eye crossed out. Visibility and Asset Management

    Passive data monitoring using various protocol layers, active queries to devices, or parsing configuration files of OT, IoT, and IT environments on assets, processes, and connectivity paths.

    Icon of gears. Threat Detection, Mitigation, and Response (+ Hunting)

    Automation of threat analysis (signature-based, specification-based, anomaly-based, sandboxing) not only in IT but also in relevant environments, e.g. IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

    Icon of a check and pen. Risk Assessment and Vulnerability Management

    Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

    Icon of a wallet. Usability, Architecture, Cost

    The user and administrative experience, multiple deployment options and extensive integration capabilities, and affordability.

    Optimize

    Establish and monitor IT/OT security metrics for effectiveness and efficiency

    Role of security metrics in a cybersecurity program (EPRI, 2017.)
    • Requirements for secure IT/OT are derived from mandatory or voluntary compliance, e.g. NERC CIP, NIST SP 800-53.
    • Frameworks for secure IT/OT are used to build and implement security, e.g. NIST CSF, AESCSF.
    • Maturity of secure IT/OT is used to measure the state of security, e.g. C2M2, CMMC.
    • Security metrics have the role of measuring effectiveness and efficiency.

    Icon of a person ascending stairs.
    Safety

    OT interfaces with the physical world. Thus, metrics based on risks related with life, health, and safety are crucial. These metrics motivate personnel by making clear why they should care about security. (EPRI, 2017.)

    Icon of a person ascending stairs.
    Business Performance

    The impact of security on the business can be measured in various metrics such as operational metrics, service level agreements (SLAs), and financial metrics. (BMC, 2022.)

    Icon of a person ascending stairs.
    Technology Performance

    Early detection will lead to faster remediation and less damage. Therefore, metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability. (Dark Reading, 2022)

    Icon of a person ascending stairs.
    Security Culture

    The metrics for the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

    Further information

    Related Info-Tech Research

    Sample of 'Build an Information Security Strategy'.

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

    This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

    Sample of 'Preparing for Technology Convergence in Manufacturing'.

    Preparing for Technology Convergence in Manufacturing

    Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

    Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

    Sample of 'Implement a Security Governance and Management Program'.

    Implement a Security Governance and Management Program

    Your security governance and management program needs to be aligned with business goals to be effective.

    This approach also helps provide a starting point to develop a realistic governance and management program.

    This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.

    Bibliography

    Assante, Michael J. and Robert M. Lee. “The Industrial Control System Cyber Kill Chain.” SANS Institute, 2015.

    “Certification of Cyber Security Skills of ICS/SCADA Professionals.” European Union Agency for Cybersecurity (ENISA), 2015. Web.

    Cooksley, Mark. “The IEC 62443 Series of Standards: A Product Manufacturer‘s Perspective.” YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

    “Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

    “Cybersecurity and Physical Security Convergence.” Cybersecurity and Infrastructure Security Agency (CISA). Accessed 19 May 2022.

    “Cybersecurity in Operational Technology: 7 Insights You Need to Know,” Ponemon, 2019. Web.

    “Developing an Operational Technology and Information Technology Incident Response Plan.” Public Safety Canada, 2020. Accessed 6 Sep. 2022.

    Gilsinn, Jim. “Assessing Operational Technology (OT) Cybersecurity Maturity.” Dragos, 2021. Accessed 02 Sep. 2022.

    “Good Practices for Security of Internet of Things.” European Union Agency for Cybersecurity (ENISA), 2018. Web.

    Greenfield, David. “Is the Purdue Model Still Relevant?” AutomationWorld. Accessed 1 Sep. 2022

    Hemsley, Kevin E., and Dr. Robert E. Fisher. “History of Industrial Control System Cyber Incidents.” US Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.

    “ICS Security Related Working Groups, Standards and Initiatives.” European Union Agency for Cybersecurity (ENISA), 2013.

    Killcrece, Georgia, et al. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Software Engineering Institute, CMU, 2003.

    Liebig, Edward. “Security Culture: An OT Survival Story.” Dark Reading, 30 Aug. 2022. Accessed 29 Aug. 2022.

    Bibliography

    O'Neill, Patrick. “Russia Hacked an American Satellite Company One Hour Before the Ukraine Invasion.” MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.

    Palmer, Danny. “Your Cybersecurity Staff Are Burned Out – And Many Have Thought About Quitting.” Zdnet, 08 Aug. 2022. Accessed 19 Aug. 2022.

    Pathak, Parag. “What Is Threat Management? Common Challenges and Best Practices.” SecurityIntelligence, 23 Jan. 2020. Web.

    Raza, Muhammad. “Introduction To IT Metrics & KPIs.” BMC, 5 May 2022. Accessed 12 Sep. 2022.

    “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.” Department of Homeland Security (DHS), Oct. 2009. Web.

    Sharma, Ax. “Sigma Rules Explained: When and How to Use Them to Log Events.” CSO Online, 16 Jun. 2018. Accessed 15 Aug. 2022.

    “Significant Cyber Incidents.” Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.

    Tom, Steven, et al. “Recommended Practice for Patch Management of Control Systems.” Department of Homeland Security (DHS), 2008. Web.

    “2021 ICS/OT Cybersecurity Year In Review.” Dragos, 2022. Accessed 6 Sep. 2022.

    “2021 State of Operational Technology and Cybersecurity Report,” Fortinet, 2021. Web.

    Zetter, Kim. “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed.” Black Hat USA, 08 Aug. 2022. Accessed 19 Aug. 2022.

    Research Contributors and Experts

    Photo of Jeff Campbell, Manager, Technology Shared Services, Horizon Power, AU. Jeff Campbell
    Manager, Technology Shared Services
    Horizon Power, AU

    Jeff Campbell has more than 20 years' experience in information security, having worked in both private and government organizations in education, finance, and utilities sectors.

    Having focused on developing and implementing information security programs and controls, Jeff is tasked with enabling Horizon Power to capitalize on IoT opportunities while maintaining the core security basics of confidentiality, integrity and availability.

    As Horizon Power leads the energy transition and moves to become a digital utility, Jeff ensures the security architecture that supports these services provides safer and more reliable automation infrastructures.

    Christopher Harrington
    Chief Technology Officer (CTO)
    Carolinas Telco Federal Credit Union

    Frank DePaola
    Vice President, Chief Information Security Officer (CISO)
    Enpro

    Kwasi Boakye-Boateng
    Cybersecurity Researcher
    Canadian Institute for Cybersecurity

    Present Security to Executive Stakeholders

    • Buy Link or Shortcode: {j2store}262|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $2,000 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • There is a disconnect between security leaders and executive stakeholders on what information is important to present.
    • Security leaders find it challenging to convey the necessary information to obtain support for security objectives.
    • Changes to the threat landscape and shifts in organizational goals exacerbate the issue, as they impact security leaders' ability to prioritize topics to be communicated.
    • Security leaders struggle to communicate the importance of security to a non-technical audience.

    Our Advice

    Critical Insight

    Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and ensuring that you have met your goal.

    Impact and Result

    • Developing a thorough understanding of the security communication goals.
    • Understanding the importance of leveraging highly relevant and understandable data.
    • Developing and delivering presentations that will keep your audience engaged and build trust with your executive stakeholders.

    Present Security to Executive Stakeholders Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Present Security to Executive Stakeholders – A step-by-step guide to communicating security effectively to obtain support from decision makers.

    Use this as a guideline to assist you in presenting security to executive stakeholders.

    • Present Security to Executive Stakeholders Storyboard

    2. Security Presentation Templates – A set of security presentation templates to assist you in communicating security to executive stakeholders.

    The security presentation templates are a set of customizable templates for various types of security presentation including:

    • Present Security to Executive Stakeholders Templates

    Infographic

    Further reading

    Present Security to Executive Stakeholders

    Learn how to communicate security effectively to obtain support from decision makers.

    Analyst Perspective

    Build and deliver an effective security communication to your executive stakeholders.

    Ahmad Jowhar

    As a security leader, you’re tasked with various responsibilities to ensure your organization can achieve its goals while its most important assets are being protected.

    However, when communicating security to executive stakeholders, challenges can arise in determining what topics are pertinent to present. Changes in the security threat landscape coupled with different business goals make identifying how to present security more challenging.

    Having a communication framework for presenting security to executive stakeholders will enable you to effectively identify, develop, and deliver your communication goals while obtaining the support you need to achieve your objectives.

    Ahmad Jowhar
    Research Specialist, Security & Privacy

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • Many security leaders struggle to decide what to present and how to present security to executive stakeholders.
    • Constant changes in the security threat landscape impacts a security leader’s ability to prioritize topics to be communicated.
    • There is a disconnect between security leaders and executive stakeholders on what information is important to present.
    • Security leaders struggle to communicate the importance of security to a non-technical audience.
    • Developing a thorough understanding of security communication goals.
    • Understanding the importance of leveraging highly relevant and understandable data.
    • Developing and delivering presentations that will keep your audience engaged and build trust with your executive stakeholders.

    Info-Tech Insight

    Security presentations are not a one-way street. The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

    Your challenge

    As a security leader, you need to communicate security effectively to executive stakeholders in order to obtain support for your security objectives.

    • When it comes to presenting security to executive stakeholders, many security leaders find it challenging to convey the necessary information in order to obtain support for security objectives.
    • This is attributed to various factors, such as an increase in the threat landscape, changes to industry regulations and standards, and new organizational goals that security has to align with.
    • Furthermore, with the limited time to communicate with executive stakeholders, both in frequency and duration, identifying the most important information to address can be challenging.

    76% of security leaders struggle in conveying the effectiveness of a cybersecurity program.

    62% find it difficult to balance the risk of too much detail and need-to-know information.

    41% find it challenging to communicate effectively with a mixed technical and non-technical audience.

    Source: Deloitte, 2022

    Common obstacles

    There is a disconnect between security leaders and executive stakeholders when it comes to the security posture of the organization:

    • Executive stakeholders are not confident that their security leaders are doing enough to mitigate security risks.
    • The issue has been amplified, with security threats constantly increasing across all industries.
    • However, security leaders don’t feel that they are in a position to make themselves heard.
    • The lack of organizational security awareness and support from cross-functional departments has made it difficult to achieve security objectives (e.g. education, investments).
    • Defining an approach to remove that disconnect with executive stakeholders is of utmost importance for security leaders, in order to improve their organization’s security posture.

    9% of boards are extremely confident in their organization’s cybersecurity risk mitigation measures.

    77% of organizations have seen an increase in the number of attacks in 2021.

    56% of security leaders claimed their team is not involved when leadership makes urgent security decisions.

    Source: EY, 2021
    The image contains a screenshot of an Info-Tech Thoughtmodel titled: Presenting Security to Executive Stakeholders.

    Info-Tech’s methodology for presenting security to executive stakeholders

    1. Identify communication goals

    2. Collect information to support goals

    3. Develop communication

    4. Deliver communication

    Phase steps

    1. Identify drivers for communicating to executives
    2. Define your goals for communicating to executives
    1. Identify data to collect
    2. Plan how to retrieve data
    1. Plan communication
    2. Build a compelling communication document
    1. Deliver a captivating presentation
    2. Obtain/verify goals

    Phase outcomes

    A defined list of drivers and goals to help you develop your security presentations

    A list of data sources to include in your communication

    A completed communication template

    A solidified understanding of how to effectively communicate security to your stakeholders

    Develop a structured process for communicating security to your stakeholders

    Security presentations are not a one-way street
    The key to a successful executive security presentation is having a goal for the presentation and verifying that you have met your goal.

    Identifying your goals is the foundation of an effective presentation
    Defining your drivers and goals for communicating security will enable you to better prepare and deliver your presentation, which will help you obtain your desired outcome.

    Harness the power of data
    Leveraging data and analytics will help you provide quantitative-based communication, which will result in a more meaningful and effective presentation.

    Take your audience on a journey
    Developing a storytelling approach will help engage with your audience.

    Win your audience by building a rapport
    Establishing credibility and trust with executive stakeholders will enable you to obtain their support for security objectives.

    Tactical insight
    Conduct background research on audience members (i.e. professional background) to help understand how best to communicate with them and overcome potential objections.

    Tactical insight
    Verifying your objectives at the end of the communication is important, as it ensures you have successfully communicated to executive stakeholders.

    Project deliverables

    This blueprint is accompanied by a supporting deliverable which includes five security presentation templates.

    Report on Security Initiatives
    Template showing how to inform executive stakeholders of security initiatives.

    Report on Security Initiatives.

    Security Metrics
    Template showing how to inform executive stakeholders of current security metrics that would help drive future initiatives.

    Security Metrics.

    Security Incident Response & Recovery
    Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

    Security Incident Response & Recovery

    Security Funding Request
    Template showing how to inform executive stakeholders of security incidents, their impact, and the response plan.

    Security Funding Request

    Key template:

    Security and Risk Update

    Template showing how to inform executive stakeholders of proactive security and risk initiatives.

    Blueprint benefits

    IT/InfoSec benefits

    Business benefits

    • Reduce effort and time spent preparing cybersecurity presentations for executive stakeholders by having templates to use.
    • Enable security leaders to better prepare what to present and how to present it to their executive stakeholders, as well as driving the required outcomes from those presentations.
    • Establish a best practice for communicating security and IT to executive stakeholders.
    • Gain increased awareness of cybersecurity and the impact executive stakeholders can have on improving an organization’s security posture.
    • Understand how security’s alignment with the business will enable the strategic growth of the organization.
    • Gain a better understanding of how security and IT objectives are developed and justified.

    Measure the value of this blueprint

    Phase

    Measured Value (Yearly)

    Phase 1: Identify communication goals

    Cost to define drivers and goals for communicating security to executives:

    16 FTE hours @ $233K* =$1,940

    Phase 2: Collect information to support goals

    Cost to collect and synthesize necessary data to support communication goals:

    16 FTE hours @ $233K = $1,940

    Phase 3: Develop communication

    Cost to develop communication material that will contextualize information being shown:

    16 FTE hours @ $233K = $1,940

    Phase 4: Deliver communication

    Potential Savings:

    Total estimated effort = $5,820

    Our blueprint will help you save $5,820 and over 40 FTE hours

    * The financial figure depicts the annual salary of a CISO in 2022

    Source: Chief Information Security Officer Salary.” Salary.com, 2022

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Phase 1

    Identify communication goals

    Phase 1 Phase 2 Phase 3 Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Understanding the different drivers for communicating security to executive stakeholders
    • Identifying different communication goals

    This phase involves the following participants:

    • Security leader

    1.1. Identify drivers for communicating to executive stakeholders

    As a security leader, you meet with executives and stakeholders with diverse backgrounds, and you aim to showcase your organization’s security posture along with its alignment with the business’ goals.

    However, with the constant changes in the security threat landscape, demands and drivers for security could change. Thus, understanding potential drivers that will influence your communication will assist you in developing and delivering an effective security presentation.

    39% of organizations had cybersecurity on the agenda of their board’s quarterly meeting.

    Source: EY, 2021.

    Info-Tech Insight

    Not all security presentations are the same. Keep your communication strategy and processes agile.

    Know your drivers for security presentations

    By understanding the influences for your security presentations, you will be able to better plan what to present to executive stakeholders.

    • These meetings, which are usually held once per quarter, provide you with less than one hour of presentation time.
    • Hence, it is crucial to know why you need to present security and whether these drivers are similar across the other presentations.

    Understanding drivers will also help you understand how to present security to executive stakeholders.

    • These drivers will shape the structure of your presentation and help determine your approach to communicating your goals.
    • For example, financial-based presentations that are driven by budget requests might create a sense of urgency or assurance about investment in a security initiative.

    Identify your communication drivers, which can stem from various initiatives and programs, including:

    • Results from internal or external audit reports.
    • Upcoming budget meetings.
    • Briefing newly elected executive stakeholders on security.

    When it comes to identifying your communication drivers, you can collaborate with subject matter experts, like your corporate secretary or steering committees, to ensure the material being communicated will align with some of the organizational goals.

    Examples of drivers for security presentations

    Audit
    Upcoming internal or external audits might require updates on the organization’s compliance

    Organizational restructuring
    Restructuring within an organization could require security updates

    Merger & Acquisition
    An M&A would trigger presentations on organization’s current and future security posture

    Cyber incident
    A cyberattack would require an immediate presentation on its impact and the incident response plan

    Ad hoc
    Provide security information requested by stakeholders

    1.2. Define your goals for communicating to executives

    After identifying drivers for your communication, it’s important to determine what your goals are for the presentation.

    • Communication drivers are mainly triggers for why you want to present security.
    • Communication goals are the potential outcomes you are hoping to obtain from the presentation.
    • Your communication goals would help identify what data and metrics to include in your presentation, the structure of your communication deck, and how you deliver your communication to executive stakeholders.

    Identifying your communication goals could require the participation of the security team, IT leadership, and other business stakeholders.

    • As a group, brainstorm the security goals that align with your business goals for the coming year.
      • Aim to have at least two business goals that align with each security goal.
    • Identify what benefits and value the executive stakeholders will gain from the security goal being presented.
      • E.g. Increased security awareness, updates on organization's security posture.
    • Identify what the ask is for this presentation.
      • E.g. Approval for increasing budget to support security initiatives, executive support to implement internal security programs.

    Info-Tech Insight

    There can be different reasons to communicate security to executive stakeholders. You need to understand what you want to get out of your presentation.

    Examples of security presentation goals

    Educate
    Educate the board on security trends and/or latest risks in the industry

    Update
    Provide updates on security initiatives, relevant security metrics, and compliance posture

    Inform
    Provide an incident response plan due to a security incident or deliver updates on current threats and risks

    Investment
    Request funding for security investments or financial updates on past security initiatives

    Ad hoc
    Provide security information requested by stakeholders

    Phase 2

    Collect information to support goals

    Phase 1Phase 2Phase 3Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Understanding what types of data to include in your security presentations
    • Defining where and how to retrieve data

    This phase involves the following participants:

    • Security leader
    • Network/security analyst

    2.1 Identify data to collect

    After identifying drivers and goals for your communication, it’s important to include the necessary data to justify the information being communicated.

    • Leveraging data and analytics will assist in providing quantitative-based communication, which will result in a more meaningful and effective presentation.
    • The data presented will showcase the visibility of an organization’s security posture along with potential risks and figures on how to mitigate those risks.
    • Providing analysis of the quantitative data presented will also showcase further insights on the figures, allow the audience to better understand the data, and show its relevance to the communication goals.

    Identifying data to collect doesn’t need to be a rigorous task; you can follow these steps to help you get started:

    • Work with your security team to identify the main type of data applicable to the communication goals.
      • E.g. Financial data would be meaningful to use when communicating a budget presentation.
    • Identify supporting data linked to the main data defined.
      • E.g. If a financial investment is made to implement a security initiative, then metrics on improvements to the security posture will be relevant.
    • Show how both the main and supporting data align with the communication goals.
      • E.g. Improvement in security posture would increase alignment with regulation standards, which would result in additional contracts being awarded and increased revenue.

    Info-Tech Insight

    Understand how to present your information in a way that will be meaningful to your audience, for instance by quantifying security risks in financial terms.

    Examples of data to present

    Educate
    Number of organizations in industry impacted by data breaches during past year; top threats and risks affecting the industries

    Update
    Degree of compliance with standards (e.g. ISO-27001); metrics on improvement of security posture due to security initiatives

    Inform
    Percentage of impacted clients and disrupted business functions; downtime; security risk likelihood and financial impact

    Investment
    Capital and operating expenditure for investment; ROI on past and future security initiatives

    Ad hoc
    Number of security initiatives that went over budget; phishing test campaign results

    2.2 Plan how to retrieve the data

    Once the data that is going to be used for the presentation has been identified, it is important to plan how the data can be retrieved, processed, and shared.

    • Most of the data leveraged for security presentations are structured data, which are highly organized data that are often stored in a relational and easily searchable database.
      • This includes security log reports or expenditures for ongoing and future security investments.
    • Retrieving the data, however, would require collaboration and cooperation from different team members.
    • You would need to work with the security team and other appropriate stakeholders to identify where the data is stored and who the data owner is.

    Once the data source and owner has been identified, you need to plan how the data would be processed and leveraged for your presentation

    • This could include using queries to retrieve the relevant information needed (e.g. SQL, Microsoft Excel).
    • Verify the accuracy and relevance of the data with other stakeholders to ensure it is the most appropriate data to be presented to the executive stakeholders.

    Info-Tech Insight

    Using a data-driven approach to help support your objectives is key to engaging with your audience.

    Plan where to retrieve the data

    Identifying the relevant data sources to retrieve your data and the appropriate data owner enables efficient collaboration between departments collecting, processing, and communicating the data and graphics to the audience.

    Examples of where to retrieve your data

    Data Source

    Data

    Data Owner

    Communication Goal

    Audit & Compliance Reports

    Percentage of controls completed to be certified with ISO 27001; Number of security threats & risks identified.

    Audit Manager;

    Compliance Manager;

    Security Leader

    Ad hoc, Educate, Inform

    Identity & Access Management (IAM) Applications

    Number of privileged accounts/department; Percentage of user accounts with MFA applied

    Network/Security Analyst

    Ad hoc, Inform, Update

    Security Information & Event Management (SIEM)

    Number of attacks detected and blocked before & after implementing endpoint security; Percentage of firewall rules that triggered a false positive

    Network/Security Analyst

    Ad hoc, Inform, Update

    Vulnerability Management Applications

    Percentage of critical vulnerabilities patched; Number of endpoints encrypted

    Network/Security Analyst

    Ad hoc, Inform, Update

    Financial & Accounting Software

    Capital & operating expenditure for future security investments; Return on investment (ROI) on past and current security investments

    Financial and/or Accounting Manager

    Ad hoc, Educate, Investments

    Phase 3

    Develop communication

    Phase 1Phase 2Phase 3Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Identifying a communication strategy for presenting security
    • Identifying security templates that are applicable to your presentation

    This phase involves the following participants:

    • Security leader

    3.1 Plan communication: Know who your audience is

    • When preparing your communication, it's important to understand who your target audience is and to conduct background research on them.
    • This will help develop your communication style and ensure your presentation caters to the expected audience in the room.

    Examples of two profiles in a boardroom

    Formal board of directors

    The executive team

    • In the private sector, this will include an appointed board of shareholders and subcommittees external to the organization.
    • In the public sector, this can include councils, commissions, or the executive team itself.
    • In government, this can include mayors, ministers, and governors.
    • The board’s overall responsibility is governance.
    • This audience will include your boss and your peers internal to the organization.
    • This category is primarily involved in the day-to-day operations of the organization and is responsible for carrying out the strategic direction set by the board.
    • The executive team’s overall responsibility is operations.

    3.1.1 Know what your audience cares about

    • Understanding what your executive stakeholders value will equip you with the right information to include in your presentations.
    • Ensure you conduct background research on your audience to assist you in knowing what their potential interests are.
    • Your background research could include:
      • Researching the audience’s professional background through LinkedIn.
      • Reviewing their comments from past executive meetings.
      • Researching current security trends that align with organizational goals.
    • Once the values and risks have been identified, you can document them in notes and share the notes with subject matter experts to verify if these values and risks should be shared in the coming meetings.

    A board’s purpose can include the following:

    • Sustaining and expanding the organization’s purpose and ability to execute in a competitive market.
    • Determining and funding the organization’s future and direction.
    • Protecting and increasing shareholder value.
    • Protecting the company’s exposure to risks.

    Examples of potential values and risks

    • Business impact
    • Financial impact
    • Security and incidents

    Info-Tech Insight
    Conduct background research on audience members (e.g. professional background on LinkedIn) to help understand how best to communicate to them and overcome potential objections.

    Understand your audience’s concerns

    • Along with knowing what your audience values and cares about, understanding their main concerns will allow you to address those items or align them with your communication.
    • By treating your executive stakeholders as your project sponsors, you would build a level of trust and confidence with your peers as the first step to tackling their concerns.
    • These concerns can be derived from past stakeholder meetings, recent trends in the industry, or strategic business alignments.
    • After capturing their concerns, you’ll be equipped with the necessary understanding on what material to include and prioritize during your presentations.

    Examples of potential concerns for each profile of executive stakeholders

    Formal board of directors

    The executive team

    • Business impact (What is the impact of IT in solving business challenges?)
    • Investments (How will it impact organization’s finances and efficiency?)
    • Cybersecurity and risk (What are the top cybersecurity risks, and how is IT mitigating those risks to the business?)
    • Business alignment (How do IT priorities align to the business strategy and goals?)
    • IT operational efficiency (How is IT set up for success with foundational elements of IT’s operational strategy?)
    • Innovation & transformation priorities (How is IT enabling the organization’s competitive advantage and supporting transformation efforts as a strategic business partner?)

    Build your presentation to tackle their main concerns

    Your presentation should be well-rounded and compelling when it addresses the board’s main concerns about security.

    Checklist:

    • Research your target audience (their backgrounds, board composition, dynamics, executive team vs. external group).
    • Include value and risk language in your presentation to appeal to your audience.
    • Ensure your content focuses on one or more of the board’s main concerns with security (e.g. business impact, investments, or risk).
    • Include information about what is in it for them and the organization.
    • Research your board’s composition and skillsets to determine their level of technical knowledge and expertise. This helps craft your presentation with the right amount of technology vs. business-facing information.

    Info-Tech Insight
    The executive stakeholder’s main concerns will always boil down to one important outcome: providing a level of confidence to do business through IT products, services, and systems – including security.

    3.1.2 Take your audience through a security journey

    • Once you have defined your intended target and their potential concerns, developing the communication through a storytelling approach will be the next step to help build a compelling presentation.
    • You need to help your executive stakeholders make sense of the information being conveyed and allow them to understand the importance of cybersecurity.
    • Taking your audience through a story will allow them to see the value of the information being presented and better resonate with its message.
    • You can derive insights for your storytelling presentation by doing the following:
      • Provide a business case scenario on the topic you are presenting.
      • Identify and communicate the business problem up front and answer the three questions (why, what, how).
      • Quantify the problems in terms of business impact (money, risk, value).

    Info-Tech Insight
    Developing a storytelling approach will help keep your audience engaged and allow the information to resonate with them, which will add further value to the communication.

    Identify the purpose of your presentation

    You should be clear about your bottom line and the intent behind your presentation. However, regardless of your bottom line, your presentation must focus on what business problems you are solving and why security can assist in solving the problem.

    Examples of communication goals

    To inform or educate

    To reach a decision

    • In this presentation type, it is easy for IT leaders to overwhelm a board with excessive or irrelevant information.
    • Focus your content on the business problem and the solution proposed.
    • Refrain from too much detail about the technology – focus on business impact and risk mitigated. Ask for feedback if applicable.
    • In this presentation type, there is a clear ask and an action required from the board of directors.
    • Be clear about what this decision is. Once again, don’t lead with the technology solution: Start with the business problem you are solving, and only talk about technology as the solution if time permits.
    • Ensure you know who votes and how to garner their support.

    Info-Tech Insight
    Nobody likes surprises. Communicate early and often. The board should be pre-briefed, especially if it is a difficult subject. This also ensures you have support when you deliver a difficult message.

    Gather the right information to include in your boardroom presentation

    Once you understand your target audience, it’s important to tailor your presentation material to what they will care about.

    Typical IT boardroom presentations include:

    • Communicating the value of ongoing business technology initiatives.
    • Requesting funds or approval for a business initiative that IT is spearheading.
    • Security incident response/Risk/DRP.
    • Developing a business program or an investment update for an ongoing program.
    • Business technology strategy highlights and impacts.
    • Digital transformation initiatives (value, ROI, risk).

    Info-Tech Insight
    You must always have a clear goal or objective for delivering a presentation in front of your board of directors. What is the purpose of your board presentation? Identify your objective and outcome up front and tailor your presentation’s story and contents to fit this purpose.

    Info-Tech Insight
    Telling a good story is not about the message you want to deliver but the one the executive stakeholders want to hear. Articulate what you want them to think and what you want them to take away, and be explicit about it in your presentation. Make your story logically flow by identifying the business problem, complication, the solution, and how to close the gap. Most importantly, communicate the business impacts the board will care about.

    Structure your presentation to tell a logical story

    To build a strong story for your presentation, ensure you answer these three questions:

    WHY

    Why is this a business issue, or why should the executive stakeholders care?

    WHAT

    What is the impact of solving the problem and driving value for the company?

    HOW

    How will we leverage our resources (technology, finances) to solve the problem?

    Examples:

    Scenario 1: The company has experienced a security incident.

    Intent: To inform/educate the board about the security incident.

    WHY

    The data breach has resulted in a loss of customer confidence, negative brand impact, and a reduction in revenue of 30%.

    WHAT

    Financial, legal, and reputational risks identified, and mitigation strategies implemented. IT is working with the PR team on communications. Incident management playbook executed.

    HOW

    An analysis of vulnerabilities was conducted and steps to address are in effect. Recovery steps are 90% completed. Incident management program reviewed for future incidents.

    Scenario 2: Security is recommending investments based on strategic priorities.

    Intent: To reach a decision with the board – approve investment proposal.

    WHY

    The new security strategy outlines two key initiatives to improve an organization’s security culture and overall risk posture.

    WHAT

    Security proposed an investment to implement a security training & phishing test campaign, which will assist in reducing data breach risks.

    HOW

    Use 5% of security’s budget to implement security training and phishing test campaigns.

    Time plays a key role in delivering an effective presentation

    What you include in your story will often depend on how much time you have available to deliver the message.

    Consider the following:

    • Presenting to executive stakeholders often means you have a short window of time to deliver your message. The average executive stakeholder presentation is 15 minutes, and this could be cut short due to other unexpected factors.
    • If your presentation is too long, you risk overwhelming or losing your audience. You must factor in the time constraints when building your board presentation.
    • Your executive stakeholders have a wealth of experience and knowledge, which means they could jump to conclusions quickly based on their own experiences. Ensure you give them plenty of background information in advance. Provide your presentation material, a brief, or any other supporting documentation before the meeting to show you are well prepared.
    • Be prepared to have deep conversations about the topic, but respect that the executive stakeholders might not be interested in hearing the tactical information. Build an elevator pitch, a one-pager, back-up slides that support your ask and the story, and be prepared to answer questions within your allotted presentation time to dive deeper.

    Navigating through Q&A

    Use the Q&A portion to build credibility with the board.

    • It is always better to say, “I’m not certain about the answer but will follow up,” than to provide false or inaccurate information on the spot.
    • When asked challenging or irrelevant questions, ensure you have an approach to deflect them. Questions can often be out of scope or difficult to answer in a group. Find what works for you to successfully navigate through these questions:
      • “Let’s work with the sub-committee to find you an answer.”
      • “Let’s take that offline to address in more detail.”
      • “I have some follow-up material I can provide you to discuss that further after our meeting.”
    • And ensure you follow up! Make sure to follow through on your promise to provide information or answers after the meeting. This helps build trust and credibility with the board.

    Info-Tech Insight
    The average board presentation is 15 minutes long. Build no more than three or four slides of content to identify the business problem, the business impacts, and the solution. Leave five minutes for questions at the end, and be prepared with back-up slides to support your answers.

    Storytelling checklist

    Checklist:

    • Tailor your presentation based on how much time you have.
    • Find out ahead of time how much time you have.
    • Identify if your presentation is to inform/educate or reach a decision.
    • Identify and communicate the business problem up front and answer the three questions (why, what, how).
    • Express the problem in terms of business impact (risk, value, money).
    • Prepare and send pre-meeting collateral to the members of the board and executive team.
    • Include no more than 5-6 slides for your presentation.
    • Factor in Q&A time at the end of your presentation window.
    • Articulate what you want them to think and what you want them to take away – put it right up front and remind them at the end.
    • Have an elevator speech handy – one or two sentences and a one-pager version of your story.
    • Consider how you will build your relationship with the members outside the boardroom.

    3.1.3 Build a compelling communication document

    Once you’ve identified your communication goals, data, and plan to present to your stakeholders, it’s important to build the compelling communication document that will attract all audiences.

    A good slide design increases the likelihood that the audience will read the content carefully.

    • Bad slide structure (flow) = Audience loses focus
      • You can have great content on a slide, but if a busy audience gets confused, they’ll just close the file or lose focus. Structure encompasses horizontal and vertical logic.
    • Good visual design = Audience might read more
      • Readers will probably skim the slides first. If the slides look ugly, they will already have a negative impression. If the slides are visually appealing, they will be more inclined to read carefully. They may even use some slides to show others.
    • Good content + Good structure + Visual appeal = Good presentation
      • A presentation is like a house. Good content is the foundation of the house. Good structure keeps the house strong. Visual appeal differentiates houses.

    Slide design best practices

    Leverage these slide design best practices to assist you in developing eye-catching presentations.

    • Easy to read: Assume reader is tight on time. If a slide looks overwhelming, the reader will close the document.
    • Concise and clear: Fewer words = more skim-able.
    • Memorable: Use graphics and visuals or pithy quotes whenever you can do so appropriately.
    • Horizontal logic: Good horizontal logic will have slide titles that cascade into a story with no holes or gaps.
    • Vertical logic: People usually read from left to right, top to bottom, or in a Z pattern. Make sure your slide has an intuitive flow of content.
    • Aesthetics: People like looking at visually appealing slides, but make sure your attempts to create visual appeal do not detract from the content.

    Your presentation must have a logical flow

    Horizontal logic

    Vertical logic

    • Horizontal logic should tell a story.
    • When slide titles are read in a cascading manner, they will tell a logical and smooth story.
    • Title & tagline = thesis (best insight).
    • Vertical logic should be intuitive.
    • Each step must support the title.
    • The content you intend to include within each slide is directly applicable to the slide title.
    • One main point per slide.

    Vertical logic should be intuitive

    The image contains a screenshot example of a bad design layout for a slide. The image contains a screenshot example of a good design layout for a slide.

    The audience is unsure where to look and in what order.

    The audience knows to read the heading first. Then look within the pie chart. Then look within the white boxes to the right.

    Horizontal and vertical logic checklists

    Horizontal logic

    Vertical logic

    • List your slide titles in order and read through them.
    • Good horizontal logic should feel like a story. Incomplete horizontal logic will make you pause or frown.
    • After a self-test, get someone else to do the same exercise with you observing them.
    • Note at which points they pause or frown. Discuss how those points can be improved.
    • Now consider each slide title proposed and the content within it.
    • Identify if there is a disconnect in title vs. content.
    • If there is a disconnect, consider changing the title of the slide to appropriately reflect the content within it, or consider changing the content if the slide title is an intended path in the story.

    Make it easy to read

    The image contains a screenshot that demonstrates an uneasy to read slide. The image contains a screenshot that demonstrates an easy to read slide.
    • Unnecessary coloring makes it hard on the eyes
    • Margins for title at top is too small
    • Content is not skim-able (best to break up the slide)

    Increase skim-ability:

    • Emphasize the subheadings
    • Bold important words

    Make it easier on the eyes:

    • Declutter and add sections
    • Have more white space

    Be concise and clear

    1. Write your thoughts down
      • This gets your content documented.
      • Don’t worry about clarity or concision yet.
    2. Edit for clarity
      • Make sure the key message is very clear.
      • Find your thesis statement.
    3. Edit for concision
      • Remove unnecessary words.
      • Use the active voice, not passive voice (see below for examples).

    Passive voice

    Active voice

    “There are three things to look out for” (8 words)

    “Network security was compromised by hackers” (6 words)

    “Look for these three things” (5 words)

    “Hackers compromised network security” (4 words)

    Be memorable

    The image contains a screenshot of an example that demonstrates a bad example of how to be memorable. The image contains a screenshot of an example that demonstrates a good example of how to be memorable.

    Easy to read, but hard to remember the stats.

    The visuals make it easier to see the size of the problem and make it much more memorable.

    Remember to:

    • Have some kind of visual (e.g. graphs, icons, tables).
    • Divide the content into sections.
    • Have a bit of color on the page.

    Aesthetics

    The image contains a screenshot of an example of bad aesthetics. The image contains a screenshot of an example of good aesthetics.

    This draft slide is just content from the outline document on a slide with no design applied yet.

    • Have some kind of visual (e.g. graphs, icons, tables) as long as it’s appropriate.
    • Divide the content into sections.
    • Have a bit of color on the page.
    • Bold or italicize important text.

    Why use visuals?

    How graphics affect us

    Cognitively

    • Engage our imagination
    • Stimulate the brain
    • Heighten creative thinking
    • Enhance or affect emotions

    Emotionally

    • Enhance comprehension
    • Increase recollection
    • Elevate communication
    • Improve retention

    Visual clues

    • Help decode text
    • Attract attention
    • Increase memory

    Persuasion

    • 43% more effective than text alone
    Source: Management Information Systems Research Center

    Presentation format

    Often stakeholders prefer to receive content in a specific format. Make sure you know what you require so that you are not scrambling at the last minute.

    • Is there a standard presentation template?
    • Is a hard-copy handout required?
    • Is there a deadline for draft submission?
    • Is there a deadline for final submission?
    • Will the presentation be circulated ahead of time?
    • Do you know what technology you will be using?
    • Have you done a dry run in the meeting room?
    • Do you know the meeting organizer?

    Checklist to build compelling visuals in your presentation

    Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

    Checklist:

    • Do the visuals grab the audience’s attention?
    • Will the visuals mislead the audience/confuse them?
    • Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
    • Do the visuals present information simply, cleanly, and accurately?
    • Do the visuals display the information/data in a concentrated way?
    • Do the visuals illustrate messages and themes from the accompanying text?

    3.2 Security communication templates

    Once you have identified your communication goals and plans for building your communication document, you can start building your presentation deck.

    These presentation templates highlight different security topics depending on your communication drivers, goals, and available data.

    Info-Tech has created five security templates to assist you in building a compelling presentation.

    These templates provide support for presentations on the following five topics:

    • Security Initiatives
    • Security & Risk Update
    • Security Metrics
    • Security Incident Response & Recovery
    • Security Funding Request

    Each template provides instructions on how to use it and tips on ensuring the right information is being presented.

    All the templates are customizable, which enables you to leverage the sections you need while also editing any sections to your liking.

    The image contains screenshots of the Security Presentation Templates.

    Download the Security Presentation Templates

    Security template example

    It’s important to know that not all security presentations for an organization are alike. However, these templates would provide a guideline on what the best practices are when communicating security to executive stakeholders.

    Below is an example of instructions to complete the “Security Risk & Update” template. Please note that the security template will have instructions to complete each of its sections.

    The image contains a screenshot of the Executive Summary slide. The image contains a screenshot of the Security Goals & Objectives slide.

    The first slide following the title slide includes a brief executive summary on what would be discussed in the presentation. This includes the main security threats that would be addressed and the associated risk mitigation strategies.

    This slide depicts a holistic overview of the organization’s security posture in different areas along with the main business goals that security is aligning with. Ensure visualizations you include align with the goals highlighted.

    Security template example (continued)

    The image contains a screenshot example of the Top Threats & Risks. The image contains a screenshot example of the Top Threats & Risks.

    This slide displays any top threats and risks an organization is facing. Each threat consists of 2-3 risks and is prioritized based on the negative impact it could have on the organization (i.e. red bar = high priority; green bar = low priority). Include risks that have been addressed in the past quarter, and showcase any prioritization changes to those risks.

    This slide follows the “Top Threats & Risks” slide and focuses on the risks that had medium or high priority. You will need to work with subject matter experts to identify risk figures (likelihood, financial impact) that will enable you to quantify the risks (Likelihood x Financial Impact). Develop a threshold for each of the three columns to identify which risks require further prioritization, and apply color coding to group the risks.

    Security template example (continued)

    The image contains a screenshot example of the slide, Risk Analysis. The image contains a screenshot example of the slide, Risk Mitigation Strategies & Roadmap.

    This slide showcases further details on the top risks along with their business impact. Be sure to include recommendations for the risks and indicate whether further action is required from the executive stakeholders.

    The last slide of the “Security Risk & Update” template presents a timeline of when the different initiatives to mitigate security risks would begin. It depicts what initiatives will be completed within each fiscal year and the total number of months required. As there could be many factors to a project’s timeline, ensure you communicate to your executive stakeholders any changes to the project.

    Phase 4

    Deliver communication

    Phase 1Phase 2Phase 3Phase 4

    1.1 Identify drivers for communicating to executives

    1.2 Define your goals for communicating to executives

    2.1 Identify data to collect

    2.2 Plan how to retrieve data

    3.1 Plan communication

    3.2 Build a compelling communication document

    4.1 Deliver a captivating presentation

    4.2 Obtain/verify support for security goals

    This phase will walk you through the following activities:

    • Identifying a strategy to deliver compelling presentations
    • Ensuring you follow best practices for communicating and obtaining your security goals

    This phase involves the following participants:

    • Security leader

    4.1 Deliver a captivating presentation

    You’ve gathered all your data, you understand what your audience is expecting, and you are clear on the outcomes you require. Now, it’s time to deliver a presentation that both engages and builds confidence.

    Follow these tips to assist you in developing an engaging presentation:

    • Start strong: Give your audience confidence that this will be a good investment of their time. Establish a clear direction for what’s going to be covered and what the desired outcome is.
    • Use your time wisely: Odds are, your audience is busy, and they have many other things on their minds. Be prepared to cover your content in the time allotted and leave sufficient time for discussion and questions.
    • Be flexible while presenting: Do not expect that your presentation will follow the path you have laid out. Anticipate jumping around and spending more or less time than you had planned on a given slide.

    Keep your audience engaged with these steps

    • Be ready with supporting data. Don’t make the mistake of not knowing your content intimately. Be prepared to answer questions on any part of it. Senior executives are experts at finding holes in your data.
    • Know your audience. Who are you presenting to? What are their specific expectations? Are there sensitive topics to be avoided? You can’t be too prepared when it comes to understanding your audience.
    • Keep it simple. Don’t assume that your audience wants to learn the details of your content. Most just want to understand the bottom line, the impact on them, and how they can help. More is not always better.
    • Focus on solving issues. Your audience members have many of their own problems and issues to worry about. If you show them how you can help make their lives easier, you’ll win them over.

    Info-Tech Insight
    Establishing credibility and trust with executive stakeholders is important to obtaining their support for security objectives.

    Be honest and straightforward with your communication

    • Be prepared. Being properly prepared means not only that your update will deliver the value that you expect, but also that you will have confidence and the flexibility you require when you’re taken off track.
    • Don’t sugarcoat it. These are smart, driven people that you are presenting to. It is neither beneficial nor wise to try to fool them. Be open and transparent about problems and issues. Ask for help.
    • No surprises. An executive stakeholder presentation is not the time or the place for a surprise. Issues seen as unexpected or contentious should always be dealt with prior to the meeting with those most impacted.

    Hone presentation skills before meeting with the executive stakeholders

    Know your environment

    Be professional but not boring

    Connect with your audience

    • Your organization has standards for how people are expected to dress at work. Make sure that your attire meets this standard – don’t be underdressed.
    • Think about your audience – would they appreciate you starting with a joke, or do they want you to get to the point as quickly as possible?
    • State the main points of your presentation confidently. While this should be obvious, it is essential. Your audience should be able to clearly see that you believe the points you are stating.
    • Present with lots of energy, smile, and use hand gestures to support your speech.
    • Look each member of the audience in the eye at least once during your presentation. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention on you.
    • Never read from your slides. If there is text on a slide, paraphrase it while maintaining eye contact.

    Checklist for presentation logistics

    Optimize the timing of your presentation:

    • Less is more: Long presentations are detrimental to your cause – they lead to your main points being diluted. Keep your presentation short and concise.
    • Keep information relevant: Only present information that is important to your audience. This includes the information that they are expecting to see and information that connects to the business.
    • Expect delays: Your audience will likely have questions. While it is important to answer each question fully, it will take away from the precious time given to you for your presentation. Expect that you will not get through all the information you have to present.

    Script your presentation:

    • Use a script to stay on track: Script your presentation before the meeting. A script will help you present your information in a concise and structured manner.
    • Develop a second script: Create a script that is about half the length of the first script but still contains the most important points. This will help you prepare for any delays that may arise during the presentation.
    • Prepare for questions: Consider questions that may be asked and script clear and concise answers to each.
    • Practice, practice, practice: Practice your presentation until you no longer need the script in front of you.

    Checklist for presentation logistics (continued)

    Other considerations:

    • After the introduction of your presentation, clearly state the objective – don’t keep people guessing and consequently lose focus on your message.
    • After the presentation is over, document important information that came up. Write it down or you may forget it soon after.
    • Rather than create a long presentation deck full of detailed slides that you plan to skip over during the presentation, create a second, compact deck that contains only the slides you plan to present. Send out the longer deck after the presentation.

    Checklist for delivering a captivating presentation

    Leverage this checklist to ensure you are prepared to develop and deliver an engaging presentation.

    Checklist:

    • Start with a story or something memorable to break the ice.
    • Go in with the end state in mind (focus on the outcome/end goal and work back from there) – What’s your call to action?
    • Content must compliment your end goal, filter out any content that doesn’t compliment the end goal.
    • Be prepared to have less time to speak. Be prepared with shorter versions of your presentation.
    • Include an appendix with supporting data, but don’t be data heavy in your presentation. Integrate the data into a story. The story should be your focus.

    Checklist for delivering a captivating presentation (continued)

    • Be deliberate in what you want to show your audience.
    • Ensure you have clean slides so the audience can focus on what you’re saying.
    • Practice delivering your content multiple times alone and in front of team members or your Info-Tech counselor, who can provide feedback.
    • How will you handle being derailed? Be prepared with a way to get back on track if you are derailed.
    • Ask for feedback.
    • Record yourself presenting.

    4.2 Obtain and verify support on security goals

    Once you’ve delivered your captivating presentation, it’s imperative to communicate with your executive stakeholders.

    • This is your opportunity to open the floor for questions and clarify any information that was conveyed to your audience.
    • Leverage your appendix and other supporting documents to justify your goals.
    • Different approaches to obtaining and verifying your goals could include:
      • Acknowledgment from the audience that information communicated aligns with the business’s goals.
      • Approval of funding requests for security initiatives.
      • Written and verbal support for implementation of security initiatives.
      • Identifying next steps for information to communicate at the next executive stakeholder meeting.

    Info-Tech Insight
    Verifying your objectives at the end of the presentation is important, as it ensures you have successfully communicated to executive stakeholders.

    Checklist for obtaining and verify support on security goals

    Follow this checklist to assist you in obtaining and verifying your communication goals.

    Checklist:

    • Be clear about follow-up and next steps if applicable.
    • Present before you present: Meet with your executive stakeholders before the meeting to review and discuss your presentation and other supporting material and ensure you have executive/CEO buy-in.
    • “Be humble, but don’t crumble” – demonstrate to the executive stakeholders that you are an expert while admitting you don’t know everything. However, don’t be afraid to provide your POV and defend it if need be. Strike the right balance to ensure the board has confidence in you while building a strong relationship.
    • Prioritize a discussion over a formal presentation. Create an environment where they feel like they are part of the solution.

    Summary of Accomplishment

    Problem Solved

    A better understanding of security communication drivers and goals

    • Understanding the difference between communication drivers and goals
    • Identifying your drivers and goals for security presentation

    A developed a plan for how and where to retrieve data for communication

    • Insights on what type of data can be leveraged to support your communication goals
    • Understanding who you can collaborate with and potential data sources to retrieve data from

    A solidified communication plan with security templates to assist in better presenting to your audience

    • A guideline on how to prepare security presentations to executive stakeholders
    • A list of security templates that can be customized and used for various security presentations

    A defined guideline on how to deliver a captivating presentation to achieve your desired objectives

    • Clear message on best practices for delivering security presentations to executive stakeholders
    • Understanding how to verify your communication goals have been obtained

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Build an Information Security Strategy
    This blueprint will walk you through the steps of tailoring best practices to effectively manage information security.

    Build a Security Metrics Program to Drive Maturity
    This blueprint will assist you in identifying security metrics that can tie to your organizational goals and build those metrics to achieve your desired maturity level.

    Bibliography

    Bhadauriya, Amit S. “Communicating Cybersecurity Effectively to the Board.” Metricstream. Web.
    Booth, Steven, et al. “The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them.” Mandiant, May 2019. Web.
    Bradford, Nate. “6 Slides Every CISO Should Use in Their Board Presentation.” Security Boulevard, 9 July 2020. Web.
    Buckalew, Lauren, et al. “Get the Board on Board: Leading Cybersecurity from the Top Down.” Newsroom, 2 Dec. 2019. Web.
    Burg, Dave, et al. “Cybersecurity: How Do You Rise above the Waves of a Perfect Storm?” EY US - Home, EY, 22 July 2021. Web.
    Carnegie Endowment for International Peace. Web.
    “Chief Information Security Officer Salary.” Salary.com, 2022. Web.
    “CISO's Guide to Reporting to the Board - Apex Assembly.” CISO's Guide To Reporting to the Board. Web.
    “Cyber Security Oversight in the Boardroom” KPMG, Jan. 2016. Web.
    “Cybersecurity CEO: My 3 Tips for Presenting in the Boardroom.” Cybercrime Magazine, 31 Mar. 2020. Web.
    Dacri , Bryana. Do's & Don'ts for Security Professionals Presenting to Executives. Feb. 2018. Web.
    Froehlich, Andrew. “7 Cybersecurity Metrics for the Board and How to Present Them: TechTarget.” Security, TechTarget, 19 Aug. 2022. Web.
    “Global Board Risk Survey.” EY. Web.
    “Guidance for CISOs Presenting to the C-Suite.” IANS, June 2021. Web.
    “How to Communicate Cybersecurity to the Board of Directors.” Cybersecurity Conferences & News, Seguro Group, 12 Mar. 2020. Web.
    Ide, R. William, and Amanda Leech. “A Cybersecurity Guide for Directors” Dentons. Web.
    Lindberg, Randy. “3 Tips for Communicating Cybersecurity to the Board.” Cybersecurity Software, Rivial Data Security, 8 Mar. 2022. Web.
    McLeod, Scott, et al. “How to Present Cybersecurity to Your Board of Directors.” Cybersecurity & Compliance Simplified, Apptega Inc, 9 Aug. 2021. Web.
    Mickle, Jirah. “A Recipe for Success: CISOs Share Top Tips for Successful Board Presentations.” Tenable®, 28 Nov. 2022. Web.
    Middlesworth, Jeff. “Top-down: Mitigating Cybersecurity Risks Starts with the Board.” Spiceworks, 13 Sept. 2022. Web.
    Mishra, Ruchika. “4 Things Every CISO Must Include in Their Board Presentation.” Security Boulevard, 17 Nov. 2020. Web.
    O’Donnell-Welch, Lindsey. “CISOs, Board Members and the Search for Cybersecurity Common Ground.” Decipher, 20 Oct. 2022. Web.

    Bibliography

    “Overseeing Cyber Risk: The Board's Role.” PwC, Jan. 2022. Web.
    Pearlson, Keri, and Nelson Novaes Neto. “7 Pressing Cybersecurity Questions Boards Need to Ask.” Harvard Business Review, 7 Mar. 2022. Web.
    “Reporting Cybersecurity Risk to the Board of Directors.” Web.
    “Reporting Cybersecurity to Your Board - Steps to Prepare.” Pondurance ,12 July 2022. Web.
    Staynings, Richard. “Presenting Cybersecurity to the Board.” Resource Library. Web.
    “The Future of Cyber Survey.” Deloitte, 29 Aug. 2022. Web.
    “Top Cybersecurity Metrics to Share with Your Board.” Packetlabs, 10 May 2022. Web.
    Unni, Ajay. “Reporting Cyber Security to the Board? How to Get It Right.” Cybersecurity Services Company in Australia & NZ, 10 Nov. 2022. Web.
    Vogel, Douglas, et al. “Persuasion and the Role of Visual Presentation Support.” Management Information Systems Research Center, 1986.
    “Welcome to the Cyber Security Toolkit for Boards.” NCSC. Web.

    Research Contributors

    • Fred Donatucci, New-Indy Containerboard, VP, Information Technology
    • Christian Rasmussen, St John Ambulance, Chief Information Officer
    • Stephen Rondeau, ZimVie, SVP, Chief Information Officer

    Service Management Integration With Agile Practices

    • Buy Link or Shortcode: {j2store}400|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management

    • Work efficiently and in harmony with Agile and service management to deliver business value.
    • Optimize the value stream of services and products.
    • Leverage the benefits of each practice.
    • Create a culture of collaboration to support a rapidly changing business.

    Our Advice

    Critical Insight

    Agile and Service Management are not necessarily at odds; find the integration points to solve specific problems.

    Impact and Result

    • Optimize the value stream of services and products.
    • Work efficiently and in harmony with Agile and service management to deliver business value.
    • Create a culture of collaboration to support a rapidly changing business.

    Service Management Integration With Agile Practices Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Service Management Integration With Agile Practices Storyboard – Use this deck to understand the integration points and how to overcome common challenges.

    Understand how service management integrates with Agile software development practices, and how to solve the most common challenges to work efficiently and deliver business value.

    • Service Management Integration With Agile Practices Storyboard

    2. Service Management Stakeholder Register Template – Use this tool to identify and document Service Management stakeholders.

    Use this tool to identify your stakeholders to engage when working on the service management integration.

    • ITSM Stakeholder Register Template

    3. Service Management Integration With Agile Practices Assessment Tool – Use this tool to identify key challenging integration points in your organization.

    Use this tool to identify which of your current practices might already be aligned with Agile mindset and which might need adjustment. Identify integration challenges with the current service management practices.

    • Service Management Integration With Agile Practices Assessment Tool
    [infographic]

    Further reading

    Service Management Integration With Agile Practices

    Understand how Agile transformation affects service management

    Analyst Perspective

    Don't forget about operations

    Many organizations believe that once they have implemented Agile that they no longer need any service management framework, like ITIL. They see service management as "old" and a roadblock to deliver products and services quickly. The culture clash is obvious, and it is the most common challenge people face when trying to integrate Agile and service management. However, it is not the only challenge. Agile methodologies are focused on optimized delivery. However, what happens after delivery is often overlooked. Operations may not receive proper communication or documentation, and processes are cumbersome or non-existent. This is a huge paradox if an organization is trying to become nimbler. You need to find ways to integrate your Agile practices with your existing Service Management processes.

    This is a picture of Renata Lopes

    Renata Lopes
    Senior Research Analyst
    Organizational Transformation Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Work efficiently and in harmony with Agile and service management to deliver business value.
    • Optimize the value stream of services and products.
    • Leverage the benefits of each practice.
    • Create a culture of collaboration to support a rapidly changing business.

    Common Obstacles

    • Culture clashes.
    • Inefficient or inexistent processes.
    • Lack of understanding of what Agile and service management mean.
    • Leadership doesn't understand the integration points of practices.
    • Development overlooks the operations requirement.

    Info-Tech's Approach

    • When integrating Agile and service management practices start by understanding the key integration points:
    • Processes
    • People and resources
    • Governance and org structure

    Info-Tech Insight

    Agile and Service Management are not necessarily at odds Find the integration points to solve specific problems.

    Your challenge

    Deliver seamless business value by integrating service management and Agile development.

    • Understand how Agile development impacts service management.
    • Identify bottlenecks and inefficiencies when integrating with service management.
    • Connect teams across the organization to collaborate toward the organizational goals.
    • Ensure operational requirements are considered while developing products in an Agile way.
    • Stay in alignment when designing and delivering services.

    The most significant Agile adoption barriers

    46% of respondents identified inconsistent processes and practices across teams as a challenge.
    Source: Digital.ai, 2021

    43% of respondents identified Culture clashes as a challenge.
    Source: Digital.ai, 2021

    What is Agile?

    Agile development is an umbrella term for several iterative and incremental development methodologies to develop products.

    In order to achieve Agile development, organizations will adopt frameworks and methodologies like Scaled Agile Framework (SAFe), Scrum, Large Scaled Scrum (LeSS), DevOps, Spotify Way of Working (WoW), etc.

    • DevOps
    • WoW
    • SAFe
    • Scrum
    • LeSS

    IBM i Migration Considerations

    • Buy Link or Shortcode: {j2store}109|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    IBM i remains a vital platform and now many CIOs, CTOs, and IT leaders are faced with the same IBM i challenges regardless of industry focus: how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

    Our Advice

    Critical Insight

    For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more pro-active in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

    Impact and Result

    The most common tactic is for the organization to better understand their IBM i options and adopt some level of outsourcing for the non-commodity platform retaining the application support/development in-house. To make the evident, obvious; the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed and public cloud services.

    IBM i Migration Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. IBM i Migration Considerations – A brief deck that outlines key migration options for the IBM i platforms.

    This project will help you evaluate the future viability of this platform; assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of this platform for your organization.

    • IBM i Migration Considerations Storyboard

    2. Infrastructure Outsourcing IBM i Scoring Tool – A tool to collect vendor responses and score each vendor.

    Use this scoring sheet to help you define and evaluate IBM i vendor responses.

    • Infrastructure Outsourcing IBM i Scoring Tool
    [infographic]

    Further reading

    IBM i Migration Considerations

    Don’t be overwhelmed by IBM i migration options.

    Executive Summary

    Your Challenge

    IBM i remains a vital platform and now many CIO, CTO, and IT leaders are faced with the same IBM i challenges regardless of industry focus; how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

    Common Obstacles

    For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more proactive in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

    Info-Tech Approach

    The most common tactic is for the organization to better understand its IBM i options and adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed hosting, and public cloud services.

    Info-Tech Insight

    “For over twenty years, IBM was ‘king,’ dominating the large computer market. By the 1980s, the world had woken up to the fact that the IBM mainframe was expensive and difficult, taking a long time and a lot of work to get anything done. Eager for a new solution, tech professionals turned to the brave new concept of distributed systems for a more efficient alternative. On June 21, 1988, IBM announced the launch of the AS/400, their answer to distributed computing.” (Dale Perkins)

    Review

    We help IT leaders make the most of their IBM i environment.

    Problem Statement:

    The IBM i remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap.

    This research is designed for:

    • IT strategic direction decision makers
    • IT managers responsible for an existing iSeries or IBM i platform
    • Organizations evaluating platforms for mission-critical applications

    This research will help you:

    1. Evaluate the future viability of this platform.
    2. Assess the fit, purpose, and price.
    3. Develop strategies for overcoming potential challenges.
    4. Determine the future of this platform for your organization.

    The “fit for purpose” plot

    Thought Model

    We will investigate the aspect of different IBM i scenarios as they impact business, what that means, and how that can guide the questions that you are asking as you move to an aligned IBM i IT strategy. Our model considers:

    • Importance to Business Outcomes
      • Important to strategic objectives
      • Provides competitive advantage
      • Non-commodity IT service or process
      • Specialized in-house knowledge required
    • Vendor’s Performance Advantage
      • Talent or access to skills
      • Economies of scale or lower cost at scale
      • Access to technology

    Info-Tech Insights

    With multiple control points to be addressed, care must be taken in simplifying your options while addressing all concerns to ease operational load.

    Map different 'IBM i' scenarios with axes 'Importance to Business Outcomes - Low to High' and 'Vendor’s Performance Advantage - Low to High'. Quadrant labels are '[LI/LA] Potentially Outsource: Service management, Help desk, desk-side support, Asset management', '[LI/HA] Outsource: Application & Infra Support, Web Hosting, SAP Support, Email Services, Infrastructure', '[HI/LA] Insource (For Now): Application development tech support', and '[HI/HA] Potentially Outsource: Onshore or offshore application maintenance'.

    IBM i environments are challenging

    “The IBM i Reality” – Darin Stahl

    Most members relying on business applications/workloads running on non-commodity platforms (zSeries, IBM i, Solaris, AIX, etc.) are first motivated to get out from under the perceived higher costs for the hardware platform.

    An additional challenge for non-commodity platforms is that from an IT Operations Management perspective they become an island with a diminishing number of integrated operations skills and solutions such as backup/restore and monitoring tools.

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support and development in-house.

    Key challenges with current IBM i environments:
    1. DR Requirements
      Understand what the business needs are and where users and resources are located.
    2. Market Lack of Expertise
      Skilled team members are hard to find.
    3. Cost Management
      There is a perceived cost disadvantage to managing on-prem solutions.
    4. Aging Support Teams
      Current support teams are aging with little backfill in skill and experience.

    Understand your options

    Co-Location

    A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”

    Onsite Outsourcing

    A provider will support the hardware/system environment at the client’s site.

    Managed Hosting

    A customer transitions their legacy application environment to an off-prem hosted, multi-tenanted environment.

    Public Cloud

    A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.”

    Co-Location

    Provider manages the data center hardware environment.

    Abstract

    Here a provider manages the system data center environment and hardware; however, the client’s in-house IBM i team manages the IBM i hardware environment and the system applications. The client manages all of the licenses associated with the platform as well as the hardware asset management considerations. This is typically part of a larger services or application transformation. This effectively outsources the data center management while maintaining all IBM i technical operations in-house.

    Advantages

    • On-demand bandwidth
    • Cost effective
    • Secure and compliant environment
    • On-demand remote “hands and feet” services
    • Improved IT DR services
    • Data center compliance

    Considerations

    • Application transformation
    • CapEx cost
    • Fluctuating network bandwidth costs
    • Secure connectivity
    • Disaster recovery and availability of vendor
    • Company IT DR and BC planning
    • Remote system maintenance (HW)

    Info-Tech Insights

    This model is extremely attractive for organizations looking to reduce their data center management footprint. Idea for the SMB.

    Onsite Sourcing

    A provider will support the hardware/system environment at the client’s site.

    Abstract

    Here a provider will support and manage the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.

    Advantages

    • Managed environment within company premises
    • Cost effective (OpEx expense)
    • Economies of scale
    • On-demand “as-a-service” model
    • Improved IT DR staffing services
    • 24x7 monitoring and support

    Considerations

    • Outsourced IT talent
    • Terms and contract conditions
    • IT staff attrition
    • Increased liability
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Internal problem and change management

    Info-Tech Insights

    Depending on the application lifecycle and viability, in-house skill and technical depth is a key consideration when developing your IBM i strategy.

    Managed Hosting

    Transition legacy application environment to an off-prem hosted multi-tenanted environment.

    Abstract

    This type of arrangement is typically part of an application migration or transformation. In this model, a client can “re-platform” the application into an off-premises-hosted provider platform. This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

    Advantages

    • Turns CapEx into OpEx
    • Reduces in-house need for diminishing or scarce human resources
    • Allows the enterprise to focus on the value of the IBM i platform through the reduction of system administrative toil
    • Improved IT DR services
    • Data center compliance

    Considerations

    • Application transformation
    • Network bandwidth
    • Contract terms and conditions
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Technical security and compliance
    • Limited providers; reduced options

    Info-Tech Insights

    There is a difference between a “re-host” and “re-platform” migration strategy. Determine which solution aligns to the application requirements.

    Public Cloud

    Leverage “public cloud” alternatives with AWS, Google, or Microsoft AZURE.

    Abstract

    This type of arrangement is typically part of a larger migration or application transformation. While low risk, it is not as cost-effective as other deployment models. In this model, client can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.” This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux).

    Advantages

    • Remote workforce accessibility
    • OpEx expense model
    • Improved IT DR services
    • Reduced infrastructure and system administration
    • Vendor management
    • 24x7 monitoring and support

    Considerations

    • Contract terms and conditions
    • Modified technical support and engagement
    • Secure connectivity and communication
    • Technical security and compliance
    • Limited providers; reduced options
    • Vendor/cloud lock-in
    • Application migration/”re-platform”
    • Application and system performance

    Info-Tech Insights

    This model is extremely attractive for organizations that consume primarily cloud services and have a large remote workforce.

    Understand your vendors

    • To best understand your options, you need to understand what IBM i services are provided by the industry vendors.
    • Within the following slides, you will find a defined activity with a working template that will create “vendor profiles” for each vendor.
    • As a working example, you can review the following partners:
    • Connectria (United States)
    • Rowton IT Solutions Ltd (United Kingdom)
    • Mid-Range (Canada)

    Info-Tech Insights

    Creating vendor profiles will help quickly filter the solution providers that directly meet your IBM i needs.

    Vendor Profile #1

    Rowton IT

    Summary of Vendor

    “Rowton IT thrive on creating robust and simple solutions to today's complex IT problems. We have a highly skilled and motivated workforce that will guarantee the right solution.

    Working with select business partners, we can offer competitive and cost effective packages tailored to suit your budget and/or business requirements.

    Our knowledge and experience cover vast areas of IT including technical design, provision and installation of hardware (Wintel and IBM Midrange), technical engineering services, support services, IT project management, application testing, documentation and training.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✖ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    rowtonit.com

    Regional Coverage:
    United Kingdom

    Logo for RowtonIT.com.

    Vendor Profile #2

    Connectria

    Summary of Vendor

    “Every journey starts with a single step and for Connectria, that step happened to be with the world’s largest bank, Deutsche Bank. Followed quickly by our second client, IBM. Since then, we have added over 1,000 clients worldwide. For 25 years, each customer, large or small, has relied on Connectria to deliver on promises made to make it easy to do business with us through flexible terms, scalable solutions, and straightforward pricing. Join us on our journey.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    connectria.com

    Regional Coverage:
    United States

    Logo for Connectria.

    Vendor Profile #3

    Mid-Range

    Summary of Vendor

    “Founded in 1988 and profitable throughout all of those 31 years, we have a solid track record of success. At Mid-Range, we use our expertise to assess your unique needs, in order to proactively develop the most effective IT solution for your requirements. Our full-service approach to technology and our diverse and in-depth industry expertise keep our clients coming back year after year.

    Serving clients across North America in a variety of industries, from small and emerging organizations to large, established enterprises – we’ve seen it all. Whether you need hardware or software solutions, disaster recovery and high availability, managed services or hosting or full ERP services with our JD Edwards offerings – we have the methods and expertise to help.”

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)

    URL
    midrange.ca

    Regional Coverage:
    Canada

    Logo for Mid-Range.

    Activity

    Understand your vendor options

    Activities:
    1. Create your vendor profiles
    2. Score vendor responses
    3. Develop and manage your vendor agenda

    This activity involves the following participants:

    • IT strategic direction decision makers
    • IT managers responsible for an existing iSeries or IBM i platform

    Outcomes of this step:

    • Vendor Profile Template
    • Completed IT Infrastructure Outsourcing Scoring Tool

    Info-Tech Insights

    This check-point process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.

    1. Create your vendor profiles

    Define what you are looking for:

    • Create a vendor profile for every vendor of interest.
    • Leverage our starting list and template to track and record the advantages of each vendor.

    Mindshift

    First National Technology Solutions

    Key Information Systems

    MainLine

    Direct Systems Support

    T-Systems

    Horizon Computer Solutions Inc.

    Vendor Profile Template

    [Vendor Name]

    Summary of Vendor

    [Vendor Summary]
    *Detail the Vendor Services as a Summary*

    IBM i Services

    • ✔ IBM Power Hardware Sales
    • ✔ Co-Managed Services
    • ✔ DR/High Available Config
    • ✔ Full Managed Services
    • ✔ Co-Location Services
    • ✔ Public Cloud Services (AWS)
    *Itemize the Vendor Services specific to your requirements*

    URL
    https://www.url.com/
    *Insert the Vendor URL*

    Regional Coverage:
    [Country\Region]
    *Insert the Vendor Coverage & Locations*

    *Insert the Vendor Logo*

    2. Score your vendor responses

    Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.
    Use Info-Tech’s IT Infrastructure Outsourcing Scoring Tool to systematically score your vendor responses.

    The overall quality of the IBM i questions can help you understand what it might be like to work with the vendor.

    Consider the following questions:

    • Is the vendor clear about what it’s able to offer? Is its response transparent?
    • How much effort did the vendor put into answering the questions?
    • Does the vendor seem like someone you would want to work with?

    Once you have the vendor responses, you will select two or three vendors to continue assessing in more depth leading to an eventual final selection.

    Screenshot of the IT Infrastructure Outsourcing Scoring Tool's Scoring Sheet. There are three tables: 'Scoring Scale', 'Results', and one with 'RFP Questions'. Note on Results table says 'Top Scoring Vendors', and note on questions table says 'List your IBM i questions (requirements)'.

    Info-Tech Insights

    Watch out for misleading scores that result from poorly designed criteria weightings.

    3. Develop your vendor agenda

    Vendor Conference Call

    Develop an agenda for the conference call. Here is a sample agenda:
    • Review the vendor questions.
    • Go over answers to written vendor questions previously submitted.
    • Address new vendor questions.

    Commonly Debated Question:
    Should vendors be asked to remain anonymous on the call or should each vendor mention their organization when they join the call?

    Many organizations worry that if vendors can identify each other, they will price fix. However, price fixing is extremely rare due to its consequences and most vendors likely have a good idea which other vendors are participating in the bid. Another thought is that revealing vendors could either result in a higher level of competition or cause some vendors to give up:

    • A vendor that hears its rival is also bidding may increase the competitiveness of its bid and response.
    • A vendor that feels it doesn’t have a chance may put less effort into the process.
    • A vendor that feels it doesn’t have real competition may submit a less competitive or detailed response than it otherwise would have.

    Vendor Workshop

    A vendor workshop day is an interactive way to provide context to your vendors and to better understand the vendors’ offerings. The virtual or in-person interaction also offers a great way to understand what it’s like to work with each vendor and decide whether you could build a partnership with them in the long run.

    The main focus of the workshop is the vendors’ service solution presentation. Here is a sample agenda for a two-day workshop:

    Day 1
    • Meet and greet
    • Welcome presentation with objectives, acquisition strategy, and company overview
    • Overview of the current IT environment, technologies, and company expectations
    • Question and answer session
    • Site walk
    Day 2
    • Review Day 1 activities
    • Vendor presentations and solution framing
    Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services
    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap
    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Define Your Cloud Vision
    Make the most of cloud for your organization.

    Document Your Cloud Strategy
    Drive consensus by outlining how your organization will use the cloud.

    Create a Right-Sized Disaster Recovery Plan
    Close the gap between your DR capabilities and service continuity requirements.

    Create a Better RFP Process
    Improve your RFPs to gain leverage and get better results.

    Research Authors

    Photo of Darin Stahl, Principal Research Advisor, Info-Tech Research Group.Darin Stahl, Principal Research Advisor, Info-Tech Research Group

    Principal Research Advisor within the Infrastructure Practice and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring (APM), Managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

    Photo of Troy Cheeseman, Practice Lead, Info-Tech Research Group.Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 24 years of experience and has championed large, enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups.

    Research Contributors

    Photo of Dan Duffy, President & Owner, Mid-Range.Dan Duffy, President & Owner, Mid-Range

    Dan Duffy is the President and Founder of Mid-Range Computer Group Inc., an IBM Platinum Business Partner. Dan and his team have been providing the Canadian and American IBM Power market with IBM infrastructure solutions including private cloud, hosting and disaster recovery, high availability and data center services since 1988. He has served on numerous boards and associations including the Toronto Users Group for Mid-Range Systems (TUG), the IBM Business Partners of the Americas Advisory Council, the Cornell Club of Toronto, and the Notre Dame Club of Toronto. Dan holds a Bachelor of Science from Cornell University.

    Photo of George Goodall, Executive Advisor, Info-Tech Research Group.George Goodall, Executive Advisor, Info-Tech Research Group

    George Goodall is an Executive Advisor in the Research Executive Services practice at Info-Tech Research Group. George has over 20 years of experience in IT consulting, enterprise software sales, project management, and workshop delivery. His primary focus is the unique challenges and opportunities in organizations with small and constrained IT operations. In his long tenure at Info-Tech, George has covered diverse topics including voice communications, storage, and strategy and governance.

    Bibliography

    “Companies using IBM i (formerly known as i5/OS).” Enlyft, 21 July 2021. Web.

    Connor, Clare. “IBM i and Meeting the Challenges of Modernization.” Ensono, 22 Mar. 2022. Web.

    Huntington, Tom. “60+ IBM i User Groups and Communities to Join?” HelpSystems, 16 Dec. 2021. Web.

    Perkins, Dale. “The Road to Power Cloud: June 21st 1988 to now. The Journey Continues.” Mid-Range, 1 Nov. 2021. Web.

    Prickett Morgan, Timothy. “How IBM STACKS UP POWER8 AGAINST XEON SERVERS.” The Next Platform, 13 Oct. 2015. Web.

    “Why is AS/400 still used? Four reasons to stick with a classic.” NTT, 21 July 2016. Web.

    Appendix

    Public Cloud Provider Notes

    Appendix –
    Cloud
    Providers


    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    AWS

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    Google

    • Google Cloud console supports IBM Power Systems.
    • This offering provides cloud instances running on IBM Power Systems servers with PowerVM.
    • The service uses a per-day prorated monthly subscription model for cloud instance plans with different capacities of compute, memory, storage, and network. Standard plans are listed below and custom plans are possible.
    • There is no IBM i offering yet that we are aware of.
    • For AIX on Power, this would appear to be a better option than AWS (Converge Enterprise Cloud with IBM Power for Google Cloud).

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    Azure

    • Azure has partners using the Azure Dedicated Host offerings to deliver “native support for IBM POWER Systems to Azure data centres” (PowerWire).
    • Microsoft has installed Power servers in an couple Azure data centers and Skytap manages the IBM i, AIX, and Linux environments for clients.
    • As far as I am aware there is no ability to install IBM i or AIX within an Azure Dedicated Host via the retail interfaces – these must be worked through a partner like Skytap.
    • The cloud route for IBM i or AIX might be the easiest working with Skytap and Azure. This would appear to be a better option than AWS in my opinion.

    Appendix –
    Cloud
    Providers



    “IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

    IBM

    IT Operations Consulting

    Operations... make sure that the services and products you offer your clients are delivered in the most efficient way possible. IT Operations makes sure that the applications and infrastructure that your delivery depends on is solid.

    Gert Taeymans has over 20 years experience in directing the implementation and management of mission-critical services for businesses in high-volume international markets. Strong track record in risk management, crisis management including disaster recovery, service delivery and change & config management.

    Continue reading

    Drive Technology Adoption

    • Buy Link or Shortcode: {j2store}111|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    The project isn’t over if the new product or system isn’t being used. How do you ensure that what you’ve put in place isn’t going to be ignored or only partially adopted? People are more complicated than any new system and managing them through the change needs careful planning.

    Our Advice

    Critical Insight

    Cultivating a herd mentality, where people adopt new technology merely because everyone else is, is an important goal in getting the bulk of users using the new product or system. The herd needs to gather momentum though and this can be done by using the more tech-able and enthused to lead the rest on the journey. Identifying and engaging these key resources early in the process will greatly assist in starting the flow.

    Impact and Result

    While communication is key throughout, involving staff in proof-of-concept activities and contests and using the train-the-trainer techniques and technology champions will all start the momentum toward technology adoption. Group activities will address the bulk of users, but laggards may need special attention.

    Drive Technology Adoption Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive Technology Adoption – A brief deck describing how to encourage users to adopt newly implemented technology.

    This document will help you to ensure that newly implemented systems and technologies are correctly adopted by the intended recipients.

    • Drive Technology Adoption Storyboard
    [infographic]

    Further reading

    Drive Technology Adoption

    The project is over. The new technology is implemented. Now how do we make sure it's used?

    Executive Summary

    Your Challenge

    Technology endlessly changes and evolves. Similarly, business directions and requirements change, and these changes need to be supported by technology. Improved functionality and evolvement of systems, along with systems becoming redundant or unsupported, means that maintaining a static environment is virtually impossible.

    Enormous amounts of IT budget are allocated to these changes each year. But once the project is over, how do you manage that change and ensure the systems are being used? Planning your technology adoption is vital.

    Common Obstacles

    The obstacles to technology adoption can be many and various, covering a broad spectrum of areas including:

    • Reluctance of staff to let go of familiar processes and procedures.
    • Perception that any change will add complications but not add value, thereby hampering enthusiasm to adopt.
    • Lack of awareness of the change.
    • General fear of change.
    • Lack of personal confidence.

    Info-Tech’s Approach

    Start by identifying, understanding, categorizing, and defining barriers and put in place a system to:

    • Gain an early understanding of the different types of users and their attitudes to technology and change.
    • Review different adoption techniques and analyze which are most appropriate for your user types.
    • Use a “Follow the Leader” approach, by having technical enthusiasts and champions to show the way.
    • Prevent access to old systems and methods.

    Info-Tech Insight

    For every IT initiative that will be directly used by users, consider the question, “Will the final product be readily accepted by those who are going to use it?” There is no point in implementing a product that no one is prepared to use. Gaining user acceptance is much more than just ticking a box in a project plan once UAT is complete.

    The way change should happen is clear

    Prosci specializes in change. Its ADKAR model outlines what’s required to bring individuals along on the change journey.

    AWARENESS

    • Awareness means more than just knowing there’s a change occurring,
    • it means understanding the need for change.

    DESIRE

    • To achieve desire, there needs to be motivation, whether it be from an
    • organizational perspective or personal.

    KNOWLEDGE

    • Both knowledge on how to train during the transition and knowledge
    • on being effective after the change are required. This can only be done
    • once awareness and desire are achieved.

    ABILITY

    • Ability is not knowledge. Knowing how to do something doesn’t necessarily translate to having the skills to do it.

    REINFORCEMENT

    • Without reinforcement there can be a tendency to revert.

    When things go wrong

    New technology is not being used

    The project is seen as complete. Significant investments have been made, but the technology either isn’t being used or is only partially in use.

    Duplicate systems are now in place

    Even worse. The failure to adopt the new technology by some means that the older systems are still being used. There are now two systems that fail to interact; business processes are being affected and there is widespread confusion.

    Benefits not being realized

    Benefits promised to the business are not being realized. Projected revenue increases, savings, or efficiencies that were forecast are now starting to be seen as under threat.

    There is project blowout

    The project should be over, but the fact that the technology is not being used has created a perception that the implementation is not complete and the project needs to continue.

    Info-Tech Insight

    People are far more complicated than any technology being implemented.

    Consider carefully your approach.

    Why does it happen?

    POOR COMMUNICATION

    There isn’t always adequate communications about what’s changing in the workplace.

    FEAR

    Fear of change is natural and often not rational. Whether the fear is about job loss or not being able to adapt to change; it needs to be managed.

    TRAINING

    Training can be insufficient or ineffective and when this happens people are left feeling like they don’t have the skills to make the change.

    LACK OF EXECUTIVE SUPPORT

    A lack of executive support for change means the change is seen as less important.

    CONFLICTING VIEWS OF CHANGE

    The excitement the project team and business feels about the change is not necessarily shared throughout the business. Some may just see the change as more work, changing something that already works, or a reason to reduce staff levels.

    LACK OF CONFIDENCE

    Whether it’s a lack of confidence generally with technology or concern about a new or changing tool, a lack of confidence is a huge barrier.

    BUDGETARY CONSTRAINTS

    There is a cost with managing people during a change, and budget must be allocated to allow for it.

    Communications

    Info-Tech Insight

    Since Sigmund Freud there has been endless work to understand people’s minds.
    Don’t underestimate the effect that people’s reactions to change can have on your project.

    This is a Kubler-ross change curve graph, plotting the following Strategies: Create Alignment; Maximize Communication; Spark Motivation; Develop Capability; Share Knowledge

    Communication plans are designed to properly manage change. Managing change can be easier when we have the right tools and information to adapt to new circumstances. The Kubler-Ross change curve illustrates the expected steps on the path to acceptance of change. With the proper communications strategy, each can be managed appropriately

    Analyst perspective

    Paul Binns – Principal Research Advisor, Info-Tech

    The rapidly changing technology landscape in our world has always meant that an enthusiasm or willingness to embrace change has been advantageous. Many of us have seen how the older generation has struggled with that change and been left behind.

    In the work environment, the events of the past two years have increased pressure on those slow to adopt as in many cases they couldn't perform their tasks without new tools. Previously, for example, those who may have been reluctant to use digital tools and would instead opt for face-to-face meetings, suddenly found themselves without an option as physical meetings were no longer possible. Similarly, digital collaboration tools that had been present in the market for some time were suddenly more heavily used so everyone could continue to work together in the “online world.”

    At this stage no one is sure what the "new normal" will be in the post-pandemic world, but what has been clearly revealed is that people are prepared to change given the right motivation.

    “Technology adoption is about the psychology of change.”
    Bryan Tutor – Executive Counsellor, Info-Tech

    The Fix

    • Categorize Users
      • Gain a clear understanding of your user types.
    • Identify Adoption Techniques
      • Understand the range of different tools and techniques available.
    • Match Techniques To Categories
      • Determine the most appropriate techniques for your user base.
    • Follow-the-Leader
      • Be aware of the different skills in your environment and use them to your advantage.
    • Refresh, Retrain, Restrain
      • Prevent reversion to old methods or systems.

    Categories

    Client-Driven Insight

    Consider your staff and industry when looking at the Everett Rogers curve. A technology organization may have less laggards than a traditional manufacturing one.

    In Everett Rogers’ book Diffusion of Innovations 5th Edition (Free Press, 2005), Rogers places adopters of innovations into five different categories.

    This is an image of an Innovation Adoption Curve from Everett Rogers' book Diffusion of Innovations 5th Edition

    Category 1: The Innovator – 2.5%

    Innovators are technology enthusiasts. Technology is a central interest of theirs, either at work, at home, or both. They tend to aggressively pursue new products and technologies and are likely to want to be involved in any new technology being implemented as soon as possible, even before the product is ready to be released.

    For people like this the completeness of the new technology or the performance can often be secondary because of their drive to get new technology as soon as possible. They are trailblazers and are not only happy to step out of their comfort zone but also actively seek to do so.

    Although they only make up about 2.5% of the total, their enthusiasm, and hopefully endorsement of new technology, offers reassurance to others.

    Info-Tech Insight

    Innovators can be very useful for testing before implementation but are generally more interested in the technology itself rather than the value the technology will add to the business.

    Category 2: The Early Adopter – 13.5%

    Whereas Innovators tend to be technologists, Early Adopters are visionaries that like to be on board with new technologies very early in the lifecycle. Because they are visionaries, they tend to be looking for more than just improvement – a revolutionary breakthrough. They are prepared to take high risks to try something new and although they are very demanding as far as product features and performance are concerned, they are less price-sensitive than other groups.

    Early Adopters are often motivated by personal success. They are willing to serve as references to other adopter groups. They are influential, seen as trendsetters, and are of utmost importance to win over.

    Info-Tech Insight

    Early adopters are key. Their enthusiasm for technology, personal drive, and influence make them a powerful tool in driving adoption.

    Category 3: The Early Majority – 34%

    This group is comprised of pragmatists. The first two adopter groups belong to early adoption, but for a product to be fully adopted the mainstream needs to be won over, starting with the Early Majority.

    The Early Majority share some of the Early Adopters’ ability to relate to technology. However, they are driven by a strong sense of practicality. They know that new products aren’t always successful. Consequently, they are content to wait and see how others fare with the technology before investing in it themselves. They want to see well-established references before adopting the technology and to be shown there is no risk.

    Because there are so many people in this segment (roughly 34%), winning these people over is essential for the technology to be adopted.

    Category 4: The Late Majority – 34%

    The Late Majority are the conservatives. This group is generally about the same size as the Early Majority. They share all the concerns of the Early Majority; however, they are more resistant to change and are more content with the status quo than eager to progress to new technology. People in the Early Majority group are comfortable with their ability to handle new technology. People in the Late Majority are not.

    As a result, these conservatives prefer to wait until something has become an established standard and take part only at the end of the adoption period. Even then, they want to see lots of support and ensure that there is proof there is no risk in them adopting it.

    Category 5: The Laggard – 16%

    This group is made up of the skeptics and constitutes 16% of the total. These people want nothing to do with new technology and are generally only content with technological change when it is invisible to them. These skeptics have a strong belief that disruptive new technologies rarely deliver the value promised and are almost always worried about unintended consequences.

    Laggards need to be dealt with carefully as their criticism can be damaging and without them it is difficult for a product to become fully adopted. Unfortunately, the effort required for this to happen is often disproportional to the size of the group.

    Info-Tech Insight

    People aren’t born laggards. Technology projects that have failed in the past can alter people’s attitudes, especially if there was a negative impact on their working lives. Use empathy when dealing with people and respect their hesitancy.

    Adoption Techniques

    Different strokes for different folks

    Technology adoption is all about people; and therefore, the techniques required to drive that adoption need to be people oriented.

    The following techniques are carefully selected with the intention of being impactful on all the different categories described previously.

    Technology Adoption: Herd Mentality; Champions; Force; Group Training; One-on-One; Contests; Marketing; Proof of Concept; Train the Trainer

    There are multitudes of different methods to get people to adopt new technology, but which is the most appropriate for your situation? Generally, it’s a combination.

    Technology Adoption: Herd Mentality; Champions; Force; Group Training; One-on-One; Contests; Marketing; Proof of Concept; Train the Trainer

    Train the Trainer

    Use your staff to get your message across.

    Abstract

    This technique involves training key members of staff so they can train others. It is important that those selected are strong communicators, are well respected by others, and have some expertise in technology.

    Advantages

    • Cost effective
    • Efficient dissemination of information
    • Trusted internal staff

    Disadvantages

    • Chance of inconsistent delivery
    • May feel threatened by co-worker

    Best to worst candidates

    • Early Adopter: Influential trendsetters. Others receptive of their lead.
    • Innovator: Comfortable and enthusiastic about new technology, but not necessarily a trainer.
    • Early Majority: Tendency to take others’ lead.
    • Late Majority: Risk averse and tend to follow others, only after success is proven.
    • Laggard: Last to adopt usually. Unsuitable as Trainer.

    Marketing

    Marketing should be continuous throughout the change to encourage familiarity.

    Abstract

    Communication is key as people are comfortable with what is familiar to them. Marketing is an important tool for convincing adopters that the new product is mainstream, widely adopted and successful.

    Advantages

    • Wide communication
    • Makes technology appear commonplace
    • Promotes effectiveness of new technology

    Disadvantages

    • Reliant on staff interest
    • Can be expensive

    Best to worst candidates

    • Early Majority: Pragmatic about change. Marketing is effective encouragement.
    • Early Adopter: Receptive and interested in change. Marketing is supplemental.
    • Innovator: Actively seeks new technology. Does not need extensive encouragement.
    • Late Majority: Requires more personal approach.
    • Laggard: Resistant to most enticements.

    One-on-One

    Tailored for individuals.

    Abstract

    One-on-one training sometimes is the only way to train if you have staff with special needs or who are performing unique tasks.
    It is generally highly effective but inefficient as it only addresses individuals.

    Advantages

    • Tailored to specific need(s)
    • Only relevant information addressed
    • Low stress environment

    Disadvantages

    • Expensive
    • Possibility of inconsistent delivery
    • Personal conflict may render it ineffective

    Best to worst candidates

    • Laggard: Encouragement and cajoling can be used during training.
    • Late Majority: Proof can be given of effectiveness of new product.
    • Early Majority: Effective, but not cost efficient.
    • Early Adopter: Effective, but not cost-efficient.
    • Innovator: Effective, but not cost-efficient.

    Group Training

    Similar roles, attitudes, and abilities.

    Abstract

    Group training is one of the most common methods to start people on their journey toward new technology. Its effectiveness with the two largest groups, Early Majority and Late Majority, make it a primary tool in technology adoption.

    Advantages

    • Cost effective
    • Time effective
    • Good for team building

    Disadvantages

    • Single method may not work for all
    • Difficult to create single learning pace for all

    Best to worst candidates

    • Early Majority: Receptive. The formality of group training will give confidence.
    • Late Majority: Conservative attitude will be receptive to traditional training.
    • Early Adopter: Receptive and attentive. Excited about the change.
    • Innovator: Will tend to want to be ahead or want to move ahead of group.
    • Laggard: Laggards in group training may have a negative impact.

    Force

    The last resort.

    Abstract

    The transition can’t go on forever.

    At some point the new technology needs to be fully adopted and if necessary, force may have to be used.

    Advantages

    • Immediate full transition
    • Fixed delivery timeline

    Disadvantages

    • Alienation of some staff
    • Loss of faith in product if there are issues

    Best to worst candidates

    • Laggard: No choice but to adopt. Forces the issue.
    • Late Majority: Removes issue of reluctance to change.
    • Early Majority: Content, but worried about possible problems.
    • Early Adopter: Feel less personal involvement in change process.
    • Innovator: Feel less personal involvement in change process.

    Contests

    Abstract

    Contests can generate excitement and create an explorative approach to new technology. People should not feel pressured. It should be enjoyable and not compulsory.

    Advantages

    • Rapid improvement of skills
    • Bring excitement to the new technology
    • Good for team building

    Disadvantages

    • Those less competitive or with lower skills may feel alienated
    • May discourage collaboration

    Best to worst candidates

    • Early Adopter: Seeks personal success. Risk taker. Effective.
    • Innovator: Enthusiastic to explore limits of technology.
    • Early Majority: Less enthusiastic. Pragmatic. Less competitive.
    • Late Majority: Conservative. Not enthusiastic about new technology.
    • Laggard: Reluctant to get involved.

    Incentives

    Incentives don’t have to be large.

    Abstract

    For some staff, merely taking management’s lead is not enough. Using “Nudge” techniques to give that extra incentive is quite effective. Incentivizing staff either financially or through rewards, recognition, or promotion is a successful adoption technique for some.

    Advantages

    Encouragement to adopt from receiving tangible benefit

    Draws more attention to the new technology

    Disadvantages

    Additional expense to business or project

    Possible poor precedent for subsequent changes

    Best to worst candidates

    Early Adopter: Desire for personal success makes incentives enticing.

    Early Majority: Prepared to change, but extra incentive will assist.

    Late Majority: Conservative attitude means incentive may need to be larger.

    Innovator: Enthusiasm for new technology means incentive not necessary.

    Laggard: Sceptical about change. Only a large incentive likely to make a difference.

    Champions

    Strong internal advocates for your new technology are very powerful.

    Abstract

    Champions take on new technology and then use their influence to promote it in the organization. Using managers as champions to actively and vigorously promote the change is particularly effective.

    Advantages

    • Infectious enthusiasm encourages those who tend to be reluctant
    • Use of trusted internal staff

    Disadvantages

    • Removes internal staff from regular duties
    • Ineffective if champion not respected

    Best to worst candidates

    • Early Majority: Champions as references of success provide encouragement.
    • Late Majority: Management champions in particular are effective.
    • Laggard: Close contact with champions may be effective.
    • Early Adopter: Receptive of technology, less effective.
    • Innovator: No encouragement or promotion required.

    Herd Mentality

    Follow the crowd.

    Abstract

    Herd behavior is when people discount their own information and follow others. Ideally all adopters would understand the reason and advantages in adopting new technology, but practically, the result is most important.

    Advantages

    • New technology is adopted without question
    • Increase in velocity of adoption

    Disadvantages

    • Staff may not have clear understanding of the reason for change and resent it later
    • Some may adopt the change before they are ready to do so

    Best to worst candidates

    • Early Majority: Follow others’ success.
    • Late Majority: Likely follow an established proven standard.
    • Early Adopter: Less effective as they prefer to set trends rather than follow.
    • Innovator: Seeks new technology rather than following others.
    • Laggard: Suspicious and reluctant to change.

    Proof of Concepts

    Gain early input and encourage buy-in.

    Abstract

    Proof of concept projects give early indications of the viability of a new initiative. Involving the end users in these projects can be beneficial in gaining their support

    Advantages

    Involve adopters early on

    Valuable feedback and indications of future issues

    Disadvantages

    If POC isn’t fully successful, it may leave lingering negativity

    Usually, involvement from small selection of staff

    Best to worst candidates

    • Innovator: Strong interest in getting involved in new products.
    • Early Adopter: Comfortable with new technology and are influencers.
    • Early Majority: Less interest. Prefer others to try first.
    • Late Majority: Conservative attitude makes this an unlikely option.
    • Laggard: Highly unlikely to get involved.

    Match techniques to categories

    What works for who?

    This clustered column chart categorizes techniques by category

    Follow the leader

    Engage your technology enthusiasts early to help refine your product, train other staff, and act as champions. A combination of marketing and group training will develop a herd mentality. Finally, don’t neglect the laggards as they can prevent project completion.

    This is an inverted funnel chart with the output of: Change Destination.  The inputs are: 16% Laggards; 34% Late Majority; 34% Early Majority; 13.3% Early Adopters; 2% Innovators

    Info-Tech Insight

    Although there are different size categories, none can be ignored. Consider your budget when dealing with smaller groups, but also consider their impact.

    Refresh, retrain, restrain

    We don’t want people to revert.

    Don’t assume that because your staff have been trained and have access to the new technology that they will keep using it in the way they were trained. Or that they won’t revert back to their old methods or system.

    Put in place methods to remove completely or remove access to old systems. Schedule refresh training or skill enhancement sessions and stay vigilant.

    Research Authors

    Paul Binns

    Paul Binns

    Principal Research Advisor, Info-Tech Research Group

    With over 30 years in the IT industry, Paul brings to his work his experience as a Strategic Planner, Consultant, Enterprise Architect, IT Business Owner, Technologist, and Manager. Paul has worked with both small and large companies, local and international, and has had senior roles in government and the finance industry.

    Scott Young

    Scott Young

    Principal Research Advisor, Info-Tech Research Group

    Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

    Related Info-Tech Research

    User Group Analysis Workbook

    Use Info-Tech’s workbook to gather information about user groups, business processes, and day-to-day tasks to gain familiarity with your adopters.

    Governance and Management of Enterprise Software Implementation

    Use our research to engage users and receive timely feedback through demonstrations. Our iterative methodology with a task list focused on the business’ must-have functionality allows staff to return to their daily work sooner.

    Quality Management User Satisfaction Survey

    This IT satisfaction survey will assist you with early information to use for categorizing your users.

    Master Organizational Change Management Practices

    Using a soft, empathetic approach to change management is something that all PMOs should understand. Use our research to ensure you have an effective OCM plan that will ensure project success.

    Bibliography

    Beylis, Guillermo. “COVID-19 accelerates technology adoption and deepens inequality among workers in Latin America and the Caribbean.” World Bank Blogs, 4 March 2021. Web.

    Cleland, Kelley. “Successful User Adoption Strategies.” Insight Voices, 25 Apr. 2017. Web.

    Hiatt, Jeff. “The Prosci ADKAR ® Model.” PROSCI, 1994. Web.

    Malik, Priyanka. “The Kübler Ross Change Curve in the Workplace.” whatfix, 24 Feb. 2022. Web.

    Medhaugir, Tore. “6 Ways to Encourage Software Adoption.” XAIT, 9 March 2021. Web.

    Narayanan, Vishy. “What PwC Australia learned about fast tracking tech adoption during COVID-19” PWC, 13 Oct. 2020. Web.

    Sridharan, Mithun. “Crossing the Chasm: Technology Adoption Lifecycle.” Think Insights, 28 Jun 2022. Web.

    Take Control of Infrastructure and Operations Metrics

    • Buy Link or Shortcode: {j2store}460|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $7,199 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Measuring the business value provided by IT is very challenging.
    • You have a number of metrics, but they may not be truly meaningful, contextual, or actionable.
    • You know you need more than a single metric to tell the whole story. You also suspect that metrics from different systems combined will tell an even fuller story.
    • You are being asked to provide information from different levels of management, for different audiences, conveying different information.

    Our Advice

    Critical Insight

    • Many organizations collect metrics to validate they are keeping the lights on. But the Infrastructure and Operations managers who are benefitting the most are taking steps to ensure they are getting the right metrics to help them make decisions, manage costs, and plan for change.
    • Complaints about metrics are often rooted in managers wading through too many individual metrics, wrong metrics, or data that they simply can’t trust.
    • Info-Tech surveyed and interviewed a number of Infrastructure managers, CIOs, and IT leaders to understand how they are leveraging metrics. Successful organizations are using metrics for everything from capacity planning to solving customer service issues to troubleshooting system failures.

    Impact and Result

    • Manage metrics so they don’t become time wasters and instead provide real value.
    • Identify the types of metrics you need to focus on.
    • Build a metrics process to ensure you are collecting the right metrics and getting data you can use to save time and make better decisions.

    Take Control of Infrastructure and Operations Metrics Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement a metrics program in your Infrastructure and Operations practice, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gap analysis

    This phase will help you identify challenges that you want to avoid by implementing a metrics program, discover the main IT goals, and determine your core metrics.

    • Take Control of Infrastructure and Operations Metrics – Phase 1: Gap Analysis
    • Infra & Ops Metrics Executive Presentation

    2. Build strategy

    This phase will help you make an actionable plan to implement your metrics program, define roles and responsibilities, and communicate your metrics project across your organization and with the business division.

    • Take Control of Infrastructure and Operations Metrics – Phase 2: Build Strategy
    • Infra & Ops Metrics Definition Template
    • Infra & Ops Metrics Tracking and Reporting Tool
    • Infra & Ops Metrics Program Roles & Responsibilities Guide
    • Weekly Metrics Review With Your Staff
    • Quarterly Metrics Review With the CIO
    [infographic]

    Develop an IT Asset Management Strategy

    • Buy Link or Shortcode: {j2store}295|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $52,211 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management

    You have a mandate to create an accurate and actionable database of the IT assets in your environment, but:

    • The data you have is often incomplete or wrong.
    • Processes are broken or non-existent.
    • Your tools aren’t up to the task of tracking ever more hardware, software, and relevant metadata.
    • The role of stakeholders outside the core ITAM team isn’t well defined or understood.

    Our Advice

    Critical Insight

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

    Impact and Result

    • Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.
    • Clarify the structure for the ITAM program, including scope, responsibility and accountability, centralization vs. decentralization, outsourcing vs. insourcing, and more.
    • Create a practical roadmap to guide improvement.
    • Summarize your strategy and approach using Info-Tech’s templates for review with stakeholders.

    Develop an IT Asset Management Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop an IT Asset Management Strategy – A methodology to create a business-aligned, coherent, and durable approach to ITAM.

    This two-phase, step-by-step methodology will guide you through the activities to build a business-aligned, coherent, and durable approach to ITAM. Review the executive brief at the start of the slide deck for an overview of the methodology and the value it can provide to your organization.

    • Develop an IT Asset Management Strategy – Phases 1-2

    2. ITAM Strategy Template – A presentation-ready repository for the work done as you define your ITAM approach.

    Use this template to document your IT asset management strategy and approach.

    • ITAM Strategy Template

    3. IT Asset Estimations Tracker – A rough-and-ready inventory exercise to help you evaluate the work ahead of you.

    Use this tool to estimate key data points related to your IT asset estate, as well as your confidence in your estimates.

    • IT Asset Estimations Tracker

    Infographic

    Workshop: Develop an IT Asset Management Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify ITAM Priorities & Goals, Maturity, Metrics and KPIs

    The Purpose

    Align key stakeholders to the potential strategic value of the IT asset management practice.

    Ensure the ITAM practice is focused on business-aligned goals.

    Key Benefits Achieved

    Define a business-aligned direction and expected outcomes for your ITAM program.

    Activities

    1.1 Brainstorm ITAM opportunities and challenges.

    1.2 Conduct an executive alignment working session.

    1.3 Set ITAM priorities, goals and tactics.

    1.4 Identify target and current state ITAM maturity.

    Outputs

    ITAM opportunities and challenges

    Align executive priorities with ITAM opportunities.

    ITAM metrics and KPIs

    ITAM maturity

    2 Identify Your Approach to Support ITAM Priorities and Goals

    The Purpose

    Translate goals into specific and coherent actions to enable your ITAM practice to deliver business value.

    Key Benefits Achieved

    A business-aligned approach to ITAM, encompassing scope, structure, tools, audits, budgets, documentation and more.

    A high-level roadmap to achieve your vision for the ITAM practice.

    Activities

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Outputs

    Your ITAM approach

    ITAM roadmap and communication plan

    Further reading

    Develop an IT Asset Management Strategy

    Define your business-aligned approach to ITAM.

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    17 Phase 1: Establish Business-Aligned ITAM Goals and Priorities

    59 Phase 2: Support ITAM Goals and Priorities

    116 Bibliography

    Develop an IT Asset Management Strategy

    Define your business-aligned approach to ITAM.

    EXECUTIVE BRIEF

    Analyst Perspective

    Track hardware and software. Seems easy, right?

    It’s often taken for granted that IT can easily and accurately provide definitive answers to questions like “how many laptops do we have at Site 1?” or “do we have the right number of SQL licenses?” or “how much do we need to budget for device replacements next year?” After all, don’t we know what we have?

    IT can’t easily provide these answers because to do so you must track hardware and software throughout its lifecycle – which is not easy. And unfortunately, you often need to respond to these questions on very short notice because of an audit or to support a budgeting exercise.

    IT Asset Management (ITAM) is the solution. It’s not a new solution – the discipline has been around for decades. But the key to success is to deploy the practice in a way that is sustainable, right-sized, and maximizes value.

    Use our practical methodology to develop and document your approach to ITAM that is aligned with the goals of your organization.

    Photo of Andrew Sharp, Research Director, Infrastructure & Operations Practice, Info-Tech Research Group.

    Andrew Sharp
    Research Director
    Infrastructure & Operations Practice
    Info-Tech Research Group

    Realize the value of asset management

    Cost optimization, application rationalization and reduction of technical debt are all considered valuable to right-size spending and improve service outcomes. Without access to accurate data, these activities require significant investments of time and effort, starting with creation of point-in-time inventories, which lengthens the timeline to reaching project value and may still not be accurate.

    Cost optimization and reduction of technical debt should be part of your culture and technical roadmap rather than one-off projects. Why? Access to accurate information enables the organization to quickly make decisions and pivot plans as needed. Through asset management, ongoing harvest and redeployment of assets improves utilization-to-spend ratios. We would never see any organization saying, “We’ve closed our year end books, let’s fire the accountants,” but often see this valuable service relegated to the back burner. Similar to the philosophy that “the best time to plant a tree is 20 years ago and the next best time is now,” the sooner you can start to collect, validate, and analyze data, the sooner you will find value in it.

    Photo of Sandi Conrad, Principal Research Director, Infrastructure & Operations Practice, Info-Tech Research Group.

    Sandi Conrad
    Principal Research Director
    Infrastructure & Operations Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    You have a mandate to create an accurate and actionable database of the IT assets in your environment, but:

    • The data you have is often incomplete or wrong.
    • Processes are broken or non-existent.
    • Your tools aren’t up to the task of tracking ever more hardware, software, and relevant metadata.
    • The role of stakeholders outside the core ITAM team isn’t well defined or understood.
    Common Obstacles

    It is challenging to make needed changes because:

    • There’s cultural resistance to asset tracking, it’s seen as busywork that doesn’t clearly create value.
    • Decentralized IT teams aren’t generating the data required to track hardware and licenses.
    • ITAM can’t direct needed tool improvements because the admins don’t report to ITAM.
    • It’s hard to find time to improve processes given the day-to-day demands on your time.
    Info-Tech’s Approach
    • Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.
    • Clarify the structure for the ITAM program, including scope, responsibility and accountability, centralization vs. decentralization, outsourcing vs. insourcing, and more.
    • Create a practical roadmap to guide improvement.
    • Summarize your strategy and approach using Info-Tech’s templates for review with stakeholders.

    Info-Tech Insight

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

    Unlock business value with IT asset management

    • IT asset management (ITAM) is the practice of maintaining accurate, accessible, and actionable data on the assets within the organization’s IT estate. Each IT asset will have a record that tracks it across its lifecycle from purchase to disposal.
    • ITAM’s value is realized through other processes and practice areas that can leverage ITAM data to manage risk, improve IT services, and control costs.
    • Develop an approach to ITAM that maximizes the value delivered to the business and IT. ITAM succeeds when its partners succeed at delivering business value, and it fails when it doesn’t show value to those partners.

    This blueprint will help you develop your approach for the management of IT hardware and software, including cloud services. Leverage other Info-Tech methodologies to dive directly into developing hardware asset management procedures, software asset management procedures, or to implement configuration management best practices.

    Info-Tech Members report significant savings from implementing our hardware and software asset management frameworks. In order to maximize value from the process-focused methodologies below, develop your ITAM strategy first.

    Implement Hardware Asset Management (Based on Info-Tech Measured Value Surveys results from clients working through these blueprints, as of February 2022.)

    9.6/10

    $23k

    32

    Overall Impact Average $ Saved Average Days Saved
    Implement Software Asset Management (Based on Info-Tech Measured Value Surveys results from clients working through these blueprints, as of February 2022.)

    9.0/10

    $12k

    5

    Overall Impact Average $ Saved Average Days Saved

    ITAM provides both early and ongoing value

    ITAM isn’t one-and-done. Properly supported, your ITAM practice will deliver up-front value that will help demonstrate the value ongoing ITAM can offer through the maintenance of an accurate, accessible, and actionable ITAM database.

    Example: Software Savings from ITAM



    This chart shows the money saved between the first quote and the final price for software and maintenance by a five-person ITAM team. Over a year and a half, they saved their organization a total of $7.5 million from a first quote total of $21 million over that period.

    This is a perfect example of the direct value that ITAM can provide on an ongoing basis to the organization, when properly supported and integrated with IT and the business.

    Examples of up-front value delivered in the first year of the ITAM practice:

    • Save money by reviewing and renegotiating critical, high-spend, and undermanaged software and service contracts.
    • Redeploy or dispose of clearly unused hardware and software.
    • Develop and enforce standards for basic hardware and software.
    • Improve ITAM data quality and build trust in the results.

    Examples of long-term value from ongoing governance, management, and operational ITAM activities:

    • Optimize spend: Reallocate unused hardware and software, end unneeded service agreements, and manage renewals and audits.
    • Reduce risk: Provide comprehensive asset data for security controls development and incident management; manage equipment disposal.
    • Improve IT service: Support incident, problem, request, and change management with ITAM data. Develop new solutions with an understanding of what you have already.

    Common obstacles

    The rulebook is available, but hard to follow
    • ITAM takes a village, but stakeholders aren’t aware of their role. ITAM processes rely on technicians to update asset records, vendors to supply asset data, administrators to manage tools, leadership to provide direction and support, and more.
    • Constant change in the IT and business environment undermines the accuracy of ITAM records (e.g. licensing and contract changes, technology changes that break discovery tools, personnel and organizational changes).
    • Improvement efforts are overwhelmed by day-to-day activities. One study found that 83% of SAM teams’ time is consumed by audit-related activities. (Flexera State of ITAM Report 2022) A lack of improvement becomes a vicious cycle when stakeholders who don’t see the value of ITAM decline to dedicate resources for improvement.
    • Stakeholders expect ITAM tools to be a cure-all, but even at their best, they can’t provide needed answers without some level of configuration, manual input, and supervision.
    • There’s often a struggle to connect ITAM to value. For example, respondents to Info-Tech’s Management & Governance Diagnostic consistently rank ITAM as less important than other processes that ITAM directly supports (e.g. budget management and budget optimization). (Info-Tech MGD Diagnostic (n=972 unique organizations))
    ITAM is a mature discipline with well-established standards, certifications, and tools, but we still struggle with it.
    • Only 28% of SAM teams track IaaS and PaaS spend, and only 35% of SAM teams track SaaS usage.
    • Increasing SAM maturity is a challenge for 76% of organizations.
    • 10% of organizations surveyed have spent more than $5 million in the last three years in audit penalties and true-ups.
    • Half of all of organizations lack a viable SAM tool.
    • Seventy percent of SAM teams have a shortfall of qualified resources.
    • (Flexera State of ITAM Report 2022)

    Info-Tech's IT Asset Management Framework (ITAM)

    Adopt, manage, and mature activities to enable business value thorugh actionable, accessible, and accurate ITAM data

    Logo for Info-Tech Research Group. Enable Business Value Logo for #iTRG.
    Business-Aligned Spend
    Optimization and Transparency
    Facilitate IT Services
    and Products
    Actionable, Accessible,
    and Accurate Data
    Context-Aware Risk Management
    and Security Controls

    Plan & Govern

    Business Goals, Risks, and Structure
    • ITAM Goals & Priorities
    • Roles, Accountability, Responsibilities
    • Scope
    Ongoing Management Commitment
    • Resourcing & Funding
    • Policies & Enforcement
    • Continuous Improvement
    Culture
    • ITAM Education, Awareness & Training
    • Organizational Change Management
    Section title 'Operate' with a cycle surrounding key components of Operate: 'Data Collection & Validation', 'Tool Administration', 'License Management', and 'Lease Management'. The cycle consists of 'Request', 'Procure', 'Receive', 'Deploy', 'Manage', 'Retire & Dispose', and back to 'Request'.

    Build & Manage

    Tools & Data
    • ITAM Tool Selection & Deployment
    • Configuration Management Synchronization
    • IT Service Management Integration
    Process
    • Process Management
    • Data & Process Audits
    • Document Management
    People, Policies, and Providers
    • Stakeholder Management
    • Technology Standardization
    • Vendor & Contract Management

    Info-Tech Insight

    ITAM is a foundational IT service that provides actionable, accessible, and accurate data on IT assets. But there's no value in data for data's sake. Use this methodology to enable collaboration between ITAM, the business, and IT to develop an approach to ITAM that maximizes the value the ITAM team can deliver as service providers.

    Key deliverable

    IT asset management requires ongoing practice – you can’t just implement it and walk away.

    Our methodology will help you build a business-aligned strategy and approach for your ITAM practice with the following outputs:

    • Business-aligned ITAM priorities, opportunities, and goals.
    • Current and target state ITAM maturity.
    • Metrics and KPIs.
    • Roles, responsibilities, and accountability.
    • Insourcing, outsourcing, and (de)centralization.
    • Tools and technology.
    • A documentation framework.
    • Initiatives, a roadmap, and a communication plan.
    Each step of this blueprint is designed to help you create your IT asset management strategy:
    Sample of Info-Tech's key deliverable 'IT Asset Management' blueprint.

    Info-Tech’s methodology to develop an IT asset management strategy

    1. Establish business-aligned ITAM goals and priorities 2. Identify your approach to support ITAM priorities and goals
    Phase Steps
    • 1.1 Define ITAM and brainstorm opportunities and challenges.
    • Executive Alignment Working Session:
    • 1.2 Review organizational priorities, strategy, and key initiatives.
    • 1.3 Align executive priorities with ITAM opportunities and priorities.
    • 1.4 Identify business-aligned ITAM goals and target maturity.
    • 1.5 Write mission and vision statements.
    • 1.6 Define ITAM metrics and KPIs.
    • 2.1 Define ITAM scope.
    • 2.2 Acquire ITAM services (outsourcing and contracting).
    • 2.3 Centralize or decentralize ITAM capabilities.
    • 2.4 Create a RACI for the ITAM practice.
    • 2.5 Align ITAM with other service management practices.
    • 2.6 Evaluate ITAM tools and integrations.
    • 2.7 Create a plan for internal and external audits.
    • 2.8 Improve your budget processes.
    • 2.9 Establish a documentation framework.
    • 2.10 Create a roadmap and communication plan.
    Phase Outcomes Defined, business-aligned goals and priorities for ITAM. Establish an approach to achieving ITAM goals and priorities including scope, structure, tools, service management integrations, documentation, and more.
    Project Outcomes Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.

    Insight Summary

    There’s no value in data for data’s sake

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an approach to ITAM that maximizes the value they can deliver as service providers.

    Service provider to a service provider

    ITAM is often viewed (when it’s viewed at all) as a low-value administrative task that doesn’t directly drive business value. This can make it challenging to build a case for funding and resources.

    Your ITAM strategy is a critical component to help you define how ITAM can best deliver value to your organization, and to stop creating data for the sake of data or just to fight the next fire.

    Collaboration over order-taking

    To align ITAM practices to deliver organizational value, you need a very clear understanding of the organization’s goals – both in the moment and as they change over time.

    Ensure your ITAM team has clear line of sight to business strategy, objectives, and decision-makers, so you can continue to deliver value as priorities change

    Embrace dotted lines

    ITAM teams rely heavily on staff, systems, and data beyond their direct area of control. Identify how you will influence key stakeholders, including technicians, administrators, and business partners.

    Help them understand how ITAM success relies on their support, and highlight how their contributions have created organizational value to encourage ongoing support.

    Project benefits

    Benefits for IT
    • Set a foundation and direction for an ITAM practice that will allow IT to manage risk, optimize spend, and enhance services in line with business requirements.
    • Establish accountability and responsibility for essential ITAM activities. Decide where to centralize or decentralize accountability and authority. Identify where outsourcing could add value.
    • Create a roadmap with concrete, practical next steps to develop an effective, right-sized ITAM practice.
    Stock image of a trophy. Benefits for the business
    • Plan and control technology spend with confidence based on trustworthy ITAM data.
    • Enhance IT’s ability to rapidly and effectively support new priorities and launch new projects. Effective ITAM can support more streamlined procurement, deployment, and management of assets.
    • Implement security controls that reflect your total technology footprint. Reduce the risk that a forgotten device or unmanaged software turns your organization into the next Colonial Pipeline.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI around 12 calls over the course of 6 months.

    What does a typical GI on this topic look like?

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Review business priorities.

    Call #3: Identify ITAM goals & target maturity.

    Call #4: Identify metrics and KPIs. Call #5: Define ITAM scope.

    Call #6: Acquire ITAM services.

    Call #7: ITAM structure and RACI.

    Call #8: ITAM and service management.

    Tools and integrations.

    Call #10: Internal and external audits.

    Call #11: Budgets & documentation

    Call #12: Roadmap, comms plan. Wrap-up.

    Phase 1 Phase 2

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Identify ITAM priorities & goals, maturity, metrics and KPIs
    Identify your approach to support ITAM priorities and goals
    Next Steps and wrap-Up (offsite)
    Activities

    1.1 Define ITAM.

    1.2 Brainstorm ITAM opportunities and challenges.

    Conduct an executive alignment working session:

    1.3 Review organizational priorities, strategy, and key initiatives.

    1.4 Align executive priorities with ITAM opportunities.

    1.5 Set ITAM priorities.

    2.1 Translate opportunities into ITAM goals and tactics.

    2.2 Identify target and current state ITAM maturity.

    2.3 Create mission and vision statements.

    2.4 Identify key ITAM metrics and KPIs.

    3.1 Define ITAM scope.

    3.2 Acquire ITAM services (outsourcing and contracting)

    3.3 Centralize or decentralize ITAM capabilities.

    3.4 Create a RACI for the ITAM practice.

    3.5 Align ITAM with other service management practices.

    3.6 Evaluate ITAM tools and integrations.

    4.1 Create a plan for internal and external audits.

    4.2 Improve your budget processes.

    4.3 Establish a documentation framework and identify documentation gaps.

    4.4 Create a roadmap and communication plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. ITAM opportunities and challenges.
    2. Align executive priorities with ITAM opportunities.
    3. Set ITAM priorities.
    1. ITAM goals and tactics.
    2. Current and target ITAM maturity.
    3. Mission and vision statements.
    4. ITAM metrics and KPIs.
    1. Decisions that will shape your ITAM approach, including:
      1. What’s in scope (hardware, software, and cloud services).
      2. Where to centralize, decentralize, or outsource ITAM activities.
      3. Accountability, responsibility, and structure for ITAM activities.
      4. Service management alignment, tooling gaps, audit plans, budget processes, and required documentation.
    2. A roadmap and communication plan.
    1. Your completed ITAM strategy template.
    Develop an IT Asset Management Strategy

    Phase 1:

    Establish business-aligned ITAM goals and priorities

    Phase 1

    1.1 Define ITAM and brainstorm opportunities and challenges.

    Executive Alignment Working Session:

    1.2 Review organizational priorities, strategy, and key initiatives.

    1.3 Align executive priorities with ITAM opportunities & priorities.

    1.4 Identify business-aligned ITAM goals and target maturity.

    1.5 Write mission and vision statements.

    1.6 Define ITAM metrics and KPIs.

    Phase 2

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Phase Outcomes:

    Defined, business-aligned goals, priorities, and KPIs for ITAM. A concise vision and mission statement. The direction you need to establish a practical, right-sized, effective approach to ITAM for your organization.

    Before you get started

    Set yourself up for success with these three steps:
    • This methodology and the related slides are intended to be executed via intensive, collaborative working sessions using the rest of this slide deck.
    • Ensure the working sessions are a success by working through these steps before you start work on your IT asset management strategy.

    1. Identify participants

    Review recommended roles and identify who should participate in the development of your ITAM strategy.

    2. Estimate assets managed today

    Work through an initial assessment to establish ease of access to ITAM data and your level of trust in the data available to you.

    3. Create a working folder

    Create a repository to house your notes and any work in progress, including your copy of the ITAM Strategy Template.

    0.1 Identify participants

    30 minutes

    Output: List of key roles for the strategy exercises outlined in this methodology

    Participants: Project sponsor, Lead facilitator, ITAM manager and SMEs

    This methodology relies on having the right stakeholders in the room to identify ITAM goals, challenges, roles, structure, and more. On each activity slide in this deck, you’ll see an outline of the recommended participants. Use the table below to translate the recommended roles into specific people in your organization. Note that some people may fill multiple roles.

    Role Expectations People
    Project Sponsor Accountable for the overall success of the methodology. Ideally, participates in all exercises in this methodology. May be the asset manager or whoever they report to. Jake Long
    Lead Facilitator Leads, schedules, and manages all working sessions. Guides discussions and ensures activity outputs are completed. Owns and understands the methodology. Has a working knowledge of ITAM. Robert Loblaw
    Asset Manager(s) SME for the ITAM practice. Provides strategic direction to mature ITAM practices in line with organizational goals. Supports the facilitator. Eve Maldonado
    ITAM Team Hands-on ITAM professionals and SMEs. Includes the asset manager. Provide input on tactical ITAM opportunities and challenges. Bruce Wayne, Clark Kent
    IT Leaders & Managers Leaders of key stakeholder groups from across the IT department – the CIO and direct reports. Provide input on what IT needs from ITAM, and the role their teams should play in ITAM activities. May include delegates, particularly those familiar with day-to-day processes relevant to a particular discussion or exercise. Marcelina Hardy, Edmund Broughton
    ITAM Business Partners Non-IT business stakeholders for ITAM. This could include procurement, vendor management, accounting, and others. Zhang Jin, Effie Lamont
    Business Executives Organizational leaders and executives (CFO, COO, CEO, and others) or their delegates. Will participate in a mini-workshop to identify organizational goals and initiatives that can present opportunities for the ITAM practice. Jermaine Mandar, Miranda Kosuth

    0.2 Estimate asset numbers

    1 hour

    Output: Estimates of quantity and spend related to IT assets, Confidence/margin of error on estimates

    Participants: IT asset manager, ITAM team

    What do you know about your current IT environment, and how confident are you in that knowledge?

    This exercise will help you evaluate the size of the challenge ahead in terms of the raw number of assets in your environment, the spend on those assets, and the level of trust your organization has in the ITAM data.

    It is also a baseline snapshot your ability to relay key ITAM metrics quickly and confidently, so you can measure progress (in terms of greater confidence) over time.

    1. Download the estimation tracker below. Add any additional line items that are particularly important to the organization.
    2. Time-box this exercise to an hour. Use your own knowledge and existing data repositories to identify count/spend for each line item, then add a margin of error to your guess. Larger margins of error on larger counts will typically indicate larger risks.
    3. Track any assumptions, data sources used, or SMEs consulted in the comments.

    Download the IT Asset Estimation Tracker

    “Any time there is doubt about the data and it doesn’t get explained or fixed, then a new spreadsheet is born. Data validation and maintenance is critical to avoid the hidden costs of having bad data”

    Allison Kinnaird,
    Operations Practice Lead,
    Info-Tech Research Group

    0.3 Create a working folder

    15 minutes

    Output: A repository for templates and work in progress

    Participants: Lead facilitator

    Create a central repository for collaboration – it seems like an obvious step, but it’s one that gets forgotten about
    1. Download a copy of the ITAM Strategy Template.
      1. This will be the repository for all the work you do in the activities listed in this blueprint; take a moment to read it through and familiarize yourself with the contents.
    2. House the template in a shared repository that can house other related work in progress. Share this folder with participants so they can check in on your progress.
    3. You’ll see this callout box: Add your results to your copy of the ITAM Strategy Template as you work through activities in this blueprint. Copy the output to the appropriate slide in the ITAM Strategy Template.
    Stock image of a computer screen with a tiny person putting likes on things.

    Collect action items as you go

    Don’t wait until the end to write down your good ideas.
    • The last exercise in this methodology is to gather everything you’ve learned and build a roadmap to improve the ITAM practice.
    • The output of the exercises will inform the roadmap, as they will highlight areas with opportunities for improvement.
    • Write them down as you work through the exercises, or you risk forgetting valuable ideas.
    • Keep an “idea space” – a whiteboard with sticky notes or a shared document – to which any of your participants can post an idea for improvement and that you can review and consolidate later.
    • Encourage participants to add their ideas at any time during the exercises.
    Pad of sticky notes, the top of which reads 'Good ideas go here!'

    Step 1.1: Brainstorm ITAM opportunities and challenges

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Rally the working group around a collection of ideas that, when taken together, create a vision for the future ITAM practice.
    • Identify your organization’s current ITAM challenges.

    “ITAM is a cultural shift more than a technology shift.” (Rory Canavan, SAM Charter)

    What is an IT Asset?

    Any piece of technology can be considered an asset, but it doesn’t mean you need to track everything. Image of three people building a computer from the inside.
    Icon of a power button.

    According to the ISO 19770 standard on ITAM, an IT Asset is “[an] item, thing, or entity that can be used to acquire, process, store and distribute digital information and has potential or actual value to an organization.”
    These are all things that IT is expected to support and manage, or that have the potential to directly impact services that IT supports and manages.

    Icon of a half-full battery.

    IT assets are distinct from capital assets. Some IT assets will also be capital assets, but not all will be. And not all capital assets are IT assets, either.

    Icon of a microphone.

    IT assets are typically tracked by IT, not by finance or accounting.
    IT needs more from their IT asset tracking system than the typical finance department can deliver.
    This can include end-user devices, software, IT infrastructure, cloud-based resources, third-party managed IT services, Internet-of-Things devices, embedded electronics, SCADA equipment, “smart” devices, and more.

    Icon of a fingerprint.

    It’s important to track IT assets in a way that enables IT to deliver value to the business – and an important part of this is understanding what not to track. This list should be aligned to the needs of your organization.

    What is IT asset management?

    • IT asset management is the practice of maintaining accurate, accessible, and actionable data on IT hardware, software, and cloud assets from procurement to disposal.
    • Trustworthy data maintained by an IT asset management practice will help your business meet its goals by managing risk, controlling costs, and enabling IT services and products.
    • ITAM tends to focus on the asset itself – its technical, financial, contractual, lifecycle, and ownership attributes – rather than its interactions or connections to other IT assets, which tends to be part of configuration management.

    What IT Asset Management is NOT:

    Configuration Management: Configuration management databases (CMDBs) often draw from the same data pool as ITAM (many configuration items are assets, and vice versa), but they focus on the interaction, interconnection, and interoperation of configuration items within the IT estate.

    In practice, many configuration items will be IT assets (or parts of assets) and vice versa. Configuration and asset teams should work closely together as they develop different but complementary views of the IT environment. Use Info-Tech’s methodology to harness configuration management superpowers.

    Organizational Data Management: Leverage a different Info-Tech methodology to develop a digital and data asset management program within Info-Tech’s DAM framework.

    “Asset management’s job is not to save the organization money, it’s not to push back on software audits.

    It’s to keep the asset database as up-to-date and as trustworthy as possible. That’s it.” (Jeremy Boerger, Consultant & Author)

    “You can’t make any real decisions on CMDB data that’s only 60% accurate.

    You start extrapolating that out, you’re going to get into big problems.” (Mike Austin, Founder & CEO, MetrixData 360)

    What is an ITAM strategy?

    Our strategy document will outline a coherent, sustainable, business-aligned approach to ITAM.

    No single approach to ITAM fits all organizations. Nor will the same approach fit the same organization at different times. A world-leading research university, a state government, and a global manufacturer all have very different goals and priorities that will be best supported by different approaches to ITAM.

    This methodology will walk you through these critical decisions that will define your approach to ITAM:

    • Business-aligned priorities, opportunities, and goals: What pressing opportunities and challenges do we face as an organization? What opportunities does this create that ITAM can seize?
    • Current and future state maturity, challenges: What is the state of the practice today? Where do we need to improve to meet our goals? What challenges stand in the way of improvement?
    • Responsibility, accountability, sourcing and (de)centralization: Who does what? Who is accountable? Where is there value to outsourcing? What authority will be centralized or decentralized?
    • Tools, policies, and procedures: What technology do we need? What’s our documentation framework?
    • Initiatives, KPIs, communication plan, and roadmap: What do we need to do, in what order, to build the ITAM practice to where we need it to be? How long do we expect this to take? How will we measure success?

    “A good strategy has coherence, coordinating actions, policies, and resources so as to accomplish an important end. Most organizations, most of the time, don’t have this.

    Instead, they have multiple goals and initiatives that symbolize progress, but no coherent approach to accomplish that progress other than ‘spend more and try harder.’” (Good Strategy, Bad Strategy, Richard Rumelt)

    Enable business value with IT asset management

    If you’ve never experienced a mature ITAM program before, it is almost certainly more rewarding than you’d expect once it’s functioning as intended.

    Each of the below activities can benefit from accessible, actionable, and accurate ITAM data.

    • Which of the activities, practices, and initiatives below have value to your organization?
    • Which could benefit most from ITAM data?
    Manage Risk: Effective ITAM practices provide data and processes that help mitigate the likelihood and impact of potentially damaging IT risks.

    ITAM supports the following practices that help manage organizational risk:

    • Security Controls Development
    • Security Incident Response
    • Security Audit Reports
    • Regulatory Compliance Reports
    • IT Risk Management
    • Technical Debt Management
    • M&A Due Diligence
    Optimize Spend: Asset data is essential to maintaining oversight of IT spend, ensuring that scarce resources are allocated where they can have the most impact.

    ITAM supports these activities that help optimize spend:

    • Vendor Management & Negotiations
    • IT Budget Management & Variance Analysis
    • Asset Utilization Analysis
    • FinOps & Cloud Spend Optimization
    • Showback & Chargeback
    • Software Audit Defense
    • Application Rationalization
    • Contract Consolidation
    • License and Device Reallocation
    Improve IT Services: Asset data can help inform solutions development and can be used by service teams to enhance and improve IT service practices.

    Use ITAM to facilitate these IT services and initiatives:

    • Solution and Enterprise Architecture
    • Service Level Management
    • Technology Procurement
    • Technology Refresh Projects
    • Incident & Problem Management
    • Request Management
    • Change Management
    • Green IT

    1.1 Brainstorm ideas to create a vision for the ITAM practice

    30 minutes

    Input: Stakeholders with a vision of what ITAM could provide, if resourced and funded adequately

    Output: A collection of ideas that, when taken together, create a vision for the future ITAM practice

    Materials: ITAM strategy template, Whiteboard or virtual whiteboard

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    It can be easy to lose sight of long-term goals when you’re stuck in firefighting mode. Let’s get the working group into a forward-looking mindset with this exercise.

    Think about what ITAM could deliver with unlimited time, money, and technology.

    1. Provide three sticky notes to each participant.
    2. Add the headings to a whiteboard, or use a blank slide as a digital whiteboard
    3. On each sticky note, ask participants to outline a single idea as follows:
      1. We could: [idea]
      2. Which would help: [stakeholder]
      3. Because: [outcome]
    4. Ask participants to present their sticky notes and post them to the whiteboard. Ask later participants to group similar ideas together.

    As you hear your peers describe what they hope and expect to achieve with ITAM, a shared vision of what ITAM could be will start to emerge.

    1.1 Identify structural ITAM challenges

    30 minutes

    Input: The list of common challenges on the next slide, Your estimated visibility into IT assets from the previous exercise, The experience and knowledge of your participants

    Output: Identify current ITAM challenges

    Materials: Your working copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    What’s standing in the way today of delivering the ITAM practices you want to achieve?

    Review the list of common challenges on the next slide as a group.

    1. Delete any challenges that don’t apply to your organization.
    2. Modify any challenges as required to reflect your organization.
    3. Add further challenges that aren’t on the list, as required.
    4. Highlight challenges that are particularly painful.

    Add your results to your copy of the ITAM Strategy Template

    “The problem – the reason why asset management initiatives keep falling on their face – is that people attack asset management as a problem to solve, instead of a practice and epistemological construct.” (Jeremy Boerger, Consultant & Author)

    1.1 Identify structural ITAM challenges

    Review and update the list of common challenges below to reflect your own organization.

    • Leadership and executives don’t understand the value of asset management and don’t fund or resource it.
    • Tools aren’t fit for purpose, don’t scale, or are broken.
    • There’s a cultural tendency to focus on tools over processes.
    • ITAM data is fragmented across multiple repositories.
    • ITAM data is widely viewed as untrustworthy.
    • Stakeholders respond to vendor audits before consulting ITAM, which leads to confusion and risks penalties.
    • No time for improvement; we’re always fighting fires.
    • We don’t audit our own ITAM data for accuracy.
    • End-user equipment is shared, re-assigned, or disposed without notifying or involving IT.
    • No dedicated resources.
    • Lack of clarity on roles and responsibilities.
    • Technicians don’t track assets consistently; ITAM is seen as administrative busywork.
    • Many ITAM tasks are manual and prone to error.
    • Inconsistent organizational policies and procedures.
    • We try to manage too many hardware types/software titles.
    • IT is not involved in the procurement process.
    • Request and procurement is seen as slow and excessively bureaucratic.
    • Hardware/software standards don’t exist or aren’t enforced.
    • Extensive rogue purchases/shadow IT are challenging to manage via ITAM tools and processes.
    What Else?

    Copy results to your copy of the ITAM Strategy Template

    Step 1.2: Review organizational priorities, strategy, initiatives

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • Business executives or their delegates

    Outcomes

    • Review organizational priorities and strategy.
    • Identify key initiatives.

    Enter the executives

    Deliver on leadership priorities

    • Your business’ major transformative projects and executive priorities might seem far removed from hardware and software tracking. Why would we start with business strategy and executive priorities as we’re setting goals for the ITAM program?
    • While business executives have (likely) no interest in how software and hardware is tracked, they are accountable for the outcomes ITAM can enable. They are the most likely to understand why and how ITAM can deliver value to the organization.
    • ITAM succeeds by enabling its stakeholders to achieve business outcomes. The next three activities are designed to help you identify how you can enable your stakeholders, and what outcomes are most important from their point of view. Specifically:
      • What are the business’ planned transformational initiatives?
      • What are your highest priority goals?
      • What should the priorities of the ITAM practice be?
    • The answers to these questions will shape your approach to ITAM. Direct input from your leadership and executives – or their delegates – will help ensure you’re setting a solid foundation for your ITAM practice.

    “What outcomes does the organization want from IT asset management? Often, senior managers have a clear vision for the organization and where IT needs to go, and the struggle is to communicate that down.” (Kylie Fowler, ITAM Intelligence)

    Stock image of many hands with different puzzle pieces.

    Executive Alignment Session Overview

    ITAM Strategy Working Sessions

    • Discover & Brainstorm
    • Executive Alignment Working Session
      • 1.2 Review organizational strategy, priorities, and key initiatives
      • 1.3 Align executive priorities with ITAM opportunities, set ITAM priorities
    • ITAM Practice Maturity, Vision & Mission, Metrics & KPIs
    • Scope, Outsourcing, (De)Centralization, RACI
    • Service Management Integration
    • ITAM Tools
    • Audits, Budgets, Documents
    • Roadmap & Comms Plan

    A note to the lead facilitator and project sponsor:
    Consider working through these exercises by yourself ahead of time. As you do so, you’ll develop your own ideas about where these discussions may go, which will help you guide the discussion and provide examples to participants.

    1.2 Review organizational strategy and priorities

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leadership, Business executives or delegates

    Welcome your group to the working session and outline the next few exercises using the previous slide.

    Ask the most senior leader present to provide a summary of the following:

    1. What is the vision for the organization?
    2. What are our priorities and what must we absolutely get right?
    3. What do we expect the organization to look like in three years?

    The facilitator or a dedicated note-taker should record key points on a whiteboard or flipchart paper.

    1.2 Identify transformational initiatives

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leadership, Business executives or delegates

    Ask the most senior leader present to provide a summary of the following: What transformative business and IT initiatives are planned? When will they begin and end?

    Using one box per initiative, draw the initiatives in a timeline like the one below.

    Sample timeline for ITAM initiatives.

    Add your results to your copy of the ITAM Strategy Template

    Step 1.3: Set business-aligned ITAM priorities

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • Business executives

    Outcomes

    • Connect executive priorities to ITAM opportunities.
    • Set business-aligned priorities for the ITAM practice.

    1.3 Align executive priorities with ITAM opportunities

    45 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leaders and managers, Business executives or delegates

    In this exercise, we’ll use the table on the next slide to identify the top priorities of key business and IT stakeholders and connect them to opportunities for the ITAM practice.

    1. Ask your leadership or executive delegates – what are their goals? What are they trying to accomplish? List roles and related goals in the table.
    2. Brainstorm opportunities for IT asset management to support listed goals:
      1. Can ITAM provide an enhanced level of service, access, or insight?
      2. Can ITAM address an existing issue or mitigate an existing risk?

    Add your results to your copy of the ITAM Strategy Template

    1.3 Align executive priorities with ITAM opportunities (example)

    ITAM is for the… Who wants to… Which presents these ITAM opportunities
    CEO Deliver transformative business initiatives Acquire the right tech at the right time to support transformational initiatives.
    Establish a data-driven culture of stewardship Improve data to increase IT spend transparency.
    COO Improve organizational efficiency Increase asset use.
    Consolidate major software contracts to drive discounts.
    CFO Accurately forecast spending Track and anticipate IT asset spending.
    Control spending Improve data to increase IT spend transparency.
    Consolidate major software contracts to drive discounts.
    CIO Demonstrate IT value Use data to tell a story about value delivered by IT assets.
    Govern IT use Improve data to increase IT spend transparency.
    CISO Manage IT security and compliance risks Identify abandoned or out-of-spec IT assets.
    Provide IT asset data to support controls development.
    Respond to security incidents Support security incident teams with IT asset data.
    Apps Leader Build, integrate, and support applications Identify opportunities to retire applications with redundant functionality.
    Connect applications to relevant licensing and support agreements.
    IT Infra Leader Build and support IT infrastructure. Provide input on opportunities to standardize hardware and software.
    Provide IT asset data to technicians supporting end users.

    1.3 Categorize ITAM opportunities

    10-15 minutes

    Input: The outputs from the previous exercise

    Output: Executive priorities, sorted into the three categories at the right

    Materials: The table in this slide, The outputs from the previous exercise

    Participants: Lead facilitator

    Give your participants a quick break. Quickly sort the identified ITAM opportunities into the three main categories below as best you can.

    We’ll use this table as context for the next exercise.

    Example: Optimize Spend Enhance IT Services Manage Risk
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Consolidate major software contracts to drive discounts.
    • Increase asset utilization.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.

    Add your results to your copy of the ITAM Strategy Template

    1.3 Set ITAM priorities

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: Whiteboard, The template on the next slide, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leaders and managers, Business executives or delegates

    The objective of this exercise is to prioritize the outcomes your organization wants to achieve from its ITAM practice, given the context from the previous exercises.

    Review the image below. The three points of the triangle are the three core goals of ITAM: Enhance IT Service, Manage Risk, and Optimize Spend. This exercise was first developed by Kylie Fowler of ITAM Intelligence. It is an essential exercise to understand ITAM priorities and the tradeoffs associated with those priorities. These priorities aren’t set in stone and should be revisited periodically as technology and business priorities change.

    Draw the diagram on the next slide on a whiteboard. Have the most senior leader in the room place the dot on the triangle – the closer it is to any one of the goals, the more important that goal is to the organization. Note: The center of the triangle is off limits! It’s very rarely possible to deliver on all three at once.
    Track notes on what’s being prioritized – and why – in the template on the next slide.
    Triangle with the points labelled 'Enhance IT Service', 'Manage Risk', and 'Optimize Spend'.

    Add your results to your copy of the ITAM Strategy Template

    1.3 Set ITAM Priorities

    The priorities of the ITAM practice are to:
    • Optimize Spend
    • Manage Risk
    Why?
    • We believe there is significant opportunity right now to rationalize spend by consolidating key software contracts.
    • Major acquisitions are anticipated in the near future. Effective ITAM processes are expected to mitigate acquisition risk by supporting due diligence and streamlined integration of acquired organizations.
    • Ransomware and supply chain security threats have increased demands for a comprehensive accounting of IT assets to support security controls development and security incident response.
    (Update this section with notes from your discussion.)
    Triangle with the points labelled 'Enhance IT Service', 'Manage Risk', and 'Optimize Spend'. There is a dot close to the 'Optimize Spend' corner, a legend labelling the dot as 'Our Target', and a note reading 'Move this dot to reflect your priorities'.

    Step 1.4: Identify ITAM goals, target maturity

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Connect executive priorities to ITAM opportunities.
    • Set business-aligned priorities for the ITAM practice.

    “ITAM is really no different from the other ITIL practices: to succeed, you’ll need some ratio of time, treasure, and talent… and you can make up for less of one with more of the other two.” (Jeremy Boerger, Consultant and Author)

    1.4 Identify near- and medium-term goals

    15-30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Narrow down the list of opportunities to identify specific goals for the ITAM practice.

    1. Use one color to highlight opportunities you will seize in the next year.
    2. Use a second color to highlight opportunities you plan to address in the next three years.
    3. Leave blank anything you don’t intend to address in this timeframe.

    The highlighted opportunities are your near- and medium-term objectives.

    Optimize Spend Enhance IT Services Manage Risk
    Priority Critical Normal High
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Increase asset utilization.
    • Consolidate major software contracts to drive discounts.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.

    1.4 Connect ITAM goals to tactics

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Let’s dig down a little deeper. Connect the list of opportunities from earlier to specific ITAM tactics that allow the team to seize those opportunities.

    Add another row to the earlier table for ITAM tactics. Brainstorm tactics with your participants (e.g. sticky notes on a whiteboard) and align them with the priorities they’ll support.

    Optimize SpendEnhance IT ServicesManage Risk
    PriorityCriticalNormalHigh
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Increase asset utilization.
    • Consolidate major software contracts to drive discounts.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.
    ITAM Tactics to Seize Opportunities
    • Review and improve hardware budgeting exercises.
    • Reallocate unused licenses, hardware.
    • Ensure ELP reports are up to date.
    • Validate software usage.
    • Data to support software renewal negotiations.
    • Use info from ITAM for more efficient adds, moves, changes.
    • Integrate asset records with the ticket intake system, so that when someone calls the service desk, the list of their assigned equipment is immediately available.
    • Find and retire abandoned devices or services with access to the organization’s network.
    • Report on lost/stolen devices.
    • Develop reliable disposal processes.
    • Report on unpatched devices/software.

    Add your results to your copy of the ITAM Strategy Template

    1.4 Identify current and target state

    20 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    We’ll use this exercise to identify the current and one-year target state of ITAM using Info-Tech’s ITAM maturity framework.

    1. Review the maturity framework on the next slide as a group.
    2. In one color, highlight statements that reflect your organization today. Summarize your current state. Are you in firefighter mode? Between “firefighter” and “trusted operator”?
    3. In a second color, highlight statements that reflect where you want to be one year from today, taking into consideration the goals and tactics identified in the last exercise.
    4. During a break, copy the highlighted statements to the table on the slide after next, then add this final slide to your working copy of the ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    Establish current and target ITAM maturity

    IT maturity ladder with five color-coded levels. Innovator – Optimized Asset Management
    • All items from Business & Technology Partner, plus:
    • Business and IT stakeholders collaborate regularly with the ITAM team to identify new opportunities to leverage or deploy ITAM practices and data to mitigate risks, optimize spend, and improve service. The ITAM program scales with the business.
    Business & Technology Partner – Proactive Asset Management
    • All items from Trusted Operator, plus:
    • The ITAM data is integral to decisions related to budget, project planning, IT architecture, contract renewal, and vendor management. Software and cloud assets are reviewed as frequently as required to manage costs. ITAM data consumers have self-serve access to ITAM data.
    • Continuous improvement practices strengthen ITAM efficiency and effectiveness.
    • ITAM processes, standards, and related policies are regularly reviewed and updated. ITAM teams work closely with SMEs for key tools/systems integrated with ITAM (e.g. AD, ITSM, monitoring tools) to maximize the value and reliability of integrations.
    Trusted Operator – Controls Assets
    • ITAM data for deployed hardware and software is regularly audited for accuracy.
    • Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Policies and procedures are documented and enforced. Key licenses and contracts are available to the ITAM team. Discovery, tracking, and analysis tools support most important use cases.
    Firefighter – Reactive Asset Tracking
    • Data is often untrustworthy, may be fragmented across multiple repositories, and typically requires significant effort to translate or validate before use.
    • Insufficient staff, fragmented or incomplete policies or documentation. Data tracking processes are extremely highly manual. Effective cooperation for ITAM data collection is challenging.
    • ITAM tools are in place, but additional configuration or tooling is needed.
    Unreliable - Struggles to Support
    • No data, or data is typically unusable.
    • No allocated staff, no cooperation between parties responsible for ITAM data collection.
    • No related policies or documentation.
    • Tools are non-existent or not fit-for-purpose.

    Current and target ITAM maturity

    Today:
    Firefighter
    • Data is often untrustworthy, is fragmented across multiple repositories, and typically requires significant effort to translate or validate before use.
    • Insufficient staff, fragmented or incomplete policies or documentation.
    • Tools are non-existent.
    In One Year:
    Trusted Operator
    • ITAM data for deployed hardware and software is regularly audited for accuracy.
    • Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role.
    • Teams responsible for ITAM data collection cooperate effectively.
    • Discovery, tracking, and analysis tools support most important use cases.
    IT maturity ladder with five color-coded levels.

    Innovator – Optimized Asset Management

    Business & Technology Partner – Proactive Asset Management

    Trusted Operator – Controls Assets

    Firefighter – Reactive Asset Tracking

    Unreliable - Struggles to Support

    Step 1.5: Write mission and vision statements

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Write a mission statement that encapsulates the purpose and intentions of the ITAM practice today.
    • Write a vision statement that describes what the ITAM practice aspires to become and achieve.

    Write vision and mission statements

    Create two statements to summarize the role of the ITAM practice today – and where you want it to be in the future.

    Create two short, compelling statements that encapsulate:
    • The vision for what we want the ITAM practice to be in the future; and
    • The mission – the purpose and intentions – of the ITAM practice today.

    Why bother creating mission and vision statements? After all, isn’t it just rehashing or re-writing all the work we’ve just done? Isn’t that (at best) a waste of time?

    There are a few very important reasons to create mission and vision statements:

    • Create a compass that can guide work today and your roadmap for the future.
    • Focus on the few things you must do, rather than the many things you could do.
    • Concisely communicate a compelling vision for the ITAM practice to a larger audience who (let’s face it) probably won’t read the entire ITAM Strategy deck.

    “Brevity is the soul of wit.” (Hamlet, Act 2, Scene 2)

    “Writing is easy. All you have to do is cross out the wrong words.” (Mark Twain)

    1.5 Write an ITAM vision statement

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: A whiteboard, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT Leaders and managers

    Your vision statement describes the ITAM practice as it will be in the far future. It is a target to aspire to, beyond your ability to achieve in the near or medium term.

    Examples of ITAM vision statements:

    Develop the single accurate view of IT assets, available to anyone who needs it.

    Indispensable data brokers that support strategic decisions on the IT environment.

    Provide sticky notes to participants. Write out the three questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

    1. What’s the desired future state of the ITAM practice?
    2. What needs to be done to achieved this desired state?
    3. How do we want ITAM to be perceived in this desired state?

    Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

    Document your vision statement in your ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    1.5 Write an ITAM mission statement

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Your ITAM mission statement is an expression of what your IT asset management function brings to your organization today. It should be presented in straightforward language that is compelling, easy to understand, and sharply focused.

    Examples of ITAM mission statements:

    Maintain accurate, actionable, accessible on data on all IT assets.

    Support IT and the business with centralized and integrated asset data.

    Provide sticky notes to participants. Write out the questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

    1. What is our role as the asset management team?
    2. How do we support the IT and business strategies?
    3. What does our asset management function offer that no one else can?

    Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

    Document your vision statement in your ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    Step 1.6: Define ITAM metrics and KPIs

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Identify metrics, data, or reports that may be of interest to different consumers of ITAM data.
    • Identify the key performance indicators (KPIs) for the ITAM practice, based on the goals and priorities established earlier.

    Navigate a universe of ITAM metrics

    When you have the data, how will you use it?

    • There’s a dizzying array of potential metrics you can develop and track across your ITAM environment.
    • Different stakeholders will need different data feeds, metrics, reports, and dashboards.
    • Different measures will be useful at different times. You will often need to filter or slice the data in different ways (by department, timeframe, equipment type, etc.)
    • We’ll use the next few exercises to identify the types of metrics that may be useful to different stakeholders and the KPIs to measure progress towards ITAM goals and priorities.

    ITAM Metrics

    • Quantity
      e.g. # of devices or licenses
    • Cost
      e.g. average laptop cost
    • Compliance
      e.g. effective license position reports
    • Progress
      e.g. ITAM roadmap items completed
    • Quality
      e.g. ITAM data accuracy rate
    • Time
      e.g. time to procure/ deploy

    Drill down by:

    • Vendor
    • Date
    • Dept.
    • Product
    • Location
    • Cost Center

    Develop different metrics for different teams

    A few examples:

    • CIOs — CIOs need asset data to govern technology use, align to business needs, and demonstrate IT value. What do we need to budget for hardware and software in the next year? Where can we find money to support urgent new initiatives? How many devices and software titles do we manage compared to last year? How has IT helped the business achieve key goals?
    • Asset Managers — Asset managers require data to help them oversee ITAM processes, technology, and staff, and to manage the fleet of IT assets they’re expected to track. What’s the accuracy rate of ITAM data? What’s the state of integrations between ITAM and other systems and processes? How many renewals are coming up in the next 90 days? How many laptops are in stock?
    • IT Leaders — IT managers need data that can support their teams and help them manage the technology within their mandate. What technology needs to be reviewed or retired? What do we actually manage?
    • Technicians — Service desk technicians need real-time access to data on IT assets to support service requests and incident management – for example, easy access to the list of equipment assigned to a particular user or installed in a particular location.
    • Business Managers and Executives — Business managers and executives need concise, readable dashboards to support business decisions about business use of IT assets. What’s our overall asset spend? What’s our forecasted spend? Where could we reallocate spend?

    1.6 Identify useful ITAM metrics and reports

    60 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Use this exercise to identify as many potentially useful ITAM metrics and reports as possible, and narrow them down to a few high-priority metrics. Leverage the list of example metrics on the next slide for your own exercise. If you have more than six participants, consider splitting into two or more groups, and divide the table between groups to minimize overlap.

    1. List potential consumers of ITAM data in the column on the left.
    2. What type of information do we think this role needs? What questions about IT assets do we get on a regular basis from this role or team?
    3. Review and consolidate the list as a group. Discuss and highlight any metrics the group thinks are a particularly high priority for tracking.
    Role Compliance Quality Quantity Cost Time Progress
    IT Asset Manager Owned devices not discovered in last 60 days Discrepancies between discovery data and ITAM DB records # of corporate-owned devices Spend on hardware (recent and future/ planned) Average time, maximum time to deploy end-user devices Number of ITAM roadmap items in progress
    Service Desk

    Add your results to your copy of the ITAM Strategy Template

    Examples of ITAM metrics

    Compliance Quality Quantity Cost Time/Duration/Age Progress
    Owned devices not discovered in last 60 days Discrepancies between discovery data and ITAM DB records # of corporate-owned devices Spend on hardware (recent and future/planned) Average time, maximum time to deploy end-user devices Number of ITAM roadmap items in progress or completed
    Disposed devices without certificate of destruction Breakage rates (in and out of warranty) by vendor # of devices running software title X, # of licenses for software title X Spend on software (recent and future/planned) Average time, maximum time to deploy end user software Number of integrations between ITAM DB and other sources
    Discrepancies between licenses and install count, by software title RMAs by vendor, model, equipment type Number of requests by equipment model or software title Spend on cloud (recent and future/planned) Average & total time spent on software audit responses Number of records in ITAM database
    Compliance reports (e.g. tied to regulatory compliance or grant funding) Tickets by equipment type or software title Licenses issued from license pool in the last 30 days Value of licenses issued from license pool in the last 30 days (cost avoidance) Devices by age Software titles with an up-to-date ELP report
    Reports on lost and stolen devices, including last assigned, date reported stolen, actions taken User device satisfaction scores, CSAT scores Number of devices retired or donated in last year Number of IT-managed capital assets Number of hardware/software request tickets beyond time-to-fulfil targets Number of devices audited (by ITAM team via self-audit)
    Number of OS versions, unpatched systems Number of devices due for refresh in the next year Spend saved by harvesting unused software Number of software titles, software vendors managed by ITAM team
    Audit accuracy rate Equipment in stock Cost savings from negotiations
    # of users assigned more than one device Number of non-standard devices or requests Dollars charged during audit or true-up

    Differentiate between metrics and KPIs

    Key performance indicators (KPIs) are metrics with targets aligned to goals.

    Targets could include one or more of:

    • Target state (e.g. completed)
    • Target magnitude (e.g. number, percent, rate, dollar amount)
    • Target direction (e.g. trending up or down)

    You may track many metrics, but you should have only a few KPIs (typically 2-3 per objective).

    A breached KPI should be a trigger to investigate and remediate the root cause of the problem, to ensure progress towards goals and priorities can continue.

    Which KPIs you track will change over the life of the practice, as ITAM goals and priorities shift. For example, KPIs may initially track progress towards maturing ITAM practices. Once you’ve reached target maturity, KPIs may shift to track whether the key service targets are being met.

    1.6 Identify ITAM KPIs

    20 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Good KPIs are a more objective measure of whether you’re succeeding in meeting the identified priorities for the ITAM practice.

    Identify metrics that can measure progress or success against the priorities and goals set earlier. Aim for around three metrics per goal. Identify targets for the metric you think are SMART (specific, measurable, achievable, relevant, and timebound). Track your work using the example table below.

    Goal Metric Target
    Consolidate major software contracts to drive discounts Amount spent on top 10 software contracts Decrease by 10% by next year
    Customer satisfaction scores with enterprise software Satisfaction is equal to or better than last year
    Value of licenses issued from license pool 30% greater than last year
    Identify abandoned or out-of-spec IT assets # of security incidents involving undiscovered assets Zero
    % devices with “Deployed” status in ITAM DB but not discovered for 30+ days ‹1% of all records in ITAM DB
    Provide IT asset data to technicians for service calls Customer satisfaction scores Satisfaction is equal to or better than last year
    % of end-user devices meeting minimum standards 97%

    Add your results to your copy of the ITAM Strategy Template

    Develop an IT Asset Management Strategy

    Phase 2:

    Identify your approach to support ITAM priorities and goals

    Phase 1

    1.1 Define ITAM and brainstorm opportunities and challenges.

    Executive Alignment Working Session:

    1.2 Review organizational priorities, strategy, and key initiatives.

    1.3 Align executive priorities with ITAM opportunities & priorities.

    1.4 Identify business-aligned ITAM goals and target maturity.

    1.5 Write mission and vision statements.

    1.6 Define ITAM metrics and KPIs.

    Phase 2

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Phase Outcomes:

    Establish an approach to achieving ITAM goals and priorities, including scope, structure, tools, service management integrations, documentation, and more.

    Create a roadmap that enables you to realize your approach.

    Step 2.1: Define ITAM Scope

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Establish what types of equipment and software you’ll track through the ITAM practice.
    • Establish which areas of the business will be in scope of the ITAM practice.

    Determine ITAM Scope

    Focus on what’s most important and then document it so everyone understands where they can provide the most value.

    Not all categories of assets require the same level of tracking, and some equipment and software should be excluded from the ITAM practice entirely.

    In some organizations, portions of the environment won’t be tracked by the asset management team at all. For example, some organizations will choose to delegate tracking multi-function printers (MFPs) or proprietary IoT devices to the department or vendor that manages them.

    Due to resourcing or technical limitations, you may decide that certain equipment or software is out of scope for the moment.

    What do other organizations typically track in detail?
    • Installs and entitlements for major software contracts that represent significant spend and/or are highly critical to business goals.
    • Equipment managed directly by IT that needs to be refreshed on a regular cycle:
      • End-user devices such as laptops, desktops, and tablets.
      • Server, network, and telecoms devices.
    • High value equipment that is not regularly refreshed may also be tracked, but in less detail – for example, you may not refresh large screen TVs, but you may need to track date of purchase, deployed location, vendor, and model for insurance or warranty purposes.

    2.1 Establish scope for ITAM

    45 minutes

    Input: Organizational strategy documents

    Output: ITAM scope, in terms of types of assets tracked and not tracked

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Establish the hardware and software that are within the scope of the ITAM program by updating the tables below to reflect your own environment. The “out of scope” category will include asset types that may be of value to track in the future but for which the capability or need don’t exist today.

    Hardware Software Out of Scope
    • End-user devices housing data or with a dollar value of more than $300, which will be replaced through lifecycle refresh.
    • Infrastructure devices, including network, telecom, video conferencing, servers and more
    • End-user software purchased under contract
    • Best efforts on single license purchases
    • Infrastructure software, including solutions used by IT to manage the infrastructure
    • Enterprise applications
    • Cloud (SaaS, IaaS, PaaS)
    • Departmental applications
    • Open-source applications
    • In-house developed applications
    • Freeware & shareware
    • IoT devices

    The following locations will be included in the ITAM program: All North and South America offices and retail locations.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.2: Acquire ITAM Services

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Define the type of work that may be more effectively or efficiently delivered by an outsourcer or contractor.

    “We would like our clients to come to us with an idea of where they want to get to. Why are you doing this? Is it for savings? Because you want to manage your security attack surface? Are there digital initiatives you want to move forward? What is the end goal?” (Mike Austin, MetrixData 360)

    Effectively acquire ITAM services

    Allow your team to focus on strategic, value-add activities by acquiring services that free them from commodity tasks.
    • When determining which asset capabilities and activities are best kept in-house and which ones are better handled by a supplier, it is imperative to keep the value to the business in mind.
    • Activities/capabilities that are challenging to standardize and are critical to enabling business goals are better kept in-house.
    • Activities/capabilities that are (or should be) standardized and automated are ideal candidates for outsourcing.
    • Outsourcing can be effective and successful with a narrow scope of engagement and an alignment to business outcomes.
    • Organizations that heavily weigh cost reduction as a significant driver for outsourcing are far less likely to realize the value they expected to receive.
    Business Enablement
    • Supports business-aligned ITAM opportunities & priorities
    • Highly specialized
    • Offers competitive advantages
    Map with axes 'Business Enablement' and 'Vendor's Performance Advantage' for determining whether or not to outsource.
    Vendor’s Performance Advantage
    • Talent or access to skills
    • Economies of scale
    • Access to technology
    • Does not require deep knowledge of your business

    Decide what to outsource

    It’s rarely all or nothing.

    Ask yourself:
    • How important is this activity or capability to ITAM, IT, and business priorities and goals?
    • Is it a non-commodity IT service that can improve customer satisfaction?
    • Is it a critical service to the business and the specialized knowledge must remain in-house?
    • Does the function require access to talent or skills not currently available in-house, and is cost-prohibitive to obtain?
    • Are there economies of scale that can help us meet growing demand?
    • Does the vendor provide access to best-of-breed tools and solutions that can handle the integration, management, maintenance and support of the complete system?

    You may ultimately choose to engage a single vendor or a combination of multiple vendors who can best meet your ITAM needs.

    Establishing effective vendor management processes, where you can maximize the amount of service you receive while relying on the vendor’s expertise and ability to scale, can help you make your asset management practice a net cost-saver.

    ITAM activities and capabilities
    • Contract review
    • Software audit management
    • Asset tagging
    • Asset disposal and recycling
    • Initial ITAM record creation
    • End-user device imaging
    • End-user device deployment
    • End-user software provisioning
    • End-user image management
    • ITAM database administration
    • ELP report creation
    • ITAM process management
    • ITAM report generation
    ITAM-adjacent activities and capabilities
    • Tier 1 support/service desk
    • Deskside/field support
    • Tier 3 support
    • IT Procurement
    • Device management/managed IT services
    • Budget development
    • Applications development, maintenance
    • Infrastructure hosting (e.g. cloud or colocation)
    • Infrastructure management and support
    • Discovery/monitoring tools management and support

    2.2 Identify outsourcing opportunities

    1-2 hours

    Input: Understanding of current ITAM processes and challenges

    Output: Understanding of potential outsourcing opportunities

    Materials: The table in this slide, and insight in previous slides, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    At a high level, discuss which functions of ITAM are good candidates for outsourcing.

    Start with the previous slide for examples of outsourcing activities or capabilities directly related to or adjacent to the ITAM practice. Categorize these activities as follows:

    Outsource Potentially Outsource Insource
    • Asset disposal/recycling
    • ELP report creation
    • ITAM process management

    Go through the list of activities to potentially or definitely outsource and confirm:

    1. Will outsourcing solve a resourcing need for an existing process, or can you deliver this adequately in-house?
    2. Will outsourcing improve the effectiveness and efficiency of current processes? Will it deliver more effective service channels or improved levels of reliability and performance consistency?
    3. Will outsourcing provide or enable enhanced service capabilities that your IT customers could use, and which you cannot deliver in-house due to lack of scale or capacity?

    Answering “no” to more than one of these questions suggests a need to further review options to ensure the goals are aligned with the potential value of the service offerings available.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.3: Centralize or decentralize ITAM capabilities

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Outline where the team(s) responsible for ITAM sit across the organization, who they report to, and who they need to work with across IT and the business.

    Align ITAM with IT’s structure

    ITAM’s structure will typically align with the larger business and IT structure. The wrong structure will undermine your ability to meet ITAM goals and lead to frustration, missed work, inefficiency, and loss of value.

    Which of the four archetypes below reflects the structure you need?

    1. Centralized — ITAM is entirely centralized in a single function, which reports into a central IT department.
    2. Decentralized — Local IT groups are responsible and accountable for ITAM. They may coordinate informally but do not report to any central team.
    3. Hybrid-Shared Services — Local IT can opt in to shared services but must follow centrally set ITAM practices to do so, usually with support from a shared ITAM function.
    4. Hybrid-Federated — Local IT departments are free to develop their own approach to ITAM outside of core, centrally set requirements.

    Centralized ITAM

    Total coordination, control, and oversight

    • ITAM accountability, policies, tools, standards, and expertise – in this model, they’re all concentrated in a single, specialized IT asset management practice. Accountability, authority, and oversight are concentrated in the central function as well.
    • A central ITAM team will benefit from knowledge sharing and task specialization opportunities. They are a visible single point of contact for ITAM-related questions
    • The central ITAM team will coordinate ITAM activities across the organization to optimize spend, manage risk, and enhance service. Any local IT teams are supported by and directly answerable to the central ITAM team for ITAM activities.
    • There is a single, centrally managed ITAM database. Wherever possible, this database should be integrated with other tools to support cross-solution automation (e.g. integrate AD to automatically reflect user identity changes in the ITAM database).
    • This model drives cross-organization coordination and oversight, but it may not be responsive to specific and nuanced local requirements.
    Example: Centralized
    Example of a Centralized ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working or reporting relationship

    Decentralized ITAM

    Maximize choice

    • ITAM accountability and oversight are entirely devolved to local or regional IT and/or ITAM organizations, which are free to set their own priorities, goals, policies, and standards. This model maximizes the authority of local groups to build practices that meet local requirements.
    • It may be challenging to resource and mature local practices. ITAM maturity will vary from one local organization to the next.
    • It is more likely that ITAM managers are a part-time role, and sometimes even a non-IT role. Local ITAM teams or coordinators may coordinate and share knowledge informally, but specialization can be challenging to build or leverage effectively across the organization.
    • There is likely no central ITAM tool. Local tools may be acquired, implemented, and integrated by local IT departments to suit their own needs, which can make it very difficult to report on assets organization-wide – for example, to establish compliance on an enterprise software contract.
    Example: Decentralized


    Example of a Decentralized ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working or reporting relationship

    Blue dotted line. Informal working relationships, knowledge sharing

    Hybrid: Federation

    Centralization with a light touch

    • A middle ground between centralized and decentralized ITAM, this model balances centralized decision making, specialization, and governance with local autonomy.
    • A central team will define organization-wide ITAM goals, develop capabilities, policies, and standards, and monitor compliance by local and central teams. All local teams must comply with centrally defined requirements, but they can also develop further capabilities to meet local goals.
    • For example, there will typically be a central ITAM database that must be used for at least a subset of assets, but other teams may build their own databases for day-to-day operations and export data to the central database as required.
    • There are often overlapping responsibilities in this model. A strong collaborative relationship between central and local ITAM teams is especially important here, particularly after major changes to requirements, processes, tools, or staffing when issues and breakdowns are more likely.
    Example: Federation


    Example of a Federation ITAM.

    Solid line. Direct reporting relationship

    Purple solid line. Oversight/governance

    Dotted line. Dotted line working or reporting relationship

    Hybrid: Shared Services

    Optional centralization

    • A special case of federated ITAM that balances central control and local autonomy, but with more power given to local IT to opt out of centralized shared services that come with centralized ITAM requirements.
    • ITAM requirements set by the shared services team will support management, allocation, and may have showback or chargeback implications. Following the ITAM requirements is a condition of service. If a local organization chooses to stop using shared services, they are (naturally) no longer required to adhere to the shared services ITAM requirements.
    • As with the federated model, local teams may develop further capabilities to meet local goals.
    Example: Shared Services


    Example of a Shared Services ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working relationship

    Blue dotted line. Informal working relationships, knowledge sharing

    Structure data collection & analysis

    Consider the implications of structure on data.

    Why centralize?
    • There is a need to build reports that aggregate data on assets organization-wide, rather than just assets within a local environment.
    • Decentralized ITAM tracking isn’t producing accurate or usable data, even for local purposes.
    • Tracking tools have overlapping functionality. There’s an opportunity to rationalize spend, management and support for ITAM tools.
    • Contract centralization can optimize spend and manage risks, but only with the data required to manage those contracts.
    Why decentralize?
    • Tracking and reporting on local assets is sufficient to meet ITAM goals; there is limited or no need to track assets organization-wide.
    • Local teams have the skills to track and maintain asset data; subsidiaries have appropriate budgets and tools to support ITAM tracking.
    • Decentralized ITSM/ITAM tools are in place, populated, and accurate.
    • The effort to consolidate tools and processes may outweigh the benefits to data centralization.
    • Lots of variability in types of assets and the environment is stable.
    Requirements for success:
    • A centralized IT asset management solution is implemented and managed.
    • Local teams must understand the why and how of centralized data tracking and be held accountable for assigned responsibilities.
    • The asset tool should offer both centralized and localized views of the data.
    Requirements for success:
    • Guidelines and expectations for reporting to centralized asset management team will be well defined and supported.
    • Local asset managers will have opportunity to collaborate with others in the role for knowledge transfer and asset trading, where appropriate.

    Structure budget and contract management

    Contract consolidation creates economies of scale for vendor management and license pooling that strengthen your negotiating position with vendors and optimize spend.

    Why centralize?
    • Budgeting, governance, and accountability are already centralized. Centralized ITAM practices can support the existing governance practices.
    • Centralizing contract management and negotiation can optimize spend and/or deliver access to better service.
    • Centralize management for contracts that cover most of the organization, are highly complex, involve large spend and/or higher risk, and will benefit from specialization of asset staff.
    Why decentralize?
    • Budgeting, governance, and accountability rest with local organizations.
    • There may be increased need for high levels of customer responsiveness and support.
    • Decentralize contract management for contracts used only by local groups (e.g. a few divisions, a few specialized functions), and that are smaller, low risk, and come with standard terms and conditions.
    Requirements for success:
    • A centralized IT asset management solution is implemented and managed.
    • Contract terms must be harmonized across the organization.
    • Centralized fulfillment is as streamlined as possible. For example, software contracts should include the right to install at any time and pay through a true-up process.
    Requirements for success:
    • Any expectations for harmonization with the centralized asset management team will be well defined and supported.
    • Local asset managers can collaborate with other local ITAM leads to support knowledge transfer, asset swapping, etc.

    Structure technology management

    Are there opportunities to centralize or decentralize support functions?

    Why centralize?
    • Standard technologies are deployed organization-wide.
    • There are opportunities to improve service and optimize costs by consolidating knowledge, service contracts, and support functions.
    • Centralizing data on product supply allows for easier harvest and redeployment of assets by a central support team.
    • A stable, central support function can better support localized needs during seasonal staffing changes, mergers and acquisitions.
    Why decentralize?
    • Technology is unique to a local subset of users or customers.
    • Minimal opportunity for savings or better support by consolidating knowledge, service contracts, or support functions.
    • Refresh standards are set at a local level; new tech adoption may be impeded by a reliance on older technologies, local budget shortfalls, or other constraints.
    • Hardware may need to be managed locally if shipping costs and times can’t reasonably be met by a distant central support team.
    Requirements for success:
    • Ensure required processes, technologies, skills, and knowledge are in place to enable centralized support.
    • Keep a central calendar of contract renewals, including reminders to start work on the renewal no less than 90 days prior. Prioritize contracts with high dollar value or high risk.
    • The central asset management solution should be configured to provide data that can enable the central support team.
    Requirements for success:
    • Ensure required processes, technologies, skills, and knowledge are in place to enable decentralized support.
    • Decentralized support teams must understand and adhere to ITAM activities that are part of support work (e.g. data entry, data audits).
    • The central asset management solution should be configured to provide data that can enable the central support team, or decentralized asset solutions must be funded, and teams trained on their use.

    2.3 Review ITAM Structure

    1-2 hours

    Input: Understanding of current organizational structure, Understanding of challenges and opportunities related to the current structure

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Outline the current model for your organization and identify opportunities to centralize or decentralize ITAM-related activities.

    1. What model best describes how ITAM should be structured in your organization? Modify the slide outlining structure as a group to outline your own organization, as required.
    2. In the table below, outline opportunities to centralize or decentralize data tracking, budget and contract management, and technology management activities.
    Centralize Decentralize
    Data collection & analysis
    • Make better use of central ITAM database.
    • Support local IT departments building runbooks for data tracking during lifecycle activities (create templates, examples)
    Budget and contract management
    • Centralize Microsoft contracts.
    • Create a runbook to onboard new companies to MSFT contracts.
    • Create tools and data views to support local department budget exercises.
    Technology management
    • Ensure all end-user devices are visible to centrally managed InTune, ConfigMgr.
    • Enable direct shipping from vendor to local sites.
    • Establish disposal/pickup at local sites.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.4: Create a RACI

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Review the role of the IT asset manager.
    • Identify who’s responsible, accountable, consulted, and informed for key ITAM activities.

    Empower your asset manager

    The asset manager is the critical ITAM role. Ensure they’re positioned to succeed.

    There’s too much change in the technology and business environment to expect ITAM to be “a problem to solve.” It is a practice that requires care and feeding through regular iteration to achieve success. At the helm of this practice is your asset manager, whose approach and past experience will have a significant impact on how you approach ITAM.

    The asset manager role requires a variety of skills, knowledge, and abilities including:

    • Operations, process, and practice management.
    • An ability to communicate, influence, negotiate, and facilitate.
    • Organizational knowledge and relationship management.
    • Contract and license agreement analysis, attention to detail.
    • Natural curiosity and a willingness to learn.
    • A strong understanding of technologies in use by the organization, and how they fit into the asset management program.
    Where the asset manager sits in the organization will also have an impact on their focus and priorities. When the asset manager reports into a service team, their focus will often reflect their team’s focus: end-user devices and software, customer satisfaction, request fulfillment. Asset teams that report into a leadership or governance function will be more likely to focus on organization-wide assets, governance, budget management, and compliance.

    “Where your asset manager sits, and what past experience they have, is going to influence how they do asset management.” (Jeremy Boerger, Consultant & Author)

    “It can be annoying at times, but a good IT asset manager will poke their nose into activities that do not obviously concern them, such as programme and project approval boards and technical design committees. Their aim is to identify and mitigate ITAM risks BEFORE the technology is deployed as well as to ensure that projects and solutions ‘bake in’ the necessary processes and tools that ensure IT assets can be managed effectively throughout their lifecycle.” (Kylie Fowler, ITAM by Design, 2017)

    IT asset managers must have a range of skills and knowledge

    • ITAM Operations, Process, and Practice Management
      The asset manager is typically responsible for managing and improving the ITAM practice and related processes and tools. The asset manager may administer the ITAM tool, develop reports and dashboards, evaluate and implement new technologies or services to improve ITAM maturity, and more.
    • Organizational Knowledge
      An effective IT asset manager has a good understanding of your organization and its strategy, products, stakeholders, and culture.
    • Technology & Product Awareness
      An IT asset manager must learn about new and changing technologies and products adopted by the organization (e.g. IoT, cloud) and develop recommendations on how to track and manage them via the ITAM practice.
    A book surrounded by icons corresponding to the bullet points.
    • People Management
      Asset managers often manage a team directly and have dotted-line reports across IT and the business.
    • Communication
      Important in any role, but particularly critical where learning, listening, negotiation, and persuasion are so critical.
    • Finance & Budgeting
      A foundational knowledge of financial planning and budgeting practices is often helpful, where the asset manager is asked to contribute to these activities.
    • Contract Review & Analysis
      Analyze new and existing contracts to evaluate changes, identify compliance requirements, and optimize spend.

    Assign ITAM responsibilities and accountabilities

    Align authority and accountability.
    • A RACI exercise will help you discuss and document accountability and responsibility for critical ITAM activities.
    • When responsibility and accountability are not currently well documented, it’s often useful to invite a representative of the roles identified to participate in this alignment exercise. The discussion can uncover contrasting views on responsibility and governance, which can help you build a stronger management and governance model.
    • The RACI chart can help you identify who should be involved when making changes to a given activity. Clarify the variety of responsibilities assigned to each key role.
    • In the future, you may need to define roles in more detail as you change your hardware and software asset management procedures.

    R

    Responsible: The person who actually gets the job done.

    Different roles may be responsible for different aspects of the activity relevant to their role.

    A

    Accountable: The one role accountable for the activity (in terms completion, quality, cost, etc.)

    Must have sufficient authority to be held accountable; responsible roles are often accountable to this role.

    C

    Consulted: Must have the opportunity to provide meaningful input at certain points in the activity.

    Typically, subject matter experts or stakeholders. The more people you must consult, the more overhead and time you’ll add to a process.

    I

    Informed: Receives information regarding the task, but has no requirement to provide feedback.

    Information might relate to process execution, changes, or quality.

    2.4 Conduct a RACI Exercise

    1-2 hours

    Input: An understanding of key roles and activities in ITAM practices, An understanding of your organization, High-level structure of your ITAM program

    Output: A RACI diagram for IT asset management

    Materials: The table in the next slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Let’s face it – RACI exercises can be dry. We’ve found that the approach below is more collaborative, engaging, and effective compared to filling out the table as a large group.

    1. Create a shared working copy of the RACI charts on the following slides (e.g. write it out on a whiteboard or provide a link to this document and work directly in it).
    2. Review the list of template roles and activities as a group. Add, change, or remove roles and activities from the table as needed.
    3. Divide into small groups. Assign each group a set of roles, and have them define whether that role is accountable, responsible, consulted, or informed for each activity in the chart. Refer to the previous slide for context on RACI. Give everyone 15 minutes to update their section of the chart.
    4. Come back together as a large group to review the chart. First, check for accountability – there should generally be just one role accountable for each activity. Then, have each small group walk through their section, and encourage participants to ask questions. Is there at least one role responsible for each task, and what are they responsible for? Does everyone listed as consulted or informed really need to be? Make any necessary adjustments.

    Add your results to your copy of the ITAM Strategy Template

    Define ITAM governance activities

    RACI Chart for ITAM governance activities. In the first column is a list of governance activities, and the row headers are positions within a company. Fields are marked with an R, A, C, or I.

    Document asset management responsibilities and accountabilities

    RACI Chart for ITAM asset management responsibilities and accountabilities. In the first column is a list of responsibilities and accountabilities, and the row headers are positions within a company. Fields are marked with an R, A, C, or I.

    Step 2.5: Align ITAM with other Service Management Practices

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Establish shared and separate responsibilities for asset and configuration management.
    • Identify how ITAM can support other practices, and how other practices can support ITAM.

    Asset vs. Configuration

    Asset and configuration management look at the same world through different lenses.
    • IT asset management tends to focus on each IT asset in its own right: assignment or ownership, its lifecycle, and related financial obligations and entitlements.
    • Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations to other CIs.
    • ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they tend use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
    • Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.
    Asset and Configuration Management: An Example

    Configuration Management Database (CMDB)

    A database of uniquely identified configuration items (CIs). Each CI record may include information on:
    Service Attributes

    Supported Service(s)
    Service Description, Criticality, SLAs
    Service Owners
    Data Criticality/Sensitivity

    CI Relationships

    Physical Connections
    Logical Connections
    Dependencies

    Arrow connector.

    Discovery, Normalization, Dependency Mapping, Business Rules*

    Manual Data Entry

    Arrow connector.
    This shared information could be attached to asset records, CI records, or both, and it should be synchronized between the two databases where it’s tracked in both.
    Hardware Information

    Serial, Model and Specs
    Network Address
    Physical Location

    Software Installations

    Hypervisor & OS
    Middleware & Software
    Software Configurations

    Arrow connector.

    Asset Management Database (AMDB)

    A database of uniquely identified IT assets. Each asset record may include information on:
    Procurement/Purchasing

    Purchase Request/Purchase Order
    Invoice and Cost
    Cost Center
    Vendor
    Contracts and MSAs
    Support/Maintenance/Warranties

    Asset Attributes

    Model, Title, Product Info, License Key
    Assigned User
    Lifecycle Status
    Last ITAM Audit Date
    Certificate of Disposal

    Arrows connecting multiple fields.

    IT Security Systems

    Vulnerability Management
    Threat Management
    SIEM
    Endpoint Protection

    IT Service Management (ITSM) System

    Change Tickets
    Request Tickets
    Incident Tickets
    Problem Tickets
    Project Tickets
    Knowledgebase

    Financial System/ERP

    General Ledger
    Accounts Payable
    Accounts Receivable
    Enterprise Assets
    Enterprise Contract Database

    (*Discovery, dependency mapping, and data normalization are often features or modules of configuration management, asset management, or IT service management tools.)

    2.5 Integrate ITAM and configuration practices

    45 minutes

    Input: Knowledge of the organization’s configuration management processes

    Output: Define how ITAM and configuration management will support one another

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Configuration manager

    Work through the table below to identify how you will collaborate and synchronize data across ITAM and configuration management practices and tools.

    What are the goals (if any currently exist) for the configuration management practice? Connect configuration items to services to support service management.
    How will configuration and asset management teams collaborate? Weekly status updates. As-needed working sessions.
    Shared visibility on each others’ Kanban tracker.
    Create tickets to raise and track issues that require collaboration or attention from the other team.
    How can config leverage ITAM? Connect CIs to financial, contractual, and ownership data.
    How can ITAM leverage config? Connect assets to services, changes, incidents.
    What key fields will be primarily tracked/managed by ITAM? Serial number, unique ID, user, location, PO number, …
    What key fields will be primarily tracked/managed by configuration management? Supported service(s), dependencies, service description, service criticality, network address…

    Add your results to your copy of the ITAM Strategy Template

    ITAM supports service management

    Decoupling asset management from other service management practices can result in lost value. Establish how asset management can support other service management practices – and how those practices can support ITAM.

    Incident Management

    What broke?
    Was it under warranty?
    Is there a service contract?
    Was it licensed?
    Who was it assigned to?
    Is it end-of-life?

    ITAM
    Practice

    Request Management

    What can this user request or purchase?
    What are standard hardware and software offerings?
    What does the requester already have?
    Are there items in inventory to fulfil the request?
    Did we save money by reissuing equipment?
    Is this a standard request?
    What assets are being requested regularly?

    What IT assets are related to the known issue?
    What models and vendors are related to the issue?
    Are the assets covered by a service contract?
    Are other tickets related to this asset?
    What end-of-life assets have been tied to incidents recently?

    Problem Management

    What assets are related to the change?
    Is the software properly licensed?
    Has old equipment been properly retired and disposed?
    Have software licenses been returned to the pool?
    Is the vendor support on the change part of a service contract?

    Change Enablement

    2.5. Connect with other IT service practices

    45 minutes

    Input: Knowledge of existing organizational IT service management processes

    Output: Define how ITAM will help other service management processes, and how other service management processes will help ITAM

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Service leads

    Complete the table below to establish what ITAM can provide to other service management practices, and what other practices can provide to ITAM.

    Practice ITAM will help Will help ITAM
    Incident Management Provide context on assets involved in an incident (e.g. ownership, service contracts). Track when assets are involved in incidents (via incident tickets).
    Request Management Oversee request & procurement processes. Help develop asset standards. Enter new assets in ITAM database.
    Problem Management Collect information on assets related to known issues. Report back on models/titles that are generating known issues.
    Change Enablement Provide context on assets for change review. Ensure EOL assets are retired and licenses are returned during changes.
    Capacity Management Identify ownership, location for assets at capacity. Identify upcoming refreshes or purchases.
    Availability Management Connect uptime and reliability to assets. Identify assets that are causing availability issues.
    Monitoring and Event Management Provide context to events with asset data. Notify asset of unrecognized software and hardware.
    Financial Management Establish current and predict future spending. Identify upcoming purchases, renewals.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.6: Evaluate ITAM tools and integrations

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Create a list of the ITAM tools currently in use, how they’re used, and their current limitations.
    • Identify new tools that could provide value to the ITAM practice, and what needs to be done to acquire and implement them.

    “Everything is connected. Nothing is also connected.” (Dirk Gently’s Holistic Detective Agency)

    Establish current strengths and gaps in your ITAM toolset

    ITAM data quality relies on tools and integrations that are managed by individuals or teams who don’t report directly to the ITAM function.

    Without direct line of sight into tools management, the ITAM team must influence rather than direct improvement initiatives that are in some cases critical to the performance of the ITAM function. To more effectively influence improvement efforts, you must explicitly identify what you need, why you need it, from which tools, and from which stakeholders.

    Data Sources
    Procurement Tools
    Discovery Tools
    Active Directory
    Purchase Documents
    Spreadsheets
    Input To Asset System(s) of Record
    ITAM Database
    ITSM Tool
    CMDB
    Output To Asset Data Consumption
    ITFM Tools
    Security Tools
    TEM Tools
    Accounting Tools
    Spreadsheets
    “Active Directory plays a huge role in audit defense and self-assessment, but no-one really goes out there and looks at Active Directory.

    I was talking to one organization that has 1,600,000 AD records for 100,000 employees.” (Mike Austin, Founder, MetrixData 360)

    2.6 Evaluate ITAM existing technologies

    30 minutes

    Input: Knowledge of existing ITAM tools

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Identify the use, limitations, and next steps for existing ITAM tools, including those not directly managed by the ITAM team.

    1. What tools do we have today?
    2. What are they used for? What are their limitations?
    3. Who manages them?
    4. What actions could we take to maximize the value of the tools?
    Existing Tool Use Constraints Owner Proposed Action?
    ITAM Module
    • Track HW/SW
    • Connect assets to incident, request
    • Currently used for end-user devices only
    • Not all divisions have access
    • SAM capabilities are limited
    ITAM Team/Service Management
    • Add license for additional read/write access
    • Start tracking infra in this tool
    Active Directory
    • Store user IDs, organizational data
    Major data quality issues IT Operations
    • Work with AD team to identify issues creating data issues

    Add your results to your copy of the ITAM Strategy Template

    2.6 Identify potential new tools

    30 minutes

    Input: Knowledge of tooling gaps, An understanding of available tools that could remediate gaps

    Output: New tools that can improve ITAM capabilities, including expected value and proposed next steps

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Identify tools that are required to support the identified goals of the ITAM practice.

    1. What types of tools do we need that we don’t have?
    2. What could these tools help us do?
    3. What needs to be done next to investigate or acquire the appropriate tool?
    New Tool Expected Value Proposed Next Steps
    SAM tool
    • Automatically calculate licensing entitlements from contract data.
    • Automatically calculate licensing requirements from discovery data.
    • Support gap analyses.
    • Further develop software requirements.
    • Identify vendors in the space and create a shortlist.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.7: Create a plan for internal and external audits

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Establish your approach to internal data audits.
    • Create a high-level response plan for external audits.

    Validate ITAM data via internal audits

    Data audits provide assurance that the records in the ITAM database are as accurate as possible. Consider these three approaches:

    Compare Tool Records

    Audit your data by comparing records in the ITAM system to other discovery sources.

    • Ideally, use three separate data sources (e.g. ITAM database, discovery tool, security tool). Use a common field, such as the host name, to compare across fields. (To learn more about discovery tool analysis, see Jeremy Boerger’s book, Rethinking IT Asset Management.)
    • Run reports to compare records and identify discrepancies. This could include assets missing from one system or metadata differences such as different users or installed software.
    • Over time, discrepancies between tools should be well understood and accepted; otherwise, they should be addressed and remediated.
    IT-led Audit

    Conduct a hands-on investigation led by ITAM staff and IT technicians.

    • In-person audits require significant effort and resources. Each audit should be scoped and planned ahead of time to focus on known problem areas.
    • Provide the audit team with exact instructions on what needs to be verified and recorded. Depending on the experience and attention to detail of the audit team, you may need to conduct spot checks to ensure you’re catching any issues in the audit process itself.
    • Automation should be used wherever possible (e.g. through barcodes, scanners, and tables for quick access to ITAM records).
    User-led audit

    Have users validate the IT assets assigned to them.

    • Even more than IT-led audits: don’t use this approach too frequently; keep the scope as narrow as possible and the process as simple as possible.
    • Ensure users have all the information and tools they’ll need readily available to complete this task, or the result will be ineffective and will only frustrate your users.
    • Consider a process integrated with your ITSM tool: once a year, when a user logs in to the portal, they will be asked to enter the asset code for their laptop (and provided with instructions on where to find that code). Investigate discrepancies between assignments and ITAM records.

    2.7 Set an approach to internal data audits

    30 minutes

    Input: An understanding of current data audit capabilities and needs

    Output: An outline of how you’ll approach data audits, including frequency, scope, required resources

    Materials: Your copy of the ITAM Strategy Template

    Participants: ITAM team

    Review the three internal data audit approaches outlined on the previous slide, and identify which of the three approaches you’ll use. For each approach, complete the fields in the table below.

    Audit Approach How often? What scope? Who’s involved? Comments
    Compare tool records Monthly Compare ITAM DB, Intune/ConfigMgr, and Vulnerability Scanner Data; focus on end-user devices to start Asset manager will lead at first.
    Work with tool admins to pull data and generate reports.
    IT-led audit Annual End-user devices at a subset of locations Asset manager will work with ITSM admins to generate reports. In-person audit to be conducted by local techs.
    User-led audit Annual Assigned personal devices (start with a pilot group) Asset coordinator to develop procedure with ITSM admin. Run pilot with power users first.

    Add your results to your copy of the ITAM Strategy Template

    Prepare for and respond to external audits and true-ups

    Are you ready when software vendors come knocking?

    • Vendor audits are expensive.
    • If you’re out of compliance, you will at minimum be required to pay the missing license fees. At their discretion, vendors may choose to add punitive fees and require you to cover the hourly cost of their audit teams. If you choose not to pay, the vendor could secure an injunction to cut off your service, which in many cases will be far more costly than the fines. And this is aside from the intangible costs of the disruption to your business and damaged relationships between IT, ITAM, your business, and other partners.
    • Having a plan to respond to an audit is critical to reducing audit risk. Preparation will help you coordinate your audit response, ensure the audit happens on the most favorable possible terms, and even prevent some audits from happening in the first place.
    • The best defense, as they say, is a good offense. Good ITAM and SAM processes will allow you to track acquisition, allocation, and disposal of software licenses; understand your licensing position; and ensure you remain compliant whenever possible. The vendor has no reason to audit you when there’s nothing to find.
    • Know when and where your audit risk is greatest, so you can focus your resources where they can deliver the most value.
    “If software audits are a big part of your asset operations, you have problems. You can reduce the time spent on audits and eliminate some audits by having a proactive ITAM practice.” (Sandi Conrad, Principal Research Director)

    Info-Tech Insight

    Audit defense starts long before you get audited. For an in-depth review of your audit approach, see Info-Tech’s Prepare and Defend Against a Software Audit.

    Identify areas of higher audit risk

    Watch for these warning signs
    • Your organization is visibly fighting fires. Signs of disorder may signal to vendors that there are opportunities to exploit via an audit. Past audit failures make future audits more likely.
    • You are looking for ways to decrease spend. Vendors may counter attempts to true-down licensing by launching an audit to try to find unlicensed software that provides them leverage to negotiate maintained or even increased spending.
    • Your license/contract terms with the vendor are particularly complex or highly customized. Very complex terms may make it harder to validate your own compliance, which may present opportunities to the vendor in an audit.
    • The vendor has earned a reputation for being particularly aggressive with audits. Some vendors include audits as a standard component of their business model to drive revenue. This may include acquiring smaller vendors or software titles that may not have been audit-driven in the past, and running audits on their new customer base.

    “The reality is, software vendors prey on confusion and complication. Where there’s confusion, there’s opportunity.” (Mike Austin, Founder, MetrixData 360)

    Develop an audit response plan

    You will be on the clock once the vendor sends you an audit request. Have a plan ready to go.
    • Don’t panic: Resist knee-jerk reactions. Follow the plan.
    • Form an audit response team and centralize your response: This team should be led by a member of the ITAM group, and it should include IT leadership, software SMEs, representatives from affected business areas, vendor management, contract management, and legal. You may also need to bring on a contractor with deep expertise with the vendor in question to supplement your internal capabilities. Establish clearly who will be the point of contact with the vendor during the audit.
    • Clarify the scope of the audit: Clearly establish what the audit will cover – what products, subsidiaries, contracts, time periods, geographic regions, etc. Manage the auditors to prevent scope creep.
    • Establish who covers audit costs: Vendors may demand the auditee cover the hourly cost of their audit team if you’re significantly out of compliance. Consider asking the vendor to pay for your team’s time if you’re found to be compliant.
    • Know your contract: Vendors’ contracts change over time, and it’s no guarantee that even your vendor’s licensing experts will be aware of the rights you have in your contract. You must know your entitlements to negotiate effectively.
    1. Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
    2. Acknowledge receipt of audit notice.
    3. Negotiate timing and scope of the audit.
    4. Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
    5. Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
    6. Compare entitlements to installed software.
    7. Investigate any anomalies (e.g. unexpected or non-compliant software).
    8. Review results with the audit response team.

    2.7 Clarify your vendor audit response plan

    1 hour

    Input: Organizational knowledge on your current audit response procedures

    Output: Audit response team membership, High-level audit checklist, A list of things to start, stop, and continue doing as part of the audit response

    Materials: Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    1. Who’s on the audit response team, and what’s their role? Who will lead the team? Who will be the point of contact with the auditor?
    2. What are the high-level steps in our audit response workflow? Use the example checklist below as a starting point.
    3. What do we need to start, stop, and continue doing in response to audit requests?

    Example Audit Checklist

    • Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
    • Acknowledge receipt of audit notice.
    • Negotiate timing and scope of the audit.
    • Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
    • Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
    • Compare entitlements to installed software.
    • Investigate any anomalies (e.g. unexpected or non-compliant software).
    • Review results with the audit response team.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.8: Improve budget processes

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Identify what you need to start, stop, and continue to do to support budgeting processes.

    Improve budgeting and forecasting

    Insert ITAM into budgeting processes to deliver significant value.

    Some examples of what ITAM can bring to the budgeting table:
    • Trustworthy data on deployed assets and spending obligations tied to those assets.
    • Projections of hardware due for replacement in terms of quantity and spend.
    • Knowledge of IT hardware and software contract terms and pricing.
    • Lists of unused or underused hardware and software that could be redeployed to avoid spend.
    • Comparisons of spend year-over-year.

    Being part of the budgeting process positions ITAM for success in other ways:

    • Helps demonstrate the strategic value of the ITAM practice.
    • Provides insight into business and IT strategic projects and priorities for the year.
    • Strengthens relationships with key stakeholders, and positions the ITAM team as trusted partners.

    “Knowing what you have [IT assets] is foundational to budgeting, managing, and optimizing IT spend.” (Dave Kish, Info-Tech, Practice Lead, IT Financial Management)

    Stock image of a calculator.

    2.8 Build better budgets

    20 minutes

    Input: Context on IT budgeting processes

    Output: A list of things to start, stop, and continue doing as part of budgeting exercises

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    What should we start, stop, and continue doing to support organizational budgeting exercises?

    Start Stop Continue
    • Creating buckets of spend and allocating assets to those buckets.
    • Zero-based review on IaaS instances quarterly.
    • Develop dashboards plugged into asset data for department heads to view allocated assets and spend.
    • Create value reports to demonstrate hard savings as well as cost avoidance.
    • Waiting for business leaders to come to us for help (start reaching out with reports proactively, three months before budget cycle).
    • % increases on IT budgets without further review.
    • Monthly variance budget analysis.
    • What-if analysis for asset spend based on expected headcount increases.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.9: Establish a documentation framework

    Participants

    • Project sponsor and lead facilitator
    • ITAM team

    Outcomes

    • Identify key documentation and gaps in your documentation.
    • Establish where documentation should be stored, who should own it, who should have access, and what should trigger a review.

    Create ITAM documentation

    ITAM documentation will typically support governance or operations.

    Long-term planning and governance
    • ITAM policy and/or related policies (procurement policy, security awareness policy, acceptable use policy, etc.)
    • ITAM strategy document
    • ITAM roadmap or burndown list
    • Job descriptions
    • Functional requirements documents for ITAM tools

    Operational documentation

    • ITAM SOPs (hardware, software) and workflows
    • Detailed work instructions/knowledgebase articles
    • ITAM data/records
    • Contracts, purchase orders, invoices, MSAs, SOWs, etc.
    • Effective Licensing Position (ELP) reports
    • Training and communication materials
    • Tool and integration documentation
    • Asset management governance, operations, and tools typically generate a lot of documentation.
    • Don’t create documentation for the sake of documentation. Prioritize building and maintaining documentation that addresses major risks or presents opportunities to improve the consistency and reliability of key processes.
    • Maximize the value of ITAM documentation by ensuring it is as current, accessible, and usable as it needs to be.
    • Clearly identify where documentation is stored and who should have access to it.
    • Identify who is accountable for the creation and maintenance of key documentation, and establish triggers for reviews, updates, and changes.

    Consider ITAM policies

    Create policies that can and will be monitored and enforced.
    • Certain requirements of the ITAM practice may need to be backed up by corporate policies: formal statements of organizational expectations that must be recognized by staff, and which will lead to sanctions/penalties if breached.
    • Some organizations will choose to create one or more ITAM-specific policies. Others will include ITAM-related statements in other existing policies, such as acceptable use policies, security training and awareness policies, procurement policies, configuration policies, e-waste policies, and more.
    • Ensure that you are prepared to monitor compliance with policies and evenly enforce breaches of policy. Failing to consistently enforce your policies exposes you and your organization to claims of negligence or discriminatory conduct.
    • For a template for ITAM-specific policies, see Info-Tech’s policy templates for Hardware Asset Management and Software Asset Management.

    2.9 Establish documentation gaps

    15-30 minutes

    Input: An understanding of existing documentation gaps and risks

    Output: Documentation gaps, Identified owners, repositories, access rights, and review/update protocols

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, Optional: IT managers, ITAM business partners

    Discuss and record the following:

    • What planning/governance, operational, and tooling documentation do we still need to create? Who is accountable for the creation and maintenance of these documents?
    • Where will the documentation be stored? Who can access these documents?
    • What will trigger reviews or changes to the documents?
    Need to Create Owner Stored in Accessible by Trigger for review
    Hardware asset management SOP ITAM manager ITAM SharePoint site › Operating procedures folder
    • All IT staff
    • Annual review
    • As-needed for major tooling changes that require a documentation update

    Add your results to your copy of the ITAM Strategy Template

    Step 2.10: Create a roadmap and communication plan

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • A timeline of key ITAM initiatives.
    • Improvement ideas aligned to key initiatives.
    • A communication plan tailored to key stakeholders.
    • Your ITAM Strategy document.

    “Understand that this is a journey. This is not a 90-day project. And in some organizations, these journeys could be three or five years long.” (Mike Austin, MetrixData 360)

    2.10 Identify key ITAM initiatives

    30-45 minutes

    Input: Organizational strategy documents

    Output: A roadmap that outlines next steps

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Project sponsor

    1. Identify key initiatives that are critical to improving practice maturity and meeting business goals.
    2. There should only be a handful of really key initiatives. This is the work that will have the greatest impact on your ability to deliver value. Too many initiatives muddy the narrative and can distract from what really matters.
    3. Plot the target start and end dates for each initiative in the business and IT transformation timeline you created in Phase 1.
    4. Review the chart and consider – what new capabilities should the ITAM practice have once the identified initiatives are complete? What transformational initiatives will you be better positioned to support?

    Add your results to your copy of the ITAM Strategy Template

    Transformation Timeline

    Example transformation timeline with row headers 'Business Inititiaves', 'IT Initiatives', and 'ITAM Initiatives'. Each initiative is laid out along the timeline appropriately.

    2.10 Align improvement ideas to initiatives

    45 minutes

    Input: Key initiatives, Ideas for ITAM improvement collected over the course of previous exercises

    Output: Concrete action items to support each initiative

    Materials: The table in the next slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Project sponsor

    As you’ve been working through the previous exercises, you have been tracking ideas for improvement – now we’ll align them to your roadmap.

    1. Review the list of ideas for improvement you’ve produced over the working sessions. Consolidate the list – are there any ideas that overlap or complement each other? Record any new ideas. Frame each idea as an action item – something you can actually do.
    2. Connect the action items to initiatives. It may be that not every action item becomes part of a key initiative. (Don’t lose ideas that aren’t part of key initiatives – track them in a separate burndown list or backlog.)
    3. Identify a target completion date and owner for each action item that’s part of an initiative.

    Add your results to your copy of the ITAM Strategy Template

    Example ITAM initiatives

    Initiative 1: Develop hardware/software standards
    Task Target Completion Owner
    Laptop standards Q1-2023 ITAM manager
    Identify/eliminate contracts for unused software using scan tool Q2-2023 ITAM manager
    Review O365 license levels and standard service Q3-2023 ITAM manager

    Initiative 2: Improve ITAM data quality
    Task Target Completion Owner
    Implement scan agent on all field laptops Q3-2023 Desktop engineer
    Conduct in person audit on identified data discrepancies Q1-2024 ITAM team
    Develop and run user-led audit Q1-2024 Asset manager

    Initiative 3: Acquire & implement a new ITAM tool
    Task Target Completion Owner
    Select an ITAM tool Q3-2023 ITAM manager
    Implement ITAM tool, incl. existing data migration Q1-2024 ITAM manager
    Training on new tool Q1-2024 ITAM manager
    Build KPIs, executive dashboards in new tool Q2-2024 Data analyst
    Develop user-led audit functionality in new tool Q3-2024 ITAM coordinator

    2.10 Create a communication plan

    45 minutes

    Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

    Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: IT asset manager, Project sponsor

    Develop clear, consistent, and targeted messages to key ITAM stakeholders.

    1. Modify the list of stakeholders in the first column.
    2. What benefits should those stakeholders realize from ITAM? What impact may the proposed improvements have on them? Refer back to exercises from Phase 1, where you identified key stakeholders, their priorities, and how ITAM could help them.
    3. Identify communication channels (in-person, email, all-hands meeting, etc.) and timing – when you’ll distribute the message. You may choose to use more than one channel, and you may need to convey the message more than once.
    Group ITAM Benefits Impact Channel(s) Timing
    CFO
    • More accurate IT spend predictions
    • Better equipment utilization and value for money
    • Sponsor integration project between ITAM DB and financial system
    • Support procurement procedures review
    Face-to-face – based on their availability Within the next month
    CIO
    • Better oversight into IT spend
    • Data to help demonstrate IT value
    • Resources required to support tool and ITAM process improvements
    Standing bi-monthly 1:1 meetings Review strategy at next meeting
    IT Managers
    Field Techs

    Add your results to your copy of the ITAM Strategy Template

    2.10 Put the final touches on your ITAM Strategy

    30 minutes

    Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

    Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: IT asset manager, Project sponsor

    You’re almost done! Do a final check of your work before you send a copy to your participants.

    1. Summarize in three points the key findings from the activities you’ve worked through. What have you learned? What are your priorities? What key message do you need to get across? Add these to the appropriate slide near the start of the ITAM Strategy Template.
    2. What are your immediate next steps? Summarize no more than five and add them to the appropriate slide near the start of the ITAM Strategy Template.
      1. Are you asking for something? Approval for ITAM initiatives? Funding? Resources? Clearly identify the ask as part of your next steps.
    3. Are the KPIs identified in Phase 1 still valid? Will they help you monitor for success in the initiatives you’ve identified in Phase 2? Make any adjustments you think are required to the KPIs to reflect the additional completed work.

    Add your results to your copy of the ITAM Strategy Template

    Research Contributors and Experts

    Kylie Fowler
    Principal Consultant
    ITAM Intelligence

    Kylie is an experienced ITAM/FinOps consultant with a track record of creating superior IT asset management frameworks that enable large companies to optimize IT costs while maintaining governance and control.

    She has operated as an independent consultant since 2009, enabling organizations including Sainsbury's and DirectLine Insurance to leverage the benefits of IT asset management and FinOps to achieve critical business objectives. Recent key projects include defining an end-to-end SAM strategy, target operating model, policies and processes which when implemented provided a 300% ROI.

    She is passionate about supporting businesses of all sizes to drive continuous improvement, reduce risk, and achieve return on investment through the development of creative asset management and FinOps solutions.

    Rory Canavan
    Owner and Principal Consultant
    SAM Charter

    Rory is the founder, owner, and principal consultant of SAM Charter, an internationally recognized consultancy in enterprise-wide Software & IT Asset Management. As an industry leader, SAM Charter is uniquely poised to ensure your IT & SAM systems are aligned to your business requirements.

    With a technical background in business and systems analysis, Rory has a wide range of first-hand experience advising numerous companies and organizations on the best practices and principles pertaining to software asset management. This experience has been gained in both military and civil organizations, including the Royal Navy, Compaq, HP, the Federation Against Software Theft (FAST), and several software vendors.

    Research Contributors and Experts

    Jeremy Boerger
    Founder, Boerger Consulting
    Author of Rethinking IT Asset Management

    Jeremy started his career in ITAM fighting the Y2K bug at the turn of the 21st century. Since then, he has helped companies in manufacturing, healthcare, banking, and service industries build and rehabilitate hardware and software asset management practices.

    These experiences prompted him to create the Pragmatic ITAM method, which directly addresses and permanently resolves the fundamental flaws in current ITAM and SAM implementations.

    In 2016, he founded Boerger Consulting, LLC to help business leaders and decision makers fully realize the promises a properly functioning ITAM can deliver. In his off time, you will find him in Cincinnati, Ohio, with his wife and family.

    Mike Austin
    Founder and CEO
    MetrixData 360

    Mike Austin leads the delivery team at MetrixData 360. Mike brings more than 15 years of Microsoft licensing experience to his clients’ projects. He assists companies, from Fortune 500 to organizations with as few as 500 employees, with negotiations of Microsoft Enterprise Agreements (EA), Premier Support Contracts, and Select Agreements. In addition to helping negotiate contracts, he helps clients build and implement software asset management processes.

    Previously, Mike was employed by Microsoft for more than 8 years as a member of the global sales team. With Microsoft, Mike successfully negotiated more than a billion dollars in new and renewal EAs. Mike has also negotiated legal terms and conditions for all software agreements, developed Microsoft’s best practices for global account management, and was awarded Microsoft’s Gold Star Award in 2003 and Circle of Excellence in 2008 for his contributions.

    Bibliography

    “Asset Management.” SFIA v8. Accessed 17 March 2022.

    Boerger, Jeremy. Rethinking IT Asset Management. Business Expert Press, 2021.

    Canavan, Rory. “C-Suite Cheat Sheet.” SAM Charter, 2021. Accessed 17 March 2022.

    Fisher, Matt. “Metrics to Measure SAM Success.” Snow Software, 26 May 2015. Accessed 17 March 2022.

    Flexera (2021). “State of ITAM Report.” Flexera, 2021. Accessed 17 March 2022.

    Fowler, Kylie. “ITAM by design.” BCS, The Chartered Institute for IT, 2017. Accessed 17 March 2022.

    Fowler, Kylie. “Ch-ch-ch-changes… Is It Time for an ITAM Transformation?” ITAM Intelligence, 2021. Web. Accessed 17 March 2022.

    Fowler, Kylie. “Do you really need an ITAM policy?” ITAM Accelerate, 15 Oct. 2021. Accessed 17 March 2022.

    Hayes, Chris. “How to establish a successful, long-term ITAM program.” Anglepoint, Sept. 2021. Accessed 17 March 2022.

    ISO/IEC 19770-1-2017. IT Asset Management Systems – Requirements. Third edition. ISO, Dec 2017.

    Joret, Stephane. “IT Asset Management: ITIL® 4 Practice Guide”. Axelos, 2020.

    Jouravlev, Roman. “IT Service Financial Management: ITIL® 4 Practice Guide”. Axelos, 2020.

    Pagnozzi, Maurice, Edwin Davis, Sam Raco. “ITAM Vs. ITSM: Why They Should Be Separate.” KPMG, 2020. Accessed 17 March 2022.

    Rumelt, Richard. Good Strategy, Bad Strategy. Profile Books, 2013.

    Stone, Michael et al. “NIST SP 1800-5 IT Asset Management.” Sept, 2018. Accessed 17 March 2022.

    AI Trends 2023

    • Buy Link or Shortcode: {j2store}207|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy

    As AI technologies are constantly evolving, organizations are looking for AI trends and research developments to understand the future applications of AI in their industries.

    Our Advice

    Critical Insight

    • Understanding trends and the focus of current and future AI research helps to define how AI will drive an organization’s new strategic opportunities.
    • Understanding the potential application of AI and its promise can help plan the future investments in AI-powered technologies and systems.

    Impact and Result

    Understanding AI trends and developments enables an organization’s competitive advantage.

    AI Trends 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. AI Trends 2023 – An overview of trends that will continue to drive AI innovation.

    • AI Trends Report 2023
    [infographic]

    Further reading

    AI Trends Report 2023

    The eight trends:

    1. Design for AI
    2. Event-Based Insights
    3. Synthetic Data
    4. Edge AI
    5. AI in Science and Engineering
    6. AI Reasoning
    7. Digital Twin
    8. Combinatorial Optimization
    Challenges that slowed the adoption of AI

    To overcome the challenges, enterprises adopted different strategies

    Data Readiness

    • Lack of unified systems and unified data
    • Data quality issues
    • Lack of the right data required for machine learning
    • Improve data management capabilities, including data governance and data initiatives
    • Create data catalogs
    • Document data and information architecture
    • Solve data-related problems including data quality, privacy, and ethics

    ML Operations Capabilities

    • Lack of tools, technologies, and methodologies to operationalize models created by data scientists
    • Increase availability of cloud platforms, tools, and capabilities
    • Develop and grow machine learning operations (MLOps) tools, platforms, and methodologies to enable model operationalizing and monitoring in production

    Understanding of AI Role and Its Business Value

    • Lack of understanding of AI use cases – how AI/ML can be applied to solve specific business problems
    • Lack of understanding how to define the business value of AI investments
    • Identify AI C-suite toolkits (for example, Empowering AI Leadership from the World Economic Forum, 2022)
    • Document industry use cases
    • Use frameworks and tools to define business value for AI investments

    Design for AI

    Sustainable AI system design needs to consider several aspects: the business application of the system, data, software and hardware, governance, privacy, and security.

    It is important to define from the beginning how AI will be used by and for the application to clearly articulate business value, manage expectations, and set goals for the implementation.

    Design for AI will change how we store and manage data and how we approach the use of data for development and operation of AI systems.

    An AI system design approach should cover all stages of AI lifecycle, from design to maintenance. It should also support and enable iterative development of an AI system.

    To take advantage of different tools and technologies for AI system development, deployment, and monitoring, the design of an AI system should consider software and hardware needs and design for seamless and efficient integrations of all components of the system and with other existing systems within the enterprise.

    AI in Science and Engineering

    AI helps sequence genomes to identify variants in a person’s DNA that indicate genetic disorders. It allows researchers to model and calculate complicated physics processes, to forecast the genesis of the universe’s structure, and to understand planet ecosystem to help advance the climate research. AI drives advances in drug discovery and can assist with molecule synthesis and molecular property identification.

    AI finds application in all areas of science and engineering. The role of AI in science will grow and allow scientists to innovate faster.

    AI will further contribute to scientific understanding by assisting scientists in deriving new insights, generating new ideas and connections, generalizing scientific concepts, and transferring them between areas of scientific research.

    Using synthetic data and combining physical and machine learning models and other advances of AI/ML – such as graphs, use of unstructured data (language models), and computer vision – will accelerate the use of AI in science and engineering.

    Event- and Scenario-Driven AI

    AI-driven signal-gathering systems analyze a continuous stream of data to generate insights and predictions that enable strategic decision modeling and scenario planning by providing understanding of how and what areas of business might be impacted by certain events.

    AI enables the scenario-based approach to drive insights through pattern identification in addition to familiar pattern recognition, helping to understand how events are related.

    A system with anticipatory capabilities requires an event-driven architecture that enables gathering and analyzing different types of data (text, video, images) across multiple channels (social media, transactional systems, news feeds, etc.) for event-driven and event-sequencing modeling.

    ML simulation-based training of the model using advanced techniques under the umbrella of Reinforcement Learning in conjunction with statistically robust Bayesian probabilistic framework will aid in setting up future trends in AI.

    AI Reasoning

    Most of the applications of machine learning and AI today is about predicting future behaviors based on historical data and past behaviors. We can predict what product the customer would most likely buy or the price of a house when it goes on sale.

    Most of the current algorithms use the correlation between different parameters to make a prediction, for example, the correlation between the event and the outcome can look like “When X occurs, we can predict that Y will occur.” This, however, does not translate into “Y occurred because of X.”

    The development of a causal AI that uses causal inference to reason and identify the root cause and the causal relationships between variables without mistaking correlation and causation is still in its early stages but rapidly evolving.

    Some of the algorithms that the researchers are working with are casual graph models and algorithms that are at the intersection of causal inference with decision making and reinforcement learning (Causal Artificial Intelligence Lab, 2022).

    Synthetic Data

    Synthetic data is artificially generated data that mimics the structure of real-life data. It should also have the same mathematical and statistical properties as the real-world data that it is created to replicate.

    Synthetic data is used to train machine learning models when there is not enough real data or the existing data does not meet specific needs. It allows users to remove contextual bias from data sets containing personal data, prevent privacy concerns, and ensure compliance with privacy laws and regulations.

    Another application of synthetic data is solving data-sharing challenges.

    Researchers learned that quite often synthetic data sets outperform real-world data. Recently, a team of researchers at MIT built a synthetic data set of 150,000 video clips capturing human actions and used that data set to train the model. The researchers found that “the synthetically trained models performed even better than models trained on real data for videos that have fewer background objects” (MIT News Office, 2022).

    Today, synthetic data is used in language systems, in training self-driving cars, in improving fraud detection, and in clinical research, just to name a few examples.

    Synthetic data opens the doors for innovation across all industries and applications of AI by enabling access to data for any scenario and technology and business needs.

    Digital Twins

    Digital twins (DT) are virtual replicas of physical objects, devices, people, places, processes, and systems. In Manufacturing, almost every product and manufacturing process can have a complete digital replica of itself thanks to IoT, streaming data, and cheap cloud storage.

    All this data has allowed for complex simulations of, for example, how a piece of equipment will perform over time to predict future failures before they happen, reducing costly maintenance and extending equipment lifetime.

    In addition to predictive maintenance, DT and AI technologies have enabled organizations to design and digitally test complex equipment such as aircraft engines, trains, offshore oil platforms, and wind turbines before physically manufacturing them. This helps to improve product and process quality, manufacturing efficiency, and costs. DT technology also finds applications in architecture, construction, energy, infrastructure industries, and even retail.

    Digital twins combined with the metaverse provide a collaborative and interactive environment with immersive experience and real-time physics capabilities (as an example, Siemens presented an Immersive Digital Twin of a Plant at the Collision 2022 conference).

    Future trends include enabling autonomous behavior of a DT. An advanced DT can replicate itself as it moves into several devices, hence requiring the autonomous property. Such autonomous behavior of the DT will in turn influence the growth and further advancement of AI.

    Edge AI

    A simple definition for edge AI: A combination of edge computing and artificial intelligence, it enables the deployment of AI applications in devices of the physical world, in the field, where the data is located, such as IoT devices, devices on the manufacturing floor, healthcare devices, or a self-driving car.

    Edge AI integrates AI into edge computing devices for quicker and improved data processing and smart automation.

    The main benefits of edge AI include:

    • Real-time data processing capabilities to reduce latency and enable near real-time analytics and insights.
    • Reduced cost and bandwidth requirements as there is no need to transfer data to the cloud for computing.
    • Increased data security as the data is processed locally, on the device, reducing the risk of loss of sensitive data.
    • Improved automation by training machines to perform automated tasks.

    Edge AI is already used in a variety of applications and use cases including computer vision, geospatial intelligence, object detection, drones, and health monitoring devices.

    Combinatorial Optimization

    “Combinatorial optimization is a subfield of mathematical optimization that consists of finding an optimal object from a finite set of objects” (Wikipedia, retrieved December 2022).

    Applications of combinatorial optimization include:

    • Supply chain optimization
    • Scheduling and logistics, for example, vehicle routing where the trucks are making stops for pickup and deliveries
    • Operations optimization

    Classical combinatorial optimization (CO) techniques were widely used in operations research and played a major role in earlier developments of AI.

    The introduction of deep learning algorithms in recent years allowed researchers to combine neural network and conventional optimization algorithms; for example, incorporating neural combinatorial optimization algorithms in the conventional optimization framework. Researchers confirmed that certain combinations of these frameworks and algorithms can provide significant performance improvements.

    The research in this space continues and we look forward to learning how machine learning and AI (backtracking algorithms, reinforcement learning, deep learning, graph attention networks, and others) will be used for solving challenging combinatorial and decision-making problems.

    References

    “AI Can Power Scenario Planning for Real-Time Strategic Insights.” The Wall Street Journal, CFO Journal, content by Deloitte, 7 June 2021. Accessed 11 Dec. 2022.
    Ali Fdal, Omar. “Synthetic Data: 4 Use Cases in Modern Enterprises.” DATAVERSITY, 5 May 2022. Accessed
    11 Dec. 2022.
    Andrews, Gerard. “What Is Synthetic Data?” NVIDIA, 8 June 2021. Accessed 11 Dec. 2022.
    Bareinboim, Elias. “Causal Reinforcement Learning.” Causal AI, 2020. Accessed 11 Dec. 2022.
    Bengio, Yoshua, Andrea Lodi, and Antoine Prouvost. “Machine learning for combinatorial optimization: A methodological tour d’horizon.” European Journal of Operational Research, vol. 290, no. 2, 2021, pp. 405-421, https://doi.org/10.1016/j.ejor.2020.07.063. Accessed 11 Dec. 2022.
    Benjamins, Richard. “Four design principles for developing sustainable AI applications.” Telefónica S.A., 10 Sept. 2018. Accessed on 11 Dec. 2022.
    Blades, Robin. “AI Generates Hypotheses Human Scientists Have Not Thought Of.” Scientific American, 28 October 2021. Accessed 11 Dec. 2022.
    “Combinatorial Optimization.” Wikipedia article, Accessed 11 Dec. 2022.
    Cronholm, Stefan, and Hannes Göbel. “Design Principles for Human-Centred Artificial Intelligence.” University of Borås, Sweden, 11 Aug. 2022. Accessed on 11 Dec. 2022
    Devaux, Elise. “Types of synthetic data and 4 real-life examples.” Statice, 29 May 2022. Accessed 11 Dec. 2022.
    Emmental, Russell. “A Guide to Causal AI.” ITBriefcase, 30 March 2022. Accessed 11 Dec. 2022.
    “Empowering AI Leadership: AI C-Suite Toolkit.” World Economic Forum, 12 Jan. 2022. Accessed 11 Dec 2022.
    Falk, Dan. “How Artificial Intelligence Is Changing Science.” Quanta Magazine, 11 March 2019. Accessed 11 Dec. 2022.
    Fritschle, Matthew J. “The Principles of Designing AI for Humans.” Aumcore, 17 Aug. 2018. Accessed 8 Dec. 2022.
    Garmendia, Andoni I., et al. Neural Combinatorial Optimization: a New Player in the Field.” IEEE, arXiv:2205.01356v1, 3 May 2022. Accessed 11 Dec. 2022.
    Gülen, Kerem. “AI Is Revolutionizing Every Field and Science is no Exception.” Dataconomy Media GmbH, 9 Nov. 9, 2022. Accessed 11 Dec. 2022
    Krenn, Mario, et al. “On scientific understanding with artificial intelligence.” Nature Reviews Physics, vol. 4, 11 Oct. 2022, pp. 761–769. https://doi.org/10.1038/s42254-022-00518-3. Accessed 11 Dec. 2022.
    Laboratory for Information and Decision Systems. “The real promise of synthetic data.” MIT News, 16 Oct. 2020. Accessed 11 Dec. 2022.
    Lecca, Paola. “Machine Learning for Causal Inference in Biological Networks: Perspectives of This Challenge.” Frontiers, 22 Sept. 2021. Accessed 11 Dec. 2022. Mirabella, Lucia. “Digital Twin x Metaverse: real and virtual made easy.” Siemens presentation at Collision 2022 conference, Toronto, Ontario. Accessed 11 Dec. 2022. Mitchum, Rob, and Louise Lerner. “How AI could change science.” University of Chicago News, 1 Oct. 2019. Accessed 11 Dec. 2022.
    Okeke, Franklin. “The benefits of edge AI.” TechRepublic, 22 Sept. 2022, Accessed 11 Dec. 2022.
    Perlmutter, Nathan. “Machine Learning and Combinatorial Optimization Problems.” Crater Labs, 31 July 31, 2019. Accessed 11 Dec. 2022.
    Sampson, Ovetta. “Design Principles for a New AI World.” UX Magazine, 6 Jan. 2022. Accessed 11 Dec. 2022.
    Sgaier, Sema K., Vincent Huang, and Grace Charles. “The Case for Causal AI.” Stanford Social Innovation Review, Summer 2020. Accessed 11 Dec. 2022.
    “Synthetic Data.” Wikipedia article, Accessed 11 Dec. 2022.
    Take, Marius, et al. “Software Design Patterns for AI-Systems.” EMISA Workshop 2021, CEUR-WS.org, Proceedings 30. Accessed 11 Dec. 2022.
    Toews, Rob. “Synthetic Data Is About To Transform Artificial Intelligence.” Forbes, 12 June 2022. Accessed
    11 Dec. 2022.
    Zewe, Adam. “In machine learning, synthetic data can offer real performance improvements.” MIT News Office, 3 Nov. 2022. Accessed 11 Dec. 2022.
    Zhang, Junzhe, and Elias Bareinboim. “Can Humans Be out of the Loop?” Technical Report, Department of Computer Science, Columbia University, NY, June 2022. Accessed 11 Dec. 2022.

    Contributors

    Irina Sedenko Anu Ganesh Amir Feizpour David Glazer Delina Ivanova

    Irina Sedenko

    Advisory Director

    Info-Tech

    Anu Ganesh

    Technical Counselor

    Info-Tech

    Amir Feizpour

    Co-Founder & CEO

    Aggregate Intellect Inc.

    David Glazer

    VP of Analytics

    Kroll

    Delina Ivanova

    Associate Director, Data & Analytics

    HelloFresh

    Usman Lakhani

    DevOps

    WeCloudData

    Fast Track Your GDPR Compliance Efforts

    • Buy Link or Shortcode: {j2store}372|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $25,779 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations often tackle compliance efforts in an ad hoc manner, resulting in an ineffective use of resources.
    • The alignment of business objectives, information security, and data privacy is new for many organizations, and it can seem overwhelming.
    • GDPR is an EU regulation that has global implications; it likely applies to your organization more than you think.

    Our Advice

    Critical Insight

    • Financial impact isn’t simply fines. A data controller fined for GDPR non-compliance may sue its data processor for damage.
    • Even day-to-day activities may be considered processing. Screen-sharing from a remote location is considered processing if the data shown onscreen contains personal data!
    • This is not simply an IT problem. Organizations that address GDPR in a siloed approach will not be as successful as organizations that take a cross-functional approach.

    Impact and Result

    • Follow a robust methodology that applies to any organization and aligns operational and situational GDPR scope. Info-Tech's framework allows organizations to tackle GDPR compliance in a right-sized, methodical approach.
    • Adhere to a core, complex GDPR requirement through the use of our documentation templates.
    • Understand how the risk of non-compliance is aligned to both your organization’s functions and data scope.
    • This blueprint will guide you through projects and steps that will result in quick wins for near-term compliance.

    Fast Track Your GDPR Compliance Efforts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should fast track your GDPR compliance efforts, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your compliance requirements

    Understand the breadth of the regulation’s requirements and document roles and responsibilities.

    • Fast Track Your GDPR Compliance Efforts – Phase 1: Understand Your Compliance Requirements
    • GDPR RACI Chart

    2. Define your GDPR scope

    Define your GDPR scope and prioritize initiatives based on risk.

    • Fast Track Your GDPR Compliance Efforts – Phase 2: Define Your GDPR Scope
    • GDPR Initiative Prioritization Tool

    3. Satisfy documentation requirements

    Understand the requirements for a record of processing and determine who will own it.

    • Fast Track Your GDPR Compliance Efforts – Phase 3: Satisfy Documentation Requirements
    • Record of Processing Template
    • Legitimate Interest Assessment Template
    • Data Protection Impact Assessment Tool
    • A Guide to Data Subject Access Requests

    4. Align your data breach requirements and security program

    Document your DPO decision and align security strategy to data privacy.

    • Fast Track Your GDPR Compliance Efforts – Phase 4: Align Your Data Breach Requirements & Security Program

    5. Prioritize your GDPR initiatives

    Prioritize any initiatives driven out of Phases 1-4 and begin developing policies that help in the documentation effort.

    • Fast Track Your GDPR Compliance Efforts – Phase 5: Prioritize Your GDPR Initiatives
    • Data Protection Policy
    [infographic]

    Workshop: Fast Track Your GDPR Compliance Efforts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Compliance Requirements

    The Purpose

    Kick-off the workshop; understand and define GDPR as it exists in your organizational context.

    Key Benefits Achieved

    Prioritize your business units based on GDPR risk.

    Assign roles and responsibilities.

    Activities

    1.1 Kick-off and introductions.

    1.2 High-level overview of weekly activities and outcomes.

    1.3 Identify and define GDPR initiative within your organization’s context.

    1.4 Determine what actions have been done to prepare; how have regulations been handled in the past?

    1.5 Identify key business units for GDPR committee.

    1.6 Document business units and functions that are within scope.

    1.7 Prioritize business units based on GDPR.

    1.8 Formalize stakeholder support.

    Outputs

    Prioritized business units based on GDPR risk

    GDPR Compliance RACI Chart

    2 Define Your GDPR Scope

    The Purpose

    Know the rationale behind a record of processing.

    Key Benefits Achieved

    Determine who will own the record of processing.

    Activities

    2.1 Understand the necessity for a record of processing.

    2.2 Determine for each prioritized business unit: are you a controller or processor?

    2.3 Develop a record of processing for most-critical business units.

    2.4 Perform legitimate interest assessments.

    2.5 Document an iterative process for creating a record of processing.

    Outputs

    Initial record of processing: 1-2 activities

    Initial legitimate interest assessment: 1-2 activities

    Determination of who will own the record of processing

    3 Satisfy Documentation Requirements and Align With Your Data Breach Requirements and Security Program

    The Purpose

    Review existing security controls and highlight potential requirements.

    Key Benefits Achieved

    Ensure the initiatives you’ll be working on align with existing controls and future goals.

    Activities

    3.1 Determine the appetite to align the GDPR project to data classification and data discovery.

    3.2 Discuss the benefits of data discovery and classification.

    3.3 Review existing incident response plans and highlight gaps.

    3.4 Review existing security controls and highlight potential requirements.

    3.5 Review all initiatives highlighted during days 1-3.

    Outputs

    Highlighted gaps in current incident response and security program controls

    Documented all future initiatives

    4 Prioritize GDPR Initiatives

    The Purpose

    Review project plan and initiatives and prioritize.

    Key Benefits Achieved

    Finalize outputs of the workshop, with a strong understanding of next steps.

    Activities

    4.1 Analyze the necessity for a data protection officer and document decision.

    4.2 Review project plan and initiatives.

    4.3 Prioritize all current initiatives based on regulatory compliance, cost, and ease to implement.

    4.4 Develop a data protection policy.

    4.5 Finalize key deliverables created during the workshop.

    4.6 Present the GDPR project to key stakeholders.

    4.7 Workshop executive presentation and debrief.

    Outputs

    GDPR framework and prioritized initiatives

    Data Protection Policy

    List of key tools

    Communication plans

    Workshop summary documentation

    Create an Architecture for AI

    • Buy Link or Shortcode: {j2store}344|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $604,999 Average $ Saved
    • member rating average days saved: 49 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    This research is designed to help organizations who are facing these challenges:

    • Deliver on the AI promise within the organization.
    • Prioritize the demand for AI projects and govern the projects to prevent overloading resources.
    • Have sufficient data management capability.
    • Have clear metrics in place to measure progress and for decision making.

    AI requires a high level of maturity in all data management capabilities, and the greatest challenge the CIO or CDO faces is to mature these capabilities sufficiently to ensure AI success.

    Our Advice

    Critical Insight

    • Build your target state architecture from predefined best-practice building blocks.
    • Not all business use cases require AI to increase business capabilities.
    • Not all organizations are ready to embark on the AI journey.
    • Knowing the AI pattern that you will use will simplify architecture considerations.

    Impact and Result

    • This blueprint will assist organizations with the assessment, planning, building, and rollout of their AI initiatives.
      • Do not embark on an AI project with an immature data management practice. Embark on initiatives to fix problems before they cripple your AI projects.
      • Using architecture building blocks will speed up the architecture decision phase.
    • The success rate of AI initiatives is tightly coupled with data management capabilities and a sound architecture.

    Create an Architecture for AI Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand why you need an underlying architecture for AI, review Info-Tech's methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess business use cases for AI readiness

    Define business use cases where AI may bring value. Evaluate each use case to determine the company’s AI maturity in people, tools, and operations for delivering the correct data, model development, model deployment, and the management of models in the operational areas.

    • Create an Architecture for AI – Phase 1: Assess Business Use Cases for AI Readiness
    • AI Architecture Assessment and Project Planning Tool
    • AI Architecture Assessment and Project Planning Tool – Sample

    2. Design your target state

    Develop a target state architecture to allow the organization to effectively deliver in the promise of AI using architecture building blocks.

    • Create an Architecture for AI – Phase 2: Design Your Target State
    • AI Architecture Templates

    3. Define the AI architecture roadmap

    Compare current state with the target state to define architecture plateaus and build a delivery roadmap.

    • Create an Architecture for AI – Phase 3: Define the AI Architecture Roadmap
    [infographic]

    Workshop: Create an Architecture for AI

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Answer “Where To?”

    The Purpose

    Define business use cases where AI may add value and assess use case readiness.

    Key Benefits Achieved

    Know upfront if all required data resources are available in the required velocity, veracity, and variety to service the use case.

    Activities

    1.1 Review the business vision.

    1.2 Identify and classify business use cases.

    1.3 Assess company readiness for each use case.

    1.4 Review architectural principles and download and install Archi.

    Outputs

    List of identified AI use cases

    Assessment of each use case

    Data sources needed for each use case

    Archi installed

    2 Define the Required Architecture Building Blocks

    The Purpose

    Define architecture building blocks that can be used across use cases and data pipeline.

    Key Benefits Achieved

    The architectural building blocks ensure reuse of resources and form the foundation of a stepwise rollout.

    Activities

    2.1 ArchiMate modelling language overview.

    2.2 Architecture building block overview

    2.3 Identify architecture building blocks by use case.

    2.4 Define the target state architecture.

    Outputs

    A set of building blocks created in Archi

    Defined target state architecture using architecture building blocks

    3 Assess the Current State Architecture

    The Purpose

    Assess your current state architecture in the areas identified by the target state.

    Key Benefits Achieved

    Only evaluating the current state architecture that will influence your AI implementation.

    Activities

    3.1 Identify the current state capabilities as required by the target state.

    3.2 Assess your current state architecture.

    3.3 Define a roadmap and design implementation plateaus.

    Outputs

    Current state architecture documented in Archi

    Assessed current state using assessment tool

    A roadmap defined using plateaus as milestones

    4 Bridge the Gap and Create the Roadmap

    The Purpose

    Assess your current state against the target state and create a plan to bridge the gaps.

    Key Benefits Achieved

    Develop a roadmap that will deliver immediate results and ensure long-term durability.

    Activities

    4.1 Assess the gaps between current- and target-state capabilities.

    4.2 Brainstorm initiatives to address the gaps in capabilities

    4.3 Define architecture delivery plateaus.

    4.4 Define a roadmap with milestones.

    4.5 Sponsor check-in.

    Outputs

    Current to target state gap assessment

    Architecture roadmap divided into plateaus

    Tame the Project Backlog

    • Buy Link or Shortcode: {j2store}439|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Unmanaged project backlogs can become the bane of IT departments, tying IT leaders and PMO staff down to an ever-growing receptacle of project ideas that provides little by way of strategic value and that typically represents a lack of project intake and approval discipline.
    • Decision makers frequently use the backlog to keep the peace. Lacking the time to assess the bulk of requests, or simply wanting to avoid difficult conversations with stakeholders, they “approve” everything and leave it to IT to figure it out.
    • As IT has increasing difficulty assessing – let alone starting – any of the projects in the backlog, stakeholder relations suffer. Requestors view inclusion in the backlog as a euphemism for “declined,” and often characterize the backlog as the place where good project ideas go to die.
    • Faced with these challenges, you need to make your project backlog more useful and reliable. The backlog may contain projects worth doing, but in its current untamed state, you have difficulty discerning, let alone capitalizing upon, those instances of value.

    Our Advice

    Critical Insight

    • Project backlogs are an investment and need to be treated as such. Incurring a cost impact that can be measured in terms of time and money, the backlog needs to be actively managed to ensure that you’re investing wisely and getting a good return in terms of strategic value and project throughput.
    • Unmanageable project backlogs are rooted in bad habits and poorly-defined processes. Identifying the sources that fuel backlog growth is key to long-term success. Unless the problem is addressed at the root, any gains made in the near-term will simply fade away as old, unhealthy habits re-emerge and take hold.
    • Backlog management should facilitate executive awareness about the status of backlog items as new work is being approved. In the long run, this ongoing executive engagement will not only help to keep the backlog manageable, but it will also help to bring more even workloads to IT project staff.

    Impact and Result

    • Keep the best, forget the rest. Develop a near-term approach to limit the role of the backlog to include only those items that add value to the business.
    • Shine a light. Improve executive visibility into the health and status of the backlog so that the backlog is taken into account when decision makers approve new work.
    • Evolve the organizational culture. Effectively employ organizational change management practices to evolve the culture that currently exists around the project backlog in order to ensure customer-service needs are more effectively addressed.
    • Ensure long-term sustainability. Institute processes to make sure that your list of pending projects – should you still require one after implementing this blueprint – remains minimal, maintainable, and of high value.

    Tame the Project Backlog Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a more disciplined approach to managing your project backlog can help you realize increased value and project throughput.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a project backlog battle plan

    Calculate the cost of the project backlog and assess the root causes of its unmanageability.

    • Tame the Project Backlog – Phase 1: Create a Backlog Battle Plan
    • Project Backlog ROI Calculator

    2. Execute a near-term backlog cleanse

    Increase the manageability of the backlog by updating stale requests and removing dead weight.

    • Tame the Project Backlog – Phase 2: Execute a Near-Term Backlog Cleanse
    • Project Backlog Management Tool
    • Project Backlog Stakeholder Communications Template

    3. Ensure long-term backlog manageability

    Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.

    • Tame the Project Backlog – Phase 3: Ensure Long-Term Backlog Manageability
    • Project Backlog Operating Plan Template
    • Project Backlog Manager
    [infographic]

    Workshop: Tame the Project Backlog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Create a Project Backlog Battle Plan

    The Purpose

    Gauge the manageability of your project backlog in its current state.

    Calculate the total cost of your project backlog investments.

    Determine the root causes that contribute to the unmanageability of your project backlog.

    Key Benefits Achieved

    An understanding of the organizational need for more disciplined backlog management.

    Visibility into the costs incurred by the project backlog.

    An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.

    Activities

    1.1 Calculate the sunk and marginal costs that have gone into your project backlog.

    1.2 Estimate the throughput of backlog items.

    1.3 Survey the root causes of your project backlog.

    Outputs

    The total estimated cost of the project backlog.

    A project backlog return-on-investment score.

    A project backlog root cause analysis.

    2 Execute a Near-Term Project Backlog Cleanse

    The Purpose

    Identify the most organizationally appropriate goals for your backlog cleanse.

    Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.

    Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance. 

    Key Benefits Achieved

    An effective, achievable, and organizationally right-sized approach to cleansing the backlog.

    Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.

    A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick. 

    Activities

    2.1 Establish roles and responsibilities for the near-term cleanse.

    2.2 Determine cleanse scope.

    2.3 Develop backlog prioritization criteria.

    2.4 Prepare a communication strategy.

    Outputs

    Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.

    Clearly defined and achievable goals.

    Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.

    A communication strategy to minimize stakeholder friction and resistance.

    3 Ensure Long-Term Project Backlog Manageability

    The Purpose

    Ensure ongoing backlog manageability.

    Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.

    Customize a best-practice toolkit to help keep the project backlog useful. 

    Key Benefits Achieved

    A list of pending projects that is minimal, maintainable, and of high value.

    Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.

    A backlog management tool and processes for ongoing manageability. 

    Activities

    3.1 Develop a project backlog management operating model.

    3.2 Configure a project backlog management solution.

    3.3 Assign roles and responsibilities for your long-term project backlog management processes.

    3.4 Customize a project backlog management operating plan.

    Outputs

    An operating model to structure your long-term strategy around.

    A right-sized management tool to help enable your processes and executive visibility into the backlog.

    Defined accountabilities for executing project backlog management responsibilities.

    Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.

    Adapt Your Onboarding Process to a Virtual Environment

    • Buy Link or Shortcode: {j2store}577|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • For many, the WFH arrangement will be temporary, however, the uncertainty around the length of the pandemic makes it hard for organizations to plan long term.
    • As onboarding plans traditionally carry a six- to twelve-month outlook, the uncertainty around how long employees will be working remotely makes it challenging to determine how much of the current onboarding program needs to change. In addition, introducing new technologies to a remote workforce and planning training on how to access and effectively use these technologies is difficult.

    Our Advice

    Critical Insight

    • The COVID-19 pandemic has led to a virtual environment many organizations were not prepared for.
    • Focusing on critical parts of the onboarding process and leveraging current technology allows organizations to quickly adapt to the uncertainty and constant change.

    Impact and Result

    • Organizations need to assess their existing onboarding process and identify the parts that are critical.
    • Using the technology currently available, organizations must adapt onboarding to a virtual environment.
    • Develop a plan to re-assess and update the onboarding program according to the duration of the situation.

    Adapt Your Onboarding Process to a Virtual Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess current onboarding processes

    Map the current onboarding process and identify the challenges to a virtual approach.

    • Adapt Your Onboarding Process to a Virtual Environment Storyboard
    • Virtual Onboarding Workbook
    • Process Mapping Guide

    2. Modify onboarding activities

    Determine how existing onboarding activities can be modified for a virtual environment.

    • Virtual Onboarding Ideas Catalog
    • Performance Management for Emergency Work-From-Home

    3. Launch the virtual onboarding process and plan to re-assess

    Finalize the virtual onboarding process and create an action plan. Continue to re-assess and iterate over time.

    • Virtual Onboarding Guide for HR
    • Virtual Onboarding Guide for Managers
    • HR Action and Communication Plan
    • Virtual Onboarding Schedule
    [infographic]

    Audit the Project Portfolio

    • Buy Link or Shortcode: {j2store}442|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As a CIO you know you should audit your portfolio, but you don’t know where to start.
    • There is a lack of portfolio and project visibility.
    • Projects are out of scope, over budget, and over schedule.

    Our Advice

    Critical Insight

    • Organizations establish processes and assume people are following them.
    • There is a dilution of practices from external influences and rapid turnover rates.
    • Many organizations build their processes around existing frameworks. These frameworks are great resources but they’re often missing context and clear links to tools, templates, and fiduciary duty.

    Impact and Result

    • The best way to get insight into your current state is to get an objective set of observations of your processes.
    • Use Info-Tech’s framework to audit your portfolios and projects:
      • Triage at a high level to assess the need for an audit by using the Audit Standard Triage Tool to assess your current state and the importance of conducting a deeper audit.
      • Complete Info-Tech’s Project Portfolio Audit Tool:
        • Validate the inputs.
        • Analyze the data.
        • Review the findings and create your action plan.

    Audit the Project Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should audit the project portfolio, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess readiness

    Understand your current state and determine the need for a deeper audit.

    • Audit the Project Portfolio – Phase 1: Assess Readiness
    • Info-Tech Audit Standard for Project Portfolio Management
    • Audit Glossary of Terms
    • Audit Standard Triage Tool

    2. Perform project portfolio audit

    Audit your selected projects and portfolios. Understand the gaps in portfolio practices.

    • Audit the Project Portfolio – Phase 2: Perform Project Portfolio Audit
    • Project Portfolio Audit Tool

    3. Establish a plan

    Document the steps you are going to take to address any issues that were uncovered in phase 2.

    • Audit the Project Portfolio – Phase 3: Establish a Plan
    • PPM Audit Timeline Template
    [infographic]

    Workshop: Audit the Project Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Portfolio Audit

    The Purpose

    An audit of your portfolio management practices.

    Key Benefits Achieved

    Analysis of audit results.

    Activities

    1.1 Info-Tech’s Audit Standard/Engagement Context

    1.2 Portfolio Audit

    1.3 Input Validation

    1.4 Portfolio Audit Analysis

    1.5 Start/Stop/Continue

    Outputs

    Audit Standard and Audit Glossary of Terms

    Portfolio and Project Audit Tool

    Start/Stop/Continue

    2 Project Audit

    The Purpose

    An audit of your project management practices.

    Key Benefits Achieved

    Analysis of audit results.

    Activities

    2.1 Project Audit

    2.2 Input Validation

    2.3 Project Audit Analysis

    2.4 Start/Stop/Continue

    Outputs

    Portfolio and Project Audit Tool

    Start/Stop/Continue

    3 Action Plan

    The Purpose

    Create a plan to start addressing any vulnerabilities.

    Key Benefits Achieved

    A plan to move forward.

    Activities

    3.1 Action Plan

    3.2 Key Takeaways

    Outputs

    Audit Timeline Template

    Service Management

    • Buy Link or Shortcode: {j2store}46|cart{/j2store}
    • Related Products: {j2store}46|crosssells{/j2store}
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture

    The challenge

    • We have good, holistic practices, but inconsistent adoption leads to chaotic service delivery and low customer satisfaction.
    • You may have designed your IT services with little structure, formalization, or standardization.
    • That makes the management of these services more difficult and also leads to low business satisfaction.

    Register to read more …

    Develop an Availability and Capacity Management Plan

    • Buy Link or Shortcode: {j2store}500|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $2,840 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Availability & Capacity Management
    • Parent Category Link: /availability-and-capacity-management
    • It is crucial for capacity managers to provide capacity in advance of need to maximize availability.
    • In an effort to ensure maximum uptime, organizations are overprovisioning (an average of 59% for compute, and 48% for storage). With budget pressure mounting (especially on the capital side), the cost of this approach can’t be ignored.
    • Half of organizations have experienced capacity-related downtime, and almost 60% wait more than three months for additional capacity.

    Our Advice

    Critical Insight

    • All too often capacity management is left as an afterthought. The best capacity managers bake capacity management into their organization’s business processes, becoming drivers of value.
    • Communication is key. Build bridges between your organization’s silos, and involve business stakeholders in a dialog about capacity requirements.

    Impact and Result

    • Map business metrics to infrastructure component usage, and use your organization’s own data to forecast demand.
    • Project future needs in line with your hardware lifecycle. Never suffer availability issues as a result of a lack of capacity again.
    • Establish infrastructure as a driver of business value, not a “black hole” cost center.

    Develop an Availability and Capacity Management Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a capacity management plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop an Availability and Capacity Management Plan – Phases 1-4

    1. Conduct a business impact analysis

    Determine the most critical business services to ensure availability.

    • Develop an Availability and Capacity Management Plan – Phase 1: Conduct a Business Impact Analysis
    • Business Impact Analysis Tool

    2. Establish visibility into core systems

    Craft a monitoring strategy to gather usage data.

    • Develop an Availability and Capacity Management Plan – Phase 2: Establish Visibility into Core Systems
    • Capacity Snapshot Tool

    3. Solicit and incorporate business needs

    Integrate business stakeholders into the capacity management process.

    • Develop an Availability and Capacity Management Plan – Phase 3: Solicit and Incorporate Business Needs
    • Capacity Plan Template

    4. Identify and mitigate risks

    Identify and mitigate risks to your capacity and availability.

    • Develop an Availability and Capacity Management Plan – Phase 4: Identify and Mitigate Risks

    [infographic]

    Workshop: Develop an Availability and Capacity Management Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Conduct a Business Impact Analysis

    The Purpose

    Determine the most important IT services for the business.

    Key Benefits Achieved

    Understand which services to prioritize for ensuring availability.

    Activities

    1.1 Create a scale to measure different levels of impact.

    1.2 Evaluate each service by its potential impact.

    1.3 Assign a criticality rating based on the costs of downtime.

    Outputs

    RTOs/RPOs

    List of gold systems

    Criticality matrix

    2 Establish Visibility Into Core Systems

    The Purpose

    Monitor and measure usage metrics of key systems.

    Key Benefits Achieved

    Capture and correlate data on business activity with infrastructure capacity usage.

    Activities

    2.1 Define your monitoring strategy.

    2.2 Implement your monitoring tool/aggregator.

    Outputs

    RACI chart

    Capacity/availability monitoring strategy

    3 Develop a Plan to Project Future Needs

    The Purpose

    Determine how to project future capacity usage needs for your organization.

    Key Benefits Achieved

    Data-based, systematic projection of future capacity usage needs.

    Activities

    3.1 Analyze historical usage trends.

    3.2 Interface with the business to determine needs.

    3.3 Develop a plan to combine these two sources of truth.

    Outputs

    Plan for soliciting future needs

    Future needs

    4 Identify and Mitigate Risks

    The Purpose

    Identify potential risks to capacity and availability.

    Develop strategies to ameliorate potential risks.

    Key Benefits Achieved

    Proactive approach to capacity that addresses potential risks before they impact availability.

    Activities

    4.1 Identify capacity and availability risks.

    4.2 Determine strategies to address risks.

    4.3 Populate and review completed capacity plan.

    Outputs

    List of risks

    List of strategies to address risks

    Completed capacity plan

    Further reading

    Develop an Availability and Capacity Management Plan

    Manage capacity to increase uptime and reduce costs.

    ANALYST PERSPECTIVE

    The cloud changes the capacity manager’s job, but it doesn’t eliminate it.

    "Nobody doubts the cloud’s transformative power. But will its ascent render “capacity manager” an archaic term to be carved into the walls of datacenters everywhere for future archaeologists to puzzle over? No. While it is true that the cloud has fundamentally changed how capacity managers do their jobs , the process is more important than ever. Managing capacity – and, by extent, availability – means minimizing costs while maximizing uptime. The cloud era is the era of unlimited capacity – and of infinite potential costs. If you put the infinity symbol on a purchase order… well, it’s probably not a good idea. Manage demand. Manage your capacity. Manage your availability. And, most importantly, keep your stakeholders happy. You won’t regret it."

    Jeremy Roberts,

    Consulting Analyst, Infrastructure Practice

    Info-Tech Research Group

    Availability and capacity management transcend IT

    This Research Is Designed For:

    ✓ CIOs who want to increase uptime and reduce costs

    ✓ Infrastructure managers who want to deliver increased value to the business

    ✓ Enterprise architects who want to ensure stability of core IT services

    ✓ Dedicated capacity managers

    This Research Will Help You:

    ✓ Develop a list of core services

    ✓ Establish visibility into your system

    ✓ Solicit business needs

    ✓ Project future demand

    ✓ Set SLAs

    ✓ Increase uptime

    ✓ Optimize spend

    This Research Will Also Assist:

    ✓ Project managers

    ✓ Service desk staff

    This Research Will Help Them:

    ✓ Plan IT projects

    ✓ Better manage availability incidents caused by lack of capacity

    Executive summary

    Situation

    • IT infrastructure leaders are responsible for ensuring that the business has access to the technology needed to keep the organization humming along. This requires managing capacity and availability.
    • Dependencies go undocumented. Services are provided on an ad hoc basis, and capacity/availability are managed reactively.

    Complication

    • Organizations are overprovisioning an average of 59% for compute, and 48% for storage. This is expensive. With budget pressure mounting, the cost of this approach can’t be ignored.
    • Lead time to respond to demand is long. Half of organizations have experienced capacity-related downtime, and almost 60% wait 3+ months for additional capacity. (451 Research, 3)

    Resolution

    • Conduct a business impact analysis to determine which of your services are most critical, and require active capacity management that will reap more in benefits than it produces in costs.
    • Establish visibility into your system. You can’t track what you can’t see, and you can’t see when you don’t have proper monitoring tools in place.
    • Develop an understanding of business needs. Use a combination of historical trend analyses and consultation with line of business and project managers to separate wants from needs. Overprovisioning used to be necessary, but is no longer required.
    • Project future needs in line with your hardware lifecycle. Never suffer availability issues as a result of a lack of capacity again.

    Info-Tech Insight

    1. Components are critical. The business doesn’t care about components. You, however, are not so lucky…
    2. Ask what the business is working on, not what they need. If you ask them what they need, they’ll tell you – and it won’t be cheap. Find out what they’re going to do, and use your expertise to service those needs.
    3. Cloud shmoud. The role of the capacity manager is changing with the cloud, but capacity management is as important as ever.

    Save money and drive efficiency with an effective availability and capacity management plan

    Overprovisioning happens because of the old style of infrastructure provisioning (hardware refresh cycles) and because capacity managers don’t know how much they need (either as a result of inaccurate or nonexistent information).

    According to 451 Research, 59% of enterprises have had to wait 3+ months for new capacity. It is little wonder, then, that so many opt to overprovision. Capacity management is about ensuring that IT services are available, and with lead times like that, overprovisioning can be more attractive than the alternative. Fortunately there is hope. An effective availability and capacity management plan can help you:

    • Identify your gold systems
    • Establish visibility into them
    • Project your future capacity needs

    Balancing overprovisioning and spending is the capacity manager’s struggle.

    Availability and capacity management go together like boots and feet

    Availability and capacity are not the same, but they are related and can be effectively managed together as part of a single process.

    If an IT department is unable to meet demand due to insufficient capacity, users will experience downtime or a degradation in service. To be clear, capacity is not the only factor in availability – reliability, serviceability, etc. are significant as well. But no organization can effectively manage availability without paying sufficient attention to capacity.

    "Availability Management is concerned with the design, implementation, measurement and management of IT services to ensure that the stated business requirements for availability are consistently met."

    – OGC, Best Practice for Service Delivery, 12

    "Capacity management aims to balance supply and demand [of IT storage and computing services] cost-effectively…"

    – OGC, Business Perspective, 90

    Integrate the three levels of capacity management

    Successful capacity management involves a holistic approach that incorporates all three levels.

    Business The highest level of capacity management, business capacity management, involves predicting changes in the business’ needs and developing requirements in order to make it possible for IT to adapt to those needs. Influx of new clients from a failed competitor.
    Service Service capacity management focuses on ensuring that IT services are monitored to determine if they are meeting pre-determined SLAs. The data gathered here can be used for incident and problem management. Increased website traffic.
    Component Component capacity management involves tracking the functionality of specific components (servers, hard drives, etc.), and effectively tracking their utilization and performance, and making predictions about future concerns. Insufficient web server compute.

    The C-suite cares about business capacity as part of the organization’s strategic planning. Service leads care about their assigned services. IT infrastructure is concerned with components, but not for their own sake. Components mean services that are ultimately designed to facilitate business.

    A healthcare organization practiced poor capacity management and suffered availability issues as a result

    CASE STUDY

    Industry: Healthcare

    Source: Interview

    New functionalities require new infrastructure

    There was a project to implement an elastic search feature. This had to correlate all the organization’s member data from an Oracle data source and their own data warehouse, and pool them all into an elastic search index so that it could be used by the provider portal search function. In estimating the amount of space needed, the infrastructure team assumed that all the data would be shared in a single place. They didn’t account for the architecture of elastic search in which indexes are shared across multiple nodes and shards are often split up separately.

    Beware underestimating demand and hardware sourcing lead times

    As a result, they vastly underestimated the amount of space that was needed and ended up short by a terabyte. The infrastructure team frantically sourced more hardware, but the rush hardware order arrived physically damaged and had to be returned to the vendor.

    Sufficient budget won’t ensure success without capacity planning

    The project’s budget had been more than sufficient to pay for the extra necessary capacity, but because a lack of understanding of the infrastructure impact resulted in improper forecasting, the project ended up stuck in a standstill.

    Manage availability and keep your stakeholders happy

    If you run out of capacity, you will inevitably encounter availability issues like downtime and performance degradation . End users do not like downtime, and neither do their managers.

    There are three variables that are monitored, measured, and analyzed as part of availability management more generally (Valentic).

      1. Uptime:

    The availability of a system is the percentage of time the system is “up,” (and not degraded) which can be calculated using the following formula: uptime/(uptime + downtime) x 100%. The more components there are in a system, the lower the availability, as a rule.

      1. Reliability:

    The length of time a component/service can go before there is an outage that brings it down, typically measured in hours.

      1. Maintainability:

    The amount of time it takes for a component/service to be restored in the event of an outage, also typically measured in hours.

    Enter the cloud: changes in the capacity manager role

    There can be no doubt – the rise of the public cloud has fundamentally changed the nature of capacity management.

    Features of the public cloudImplications for capacity management
    Instant, or near-instant, instantiation Lead times drop; capacity management is less about ensuring equipment arrives on time.
    Pay-as-you go services Capacity no longer needs to be purchased in bulk. Pay only for what you use and shut down instances that are no longer necessary.
    Essentially unlimited scalability Potential capacity is infinite, but so are potential costs.
    Offsite hosting Redundancy, but at the price of the increasing importance of your internet connection.

    Vendors will sell you the cloud as a solution to your capacity/availability problems

    The image contains two graphs. The first graph on the left is titled: Reactive Management, and shows the struggling relationship between capacity and demand. The second graph on the right is titled: Cloud future (ideal), which demonstrates a manageable relationship between capacity and demand over time.

    Traditionally, increases in capacity have come in bursts as a reaction to availability issues. This model inevitably results in overprovisioning, driving up costs. Access to the cloud changes the equation. On-demand capacity means that, ideally, nobody should pay for unused capacity.

    Reality check: even in the cloud era, capacity management is necessary

    You will likely find vendors to nurture the growth of a gap between your expectations and reality. That can be damaging.

    The cloud reality does not look like the cloud ideal. Even with the ostensibly elastic cloud, vendors like the consistency that longer-term contracts offer. Enter reserved instances: in exchange for lower hourly rates, vendors offer the option to pay a fee for a reserved instance. Usage beyond the reserved will be billed at a higher hourly rate. In order to determine where that line should be drawn, you should engage in detailed capacity planning. Unfortunately, even when done right, this process will result in some overprovisioning, though it does provide convenience from an accounting perspective. The key is to use spot instances where demand is exceptional and bounded. Example: A university registration server that experiences exceptional demand at the start of term but at no other time.

    The image contains an example of cloud reality not matching with the cloud ideal in the form of a graph. The graph is split horizontally, the top half is red, and there is a dotted line splitting it from the lower half. The line is labelled: Reserved instance ceiling. In the bottom half, it is the colour green and has a curving line.

    Use best practices to optimize your cloud resources

    The image contains two graphs. The graph on the left is labelled: Ineffective reserve capacity. At the top of the graph is a dotted line labelled: Reserved Instance ceiling. The graph is measuring capacity requirements over time. There is a curved line on the graph that suddenly spikes and comes back down. The spike is labelled unused capacity. The graph on the right is labelled: Effective reserve capacity. The reserved instance ceiling is about halfway down this graph, and it is comparing capacity requirements over time. This graph has a curved line on it, also has a spike and is labelled: spot instance.

    Even in the era of elasticity, capacity planning is crucial. Spot instances – the spikes in the graph above – are more expensive, but if your capacity needs vary substantially, reserving instances for all of the space you need can cost even more money. Efficiently planning capacity will help you draw this line.

    Evaluate business impact; not all systems are created equal

    Limited resources are a reality. Detailed visibility into every single system is often not feasible and could be too much information.

    Simple and effective. Sometimes a simple display can convey all of the information necessary to manage critical systems. In cars it is important to know your speed, how much fuel is in the tank, and whether or not you need to change your oil/check your engine.

    Where to begin?! Specialized information is sometimes necessary, but it can be difficult to navigate.

    Take advantage of a business impact analysis to define and understand your critical services

    Ideally, downtime would be minimal. In reality, though, downtime is a part of IT life. It is important to have realistic expectations about its nature and likelihood.

    STEP 1

    STEP 2

    STEP 3

    STEP 4

    STEP 5

    Record applications and dependencies

    Utilize your asset management records and document the applications and systems that IT is responsible for managing and recovering during a disaster.

    Define impact scoring scale

    Ensure an objective analysis of application criticality by establishing a business impact scale that applies to all applications.

    Estimate impact of downtime

    Leverage the scoring criteria from the previous step and establish an estimated impact of downtime for each application.

    Identify desired RTO and RPO

    Define what the RTOs/RPOs should be based on the impact of a business interruption and the tolerance for downtime and data loss.

    Determine current RTO/RPO

    Conduct tabletop planning and create a flowchart of your current capabilities. Compare your current state to the desired state from the previous step.

    Info-Tech Insight

    According to end users, every system is critical and downtime is intolerable. Of course, once they see how much totally eliminating downtime can cost, they might change their tune. It is important to have this discussion to separate the critical from the less critical – but still important – services.

    Establish visibility into critical systems

    You may have seen “If you can’t measure it, you can’t manage it” or a variation thereof floating around the internet. This adage is consumable and makes sense…doesn’t it?

    "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth."

    – W. Edwards Deming, statistician and management consultant, author of The New Economics

    While it is true that total monitoring is not absolutely necessary for management, when it comes to availability and capacity – objectively quantifiable service characteristics – a monitoring strategy is unavoidable. Capturing fluctuations in demand, and adjusting for those fluctuations, is among the most important functions of a capacity manager, even if hovering over employees with a stopwatch is poor management.

    Solicit needs from line of business managers

    Unless you head the world’s most involved IT department (kudos if you do) you’re going to have to determine your needs from the business.

    Do

    Do not

    ✓ Develop a positive relationship with business leaders responsible for making decisions.

    ✓ Make yourself aware of ongoing and upcoming projects.

    ✓ Develop expertise in organization-specific technology.

    ✓ Make the business aware of your expenses through chargebacks or showbacks.

    ✓ Use your understanding of business projects to predict business needs; do not rely on business leaders’ technical requests alone.

    X Be reactive.

    X Accept capacity/availability demands uncritically.

    X Ask line of business managers for specific computing requirements unless they have the technical expertise to make informed judgments.

    X Treat IT as an opaque entity where requests go in and services come out (this can lead to irresponsible requests).

    Demand: manage or be managed

    You might think you can get away with uncritically accepting your users’ demands, but this is not best practice. If you provide it, they will use it.

    The company meeting

    “I don’t need this much RAM,” the application developer said, implausibly. Titters wafted above the assembled crowd as her IT colleagues muttered their surprise. Heads shook, eyes widened. In fact, as she sat pondering her utterance, the developer wasn’t so sure she believed it herself. Noticing her consternation, the infrastructure manager cut in and offered the RAM anyway, forestalling the inevitable crisis that occurs when seismic internal shifts rock fragile self-conceptions. Until next time, he thought.

    "Work expands as to fill the resources available for its completion…"

    – C. Northcote Parkinson, quoted in Klimek et al.

    Combine historical data with the needs you’ve solicited to holistically project your future needs

    Predicting the future is difficult, but when it comes to capacity management, foresight is necessary.

    Critical inputs

    In order to project your future needs, the following inputs are necessary.

    1. Usage trends: While it is true that past performance is no indication of future demand, trends are still a good way to validate requests from the business.
    2. Line of business requests: An understanding of the projects the business has in the pipes is important for projecting future demand.
    3. Institutional knowledge: Read between the lines. As experts on information technology, the IT department is well-equipped to translate needs into requirements.
    The image contains a graph that is labelled: Projected demand, and graphs demand over time. There is a curved line that passes through a vertical line labelled present. There is a box on top of the graph that contains the text: Note: confidence in demand estimates will very by service and by stakeholder.

    Follow best practice guidelines to maximize the efficiency of your availability and capacity management process

    The image contains Info-Tech's IT Management & Governance Framework. The framework displays many of Info-Tech's research to help optimize and improve core IT processes. The name of this blueprint is under the Infrastructure & Operations section, and has been circled to point out where it is in the framework.

    Understand how the key frameworks relate and interact

    The image contains a picture of the COBIT 5 logo.

    BA104: Manage availability and capacity

    • Current state assessment
    • Forecasting based on business requirements
    • Risk assessment of planning and implementation of requirements
    The image contains a picture of the ITIL logo

    Availability management

    • Determine business requirements
    • Match requirements to capabilities
    • Address any mismatch between requirements and capabilities in a cost-effective manner

    Capacity management

    • Monitoring services and components
    • Tuning for efficiency
    • Forecasting future requirements
    • Influencing demand
    • Producing a capacity plan
    The image contains a picture of Info-Tech Research Group logo.

    Availability and capacity management

    • Conduct a business impact analysis
    • Establish visibility into critical systems
    • Solicit and incorporate business needs
    • Identify and mitigate risks

    Disaster recovery and business continuity planning are forms of availability management

    The scope of this project is managing day-to-day availability, largely but not exclusively, in the context of capacity. For additional important information on availability, see the following Info-Tech projects.

      • Develop a Business Continuity Plan

    If your focus is on ensuring process continuity in the event of a disaster.

      • Establish a Program to Enable Effective Performance Monitoring

    If your focus is on flow mapping and transaction monitoring as part of a plan to engage APM vendors.

      • Create a Right-Sized Disaster Recovery Plan

    If your focus is on hardening your IT systems against major events.

    Info-Tech’s approach to availability and capacity management is stakeholder-centered and cloud ready

    Phase 1:

    Conduct a business impact analysis

    Phase 2:

    Establish visibility into core systems

    Phase 3:

    Solicit and incorporate business needs

    Phase 4:

    Identify and mitigate risks

    1.1 Conduct a business impact analysis

    1.2 Assign criticality ratings to services

    2.1 Define your monitoring strategy

    2.2 Implement monitoring tool/aggregator

    3.1 Solicit business needs

    3.2 Analyze data and project future needs

    4.1 Identify and mitigate risks

    Deliverables

    • Business impact analysis
    • Gold systems
    • Monitoring strategy
    • List of stakeholders
    • Business needs
    • Projected capacity needs
    • Risks and mitigations
    • Capacity management summary cards

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Availability & capacity management – project overview

     

    Conduct a business impact analysis

    Establish visibility into core systems

    Solicit and incorporate business needs

    Identify and
    mitigate risks

    Best-Practice Toolkit

    1.1 Create a scale to measure different levels of impact

    1.2 Assign criticality ratings to services

    2.1 Define your monitoring strategy

    2.2 Implement your monitoring tool/aggregator

    3.1 Solicit business needs and gather data

    3.2 Analyze data and project future needs

    4.1 Identify and mitigate risks

    Guided Implementations

    Call 1: Conduct a business impact analysis Call 1: Discuss your monitoring strategy

    Call 1: Develop a plan to gather historical data; set up plan to solicit business needs

    Call 2: Evaluate data sources

    Call 1: Discuss possible risks and strategies for risk mitigation

    Call 2: Review your capacity management plan

    Onsite Workshop

    Module 1:

    Conduct a business impact analysis

    Module 2:

    Establish visibility into core systems

    Module 3:

    Develop a plan to project future needs

    Module 4:

    Identify and mitigate risks

     

    Phase 1 Results:

    • RTOs/RPOs
    • List of gold systems
    • Criticality matrix

    Phase 2 Results:

    • Capacity/availability monitoring strategy

    Phase 3 Results:

    • Plan for soliciting future needs
    • Future needs

    Phase 4 Results:

    • Strategies for reducing risks
    • Capacity management plan

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

     

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

     

    Conduct a business
    impact analysis

    Establish visibility into
    core systems

    Solicit and incorporate business needs

    Identify and mitigate risks

    Activities

    1.1 Conduct a business impact analysis

    1.2 Create a list of critical dependencies

    1.3 Identify critical sub-components

    1.4 Develop best practices to negotiate SLAs

    2.1 Determine indicators for sub-components

    2.2 Establish visibility into components

    2.3 Develop strategies to ameliorate visibility issues

    3.1 Gather relevant business-level data

    3.2 Gather relevant service-level data

    3.3 Analyze historical trends

    3.4 Build a list of business stakeholders

    3.5 Directly solicit requirements from the business

    3.6 Map business needs to technical requirements

    3.7 Identify inefficiencies and compare historical data

    • 4.1 Brainstorm potential causes of availability and capacity risk
    • 4.2 Identify and mitigate capacity risks
    • 4.3 Identify and mitigate availability risks

    Deliverables

    1. Business impact analysis
    2. List of gold systems
    3. SLA best practices
    1. Sub-component metrics
    2. Strategy to establish visibility into critical sub-components
    1. List of stakeholders
    2. Business requirements
    3. Technical requirements
    4. Inefficiencies
    1. Strategies for mitigating risks
    2. Completed capacity management plan template

    PHASE 1

    Conduct a Business Impact Analysis

    Step 1.1: Conduct a business impact analysis

    This step will walk you through the following activities:

    • Record applications and dependencies in the Business Impact Analysis Tool.
    • Define a scale to estimate the impact of various applications’ downtime.
    • Estimate the impact of applications’ downtime.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • Estimated impact of downtime for various applications

    Execute a business impact analysis (BIA) as part of a broader availability plan

    1.1a Business Impact Analysis Tool

    Business impact analyses are an invaluable part of a broader IT strategy. Conducting a BIA benefits a variety of processes, including disaster recovery, business continuity, and availability and capacity management

    STEP 1

    STEP 2

    STEP 3

    STEP 4

    STEP 5

    Record applications and dependencies

    Utilize your asset management records and document the applications and systems that IT is responsible for managing and recovering during a disaster.

    Define impact scoring scale

    Ensure an objective analysis of application criticality by establishing a business impact scale that applies to all applications.

    Estimate impact of downtime

    Leverage the scoring criteria from the previous step and establish an estimated impact of downtime for each application.

    Identify desired RTO and RPO

    Define what the RTOs/RPOs should be based on the impact of a business interruption and the tolerance for downtime and data loss.

    Determine current RTO/RPO

    Conduct tabletop planning and create a flowchart of your current capabilities. Compare your current state to the desired state from the previous step.

    Info-Tech Insight

    Engaging in detailed capacity planning for an insignificant service draws time and resources away from more critical capacity planning exercises. Time spent tracking and planning use of the ancient fax machine in the basement is time you’ll never get back.

    Control the scope of your availability and capacity management planning project with a business impact analysis

    Don’t avoid conducting a BIA because of a perception that it’s too onerous or not necessary. If properly managed, as described in this blueprint, the BIA does not need to be onerous and the benefits are tangible.

    A BIA enables you to identify appropriate spend levels, continue to drive executive support, and prioritize disaster recovery planning for a more successful outcome. For example, an Info-Tech survey found that a BIA has a significant impact on setting appropriate recovery time objectives (RTOs) and appropriate spending.

    The image contains a graph that is labelled: BIA Impact on Appropriate RTOS. With no BIA, there is 59% RTOs are appropriate. With BIA, there is 93% RTOS being appropriate. The image contains a graph that is labelled: BIA Impact on Appropriate Spending. No BIA has 59% indication that BCP is cost effective. With a BIA there is 86% indication that BCP is cost effective.

    Terms

    No BIA: lack of a BIA, or a BIA bases solely on the perceived importance of IT services.

    BIA: based on a detailed evaluation or estimated dollar impact of downtime.

    Source: Info-Tech Research Group; N=70

    Select the services you wish to evaluate with the Business Impact Analysis Tool

    1.1b 1 hour

    In large organizations especially, collating an exhaustive list of applications and services is going to be onerous. For the purposes of this project, a subset should suffice.

    Instructions

    1. Gather a diverse group of IT staff and end users in a room with a whiteboard.
    2. Solicit feedback from the group. Questions to ask:
    • What services do you regularly use? What do you see others using? (End users)
    • Which service inspires the greatest number of service calls? (IT)
    • What services are you most excited about? (Management)
    • What services are the most critical for business operations? (Everybody)
  • Record these applications in the Business Impact Analysis Tool.
  • Input

    • Applications/services

    Output

    • Candidate applications for the business impact analysis

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect
    • Application owners
    • End users

    Info-Tech Insight

    Include a variety of services in your analysis. While it might be tempting to jump ahead and preselect important applications, don’t. The process is inherently valuable, and besides, it might surprise you.

    Record the applications and dependencies in the BIA tool

    1.1c Use tab 1 of the Business Impact Analysis Tool

    1. In the Application/System column, list the applications identified for this pilot as well as the Core Infrastructure category. Also indicate the Impact on the Business and Business Owner.
    2. List the dependencies for each application in the appropriate columns:
    • Hosted On-Premises (In-House) – If the physical equipment is in a facility you own, record it here, even if it is managed by a vendor.
    • Hosted by a Co-Lo/MSP – List any dependencies hosted by a co-lo/MSP vendor.
    • Cloud (includes "as a Service”) – List any dependencies hosted by a cloud vendor.

    Note: If there are no dependencies for a particular category, leave it blank.

  • If you wish to highlight specific dependencies, put an asterisk in front of them (e.g. *SAN). This will cause the dependency to be highlighted in the remaining tabs in this tool.
  • Add comments as needed in the Notes columns. For example, for equipment that you host in-house but is remotely managed by an MSP, specify this in the notes. Similarly, note any DR support services.
  • Example

    The image contains a screenshot of Info-Tech's Business Impact Analysis Tool specifically tab 1.

    ID is optional. It is a sequential number by default.

    In-House, Co-Lo/MSP, and Cloud dependencies; leave blank if not applicable.

    Add notes as applicable – e.g. critical support services.

    Define a scoring scale to estimate different levels of impact

    1.1d Use tab 2 of the Business Impact Analysis Tool

    Modify the Business Impact Scales headings and Overall Criticality Rating terminology to suit your organization. For example, if you don’t have business partners, use that column to measure a different goodwill impact or just ignore that column in this tool (i.e. leave it blank). Estimate the different levels of potential impact (where four is the highest impact and zero is no impact) and record these in the Business Impact Scales columns.

    The image contains a screenshot of Info-Tech's Business Impact Analysis Tool, specifically tab 2.

    Estimate the impact of downtime for each application

    1.1e Use tab 3 of the Business Impact Analysis Tool

    In the BIA tab columns for Direct Costs of Downtime, Impact on Goodwill, and Additional Criticality Factors, use the drop-down menu to assign a score of zero to four based on levels of impact defined in the Scoring Criteria tab. For example, if an organization’s ERP is down, and that affects call center sales operations (e.g. ability to access customer records and process orders), the impact might be as described below:

      • Loss of Revenue might score a two or three depending on the proportion of overall sales lost due to the downtime.
      • The Impact on Customers might be a one or two depending on the extent that existing customers might be using the call center to purchase new products or services, and are frustrated by the inability to process orders.
      • The Legal/Regulatory Compliance and Health or Safety Risk might be a zero.

    On the other hand, if payroll processing is down, this may not impact revenue, but it certainly impacts internal goodwill and productivity.

    Rank service criticality: gold, silver, and bronze

    Gold

    Mission critical services. An outage is catastrophic in terms of cost or public image/goodwill. Example: trading software at a financial institution.

    Silver

    Important to daily operations, but not mission critical. Example: email services at any large organization.

    Bronze

    Loss of these services is an inconvenience more than anything, though they do serve a purpose and will be missed if they are never brought back online. Example: ancient fax machines.

    Info-Tech Best Practice

    Info-Tech recommends gold, silver, and bronze because of this typology’s near universal recognition. If you would prefer a particular designation (it might help with internal comprehension), don’t hesitate to use that one instead.

    Use the results of the business impact analysis to sort systems based on their criticality

    1.1f 1 hour

    Every organization has its own rules about how to categorize service importance. For some (consumer-facing businesses, perhaps) reputational damage may trump immediate costs.

    Instructions

    1. Gather a group of key stakeholders and project the completed Business Impact Analysis Tool onto a screen for them.
    2. Share the definitions of gold, silver, and bronze services with them (if they are not familiar), and begin sorting the services by category,
    • How long would it take to notice if a particular service went out?
    • How important are the non-quantifiable damages that could come with an outage?
  • Sort the services into gold, silver, and bronze on a whiteboard, with sticky notes, or with chart paper.
  • Verify your findings and record them in section 2.1 of the Capacity Plan Template.
  • Input

    • Results of the business impact analysis exercise

    Output

    • List of gold, silver, and bronze systems

    Materials

    • Projector
    • Business Impact Analysis Tool
    • Capacity Plan Template

    Participants

    • Infrastructure manager
    • Enterprise architect

    Leverage the rest of the BIA tool as part of your disaster recovery planning

    Disaster recovery planning is a critical activity, and while it is a sort of availability management, it is beyond this project’s scope. You can complete the business impact analysis (including RTOs and RPOs) for the complete disaster recovery package.

    See Info-Tech’s Create a Right-Sized Disaster Recovery Plan blueprint for instructions on how to complete your business impact analysis.

    Step 1.2: Assign criticality ratings to services

    This step will walk you through the following activities:

    • Create a list of dependencies for your most important applications.
    • Identify important sub-components.
    • Use best practices to develop and negotiate SLAs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • List of dependencies of most important applications
    • List of important sub-components
    • SLAs based on best practices

    Determine the base unit of the capacity you’re looking to purchase

    Not every IT organization should approach capacity the same way. Needs scale, and larger organizations will inevitably deal in larger quantities.

    Large cloud provider

    Local traditional business

    • Thousands of servers housed in a number of datacenters around the world.
    • Dedicated capacity manager.
    • Purchases components from OEMs in bulk as part of bespoke contracts that are worth many millions of dollars over time.
    • May deal with components at a massive scale (dozens of servers at once, for example).
    • A small server room that runs non-specialized services (email, for example).
    • Barely even a dedicated IT person, let alone an IT capacity manager.
    • Purchases new components from resellers or even retail stores.
    • Deals with components at a small scale (a single switch here, a server upgrade there).

    "Cloud capacity management is not exactly the same as the ITIL version because ITIL has a focus on the component level. I actually don’t do that, because if I did I’d go crazy. There’s too many components in a cloud environment."

    – Richie Mendoza, IT Consultant, SMITS Inc.

    Consider the relationship between component capacity and service capacity

    End users’ thoughts about IT are based on what they see. They are, in other words, concerned with service availability: does the organization have the ability to provide access to needed services?

    Service

    • Email
    • CRM
    • ERP

    Component

    • Switch
    • SMTP server
    • Archive database
    • Storage

    "You don’t ask the CEO or the guy in charge ‘What kind of response time is your requirement?’ He doesn’t really care. He just wants to make sure that all his customers are happy."

    – Todd Evans, Capacity and Performance Management SME, IBM.

    One telco solved its availability issues by addressing component capacity issues

    CASE STUDY

    Industry: Telecommunications

    Source: Interview

    Coffee and Wi-Fi – a match made in heaven

    In tens of thousands of coffee shops around the world, patrons make ample use of complimentary Wi-Fi. Wi-Fi is an important part of customers’ coffee shop experience, whether they’re online to check their email, do a YouTube, or update their Googles. So when one telco that provided Wi-Fi access for thousands of coffee shops started encountering availability issues, the situation was serious.

    Wi-Fi, whack-a-mole, and web woes

    The team responsible for resolving the issue took an ad hoc approach to resolving complaints, fixing issues as they came up instead of taking a systematic approach.

    Resolution

    Looking at the network as a whole, the capacity manager took a proactive approach by using data to identify and rank the worst service areas, and then directing the team responsible to fix those areas in order of the worst first, then the next worst, and so on. Soon the availability of Wi-Fi service was restored across the network.

    Create a list of dependencies for your most important applications

    1.2a 1.5 hours

    Instructions

    1. Work your way down the list of services outlined in step 1, starting with your gold systems. During the first iteration of this exercise select only 3-5 of your most important systems.
    2. Write the name of each application on a sticky note or at the top of a whiteboard (leaving ample space below for dependency mapping).
    3. In the first tier below the application, include the specific services that the general service provides.
    • This will vary based on the service in question, but an example for email is sending, retrieving, retrieving online, etc.
  • For each of the categories identified in step 3, identify the infrastructure components that are relevant to that system. Be broad and sweeping; if the component is involved in the service, include it here. The goal is to be exhaustive.
  • Leave the final version of the map intact. Photographing or making a digital copy for posterity. It will be useful in later activities.
  • Input

    • List of important applications

    Output

    • List of critical dependencies

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Infrastructure manager
    • Enterprise architect

    Info-Tech Insight

    Dependency mapping can be difficult. Make sure you don’t waste effort creating detailed dependency maps for relatively unimportant services.

    Dependency mapping can be difficult. Make sure you don’t waste effort creating detailed dependency maps for relatively unimportant services.

    The image contains a sample dependency map on ride sharing. Ride Sharing has been split between two categories: Application and Drivers. Under drivers it branches out to: Availability, Car, and Pay. Under Application, it branches out to: Compute, Network, Edge devices, Q/A maintenance, and Storage. Compute branches out to Cloud Services. Network branches out to Cellular network and Local. Edge Devices branch out to Drivers and Users. Q/A maintenance does not have a following branch. Storage branches out to Storage (Enterprise) and Storage (local).

    Ride sharing cannot work, at least not at maximum effectiveness, without these constituent components. When one or more of these components are absent or degraded, the service will become unavailable. This example illustrates some challenges of capacity management; some of these components are necessary, but beyond the ride-sharing company’s control.

    Leverage a sample dependency tree for a common service

    The image contains a sample dependency tree for the Email service. Email branches out to: Filtering, Archiving, Retrieval, and Send/receive. Filtering branches out to security appliance which then branches out to CPU, Storage, and Network. Archiving branches to Archive server, which branches out to CPU, Storage, and Network. Retrieval branches out to IMAP/PoP which branches out to CPU, Storage, and Network. Send/receive branches out to IMAP/PoP and SMTP. SMTP branches out to CPU, Storage and Network.

    Info-Tech Best Practice

    Email is an example here not because it is necessarily a “gold system,” but because it is common across industries. This is a useful exercise for any service, but it can be quite onerous, so it should be conducted on the most important systems first.

    Separate the wheat from the chaff; identify important sub-components and separate them from unimportant ones

    1.2b 1.5 hours

    Use the bottom layer of the pyramid drawn in step 1.2a for a list of important sub-components.

    Instructions

    1. Record a list of the gold services identified in the previous activity. Leave space next to each service for sub-components.
    2. Go through each relevant sub-component. Highlight those that are critical and could reasonably be expected to cause problems.
    • Has this sub-component caused a problem in the past?
    • Is this sub-component a bottleneck?
    • What could cause this component to fail? Is it such an occurrence feasible?
  • Record the results of the exercise (and the service each sub-component is tied to) in tab 2 (columns B &C) of the Capacity Snapshot Tool.
  • Input

    • List of important applications

    Output

    • List of critical dependencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect

    Understand availability commitments with SLAs

    With the rise of SaaS, cloud computing, and managed services, critical services and their components are increasingly external to IT.

    • IT’s lack of access to the internal working of services does not let them off the hook for performance issues (as much as that might be the dream).
    • Vendor management is availability management. Use the dependency map drawn earlier in this phase to highlight the components of critical services that rely on capacity that cannot be managed internally.
    • For each of these services ensure that an appropriate SLA is in place. When acquiring new services, ensure that the vendor SLA meets business requirements.

    The image contains a large blue circle labelled: Availability. Also in the blue circle is a small red circle labelled: Capacity.

    In terms of service provision, capacity management is a form of availability management. Not all availability issues are capacity issues, but the inverse is true.

    Info-Tech Insight

    Capacity issues will always cause availability issues, but availability issues are not inherently capacity issues. Availability problems can stem from outages unrelated to capacity (e.g. power or vendor outages).

    Use best practices to develop and negotiate SLAs

    1.2c 20 minutes per service

    When signing contracts with vendors, you will be presented with an SLA. Ensure that it meets your requirements.

    1. Use the business impact analysis conducted in this project’s first step to determine your requirements. How much downtime can you tolerate for your critical services?
    2. Once you have been presented with an SLA, be sure to scour it for tricks. Remember, just because a vendor offers “five nines” of availability doesn’t mean that you’ll actually get that much uptime. It could be that the vendor is comfortable eating the cost of downtime or that the contract includes provisions for planned maintenance. Whether or not the vendor anticipated your outage does little to mitigate the damage an outage can cause to your business, so be careful of these provisions.
    3. Ensure that the person ultimately responsible for the SLA (the approver) understands the limitations of the agreement and the implications for availability.

    Input

    • List of external component dependencies

    Output

    • SLA requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Infrastructure manager
    • Enterprise architect

    Info-Tech Insight

    Vendors are sometimes willing to eat the cost of violating SLAs if they think it will get them a contract. Be careful with negotiation. Just because the vendor says they can do something doesn’t make it true.

    Negotiate internal SLAs using Info-Tech’s rigorous process

    Talking past each other can drive misalignment between IT and the business, inconveniencing all involved. Quantify your needs through an internal SLA as part of a comprehensive availability management plan.

    See Info-Tech’s Improve IT-Business Alignment Through an Internal SLA blueprint for instructions on why you should develop internal SLAs and the potential benefits they bring.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2

    The image contains a screenshot of activity 1.2 as previously described above.

    Create a list of dependencies for your most important applications

    Using the results of the business impact analysis, the analyst will guide workshop participants through a dependency mapping exercise that will eventually populate the Capacity Plan Template.

    Phase 1 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Conduct a business impact analysis

    Proposed Time to Completion: 1 week

    Step 1.1: Create a scale to measure different levels of impact

    Review your findings with an analyst

    Discuss how you arrived at the rating of your critical systems and their dependencies. Consider whether your external SLAs are appropriate.

    Then complete these activities…

    • Use the results of the business impact analysis to sort systems based on their criticality

    With these tools & templates:

    Business Impact Analysis Tool

    Step 1.2: Assign criticality ratings to services

    Review your findings with an analyst

    Discuss how you arrived at the rating of your critical systems and their dependencies. Consider whether your external SLAs are appropriate.

    Then complete these activities…

    • Create a list of dependencies for your most important applications
    • Identify important sub-components
    • Use best practices to develop and negotiate SLAs

    With these tools & templates:

    Capacity Snapshot Tool

    Phase 1 Results & Insights:

    • Engaging in detailed capacity planning for an insignificant service is a waste of resources. Focus on ensuring availability for your most critical systems.
    • Carefully evaluate vendors’ service offerings. Make sure the SLA works for you, and approach pie-in-the-sky promises with skepticism.

    PHASE 2

    Establish Visibility Into Core Systems

    Step 2.1: Define your monitoring strategy

    This step will walk you through the following activities:

    • Determine the indicators you should be tracking for each sub-component.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team

    Outcomes of this step

    • List of indicators to track for each sub-component

    Data has its significance—but also its limitations

    The rise of big data can be a boon for capacity managers, but be warned: not all data is created equal. Bad data can lead to bad decisions – and unemployed capacity managers.

    Your findings are only as good as your data. Remember: garbage in, garbage out. There are three characteristics of good data:*

    1. Accuracy: is the data exact and correct? More detail and confidence is better.
    2. Reliability: is the data consistent? In other words, if you run the same test twice will you get the same results?
    3. Validity: is the information gleaned believable and relevant?

    *National College of Teaching & Leadership, “Reliability and Validity”

    "Data is king. Good data is absolutely essential to [the capacity manager] role."

    – Adrian Blant, Independent Capacity Consultant, IT Capability Solutions

    Info-Tech Best Practice

    Every organization’s data needs are different; your data needs are going to be dictated by your services, delivery model, and business requirements. Make sure you don’t confuse volume with quality, even if others in your organization make that mistake.

    Take advantage of technology to establish visibility into your systems

    Managing your availability and capacity involves important decisions about what to monitor and how thresholds should be set.

    • Use the list of critical applications developed through the business impact analysis and the list of components identified in the dependency mapping exercise to produce a plan for effectively monitoring component availability and capacity.
    • The nature of IT service provision – the multitude of vendors providing hardware and services necessary for even simple IT services to work effectively – means that it is unlikely that capacity management will be visible through a single pane of glass. In other words, “email” and “CRM” don’t have a defined capacity. It always depends.
    • Establishing visibility into systems involves identifying what needs to be tracked for each component.

    Too much monitoring can be as bad as the inverse

    In 2013, a security breach at US retailer Target compromised more than 70 million customers’ data. The company received an alert, but it was thought to be a false positive because the monitoring system produced so many false and redundant alerts. As a result of the daily deluge, staff did not respond to the breach in time.

    Info-Tech Insight

    Don’t confuse monitoring with management. While establishing visibility is a crucial step, it is only part of the battle. Move on to this project’s next phase to explore opportunities to improve your capacity/availability management process.

    Determine the indicators you should be tracking for each sub-component

    2.1a Tab 3 of the Capacity Snapshot Tool

    It is nearly impossible to overstate the importance of data to the process of availability and capacity management. But the wrong data will do you no good.

    Instructions

    1. Open the Capacity Snapshot Tool to tab 2. The tool should have been populated in step 1.2 as part of the component mapping exercise.
    2. For each service, determine which metric(s) would most accurately tell the component’s story. Consider the following questions when completing this activity (you may end up with more than one metric):
    • How would the component’s capacity be measured (storage space, RAM, bandwidth, vCPUs)?
    • Is the metric in question actionable?
  • Record each metric in the Metric column (D) of the Capacity Snapshot Tool. Use the adjacent column for any additional information on metrics.
  • Info-Tech Insight

    Bottlenecks are bad. Use the Capacity Snapshot Tool (or another tool like it) to ensure that when the capacity manager leaves (on vacation, to another role, for good) the knowledge that they have accumulated does not leave as well.

    Understand the limitations of this approach

    Although we’ve striven to make it as easy as possible, this process will inevitably be cumbersome for organizations with a complicated set of software, hardware, and cloud services.

    Tracking every single component in significant detail will produce a lot of noise for each bit of signal. The approach outlined here addresses that concern in two ways:

    • A focus on gold services
    • A focus on sub-components that have a reasonable likelihood of being problematic in the future.

    Despite this effort, however, managing capacity at the component level is a daunting task. Ultimately, tools provided by vendors like SolarWinds and AppDynamics will fill in some of the gaps. Nevertheless, an understanding of the conceptual framework underlying availability and capacity management is valuable.

    Step 2.2: Implement your monitoring tool/aggregator

    This step will walk you through the following activities:

    • Clarify visibility.
    • Determine whether or not you have sufficiently granular visibility.
    • Develop strategies to .any visibility issues.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team
    • Applications personnel

    Outcomes of this step

    • Method for measuring and monitoring critical sub-components

    Companies struggle with performance monitoring because 95% of IT shops don’t have full visibility into their environments

    CASE STUDY

    Industry: Financial Services

    Source: AppDynamics

    Challenge

    • Users are quick to provide feedback when there is downtime or application performance degradation.
    • The challenge for IT teams is that while they can feel the pain, they don’t have visibility into the production environment and thus cannot identify where the pain is coming from.
    • The most common solution that organizations rely on is leveraging the log files for issue diagnosis. However, this method is slow and often unable to pinpoint the problem areas, leading to delays in problem resolution.

    Solution

    • Application and infrastructure teams need to work together to develop infrastructure flow maps and transaction profiles.
    • These diagrams will highlight the path that each transaction travels across your infrastructure.
    • Ideally at this point, teams will also capture latency breakdowns across every tier that the business transaction flows through.
      • This will ultimately kick start the baselining process.

    Results

    • Ninety-five percent of IT departments don’t have full visibility into their production environment. As a result, a slow business transaction will often require a war-room approach where SMEs from across the organization gather to troubleshoot.
    • Having visibility into the production environment through infrastructure flow mapping and transaction profiling will help IT teams pinpoint problems.
      • At the very least, teams will be able to identify common problem areas and expedite the root-cause analysis process.

    Source: “Just how complex can a Login Transaction be? Answer: Very!,” AppDynamics

    Monitor your critical sub-components

    Establishing a monitoring plan for your capacity involves answering two questions: can I see what I need to see, and can I see it with sufficient granularity?

    • Having the right tool for the job is an important step towards effective capacity and availability management.
    • Application performance management tools (APMs) are essential to the process, but they tend to be highly specific and vertically oriented, like using a microscope.
    • Some product families can cover a wider range of capacity monitoring functions (SolarWinds, for example). It is still important, however, to codify your monitoring needs.

    "You don’t use a microscope to monitor an entire ant farm, but you might use many microscopes to monitor specific ants."

    – Fred Chagnon, Research Director, Infrastructure Practice, Info-Tech Research Group

    Monitor your sub-components: clarify visibility

    2.2a Tab 2 of the Capacity Snapshot Tool

    The next step in capacity management is establishing whether or not visibility (in the broad sense) is available into critical sub-components.

    Instructions

    1. Open the Capacity Snapshot Tool and record the list of sub-components identified in the previous step.
    2. For each sub-component answer the following question:
    • Do I have easy access to the information I need to monitor to ensure this component remains available?
  • Select “Yes” or “No” from the drop-down menus as appropriate. In the adjacent column record details about visibility into the component.
    • What tool provides the information? Where can it be found?

    The image contains a screenshot of Info-Tech's Capacity Snapshot Tool, Tab 2.

    Monitor your sub-components; determine whether or not you have sufficient granular visibility

    2.2b Tab 2 of the Capacity Snapshot Tool

    Like ideas and watches, not all types of visibility are created equal. Ensure that you have access to the right information to make capacity decisions.

    Instructions

    1. For each of the sub-components clarify the appropriate level of granularity for the visibility gained to be useful. In the case of storage, for example, is raw usage (in gigabytes) sufficient, or do you need a breakdown of what exactly is taking up the space? The network might be more complicated.
    2. Record the details of this ideation in the adjacent column.
    3. Select “Yes” or “No” from the drop-down menu to track the status of each sub-component.

    The image contains a picture of an iPhone storage screen where it breaks down the storage into the following categories: apps, media, photos, and other.

    For most mobile phone users, this breakdown is sufficient. For some, more granularity might be necessary.

    Info-Tech Insight

    Make note of monitoring tools and strategies. If anything changes, be sure to re-evaluate the visibility status. An outdated spreadsheet can lead to availability issues if management is unaware of looming problems.

    Develop strategies to ameliorate any visibility issues

    2.2c 1 hour

    The Capacity Snapshot Tool color-codes your components by status. Green – visibility and granularity are both sufficient; yellow – visibility exists, though not at sufficient granularity; and red – visibility does not exist at all.

    Instructions

    1. Write each of the yellow and red sub-components on a whiteboard or piece of chart paper.
    2. Brainstorm amelioration strategies for each of the problematic sub-components.
    • Does the current monitoring tool have sufficient functionality?
    • Does it need to be further configured/customized?
    • Do we need a whole new tool?
  • Record these strategies in the Amelioration Strategy column on tab 4 of the tool.
  • Input

    • Sub-components
    • Capacity Snapshot Tool

    Output

    • Amelioration strategies

    Materials

    • Whiteboard
    • Markers
    • Capacity Snapshot Tool

    Participants

    • Infrastructure manager

    Info-Tech Best Practice

    It might be that there is no amelioration strategy. Make note of this difficulty and highlight it as part of the risk section of the Capacity Plan Template.

    See Info-Tech’s projects on storage and network modernization for additional details

    Leverage other products for additional details on how to modernize your network and storage services.

    The process of modernizing the network is fraught with vestigial limitations. Develop a program to gather requirements and plan.

    As part of the blueprint, Modernize Enterprise Storage, the Modernize Enterprise Storage Workbook includes a section on storage capacity planning.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.2

    The image contains a screenshot of activity 2.2.

    Develop strategies to ameliorate visibility issues

    The analyst will guide workshop participants in brainstorming potential solutions to visibility issues and record them in the Capacity Snapshot Tool.

    Phase 2 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Establish visibility into core systems

    Proposed Time to Completion: 3 weeks

    Step 2.1: Define your monitoring strategy

    Review your findings with an analyst

    Discuss your monitoring strategy and ensure you have sufficient visibility for the needs of your organization.

    Then complete these activities…

    • Determine the indicators you should be tracking for each sub-component

    With these tools & templates:

    • Capacity Snapshot Tool

    Step 2.2: Implement your monitoring tool/aggregator

    Review your findings with an analyst

    Discuss your monitoring strategy and ensure you have sufficient visibility for the needs of your organization.

    Then complete these activities…

    • Clarify visibility
    • Determine whether or not you have sufficiently granular visibility
    • Develop strategies to ameliorate any visibility issues

    With these tools & templates:

    • Capacity Snapshot Tool

    Phase 2 Results & Insights:

    • Every organization’s data needs are different. Adapt data gathering, reporting, and analysis according to your services, delivery model, and business requirements.
    • Don’t confuse monitoring with management. Build a system to turn reported data into useful information that feeds into the capacity management process.

    PHASE 3

    Solicit and Incorporate Business Needs

    Step 3.1: Solicit business needs and gather data

    This step will walk you through the following activities:

    • Build relationships with business stakeholders.
    • Analyze usage data and identify trends.
    • Correlate usage trends with business needs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • System for involving business stakeholders in the capacity planning process
    • Correlated data on business level, service level, and infrastructure level capacity usage

    Summarize your capacity planning activities in the Capacity Plan Template

    The availability and capacity management summary card pictured here is a handy way to capture the results of the activities undertaken in the following phases. Note its contents carefully, and be sure to record specific outputs where appropriate. One such card should be completed for each of the gold services identified in the project’s first phase. Make note of the results of the activities in the coming phase, and populate the Capacity Snapshot Tool. These will help you populate the tool.

    The image contains a screenshot of Info-Tech's Capacity Plan Template.

    Info-Tech Best Practice

    The Capacity Plan Template is designed to be a part of a broader mapping strategy. It is not a replacement for a dedicated monitoring tool.

    Analyze historical trends as a crucial source of data

    The first place to look for information about your organization is not industry benchmarks or your gut (though those might both prove useful).

    • Where better to look than internally? Use the data you’ve gathered from your APM tool or other sources to understand your historical capacity needs and to highlight any periods of unavailability.
    • Consider monitoring the status of the capacity of each of your crucial components. The nature of this monitoring will vary based on the component in question. It can range from a rough Excel sheet all the way to a dedicated application performance monitoring tool.

    "In all cases the very first thing to do is to look at trending…The old adage is ‘you don’t steer a boat by its wake,’ however it’s also true that if something is growing at, say, three percent a month and it has been growing at three percent a month for the last twelve months, there’s a fairly good possibility that it’s going to carry on going in that direction."

    – Mike Lynch, Consultant, CapacityIQ

    Gather relevant data at the business level

    3.1a 2 hours per service

    A holistic approach to capacity management involves peering beyond the beaded curtain partitioning IT from the rest of the organization and tracking business metrics.

    Instructions

    1. Your service/application owners know how changes in business activities impact their systems. Business level capacity management involves responding to those changes. Ask service/application owners what changes will impact their capacity. Examples include:
    • Business volume (net new customers, number of transactions)
    • Staff changes (new hires, exits, etc.)
  • For each gold service, brainstorm relevant metrics. How can you capture that change in business volume?
  • Record these metrics in the summary card of the Capacity Plan Template.
  • In the notes section of the summary card record whether or not you have access to the required business metric.
  • Input

    • Brainstorming
    • List of gold services

    Output

    • Business level data

    Materials

    • In-house solution or commercial tool

    Participants

    • Capacity manager
    • Application/service owners

    Gather relevant data at the service level

    3.1b 2 hours per service

    One level of abstraction down is the service level. Service level capacity management, recall that service level capacity management is about ensuring that IT is meeting SLAs in its service provision.

    Instructions

    1. There should be internal SLAs for each service IT offers. (If not, that’s a good place to start. See Info-Tech’s research on the subject.) Prod each of your service owners for information on the metrics that are relevant for their SLAs. Consider the following:
    • Peak hours, requests per second, etc.
    • This will usually include some APM data.
  • Record these metrics in the summary card of the Capacity Plan Template.
  • Include any visibility issues in the notes in a similar section of the Capacity Plan Template.
  • Input

    • Brainstorming
    • List of gold services

    Output

    • Service level data

    Materials

    • In-house solution or commercial tool

    Participants

    • Capacity manager
    • Application/service owners

    Leverage the visibility into your infrastructure components and compare all of your data over time

    You established visibility into your components in the second phase of this project. Use this data, and that gathered at the business and service levels, to begin analyzing your demand over time.

    • Different organizations will approach this issue differently. Those with a complicated service catalog and a dedicated capacity manager might employ a tool like TeamQuest. If your operation is small, or you need to get your availability and capacity management activities underway as quickly as possible, you might consider using a simple spreadsheet software like Excel.
    • If you choose the latter option, select a level of granularity (monthly, weekly, etc.) and produce a line graph in Excel.
    • Example: Employee count (business metric)

    Jan

    Feb

    Mar

    Apr

    May

    June

    July

    74

    80

    79

    83

    84

    100

    102

    The image contains a graph using the example of employee count described above.

    Note: the strength of this approach is that it is easy to visualize. Use the same timescale to facilitate simple comparison.

    Manage, don’t just monitor; mountains of data need to be turned into information

    Information lets you make a decision. Understand the questions you don’t need to ask, and ask the right ones.

    "Often what is really being offered by many analytics solutions is just more data or information – not insights."

    – Brent Dykes, Director of Data Strategy, Domo

    Info-Tech Best Practice

    You can have all the data in the world and absolutely nothing valuable to add. Don’t fall for this trap. Use the activities in this phase to structure your data collection operation and ensure that your organization’s availability and capacity management plan is data driven.

    Analyze historical trends and track your services’ status

    3.1c Tab 3 of the Capacity Snapshot Tool

    At-a-glance – it’s how most executives consume all but the most important information. Create a dashboard that tracks the status of your most important systems.

    Instructions

    1. Consult infrastructure leaders for information about lead times for new capacity for relevant sub-components and include that information in the tool.
    • Look to historical lead times. (How long does it traditionally take to get more storage?)
    • If you’re not sure, contact an in-house expert, or speak to your vendor
  • Use tab 3 of the tool to record whether your existing capacity will be exceeded before you can stand more hardware up (red), you have a plan to ameliorate capacity issues but new capacity is not yet in place (yellow), or if you are not slated to run out of capacity any time soon (green).
  • Repeat the activity regularly. Include notes about spikes that might present capacity challenges, and information about when capacity may run out.
  • This tool collates and presents information gathered from other sources. It is not a substitute for a performance monitoring tool.

    Build a list of key business stakeholders

    3.1d 10 minutes

    Stakeholder analysis is crucial. Lines of authority can be diffuse. Understand who needs to be involved in the capacity management process early on.

    Instructions

    1. With the infrastructure team, brainstorm a group of departments, roles, and people who may impact demand on capacity.
    2. Go through the list with your team and identify stakeholders from two groups:
    • Line of business: who in the business makes use of the service?
    • Application owner: who in IT is responsible for ensuring the service is up?
  • Insert the list into section 3 of the Capacity Plan Template, and update as needed.
  • Input

    • Gold systems
    • Personnel Information

    Output

    • List of key business stakeholders

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Best Practice

    Consider which departments are most closely aligned with the business processes that fuel demand. Prioritize those that have the greatest impact. Consider the stakeholders who will make purchasing decisions for increasing infrastructure capacity.

    Organize stakeholder meetings

    3.1e 10 hours

    Establishing a relationship with your stakeholders is a necessary step in managing your capacity and availability.

    Instructions

    1. Gather as many of the stakeholders identified in the previous activity as you can and present information on availability and capacity management
    • If you can’t get everyone in the same room, a virtual meeting or even an email blast could get the job done.
  • Explain the importance of capacity and availability management
    • Consider highlighting the trade-offs between cost and availability.
  • Field any questions the stakeholders might have about the process. Be honest. The goal of this meeting is to build trust. This will come in handy when you’re gathering business requirements.
  • Propose a schedule and seek approval from all present. Include the results in section 3 of the Capacity Plan Template.
  • Input

    • List of business stakeholders
    • Hard work

    Output

    • Working relationship, trust
    • Regular meetings

    Materials

    • Work ethic
    • Executive brief

    Participants

    • Capacity manager
    • Business stakeholders

    Info-Tech Insight

    The best capacity managers develop new business processes that more closely align their role with business stakeholders. Building these relationships takes hard work, and you must first earn the trust of the business.

    Bake stakeholders into the planning process

    3.1f Ongoing

    Convince, don’t coerce. Stakeholders want the same thing you do. Bake them into the planning process as a step towards this goal.

    1. Develop a system to involve stakeholders regularly in the capacity planning process.
    • Your system will vary depending on the structure and culture of your organization.
    • See the case study on the following slide for ideas.
    • It may be as simple as setting a recurring reminder in your own calendar to touch base with stakeholders.
  • Liaise with stakeholders regularly to keep abreast of new developments.
    • Ensure stakeholders have reasonable expectations about IT’s available resources, the costs of providing capacity, and the lead times required to source additional needed capacity.
  • Draw on these stakeholders for the step “Gather information on business requirements” later in this phase.
  • Input

    • List of business stakeholders
    • Ideas

    Output

    • Capacity planning process that involves stakeholders

    Materials

    • Meeting rooms

    Participants

    • Capacity manager
    • Business stakeholders
    • Infrastructure team

    A capacity manager in financial services wrangled stakeholders and produced results

    CASE STUDY

    Industry: Financial Services

    Source: Interview

    In financial services, availability is king

    In the world of financial services, availability is absolutely crucial. High-value trades occur at all hours, and any institution that suffers outages runs the risk of losing tens of thousands of dollars, not to mention reputational damage.

    People know what they want, but sometimes they have to be herded

    While line of business managers and application owners understand the value of capacity management, it can be difficult to establish the working relationship necessary for a fruitful partnership.

    Proactively building relationships keeps services available

    He built relationships with all the department heads on the business side, and all the application owners.

    • He met with department heads quarterly.
    • He met with application owners and business liaisons monthly.

    He established a steering committee for capacity.

    He invited stakeholders to regular capacity planning meetings.

    • The first half of each meeting was high-level outlook, such as business volume and IT capacity utilization, and included stakeholders from other departments.
    • The second half of the meeting was more technical, serving the purpose for the infrastructure team.

    He scheduled lunch and learn sessions with business analysts and project managers.

    • These are the gatekeepers of information, and should know that IT needs to be involved when things come down the pipeline.

    Step 3.2: Analyze data and project future needs

    This step will walk you through the following activities:

    • Solicit needs from the business.
    • Map business needs to technical requirements, and technical requirements to infrastructure requirements.
    • Identify inefficiencies in order to remedy them.
    • Compare the data across business, component, and service levels, and project your capacity needs.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • Model of how business processes relate to technical requirements and their demand on infrastructure
    • Method for projecting future demand for your organization’s infrastructure
    • Comparison of current capacity usage to projected demand

    “Nobody tells me anything!” – the capacity manager’s lament

    Sometimes “need to know” doesn’t register with sales or marketing. Nearly every infrastructure manager can share a story about a time when someone has made a decision that has critically impacted IT infrastructure without letting anyone in IT in on the “secret.”

    In brief

    The image contains a picture of a man appearing to be overwhelmed.

    Imagine working for a media company as an infrastructure capacity manager. Now imagine that the powers that be have decided to launch a content-focused web service. Seems like something they would do, right? Now imagine you find out about it the same way the company’s subscribers do. This actually happened – and it shouldn’t have. But a similar lack of alignment makes this a real possibility for any organization. If you don’t establish a systematic plan for soliciting and incorporating business requirements, prepare to lose a chunk of your free time. The business should never be able to say, in response to “nobody tells me anything,” “nobody asked.”

    Pictured: an artist’s rendering of the capacity manager in question.

    Directly solicit requirements from the business

    3.2a 30 minutes per stakeholder

    Once you’ve established, firmly, that everyone’s on the same team, meet individually with the stakeholders to assess capacity.

    Instructions

    1. Schedule a one-on-one meeting with each line of business manager (stakeholders identified in 3.1). Ideally this will be recurring.
    • Experienced capacity managers suggest doing this monthly.
  • In the meeting address the following questions:
    • What are some upcoming major initiatives?
    • Is the department going to expand or contract in a noticeable way?
    • Have customers taken to a particular product more than others?
  • Include the schedule in the Capacity Plan Template, and consider including details of the discussion in the notes section in tab 3 of the Capacity Snapshot Tool.
  • Input

    • Stakeholder opinions

    Output

    • Business requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Sometimes line of business managers will evade or ignore you when you come knocking. They do this because they don’t know and they don’t want to give you the wrong information. Explain that a best guess is all you can ask for and allay their fears.

    Below, you will find more details about what to look for when soliciting information from the line of business manager you’ve roped into your scheme.

    1. Consider the following:
    • Projected sales pipeline
    • Business growth
    • Seasonal cycles
    • Marketing campaigns
    • New applications and features
    • New products and services
  • Encourage business stakeholders to give you their best guess for elements such as projected sales or business growth.
  • Estimate variance and provide a range. What can you expect at the low end? The high end? Record your historical projections for an idea of how accurate you are.
  • Consider carefully the infrastructure impact of new features (and record this in the notes section of the Capacity Snapshot Tool).
  • Directly solicit requirements from the business (optional)

    3.2a 1 hour

    IT staff and line of business staff come with different skillsets. This can lead to confusion, but it doesn’t have to. Develop effective information solicitation techniques.

    Instructions

    1. Gather your IT staff in a room with a whiteboard. As a group, select a gold service/line of business manager you would like to use as a “practice dummy.”
    2. Have everyone write down a question they would ask of the line of business representative in a hypothetical business/service capacity discussion.
    3. As a group discuss the merits of the questions posed:
    • Are they likely to yield productive information?
    • Are they too vague or specific?
    • Is the person in question likely to know the answer?
    • Is the information requested a guarded trade secret?
  • Discuss the findings and include any notes in section 3 of the Capacity Plan Template.
  • Input

    • Workshop participants’ ideas

    Output

    • Interview skills

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Capacity manager
    • Infrastructure staff

    Map business needs to technical requirements, and technical requirements to infrastructure requirements

    3.2b 5 hours

    When it comes to mapping technical requirements, IT alone has the ability to effectively translate business needs.

    Instructions

    1. Use your notes from stakeholder meetings to assess the impact of any changes on gold systems.
    2. For each system brainstorm with infrastructure staff (and any technical experts as necessary) about what the information gleaned from stakeholder discussions. Consider the following discussion points:
    • How has demand for the service been trending? Does it match what the business is telling us?
    • Have we had availability issues in the past?
    • Has the business been right with their estimates in the past?
  • Estimate what a change in business/service metrics means for capacity.
    • E.g. how much RAM does a new email user require?
  • Record the output in the summary card of the Capacity Plan Template.
  • Input

    • Business needs

    Output

    • Technical and infrastructure requirements

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Adapt the analysis to the needs of your organization. One capacity manager called the one-to-one mapping of business process to infrastructure demand the Holy Grail of capacity management. If this level of precision isn’t attainable, develop your own working estimates using the higher-level data

    Avoid putting too much faith in the cloud as a solution to your problem

    Has the rise of on-demand, functionally unlimited services eliminated the need for capacity and availability management?

    Capacity management

    The role of the capacity manager is changing, but it still has a purpose. Consider this:

    • Not everything can move to the cloud. For security/functionality reasons, on-premises infrastructure will continue to exist.
    • Cost management is more relevant than ever in the cloud age. Manage your instances.
    • While a cloud migration might render some component capacity management functions irrelevant, it could increase the relevance of others (the network, perhaps).

    Availability management

    Ensuring services are available is still IT’s wheelhouse, even if that means a shift to a brokerage model:

    • Business availability requirements (as part of the business impact analysis, potentially) are important; internal SLAs and contracts with vendors need to be managed.
    • Even in the cloud environment, availability is not guaranteed. Cloud providers have outages (unplanned, maintenance related, etc.) and someone will have to understand the limitations of cloud services and the impact on availability.

    Info-Tech Insight

    The cloud comes at the cost of detailed performance data. Sourcing a service through an SLA with a third party increases the need to perform your own performance testing of gold level applications. See performance monitoring.

    Beware Parkinson’s law

    A consequence of our infinite capacity for creativity, people have the enviable skill of making work. In 1955, C. Northcote Parkinson pointed out this fact in The Economist . What are the implications for capacity management?

    "It is a commonplace observation that work expands so as to fill the time available for its completion. Thus, an elderly lady of leisure can spend the entire day in writing and despatching a postcard to her niece at Bognor Regis. An hour will be spent in finding the postcard, another in hunting for spectacles, half-an-hour in a search for the address, an hour and a quarter in composition, and twenty minutes in deciding whether or not to take an umbrella when going to the pillar-box in the next street."

    C. Northcote Parkinson, The Economist, 1955

    Info-Tech Insight

    If you give people lots of capacity, they will use it. Most shops are overprovisioned, and in some cases that’s throwing perfectly good money away. Don’t be afraid to prod if someone requests something that doesn’t seem right.

    Optimally align demand and capacity

    When it comes to managing your capacity, look for any additional efficiencies.

    Questions to ask:

    • Are there any infrastructure services that are not being used to their full potential, sitting idle, or allocated to non-critical or zombie functions?
      • Are you managing your virtual servers? If, for example, you experience a seasonal spike in demand, are you leaving virtual machines running after the fact?
    • Do your organization’s policies and your infrastructure setup allow for the use of development resources for production during periods of peak demand?
    • Can you make organizational or process changes in order to satisfy demand more efficiently?

    In brief

    Who isn’t a sports fan? Big games mean big stakes for pool participants and armchair quarterbacks—along with pressure on the network as fans stream games from their work computers. One organization suffered from this problem, and, instead of taking a hardline and banning all streams, opted to stream the game on a large screen in a conference room where those interested could work for its duration. This alleviated strain on the network and kept staff happy.

    Shutting off an idle cloud to cut costs

    CASE STUDY

    Industry:Professional Services

    Source:Interview

    24/7 AWS = round-the-clock costs

    A senior developer realized that his development team had been leaving AWS instances running without any specific reason.

    Why?

    The development team appreciated the convenience of an always-on instance and, because the people spinning them up did not handle costs, the problem wasn’t immediately apparent.

    Resolution

    In his spare time over the course of a month, the senior developer wrote a program to manage the servers, including shutting them down during times when they were not in use and providing remote-access start-up when required. His team alone saved $30,000 in costs over the next six months, and his team lead reported that it would have been more than worth paying the team to implement such a project on company time.

    Identify inefficiencies in order to remediate them

    3.2c 20 minutes per service

    Instructions

    1. Gather the infrastructure team together and discuss existing capacity and demand. Use the inputs from your data analysis and stakeholder meetings to set the stage for your discussion.
    2. Solicit ideas about potential inefficiencies from your participants:
    • Are VMs effectively allocated? If you need 7 VMs to address a spike, are those VMs being reallocated post-spike?
    • Are developers leaving instances running in the cloud?
    • Are particular services massively overprovisioned?
    • What are the biggest infrastructure line items? Are there obvious opportunities for cost reduction there?
  • Record any potential opportunities in the summary of the Capacity Plan Template.
  • Input

    • Gold systems
    • Data inputs

    Output

    • Inefficiencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    The most effective capacity management takes a holistic approach and looks at the big picture in order to find ways to eliminate unnecessary infrastructure usage, or to find alternate or more efficient sources of required capacity.

    Dodging the toll troll by rerouting traffic

    CASE STUDY

    Industry:Telecommunications

    Source: Interview

    High-cost lines

    The capacity manager at a telecommunications provider mapped out his firm’s network traffic and discovered they were using a number of VP circuits (inter building cross connects) that were very expensive on the scale of their network.

    Paying the toll troll

    These VP circuits were supplying needed network services to the telecom provider’s clients, so there was no way to reduce this demand.

    Resolution

    The capacity manager analyzed where the traffic was going and compared this to the cost of the lines they were using. After performing the analysis, he found he could re-route much of the traffic away from the VP circuits and save on costs while delivering the same level of service to their users.

    Compare the data across business, component, and service levels, and project your capacity needs

    3.2d 2 hour session/meeting

    Make informed decisions about capacity. Remember: retain all documentation. It might come in handy for the justification of purchases.

    Instructions

    1. Using either a dedicated tool or generic spreadsheet software like Excel or Sheets, evaluate capacity trends. Ask the following questions:
    • Are there times when application performance degraded, and the service level was disrupted?
    • Are there times when certain components or systems neared, reached, or exceeded available capacity?
    • Are there seasonal variations in demand?
    • Are there clear trends, such as ongoing growth of business activity or the usage of certain applications?
    • What are the ramifications of trends or patterns in relation to infrastructure capacity?
  • Use the insight gathered from stakeholders during the stakeholder meetings, project required capacity for the critical components of each gold service.
  • Record the results of this activity in the summary card of the Capacity Plan Template.
  • Compare current capacity to your projections

    3.2e Section 5 of the Capacity Plan Template

    Capacity management (and, by extension, availability management) is a combination of two balancing acts: cost against capacity and supply and demand.*

    Instructions

    1. Compare your projections with your reality. You already know whether or not you have enough capacity given your lead times. But do you have too much? Compare your sub-component capacity projections to your current state.
    2. Highlight any outliers. Is there a particular service that is massively overprovisioned?
    3. Evaluate the reasons for the overprovisioning.
    • Is the component critically important?
    • Did you get a great deal on hardware?
    • Is it an oversight?
  • Record the results in the notes section of the summary card of the Capacity Plan Template.
  • *Office of Government Commerce 2001, 119.

    In brief

    The fractured nature of the capacity management space means that every organization is going to have a slightly different tooling strategy. No vendor has dominated, and every solution requires some level of customization. One capacity manager (a cloud provider, no less!) relayed a tale about a capacity management Excel sheet programmed with 5,000+ lines of code. As much work as that is, a bespoke solution is probably unavoidable.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.2

    The image contains a screenshot of activity 3.2.

    Map business needs to technical requirements and technical requirements to infrastructure requirements

    The analyst will guide workshop participants in using their organization’s data to map out the relationships between applications, technical requirements, and the underlying infrastructure usage.

    Phase 3 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Solicit and incorporate business needs

    Proposed Time to Completion: 2 weeks

    Step 3.1: Solicit business needs and gather data

    Review your findings with an analyst

    Discuss the effectiveness of your strategies to involve business stakeholders in the planning process and your methods of data collection and analysis.

    Then complete these activities…

    • Analyze historical trends and track your services’ status
    • Build a list of key business stakeholders
    • Bake stakeholders into the planning process

    With these tools & templates:

    Capacity Plan Template

    Step 3.2: Analyze data and project future needs

    Review your findings with an analyst

    Discuss the effectiveness of your strategies to involve business stakeholders in the planning process and your methods of data collection and analysis.

    Then complete these activities…

    • Map business needs to technical requirements and technical requirements to infrastructure requirements
    • Compare the data across business, component, and service levels, and project your capacity needs
    • Compare current capacity to your projections

    With these tools & templates:

    Capacity Snapshot Tool

    Capacity Plan Template

    Phase 3 Results & Insights:

    • Develop new business processes that more closely align your role with business stakeholders. Building these relationships takes hard work, and won’t happen overnight.
    • Take a holistic approach to eliminate unnecessary infrastructure usage or source capacity more efficiently.

    PHASE 4

    Identify and Mitigate Risks

    Step 4.1: Identify and mitigate risks

    This step will walk you through the following activities:

    • Identify potential risks.
    • Determine strategies to mitigate risks.
    • Complete your capacity management plan.

    This involves the following participants:

    • Capacity manager
    • Infrastructure team members
    • Business stakeholders

    Outcomes of this step

    • Strategies for reducing risks
    • Capacity management plan

    Understand what happens when capacity/availability management fails

    1. Services become unavailable. If availability and capacity management are not constantly practiced, an inevitable consequence is downtime or a reduction in the quality of that service. Critical sub-component failures can knock out important systems on their own.
    2. Money is wasted. In response to fears about availability, it’s entirely possible to massively overprovision or switch entirely to a pay-as-you-go model. This, unfortunately, brings with it a whole host of other problems, including overspending. Remember: infinite capacity means infinite potential cost.
    3. IT remains reactive and is unable to contribute more meaningfully to the organization. If IT is constantly putting out capacity/availability-related fires, there is no room for optimization and activities to increase organizational maturity. Effective availability and capacity management will allow IT to focus on other work.

    Mitigate availability and capacity risks

    Availability: how often a service is usable (that is to say up and not too degraded to be effective). Consequences of reduced availability can include financial losses, impacted customer goodwill, and reduced faith in IT more generally.

    Causes of availability issues:

    • Poor capacity management – a service becomes unavailable when there is insufficient supply to meet demand. This is the result of poor capacity management.
    • Scheduled maintenance – services go down for maintenance with some regularity. This needs to be baked into service-level negotiations with vendors.
    • Vendor outages – sometimes vendors experience unplanned outages. There is typically a contract provision that covers unplanned outages, but that doesn’t change the fact that your service will be interrupted.

    Capacity: a particular component’s/service’s/business’ wiggle room. In other words, its usage ceiling.

    Causes of capacity issues:

    • Poor demand management – allowing users to run amok without any regard for how capacity is sourced and paid for.
    • Massive changes in legitimate demand – more usage means more demand.
    • Poor capacity planning – predictable changes in demand that go unaddressed can lead to capacity issues.

    Add additional potential causes of availability and capacity risks as needed

    4.1a 30 minutes

    Availability and capacity issues can stem from a number of different causes. Include a list in your availability and capacity management plan.

    Instructions

    1. Gather the group together. Go around the room and have participants provide examples of incidents and problems that have been the result of availability and capacity issues.
    2. Pose questions to the group about the source of those availability and capacity issues.
    • What could have been done differently to avoid these issues?
    • Was the availability/capacity issue a result of a faulty internal/external SLA?
  • Record the results of the exercise in sections 4.1 and 4.2 of the Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Additional sources of availability and capacity risks

    Materials

    • Capacity Plan Template

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    Availability and capacity problems result in incidents, critical incidents, and problems. These are addressed in a separate project (incident and problem management), but information about common causes can streamline that process.

    Identify capacity risks and mitigate them

    4.1b 30 minutes

    Based on your understanding of your capacity needs (through written SLAs and informal but regular meetings with the business) highlight major risks you foresee.

    Instructions

    1. Make a chart with two columns on a whiteboard. They should be labelled “risk” and “mitigation” respectively.
    2. Record risks to capacity you have identified in earlier activities.
    • Refer to the Capacity Snapshot Tool for components that are highlighted in red and yellow. These are specific components that present special challenges. Identify the risk(s) in as much detail as possible. Include service and business risks as well.
    • Examples: a marketing push will put pressure on the web server; a hiring push will require more Office 365 licenses; a downturn in registration will mean that fewer VMs will be required to run the service.

    Input

    • Capacity Snapshot Tool results

    Output

    • Inefficiencies

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    It’s an old adage, but it checks out: don’t come to the table armed only with problems. Be a problem solver and prove IT’s value to the organization.

    Identify capacity risks and mitigate them (cont.)

    4.1b 1.5 hours

    Instructions (cont.)

    1. Begin developing mitigation strategies. Options for responding to known capacity risks fall into one of two camps:
    • Acceptance: responding to the risk is costlier than acknowledging its existence without taking any action. For gold systems, acceptance is typically not acceptable.
    • Mitigation: limiting/reducing, eliminating, or transferring risk (Herrera) comprise the sort of mitigation discussed here.
      • Limiting/reducing: taking steps to improve the capacity situation, but accepting some level of risk (spinning up a new VM, pushing back on demands from the business, promoting efficiency).
      • Eliminating: the most comprehensive (and most expensive) mitigation strategy, elimination could involve purchasing a new server or, at the extreme end, building a new datacenter.
      • Transfer: “robbing Peter to pay Paul,” in the words of capacity manager Todd Evans, is one potential way to limit your exposure. Is there a less critical service that can be sacrificed to keep your gold service online?
  • Record the results of this exercise in section 5 of the Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Capacity risk mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Insight

    It’s an old adage, but it checks out: don’t come to the table armed only with problems. Be a problem solver and prove IT’s value to the organization.

    Identify availability risks and mitigate them

    4.1c 30 minutes

    While capacity management is a form of availability management, it is not the only form. In this activity, outline the specific nature of threats to availability.

    Instructions

    1. Make a chart with two columns on a whiteboard. They should be labelled “risk” and “mitigation” respectively.
    2. Begin brainstorming general availability risks based on the following sources of information/categories:
    • Vendor outages
    • Disaster recovery
    • Historical availability issues

    The image contains a large blue circle labelled: Availability. Also in the blue circle is a small red circle labelled: Capacity.

    Input

    • Capacity Snapshot Tool results

    Output

    • Availability risks and mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Info-Tech Best Practice

    A dynamic central repository is a good way to ensure that availability issues stemming from a variety of causes are captured and mitigated.

    Identify availability risks and mitigate them (cont.)

    4.1c 1.5 hours

    Although it is easier said than done, identifying potential mitigations is a crucial part of availability management as an activity.

    Instructions (cont.)

    1. Begin developing mitigation strategies. Options for responding to known capacity risks fall into one of two camps:
    • Acceptance – responding to the risk is costlier than taking it on. Some unavailability is inevitable, between maintenance and unscheduled downtime. Record this, though it may not require immediate action.
    • Mitigation strategies:
      • Limiting/reducing – taking steps to increase availability of critical systems. This could include hot spares for unreliable systems or engaging a new vendor.
      • Eliminating – the most comprehensive (and most expensive) mitigation strategy. It could include selling.
      • Transfer – “robbing Peter to pay Paul,” in the words of capacity manager Todd Evans, is one potential way to limit your exposure. Is there a less critical service that can be sacrificed to keep your gold service online?
  • Record the results of this exercise in section 5 of Capacity Plan Template.
  • Input

    • Capacity Snapshot Tool results

    Output

    • Availability risks and mitigations

    Materials

    • Whiteboard
    • Markers

    Participants

    • Capacity manager
    • Infrastructure staff

    Iterate on the process and present your completed availability and capacity management plan

    The stakeholders consulted as part of the process will be interested in its results. Share them, either in person or through a collaboration tool.

    The current status of your availability and capacity management plan should be on the agenda for every stakeholder meeting. Direct the stakeholders’ attention to the parts of the document that are relevant to them, and solicit their thoughts on the document’s accuracy. Over time you should get a pretty good idea of who among your stakeholder group is skilled at projecting demand, and who over- or underestimates, and by how much. This information will improve your projections and, therefore, your management over time.

    Info-Tech Insight

    Use the experience gained and the artifacts generated to build trust with the business. The meetings should be regular, and demonstrating that you’re actually using the information for good is likely to make hesitant participants in the process more likely to open up.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

    The image contains a picture of an Info-Tech analyst.

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    The image contains a screenshot of activity 4.1.

    Identify capacity risks and mitigate them

    The analyst will guide workshop participants in identifying potential risks to capacity and determining strategies for mitigating them.

    Phase 4 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Identify and mitigate risks

    Proposed Time to Completion: 1 week

    Step 4.1: Identify and mitigate risks

    Review your findings with an analyst

    • Discuss your potential risks and your strategies for mitigating those risks.

    Then complete these activities…

    • Identify capacity risks and mitigate them
    • Identify availability risks and mitigate them
    • Complete your capacity management plan

    With these tools & templates:

    Capacity Snapshot Tool

    Capacity Plan Template

    Phase 4 Results & Insights:

    • Be a problem solver and prove IT’s value to the organization. Capacity management allows infrastructure to drive business value.
    • Iterate and share results. Reinforce your relationships with stakeholders and continue to refine how capacity management transforms your organization’s business processes.

    Insight breakdown

    Insight 1

    Components are critical to availability and capacity management.

    The CEO doesn’t care about the SMTP server. She cares about meeting customer needs and producing profit. For IT capacity and availability managers, though, the devil is in the details. It only takes one faulty component to knock out a service. Keep track and keep the lights on.

    Insight 2

    Ask what the business is working on, not what they need.

    If you ask them what they need, they’ll tell you – and it won’t be cheap. Find out what they’re going to do, and use your expertise to service those needs. Use your IT experience to estimate the impact of business and service level changes on the components that secure the availability you need.

    Insight 3

    Cloud shmoud.

    The role of the capacity manager might be changing with the advent of the public cloud, but it has not disappeared. Capacity managers in the age of the cloud are responsible for managing vendor relationships, negotiating external SLAs, projecting costs and securing budgets, reining in prodigal divisions, and so on.

    Summary of accomplishment

    Knowledge Gained

    • Impact of downtime on the organization
    • Gold systems
    • Key dependencies and sub-components
    • Strategy for monitoring components
    • Strategy for soliciting business needs
    • Projected capacity needs
    • Availability and capacity risks and mitigations

    Processes Optimized

    • Availability management
    • Capacity management

    Deliverables Completed

    • Business Impact Analysis
    • Capacity Plan Template

    Project step summary

    Client Project: Develop an Availability and Capacity Management Plan

    1. Conduct a business impact analysis
    2. Assign criticality ratings to services
    3. Define your monitoring strategy
    4. Implement your monitoring tool/aggregator
    5. Solicit business needs and gather data
    6. Analyze data and project future needs
    7. Identify and mitigate risks

    Info-Tech Insight

    This project has the ability to fit the following formats:

    • Onsite workshop by Info-Tech Research Group consulting analysts.
    • Do-it-yourself with your team.
    • Remote delivery via Info-Tech Guided Implementation.

    Research contributors and experts

    The image contains a picture of Adrian Blant.

    Adrian Blant, Independent Capacity Consultant, IT Capability Solutions

    Adrian has over 15 years' experience in IT infrastructure. He has built capacity management business processes from the ground up, and focused on ensuring a productive dialogue between IT and the business.

    The image contains a picture of James Zhang.

    James Zhang, Senior Manager Disaster Recovery, AIG Technology

    James has over 20 years' experience in IT and 10 years' experience in capacity management. Throughout his career, he has focused on creating new business processes to deliver value and increase efficiency over the long term.

    The image contains a picture of Mayank Banerjee.

    Mayank Banerjee, CTO, Global Supply Chain Management, HelloFresh

    Mayank has over 15 years' experience across a wide range of technologies and industries. He has implemented highly automated capacity management processes as part of his role of owning and solving end-to-end business problems.

    The image contains a picture of Mike Lynch

    Mike Lynch, Consultant, CapacityIQ

    Mike has over 20 years' experience in IT infrastructure. He takes a holistic approach to capacity management to identify and solve key problems, and has developed automated processes for mapping performance data to information that can inform business decisions.

    The image contains a picture of Paul Waguespack.

    Paul Waguespack, Manager of Application Systems Engineering, Tufts Health Plan

    Paul has over 10 years' experience in IT. He has specialized in implementing new applications and functionalities throughout their entire lifecycle, and integrating with all aspects of IT operations.

    The image contains a picture of Richie Mendoza.

    Richie Mendoza, IT Consultant, SMITS Inc.

    Richie has over 10 years' experience in IT infrastructure. He has specialized in using demand forecasting to guide infrastructure capacity purchasing decisions, to provide availability while avoiding costly overprovisioning.

    The image contains a picture of Rob Thompson.

    Rob Thompson, President, IT Tools & Process

    Rob has over 30 years’ IT experience. Throughout his career he has focused on making IT a generator of business value. He now runs a boutique consulting firm.

    Todd Evans, Capacity and Performance Management SME, IBM

    Todd has over 20 years' experience in capacity and performance management. At Kaiser Permanente, he established a well-defined mapping of the businesses workflow processes to technical requirements for applications and infrastructure.

    Bibliography

    451 Research. “Best of both worlds: Can enterprises achieve both scalability and control when it comes to cloud?” 451 Research, November 2016. Web.

    Allen, Katie. “Work Also Shrinks to Fit the Time Available: And We Can Prove It.” The Guardian. 25 Oct. 2017.

    Amazon. “Amazon Elastic Compute Cloud.” Amazon Web Services. N.d. Web.

    Armandpour, Tim. “Lies Vendors Tell about Service Level Agreements and How to Negotiate for Something Better.” Network World. 12 Jan 2016.

    “Availability Management.” ITIL and ITSM World. 2001. Web.

    Availability Management Plan Template. Purple Griffon. 30 Nov. 2012. Web.

    Bairi, Jayachandra, B., Murali Manohar, and Goutam Kumar Kundu. “Capacity and Availability Management by Quantitative Project Management in the IT Service Industry.” Asian Journal on Quality 13.2 (2012): 163-76. Web.

    BMC Capacity Optimization. BMC. 24 Oct 2017. Web.

    Brooks, Peter, and Christa Landsberg. Capacity Management in Today’s IT Environment. MentPro. 16 Aug 2017. Web.

    "Capacity and Availability Management." CMMI Institute. April 2017. Web.

    Capacity and Availability Management. IT Quality Group Switzerland. 24 Oct. 2017. Web.

    Capacity and Performance Management: Best Practices White Paper. Cisco. 4 Oct. 2005. Web.

    "Capacity Management." Techopedia.

    “Capacity Management Forecasting Best Practices and Recommendations.” STG. 26 Jan 2015. Web.

    Capacity Management from the Ground up. Metron. 24 Oct. 2017. Web.

    Capacity Management in the Modern Datacenter. Turbonomic. 25 Oct. 2017. Web.

    Capacity Management Maturity Assessing and Improving the Effectiveness. Metron. 24 Oct. 2017. Web.

    “Capacity Management Software.” TeamQuest. 24 Oct 2017. Web,

    Capacity Plan Template. Purainfo. 11 Oct 2012. Web.

    “Capacity Planner—Job Description.” Automotive Industrial Partnership. 24 Oct. 2017. Web.

    Capacity Planning. CDC. Web. Aug. 2017.

    "Capacity Planning." TechTarget. 24 Oct 2017. Web.

    “Capacity Planning and Management.” BMC. 24 Oct 2017. Web.

    "Checklist Capacity Plan." IT Process Wiki. 24 Oct. 2017. Web.

    Dykes, Brent. “Actionable Insights: The Missing Link Between Data and Business Value.” Forbes. April 26, 2016. Web.

    Evolved Capacity Management. CA Technologies. Oct. 2013. Web.

    Francis, Ryan. “False positives still cause threat alert fatigue.” CSO. May 3, 2017. Web.

    Frymire, Scott. "Capacity Planning vs. Capacity Analytics." ScienceLogic. 24 Oct. 2017. Web.

    Glossary. Exin. Aug. 2017. Web.

    Herrera, Michael. “Four Types of Risk Mitigation and BCM Governance, Risk and Compliance.” MHA Consulting. May 17, 2013.

    Hill, Jon. How to Do Capacity Planning. TeamQuest. 24 Oct. 2017. Web.

    “How to Create an SLA in 7 Easy Steps.” ITSM Perfection. 25 Oct. 2017. Web.

    Hunter, John. “Myth: If You Can’t Measure It: You Can’t Manage It.” W. Edwards Deming Institute Blog. 13 Aug 2015. Web.

    IT Service Criticality. U of Bristol. 24 Oct. 2017. Web.

    "ITIL Capacity Management." BMC's Complete Guide to ITIL. BMC Software. 22 Dec. 2016. Web.

    “Just-in-time.” The Economist. 6 Jul 2009. Web.

    Kalm, Denise P., and Marv Waschke. Capacity Management: A CA Service Management Process Map. CA. 24 Oct. 2017. Web.

    Klimek, Peter, Rudolf Hanel, and Stefan Thurner. “Parkinson’s Law Quantified: Three Investigations in Bureaucratic Inefficiency.” Journal of Statistical Mechanics: Theory and Experiment 3 (2009): 1-13. Aug. 2017. Web.

    Landgrave, Tim. "Plan for Effective Capacity and Availability Management in New Systems." TechRepublic. 10 Oct. 2002. Web.

    Longoria, Gina. “Hewlett Packard Enterprise Goes After Amazon Public Cloud in Enterprise Storage.” Forbes. 2 Dec. 2016. Web.

    Maheshwari, Umesh. “Understanding Storage Capacity.” NimbleStorage. 7 Jan. 2016. Web.

    Mappic, Sandy. “Just how complex can a Login Transaction be? Answer: Very!” Appdynamics. Dec. 11 2011. Web.

    Miller, Ron. “AWS Fires Back at Larry Ellison’s Claims, Saying It’s Just Larry Being Larry.” Tech Crunch. 2 Oct. 2017. Web.

    National College for Teaching & Leadership. “The role of data in measuring school performance.” National College for Teaching & Leadership. N.d. Web,

    Newland, Chris, et al. Enterprise Capacity Management. CETI, Ohio State U. 24 Oct. 2017. Web.

    Office of Government Commerce . Best Practice for Service Delivery. London: Her Majesty’s Stationery Office, 2001.

    Office of Government Commerce. Best Practice for Business Perspective: The IS View on Delivering Services to the Business. London: Her Majesty’s Stationery Office, 2004.

    Parkinson, C. Northcote. “Parkinson’s Law.” The Economist. 19 Nov. 1955. Web.

    “Parkinson’s Law Is Proven Again.” Financial Times. 25 Oct. 2017. Web.

    Paul, John, and Chris Hayes. Performance Monitoring and Capacity Planning. VM Ware. 2006. Web.

    “Reliability and Validity.” UC Davis. N.d. Web.

    "Role: Capacity Manager." IBM. 2008. Web.

    Ryan, Liz. “‘If You Can’t Measure It, You Can’t Manage It’: Not True.” Forbes. 10 Feb. 2014. Web.

    S, Lalit. “Using Flexible Capacity to Lower and Manage On-Premises TCO.” HPE. 23 Nov. 2016. Web.

    Snedeker, Ben. “The Pros and Cons of Public and Private Clouds for Small Business.” Infusionsoft. September 6, 2017. Web.

    Statement of Work: IBM Enterprise Availability Management Service. IBM. Jan 2016. Web.

    “The Road to Perfect AWS Reserved Instance Planning & Management in a Nutshell.” Botmetric. 25 Oct. 2017. Web.

    Transforming the Information Infrastructure: Build, Manage, Optimize. Asigra. Aug. 2017. Web.

    Valentic, Branimir. "Three Faces of Capacity Management." ITIL/ISO 20000 Knowledge Base. Advisera. 24 Oct. 2017. Web.

    "Unify IT Performance Monitoring and Optimization." IDERA. 24 Oct. 2017. Web.

    "What is IT Capacity Management?" Villanova U. Aug. 2017. Web.

    Wolstenholme, Andrew. Final internal Audit Report: IT Availability and Capacity (IA 13 519/F). Transport For London. 23 Feb. 2015. Web.

    Lead Strategic Decision Making With Service Portfolio Management

    • Buy Link or Shortcode: {j2store}397|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • There are no standardized processes for the intake of new ideas and no consistent view of the drivers needed to assess the value of these ideas.
    • IT is spending money on low-value services and doesn’t have the ability to understand and track value in order to prioritize IT investment.
    • CIOs are not trusted to drive innovation.

    Our Advice

    Critical Insight

    • The service portfolio empowers IT to be a catalyst in business strategy, change, and growth.
    • IT must drive value-based investment by understanding value of all services in the portfolio.
    • Organizations must assess the value of their services throughout their lifecycle to optimize business outcomes and IT spend.

    Impact and Result

    • Optimize IT investments by prioritizing services that provide more value to the business, ensuring that you do not waste money on low-value or out-of-date IT services.
    • Ensure that services are directly linked to business objectives, goals, and needs, keeping IT embedded in the strategic vision of the organization.
    • Enable the business to understand the impact of IT capabilities on business strategy.
    • Ensure that IT maintains a strategic and tactical view of the services and their value.
    • Drive agility and innovation by having a streamlined view of your business value context and a consistent intake of ideas.
    • Provide strategic leadership and create new revenue by understanding the relative value of new ideas vs. existing services.

    Lead Strategic Decision Making With Service Portfolio Management Research & Tools

    Start here – read the Executive Brief

    Service portfolio management enables organizations to become strategic value creators by establishing a dynamic view of service value. Understand the driving forces behind the need to manage services through their lifecycles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish the service portfolio

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 1: Establish the Service Portfolio
    • Service Portfolio Worksheet

    2. Develop a value assessment framework

    Use the value assessment tool to assess services based on the organization’s context of value.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 2: Develop a Value Assessment Framework
    • Value Assessment Tool
    • Value Assessment Example Tool

    3. Manage intake and assessment of initiatives

    Create a centralized intake process to manage all new service ideas.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 3: Manage Intake and Assessment of Initiatives
    • Service Intake Form

    4. Assess active services

    Continuously validate the value of the existing service and determine the future of service based on the value and usage of the service.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 4: Assess Active Services

    5. Manage and communicate the service portfolio

    Communicate and implement the service portfolio within the organization, and create a mechanism to seek out continuous improvement opportunities.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 5: Manage and Communicate the Service Portfolio
    [infographic]

    Workshop: Lead Strategic Decision Making With Service Portfolio Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Service Portfolio

    The Purpose

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    Understand at a high level the steps involved in managing the service portfolio.

    Key Benefits Achieved

    Adapt the Service Portfolio Worksheet to organizational needs and create a plan to begin documenting services in the worksheet.

    Activities

    1.1 Review the Service Portfolio Worksheet.

    1.2 Adapt the Service Portfolio Worksheet.

    Outputs

    Knowledge about the use of the Service Portfolio Worksheet.

    Adapt the worksheet to reflect organizational needs and structure.

    2 Develop a Value Assessment Framework

    The Purpose

    Understand the need for a value assessment framework.

    Key Benefits Achieved

    Identify the organizational context of value through a holistic look at business objectives.

    Leverage Info-Tech’s Value Assessment Tool to validate and determine service value.

    Activities

    2.1 Understand value from business context.

    2.2 Determine the governing body.

    2.3 Assess culture and organizational structure.

    2.4 Complete the value assessment.

    2.5 Discuss value assessment score.

    Outputs

    Alignment on value context.

    Clear roles and responsibilities established.

    Ensure there is a supportive organizational structure and culture in place.

    Understand how to complete the value assessment and obtain a value score for selected services.

    Understand how to interpret the service value score.

    3 Manage Intake and Assessment of Initiatives

    The Purpose

    Create a centralized intake process to manage all new service ideas.

    Key Benefits Achieved

    Encourage collaboration and innovation through a transparent, formal, and centralized service intake process.

    Activities

    3.1 Review or design the service intake process.

    3.2 Review the Service Intake Form.

    3.3 Design a process to assess and transfer service ideas.

    3.4 Design a process to transfer completed services to the service catalog.

    Outputs

    Create a centralized process for service intake.

    Complete the Service Intake Form for a specific initiative.

    Have a process designed to transfer approved projects to the PMO.

    Have a process designed for transferring of completed services to the service catalog.

    4 Assess Active Services

    The Purpose

    Continuously validate the value of existing services.

    Key Benefits Achieved

    Ensure services are still providing the expected outcome.

    Clear next steps for services based on value.

    Activities

    4.1 Discuss/review management of active services.

    4.2 Complete value assessment for an active service.

    4.3 Determine service value and usage.

    4.4 Determine the next step for the service.

    4.5 Document the decision regarding the service outcome.

    Outputs

    Understand how active services must be assessed throughout their lifecycles.

    Understand how to assess an existing service.

    Place the service on the 2x2 matrix based on value and usage.

    Understand the appropriate next steps for services based on value.

    Formally document the steps for each of the IRMR options.

    5 Manage and Communicate Your Service Portfolio

    The Purpose

    Communicate and implement the service portfolio within the organization.

    Key Benefits Achieved

    Obtain buy-ins for the process.

    Create a mechanism to identify changes within the organization and to seek out continuous improvement opportunities for the service portfolio management process and procedures.

    Activities

    5.1 Create a communication plan for service portfolio and value assessment.

    5.2 Create a communication plan for service intake.

    5.3 Create a procedure to continuously validate the process.

    Outputs

    Document the target audience, the message, and how the message should be communicated.

    Document techniques to encourage participation and promote participation from the organization.

    Document the formal review process, including cycle, roles, and responsibilities.

    Mitigate Key IT Employee Knowledge Loss

    • Buy Link or Shortcode: {j2store}511|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $12,314 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge - which, when lost, results in decreased productivity, increased risk, and money out the door.

    Our Advice

    Critical Insight

    • Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge – which, when lost, results in decreased productivity, increased risk, and money out the door. It’s estimated that Fortune 500 companies lose approximately $31.5 billion each year by failing to share knowledge.
    • Don’t follow a one-size-fits-all approach to knowledge transfer strategy! Right-size your approach based on your business goals.
    • Prioritize knowledge transfer candidates based on their likelihood of departure and the impact of losing that knowledge.
    • Select knowledge transfer tactics based on the type of knowledge that needs to be captured – explicit or tacit.

    Impact and Result

    Successful completion of the IT knowledge transfer project will result in the following outcomes:

    1. Approval for IT knowledge transfer project obtained.
    2. Knowledge and stakeholder risks identified.
    3. Effective knowledge transfer plans built.
    4. Knowledge transfer roadmap built.
    5. Knowledge transfer roadmap communicated and approval obtained.

    Mitigate Key IT Employee Knowledge Loss Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Mitigate Key IT Employee Knowledge Loss Deck – A step-by-step document that walks you through how to transfer knowledge on your team to mitigate risks from employees leaving the organization.

    Minimize risk and IT costs resulting from attrition through effective knowledge transfer.

    • Mitigate Key IT Employee Knowledge Loss Storyboard

    2. Project Stakeholder Register Template – A template to help you identify and document project management stakeholders.

    Use this template to document the knowledge transfer stakeholder power map by identifying the stakeholder’s name and role, and identifying their position on the power map.

    • Project Stakeholder Register Template

    3. IT Knowledge Transfer Project Charter Template – Define your project and lay the foundation for subsequent knowledge transfer project planning

    Use this template to communicate the value and rationale for knowledge transfer to key stakeholders.

    • IT Knowledge Transfer Project Charter Template

    4. IT Knowledge Transfer Risk Assessment Tool – Identify the risk profile of knowledge sources and the knowledge they have

    Use this tool to identify and assess the knowledge and individual risk of key knowledge holders.

    • IT Knowledge Transfer Risk Assessment Tool

    5. IT Knowledge Transfer Plan Template – A template to help you determine the most effective knowledge transfer tactics to be used for each knowledge source by listing knowledge sources and their knowledge, identifying type of knowledge to be transferred and choosing tactics that are appropriate for the knowledge type

    Use this template to track knowledge activities, intended recipients of knowledge, and appropriate transfer tactics for each knowledge source.

    • IT Knowledge Transfer Plan Template

    6. IT Knowledge Identification Interview Guide Template – A template that provides a framework to conduct interviews with knowledge sources, including comprehensive questions that cover what type of knowledge a knowledge source has and how unique the knowledge is

    Use this template as a starting point for managers to interview knowledge sources to extract information about the type of knowledge the source has.

    • IT Knowledge Identification Interview Guide Template

    7. IT Knowledge Transfer Roadmap Presentation Template – A presentation template that provides a vehicle used to communicate IT knowledge transfer recommendations to stakeholders to gain buy-in

    Use this template as a starting point to build your proposed IT knowledge transfer roadmap presentation to management to obtain formal sign-off and initiate the next steps in the process.

    • IT Knowledge Transfer Roadmap Presentation Template
    [infographic]

    Workshop: Mitigate Key IT Employee Knowledge Loss

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    Further reading

    Mitigate Key IT Employee Knowledge Loss

    Transfer IT knowledge before it’s gone.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge1 which, when lost, results in decreased productivity, increased risk, and money out the door. You need to:

    • Build a strategic roadmap to retain and share knowledge.
    • Build a knowledge transfer strategy based on your organization’s business goals.
    • Increase departmental efficiencies through increased collaboration.
    • Retain key IT knowledge
    • Improve junior employee engagement by creating development opportunities.
    • Don’t follow a one-size fits all approach. Right-size your approach based on your organizational goals.
    • Prioritize knowledge transfer candidates based on their likelihood of departure and the impact of losing that knowledge.
    • What you’re transferring impacts how you should transfer it. Select knowledge transfer tactics based on the type of knowledge that needs to be captured – explicit or tacit.

    Our client-tested methodology and project steps allow you to tailor your knowledge transfer plan to any size of organization, across industries. Successful completion of the IT knowledge transfer project will result in the following outcomes:

    • Approval for IT knowledge transfer project obtained.
    • Knowledge and stakeholder risks identified.
    • Effective knowledge transfer plans built.
    • Knowledge transfer roadmap built.
    • Knowledge transfer roadmap communicated.

    Info-Tech Insight

    Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge which, when lost, results in decreased productivity, increased risk, and money out the door.1

    1 McLean & Company, 2016, N=120

    Stop your knowledge from walking out the door

    Today, the value of an organization has less to do with its fixed assets and more to do with its intangible assets. Intangible assets include patents, research and development, business processes and software, employee training, and employee knowledge and capability.

    People (and their knowledge and capabilities) are an organization’s competitive advantage and with the baby boomer retirement looming, organizations need to invest in capturing employee knowledge before the employees leave. Losing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, severed relationships, and missed opportunities.

    Knowledge Transfer (KT) is the process and tactics by which intangible assets – expertise, knowledge, and capabilities – are transferred from one stakeholder to another. A well-devised knowledge transfer plan will mitigate the risk of knowledge loss, yet as many as 74%2 of organizations have no formal approach to KT – and it’s costing them money, reputation, and time.

    84%of all enterprise value on the S&P 500 is intangibles.3

    $31.5 billion lost annually by Fortune 500 companies failing to share knowledge. 1

    74% of organizations have no formal process for facilitating knowledge transfer. 2

    1 Shedding Light on Knowledge Management, 2004, p. 46

    2 McLean & Company, 2016, N=120

    3 Visual Capitalists, 2020

    Losing knowledge will undermine your organization’s strategy in four ways

    In a worst-case scenario, key employees leaving will result in the loss of valuable knowledge, core business relationships, and profits.

    1

    Inefficiency due to “reinvention of the wheel.” When older workers leave and don’t effectively transfer their knowledge, younger generations duplicate effort to solve problems and find solutions.

    2

    Loss of competitive advantage. What and who you know is a tremendous source of competitive edge. Losing knowledge and/or established client relationships hurts your asset base and stifles growth, especially in terms of proprietary or unique knowledge.

    3

    Reduced capacity to innovate. Older workers know what works and what doesn’t, as well as what’s new and what’s not. They can identify the status quo faster, to make way for novel thinking.

    4

    Increased vulnerability. One thing that comes with knowledge is a deeper understanding of risk. Losing knowledge can impede your organizational ability to identify, understand, and mitigate risks. You’ll have to learn through experience all over again.

    Are you part of the 74% of organizations with no knowledge transfer planning in place? Can you afford not to have it?

    Consider this:

    55-60

    67%

    78%

    $14k / minute

    the average age of mainframe workers – making close to 50% of workers over 60.2

    of Fortune 100 companies still use mainframes3 requiring. specialized skills and knowledge

    of CIOs report mainframe applications will remain a key asset in the next decade.1

    is the cost of mainframe outages for an average enterprise.1

    A system failure to a mainframe could be disastrous for organizations that haven’t effectively transferred key knowledge. Now think past the mainframe to key processes, customer/vendor relationships, legal requirements, home grown solutions etc. in your organization.

    What would knowledge loss cost you in terms of financial and reputational loss?

    Source: 1 Big Tech Problem as Mainframes Outlast Workforce

    Source: 2 IT's most wanted: Mainframe programmers

    Source: 3The State of the Mainframe, 2022

    Case Study

    Insurance organization fails to mitigate risk of employee departure and incurs costly consequences – in the millions

    INDUSTRY: Insurance

    SOURCE: ITRG Member

    Challenge

    Solution

    Results

    • A rapidly growing organization's key Senior System Architect unexpectedly fell ill and needed to leave the organization.
    • This individual had been with the organization for more than 25 years and was the primary person in IT responsible for several mission-critical systems.
    • Following this individual’s departure, one of the systems unexpectedly went down.
    • As this individual had always been the go-to person for the system, and issues were few and far between, no one had thought to document key system elements and no knowledge transfer had taken place.
    • The failed system cost the organization more than a million dollars in lost revenue.
    • The organization needed to hire a forensic development team to reverse engineer the system.
    • This cost the organization another $200k in consulting fees plus the additional cost of training existing employees on a system which they had originally been hoping to upgrade.

    Forward thinking organizations use knowledge transfer not only to avoid risks, but to drive IT innovation

    IT knowledge transfer is a process that, at its most basic level, ensures that essential IT knowledge and capabilities don’t leave the organization – and at its most sophisticated level, drives innovation and customer service by leveraging knowledge assets.

    Knowledge Transfer Risks:

    Knowledge Transfer Opportunities:

    ✗ Increased training and development costs when key stakeholders leave the organization.

    ✗ Decreased efficiency through long development cycles.

    ✗ Late projects that tie up IT resources longer than planned, and cost overruns that come out of the IT budget.

    ✗ Lost relationships with key stakeholders within and outside the organization.

    ✗ Inconsistent project/task execution, leading to inconsistent outcomes.

    ✗ IT losing its credibility due to system or project failure from lost information.

    ✗ Customer dissatisfaction from inconsistent service.

    ✓ Mitigated risks and costs from talent leaving the organization.

    ✓ Business continuity through redundancies preventing service interruptions and project delays.

    ✓ Operational efficiency through increased productivity by never having to start projects from scratch.

    ✓ Increased engagement from junior staff through development planning.

    ✓ Innovation by capitalizing on collective knowledge.

    ✓ Increased ability to adapt to change and save time-to-market.

    ✓ IT teams that drive process improvement and improved execution.

    Common obstacles

    In building your knowledge transfer roadmap, the size of your organization can present unique challenges

    How you build your knowledge transfer roadmap will not change drastically based on the size of your organization; however, the scope of your initiative, tactics you employ, and your communication plan for knowledge transfer may change.


    How knowledge transfer projects vary by organization size:

    Small Organization

    Medium Organization

    Large Organization

    Project Opportunities

    ✓ Project scope is much more manageable.

    ✓ Communication and planning can be more manageable.

    ✓ Fewer knowledge sources and receivers can clarify prioritization needs.

    ✓ Project scope is more manageable.

    ✓ Moderate budget for knowledge transfer activities.

    ✓ Communication and enforcement is easier.

    ✓ Budget available to knowledge transfer initiatives.

    ✓ In-house expertise may be available.

    Project Risks

    ✗ Limited resources for the project.

    ✗ In-house expertise is unlikely.

    ✗ Knowledge transfer may be informal and not documented.

    ✗ Limited overlap in responsibilities, resulting in fewer redundancies.

    ✗ Limited staff with knowledge transfer experience for the project.

    ✗ Knowledge assets are less likely to be documented.

    ✗ Knowledge transfer may be a lower priority and difficult to generate buy-in.

    ✗ More staff to manage knowledge transfer for, and much larger scope for the project.

    ✗ Impact of poor knowledge transfer can result in much higher costs.

    ✗Geographically dispersed business units make collaboration and communication difficult.

    ✗ Vast amounts of historical knowledge to capture.

    Capture both explicit and tacit knowledge

    Explicit

    Tacit

    • “What knowledge” – knowledge can be articulated, codified, and easily communicated.
    • Easily explained and captured – documents, memos, speeches, books, manuals, process diagrams, facts, etc.
    • Learn through reading or being told.
    • “How knowledge” – intangible knowledge from an individual’s experience that is more from the process of learning, understanding, and applying information (insights, judgments, and intuition).
    • Hard to verbalize, and difficult to capture and quantify.
    • Learn through observation, imitation, and practice.

    Types of explicit knowledge

    Types of tacit knowledge

    Information

    • Specialized technical knowledge.
    • Unique design capabilities/ methods/ models.
    • Legacy systems, details, passwords.
    • Special formulas/algorithms/ techniques/contacts.

    Process

    • Specialized research and development processes.
    • Proprietary production processes.
    • Decision-making processes.
    • Legacy systems.
    • Variations from documented processes.

    Skills

    • Techniques for executing on processes.
    • Relationship management.
    • Competencies built through deliberate practice enabling someone to act effectively.

    Expertise

    • Company history and values.
    • Relationships with key stakeholders.
    • Tips and tricks.
    • Competitor history and differentiators.

    Examples: reading music, building a bike, knowing the alphabet, watching a YouTube video on karate.

    Examples: playing the piano, riding a bike, reading or speaking a language, earning a black belt in karate.

    Knowledge transfer is not a one-size-fits-all project

    The image contains a picture of Info-Tech's Knowledge Transfer Maturity Model. Level 0: Accidental, goal is not prioritized. Level 1: Stabilize, goal is risk mitigation. Level 2: Proactive, goal is operational efficiency. Level 3: Knowledge Culture, goal is innovation & customer service.

    No formal knowledge transfer program exists; knowledge transfer is ad hoc, or may be conducted through an exit interview only.

    74% of organizations are at level 0.1

    At level one, knowledge transfer is focused around ensuring that high risk, explicit knowledge is covered for all high-risk stakeholders.

    Organizations have knowledge transfer plans for all high-risk knowledge to ensure redundancies exist and leverage this to drive process improvements, effectiveness, and employee engagement.

    Increase end-user satisfaction and create a knowledge value center by leveraging the collective knowledge to solve repeat customer issues and drive new product innovation.

    1 Source: McLean & Company, 2016, N=120

    Assess your fit for this blueprint by considering the following statements

    I’m an IT Leader who…

    Stabilize

    …has witnessed that new employees have recently left or are preparing to leave the organization, and worries that we don’t have their knowledge captured anywhere.

    …previously had to cut down our IT department, and as a result there is a lack of redundancy for tasks. If someone leaves, we don’t have the information we need to continue operating effectively.

    …is worried that the IT department has no succession planning in place and that we’re opening ourselves up to risk.

    Proactive

    …feels like we are losing productivity because the same problems are being solved differently multiple times.

    …worries that different employees have unique knowledge which is critical to performance and that they are the only ones who know about it.

    …has noticed that the processes people are using are different from the ones that are written down.

    …feels like the IT department is constantly starting projects from scratch, and employees aren’t leveraging each other’s information, which is causing inefficiencies.

    …feels like new employees take too long to get up to speed.

    …knows that we have undocumented systems and more are being built each day.

    Knowledge Culture

    …feels like we’re losing out on opportunities to innovate because we’re not sharing information, learning from others’ mistakes, or capitalizing on their successes.

    …notices that staff don’t have a platform to share information on a regular basis, and believes if we brought that information together, we would be able to improve customer service and drive product innovation.

    …wants to create a culture where employees are valued for their competencies and motivated to learn.

    …values knowledge and the contributions of my team.

    This blueprint can help you build a roadmap to resolve each of these pain points. However, not all organizations need to have a knowledge culture. In the next section, we will walk you through the steps of selecting your target maturity model based on your knowledge goals.

    Case Study

    Siemens builds a knowledge culture to drive customer service improvements and increases sales by $122 million

    INDUSTRY: Electronics Engineering

    SOURCE: KM Best Practices

    Challenge

    Solution

    Results

    • As a large electronics and engineering global company, Siemens was facing increased global competition.
    • There was an emphasized need for agility and specialized knowledge to remain competitive.
    • The new company strategy to address competitive forces focused on becoming a knowledge enterprise and improving knowledge-sharing processes.
    • New leadership roles were created to develop a knowledge management culture.
    • “Communities of practice” were created with the goal of “connecting people to people” by allowing them to share best practices and information across departments.
    • An internal information-sharing program was launched that combined chat, database, and search engine capabilities for 12,000 employees.
    • Employees were able to better focus on customer needs based on offering services and products with high knowledge content.
    • With the improved customer focus, sales increased by $122 million and there was a return of $10-$20 per dollar spent on investment in the communities of practice.

    Info-Tech’s approach

    Five steps to future-proof your IT team

    The five steps are in a cycle. The five steps are: Obtain approval for IT knowledge transfer project, Identify your  knowledge and stakeholder risks, Build knowledge transfer plans, Build your knowledge transfer roadmap, Communicate your knowledge transfer roadmap to stakeholders.

    The Info-Tech difference:

    1. Successfully build a knowledge transfer roadmap based on your goals, no matter what market segment or size of business.
    2. Increase departmental efficiencies through increased collaboration.
    3. Retain key IT knowledge.
    4. Improve junior employee engagement by creating development opportunities.

    Use Info-Tech tools and templates

    Project outcomes

    1. Approval for IT knowledge transfer project obtained

    2. Knowledge and stakeholder risks identified

    3. Tactics for individuals’ knowledge transfer identified

    4. Knowledge transfer roadmap built

    5. Knowledge transfer roadmap approved

    Info-Tech tools and templates to help you complete your project deliverables

    Project Stakeholder Register Template

    IT Knowledge Transfer Risk Assessment Tool

    IT Knowledge Identification Interview Guide Template

    Project Planning and Monitoring Tool

    IT Knowledge Transfer Roadmap Presentation Template

    IT Knowledge Transfer Project Charter Template

    IT Knowledge Transfer Plan Template

    Your completed project deliverables

    IT Knowledge Transfer Plans

    IT Knowledge Transfer Roadmap Presentation

    IT Knowledge Transfer Roadmap

    Info-Tech’s methodology to mitigate key IT employee knowledge loss

    1. Initiate

    2. Design

    3. Implement

    Phase Steps

    1. Obtain approval for IT knowledge transfer project.
    2. Identify your knowledge and stakeholder risks.
    1. Build knowledge transfer plans.
    2. Build your knowledge transfer roadmap.
    1. Communicate your knowledge transfer roadmap to stakeholders.

    Phase Outcomes

    • Approval for IT knowledge transfer project obtained.
    • Knowledge and stakeholder risks identified.
    • IT knowledge transfer project charter created.
    • Tactics for individuals’ knowledge transfer identified.
    • Knowledge transfer roadmap built.
    • IT knowledge transfer plans established.
    • IT Knowledge transfer roadmap presented.
    • Knowledge transfer roadmap approved.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Knowledge Transfer Project Charter

    Establish a clear project scope, decision rights, and executive sponsorship for the project.

    The image contains a screenshot of the IT Knowledge Transfer Project Charter.

    IT Knowledge Transfer Risk Assessment Tool

    Identify and assess the knowledge and individual risk of key knowledge holders.

    The image contains a screenshot of the IT Knowledge Transfer Risk Assessment Tool.

    IT Knowledge Identification Interview Guide

    Extract information about the type of knowledge sources have.

    The image contains a screenshot of the IT Knowledge Identification Interview Guide.

    IT Knowledge Transfer Roadmap Presentation

    Communicate IT knowledge transfer recommendations to stakeholders to gain buy-in.

    The image contains a screenshot of the IT Knowledge Transfer Roadmap Presentation.

    Key deliverable:

    IT Knowledge Transfer Plan

    Track knowledge activities, intended recipients, and appropriate transfer tactics for each knowledge source.

    The image contains a screenshot of the IT Knowledge Transfer Plan.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Business continuity through redundancies preventing service interruptions and project delays.
    • Operational efficiency through increased productivity by never having to start projects from scratch.
    • Increased engagement from junior staff through development planning.
    • IT teams that drive process improvement and improved execution.
    • Mitigated risks and costs from talent leaving the organization.
    • Innovation by capitalizing on collective knowledge.
    • Increased ability to adapt to change and save time-to-market.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “ Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Structure the project. Discuss transfer maturity goal and metrics.

    Call #2: Build knowledge transfer plans.

    Call #3: Identify priorities & review risk assessment tool.

    Call #4: Build knowledge transfer roadmap. Determine logistics of implementation.

    Call #5: Determine logistics of implementation.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is five to six calls.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Define the Current and Target State

    Identify Knowledge Priorities

    Build Knowledge Transfer Plans

    Define the Knowledge Transfer Roadmap

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Have knowledge transfer fireside chat.

    1.2 Identify current and target maturity.

    1.3 Identify knowledge transfer metrics

    1.4 Identify knowledge transfer project stakeholders

    2.1 Identify your knowledge sources.

    2.2 Complete a knowledge risk assessment.

    2.3 Identify knowledge sources’ level of knowledge risk.

    3.1 Build an interview guide.

    3.2 Interview knowledge holders.

    4.1 Prioritize the sequence of initiatives.

    4.2 Complete the project roadmap.

    4.3 Prepare communication presentation.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Organizational benefits and current pain points of knowledge transfer.
    2. Identification of target state of maturity.
    3. Metrics for knowledge transfer.
    4. Project stakeholder register.
    1. List of high risk knowledge sources.
    2. Departure analysis.
    3. Knowledge risk analysis.
    1. Knowledge transfer interview guide.
    2. Itemized knowledge assets.
    1. Prioritized sequence based on target state maturity goals.
    2. Project roadmap.
    3. Communication deck.

    Phase #1

    Initiate your IT knowledge transfer project

    Phase 1

    Phase 2

    Phase 3

    1.1 Obtain approval for project

    1.2 Identify knowledge and stakeholder risks

    2.1 Build knowledge transfer plans

    2.2 Build knowledge transfer roadmap

    3.1 Communicate your roadmap

    This phase will walk you through the following activities:

    • Hold a working session with key stakeholders.
    • Identify your current state of maturity for knowledge transfer.
    • Identify your target state of maturity for knowledge transfer.
    • Define key knowledge transfer metrics.
    • Identify your project team and their responsibilities.
    • Build the project charter and obtain approval.

    This phase involves the following participants:

    • IT Leadership
    • Other key stakeholders

    Step 1.1

    Obtain Approval for Your IT Knowledge Transfer Project

    Activities

    1.1.1 Hold a Working Session With Key Stakeholders

    1.1.2 Conduct a Current and Target State Analysis.

    1.1.3 Identify Key Metrics

    1.1.4 Identify Your Project Team

    1.1.5 Populate an RACI

    1.1.6 Build the Project Charter and Obtain Approval

    Initiate Your IT Knowledge Transfer Project

    The primary goal of this section is to gain a thorough understanding of the reasons why your organization should invest in knowledge transfer and to identify the specific challenges to address.

    Outcomes of this step

    Organizational benefits and current pain points of knowledge transfer

    Hold a working session with the key stakeholders to structure the project

    Don’t build your project charter in a vacuum. Involve key stakeholders to determine the desired knowledge transfer goals, target maturity and KPIs, and ultimately build the project charter.

    Building the project charter as a group will help you to clarify your key messages and help secure buy-in from critical stakeholders up-front, which is key.

    In order to execute on the knowledge transfer project, you will need significant involvement from your IT leadership team. The trouble is that knowledge transfer can be inherently stressful for employees as it can cause concerns around job security. Members of your IT leadership team will also be individuals who need to participate in knowledge transfer, so get them involved upfront. The working session will help stakeholders feel more engaged in the project, which is pivotal for success.

    You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value and plans for knowledge transfer will be necessary.

    Meeting Agenda

    1. Short project introduction
    2. Led by: Project Sponsor

    • Why the project was initiated.
  • Make the case for the project
  • Led by: Project Manager

    • Current state: What project does the project address?
    • Future state: What is our target state of maturity?
  • Success criteria
  • Led by: Project Manager

    • How will success be measured?
  • Define the project team
  • Led by: Project Manager

    • Description of planned project approach.
    • Stakeholder assessment.
    • What is required of the sponsor and stakeholders?
  • Determine next steps
  • Led by: Project Manager

    1.1.1 Key Stakeholder Working Session

    Identify the pain points you’re experiencing with knowledge transfer and some of the benefits which you’d like to see from a program to determine the key objectives By doing so, you’ll get a holistic view of what you need to achieve.

    Collect this information by:

    1. Asking the working group participants (as a whole or in smaller groups) to discuss pain points created by ineffective knowledge transfer practices.
    • Challenges related to stakeholders.
    • Challenges created by process issues.
    • Issues achieving the intended outcome due to ineffective knowledge transfer.
    • Difficulties improving knowledge transfer practices.
  • Discussing opportunities to be gained from improving these practices.
  • Having participants write these down on sticky notes and place them on a whiteboard or flip chart.
  • Reviewing all the points as a group and grouping challenges and benefits into themes.
  • Having the group prioritize the risks and benefits in terms of what the solution “must have,” “should have,” “could have,” and “won’t have.”
  • Documenting this in the IT Knowledge Transfer Charter template.
  • Input Output
    • Reasons for the project
    • Stakeholder requirements
    • Pain point and risks
    • Identified next steps
    • Target state
    • Completed IT Knowledge Transfer Charter
    Materials Participants
    • Agenda (see previous slide)
    • Sticky notes (optional)
    • Pens (optional)
    • Whiteboard (optional
    • Markers (optional)
    • IT leadership

    Examples of Possible Pain Points

    • Employees have recently left or are preparing to leave the organization, and we worry that we don’t have their knowledge captured anywhere.
    • We previously had to cut down our IT department, and as a result there is a lack of redundancy for tasks. If someone leaves, we don’t have the information we need to continue operating effectively.
    • We’re worried that the IT department has no succession planning in place and that we’re opening ourselves up to risk.
    • It feels like we are losing productivity because the same problems are being solved multiple times, differently.
    • We’re worried that different employees have unique knowledge which is critical to performance, and that they are the only ones who know about it.
    • We’ve noticed that the processes people are using are different from the ones that are written down.
    • It feels like the IT department is constantly starting projects from scratch and employees aren’t leveraging each other’s information, which is causing inefficiencies.
    • It feels like new employees take too long to get up to speed.
    • We know that we have undocumented systems and more are being built each day.
    • We feel like we’re losing out on opportunities to innovate because we’re not sharing information, learning from others’ mistakes, or capitalizing on their successes.
    • We’ve noticed that staff don’t have a platform to share information on a regular basis. We believe if we brought that information together, we would be better able to improve customer service and drive product innovation.
    • We want to create a culture where employees are valued for their competencies and motivated to learn.
    • We value knowledge and the contributions of our team.

    1.1.2 Conduct a Current and Target State Analysis

    Identify your current and target state of maturity

    How to determine your current and target state of maturity:

    1. Provide the previous two slides with the details of the maturity assessment to the group, to review.
    2. Ask each participant to individually determine what they think is the IT team’s current state of maturity. After a few minutes, discuss as a group and come to an agreement.
    3. Review each of the benefits and timing for each of the maturity levels. Compare the benefits listed to those that you named in the previous exercise and determine which maturity level best describes your target state.
    4. Discuss as a group and agree on one maturity level.
    5. Review the other levels of maturity and determine what is in and out of scope for the project (hint: higher level benefits would be considered out of scope). Document this in the IT Knowledge Transfer Project Charter template.
    Input Output
    • Knowledge Transfer Maturity Level charts
    • Target maturity level documented in the IT Knowledge Transfer Charter
    Materials Participants
    • Paper and pens
    • Handouts of maturity levels
    • IT Leadership Team

    IT Knowledge Transfer Project Charter Template

    Info-Tech’s Knowledge Transfer Maturity Model

    Depending on the level of maturity you are trying to achieve, a knowledge transfer project could take weeks, months, or even years. Your maturity level depends on the business goal you would like to achieve, and impacts who and what your roadmap targets.

    The image contains a picture of Info-Tech's Knowledge Transfer Maturity Model. Level 0: Accidental, goal is not prioritized. Level 1: Stabilize, goal is risk mitigation. Level 2: Proactive, goal is operational efficiency. Level 3: Knowledge Culture, goal is innovation & customer service.

    Info-Tech Insight

    The maturity levels build on one another; if you start with a project, it is possible to move from a level 0 to a level 1, and once the project is complete, you can advance to a level 2 or 3. However, it’s important to set clear boundaries upfront to limit scope creep, and it’s important to set appropriate expectations for what the project will deliver.

    Knowledge Transfer Maturity Level: Accidental and Stabilize

    Goal

    Description

    Time to implement

    Benefits

    Level 0: Accidental

    Not Prioritized

    • No knowledge transfer process is present.
    • Knowledge transfer is completed in an ad hoc manner.
    • Some transfer may take place through exit interviews.

    N/A

    • Simple to implement and maintain.

    Level 1: Stabilize

    Risk Mitigation

    At level one, knowledge transfer is focused around ensuring that redundancies exist for explicit knowledge for:

    1. ALL high-risk knowledge.
    2. ALL high-risk stakeholders.

    Your high-risk knowledge is any information which is proprietary, unique, or specialized.

    High risk stakeholders are those individuals who are at a higher likelihood of departing the organization due to retirement or disengagement.

    0 – 6 months

    • Mitigates risks from talent leaving the organization.
    • Ensures business continuity through redundancies.
    • Provides stability to sustain high-performing services, and mitigates risks from service interruptions.

    Knowledge Transfer Maturity Level: Proactive and Knowledge Culture

    Goal

    Description

    Time to implement

    Benefits

    Level 2: Proactive

    Operational Efficiency

    Level 2 extends Level 1.

    Once stabilized, you can work on KT initiatives that allow you to be more proactive and cover high risk knowledge that may not be held by those see as high risk individuals.

    Knowledge transfer plans must exist for ALL high risk knowledge.

    3m – 1yr

    • Enhances productivity by reducing need to start projects from scratch.
    • Increases efficiency by tweaking existing processes with best practices.
    • Sees new employees become productive more quickly through targeted development planning.
    • Increases chance that employees will stay at the organization longer, if they can see growth opportunities.
    • Streamlines efficiencies by eliminating redundant or unnecessary processes.

    Level 3: Knowledge Culture

    Drive Innovation Through Knowledge

    Level 3 extends Level 2.

    • Knowledge Transfer covers explicit and tacit information throughout the IT organization.
    • The program should be integrated with leadership development and talent management.
    • Key metrics should be tied to process improvement, innovation, and customer service.

    1-2 years

    • Increases end-user satisfaction by leveraging the collective knowledge to solve repeat customer issues.
    • Drives product innovation through collaboration.
    • Increases employee engagement by recognizing and rewarding knowledge sharing.
    • Increases your ability to adapt to change and save time-to-market through increased learning.
    • Enables the development of new ideas through iteration.
    • Supports faster access to knowledge.

    Select project-specific KPIs

    Use the selected KPIs to track the value of knowledge transfer

    You need to ensure your knowledge transfer initiatives are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.

    Many organizations overlook the creation of KPIs for knowledge transfer because the benefits are often one step removed from the knowledge transfer itself. However, there are several metrics you can use to measure success.

    Hint: Metrics will vary based on your knowledge transfer maturity goals.

    Metrics For Knowledge Transfer

    Creating KPIs for knowledge transfer is a crucial step that many organizations overlook because the benefits are often one step removed from the knowledge transfer itself. However, there are several qualitative and quantitative metrics you can use to measure success depending on your maturity level goals.

    Stabilize

    • Number of high departure risk employees identified.
    • Number of high-risk employees without knowledge transfer plans.
    • Number of post-retirement knowledge issues.

    Be Proactive

    • Number of issues arising from lack of redundancy.
    • Percentage of high-risk knowledge items without transfer plans.
    • Time required to get new employees up to speed.

    Promote Knowledge Culture

    • Percentage of returned deliverables for rework.
    • Percentage of errors repeated in reports.
    • Number of employees mentoring their colleagues.
    • Number of issues solved through knowledge sharing.
    • Percentage of employees with knowledge transfer/development plans.

    1.1.3 Identify Key Metrics

    Identify key metrics the organization will use to measure knowledge transfer success

    How to determine knowledge transfer metrics:

    1. Assign each participant 1-4 of the desired knowledge transfer benefits and pain points which you identified as priorities.
    2. Independently have them brainstorm how they would measure the success of each, and after 10 minutes, present their thoughts to the group.
    3. Write each of the metric suggestions on a whiteboard and agree to 3-5 benefits which you will track. The metrics you choose should relate to the key pain points you have identified and match your desired maturity level.
    InputOutput
    • Knowledge transfer pain points and benefits
    • 3-5 key metrics to track
    MaterialsParticipants
    • Whiteboard
    • IT Leadership Team

    Identify knowledge transfer project team

    Determine Project Participants

    Pick a Project Sponsor

    • The project participants are the IT managers and directors whose day-to-day lives will be impacted by the knowledge transfer roadmap and its implementation.
    • These individuals will be your roadmap ream and will help with planning. Most of these individuals should be in the workshop, but ensure you have everyone covered. Some examples of individuals you should consider for your team are:
      • Director/Manager Level:
        • Applications
        • Infrastructure
        • Operations
      • Service Delivery Managers
      • Business Relationship Managers
    • The project sponsor should be a member of your IT department’s senior executive team whose goals and objectives will be impacted by knowledge transfer implementation.
      • This is the person you will get to sign-off on the project charter document.
    The image contains a triangle that has been split into three parts. The top section is labelled: Project Sponsor, middle section: Project Participants, and the bottom is labelled Project Stakeholders.

    The project sponsor is the main catalyst for the creation of the roadmap. They will be the one who signs off on the project roadmap.

    The Project Participants are the key stakeholders in your organization whose input will be pivotal to the creation of the roadmap.

    The project stakeholders are the senior executives who have a vested interest in knowledge transfer. Following completion of this workshop, you will present your roadmap to these individuals for approval.

    1.1.4 Identify Your Project Team

    How to define the knowledge transfer project team:

    1. Through discussion, generate a complete list of key stakeholders, considering each of the roles indicated in the chart on the Key Project Management Stakeholders slide. Write their names on a whiteboard.
    2. Using the quadrant template on the next slide, draw the stakeholder power map.
    3. Evaluate each stakeholder on the list based on their level of influence and support of the project. Write the stakeholder’s name on a sticky note and place it in the appropriate place on the grid.
    4. Create an engagement plan based on the stakeholder’s placement.
    5. Use Info-Tech’s Project Stakeholder Register Template to identify and document your project management stakeholders.

    Project Stakeholder Register Template

    Input Output
    • Initial stakeholder analysis
    • Complete list of project participants.
    • Complete project stakeholder register.
    Materials Participants
    • Whiteboard / Flip chart
    • Markers / Pens
    • Project Stakeholder Register Template
    • IT Leadership Team
    • Other stakeholders

    Have a strategic approach for engaging stakeholders to help secure buy-in

    If your IT leadership team isn’t on board, you’re in serious trouble! IT leaders will not only be highly involved in the knowledge transfer project, but they also may be participants, so it’s essential that you get their buy-in for the project upfront.

    Document the results in the Project Stakeholder Register Template; use this as a guide to help structure your communication with stakeholders based on where they fall on the grid.

    How to Manage:

    Focus on increasing these stakeholders’ level of support!

    1. Have a one-on-one meeting to seek their views on critical issues and address concerns.
    2. Identify key pain points they have experienced and incorporate these in the project goal statements.
    3. Where possible, leverage KT champions to help encourage support.
    The image contains a small graph to demonstrate the noise makers, the blockers, the changers, and the helpers.

    Capitalize on champions to drive the project/change.

    1. Use them for internal PR of the objectives and benefits.
    2. Ask them what other stakeholders can be leveraged.
    3. Involve them early in creating project documents.

    How to Manage:

    How to Manage:

    Pick your battles – focus on your noise makers first, and then move on to your blockers.

    1. Determine the level of involvement the blockers will have in the project (i.e. what you will need from them in the future) and determine next steps based on this (one-on-one meeting, group meeting, informal communication, or leveraging helpers/ champions to encourage them).

    Leverage this group where possible to help socialize the program and to help encourage dissenters to support.

    1. Mention their support in group settings.
    2. Focus on increasing their understanding via informal communication.

    How to Manage:

    Key Project Management Stakeholders

    Role

    Project Role

    Required

    CIO

    Will often play the role of project sponsor and should be involved in key decision points.

    IT Managers Directors

    Assist in the identification of high-risk stakeholders and knowledge and will be heavily involved in the development of each transfer plan.

    Project Manager

    Should be in charge of leading the development and execution of the project.

    Business Analysts

    Responsible for knowledge transfer elicitation analysis and validation for the knowledge transfer project.

    Situational

    Technical Lead

    Responsible for solution design where required for knowledge transfer tactics.

    HR

    Will aid in the identification of high-risk stakeholders or help with communication and stakeholder management.

    Legal

    Organizations that are subject to knowledge confidentiality, Sarbanes-Oxley, federal rules, etc. may need legal to participate in planning.

    Ensure coverage of all project tasks

    Populate a Project RACI (Responsible, Accountable, Consulted, Informed) chart

    Apps MGR

    Dev. MGR

    Infra MGR

    Build the project charter

    R

    R

    I

    Identify IT stakeholders

    R

    R

    I

    Identify high risk stakeholders

    R

    A

    R

    Identify high risk knowledge

    I C C

    Validate prioritized stakeholders

    I C R

    Interview key stakeholders

    R R A

    Identify knowledge transfer tactics for individuals

    C C A

    Communicate knowledge transfer goals

    C R A

    Build the knowledge transfer roadmap

    C R A

    Approve knowledge transfer roadmap

    C R C

    1.1.5 Populate an RACI

    Populate a RACI chart to identify who should be responsible, accountable, consulted, and informed for each key activity.

    How to define RACI for the project team:

    1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key project steps along the left-hand side (use this list as a starting point).
    2. For each initiative, identify each team member’s role. Are they:
    3. Responsible: The one responsible for getting the job done.

      Accountable: Only one person can be accountable for each task.

      Consulted: Involvement through input of knowledge and information.

      Informed: Receiving information about process execution and quality.

    4. As you proceed through the project, continue to add tasks and assign responsibility to the RACI chart on the next slide.
    InputOutput
    • Stakeholder list
    • Key project steps
    • Project RACI chart
    MaterialsParticipants
    • Whiteboard
    • IT Leadership Team

    1.1.6 Build the Project Charter and Obtain Sign-off

    Complete the IT knowledge transfer project charter.

    Build the project charter and obtain sign-off from your project sponsor. Use your organization’s project charter if one exists. If not, customize Info-Tech’s IT Knowledge Transfer Project Charter Template to suit your needs.

    The image contains a screenshot of the IT knowledge transfer project charter template.

    IT Knowledge Transfer Project Charter Template

    Step 1.2

    Identify Your Knowledge and Stakeholder Risks

    Activities

    1.2.1 Identify Knowledge Sources

    1.2.2 Complete a Knowledge Risk Assessment

    1.2.3 Review the Prioritized List of Knowledge Sources

    The primary goal of this section is to identify who your primary risk targets are for knowledge transfer.

    Outcomes of this step

    • A list of your high-risk knowledge sources
    • Departure analysis
    • Knowledge risk analysis

    Prioritize your knowledge transfer initiatives

    Throughout this section, we will walk through the following 3 activities in the tool to determine where you need to focus attention for your knowledge transfer roadmap based on knowledge value and likelihood of departure.

    1. Identify Knowledge Sources

    Create a list of knowledge sources for whom you will be conducting the analysis, and identify which sources currently have a transfer plan in place.

    2. Value of Knowledge

    Consider the type of knowledge held by each identified knowledge source and determine the level of risk based on the knowledge:

    1. Criticality
    2. Availability

    3. Likelihood of Departure

    Identify the knowledge source’s risk of leaving the organization based on their:

    1. Age cohort
    2. Engagement level

    This tool contains sensitive information. Do not share this tool with knowledge sources. The BA and Project Manager, and potentially the project sponsor, should be the only ones who see the completed tool.

    The image contains screenshots from the Knowledge Risk Assessment Tool.

    Focus on key roles instead of all roles in IT

    Identify Key Roles

    Hold a meeting with your IT Leadership team, or meet with members individually, and ask these questions to identify key roles:

    • What are the roles that have a significant impact on delivering the business strategy?
    • What are the key differentiating roles for our IT organization?
    • Which roles, if vacant, would leave the organization open to non-compliance with regulatory or legal requirements?
    • Which roles have a direct impact on the customer?
    • Which roles, if vacant, would create system, function, or process failure for the organization?

    Key roles include:

    • Strategic roles: Roles that give the greatest competitive advantage. Often these are roles that involve decision-making responsibility.
    • Core roles: Roles that must provide consistent results to achieve business goals.
    • Proprietary roles: Roles that are tied closely to unique or proprietary internal processes or knowledge that cannot be procured externally. These are often highly technical or specialized.
    • Required roles: Roles that support the department and are required to keep it moving forward day-to-day.
    • Influential roles: Positions filled by employees who are the backbone of the organization, i.e. the go-to people who are the corporate culture.

    Info-Tech Insight

    This step is meant to help speed up and simplify the process for large IT organizations. IT organizations with fewer than 30 people, or organizations looking to build a knowledge culture, can opt to skip this step and include all members of the IT team. This way, everyone is considered and you can prioritize accordingly.

    1.2.1 Identify Key Knowledge Sources

    1. Identify key roles, as shown on the previous slide. This can be done by brainstorming names on sticky notes and placing them on a whiteboard.
    2. Document using IT Knowledge Transfer Risk Assessment Tool Tab 2. Input with first name, last name, department/ IT area, and manager of each identified Knowledge Source.
    3. Also answer the question of whether the Knowledge Source currently has a knowledge transfer plan in place.
    • Not in place
    • Partially in place
    • In place
  • Conduct sanity check: once you have identified key roles, ask – “did we miss anybody?”
  • InputOutput
    • Employee list
    • List of knowledge sources for IT
    MaterialsParticipants
    • IT Knowledge Transfer Risk Assessment Tool.
    • IT Leadership Team

    IT Knowledge Transfer Risk Assessment Tool

    Document key knowledge sources (example)

    Use information about the current state of knowledge transfer plans in your organization to understand your key risks and focus areas.

    The image contains a screenshot of the knowledge source.

    Legend:

    1. Document knowledge source information (name, department, and manager).

    2. Select the current state of knowledge transfer plans for each knowledge source.

    Once you have identified key roles, conduct a sanity check and ask – “did we miss anybody?” For example:

    • There are three systems administrators. One of them, Joe, has been with the organization for 15 years.
    • Joe’s intimate systems knowledge and long-term relationship with one of the plant systems vendors has made him a go-to person during times of operational systems crisis and has resulted in systems support discounts.
    • While the systems administrator role by itself is not considered key (partly due to role redundancy), Joe is a key person to flag for knowledge transfer activities as losing him would make achieving core business goals more difficult.

    Case Study

    Municipal government learns the importance of thorough knowledge source identification after losing key stakeholder

    INDUSTRY: Government

    Challenge

    Solution

    Results

    • A municipal government was introducing a new integration project that was led by their controller.
    • The controller left abruptly, and while the HR department conducted an exit interview, they didn’t realize until after the individual had left how much information was lost.
    • Nobody knew the information needed to complete the integration, so they had to make do with what they had.
    • The Director of IT at the time was the most familiar with the process.
    • Even though she would not normally do this type of project, at the time she was the only person with knowledge of the process and luckily was able to complete the integration.
    • The Director of IT had to put other key projects on hold, and lost productivity on other prioritized work.
    • The organization realized how much they were at risk and changed how they approached knowledge. They created a new process to identify “single point of failures” and label people as high risk. These processes started with the support organization’s senior level key people to identify their processes and record everything they do and what they know.

    Identify employees who may be nearing retirement and flag them as high risk

    Risk Parameter

    Description

    How to Collect this Data:

    Age Cohort

    • 60+ years of age or older, or anyone who has indicated they will be retiring within five years (highest risk).
    • Employees in their early 50s: are still many years away from retirement but have a sufficient number of years remaining in their career to make a move to a new role outside of your organization.
    • Employees in their late 50s: are likely more than five years away from retirement but are less likely than younger employees to leave your organization for another role because of increasing risk in making such a move, and persistent employer unwillingness to hire older employees.
    • Employees under 50: should never be considered low risk only based on age – which is why the second component of stakeholder risk is engagement.

    For those people on your shortlist, pull some hard demographic data.

    Compile a report that breaks down employees into age-based demographic groups.

    Flag those over the age of 50 – they’re in the “retirement zone” and could decide to leave at any time.

    Check to see which stakeholders identified fall into the “over 50” age demographic.

    Document this information in the IT Knowledge Transfer Risk Assessment Tool.

    Info-Tech Insight

    150% of an employee’s base salary and benefits is the estimated cost of turnover according to The Society of Human Resource Professionals.1

    1McLean & Company, Make the Case for Employee Engagement

    Identify disengaged employees who may be preparing to leave the organization

    Risk Parameter

    Description

    How to Collect this Data:

    Engagement

    An engaged stakeholder is energized and passionate about their work, leading them to exert discretionary effort to drive organizational performance (lowest risk).

    An almost engaged stakeholder is generally passionate about their work. At times they exert discretionary effort to help achieve organizational goals.

    Indifferent employees are satisfied, comfortable, and generally able to meet minimum expectations. They see their work as “just a job,” prioritizing their needs before organizational goals.

    Disengaged employees have little interest in their job and the organization and often display negative attitudes (highest risk).

    Option 1:

    The optimal approach for determining employee engagement is through an engagement survey. See McLean & Company for more details.

    Option 2:

    Ask the identified stakeholder’s manager to provide an assessment of their engagement either independently or via a meeting.

    Info-Tech Insight

    Engaged employees are five times more likely than disengaged employees to agree that they are committed to their organization.1

    1Source: McLean & Company, N = 13683

    The level of risk of the type of information is defined by criticality and availability

    Risk Parameter

    Description

    How to Collect this Data:

    Criticality

    Roles that are critical to the continuation of business and cannot be left vacant without risking business operations. Would the role, if vacant, create system, function, or process failure for the organization?

    Option 1: (preferred)

    Meet with IT managers/directors over the phone or directly and review each of the identified reports to determine the risk.

    Option 2: Send the IT mangers/directors the list of their direct reports, and ask them to evaluate their knowledge type risk independently and return the information to you.

    Option 3: (if necessary) Review individual job descriptions independently, and use your judgment to come up with a rating for each. Send the assessment to the stakeholders’ managers for validation.

    Availability

    Refers to level of redundancy both within and outside of the organization. Information which is highly available is considered lower risk. Key questions to consider include: does this individual have specialized, unique, or proprietary expertise? Are there internal redundancies?

    1.2.2 Complete a Knowledge Risk Assessment

    Complete a Tab 3 assessment for each of your identified Knowledge Sources. The Knowledge Source tab will pre-populate with information from Tab 2 of the tool. For each knowledge source, you will determine their likelihood of departure and degree of knowledge risk.

    Likelihood of departure:

    1. Document the age cohort risk for each knowledge source on Tab 3 of the IT Knowledge Transfer Risk Assessment Tool. Age Cohort: Under 50, 51-55, 56-60, or over 60.
    2. Document the engagement risk for each knowledge source on Tab 3, “Assessment”, of the IT Knowledge Transfer Risk Assessment Tool. Engagement level: Engaged, Almost engaged, Indifferent employees, Disengaged.
    3. Degree of knowledge risk is based on:

    4. Document the knowledge type risk for each stakeholder on Tab 3, “Assessment” in the IT Knowledge Transfer Risk Assessment Tool.
    • Criticality: Would the role, if vacant, create system, function, or process failure for the organization?
    • Availability: Does this individual have specialized, unique, or proprietary expertise? Are there internal redundancies?
    Input Output
    • Knowledge source list (Tab 2)
    • Employee demographics information
    • List of high-risk knowledge sources
    Materials Participants
    • Sticky notes
    • Pens
    • Whiteboard
    • Marker
    • IT Leadership Team
    • HR

    IT Knowledge Transfer Risk Assessment Tool

    Results matrix

    The image contains a screenshot of risk assessment. The image contains a matrix example from tab 4.

    Determine where to focus your efforts

    The IT Knowledge Transfer Map on Tab 5 helps you to determine where to focus your knowledge transfer efforts

    Knowledge sources have been separated into the three maturity levels (Stabilize, Proactive, and Knowledge Culture) and prioritized within each level.

    Focus first on your stabilize groups, and based on your target maturity goal, move on to your proactive and knowledge culture groups respectively.

    The image contains a screenshot of the IT Knowledge Transfer Map on tab 5.

    Sequential Prioritization

    Orange line Level 1: Stabilize

    Blue Line Level 2: Proactive

    Green Line Level 3: Knowledge Culture

    Each pie chart indicates which of the stakeholders in that risk column currently has knowledge transfer plans.

    Each individual also has their own status ball on whether they currently have a knowledge transfer plan.

    1.2.3 Review the Prioritized List

    Review results

    Identify knowledge sources to focus on for the knowledge transfer roadmap. Review the IT Knowledge Transfer Map on Tab 5 to determine where to focus your knowledge transfer efforts

    1. Show the results from the assessment tool.
    2. Discuss matrix and prioritized list.
    • Does it match with maturity goals?
    • Do prioritizations seem correct?
    InputOutput
    • Knowledge source risk profile
    • Risk Assessment (Tab 3)
    • Prioritized list of knowledge sources to focus on for the knowledge transfer roadmap
    MaterialsParticipants
    • n/a
    • IT Knowledge Transfer Risk Assessment Tool
    • IT Leadership Team

    IT Knowledge Transfer Risk Assessment Tool

    Phase #2

    Design your knowledge transfer plans

    Phase 1

    Phase 2

    Phase 3

    1.1 Obtain approval for project

    1.2 Identify knowledge and stakeholder risks

    2.1 Build knowledge transfer plans

    2.2 Build knowledge transfer roadmap

    3.1 Communicate your roadmap

    This phase will walk you through the following activities:

    • Building knowledge transfer plans for all prioritized knowledge sources.
    • Understanding which transfer tactics are best suited for different knowledge types.
    • Identifying opportunities to leverage collaboration tools for knowledge transfer.

    This phase involves the following participants:

    • IT Leadership
    • Other key stakeholders
    • Knowledge sources

    Define what knowledge needs to be transferred

    Each knowledge source has unique information which needs to be transferred. Chances are you don’t know what you don’t know. The first step is therefore to interview knowledge sources to find out.

    Identify the knowledge receiver

    Depending on who the information is going to, the knowledge transfer tactic you employ will differ. Before deciding on the knowledge receiver and tactic, consider three key factors:

    • How will this knowledge be used in the future?
    • What is the next career step for the knowledge receiver?
    • Are the receiver and the source going to be in the same location?

    Identify which knowledge transfer tactics you will use for each knowledge asset

    Not all tactics are good in every situation. Always keep the “knowledge type” (information, process, skills, and expertise), knowledge sources’ engagement level, and the knowledge receiver in mind as you select tactics.

    Determine knowledge transfer tactics

    Determine tactics for each stakeholder based on qualities of their specific knowledge.

    This tool is built to accommodate up to 30 knowledge items; Info-Tech recommends focusing on the top 10-15 items.

    1. Send documents to each manager. Include:
    • a copy of this template.
    • interview guide.
    • tactics booklet.
  • Instruct managers to complete the template for each knowledge source and return it to you.
  • These steps should be completed by the BA or IT Manager. The BA is helpful to have around because they can learn about the tactics and answer any questions about the tactics that the managers might have when completing the template.

    The image contains a screenshot of the Knowledge Source's Name.

    IT Knowledge Transfer Plan Template

    Step 2.1

    Build Your Knowledge Transfer Plans

    Activities

    2.1.1 Interview Knowledge Sources to Uncover Key Knowledge Items

    2.1.2 Identify When to use Knowledge Transfer Tactics

    2.1.3 Build Individual Knowledge Transfer Plans

    The primary goal of this section is to build an interview guide and interview knowledge sources to identify key knowledge assets.

    Outcomes of this step

    • Knowledge Transfer Interview Guide
    • Itemized knowledge assets
    • Completed knowledge transfer plans

    2.1.1 Interview Knowledge Sources

    Determine key knowledge items

    The first step is for managers to interview knowledge sources in order to extract information about the type of knowledge the source has.

    Meet with the knowledge sources and work with them to identify essential knowledge. Use the following questions as guidance:

    1. What are you an expert in?
    2. What do others ask you for assistance with?
    3. What are you known for?
    4. What are key responsibilities you have that no one else has or knows how to do?
    5. Are there any key systems, processes, or applications which you’ve taken the lead on?
    6. When you go on vacation, what is waiting for you in your inbox?
    7. If you went on vacation, would there be any systems that, if there was a failure, you would be the only one who knows how to fix?
    8. Would you say that all the key processes you use, or tools, codes etc. are documented?
    Input Output
    • Knowledge type information
    • Prioritized list of key knowledge sources.
    • Knowledge activity information
    • What are examples of good use cases for the technique?
    • Why would you use this technique over others?
    • Is this technique suitable for all projects? When wouldn’t you use it?
    Materials Participants
    • Interview guide
    • Pen
    • Paper
    • IT Leadership Team
    • Knowledge sources

    IT Knowledge Identification Interview Guide Template

    2.1.2 Understand Knowledge Transfer Tactics

    Understand when and how to use different knowledge transfer tactics

    1. Break the workshop participants into teams. Assign each team two to four knowledge transfer tactics and provide them with the associated handout(s) from the following slides. Using the material provided, have each team brainstorm around the following questions:
      1. What types of information can the technique be used to collect?
      2. What are examples of good use cases for the technique?
      3. Why would you use this technique over others?
      4. Is this technique suitable for all projects? When wouldn’t you use it?
    2. Have each group present their findings from the brainstorming to the group.
    3. Once everyone has presented, have the groups select which tactics they would be interested in using and which ones they would not want to use by putting green and red dots on each.
    4. As a group, confirm the list of tactics you would be interested in using and disqualify the others.
    Input Output
    • List of knowledge tactics to utilize.
    Materials Participants
    • Knowledge transfer tactics handouts
    • Flip chart paper
    • Markers
    • Green and red dot stickers
    • IT Leadership Team
    • Project team

    Knowledge Transfer Tactics:

    Interviews

    Interviews provide an opportunity to meet one-on-one with key stakeholders to document key knowledge assets. Interviews can be used for explicit and tacit information, and in particular, capture processes, rules, coding information, best practices, etc.

    Benefits:

    • Good bang-for-your-buck interviews are simple to conduct and can be used for all types of knowledge.
    • Interviews can obtain a lot of information in a relatively short period of time.
    • Interviews help make tacit knowledge more explicit through effective questioning.
    • They have highly flexible formatting as interviews can be conducted in person, over the phone, or by email.

    How to get started:

    1. Have the business analyst (BA) review the employee’s knowledge transfer plan and highlight the areas to be discussed in the interview.
    2. The BA will then create an interview guide detailing key questions which would need to be asked to ascertain the information.
    3. Schedule a 30-60 minute interview. When complete, document the interview and key lessons learned. Send the information back to the interviewee for validation of what was discussed.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Minimal

    Technology Support: N/A

    Process Development: Minimal

    Duration: Annual

    Participants

    Business analysts

    Knowledge source

    Materials

    Interview guide

    Notepad

    Pen

    Knowledge Transfer Tactics:

    Process Mapping

    Business process mapping refers to building a flow chart diagram of the sequence of actions which defines what a business does. The flow chart defines exactly what a process does and the specific succession of steps including all inputs, outputs, flows, and linkages. Process maps are a powerful tool to frame requirements in the context of the complete solution.

    Benefits:

    • They are simple to build and analyze; most organizations and users are familiar with flow diagrams, making them highly usable.
    • They provide an end-to-end picture of a process.
    • They’re ideal for gathering full and detailed requirements of a process.
    • They include information around who is responsible, what they do, when, where it occurs, triggers, to what degree, and how often it occurs.
    • They’re great for legacy systems.

    How to get started:

    1. Have the BA prepare beforehand by doing some preliminary research on the purpose of the process, and the beginning and end points.
    2. With the knowledge holder, use a whiteboard and identify the different stakeholders who interact with the process, and draw swim lanes for each.
    3. Together, use sticky notes and/or dry erase markers etc. to draw out the process.
    4. When you believe you’re complete, start again from the beginning and break the process down to more details.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Minimal

    Technology Support: N/A

    Process Development: Minimal

    Duration: Annual

    Participants

    Business analysts

    Knowledge source

    Materials

    Whiteboard / flip-chart paper

    Marker

    Knowledge Transfer Tactics:

    Use Cases

    Use case diagrams are a common transfer tactic where the BA maps out step-by-step how an employee completes a project or uses a system. Use cases show what a system or project does rather than how it does it. Use cases are frequently used by product managers and developers.

    Benefits:

    • Easy to draw and understand.
    • Simple way to digest information.
    • Can get very detailed.
    • Should be used for documenting processes, experiences etc.
    • Initiation and brainstorming.
    • Great for legacy systems.

    How to get started:

    1. The BA will schedule a 30-60 minute in-person meeting with the employee, draw a stick figure on the left side of the board, and pose the initial question: “If you need to do X, what is your first step?” Have the stakeholder go step-by-step through the process until the end goal. Draw this process across the whiteboard. Make sure you capture the triggers, causes of events, decision points, outcomes, tools, and interactions.
    2. Starting at the beginning of the diagram, go through each step again and ask the employee if the step can be broken down into more granular steps. If the answer is yes, break down the use case further.
    3. Ask the employee if there are any alternative flows that people could use, or any exceptions. If there are, map these out on the board.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Minimal

    Technology Support: N/A

    Process Development: Minimal

    Duration: Annual

    Participants

    Business analysts

    Knowledge source

    Materials

    Whiteboard / flip-chart paper

    Marker

    Knowledge Transfer Tactics:

    Job Shadow

    Job shadowing is a working arrangement where the “knowledge receiver” learns how to do a job by observing an experienced employee complete key tasks throughout their normal workday.

    Benefits:

    • Low cost and minimal effort required.
    • Helps employees understand different elements of the business.
    • Helps build relationships.
    • Good for knowledge holders who are not great communicators.
    • Great for legacy systems.

    How to get started:

    1. Determine goals and objectives for the knowledge transfer, and communicate these to the knowledge source and receiver.
    2. Have the knowledge source identify when they will be performing a particular knowledge activity and select that day for the job shadow. If the information is primarily experience, select any day which is convenient.
    3. Ask the knowledge receiver to shadow the source and ask questions whenever they have them.
    4. Following the job shadow, have the knowledge receiver document what they learned that day and file that information.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Required

    Technology Support: N/A

    Process Development:Required

    Duration:Ongoing

    Participants

    BA

    IT manager

    Knowledge source and receiver

    Materials

    N/A

    Knowledge Transfer Tactics:

    Peer Assist

    Meeting or workshop where peers from different teams share their experiences and knowledge with individuals or teams that require help with a specific challenge or problem.

    Benefits:

    • Improves productivity through enhanced problem solving.
    • Encourages collaboration between teams to share insight, and assistance from people outside your team to obtain new possible approaches.
    • Promotes sharing and development of new connections among different staff, and creates opportunities for innovation.
    • Can be combined with Action Reviews.

    How to get started:

    1. Create a registry of key projects that different individuals have solved. Where applicable, leverage the existing work done through action reviews.
    2. Create and communicate a process for knowledge sources and receivers to reach out to one another. Email or social collaboration platforms are the most common.
    3. The source may then reply with documentation or a peer can set up an interview to discuss.
    4. Information should be recorded and saved on a corporate share drive with appropriate metadata to ensure ease of search.
    5. See Appendix for further details.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Minimal

    Technology Support: N/A

    Process Development:Required

    Duration:Ongoing

    Participants

    Knowledge sources

    Knowledge receiver

    BA to build a skill repository

    Materials

    Intranet

    Knowledge Transfer Tactics:

    Transition Workshop

    A half- to full-day exercise where an outgoing leader facilitates a knowledge transfer of key insights they have learned along the way and any high-profile knowledge they may have.

    Benefits:

    • Accelerates knowledge transfer following a leadership change.
    • Ensures business continuity.
    • New leader gets a chance to understand the business drivers behind team decisions and skills of each member.
    • The individuals on the team learn about the new leader’s values and communication styles.

    How to get started:

    1. Outgoing leader organizes a one-time session where they share information with the team (focus on tacit knowledge, such as team successes and challenges) and team can ask questions.
    2. Incoming leader and remaining team members share information about norms, priorities, and values.
    3. Document the information.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Required

    Technology Support: Some

    Process Development: Some

    Duration:Ongoing

    Participants

    IT leader

    Incoming IT team

    Key stakeholders

    Materials

    Meeting space

    Video conferencing (as needed)

    Knowledge Transfer Tactics:

    Action Review

    Action Review is a team-based discussion at the end of a project or step to review how the activity went and what can be done differently next time. It is ideal for transferring expertise and skills.

    Benefits:

    • Learning is done during and immediately after the project so that knowledge transfer happens quickly.
    • Results can be shared with other teams outside of the immediate members.
    • Makes tacit knowledge explicit.
    • Encourages a culture where making mistakes is OK, but you need to learn from them.

    How to get started:

    1. Hold an initial meeting with IT teams to inform them of the action reviews. Create an action review goals statement by working with IT teams to discuss what they hope to get out of the initiative.
    2. Ask project teams to present their work and answer the following questions:
      1. What was supposed to happen?
      2. What actually happened?
      3. Why were there differences?
      4. What can we learn and do differently next time?
    3. Have each individual or group present, record the meeting minutes, and send the details to the group for future reference. Determine a share storage place on your company intranet or shared drive for future reference.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training:Minimal

    Technology Support: Minimal

    Process Development: Some

    Duration:Ongoing

    Participants

    IT unit/group

    Any related IT stakeholder impacted by or involved in a project.

    Materials

    Meeting space

    Video conferencing (as needed)

    Knowledge Transfer Tactics:

    Mentoring

    Mentoring can be a formal program where management sets schedules and expectations. It can also be informal through an environment for open dialogue where staff is encouraged to seek advice and guidance, and to share their knowledge with more novice members of the organization.

    Benefits:

    • Speeds up learning curves and helps staff acclimate to the organizational culture.
    • Communicates organizational values and appropriate behaviors, and is an effective way to augment training efforts.
    • Leads to higher engagement by improving communication among employees, developing leadership, and helping employees work effectively.
    • Improves succession planning by preparing and grooming employees for future roles and ensuring the next wave of managers is qualified.

    How to get started:

    1. Have senior management define the goals for a mentorship program. Depending on your goals, the frequency, duration, and purpose for mentorship will change. Create a mission statement for the program.
    2. Communicate the program with mentors and mentees and define what the scope of their roles will be.
    3. Implement the program and measure success.

    Creating a mentorship program is a full project in itself. For full details on how to set up a mentorship program, see McLean & Company’s Build a Mentoring Program.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Required

    Technology Support: N/a

    Process Development:Required

    Duration:Ongoing

    Participants

    IT unit/group

    Materials

    Meeting space

    Video conferencing (as needed)

    Documentation

    Knowledge Transfer Tactics:

    Story Telling

    Knowledge sources use anecdotal examples to highlight a specific point and pass on information, experience, and ideas through narrative.

    Benefits:

    • Provides context and transfers expertise in a simple way between people of different contexts and background.
    • Illustrates a point effectively and makes a lasting impression.
    • Helps others learn from past situations and respond more effectively in future ones.
    • Can be completed in person, through blogs, video or audio recordings, or case studies.

    How to get started:

    1. Select a medium for how your organization will record stories, whether through blogs, video or audio recordings, or case studies. Develop a template for how you’re going to record the information.
    2. Integrate story telling into key activities – project wrap-up, job descriptions, morning meetings, etc.
    3. Determine the medium for retaining and searching stories.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Required

    Technology Support: Some

    Process Development:Required

    Duration:Ongoing

    Participants

    Knowledge source

    Knowledge receiver

    Videographer (where applicable)

    Materials

    Meeting space

    Video conferencing (as needed)

    Documentation

    Knowledge Transfer Tactics:

    Job Share

    Job share exists when at least two people share the knowledge and responsibilities of two job roles.

    Benefits:

    • Reduces the risk of concentrating all knowledge in one person and creating a single point of failure.
    • Increases the number of experts who hold key knowledge that can be shared with others, i.e. “two heads are better than one.”
    • Ensures redundancies exist for when an employee leaves or goes on vacation.
    • Great for getting junior employees up to speed on legacy system functionality.
    • Results in more agile teams.
    • Doubles the amount of skills and expertise.

    How to get started:

    1. Determine which elements of two individuals’ job duties could be shared by two people. Before embarking on a job share, ensure that the two individuals will work well together as a team and individually.
    2. Establish a vision, clear values, and well-defined roles, responsibilities, and reporting relationships to avoid duplication of effort and confusion.
    3. Start with a pilot group of employees who are in support of the initiative, track the results, and make adjustments where needed.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training: Some

    Technology Support: Minimal

    Process Development:Required

    Duration:Ongoing

    Participants

    IT manager

    HR

    Employees

    Materials

    Job descriptions

    Knowledge Transfer Tactics:

    Communities of Practice

    Communities of practice are working groups of individuals who engage in a process of regularly sharing information with each other across different parts of the organization by focusing on common purpose and working practices. These groups meet on a regular basis to work together on problem solving, to gain information, ask for help and assets, and share opinions and best practices.

    Benefits:

    • Supports a collaborative environment.
    • Creates a sense of community and positive working relationships, which is a key driver for engagement.
    • Encourages creative thinking and support of one another.
    • Facilitates transfer of wide range of knowledge between people from different specialties.
    • Fast access to information.
    • Multiple employees hear the answers to questions and discussions, resulting in wider spread knowledge.
    • Can be done in person or via video conference, and is best when supported by social collaboration tools.

    How to get started:

    1. Determine your medium for these communities and ensure you have the needed technology.
    2. Develop training materials, and a rewards and recognition process for communities.
    3. Have a meeting with staff, ask them to brainstorm a list of different key “communities,” and ask staff to self select into communities.
    4. Have the communities determine the purpose statement for each group, and set up guidelines for functionality and uses.

    Knowledge Types

    Information

    Process

    Skills

    Expertise

    Dependencies

    Training:Required

    Technology Support: Required

    Process Development:Required

    Duration:Ongoing

    Participants

    Employees

    BA (to assist in establishing)

    IT managers (rewards and recognition)

    Materials

    TBD

    The effectiveness of each knowledge transfer tactic varies based on the type of knowledge you are trying to transfer

    This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared to four different knowledge types.

    Not all techniques are effective for types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.

    Very strong = Very effective

    Strong = Effective

    Medium = Somewhat effective

    Weak = Minimally effective

    Very weak = Not effective

    Knowledge Type

    Tactic

    Explicit

    Tacit

    Information

    Process

    Skills

    Expertise

    Interviews

    Very strong

    Strong

    Strong

    Strong

    Process mapping

    Medium

    Very strong

    Very weak

    Very weak

    Use cases

    Medium

    Very strong

    Very weak

    Very weak

    Job shadow

    Very weak

    Medium

    Very strong

    Very strong

    Peer assist

    Strong

    Medium

    Very strong

    Very strong

    Action review

    Medium

    Medium

    Strong

    Weak

    Mentoring

    Weak

    Weak

    Strong

    Very strong

    Transition workshop

    Strong

    Strong

    Strong

    Strong

    Story telling

    Weak

    Weak

    Strong

    Very strong

    Job share

    Weak

    Weak

    Very strong

    Very strong

    Communities of practice

    Strong

    Weak

    Very strong

    Very strong

    Consider your stakeholders’ level of engagement prior to selecting a knowledge transfer tactic

    Level of Engagement

    Tactic

    Disengaged/ Indifferent

    Almost Engaged - Engaged

    Interviews

    Yes

    Yes

    Process mapping

    Yes

    Yes

    Use cases

    Yes

    Yes

    Job shadow

    No

    Yes

    Peer assist

    Yes

    Yes

    Action review

    Yes

    Yes

    Mentoring

    No

    Yes

    Transition workshop

    Yes

    Yes

    Story telling

    No

    Yes

    Job share

    Maybe

    Yes

    Communities of practice

    Maybe

    Yes

    When considering which tactics to employ, it’s important to consider the knowledge holder’s level of engagement. Employees whom you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.

    Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It’s essential that motivations for knowledge transfer are communicated effectively.

    Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what’s in it for them.

    Putting disengaged employees in a position where they are mentoring others can be a risk. Their negativity could influence others not to participate as well or negate the work you’re doing to create a positive knowledge sharing culture.

    Consider using collaboration tools as a medium for knowledge transfer

    There is a wide variety of different collaboration tools available to enable interpersonal and team connections for work-related purposes. Familiarize yourself with all types of collaboration tools to understand what is available to help facilitate knowledge transfer.

    Collaboration Tools

    Content Management

    Real Time Communication

    Community Collaboration

    Social Collaboration

    Tools for collaborating around documents. They store content and allow for easy sharing and editing, e.g. content repositories and version control.

    Can be used for:

    • Action review
    • Process maps and use cases
    • Storing interview notes
    • Stories: blogs, video, and case studies

    Tools that enable real-time employee interactions. They permit “on-demand” workplace communication, e.g. IM, video and web conferencing.

    Can be used for:

    • Action review
    • Interviews
    • Mentoring
    • Peer assist
    • Story telling
    • Transition workshops

    Tools that allow teams and communities to come together and share ideas or collaborate on projects, e.g. team portals, discussion boards, and ideation tools.

    Can be used for:

    • Action review
    • Communities of practice
    • Peer assist
    • Story Telling

    Social tools borrow concepts from consumer social media and apply them to the employee-centric context, e.g. employee profiles, activity streams, and microblogging.

    Can be used for:

    • Peer assist
    • Story telling
    • Communities of practice

    For more information on Collaboration Tools and how to use them, see Info-Tech’s Establish a Communication and Collaboration System Strategy.

    Identify potential knowledge receivers

    Hold a meeting with your IT leaders to identify who would be the best knowledge receivers for specific knowledge assets

    • Before deciding on a successor, determine how the knowledge asset will be used in the future. This will impact who the receiver will be and your tactic. That is, if you are looking to upgrade a technology in the future, consider who would be taking on that project and what they would need to know.
    • Prior to the meeting, each manager should send a copy of the knowledge assets they have identified to the other managers.
    • Participants should come equipped with names of members of their teams and have an idea of what their career aspirations are.
    • Don’t assume that all employees want a career change. Be sure to have conversations with employees to determine their career aspirations.

    Ask how effectively the potential knowledge receiver would serve in the role today.

    • Review their competencies in terms of:
      • Relationship-building skills
      • Business skills
      • Technical skills
      • Industry-specific skills or knowledge
    • Consider what competencies the knowledge receiver currently has and what must be learned.
    • Finally, determine how difficult it will be for the knowledge receiver to acquire missing skills or knowledge, whether the resources are available to provide the required development, and how long it will take to provide it.

    Info-Tech Insight

    Wherever possible, ask employees about their personal learning styles. It’s likely that a collaborative compromise will have to be struck for knowledge transfer to work well.

    Using the IT knowledge transfer plan tool

    The image contains a screenshot of the IT Knowledge Transfer tool.

    We will use the IT Knowledge Transfer Plans as the foundation for building your knowledge transfer roadmap.

    2.1.3 Complete Knowledge Transfer Plans

    Complete one plan template for each of the knowledge sources

    1. Fill in the top with the knowledge source’s name. Remember that one template should be filled out for each source.
    2. List their key knowledge activities as identified through the interview.
    3. For each knowledge activity, identify and list the most appropriate recipient of this knowledge.
    4. For each knowledge activity, use the drop-down options to identify the type of knowledge that it falls under.
    5. Depending on the type of knowledge, different tactic drop-down options are available. Select which tactic would be most appropriate for this knowledge as well as the people involved in the knowledge transfer.

    The Strength Level column will indicate how well matched the tactic is to the type of knowledge.

    Input Output
    • Results of knowledge source interviews
    • A completed knowledge transfer plan for each identified knowledge source.
    Materials Participants
    • A completed knowledge transfer plan for each identified knowledge source.
    • IT leadership team

    IT Knowledge Transfer Plan Template

    Step 2.2

    Build Your Knowledge Transfer Roadmap

    Activities

    2.2.1 Merge Your Knowledge Transfer Plans

    2.2.2 Define Knowledge Transfer Initiatives’ Timeframes

    The goal of this step is to build the logistics of the knowledge transfer roadmap to prepare to communicate it to key stakeholders.

    Outcomes of this step

    • Prioritized sequence based on target state maturity goals.
    • Project roadmap.

    Plan and monitor the knowledge transfer project

    Depending on the desired state of maturity, the number of initiatives your organization has will vary and there could be a lengthy number of tasks and subtasks required to reach your organization knowledge transfer target state. The best way to plan, organize, and manage all of them is with a project roadmap.

    The image contains a screenshot of the Project Planning and Monitoring tool.

    Project Planning & Monitoring Tool

    Steps to use the project planning and monitoring tool:

    1. Begin by identifying all the project deliverables in scope for your organization. Review the previous content pertaining to specific people, process, and technology deliverables that your organization plans on creating.
    2. Identify all the tasks and subtasks necessary to create each deliverable.
    3. Arrange the tasks in the appropriate sequential order.
    4. Assign each task to a member of the project team.
    5. Estimate the day the task will be started and completed.
    6. Specify any significant dependencies or prerequisites between tasks.
    7. Update the project roadmap throughout the project by accounting for injections and entering the actual starting and ending dates.
    8. Use the project dashboard to monitor the project progress and identify risks early.

    Project Planning & Monitoring Tool

    Prioritize your tactics to build a realistic roadmap

    Initiatives should not and cannot be tackled all at once;

    • At this stage, each of the identified stakeholders should have a knowledge transfer plan for each of their reports with rough estimates for how long initiatives will take.
    • Simply looking at this raw list of transition plans can be daunting. Logically bundle the identified needs into IT initiatives to create the optimal IT Knowledge Transfer Roadmap.
    • It’s important not to try to do too much too quickly. Focus on some quick wins and leverage the success of these initiatives to drive the project forward.

    The image contains a screenshot of the prioritize tactics step.

    Populate the task column of the Project Planning and Monitoring Tool. See the following slides for more details on how to do this.

    Some techniques require a higher degree of effort than others

    Effort by Stakeholder

    Tactic

    Business Analyst

    IT Manager

    Knowledge Holder

    Knowledge Receiver

    Interviews

    Medium

    N/A

    Low

    Low

    These tactics require the least amount of effort, especially for organizations that are already using these tactics for a traditional requirements gathering process.

    Process Mapping

    Medium

    N/A

    Low

    Low

    Use Cases

    Medium

    N/A

    Low

    Low

    Job Shadow

    Medium

    Medium

    Medium

    Medium

    These tactics generally require more involvement from IT management and the BA in tandem for preparation. They will also require ongoing effort for all stakeholders. Stakeholder buy-in is key for success.

    Peer Assist

    Medium

    Medium

    Medium

    Medium

    Action Review

    Low

    Medium

    Medium

    Low

    Mentoring

    Medium

    High

    High

    Medium

    Transition Workshop

    Medium

    Low

    Medium

    Low

    Story Telling

    Medium

    Medium

    Low

    Low

    Job Share

    Medium

    High

    Medium

    Medium

    Communities of Practice

    High

    Medium

    Medium

    Medium

    Consider each tactic’s dependencies as you build your roadmap

    Implementation Dependencies

    Tactic

    Training

    Technology Support

    Process Development

    Duration

    Interviews

    Minimal

    N/A

    Minimal

    Annual

    Start your knowledge transfer project here to get quick wins for explicit knowledge.

    Process Mapping

    Minimal

    N/A

    Minimal

    Annual

    Use Cases

    Minimal

    N/A

    Minimal

    Annual

    Job Shadow

    Required

    N/A

    Required

    Ongoing

    Don’t change too much too quickly or try to introduce all of the tactics at once. Focus on 1-2 key tactics and spend a significant amount of time upfront building an effective process and rolling it out. Leverage the effectiveness of the initial tactics to push these initiatives forward.

    Peer Assist

    Minimal

    N/A

    Required

    Ongoing

    Action Review

    Minimal

    Minimal

    Some

    Ongoing

    Mentoring

    Required

    N/A

    Required

    Ongoing

    Transition Workshop

    Required

    Some

    Some

    Ongoing

    Story Telling

    Some

    Required

    Required

    Ongoing

    Job Share

    Some

    Minimal

    Required

    Ongoing

    Communities of Practice

    Required

    Required

    Required

    Ongoing

    2.2.1 Merge Your Knowledge Transfer Plans

    Populate the task column of the Project Planning and Monitoring Tool

    1. Take an inventory of all the tactics and techniques which you plan to employ. Eliminate redundancies where possible.
    2. Start your implementation with your highest risk group using explicit knowledge transfer tactics. Interviews, use cases, and process mapping will give you some quick wins and will help gain momentum for the project.
    3. Proactive and knowledge culture should then move forward to other tactics, the majority of which will require training and process design. Pick one to two other key tactics you would like to employ and build those out.
    4. Once you get more advanced, you can continue to grow the number of tactics you employ, but in the beginning, less is more. Keep growing your implementation roadmap one tactic at a time and track key metrics as you go.
    InputOutput
    • A list of project tasks to be completed.
    MaterialsParticipants
    • Project Planning Monitoring Tool.
    • IT Leadership Team

    Project Planning & Monitoring Tool

    2.2.2 Define Initiatives’ Timeframes

    Populate the estimated start and completion date and task owner columns of the Project Planning and Monitoring Tool.

    1. Define the time frame: time frames will depend on several factors. Consider the following while defining timelines for your knowledge transfer tactics:
    • Tactics you choose to employ
    • Availability of resources to implement the initiative
    • Technology requirements
  • Input the Start Date and End Date for each initiative via the drop-down. (Year 1-M1 = year 1, month 1 of implementation.)
  • Define the status of initiative:
    • Planned
    • In progress
    • Completed
  • The initiative owner will ensure each step of the rollout is executed as planned, and will:
    • Engage all required stakeholders at appropriate stages of the project.
    • Engage all required resources to implement the process and make sure that communication channels are open and available between all relevant parties.
    Input Output
    • Timeframes for all project tasks.
    Materials Participants
    • Project Planning and Monitoring Tool.
    • IT Leadership Team

    Project Planning & Monitoring Tool

    Once you start the implementation, leverage the Project Planning and Monitoring Tool for ongoing status updates

    Track your progress

    • Update your project roadmap as you complete the project and keep track of your progress by completing the “Actual Start Date” and “Actual Completion Date” as you go through your project.
    • Use the Progress Report tab in project team meetings to update stakeholders on which tasks have been completed on schedule, for an analysis of tasks to date, and project time management.
    The image contains screenshots from the Project Planning and Monitoring Tool.

    Phase #3

    Implement your knowledge transfer plans and roadmap

    Phase 1

    Phase 2

    Phase 3

    1.1 Obtain approval for project

    1.2 Identify knowledge and stakeholder risks

    2.1 Build knowledge transfer plans

    2.2 Build knowledge transfer roadmap

    3.1 Communicate your roadmap

    This phase will walk you through the following activities:

    • Preparing a key stakeholder communication presentation.

    This phase involves the following participants:

    • IT Leadership
    • Other key stakeholders

    Step 3.1

    Communicate Your Knowledge Transfer Roadmap to Stakeholders

    Activities

    3.1.1 Prepare IT Knowledge Transfer Roadmap Presentation

    The goal of this step is to be ready to communicate the roadmap with the project team, project sponsor, and other key stakeholders.

    Outcomes of this step

    • Key stakeholder communication deck.

    Use Info-Tech’s template to communicate with stakeholders

    Obtain approval for the IT Knowledge Transfer Roadmap by customizing Info-Tech’s IT Knowledge Transfer Roadmap Presentation Template designed to effectively convey your key messages. Tailor the template to suit your needs.

    It includes:

    • Project Context
    • Project Scope and Objectives
    • Knowledge Transfer Roadmap
    • Next Steps

    The image contains screenshots of the IT Knowledge Transfer Roadmap Presentation Template.

    Info-Tech Insight

    The support of IT leadership is critical to the success of your roadmap roll-out. Remind them of the project benefits and impact them hard with the risks/pain points.

    IT Knowledge Transfer Roadmap Presentation Template

    3.1.1 Prepare a Presentation for Your Project Team and Sponsor

    Now that you have created your knowledge transfer roadmap, the final step of the process is to get sign-off from the project sponsor to begin the planning process to roll-out your initiatives.

    Know your audience:

    1. Revisit your project charter to determine the knowledge transfer project stakeholders who will be included in your presentation audience.
    2. You want your presentation to be succinct and hard-hitting. Management’s time is tight, and they will lose interest if you drag out the delivery. Impact them hard and fast with the pains and benefits of your roadmap.
    3. The presentation should take no more than an hour. Depending on your audience, the actual presentation delivery could be quite short (12-13 slides). However, you want to ensure adequate time for Q & A.
    Input Output
    • Project charter
    • A completed presentation to communicate your knowledge transfer roadmap.
    Materials Participants
    • IT Knowledge Transfer Roadmap Presentation Template
    • IT leadership team
    • Project sponsor
    • Project stakeholders

    IT Knowledge Transfer Roadmap Presentation Template

    Related Info-Tech Research

    Build an IT Succession Plan

    Train Managers to Handle Difficult Conversations

    Lead Staff Through Change

    Bibliography

    Babcock, Pamela. “Shedding Light on Knowledge Management.” HR Magazine, 1 May 2004.

    King, Rachael. "Big Tech Problem as Mainframes Outlast Workforce." Bloomberg, 3 Aug. 2010. Web.

    Krill, Paul. “IT’s Most Wanted: Mainframe Programmers.” IDG Communications, Inc. 1 December 2011.

    McLean & Company. “Mitigate the Risk of Baby Boomer Retirement with Scalable Succession Planning.” 7 March 2016.

    McLean & Company. “Make the Case For Employee Engagement.” McLean and Company. 27 March 2014.

    PwC. “15th Annual Global CEO Survey: Delivering Results Growth and Value in a Volatile World.” PwC, 2012.

    Rocket Software, Inc. “Rocket Software 2022 Survey Report: The State of the Mainframe.” Rocket Software, Inc. January 2022. Accessed 30 April 2022.

    Ross, Jenna. “Intangible Assets: A Hidden but Crucial Driver of Company Value.” Visual Capitalist, 11 February 2020. Accessed 2 May 2022.

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    • Buy Link or Shortcode: {j2store}76|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Amid the pandemic-fueled surge in online services, organizations require secure solutions to safeguard digital interactions. These solutions must be uniform, interoperable, and fortified against security threats.
    • Although the digital identity ecosystem has garnered significant attention and investment, many organizations remain uncertain about its potential for authentication and the authorization required for B2B and B2C transactions, and in turn reducing their cost of operations and transferring their data risks.

    Our Advice

    Critical Insight

    • Limited / lack of understanding of the global digital ID ecosystem and its varying approaches across countries handicaps businesses in defining the benefits digital ID can bring to customer interactions and overall business management.
    • In addition, key obstacles exist in balancing customer privacy, data security, and regulatory requirements while pursuing excellent end-user experience and high customer adoption.
    • Info-Tech Insight: Focusing on customer touchpoints and transforming them are key to excellent experience and increasing their life-time value (LTV) to them and to your organization. Digital ID is that tool of transformation.

    Impact and Result

    • Digital ID has many dimensions, and its ecosystem's sustainability lies in the key principles it is built on. Understanding the digital identity ecosystem and its responsibilities is crucial to formulating an approach to adopt it. Also, focusing on key success factors drives digital ID adoption.
    • Before embarking on the digital identity adoption journey, it is essential to assess your readiness. It is also necessary to understand the risks and challenges. Specific steps to digital ID adoption can help realize the potential of digital identity and enhance the customers' experience.

    Navigate the Digital ID Ecosystem to Enhance Customer Experience Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Navigate the Digital ID Ecosystem to Enhance Customer Experience Storyboard – Learn how to adopt Digital ID to drive benefits, enhance customer experience, improve efficiency, manage data risks, and uncover new opportunities.

    This research focuses on verified digital identity ecosystems and explores risks, opportunities, and challenges of relying on verified digital IDs and also how adopting digital identity initiatives can improve customer experience and operational efficiency. It covers:

  • Definition and dimensions of digital identity
  • Key responsibilities and principles of digital identity ecosystem
  • Success factors for digital identity adoption
  • Global evolution and unique approaches in Estonia, India, Canada, UK, and Australia
  • Industries that benefit most from digital ID development
  • Key use cases of digital ID
  • Benefits to governments, ID providers, ID consumers, and end users
  • Readiness checklist and ten steps to digital ID adoption
  • Risks and challenges of digital identity adoption
  • Key recommendations to realize potential of digital identity
  • Taxonomy and definitions of terms in the digital identity ecosystem
    • Navigate the Digital ID Ecosystem to Enhance Customer Experience Storyboard
    • Familiarize Yourself With the Digital ID Ecosystem Taxonomy
    • Assess Your Digital ID Adoption Readiness

    Infographic

    Further reading

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    Beyond the hype: How it can help you become more customer-focused?

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Amid the pandemic-fueled surge of online services, organizations require secure solutions to safeguard digital interactions. These solutions must be uniform, interoperable, and fortified against security threats.

    Although the digital identity ecosystem has garnered significant attention and investment, many organizations remain uncertain about its potential for authentication and authorization required for B2B and B2C transactions.

    They still wonder if digital ID can help reduce cost of operations and transfer data risks.

    Limited or lack of understanding of the global Digital ID ecosystem and its varying approaches across countries handicap businesses in defining the potential benefits Digital ID can bring to customer interactions and overall business management.

    In addition, key obstacles exist in balancing customer privacy (including the right to be forgotten), data security, and regulatory requirements while pursuing desired end-user experience and high customer adoption.

    Digital ID has many dimensions, and its ecosystem's sustainability lies in the key principles it is built on. Understanding the digital identity ecosystem and its responsibilities is crucial to formulate an approach to adopt it. Also, focusing on key success factors drives digital ID adoption.

    Before embarking on the digital identity adoption journey, it is essential to assess your readiness. It is also necessary to understand the risks and challenges. Specific steps to digital ID adoption can help realize the potential of digital identity and enhance the customers' experience.

    Info-Tech Insight

    Focusing on customer touchpoints and transforming them is key to excellent user experience and increasing their lifetime value (LTV) to them and to your organization. Digital ID is that tool of transformation.

    Analyst Perspective

    Manish Jain.

    Manish Jain

    Principal Research Director

    Analyst Profile

    “I just believed. I believed that the technology would change people's lives. I believed putting real identity online - putting technology behind real identity - was the missing link.”

    - Sheryl Sandberg (Brockes, Emma. “Facebook’s Sheryl Sandberg: who are you calling bossy?” The Guardian, 5 April 2014)

    Sometimes dismissed as mere marketing gimmicks, digital identity initiatives are anything but. While some argue that any online credential is a "Digital ID," rendering the hype around it pointless, the truth is that a properly built digital ID ecosystem has the power to transform laggard economies into global digital powerhouses. Moreover, digital IDs can help businesses transfer some of their cybersecurity risks and unlock new revenue channels by enabling a foundation for secure and efficient value delivery.

    In addition, digital identity is crucial for digital and financial inclusion, simplifying onboarding processes and opening up new opportunities for previously underserved populations. For example, in India, the Aadhaar digital ID ecosystem brought over 481 million1 people into the formal economy by enabling access to financial services. Similarly, in Indonesia, the e-KIP digital ID program paved the way for 10 million new bank accounts, 94% of which were for women2.

    However, digital identity initiatives also come with valid concerns, such as the risk of a single point of failure and the potential to widen the digital divide.

    This research focuses on the verified digital identity ecosystem, exploring the risks, opportunities, and challenges organizations face relying on these verified digital IDs to know their customers before delivering value. By understanding and adopting digital identity initiatives, organizations can unlock their full potential and provide a seamless customer experience while ensuring operational efficiency.

    1 India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    2 Women’s World Banking, 2020.

    Digital Identity Ecosystem and vital ingredients of adoption

    Digital Identity Ecosystem.

    What is digital identity?

    Definitions may vary, depending on the focus.

    “Digital identity (ID) is a set of attributes that links a physical person with their online interactions. Digital ID refers to one’s online persona - an online footprint. It touches important aspects of one’s everyday life, from financial services to health care and beyond.” - DIACC Canada

    “Digital identity is a digital representation of a person. It enables them to prove who they are during interactions and transactions. They can use it online or in person.” - UK Digital Identity and Attributes Trust Framework

    “Digital identity is an electronic representation of an entity (person or other entity such as a business) and it allows people and other entities to be recognized online.” - Australia Trusted Digital Identity Framework

    A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity.

    Digital identity has many dimensions*, and in turn categories

    Trust

    • Verified (Govt. issued IDs)
    • Unverified (Email Id)

    Subject

    • Individual
    • Organization
    • Device
    • Service

    Usability

    • Single-purpose (Disposable)
    • Multi-purpose (Reusable)

    Provider

    • Sovereign Government
    • Provincial Government
    • Local Government
    • Public Organization
    • Private Organization
    • Self

    Jurisdiction

    • Global (Passport)
    • National (DL)
    • State/Provincial (Health Card)
    • Local (Voting Card)
    • Private (Social)

    Form

    • Physical Card
    • Virtual Identifier
    • Online/App Account
    • PKI Keys
    • Tokens

    Governance

    • Sovereign
    • Federated
    • Decentralized
    • Trust Framework -based
    • Self-sovereign

    Expiry

    • Permanent (Lifetime, Years)
    • Temporary (Minutes, Hours)
    • Revocable

    Usage Mode

    • online only
    • offline only
    • Online/offline

    Purpose

    • Authorization (driver’s license, passport, employment)
    • Authentication (birth certificate, social security number)
    • Activity Linking (preferences, habits, and priorities)
    • Historical Record (Resume, educational financial, health history)
    • Social Interactions (Social Media)
    • Machine Connectivity

    Info-Tech Insight

    Digital ID has taken different meanings for different people, serving different purposes in different environments. Based on various aspects of Digital Identification, it can be categorized in several types. However, most of the time when people refer to a form of identification as Digital ID, they refer to a verified id with built-in trust either from the government OR the eco-system.

    * Please refer to Taxonomy for the definition of each of the dimensions

    Understanding a digital identity ecosystem is key to formulating your approach to adopt it

    The image contains a screenshot of a digital identity ecosystem diagram.

    Info-Tech Insight

    Digital identity ecosystems comprise many entities playing different roles, and sometimes more than one. In addition, variations in approach by jurisdictions drive how many active players are in the ecosystem for that jurisdiction.

    For example, in countries like Estonia and India, government plays the role of trust and governance authority as well as ID provider, but didn’t start with any Digital ID wallet. In contrast, in Ukraine, Diia App is primarily a Digital ID Wallet. Similarly, in the US, different states are adopting private Digital ID Wallet providers like Apple.

    Digital ID ecosystem’s sustainability lies in the key principles it is built on

    Social, economic, and legal alignment with target stakeholders
    Transparent governance and operation
    Legally auditable and enforceable
    Robust and Resilient – High availability
    Security – At rest, in progress, and in transit
    Privacy and Control with users
    Omni-channel Convenience – User and Operations
    Minimum data transfer between entities
    Technical interoperability enabled through open standards and protocol
    Scalable and interoperable at policy level
    Cost effective – User and operations
    Inclusive and accessible

    Info-Tech Insight

    A transparent, resilient, and auditable digital ID system must be aligned with socio-economic realities of the target stakeholders. It not only respects their privacy and security of their data by minimizing the data transfer between entities, but also drives desired customer experience by providing an omni-channel, interoperable, scalable, and inclusive ecosystem while still being cost-effective for the collaborators.

    Source: Adapted from Canada PCTF, UK Trust framework, European Commission, Australia TDIF, and others

    Focus on key success factors to drive the digital ID adoption

    Digital ID success factors

    Legislative regulatory framework – Removes uncertainty
    Security & Privacy Assurance- builds trust
    Smooth user experience – Drives preferences
    Transparent ecosystem – Drives inclusivity
    Multi-channel – Drive consistent experience online / offline
    Inter-operability thorough open standards
    Digital literacy – Education and awareness
    Multi-purpose & reusable – Reduce consumer burden
    Collaborative ecosystem –Build network effect

    Source: Adapted from Canada PCTF, UK digital identity & attributes trust framework , European eIDAS, and others

    Info-Tech Insight

    Driving adoption of Digital ID requires affirmative actions from all ecosystem players including governing authorities, identity providers, and identity consumers (relying parties).

    These nine success factors can help drive sustainable adoption of the Digital ID.

    Among many responsibilities the ecosystem players have, identity governance is the key to sustainability

    • Digital identity provision
      • Creating identity attributes
      • Create a reusable identity and attribute service
      • Create a digital identity
      • Assess and manage quality of an identity and attributes
      • Making identity provision inclusive and accessible
    • Digital identity resolution
      • Enabling inclusive access to products and services through digital identity
      • Authenticate and authorize identity subjects before permitting access to their identity and attributes
    • Digital identity governance
      • Manage digital identity and attributes
      • Make Identity service interoperable, and sharable
      • Recover digital identity and attribute accounts
      • Notifying users on accessing identity or making changes on more attributes
      • Report and audit – exclusion, accessibility
      • Retiring an identity or attribute service
      • Respond to complaints and disputes
    • Enterprise risk management and governance
    The image contains a screenshot of a diagram to demonstrate how identity governance is the key to sustainability.
    • Privacy and security
      • Use encryption
      • Privacy compliance framework
      • Consumer Privacy Protection laws (CPPA, GDPR etc.)
      • Acquiring and managing user consents & agreements
      • Prohibited processing of personal data
      • Security controls and governance
    • Information management
      • Record management
      • Archival
      • Disposal (on expiry or to comply with regulations)
      • CIA (confidentiality, integrity, availability)
    • Fraud management
      • Fraud monitoring and reporting
      • Fraud intelligence and analysis
      • Sharing threat indicators
      • Legal, policies and procedures for fraud management
    • Incident response
      • Respond to fraud incidents
      • Respond to a service delivery incident
      • Responding to data breaches
      • Performing and participating in investigation

    Global evolution of digital ID is following the socio-economic aspirations of countries

    The image contains a screenshot of a graph that demonstrates global evolution of digital ID.

    Source: Adapted from the book: Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018

    Info-Tech Insight

    The world became global a long time ago; however, it sustained economic progress without digital IDs for most of the world's population.

    With the pandemic, when political rhetoric pointed to the demand for localized supply chains, economies became irreversibly digital. In this digital economy, the digital ID ecosystem is the fulcrum of sustainable growth.

    At a time in overlapping jurisdictions, multiple digital IDs can exist. For example, one is issued by a local municipality, one by the province, and another by the national government.

    Global footprint of digital ID is evolving rapidly, but varies in approach

    The image contains a screenshot of a Global footprint of digital ID.

    Info-Tech Insight

    Countries’ approach to the digital ID is rooted in their socio-economic environment and global aspirations.

    Emerging economies with large underserved populations prioritize fast implementation of digital ID through centralized systems.

    Developed economies with smaller populations, low trust in government, and established ID systems prioritize developing trust frameworks to drive decentralized full-scale implementation.

    There is no right way except the one which follows Digital ID principles and aligns with a country’s and its people’s aspirations.

    Estonia's e-identity is the key to its digital agenda 2030

    • Regulatory Body and Operational Governance: Estonian Information System Authority (RIA).
    • Identity Providers: Government of Estonia; Private sector doesn’t issue IDs but can leverage Digital ID ecosystem.
    • Decentralized Approach: Permissioned Blockchain Architecture with built-in data traceability implemented on KSI (Keyless Signature Infrastructure).
    • X-Road – Secure, interoperable open-source data exchange platform between collection point where Data is stored.
    • Digital Identity Form: e-ID
    • Key Use cases:
      • Financial, Telecom: e-KYC, e-Banking
      • Digital Authentication: ID Card, Mobile ID, Smart ID, Digital Signatures
      • E-governance: e-Voting, e-Residency, e-Services Registries, e-Business Register
      • Smart City and mobility: Freight Transportation, Passenger Mobility
      • Healthcare: e-Health Record, e-Prescription, e-Ambulance
    • ID-card
    • Smart ID
    • Mobile ID
    • e-Residency

    Uniqueness

    Estonia pioneered the digital ID implementation with a centralized approach and later transitioned to a decentralized ecosystem driving trust to attract non-citizens into Estonia’s digital economy.

    99% Of Estonian residents have an ID card enabling use of electronic ID

    1.4 B Digital signatures given (2021)

    99% Public Services available as e-Services

    17K+ Productive years saved (five working days/citizen/year saved accessing public services)

    25K E-resident companies contributed more than €32 million in tax

    *Source: https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf ;

    https://www.e-resident.gov.ee/dashboard

    The image contains a timeline of events from 2001-2020 for Estonia..

    India’s Aadhaar is the foundation of its digital journey through “India stack”

    • Regulatory Accountability and Operational Governance: Unique Identification Authority of India (UIDAI).
    • Identity Provider: Govt. of India.
    • Digital Identity Form: Physical and electronic ID Card; Online (Identifier + OTP), and offline (identifier + biometric) usage; mAadhaar App & Web Portal
    • India Stack: a set of open APIs and digital assets to leverage Aadhaar in identity, data, and payments at scale.
    • Key Use cases:
      • Financial, Telecom: eKYC, Unified Payments Interface (UPI)
      • Digital Wallet: Digi Locker
      • Digital Authentication: eSign, and Aadhaar Auth.
      • Public Welfare: Public Distribution of Service, Social Pension, Employment Guarantee
      • Public service access: Enrollment to School, Healthcare

    1.36B People enrolled

    80% Beneficiaries feel Aadhaar has made PDS, employment guarantee and social pensions more reliable

    91.6% Are very satisfied or somewhat satisfied with Aadhaar

    14B eKYC transactions done by 218 eKYC authentication agencies (KUA)

    Source: https://uidai.gov.in/aadhaar_dashboard/india.php; https://www.stateofaadhaar.in/

    World Bank Report on Private Sector Impacts from ID

    Uniqueness

    “The Aadhaar digital identity system could reduce onboarding costs for Indian firms from 1,500 rupees to as low as an estimated 10 rupees.”

    -World Bank Report on Private Sector Impacts from ID

    With lack of public trust in private sector, government brought in private sector executives in public ecosystem to lead the largest identity program globally and build the India stack to leverage the power of Digital Identity.

    The image contains a screenshot of India's Aadhaar timeline from 2009-2022.

    Ukraine’s Diia is a resilient act to preserve their identities during threat to their existence

    Regulatory Accountability and Operational Governance: Ministry of Digital Transformation.

    Identity provider: Federated govt. agencies.

    Digital identity form: Diia App & Portal as a digital wallet for all IDs including digital driving license.

    • Key use cases:
      • eGovernance – Issuing license and permits, business registration, vaccine certificates.
      • Public communication: air-raid alerts, notifications, court decisions and fines.
      • Financial, Telecom: KYC compliance, mobile donations.
      • eBusiness: Diia City legal framework for IT industry, Diia Business Portal for small and medium businesses.
      • Digital sharing and authentication: Diia signature and Diia QR.
      • Public service access: Diia Education Portal for digital education and digital skills development, healthcare.

    18.5M People downloaded the Diia app.

    14 Digital IDs provided by other ID providers are available through Diia.

    70 Government services are available through Diia.

    ~1M Private Entrepreneurs used Diia to register their companies.

    1300 Tons of paper estimated to be saved by reducing paper applications for new IDs and replacements.

    Source:

    • Ukraine Govt. Website for Invest and trade
    • Diia Case study prepared for the office of Canadian senator colin deacon.

    Uniqueness

    “One of the reasons for the Diia App's popularity is its focus on user experience. In September 2022, the Diia App simplified 25 public services and digitized 16 documents. The Ministry of Digital Transformation aims to make 100% of all public services available online by 2024.”

    - Vladyslava Aleksenko

    Project Lead—digital Identity, Ukraine

    The image contains a screenshot of the timeline for Diia.

    Canada’s PCTF (Pan Canadian Trust Framework) driving the federated digital identity ecosystem

    • Regulatory Accountability: Treasury Board of Canada Secretariat (TBS); Canadian Digital Service (CDS); Office of CIO
    • Standard Setting: Digital Identification and Authentication Council of Canada (DIACC)
    • Frameworks:
      • Treasury Board Directive on Identity Management
      • Pan Canadian Trust Framework (PCTF)
      • Voilà Verified Trustmark Program: ISO aligned compliance certification program on PCTF
      • Governing / Certificate Authority: Trustmark Oversight Board (TOB) and DIACC accredited assessor
      • Operational Governance: Federated between identity providers and identity consumers
      • Identity Providers: Public and Private Sector
      • Other entities involved: Digital ID Lab (Voila Verified Auditor); Kuma (Accredited Assessor)
    The image contains a screenshot of PCTF Components.

    82% People supportive of Digital ID.

    2/3 Canadians prefer public-private partnership for Pan-Canadian digital ID framework.

    >40% Canadians prefer completing various tasks and transactions digitally.

    75% Canadians are willing to share personal information for better experience.

    >80% Trust government, healthcare providers, and financial institutions with their personal information.

    Source: DIACC Survey 2021

    Uniqueness

    Although a few provinces in Canada started their Digital ID journey already, federally, Canada lacked an approach.

    Now Canada is developing a federated Digital ID ecosystem driven through the Pan-Canadian Trust Framework (PCTF) led by a non-profit (DIACC) formed with public and private partnership.

    The image contains a screenshot of Canada's PCTF timeline from 2002-2025.

    Australia’s digital id is pivotal to its vision to become one of the Top-3 digital governments globally by 2025*

    * Australia Digital Government Strategy 2021
    • Regulatory responsibility and standard: Digital Transformation Agency (DTA)’s Digital Identity
    • Operational support and oversight: Service Australia, Interim Oversight Authority (IOA).
    • Accredited identity providers (by 2022): Australian Taxation Office (ATO)’s myGovID, Australia Post’s Digital ID, MasterCard’s ID, OCR Labs App
    • Framework: Trusted Digital Identity Framework (TDIF)
      • Digital Identity Exchange
      • Identity Service Providers and Attribute Verification Service
      • Attribute Service Providers
      • Credential Service Providers
      • Relying Parties
    • Others: States such as NSW, Victoria, and Queensland have their own digital identity programs

    8.6M People using myGovID by Jun-2022

    117 Services accessible through Digital Id System

    The image contains a screenshot diagram of Digital Identity.

    Uniqueness

    Australia started its journey of Digital ID with a centralized Digital ID ecosystem.

    However, now it preparing to transition to a centrally governed Trust framework-based ecosystem expanding to private sector.

    The image contains a screenshot of Australia's Digital id timeline from 2014-2022.

    UK switches gear to the Trust Framework approach to build a public-private digital ID ecosystem

    • Government: Ministry of Digital Infrastructure / Department of Digital, Culture, Media, and Sport
    • Governing Body / Certificate Authority / Operational Governance: TBD
    • Approach: Trust Framework-based UK Digital Identity and attributes trust framework (UKDIATF)
    • Identity providers: Transitioning from “GOV.UK Verify” to a federated digital identity system aligned with “Trust Framework” – enabling both government (“One Login for Government”) and private sector identity providers.
    The image contains a screenshot of the Trust Framework.

    Uniqueness

    UK embarked its Digital ID journey through Gov.UK Verify but decided to scrap it recently.

    It is now preparing to build a trust framework-based federated digital ID ecosystem with roles like schema-owners and orchestration service providers for private sector and drive the collaboration between industry players.

    The image contains a screenshot of UK timeline from 2011-2023.

    Digital ID will transform all industries, though financial services and e-governance will gain most

    Cross Industry

    Financial Services

    Insurance

    E-governance

    Healthcare & Lifesciences

    Travel and Tourism

    E-Commerce

    • Onboarding (customer, employee, patient, etc.)
    • Fraud-prevention (identity theft)
    • Availing restricted services (buying liquor)
    • Secure-sharing of credentials and qualifications (education, experience, gig worker)
    • For businesses, customer 360
    • For businesses, reliable data-driven decision making with lower frequency of ‘astroturfing’ (false identities) and ‘ballot-stuffing’ (duplicate identities)
    • Account opening
    • Asset transfer
    • Payments
    • For businesses, risk management - know your customer (KYC), anti-money laundering (AML), customer due diligence (CDD)
    • Insurance history
    • Insurance claim
    • Public distribution schemes (PDS)
    • Subsidy payments (direct to consumer)
    • Obtain government benefits (maternity, pension, employment guarantee / insurance payments)
    • Tax filing
    • Issuing credentials (birth certificate, passport)
    • Voting
    • For businesses, availing governments supports
    • For SMB businesses, easier regulatory compliance
    • Digital health
    • Out of state public healthcare
    • Secure access to health and diagnostic records
    • For businesses, data sharing between providers and with payers
    • Travel booking
    • Cross-border travel
    • Car rental
    • Secure peer-to-peer sales
    • Secure peer-to-peer sales

    USE CASE

    Car rental

    INDUSTRY: Travel & Tourism

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    Verifying the driver’s license (DL) is the first step a car rental company takes before handing over the keys.

    While the rental company only need to know the validity of the DL and if it belongs to the presenter, is bears the liability of much more data presented to them through the DL.

    For customers, it is impossible to rent a car if they forget their DL. If the customer has their driver’s license, they compromise their privacy and security as they hand over their license to the representative.

    The process is not only time consuming, it also creates unnecessary risks to both the business and the renter.

    A digital id-based rental process allows the renter to present the digital id online or in person.

    As the customer approaches the car rental they present their digital id on the mobile app, which has already authenticated the presenter though the biometrics or other credentials.

    The customer selects the purpose of the business as “Car Rental”, and only the customer’s name, photo, and validity of the DL appear on the screen for the representative to see (selective disclosures).

    If the car pick-up is online, only this information is shared with the car rental company, which in turn shares the car and key location with the renter.

    A digital identity-based identity verification can ensure a rental company has access to the minimum data it needs to comply with local laws, which in turn reduces its data leak risk.

    It also reduces customer risks linked to forgetting the DL, and data privacy.

    Digital identity also reduces the risk originated from identity fraud leading to stolen cars.

    USE CASE

    e-Governance public distribution service

    INDUSTRY: Government

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    In both emerging and developed economies, public distribution of resources – food, subsidies, or cash – is a critical process through which many people (especially from marginalized sections) survive on.

    They often either don’t have required valid proof of identity or fall prey to low-level corruption when someone defrauds them by claiming the benefit.

    As a result, they either completely miss out on claiming government-provided social benefits OR only receive a part of what they are eligible for.

    A Digital ID based public distribution can help created a Direct Benefit Transfer ecosystem.

    Here beneficiaries register (manually OR automatically from other government records) for the benefits they are eligible for.

    On the specific schedule, they receive their benefit – monetary benefit in their bank accounts, and non-cash benefits, in person from authorized points-of-sales (POS), without any middleman with discretionary decision powers on the distribution.

    India launched its Financial Inclusion Program (Prime Minister's Public Finance Scheme) in 2014.

    The program was linked with India’s Digital Id Aadhaar to smoothen the otherwise bureaucratic and discretionary process for opening a bank account.

    In last eight years, ~481M (Source: PMJDY) beneficiaries have opened a bank account and deposited ~ ₹1.9Trillion (USD$24B), a part of which came as social benefits directly deposited to these accounts from the government of India.

    USE CASE

    Real-estate investment and sale

    INDUSTRY: Asset Management

    Source: Info-Tech Research Group

    Challenge

    Solution

    Results

    “Impersonators posing as homeowners linked to 32 property fraud cases in Ontario and B.C.” – Global News Canada1

    “The level of fraud in the UK is such that it is now a national security threat” – UK Finance Lobby Group2

    Real estate is the most expensive investment people make in their lives. However, lately it has become a soft target for title fraud. Fraudsters steal the title to one’s home and sell it or apply for a new mortgage against it.

    At the root cause of these fraud are usually identity theft when a fraudster steals someone’s identity and impersonates them as the title owner.

    Digital identity tagged to the home ownership / title record can reduce the identity fraud in title transfer.

    When a person wants to sell their house OR apply for a new mortgage on house, multiple notifications will be triggered to their contact attributes on digital ID – phone, email, postal address, and digital ID Wallet, if applicable.

    The homeowner will be mandated to authorize the transaction on at least two channels they had set as preferred, to ensure that the transaction has the consent of the registered homeowner.

    This process will stop any fraud transactions until at least two modes are compromised.

    Even if two modes are compromised, the real homeowner will receive the notification on offline communication modes, and they can then alert the institution or lawyer to block the transaction.

    It will especially help elderly people, who are more prone to fall prey to identity frauds when somebody uses their IDs to impersonate them.

    1 Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)

    2 UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf)

    Adopting digital ID benefits everybody – governments, id providers, id consumers, and end users

    Governments & identity providers

    (public & private)

    Customers and end users

    (subjects)

    Identity consumer

    (relying parties)

    • Growth in GDP
    • Save costs of providing identity
    • Unlock new revenue source by economic expansion
    • Choice and convenience
    • Control of what data is shared
    • Experience driven by simplicity and data minimalization
    • Reduced cost of availing services
    • Operational efficiency
    • Overall cost efficiency of delivering service and products
    • Reduce risk of potential litigation
    • Reduce risk of fraud
    • Enhanced customer experience leading to increased lifetime value
    • Streamlined storage and access
    • Encourage innovation

    Digital ID will transform all industries, though financial services and e-governance will gain most

    Governments and identity providers (public and private)

    • Growth in GDP by reducing bureaucracy and discretion from the governance processes.
      • As per a McKinsey report, digital ID could unlock the economic value equivalent of 3%-13% of GDP across seven focus countries (Brazil, Ethiopia, India, Nigeria, China, UK, USA) in 2030.
      • “Estonia saves two percent of GDP by signing things digitally; imagine if it could go global.” - aavi Rõivas, Prime Minister of the Republic of Estonia (International Peace Institute)
    • Unlock new revenue source by economic expansion.
      • Estonia earned €32 million in tax revenue from e-resident companies (e-Estonia).
    • Save costs of providing identity in collaboration with 3rd parties and reduce fraud.
      • Canada estimates savings of $482 million for provincial and federal governments, and $4.5 billion for private sector organizations through digital id adoption (2022 Budget Statement).

    Digital ID brings end users choice, convenience, control, and cost-saving, driving overall experience

    Customers and end users (subjects)

    • Choice: Citizens have the choice and convenience to interact safely and conveniently online and offline.
    • Convenience: No compulsion to make physical trips to access service, as end users can identify themselves safely and reliably online, as they do offline.
    • Control: A decentralized, privacy enhancing solution – neither government nor private companies control your digital ID. How and when you use digital ID is entirely up to you.
    • Cost Saving: Save costs of availing service by reducing the offline documentation.
    • Experience: Improved experience while availing service without a need to present multiple documents every time.

    Digital id benefits identity consumers by enhancing multiple dimensions of their value streams

    Identity consumer (relying parties)

    • Operational efficiency: Eliminating unnecessary steps and irrelevant data from the value stream increases overall operational efficiency.
    • Cost efficiency: Helps businesses to reduce overall cost of operations like regulatory requirements.
      • World Bank estimated that the Aadhaar could reduce onboarding costs for Indian firms from ₹1,500/- ($23) to as low as an estimated ₹10/- ($0.15) (*World Bank ID4D)
    • Reduce risk of potential litigation issues: Encourage data minimization.
    • Privacy and security: Businesses can reduce the risk of fraud to organizations and users and can significantly boost the privacy and security of their IT assets.
    • Enhanced customer experience: The decrease in the number of touchpoints and faster turnaround.
    • Streamlined storage and access: Store all available data in a single place, and when required.
    • Encourage innovation: Reduce efforts required in authentication and authorization of users.

    Before embarking on the digital identity adoption journey, assess your readiness

    Legislative coverage

    Does your target jurisdiction have adequate legislative framework to enable uses of digital identities in your industry?

    Trust framework

    If the Digital ID ecosystem in your target jurisdiction is trust framework-based, do you have adequate understanding of it?

    Customer touch-points

    Do you have exact understanding of value stream and customer touch-points where you interact with user identity?

    Relevant identity attributes

    Do you have exact understanding of the identity attributes that your business processes need to deliver customer value?

    Regulatory compliance

    Do you have required systems to ensure your compliance with industry regulations around customer PII and identity?

    Interoperability with IMS

    Is your existing identity management system interoperable with Open-source Digital Identity ecosystem?

    Enterprise governance

    Have you established an integrated enterprise governance framework covering business processes, technical systems, and risk management?

    Communication strategy

    Do have a clear strategy (mode, method, means) to communicate with your target customer and persuade them to adopt digital identity?

    Security operations center

    Do you have security operations center coordinating detection, response, resolution, and communication of potential data breaches?

    Ten steps to adopt to enhance the customer experience

    Considering the complexity of digital identity adoption, and its impact on customer experience, it is vital to assess the ecosystem and adopt an MVP approach before a big-bang launch.

    Diagram to help assess the ecosystem.

    1. Define the use case and identify the customer touchpoint in the value stream which can be improved with a verified digital identity.
    2. Ensure your organization is ready to adopt digital identity (Refer to Digital identity adoption readiness),
    3. Identify an Identity Service Provider (Government, private sector), if there are options.
    4. Understand its technical requirements and assess, to the finer detail, your technical landscape for interoperability.
    5. Set-up a business contract for terms of usages and liabilities.
    6. Create and execute a Minimum Viable Program (MVP) of integration which can be tested with real customers.
    7. Extend MVP to the complete solution and define key success metrics.
    8. Canary-launch with a segment of target customers before a full launch.
    9. Educate customers on the usages and benefits, and adapt your communication plan taking feedback
    10. Monitor and continuously improve the solution based on the feedback from ecosystem partners and end-customers, and regulatory changes.

    Understand and manage the risks and challenges of digital identity adoption

    Digital ID adoption is a major change for everyone in the ecosystem.

    Manage associated risks to avoid the derailing of integration with your business processes and a negative impact on customer experience.

    Manage Risks.

    1. Privacy and security risks – Customer’s sensitive data may get centralized with the identity provider.
    2. Single point of failure while relying a specific IDs; it also increases the impact of identity theft and fraud risk.
    3. Centralization and control risks – Identity provider or identity service broker / orchestrator may control who can participate.
    4. Not universal, interoperability risks – if purpose-specific.
    5. Impact omni-channel experience - Not always available (legal / printable) for offline use.
    6. Exclusion and discrimination risks – Specific data requirements may exclude a group of people.
    7. Scope for misuse and misinterpretation if compromised and not reclaimed in timely manner.
    8. Adoption and usability risks – Subjects / relying parties may not see benefit due to lack of awareness or suspicion.
    9. Liability Agreement gaps between identity provider and identity consumer (relying party).

    Recommendations to help you realize the potential of digital identity into your value streams

    1

    Customer-centricity

    Digital identity initiative should prioritize customer experience when evaluating its fit in the value stream. Adopting it should not sacrifice end-user experience to gain a few brownie points.

    See Info-Tech’s Adopt Design Thinking in Your Organization blueprint, to ensure customer remains at the center of your Digital Adoption initiative.

    2

    Privacy and security

    Adopting digital identity reduces data risk by minimizing data transfer between providers and consumers. However, securing identity attributes in value streams still requires strengthening enterprise security systems and processes.

    See Info-Tech’s Assess and Govern Identity Security blueprint for the actions you may take to secure and govern digital identity.

    3

    Inclusion and awareness

    Adopting digital identity may alter customer interaction with an organization. To avoid excluding target customer segments, design digital identity accordingly. Educating and informing customers about the changes can facilitate faster adoption.

    See Info-Tech’s Social Media blueprint and IT Diversity & Inclusion Tactics to make inclusion and awareness part of digital adoption

    4

    Quantitative success metrics

    To measure the success of a digital ID adoption program, it's essential to use quantitative metrics that align with business KPIs. Some measurable KPIs may include:

    • Reduction in number of IDs business used to serve 90% of customers
    • Reduction in overall cost of operation
      • Reduction in cost of user authentication
    • Reduction in process cycle time (less time required to complete a task – e.g. KYC)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Attributes: An identity attribute is a statement or information about a specific aspect of entity’s identity ,substantiating they are who they claim to be, own, or have.

    Attribute (or Credential) provider: An attribute or credential provider could be an organization which issues the primary attribute or credential to a subject or entity. They are also responsible for identity-attribute binding, credential maintenance, suspension, recovery, and authentication.

    Attribute (or Credential) service provider: An attribute service provider could be an organization which originally vetted user’s credentials and certified a specific attribute of their identity. It could also be a software, such as digital wallet, which can store and share a user’s attribute with a third party once consented by the user. (Source: UK Govt. Trust Framework)

    Attribute binding: This is a process an attribute service providers uses to link the attributes they created to a person or an organization through an identifier. This process makes attributes useful and valuable for other entities using these attributes. For example, when a new employee joins a company, they are given a unique employee number (an identifier), which links the person with their job title and other aspects (attributes) of his job. (Source: UK Govt. Trust Framework)

    Authentication service provider: An organization which is responsible for creating and managing authenticators and their lifecycle (issuance, suspension, recovery, maintenance, revocation, and destruction of authenticators). (Source: DIACC)

    Authenticator: Information or biometric characteristics under the control of an individual that is a specific instance of something the subject has, knows, or does. E.g. private signing keys, user passwords, or biometrics like face, fingerprints. (Source: Canada PCTF)

    Authentication (identity verification): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

    Authorization: The process of validating if the authenticated entity has permission to access a resource (service or product).

    Biometrics attributes: Human attributes like retina (iris), fingerprint, heartbeat, facial, handprint, thumbprint, voice print.

    Centralized identity: Digital identities which are fully governed by a centralized government entity. It may have enrollment or registration agencies, private or public sector, to issue the identities, and the technical system may still be decentralized to keep data federated.

    Certificate Authority (CA or accredited assessors): An organization or an entity that conducts assessments to validate the framework compliance of identity or attribute providers (such as websites, email addresses, companies, or individual persons) serving other users, and binding them to cryptographic keys through the issuance of electronic documents known as digital certificates.

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Collective (non-resolvable) attributes: Nationality, domicile, citizenship, immigration status, age group, disability, income group, membership, (outstanding) credit limit, credit score range.

    Contextual identity: A type of identity which establishes an entity’s existence in a specific context – real or virtual. These can be issued by public or private identity providers and are governed by the organizational policies. E.g. employee ID, membership ID, social media ID, machine ID.

    Credentials: A physical or a digital representation of something that establishes an entity’s eligibility to do something for which it is seeking permission, or an association/affiliation with another, generally well-known entity. E.g. Passport, DL, password. In the context of Digital Identity, every identity needs to be attached with a credential to ensure that the subject of the identity can control how and by whom that identity can be used.

    Cryptographic hash function: A hash function is a one-directional mathematical operation performed on a message of any length to get a unique, deterministic, and fixed size numerical string (the hash) which can’t be reverse engineered to get the input data without deploying disproportionate resources. It is the foundation of modern security solutions in DLT / blockchain as they help in verifying the integrity and authenticity of the message.

    Decentralized identity (DID) or self-sovereign identity: This is a way to give back the control of identity to the subject whose identity it is, using an identity wallet in which they collect verified information about themselves from certified issuers (such as the government). By controlling what information is shared from the wallet to requesting third parties (e.g. when registering for a new online service), the user can better manage their privacy, such as only presenting proof that they’re over 18 without needing to reveal their date of birth. Source: (https://www.gsma.com/identity/decentralised-identity)

    Digital identity wallet: A type of digital wallet refers to a secure, trusted software applications (native mobile app, mobile web apps, or Rivas-hosted web applications) based on common standards, allowing a user to store and use their identity attributes, identifiers, and other credentials without loosing or sharing control of them. This is different than Digital Payment Wallets used for financial transactions. (Source: https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf)

    Digital identity: A digital identity is primarily an electronic form of identity representing an entity uniquely , while abstracting all other identity attributes of the entity. In addition to an electronic form, it may also exist in a physical form (identity certificate), linked through an identifier representing the same entity. E.g. Estonia eID , India Aadhar, digital citizenship ID.

    Digital object architecture: DOA is an open architecture for interoperability among various information systems, including ID wallets, identity providers, and consumers. It focuses on digital objects and comprises three core components: the identifier/resolution system, the repository system, and the registry system. There are also two protocols that connect these components. (Source: dona.net)

    Digital signature: A digital signature is an electronic, encrypted stamp of authentication on digital information such as email messages, macros, or electronic documents. A signature confirms that the information originated from the signer and has not been altered. (Source: Microsoft)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues..

    Entity (or Subject): In the context of identity, an entity is a person, group, object, or a machine whose claims need to be ascertained and identity needs to be established before his request for a service or products can be fulfilled. An entity can also be referred to as a subject whose identity needs to be ascertained before delivering a service.

    Expiry: This is another dimension of an identity and determines the validity of an ID. Most of the identities are longer term, but there can be a few like digital tokens and URLs which can be issued for a few hours or even minutes. There are some which can be revoked after a pre-condition is met.

    Federated identity: Federated identity is an agreement between two organizations about the definition and use of identity attributes and identifiers of a consumer entity requesting a service. If successful, it allows a consumer entity to get authenticated by one organization (identity provider) and then authorized by another organization. E.g. accessing a third-party website using Google credentials.

    Foundational identity: A type of identity which establishes an entity’s existence in the real world. These are generally issued by public sector / government agencies, governed by a legal farmwork within a jurisdiction, and are widely accepted at least in that jurisdiction. E.g. birth certificate, citizenship certificate.

    Governance: This is a dimension of identity that covers the governance model for a digital ID ecosystem. While traditionally it has been under the sovereign government or a federated structure, in recent times, it has been decentralized through DLT technologies or trust-framework based. It can also be self-sovereign, where individuals fully control their data and ID attributes.

    Identifier: A digital identifier is a string of characters that uniquely represents an entity’s identity in a specific context and scope even if one or more identity attributes of the subject change over time. E.g. driver’s license, SSN, SIN, email ID, digital token, user ID, device ID, cookie ID.

    Identity: An identity is an instrument used by an entity to provide the required information about itself to another entity in order to avail a service, access a resource, or exercise a privilege. An identity formed by 1-n identity attributes and a unique identifier.

    Identity and access management (IAM): IAM is a set of frameworks, technologies, and processes to enable the creation, maintenance, and use of digital identity, ensuring that the right people gain access to the right materials and records at the right time. (Source: https://iam.harvard.edu/)

    Identity consumer (Relying party): An organization, or an entity relying on identity provider to mitigate IT risks around knowing its customers before delivering the end-user value (product/service) without deteriorating end-user experience. E.g. Canada Revenue Agency using SecureKey service and relying on Banking institutions to authenticate users; Telecom service providers in India relying on Aadhaar identity system to authenticate the customer's identity.

    Identity form: A dimension of identity that defines its forms depending on the scope it wants to serve. It can be a physical card for offline uses, a virtual identifier like a number, or an app/account with multiple identity attributes. Cryptographic keys and tokens can also be forms of identity.

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Identity infrastructure provider: Organizations involved in creating and maintaining technological infrastructure required to manage the lifecycle of digital identities, attributes, and credentials. They implement functions like security, privacy, resiliency, and user experience as specified in the digital identity policy and trust framework.

    Identity proofing: A process of asserting the identification of a subject at a useful identity assurance level when the subject provides evidence to a credential service provider (CSP), reliably identifying themselves. (Source: NIST Special Publication 800-63A)

    Identity provider (Attestation authority): An organization or an entity validating the foundation or contextual claims of a subject and establishing identifier(s) for a subject. E.g. DMV (US) and MTA (Canada) issuing drivers’ licenses; Google / Facebook issuing authentication tokens for their users logging in on other websites.

    Identity validation: The process of confirming or denying the accuracy of identity information of a subject as established by an authorized party. It doesn’t ensure that the presenter is using their own identity.

    Identity verification (Authentication): The process of confirming or denying that the identity presented relates to the subject who is making the claim by comparing the credentials presented with the ones presented during identity proofing.

    Internationalized resource identifier (IRI): IRIs are equivalent to URIs except that IRIs also allow non-ascii characters in the address space, while URIs only allow us-ascii encoding. (Source: w3.org)

    Jurisdiction: A dimension of identity that covers the physical area or virtual space where an identity is legally acceptable for the purpose defined under law. It can be global, like it is for passport, or it can be local within a municipality for specific services. For unverified digital IDs, it can be the social network.

    Multi-factor Authentication (MFA): Multi-factor authentication is a layered approach to securing digital assets (data and applications), where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. These factors can be a combination of (i) something you know like a password/PIN; (ii) something you have like a token on mobile device; and (iii) something you are like a biometric. (Adapted from https://www.cisa.gov/publication/multi-factor-authentication-mfa)

    Oauth (Open authorization): OAuth is a standard authorization protocol and used for access delegation. It allows internet users to access websites by using credentials managed by a third-party authorization server / Identity Provider. It is designed for HTTP and allows access tokens to be issued by an authorization server to third-party websites. E.g. Google, Facebook, Twitter, LinkedIn use Oauth to delegate access.

    OpenID: OpenID is a Web Authentication Protocol and implements reliance authentication mechanism. It facilitates the functioning of federated identity by allowing a user to use an existing account (e.g. Google, Facebook, Yahoo) to sign into third-party websites without needing to create new credentials. (Source: https://openid.net/).

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Personally identifiable information (PII): PII is a set of attributes which can be used, through direct or indirect means, to infer the real-world identity of the individual whose information is input. E.g. National ID (SSN/SIN/Aadhar) DL, name, date of birth, age, address, age, identifier, university credentials, health condition, email, domain name, website URI (web resolvable) , phone number, credit card number, username/password, public key / private key. (Source: https://www.dol.gov)

    Predicates: The mathematical or logical operations such as equality or greater than on attributes (e.g. prove your salary is greater than x or your age is greater than y) to prove a claim without sharing the actual values.

    Purpose: This dimension of a digital id defines for what purpose digital id can be used. It can be one or many of these – authentication, authorization, activity linking, historical record keeping, social interactions, and machine connectivity for IoT use cases.

    Reliance authentication: Relying on a third-party authentication before providing a service. It is a method followed in a federated entity system.

    Risk-based authentication: A mechanism to protect against account compromise or identity theft. It correlates an authentication request with transitional facts like requester’s location, past frequency of login, etc. to reduce the risk of potential fraud.

    Scheme in trust framework: A specific set of rules (standard and custom) around the use of digital identities and attributes as agreed by one or more organizations. It is useful when those organizations have similar products, services, business processes. (Source: UK Govt. Trust Framework). E.g. Many credit unions agree on how they will use the identity in loan origination and servicing.

    Selective disclosure (Assertion): A way to present one’s identity by sharing only a limited amount information that is critical to make an authentication / authorization decision. E.g. when presenting your credentials, you could share something proving you are 18 years or above, but not share your name, exact age, address, etc.

    Trust: A dimension of an identity, which essentially is a belief in the reliability, truth, ability, or strength of that identity. While in the physical world all acceptable form of identities come with a verified trust, in online domain, it can be unverified. Also, where an identity is only acceptable as per the contract between two entities, but not widely.

    Trust framework: The trust framework is a set of rules that different organizations agree to follow to deliver one or more of their services. This includes legislation, standards, guidance, and the rules in this document. By following these rules, all services and organizations using the trust framework can describe digital identities and attributes they’ve created in a consistent way. This should make it easier for organizations and users to complete interactions and transactions or share information with other trust framework participants. (Source: UK Govt. Trust Framework)

    Taxonomy – Digital ID ecosystem

    (Alphabetical order)

    Continues...

    Uniform resource identifier (URI): A universal name in registered name spaces and addresses referring to registered protocols or name spaces.

    Uniform resource locator (URL): A type of URI which expresses an address which maps onto an access algorithm using network protocols. (Source: https://www.w3.org/)

    Uniform resource name (URN): A type of URI that includes a name within a given namespace but may not be accessible on the internet.

    Usability: A dimension of identity that defines how many times it can be used. While most of the identities are multi-use, a few digital identities are in token form and can be used only once to authenticate oneself.

    Usage mode: A dimension of identity that defines the service mode in which a digital ID can be used. While all digital IDs are made for online usage, many can also be used in offline interactions.

    Verifiable credentials: This W3C standard specification provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. (Source: https://www.w3.org/TR/vc-data-model/)

    X.509 Certificates: X.509 certificates are standard digital documents that represent an entity providing a service to another entity. They're issued by a certification authority (CA), subordinate CA, or registration authority. These certificates play an important role in ascertaining the validity of an identity provider and in turn the identities issued by it. (Source: https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates)

    Zero-knowledge proofs: A method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. (Source: 1989 SIAM Paper)

    Zero-trust security: A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It evaluates each access request as if it is a fraud attempt, and grants access only if it passes the authentication and authorization test. (Source: Adapted from NIST, SP 800-207: Zero Trust Architecture, 2020)

    Related Info-Tech Research

    Build a Zero Trust Roadmap
    Leverage an iterative and repeatable process to apply zero trust to your organization.

    Assess and Govern Identity Security
    Strong identity security and governance are the keys to the zero-trust future.

    Adopt Design Thinking in Your Organization
    Innovation needs design thinking to ensure customer remains at the center of everything the organization does.

    Social Media
    Leveraging Social Media to connect with your customers and educate them to drive the value proposition of your efforts.

    IT Diversity & Inclusion Tactics
    Equip your teams to create an inclusive environment and mobilize inclusion efforts across the organization.


    Research Contributors and Experts

    David Wallace

    David Wallace
    Executive Counselor

    Erik Avakian

    Erik Avakian
    Technical Counselor, Data Architecture and Governance

    Matthew Bourne

    Matthew Bourne
    Managing Partner, Public Sector Global Services

    Mike Tweedie

    Mike Tweedie
    Practice Lead, CIO Research Development

    Aaron Shum

    Aaron Shum
    Vice President, Security & Privacy

    Works Cited

    India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    Theis, S., Rusconi, G., Panggabean, E., Kelly, S. (2020). Delivering on the Potential of Digitized G2P: Driving Women’s Financial Inclusion and Empowerment through Indonesia’s Program Keluarga Harapan. Women’s World Banking.
    DIACC Canada (https://diacc.ca/the-diacc/)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    Australia Trusted Digital Identity Framework (https://www.digitalidentity.gov.au/tdif#changes)
    eIDAS (https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation)
    Europe Digital Wallet – POTENTIAL (https://www.digital-identity-wallet.eu/)
    Canada PCTF (https://diacc.ca/trust-framework/)
    Identification Revolution: Can Digital ID be harnessed for Development? (Gelb & Metz), 2018
    e-Estonia website (https://e-estonia.com/solutions/e-identity/id-card/)
    Aadhaar Dashboard (https://uidai.gov.in/)
    DIACC Website (https://diacc.ca/the-diacc/)
    Australia Digital ID website (https://www.digitalidentity.gov.au/tdif#changes)
    UK Policy paper - digital identity & attributes trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    Ukraine Govt. website (https://ukraine.ua/invest-trade/digitalization/)
    Singapore SingPass Website (https://www.tech.gov.sg/products-and-services/singpass/)
    Norway BankID Website (https://www.bankid.no/en/private/about-us/)
    Brazil National ID Card website (https://www.gov.br/casacivil/pt-br/assuntos/noticias/2022/julho/nova-carteira-de-identidade-nacional-modelo-unico-a-partir-de-agosto)
    Indonesia Coverage in Professional Security Magazine (https://www.professionalsecurity.co.uk/products/id-cards/indonesian-cards/)
    Philippine ID System (PhilSys) website (https://www.philsys.gov.ph/)
    China coverage on eGovReview (https://www.egovreview.com/article/news/559/china-announces-plans-national-digital-ids)
    Thales Group Website - DHS’s Automated Biometric Identification System IDENT (https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/customer-cases/ident-automated-biometric-identification-system)
    FranceConnect (https://franceconnect.gouv.fr/)
    Germany: Office for authorization cert. (https://www.personalausweisportal.de/Webs/PA/DE/startseite/startseite-node.html)
    Italian Digital Services Authority (https://www.spid.gov.it/en/)
    Monacco Mconnect (https://mconnect.gouv.mc/en)
    Estonia eID (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
    E-Residency Dashboard (https://www.e-resident.gov.ee/dashboard)
    Unique ID authority of India (https://uidai.gov.in/aadhaar_dashboard/india.php)
    State of Aadhaar (https://www.stateofaadhaar.in/)
    World Bank (https://documents1.worldbank.org/curated/en/219201522848336907/pdf/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
    WorldBank - ID4D 2022 Annual Report (https://documents.worldbank.org/en/publication/documents-reports/documentdetail/099437402012317995/idu00fd54093061a70475b0a3b50dd7e6cdfe147)
    Ukraine Govt. Website for Invest and trade (https://ukraine.ua/invest-trade/digitalization/)
    Diia Case study prepared for the office of Canadian senator colin deacon (https://static1.squarespace.com/static/63851cbda1515c69b8a9a2b9/t/6398f63a9d78ae73d2fd5725/1670968891441/2022-case-study-report-diia-mobile-application.pdf)
    Canadian Digital Identity Research (https://diacc.ca/wp-content/uploads/2022/04/DIACC-2021-Research-Report-ENG.pdf)
    Voilà Verified Trustmark (https://diacc.ca/voila-verified/)
    Digital Identity, 06A Federation Onboarding Guidance paper, March 2022 (https://www.digitalidentity.gov.au/sites/default/files/2022-04/TDIF%2006A%20Federation%20Onboarding%20Guidance%20-%20Release%204.6%20%28Doc%20Version%201.2%29.pdf)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    A United Nations Estimate of KYC/AML (https://www.imf.org/Publications/fandd/issues/2018/12/imf-anti-money-laundering-and-economic-stability-straight)
    India Aadhaar PMJDY (https://pmjdy.gov.in/account)
    Global News (https://globalnews.ca/news/9437913/homeowner-impersonators-lined-32-fraud-cases-ontario-bc/)
    UK Finance Lobby Group (https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf) McKinsey Digital ID report ( https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/digital-identification-a-key-to-inclusive-growth) International Peace Institute ( https://www.ipinst.org/2016/05/information-technology-and-governance-estonia#7)
    E-Estonia Report (https://e-estonia.com/wp-content/uploads/e-estonia-211022_eng.pdf)
    2022 Budget Statement (https://diacc.ca/2022/04/07/2022-budget-statement/)
    World Bank ID4D - Private Sector Economic Impacts from Identification Systems 2018 (https://documents1.worldbank.org/curated/en/219201522848336907/Private-Sector-Economic-Impacts-from-Identification-Systems.pdf)
    DIACC Canada (https://diacc.ca/the-diacc/)
    UK digital identity & attributes trust framework alpha v2 (0.2) - GOV.UK (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    https://www.gsma.com/identity/decentralised-identity
    https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
    Microsoft Digital signatures and certificates (https://support.microsoft.com/en-us/office/digital-signatures-and-certificates-8186cd15-e7ac-4a16-8597-22bd163e8e96)
    https://www.worldbank.org/content/dam/photos/1440x300/2022/feb/eID_WB_presentation_BS.pdf
    https://www.dona.net/digitalobjectarchitecture
    IAM (https://iam.harvard.edu/)
    NIST Special Publication 800-63A (https://pages.nist.gov/800-63-3/sp800-63a.html)
    https://www.cisa.gov/publication/multi-factor-authentication-mfa
    https://openid.net/
    U.S. DEPARTMENT OF LABOR (https://www.dol.gov/)
    UK govt. trust framework (https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/uk-digital-identity-and-attributes-trust-framework-alpha-version-2)
    https://www.w3.org/
    Verifiable Credentials Data Model v1.1 (https://www.w3.org/TR/vc-data-model/)
    https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates

    Build Resilience Against Ransomware Attacks

    • Buy Link or Shortcode: {j2store}317|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $68,467 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.

    Our Advice

    Critical Insight

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Impact and Result

    • Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Build Resilience Against Ransomware Attacks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Resilience Against Ransomware Attacks

    Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.

    • Build Resilience Against Ransomware Attacks – Phases 1-4

    2. Ransomware Resilience Assessment – Complete the ransomware resilience assessment and establish metrics.

    Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.

    • Ransomware Resilience Assessment

    3. Threat Preparedness Workbook – Improve protection and detection capabilities.

    Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and device appropriate countermeasures.

    • Enterprise Threat Preparedness Workbook

    4. Tabletop Planning Exercise and Example Results – Improve response and recovery capabilities with a tabletop exercise for your internal IT team.

    Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.

    • Tabletop Exercise – Internal (Ransomware Template)
    • Ransomware Tabletop Planning Results – Example (Visio)
    • Ransomware Tabletop Planning Results – Example (PDF)

    5. Ransomware Response Runbook and Workflow – Document ransomware response steps and key stakeholders.

    Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.

    • Ransomware Response Runbook Template
    • Ransomware Response Workflow Template (Visio)
    • Ransomware Response Workflow Template (PDF)

    6. Extended Tabletop Exercise and Leadership Guide – Run a tabletop test to plan and practice the response of your leadership team.

    Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.

    • Tabletop Exercise – Extended (Ransomware Template)
    • Leadership Guide for Extended Ransomware

    7. Ransomware Resilience Summary Presentation – Summarize status and next steps in an executive presentation.

    Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.

    • Ransomware Resilience Summary Presentation

    Infographic

    Workshop: Build Resilience Against Ransomware Attacks

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Ransomware Resilience

    The Purpose

    Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.

    Key Benefits Achieved

    Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.

    Complete a current state assessment of key security controls in a ransomware context.

    Activities

    1.1 Review incidents, challenges, and project drivers.

    1.2 Diagram critical systems and dependencies and build risk scenario.

    1.3 Assess ransomware resilience.

    Outputs

    Workshop goals

    Ransomware Risk Scenario

    Ransomware Resilience Assessment

    2 Protect and Detect

    The Purpose

    Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.

    Key Benefits Achieved

    Identify targeted countermeasures that improve protection and detection capabilities.

    Activities

    2.1 Assess ransomware threat preparedness.

    2.2 Determine the impact of ransomware techniques on your environment.

    2.3 Identify countermeasures to improve protection and detection capabilities.

    Outputs

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    3 Respond and Recover

    The Purpose

    · Improve your organization’s capacity to respond to ransomware attacks and recover effectively.

    Key Benefits Achieved

    Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.

    Activities

    3.1 Review the workflow and runbook templates.

    3.2 Update/define your threat escalation protocol.

    3.3 Define scenarios for a range of incidents.

    3.4 Run a tabletop planning exercise (IT).

    3.5 Update your ransomware response runbook.

    Outputs

    Security Incident Response Plan Assessment.

    Tabletop Planning Session (IT)

    Ransomware Workflow and Runbook.

    4 Improve Ransomware Resilience.

    The Purpose

    Identify prioritized initiatives to improve ransomware resilience.

    Key Benefits Achieved

    Identify the role of leadership in ransomware response and recovery.

    Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.

    Activities

    4.1 Run a tabletop planning exercise (Leadership).

    4.2 Identify initiatives to close gaps and improve resilience.

    4.3 Review broader strategies to improve your overall security program.

    4.4 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.5 Review the dashboard to fine tune your roadmap.

    4.6 Summarize status and next steps in an executive presentation.

    Outputs

    Tabletop Planning Session (Leadership)

    Ransomware Resilience Roadmap and Metrics

    Ransomware Workflow and Runbook

    Further reading

    Build Ransomware Resilience

    Prevent ransomware incursions and defend against ransomware attacks

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Ransomware is a high-profile threat that demands immediate attention:

    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
    • Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

    Common Obstacles

    Ransomware is more complex than other security threats:

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Info-Tech's Approach

    To prevent a ransomware attack:

    • Conduct a through assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Info-Tech Insight

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recovery quickly.

    Analyst Perspective

    Ransomware is an opportunity and a challenge.

    As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.

    The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

    Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

    This is an image of Michael Hébert

    Michel Hébert
    Research Director, Security and Privacy
    Info-Tech Research Group

    Ransomware attacks are on the rise and evolving quickly.

    Three factors contribute to the threat:

    • The rise of ransomware-as-a-service, which facilitates attacks.
    • The rise of crypto-currency, which facilitates anonymous payment.
    • State sponsorship of cybercrime.

    Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

    A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

    Total ransom money collected (2015 – 2021): USD 2,592,889,121

    This image contains a bubble plot graph showing the total ransom money collected between the years 2015 - 2021.

    The frequency and impact of ransomware attacks are increasing

    Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

    Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

    The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

    66%
    Hit by ransomware in 2021
    (up from 37% in 2020)

    90%
    Ransomware attack affected their ability to operate

    $812,360 USD
    Average ransom payment

    $4.54M
    Average remediation cost (not including ransom)

    ONE MONTH
    Average recovery time

    Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

    Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they anticipated an attack.

    While these elements can help recover from an attack, they don't prevent it in the first place.

    Source: Sophos, State of Ransomware (2022)
    IBM, Cost of A Data Breach (2022)

    The 3-step ransomware attack playbook

    • Get in
    • Spread
    • Profit

    At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

    Resilient organizations look for opportunities to:

    • Learn from incursions
    • Disrupt the playbook
    • Measure effectiveness

    Initial access

    Execution

    Privilege Escalation

    Credential Access

    Lateral Movement

    Collection

    Data Exfiltration

    Data encryption

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network and collect data.

    Infect as many critical systems and backups as possible to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Ransomware is more complex than other security threats

    Ransomware groups thrive through extortion tactics.

    • Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
    • As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying back ups.
    • Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

    Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

    Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

    • Detection and Response – Activities that enable detection, containment, eradication and recovery.
    • Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
    • Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
    • Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

    Source: IBM, Cost of a Data Breach (2022)

    Disrupt the attack each stage of the attack workflow.

    An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

    Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

    Shortening dwell time requires better protection and detection

    Ransomware dwell times and average encryption rates are improving dramatically.

    Hackers spend less time in your network before they attack, and their attacks are much more effective.

    Avg dwell time
    3-5 Days

    Avg encryption rate
    70 GB/h

    Avg detection time
    11 Days

    What is dwell time and why does it matter?

    Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

    Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

    Dwell times are dropping, and encryption rates are increasing.

    It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

    References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.

    Resilience depends in part on response and recovery capabilities

    This blueprint will focus on improving your ransomware resilience to:

    • Protect against ransomware.
    • Detect incursions.
    • Respond and recovery effectively.

    Response

    Recovery

    This image depicts the pathway for response and recovery from a ransomware event.

    For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    This image contains the thought map for Info-Tech's Blueprint: Build Resilience Against Ransomware Attacks.

    Info-Tech's ransomware resilience methodology

    Assess resilience Protect and detect Respond and recover Improve resilience
    Phase steps
    1. Build ransomware risk scenario
    2. Conduct resilience assessment
    1. Assess attack vectors
    2. Identify countermeasures
    1. Review Security Incident Management Plan
    2. Run Tabletop Test (IT)
    3. Document Workflow and Runbook
    1. Run Tabletop Test (Leadership)
    2. Prioritize Resilience Initiatives
    Phase outcomes
    • Ransomware Resilience Assessment
    • Risk Scenario
    • Targeted ransomware countermeasures to improve protection and detection capabilities
    • Security Incident Response Plan Assessment
    • Tabletop Test (IT)
    • Ransomware Workflow and Runbook
    • Tabletop Test (Leadership)
    • Ransomware Resilience Roadmap & Metrics

    Insight Summary

    Shift to a ransomware resilience model

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

    Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly

    Visualize challenges

    Build risk scenarios that describe how a ransomware attack would impact organizational goals.

    Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

    Prioritize protection

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    Seize the moment

    The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

    Measure ransomware resilience

    The anatomy of ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

    Key deliverable

    Ransomware resilience roadmap

    The resilience roadmap captures the key insights your work will generate, including:

    • An assessment of your current state and a list of initiatives you need to improve your ransomware resilience.
    • The lessons learned from building and testing the ransomware response workflow and runbook.
    • The controls you need to implement to measure and improve your ransomware resilience over time.

    Project deliverables

    Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

    Ransomware Resilience Assessment

    Measure ransomware resilience, identify gaps, and draft initiatives.

    Enterprise Threat Preparedness Workbook

    Analyze common ransomware techniques and develop countermeasures.

    Ransomware Response Workflow & Runbook

    Capture key process steps for ransomware response and recovery.

    Ransomware Tabletop Tests

    Run tabletops for your IT team and your leadership team to gather lessons learned.

    Ransomware Resilience Roadmap

    Capture project insights and measure resilience over time.

    Plan now or pay later

    Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.

    Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.

    After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

    Source: IBM, Cost of a Data Breach (2022)

    See what members have to say about the ransomware resilience blueprint:

    • Overall Impact: 9.8 / 10
    • Average $ Saved: $98,796
    • Average Days Saved: 17

    "Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."

    CIO, Global Manufacturing Organization

    Blueprint benefits

    IT benefits

    Business benefits

    • Provide a structured approach for your organization to identify gaps, quantify the risk, and communicate status to drive executive buy-in.
    • Create a practical ransomware incident response plan that combines a high-level workflow with a detailed runbook to coordinate response and recovery.
    • Present an executive-friendly project roadmap with resilience metrics that summarizes your plan to address gaps and improve your security posture.
    • Enable leadership to make risk-based, informed decisions on resourcing and investments to improve ransomware readiness.
    • Quantify the potential impact of a ransomware attack on your organization to drive risk awareness.
    • Identify existing gaps so they can be addressed, whether by policy, response plans, technology, or a combination of these.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Executive brief case study

    SOURCE: Interview with CIO of large enterprise

    Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.

    Challenge

    In February 2020, a large organization found a ransomware note on an admin's workstation. They had downloaded a local copy of the organization's identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

    Complication

    Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

    The organization decided not to pay the ransom because it had a copy on an unaffected server.

    Resolution

    The organization was praised for its timely and transparent response.

    The breach motivated the organization to put more protections in place, including:

    • The implementation of a deny-by-default network.
    • The elimination of remote desktop protocol and secure shell.
    • IT mandating MFA.
    • New endpoint-detection and response systems.

    Executive brief case study

    SOURCE: Info-Tech Workshop Results
    iNDUSTRY: Government

    Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning

    The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they still had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they had didn't have a documented ransomware incident response plan.

    Workshop results

    Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identify key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve the organizational awareness ransomware risks and improve buy-in for investment in the security program.

    Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identifies ways to improve the backup strategy and bridge further gaps in their ability to recover.

    The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.

    Guided implementation

    What kind of analyst experiences do clients have when working through this blueprint?

    Scoping Call Phase 1 Phase 2 Phase 3 Phase 4

    Call #1:

    Discuss context, identify challenges, and scope project requirements.

    Identify ransomware resilience metrics.

    Call #2:

    Build ransomware risk scenario.

    Call #4:

    Review common ransomware attack vectors.

    Identify and assess mitigation controls.

    Call #5:

    Document ransomware workflow and runbook.

    Call #7:

    Run tabletop test with leadership.

    Call #3:

    Assess ransomware resilience.

    Call #6:

    Run tabletop test with IT.

    Call #8:

    Build ransomware roadmap.

    Measure ransomware resilience metrics.

    A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 4 to 6 months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities

    Assess ransomware resilience

    Protect and detect

    Respond and recover

    Improve ransomware resilience

    Wrap-up (offsite and offline)

    1.1 1 Review incidents, challenges, and project drivers.

    1.1.2 Diagram critical systems and dependencies.

    1.1.3 Build ransomware risk scenario.

    2.1 1. Assess ransomware threat preparedness.

    2.2 2. Determine the impact of ransomware techniques on your environment.

    2.3 3. Identify countermeasures to improve protection and detection capabilities.

    3.1.1 Review the workflow and runbook templates.

    3.1.2 Update/define your threat escalation protocol.

    3.2.1 Define scenarios for a range of incidents.

    3.2.2 Run a tabletop planning exercise (IT).

    3.3.1 Update your ransomware response workflow.

    4.1.1 Run a tabletop planning exercise (leadership).

    4.1.2 Identify initiatives to close gaps and improve resilience.

    4.1.3 Review broader strategies to improve your overall security program.

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.2.2 Review the dashboard to fine tune your roadmap.

    4.3.1 Summarize status and next steps in an executive presentation.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    5.3 Revisit ransomware resilience metrics in three months.

    Deliverables
    1. Workshop goals
    2. Ransomware Risk Scenario
    3. Ransomware Resilience Assessment
    1. Targeted ransomware countermeasures to improve protection and detection capabilities.
    1. Security Incident Response Plan Assessment
    2. Tabletop Planning Session (IT)
    3. Ransomware Workflow and Runbook
    1. Tabletop Planning Session (Leadership)
    2. Ransomware Resilience Roadmap and Metrics
    3. Ransomware Summary Presentation
    1. Completed Ransomware Resilience Roadmap
    2. Ransomware Resilience Assessment
    3. Ransomware Resilience Summary Presentation

    Phase 1

    Assess ransomware resilience

    Phase 1 Phase 2 Phase 3 Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Conducting a maturity assessment.
    • Reviewing selected systems and dependencies.
    • Assessing a ransomware risk scenario.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 1.1

    Build ransomware risk scenario

    Activities

    1.1.1 Review incidents, challenges and project drivers

    1.1.2 Diagram critical systems and dependencies

    1.1.3 Build ransomware risk scenario

    Assess ransomware resilience

    This step will guide you through the following activities:

    • Reviewing incidents, challenges, and drivers.
    • Diagraming critical systems and dependencies.
    • Building a ransomware risk scenario.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-Matter Experts

    Outcomes of this step

    • Establish a repeatable process to evaluate and improve ransomware readiness across your environment.
    • Build a ransomware risk scenario to assess the likelihood and impact of an attack.

    1.1.1 Review incidents, challenges, and project drivers

    1 hour

    Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.

    Past incidents and other drivers

    • Past incidents (be specific):
      • Past security incidents (ransomware and other)
      • Close calls (e.g. partial breach detected before damage done)
    • Audit findings
    • Events in the news
    • Other?

    Security challenges

    • Absent or weak policies
    • Lack of security awareness
    • Budget limitations
    • Other?

    Input

    • Understanding of existing security capability and past incidents.

    Output

    • Documentation of past incidents and challenges.
    • Level-setting across the team regarding challenges and drivers.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.2 Diagram critical systems and dependencies (1)

    1 hour

    Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.

    Focus on a few key critical systems.

    1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
      1. Key applications that support critical business operations.
      2. Databases that support multiple key applications.
      3. Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
    2. Select five to ten systems from the list.
      1. Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
      2. Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    1.1.2 Diagram critical systems and dependencies (2)

    1 hour

    1. A high-level topology or architectural diagram is an effective way to identify dependencies and communicate risks to stakeholders.

    Start with a WAN diagram, then your production data center, and then each critical
    system. Use the next three slides as your guide.

    Notes:

    • If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
    • Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
    • Collaborate with relevant SMEs to identify dependencies.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    For your WAN diagram, focus on data center and business locations

    Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

    This image contains a nexample of a High level Network Diagram.

    Diagram your production data center to provide context for the systems in scope

    Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

    This image contains a nexample of a high level diagram which focuses on the data centers relevent to the selected system.

    Diagram each selected system to identify specific dependencies and redundancies

    Diagram the "ecosystem" for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

    When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

    • Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
    • Security challenges (e.g. public-facing systems).
    • Recovery challenges (e.g. limited or infrequent backups).
    This is an example of a diagram of a system ecosystem.

    Note the limitations of your security, backup, and DR solutions

    Use the diagrams to assess limitations. Gaps you identify here will often apply to other aspects of your environment.

    1. Security limitations
    • Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?
  • Backup limitations
    • What steps are taken to ensure the integrity of your backups (e.g. through inline or post-backup scanning, or the use of immutable backups)? Are there multiple restore points to provide more granularity when determining how far back you need to go for a clean backup?
  • Disaster recovery limitations
    • Does your DR solution account for ransomware attacks or is it designed only for one-way failover (i.e. for a smoking hole scenario)?
  • We will review the gaps we identify through the project in phase 4.

    For now, make a note of these gaps and continue with the next step.

    Draft risk scenarios to illustrate ransomware risk

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Risk identification → Risk scenario → Risk statement

    Well-crafted risk scenarios have four components

    The slides walk through how to build a ransomware risk scenario

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.

    Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.

    1.1.3 Build ransomware risk scenario (1)

    2 hours

    In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.

    The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.

    As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.

    Consider the impact on:

    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty.

    Input

    • Understanding of critical systems and dependencies.

    Output

    • Ransomware risk scenario to engage guide stakeholders to make informed decisions about addressing risks.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.3 Build ransomware risk scenario (2)

    2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.
    2. Bring together the critical risk elements into a single risk scenario.
    3. Distill the risk scenario into a single risk statement that captures the threat, the asset it will exploit, the method it will use, and the impact it will have on the organization.
    4. You can find a sample risk scenario and risk statement on the next slide.

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    Inputs for risk scenario identification

    Risk analysis

    Critical assets

    ERP, CRM, FMS, LMS

    Operational technology

    Sensitive or regulated data

    Threat agents

    Cybercriminals

    Methods

    Compromise end user devices through social engineering attacks,. Compromise networks through external exposures and software vulnerabilities.

    Identify and crack administrative account. Escalate privileges. Move laterally.

    Collect data, destroy backups, exfiltrate data for leverage, encrypt systems,.

    Threaten to publish exfiltrated data and demand ransom.

    Adverse effect

    Serious business disruption

    Financial damage

    Reputational damage

    Potential litigation

    Average downtime: 30 Days

    Average clean-up costs: USD 1.4M

    Sample ransomware risk scenario

    Likelihood: Medium
    Impact: High

    Risk scenario

    Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.

    They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.

    Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.

    Risk statement

    Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.

    Threat Actor:

    • Cybercriminals

    Assets:

    • Critical systems (ERP, FMS, CRM, LMS)
    • HRIS and payroll
    • Data warehouse
    • Office 365 ecosystem (email, Teams)

    Effect:

    • Loss of system availability
    • Lost of data confidentiality

    Methods:

    • Phishing
    • Credential compromise
    • Compromised remote desktop protocol
    • Privilege escalation
    • Lateral movement
    • Data collection
    • Data exfiltration
    • Data encryption

    Step 1.2

    Conduct resilience assessment

    Activities

    1.2.1 Complete resilience assessment

    1.2.2 Establish resilience metrics

    This step will guide you through the following activities :

    • Completing a ransomware resilience assessment
    • Establishing baseline metrics to measure ransomware resilience.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-matter experts

    .Outcomes of this step

    • Current maturity, targets, and initial gap analysis

    Maturity levels in this blueprint draw on the CMMI framework

    The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.

    CMMI Maturity Level – Default Descriptions:

    CMMI Maturity Level – Modified for This Assessment:

    • Level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
    • Level 2 – Managed: Managed on the project level. Projects are planned, performed, measured, and controlled.
    • Level 3 – Defined: Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
    • Level 4 – Quantitatively managed: Measured and controlled. Organization is data-driven, with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
    • Level 5 – Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization's stability provides a platform for agility and innovation.
    • Level 1 – Initial/ad hoc: Not well defined and ad hoc in nature.
    • Level 2 – Developing: Established but inconsistent and incomplete.
    • Level 3 – Defined: Formally established, documented, and repeatable.
    • Level 4 – Managed and measurable: Managed using qualitative and quantitative data to ensure alignment with business requirements.
    • Level 5 – Optimizing: Qualitative and quantitative data is used to continually improve.

    (Source: CMMI Institute, CMMI Levels of Capability and Performance)

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    1.2.1 Complete the resilience assessment

    2-3 hours

    Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.

    Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.

    Download the Ransomware Resilience Assessment

    Outcomes:

    • Capture baseline resilience metrics to measure progress over time.
      • Low scores are common. Use them to make the case for security investment.
      • Clarify the breadth of security controls.
      • Security controls intersect with a number of key processes and technologies, each of which are critical to ransomware resilience.
    • Key gaps identified.
      • Allocate more time to subsections with lower scores.
      • Repeat the scorecard at least annually to clarify remaining areas to address.

    Input

    • Understanding of current security controls

    Output

    • Current maturity, targets, and gaps

    Materials

    • Ransomware Resilience Assessment Tool

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Ransomeware Resilience Assessment Table from Info-Tech's Ransomware Resilience Assessment Blueprint.

    1.2.2 Establish resilience metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Measure metrics at the start of the project to establish a baseline, as the project nears completion to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Phase 2

    Improve protection and detection capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Assessing common ransomware attack vectors.
    • Identifying countermeasures to improve protection and detection capabilities.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 2.1

    Assess attack vectors

    Activities

    2.1.1 Assess ransomware threat preparedness

    2.1.2 Determine the impact of ransomware techniques on your environment

    This step involves the following activities:

    • Assessing ransomware threat preparedness.
    • Configuring the threat preparedness tool.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Assess risks associated with common ransomware attack vectors.

    Improve protection and detection capabilities

    Use the MITRE attack framework to prepare

    This phase draws on MITRE to improve ransomware protection and detection capabilities

    • The activities in this phase provide guidance on how to use the MITRE attack framework to protect your organizations against common ransomware techniques and tactics, and detect incursions.
    • You will:
      • Review common ransomware tactics and techniques.
      • Assess their impact on your environment.
      • Identify relevant countermeasures.
    • The Enterprise Threat Preparedness Workbook included with the project blueprint will be set up to deal with common ransomware threats and tactics.

    Download the Enterprise Threat Preparedness Workbook

    Review ransomware tactics and techniques

    Ransomware attack workflow

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network. Collect data.

    Infect critical systems and backups to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Associated MITRE tactics and techniques

    • Initial access
    • Execution
    • Privilege escalation
    • Credential access
    • Lateral movement
    • Collection
    • Data Exfiltration
    • Data encryption

    Most common ransomware attack vectors

    • Phishing and social engineering
    • Exploitation of software vulnerabilities
    • Unsecured external exposures
      • e.g. remote desktop protocols
    • Malware infections
      • Email attachments
      • Web pages
      • Pop-ups
      • Removable media

    2.1.1 Assess ransomware threat preparedness

    Estimated Time: 1-4 hours

    1. Read through the instructions in the Enterprise Threat Preparedness Workbook.
    2. Select ransomware attack tactics to analyze. Use the workbook to understand:
      1. Risks associated with each attack vector.
      2. Existing controls that can help you protect the organization and detect an incursion.
    3. This initial analysis is meant to help you understand your risk before you apply additional controls.

    Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    2.1.2 Determine the impact of techniques

    Estimated Time: 1-4 hours

    1. The Enterprise Threat Preparedness Workbook included with the project blueprint is set up to deal with common ransomware use cases.

    If you would like to change the set-up, go through the following steps.

    • Review the enterprise matrix. Select the right level of granularity for your analysis. If you are new to threat preparedness exercises, the Technique Level is a good starting point.
    • As you move through each tactic, align each sheet to your chosen technique domain to ensure the granularity of your analysis is consistent.
    • Read the tactics sheet from left to right. Determine the impact of the technique on your environment. For each control, indicate current mitigation levels using the dropdown list.

    The following slides walk you through the process with screenshots from the workbook.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Select the domain for the analysis

    • The Tactics Dashboard is a live feed of your overall preparedness for the potential attack vectors that your organization may face. These 14 tactics correspond to the Enterprise Matrix used by the MITRE ATT&CK® framework.
    • The technique domain on the right side of the sheet is split in two main groups:
    • The Technique Level
      • - High-level techniques that an attacker may use to gain entry to your network.
      • - The Technique Level is a great starting point if you are new to threat preparedness.
    • The Sub-Technique Level
      • - Individual sub-techniques found throughout the MITRE ATT&CK® Framework.
      • - More mature organizations will find the Sub-Technique Level generates a deeper and more precise understanding of their current preparedness.

    Info-Tech Insight

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    This is the first screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    Keep an eye on the enterprise matrix

    As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.

    Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.

    The Technique level is faster but provides less specifics for each control and analyzes them as a group.

    The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.

    Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).

    This is the second screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.

    Configure the tactics tabs

    • Each tactic has a corresponding tab at the bottom of the Excel workbook.
      Adjusting the Technique Domain level will change the number of controls shown.
    • Next, align the sheet to the domain you selected on Tab 2 before you continue. As shown in the example to the right,
      • Select "1" for Technique Level.
      • Select "2" for Sub-Technique Level.
    • This will collapse the controls to your chosen level of granularity.

    This is a screenshot showing how you can configure the tactics tab of the Ransomware Threat Preparedness Workbook

    Read tactic sheets from left to right

    This is a screenshot of the tactics tab of the Ransomware Threat Preparedness Workbook

    Technique:

    How an attacker will attempt to achieve their goals through a specific action.

    ID:

    The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.

    Impact of the Technique(s):

    If an attack of this type is successful on your network, how deep does the damage run?

    Current Mitigations:

    What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.

    Determine the impact of the technique

    • For each control, indicate the current mitigation level using the dropdown list.
    • Only use "N/A" if you are confident that the control is not required in your organization.

    Info-Tech Insight

    We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.

    This is the second screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Review technique preparedness

    • If you have chosen the Technique level, the tool should resemble this image:
      • High-level controls are analyzed, and sub-controls hidden.
      • The sub-techniques under the broader technique show how a successful attack from this vector would impact your network.
    • Each sub-technique has a note for additional context:
      • Under Impact, select the overall impact for the listed controls to represent how damaging you believe the controls to be.
      • Next select your current preparedness maturity in terms of preparedness for the same techniques. Ask yourself "What do I have that contributes to blocking this technique?"

    This is the third screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Info-Tech Insight

    You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.

    Review sub-technique preparedness

    If you have chosen the Sub-Technique level, the tool should resemble this image.

    • The granular controls are being analyzed. However, the grouped controls will still appear. It is important to not fill the grouped sections, to make sure the calculations run properly.
    • The average of your sub-techniques will be calculated to show your overall preparedness level.
    • Look at the sub-techniques under the broader technique and consider how a successful attack from this vector would impact your network.

    Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.

    • Because of the enhanced granularity, the final risk score is more representative of an enterprise's current mitigation capabilities.
    This is the fourth screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Step 2.2

    Identify countermeasures

    Activities

    2.2.1 Identify countermeasures

    This step involves the following activities:

    • Identifying countermeasures

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.

    Improve Protection and Detection Capabilities

    Review technique countermeasures

    As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.

    For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.

    Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.

    This is an image of the Privilege Escalation Tactic Analysis Table

    This is an image of the Defense Evasion Tactic Analysis Table

    Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.

    2.2.1 Identify countermeasures

    Estimated Time: 1-4 hours

    1. Review the output of the Enterprise Threat Preparedness Workbook. Remediation efforts are on the right side of the sheet. These are categorized as either detection actions or mitigation actions.
      1. Detection actions:
      • What can you do before an attack occurs, and how can you block attacks? Detection actions may thwart an attack before it ever occurs.
    2. Mitigation actions:
      • If an attacker is successful through one of the attack methods, how do you lessen the impact of the technique? Mitigation actions address this function to slow and hinder the potential spread or damage of a successful attack.
  • Detection and mitigation measures are associated with each technique and sub-technique. Not all techniques will be able to be detected properly or mitigated. However, understanding their relationships can better prepare your defensive protocols.
  • Add relevant control actions to the initiative list in the Ransomware Resilience Assessment.
  • Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.
    • Outputs from the Threat Preparedness Workbook.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook
    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Phase 3

    Improve response and recovery capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Documenting your threat escalation protocol.
    • Identify response steps and gaps.
    • Update your response workflow and runbook.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 3.1

    Review security incident management plan

    Activities

    3.1.1 Review the workflow and runbook templates

    3.1.2 Update/define your threat escalation protocol

    This step will walk you through the following activities:

    • Reviewing the example Workflow and Runbook
    • Updating and defining your threat escalation protocol.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Clear escalation path for critical incidents.
    • Common understanding of incident severity that will drive escalation.

    Improve response and recovery capabilities

    3.1.1 Review the workflow and runbook templates

    30 minutes

    This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as a starting points for the steps in Phase 3, including documenting your threat escalation protocol.

    • The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
      The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.
    • The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
      The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

    Download the Ransomware Response Workflow Template

    Download the Ransomware Response Runbook Template

    Input

    • No Input Required

    Output

    • Visualize the end goal

    Materials

    • Example workflow and runbook in this blueprint

    Participants

    • Security Incident Response Team (SIRT)

    Two overlapping screenshots are depicted, including the table of contents from the Ransomware Response Runbook.

    3.1.2 Update/define your threat escalation protocol

    1-2 hours

    Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

    Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.

    Severity assessment: Define the severity levels based on impact and scope criteria.

    Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

    If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.

    Input

    • Current escalation process (formal or informal).

    Output

    • Define criteria for severity levels and relevant stakeholders.

    Materials

    • Ransomware Response Workflow Template

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Threat Escalation Protocol Criteria and Stakeholders.

    Step 3.2

    Run Tabletop Test (IT)

    Activities

    3.2.1 Define scenarios for a range of incidents

    3.2.2 Run a tabletop planning exercise

    This step will guide you through the following activities:

    • Defining scenarios for a range of incidents.
    • Running a tabletop planning exercise.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Other stakeholders (as relevant)

    Outcomes of this step

    • Current-state incident response workflow, including stakeholders, steps, timeline.
    • Process and technology gaps to be addressed.

    Improve response and recovery capabilities

    3.2.1 Define scenarios for a range of incidents

    30 minutes

    As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

    • Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
    • Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don't have a DRP, see Info-Tech's Create a Right-Sized Disaster Recovery Plan.)
    • Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
    • Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source or secondary attack, but this scenario would provide more focus on the containing an attack on end-user devices.

    Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.

    Input

    • No input required

    Output

    • Determine the scope of your tabletop planning exercises

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Optimize the time spent by participants by running a series of focused exercises

    Not all stakeholders need to be present at every tabletop planning exercise. First, run an exercise with IT that focuses on the technical response. Run a second tabletop for non-IT stakeholders that focuses on the non-IT response, such as crisis communications, working with external stakeholders (e.g. law enforcement, cyberinsurance).

    Sample schedule:

    • Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don't expand further on the details of their process. Similarly, don't invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise, where they will have more opportunity to be involved.
    • Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).
    • Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.
    • Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

    Info-Tech Insight

    Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

    3.2.2 Run a tabletop planning exercise

    1-2 hours

    Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

    1. Select your scenario and invite relevant participants (see the previous slides).
    2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk's steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that's okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
    3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there's a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don't need to wait for information to be captured and plan to save the detailed formatting and revising for later. )

    Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

    Download the Ransomware Tabletop Planning Results – Example

    Input

    • Baseline ransomware response workflow

    Output

    • Clarify your response workflow, capabilities, and gaps

    Materials

    • Whiteboard or sticky notes or index cards, or a shared screen

    Participants

    • Security Incident Response Team (SIRT)

    This is an example of a Ransomware Response Tabletop Planning Results Page.

    Step 3.3

    Document Workflow and Runbook

    Activities

    3.3.1 Update your ransomware response workflow

    3.3.2 Update your ransomware response runbook

    This step will guide you through the following activities:

    • Updating your ransomware response workflow.
    • Updating your ransomware response runbook.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An updated incident response workflow and runbook based on current capabilities.

    Improve response and recovery capabilities

    3.3.1 Update your ransomware response workflow

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

    • Update stakeholder swim-lanes: Clarify which stakeholders need a swim lane (e.g. where interactions between groups needs to be clarified). For example, consider an SIRT swim-lane that combines the relevant technical response roles, but have separate swim-lanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
    • Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swim-lanes.(Tip: Your workflow needs to account for a range of scenarios. It typically won't be as specific as the tabletop planning results, which focus on only one scenario.)
    • Clarify the overall the workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding "Go To" connectors to minimize lines crossing each other, adding color-coding to highlight key related steps (e.g. any communication steps), and/or resizing swim-lanes to reduce the overall size of the workflow to make it easier to read.
    • Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarify your response workflow

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot from the ransomeware response tabletop planning

    3.3.2 Update your ransomware response runbook

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

    • Align stakeholder sections with the workflow: Each stakeholder swim-lane in the workflow needs its own section in the runbook.
    • Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
    • Review and update your threat escalation protocol: It's best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
    • Repeat the above after each exercise. Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarified response runbook

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of the Ransomware Response Runbook

    Phase 4

    Improve ransomware resilience

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Identifying initiatives to improve ransomware resilience.
    • Prioritizing initiatives in a project roadmap.
    • Communicating status and recommendations.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 4.1

    Run Tabletop Test (leadership)

    Activities

    • 4.1.1 Identify initiatives to close gaps and improve resilience
    • 4.1.2 Review broader strategies to improve your overall security program

    This step will walk you through the following activities:

    • Identifying initiatives to close gaps and improve resilience.
    • Reviewing broader strategies to improve your overall security program.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Specific potential initiatives based on a review of the gaps.
    • Broader potential initiatives to improve your overall security program.

    Improve ransomware resilience

    4.1.1 Identify initiatives to close gaps and improve resilience

    1 hour

    1. Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.
    2. Set up a blank spreadsheet with two columns and label them "Gaps" and "Initiatives." (It will be easier to copy the gaps and initiatives from this spreadsheet to you project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
    3. Review your tabletop planning results:
      1. Summarize the gaps in the "Gaps" column in your spreadsheet created for this activity.
      2. For each gap, write down potential initiatives to address the gap.
      3. Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don't need to identify a distinct initiative for every gap.
    4. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

    Input

    • Tabletop planning results
    • Maturity assessment

    Output

    • Identify initiatives to improve ransomware readiness

    Materials

    • Blank spreadsheet

    Participants

    • Security Incident Response Team (SIRT)

    4.1.2 Review broader strategies to improve your overall security program

    1 hour

    1. Review the following considerations as outlined on the next few slides:
      • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day to day incident management.
      • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected? If those options aren't very good, your backup strategy needs a refresh.
      • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
    2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

    Input

    • An understanding of your existing security practices and backup strategy.

    Output

    • Broader initiatives to improve ransomware readiness.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Implement core elements of an effective security program

    There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

    Leverage the following blueprints to implement the foundational elements of an effective security program:

    • Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
    • Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
    • Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

    Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

    • The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
    • Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
    • AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it's too late. For example, a "user" accessing a server they've never accessed before.
    • Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.

    Update your backup strategy to account for ransomware attacks

    Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn't good enough.

    In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

    • Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
    • Having offsite backups and using different storage media. Reduce the risk of infected backups by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
    • Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
    • Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

    This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

    This is an example of a backup strategy to account for ransomware attacks.

    Refer to Info-Tech's Establish an Effective Data Protection Plan blueprint for additional guidance.

    Explore zero-trust initiatives

    Zero trust is a set of principles, not a set of controls.

    Reduces reliance on perimeter security.

    Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.

    Zero trust must benefit the business first.

    IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.

    For more information, see Build a Zero-Trust Roadmap.

    Info-Tech Insight

    A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.

    Step 4.2

    Prioritize resilience initiatives

    Activities

    • 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk
    • 4.2.2 Review the dashboard to fine tune your roadmap

    This step will guide you through the following activities:

    • Prioritizing initiatives based on factors such as effort, cost, and risk.
    • Reviewing the dashboard to fine-tune your roadmap.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An executive-friendly project roadmap dashboard summarizing your initiatives.
    • A visual representation of the priority, effort, and timeline required for suggested initiatives.

    Review the Ransomware Resilience Assessment

    Tabs 2 and 3 list initiatives relevant to your ransomware readiness improvement efforts.

    • At this point in the project, the Ransomware Resilience Assessment should contain a number of initiatives to improve ransomware resilience.
    • Tab 2 is prepopulated with examples of gap closure actions to consider, which are categorized into initiatives listed on Tab 3.
    • Follow the instructions in the Ransomware Resilience Assessment to:
      • Categorize gap control actions into initiatives.
      • Prioritize initiatives based on cost, effort, and benefit.
      • Construct a roadmap for consideration.

    Download the Ransomware Resilience Assessment

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

    1 hour

    Prioritize initiatives in the Ransomware Resilience Assessment.

    1. The initiatives listed on Tab 3 Initiative List will be copied automatically on Tab 5 Prioritization.
    2. On Tab 1 Setup:
      1. Review the weight you want to assign to the cost and effort criteria.
      2. Update the default values for FTE and Roadmap Start as needed.
    3. Go back to Tab 5 Prioritization:
      1. Fill in the cost, effort, and benefit evaluation criteria for each initiative. Hide optional columns you don't plan to use, to avoid confusion.
      2. Use the cost and benefit scores to prioritize waves and schedule initiatives on Tab 6 Gantt Chart.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    4.2.2 Review the dashboard to fine-tune the roadmap

    1 hour

    Review and update the roadmap dashboard in your Ransomware Resilience Assessment.

    1. Review the Gantt chart to ensure:
      1. The timeline is realistic. Avoid scheduling many high-effort projects at the same time.
      2. Higher-priority items are scheduled sooner than low-priority items.
      3. Short-term projects include quick wins (e.g. high-priority, low-effort items).
      4. It supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
    2. Update the values on the 5 Prioritization and 6 Gantt Chart tabs based on your review.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of a sample roadmap for the years 2022-2023

    Step 4.3

    Measure resilience metrics

    Activities

    4.3.1 Summarize status and next steps in an executive presentation

    This step will guide you through the following activities:

    • Summarizing status and next steps in an executive presentation.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization's ransomware readiness.

    Improve ransomware resilience

    4.3.1 Summarize status and next steps in an executive presentation

    1 hour

    Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

    • Phase 1: Maturity assessment results, indicating your organization's overall readiness as well as specific areas that need to improve.
    • Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
    • Phase 3: Current incident response capabilities including steps, timeline, and gaps.
    • Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.

    Overall key findings and next steps.

    Download the Ransomware Readiness Summary Presentation Template

    Input

    • Results of all activities in Phases 1-4

    Output

    • Executive presentation

    Materials

    • Ransomware Readiness Summary Presentation Template

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of level 2 of the ransomware readiness maturity tool.

    Revisit metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Revisit metrics as the project nears completion and compare them against your baseline to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Summary of accomplishments

    Project overview

    Project deliverables

    This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices.

    • Ransomware Resilience Assessment: Measure your current readiness, then identify people, policy, and technology gaps to address.
    • Ransomware Response Workflow: An at-a-glance summary of the key incident response steps across all relevant stakeholders through each phase of incident management.
    • Ransomware Response Runbook: Includes your threat escalation protocol and detailed response steps to be executed by each stakeholder.
    • Ransomware Tabletop Planning : This deep dive into a ransomware scenario will help you develop a more accurate incident management workflow and runbook, as well as identify gaps to address.
    • Ransomware Project Roadmap: This prioritized list of initiatives will address specific gaps and improve overall ransomware readiness.
    • Ransomware Readiness Summary Presentation: Your executive presentation will communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

    Project phases

    Phase 1: Assess ransomware resilience

    Phase 2: Protect and detect

    Phase 3: Respond and recover

    Phase 4: Improve ransomware resilience

    Related Info-Tech Research

    Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.

    Related security blueprints:

    Related disaster recovery blueprints:

    Research Contributors and Experts

    This is an image of Jimmy Tom

    Jimmy Tom
    AVP of Information Technology and Infrastructure
    Financial Horizons

    This is an image of Dan Reisig

    Dan Reisig
    Vice President of Technology
    UV&S

    This is an image of Samuel Sutto

    Samuel Sutton
    Computer Scientist (Retired)
    FBI

    This is an image of Ali Dehghantanha

    Ali Dehghantanha
    Canada Research Chair in Cybersecurity and Threat Intelligence,
    University of Guelph

    This is an image of Gary Rietz

    Gary Rietz
    CIO
    Blommer Chocolate Company

    This is an image of Mark Roman

    Mark Roman
    CIO
    Simon Fraser University

    This is an image of Derrick Whalen

    Derrick Whalen
    Director, IT Services
    Halifax Port Authority

    This is an image of Stuart Gaslonde

    Stuart Gaslonde
    Director of IT & Digital Services
    Falmouth-Exeter Plus

    This is an image of Deborah Curtis

    Deborah Curtis
    CISO
    Placer County

    This is an image of Deuce Sapp

    Deuce Sapp
    VP of IT
    ISCO Industries

    This is an image of Trevor Ward

    Trevor Ward
    Information Security Assurance Manager
    Falmouth-Exeter Plus

    This is an image of Brian Murphy

    Brian Murphy
    IT Manager
    Placer County

    This is an image of Arturo Montalvo

    Arturo Montalvo
    CISO
    Texas General Land Office and Veterans Land Board

    No Image Available

    Mduduzi Dlamini
    IT Systems Manager
    Eswatini Railway

    No Image Available

    Mike Hare
    System Administrator
    18th Circuit Florida Courts

    No Image Available

    Linda Barratt
    Director of Enterprise architecture, IT Security, and Data Analytics, Toronto Community Housing Corporation

    This is an image of Josh Lazar

    Josh Lazar
    CIO
    18th Circuit Florida Courts

    This is an image of Douglas Williamson

    Douglas Williamson
    Director of IT
    Jamaica Civil Aviation Authority

    This is an image of Ira Goldstein

    Ira Goldstein
    Chief Operating Officer
    Herjavec Group

    This is an image of Celine Gravelines

    Celine Gravelines
    Senior Cybersecurity Analyst
    Encryptics

    This is an image of Dan Mathieson

    Dan Mathieson
    Mayor
    City of Stratford

    This is an image of Jacopo Fumagalli

    Jacopo Fumagalli
    CISO
    Omya

    This is an image of Matthew Parker

    Matthew Parker
    Program Manager
    Utah Transit Authority

    Two Additional Anonymous Contributors

    Bibliography

    2019-Data-Breach-Investigations-Report.-Verizon,-May-2019.
    2019-Midyear-Security-Roundup:-Evasive-Threats,-Persistent-Effects.-Trend-Micro,-2019.
    Abrams,-Lawrence.-"Ryuk-Ransomware-Uses-Wake-on-Lan-to-Encrypt-Offline-Devices."-Bleeping-Computer,-14-Jan.-2020.
    Abrams,-Lawrence.-"Sodinokibi-Ransomware-Publishes-Stolen-Data-for-the-First-Time."-Bleeping-Computer,-11-Jan.-2020.
    Canadian-Center-for-Cyber-Security,-"Ransomware-Playbook,"-30-November-2021.-Accessed-21-May-2022.-
    Carnegie-Endowment-for-International-Peace.-"Ransomware:-Prevention-and-Protection."-Accessed-May-2022.-
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-26-Data-Integrity:-Detecting-and-Responding-to-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-25-Data-Integrity:-Identifying-and-Protecting-Assets-Against-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.-
    Cichonski,-P.,-T.-Millar,-T.-Grance,-and-K.-Scarfone.-"Computer-Security-Incident-Handling-Guide."-SP-800-61-Rev.-2.-NIST,-Aug.-2012.
    Cimpanu,-Catalin.-"Company-shuts-down-because-of-ransomware,-leaves-300-without-jobs-just-before-holidays."-ZDNet,-3-Jan.-2020.
    Cimpanu,-Catalin.-"Ransomware-attack-hits-major-US-data-center-provider."-ZDNet,-5-Dec.-2019.
    CISA,-"Stop-Ransomware,"-Accessed-12-May-2022.
    "CMMI-Levels-of-Capability-and-Performance."-CMMI-Institute.-Accessed-May-2022.-
    Connolly,-Lena-Yuryna,-"An-empirical-study-of-ransomware-attacks-on-organizations:-an-assessment-of-severity-and-salient-factors-affecting-vulnerability."-Journal-of-Cybersecurity,-2020,.-1-18.
    "Definitions:-Backup-vs.-Disaster-Recovery-vs.-High-Availability."-CVM-IT-&-Cloud-Services,-12-Jan.-2017.
    "Don't-Become-a-Ransomware-Target-–-Secure-Your-RDP-Access-Responsibly."-Coveware,-2019.-
    Elementus,-"Rise-of-the-Ransomware-Cartels-"(2022).-YouTube.-Accessed-May-2022.-
    Global-Security-Attitude-Survey.-CrowdStrike,-2019.
    Graham,-Andrew.-"September-Cyberattack-cost-Woodstock-nearly-$670,00:-report."-
    Global-News,-10-Dec.-2019.
    Harris,-K.-"California-2016-Data-Breach-Report."-California-Department-of-Justice,-Feb.-2016.
    Hiscox-Cyber-Readiness-Report-2019.-Hiscox-UK,-2019.
    Cost-of-A-Data-Breach-(2022).-IBM.-Accessed-June-2022.--
    Ikeda,-Scott.-"LifeLabs-Data-Breach,-the-Largest-Ever-in-Canada,-May-Cost-the-Company-Over-$1-Billion-in-Class-Action-Lawsuit."-CPO-Magazine,-2020.
    Kessem,-Limor-and-Mitch-Mayne.-"Definitive-Guide-to-Ransomware."-IBM,-May-2022.
    Krebs,-Brian.-"Ransomware-Gangs-Now-Outing-Victim-Businesses-That-Don't-Pay-Up."-Krebson-Security,-16-Dec.-2019.
    Jaquith,-Andrew-and-Barnaby-Clarke,-"Security-metrics-to-help-protect-against-ransomware."-Panaseer,-July-29,-2021,-Accessed-3-June-2022.
    "LifeLabs-pays-ransom-after-cyberattack-exposes-information-of-15-million-customers-in-B.C.-and-Ontario."-CBC-News,-17-Dec.-2019.
    Matthews,-Lee.-"Louisiana-Suffers-Another-Major-Ransomware-Attack."-Forbes,-20-Nov.-2019.
    NISTIR-8374,-"Ransomware-Risk-Management:-A-Cybersecurity-Framework-Profile."-NIST-Computer-Security-Resource-Center.-February-2022.-Accessed-May-2022.-
    "Ransomware-attack-hits-school-district-twice-in-4-months."-Associated-Press,-10-Sept.-2019.
    "Ransomware-Costs-Double-in-Q4-as-Ryuk,-Sodinokibi-Proliferate."-Coveware,-2019.
    Ransomware-Payments-Rise-as-Public-Sector-is-Targeted,-New-Variants-Enter-the-Market."-Coveware,-2019.
    Rector,-Kevin.-"Baltimore-to-purchase-$20M-in-cyber-insurance-as-it-pays-off-contractors-who-helped-city-recover-from-ransomware."-The-Baltimore-Sun,-16-Oct.-2019.
    "Report:-Average-time-to-detect-and-contain-a-breach-is-287-days."-VentureBeat,-May-25,-2022.-Accessed-June-2022.-
    "Five-Lessons-Learned-from-over-600-Ransomware-Attacks."-Riskrecon.-Mar-2022.-Accessed-May-2022.-
    Rosenberg,-Matthew,-Nicole-Perlroth,-and-David-E.-Sanger.-"-'Chaos-is-the-Point':-Russian-Hackers-and-Trolls-Grow-Stealthier-in-2020."-The-New-York-Times,-10-Jan.-2020.
    Rouse,-Margaret.-"Data-Archiving."-TechTarget,-2018.
    Siegel,-Rachel.-"Florida-city-will-pay-hackers-$600,000-to-get-its-computer-systems-back."-The-Washington-Post,-20-June-2019.
    Sheridan,-Kelly.-"Global-Dwell-Time-Drops-as-Ransomware-Attacks-Accelerate."-DarkReading,-13-April-2021.-Accessed-May-2022.-
    Smith,-Elliot.-"British-Banks-hit-by-hacking-of-foreign-exchange-firm-Travelex."-CNBC,-9-Jan.-2020.
    "The-State-of-Ransomware-2022."-Sophos.-Feb-2022.-Accessed-May-2022.-
    "The-State-of-Ransomware-in-the-U.S.:-2019-Report-for-Q1-to-Q3."-Emsisoft-Malware-Lab,-1-Oct.2019.
    "The-State-of-Ransomware-in-the-U.S.:-Report-and-Statistics-2019."-Emsisoft-Lab,-12-Dec.-2019.
    "The-State-of-Ransomware-in-2020."-Black-Fog,-Dec.-2020.
    Toulas,-Bill.-"Ten-notorious-ransomware-strains-put-to-the-encryption-speed-test."-Bleeping-Computers,-23-Mar-2022.-Accessed-May-2022.
    Tung,-Liam-"This-is-how-long-hackers-will-hide-in-your-network-before-deploying-ransomware-or-being-spotted."-zdnet.-May-19,-2021.-Accessed-June-2022.-

    Manage Poor Performance While Working From Home

    • Buy Link or Shortcode: {j2store}599|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $1,600 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • For many, emergency WFH comes with several new challenges such as additional childcare responsibilities, sudden changes in role expectations, and negative impacts on wellbeing. These new challenges, coupled with previously existing ones, can result in poor performance. Owing to the lack of physical presence and cues, managers may struggle to identify that an employee’s performance is suffering. Even after identifying poor performance, it can be difficult to address remotely when such conversations would ideally be held in person.

    Our Advice

    Critical Insight

    • Poor performance must be managed, despite the pandemic. Evaluating root causes of performance issues is more important than ever now that personal factors such as lack of childcare and eldercare for those working from home are complicating the issue.

    Impact and Result

    • Organizations need to have a clear process for improving performance for employees working remotely during the COVID-19 pandemic. Provide managers with resources to help them identify performance issues and uncover their root causes as part of addressing overall performance. This will allow managers to connect employees with the required support while working with them to improve performance.

    Manage Poor Performance While Working From Home Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Follow the remote performance improvement process

    Determine how managers can identify poor performance remotely and help them navigate the performance improvement process while working from home.

    • Manage Poor Performance While Working From Home Storyboard
    • Manage Poor Performance While Working From Home: Manager Guide
    • Manage Poor Performance While Working From Home: Infographic

    2. Clarify roles and leverage resources

    Clarify roles and responsibilities in the performance improvement process and tailor relevant resources.

    • Wellness and Working From Home
    [infographic]

    Further reading

    Manage Poor Performance While Working From Home

    Assess and improve remote work performance with our ready-to-use tools.

    Executive Summary

    McLean & Company Insight

    Poor performance must be managed, despite the pandemic. Evaluating root causes of performance issues is more important than ever now that personal factors such as lack of childcare and eldercare for those working from home are complicating the issue.

    Situation

    COVID-19 has led to a sudden shift to working from home (WFH), resulting in a 72% decline in in-office work (Ranosa, 2020). While these uncertain times have disrupted traditional work routines, employee performance remains critical, as it plays a role in determining how organizations recover. Managers must not turn a blind eye to performance issues but rather must act quickly to support employees who may be struggling.

    Complication

    For many, emergency WFH comes with several new challenges such as additional childcare responsibilities, sudden changes in role expectations, and negative impacts on wellbeing. These new challenges, coupled with previously existing ones, can result in poor performance. Owing to the lack of physical presence and cues, managers may struggle to identify that an employee’s performance is suffering. Even after identifying poor performance, it can be difficult to address remotely when such conversations would ideally be held in person.

    Solution

    Organizations need to have a clear process for improving performance for employees working remotely during the COVID-19 pandemic. Provide managers with resources to help them identify performance issues and uncover their root causes as part of addressing overall performance. This will allow managers to connect employees with the required support while working with them to improve performance.

    Manage Poor Performance While Working From Home is made up of the following resources:

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Storyboard

    This storyboard is organized by the four steps of the performance improvement process: identify, initiate, deploy, and follow up/decide. These will appear on the left-hand side of the slides as a roadmap.

    The focus is on how HR can design the process for managing poor performance remotely and support managers through it while emergency WFH measures are in place. Key responsibilities, email templates, and relevant resources are included at the end.

    Adapt the process as necessary for your organization.

    Manager Guide

    The manager guide contains detailed advice for managers on navigating the process and focuses on the content of remote performance discussions.

    It consists of the following sections:

    • Identifying poor performance.
    • Conducting performance improvement discussions.
    • Uncovering and addressing root causes of poor performance.
    Manager Infographic

    The manager infographic illustrates the high-level steps of the performance improvement process for managers in a visually appealing and easily digestible manner.

    This can be used to easily outline the process, providing managers with a resource to quickly reference as they navigate the process with their direct reports.

    In this blueprint, “WFH” and “remote working” are used interchangeably.

    This blueprint will not cover the performance management framework; it is solely focused on managing performance issues.

    For information on adjusting the regular performance management process during the pandemic, see Performance Management for Emergency Work-From-Home.

    Identify how low performance is normally addressed

    A process for performance improvement is not akin to outlining the steps of a performance improvement plan (PIP). The PIP is a development tool used within a larger process for performance improvement. Guidance on how to structure and use a PIP will be provided later in this blueprint.

    Evaluate how low performance is usually brought to the attention of HR in a non-remote situation:
    • Do managers approach HR for an employee transfer or PIP without having prior performance conversations with the employee?
    • Do managers come to HR when they need support in developing an employee in order to meet expectations?
    • Do managers proactively reach out to HR to discuss appropriate L&D for staff who are struggling?
    • Do some departments engage with the process while others do not?
    Poor performance does not signal the immediate need to terminate an employee. Instead, managers should focus on helping the struggling employee to develop so that they may succeed.
    Evaluate how poor performance is determined:
    • Do managers use performance data or concrete examples?
    • Is it based on a subjective assessment by the manager?
    Keep in mind that “poor performance” now might look different than it did before the pandemic. Employees must be aware of the current expectations placed on them before they can be labeled as underperforming – and the performance expectations must be assessed to ensure they are realistic.

    For information on adjusting performance expectations during the pandemic, see Performance Management for Emergency Work-From-Home.

    The process for non-union and union employees will likely differ. Make sure your process for unionized employees aligns with collective agreements.

    Determine how managers can identify poor performance of staff working remotely

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Identify: Determine how managers can identify poor performance.
    In person, it can be easy to see when an employee is struggling by glancing over at their desk and observing body language. In a remote situation, this can be more difficult, as it is easy to put on a brave face for the half-hour to one-hour check-in. Advise managers on how important frequent one-one-ones and open communication are in helping identify issues when they arise rather than when it’s too late.

    Managers must clearly document and communicate instances where employees aren’t meeting role expectations or are showing other key signs that they are not performing at the level expected of them.

    What to look for:
    • PM data/performance-related assessments
    • Continual absences
    • Decreased quality or quantity of output
    • Frequent excuses (e.g. repeated internet outages)
    • Lack of effort or follow-through
    • Missed deadlines
    • Poor communication or lack of responsiveness
    • Failure to improve
    It’s crucial to acknowledge an employee might have an “off week” or need time to adjust to working from home, which can be addressed with performance management techniques. Managers should move into the process for performance improvement when:
    • Performance fluctuates frequently or significantly.
    • Performance has dropped for an extended period of time.
    • Expectations are consistently not being met.

    While it’s important for managers to keep an eye out for decreased performance, discourage them from over-monitoring employees, as this can lead to a damaging environment of distrust.

    Support managers in initiating performance conversations and uncovering root causes

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Initiate: Require that managers have several conversations about low performance with the employee.
    Before using more formal measures, ensure managers take responsibility for connecting with the employee to have an initial performance conversation where they will make the performance issue known and try to diagnose the root cause of the issue.

    Coach managers to recognize behaviors associated with the following performance inhibitors:

    Personal Factors

    Personal factors, usually outside the workplace, can affect an employee’s performance.

    Lack of clarity

    Employees must be clear on performance expectations before they can be labeled as a poor performer.

    Low motivation

    Lack of motivation to complete work can impact the quality of output and/or amount of work an employee is completing.

    Inability

    Resourcing, technology, organizational change, or lack of skills to do the job can all result in the inability of an employee to perform at their best.

    Poor people skills

    Problematic people skills, externally with clients or internally with colleagues, can affect an employee’s performance or the team’s engagement.

    Personal factors are a common performance inhibitor due to emergency WFH measures. The decreased divide between work and home life and the additional stresses of the pandemic can bring up new cases of poor performance or exacerbate existing ones. Remind managers that all potential root causes should still be investigated rather than assuming personal factors are the problem and emphasize that there can be more than one cause.

    Ensure managers continue to conduct frequent performance conversations

    Once an informal conversation has been initiated, the manager should schedule frequent one-on-one performance conversations (above and beyond performance management check-ins).

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Explain to managers the purpose of these discussions is to:
    • Continue to probe for root causes.
    • Reinforce role expectations and performance targets.
    • Follow up on any improvements.
    • Address the performance issue and share relevant resources (e.g. HR or employee assistance program [EAP]).
    Given these conversations will be remote, require managers to:
    • Use video whenever possible to read physical cues and body language.
    • Bookend the conversation. Starting each meeting by setting the context for the discussion and finishing with the employee reiterating the key takeaways back will ensure there are no misunderstandings.
    • Document the conversation and share with HR. This provides evidence of the conversations and helps hold managers accountable.
    What is HR’s role? HR should ensure that the manager has had multiple conversations with the employee before moving to the next step. Furthermore, HR is responsible for ensuring manages are equipped to have the conversations through coaching, role-playing, etc.

    For more information on the content of these conversations or for material to leverage for training purposes, see Manage Poor Performance While Working From Home: Manager Guide.

    McLean & Company Insight

    Managers are there to be coaches, not therapists. Uncovering the root cause of poor performance will allow managers to pinpoint supports needed, either within their expertise (e.g. coaching, training, providing flexible hours) or by directing the employee to proper external resources such as an EAP.

    Help managers use formal performance improvement tools with remote workers

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Deploy: Use performance improvement tools.
    If initial performance conversations were unsuccessful and performance does not improve, refer managers to performance improvement tools:
    • Suggest any other available support and resources they have not yet recommended (e.g. EAP).
    • Explore options for co-creation of a development plan to increase employee buy-in. If the manager has been diligent about clarifying role expectations, invite the employee to put together their own action plan for meeting performance goals. This can then be reviewed and finalized with the manager.
    • Have the manager use a formal PIP for development and to get the employee back on track. Review the development plan or PIP with the manager before they share it with the employee to ensure it is clear and has time bound, realistic goals for improvement.
    Using a PIP solely to avoid legal trouble and terminate employees isn’t true to its intended purpose. This is what progressive discipline is for.In the case of significant behavior problems, like breaking company rules or safety violations, the manager will likely need to move to progressive discipline. HR should advise managers on the appropriate process.

    When does the issue warrant progressive discipline? If the action needs to stop immediately, (e.g. threatening or inappropriate behavior) and/or as outlined in the collective agreement.

    Clarify remote PIP stages and best practices

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide
    Sample Stages:
    1. Written PIP
    • HR reviews and signs off on PIP
    • Manager holds meeting to provide employee with PIP
    • Employee reviews the PIP
    • Manager and employee provide e-signatures
    • Signed PIP is given to HR
    2. Possible Extension
    3. Final Notice
    • Manager provides employee with final notice if there has been no improvement in agreed time frame
    • Copy of signed final notice letter given to HR

    Who is involved?

    The manager runs the meeting with the employee. HR should act as a support by:

    • Ensuring the PIP is clear, aligned with the performance issue, and focused on development, prior to the meeting.
    • Pointing to resources and making themselves available prior to, during, and after the meeting.
      • When should HR be involved? HR should be present in the meeting if the manager has requested it or if the employee has approached HR beforehand with concerns about the manager. Keep in mind that if the employee sees HR has been unexpectedly invited to the video call, it could add extra stress for them.
    • Reviewing documentation and ensuring expectations and the action plan are reasonable and realistic.

    Determine the length of the PIP

    • The length of the initial PIP will often depend on the complexity of the employee’s role and how long it will reasonably take to see improvements. The minimum (before a potential extension) should be 30-60 days.
    • Ensure the action plan takes sustainment into account. Employees must be able to demonstrate improvement and sustain improved performance in order to successfully complete a PIP.

    Timing of delivery

    Help the manager determine when the PIP meeting will occur (what day, time of day). Take into account the schedule of the employee they will be meeting with (e.g. avoid scheduling right before an important client call).

    1

    Identify

    2

    Initiate

    3

    Deploy

    4

    a) Follow Up
    b) Decide

    Follow up: If the process escalated to step 3 and is successful.

    What does success look like? Performance improvement must be sustained after the PIP is completed. It’s not enough to simply meet performance improvement goals and expectations; the employee must continue to perform.

    Have the manager schedule a final PIP review with the employee. Use video, as this enables the employee and manager to read body language and minimize miscommunication/misinterpretation.

    • If performance expectations have been met, instruct managers to document this in the PIP, inform the employee they are off the PIP, and provide it to HR.

    The manager should also continue check-ins with the employee to ensure sustainment and as part of continued performance management.

    • Set a specific timeline, e.g. every two weeks or every month. Choose a cadence that works best for the manager and employee.

    OR

    Decide: Determine action steps if the process is unsuccessful.

    If at the end of step 3 performance has not sufficiently improved, the organization (HR and the manager) should either determine if the employee could/should be temporarily redeployed while the emergency WFH is still in place, if a permanent transfer to a role that is a better fit is an option, or if the employee should be let go.

    See the Complete Manual for COVID-19 Layoffs blueprint for information on layoffs in remote environments.

    Managers, HR, and employees all have a role to play in performance improvement

    Managers
    • Identify the outcomes the organization is looking for and clearly outline and communicate the expectations for the employee’s performance.
    • Diagnose root cause(s) of the performance issue.
    • Support employee through frequent conversations and feedback.
    • Coach for improved performance.
    • Visibly recognize and broadcast employee achievements.
    Employees
    • Have open and honest conversations with their manager, acknowledge their accountability, and be receptive to feedback.
    • Set performance goals to meet expectations of the role.
    • Prepare for frequent check-ins regarding improvement.
    • Seek support from HR as required.
    HR
    • Provide managers with a process, training, and support to improve employee performance.
    • Coach managers to ensure employees have been made aware of their role expectations and current performance and given specific recommendations on how to improve.
    • Reinforce the process for improving employee performance to ensure that adequate coaching conversations have taken place before the formal PIP.
    • Coach employees on how to approach their manager to discuss challenges in meeting expectations.

    HR should conduct checkpoints with both managers and employees in cases where a formal PIP was initiated to ensure the process for performance improvement is being followed and to support both parties in improving performance.

    Email templates

    Use the templates found on the next slides to draft communications to employees who are underperforming while working from home.

    Customize all templates with relevant information and use them as a guide to further tailor your communication to a specific employee.

    Customization Recommendations

    Review all slides and adjust the language or content as needed to suit the needs of the employee, the complexity of their role, and the performance issue.

    • The pencil icon to the left denotes slides requiring customization of the text. Customize text in grey font and be sure to convert all font to black when you are done.

    Included Templates

    1. Performance Discussion Follow-Up
    2. PIP Cover Letter

    This template is not a substitute for legal advice. Ensure you consult with your legal counsel, labor relations representative, and union representative to align with collective agreements and relevant legislation.

    Sample Performance Discussion Follow-Up

    Hello [name],

    Thank you for the commitment and eagerness in our meeting yesterday.

    I wanted to recap the conversation and expectations for the month of [insert month].

    As discussed, you have been advised about your recent [behavior, performance, attendance, policy, etc.] where you have demonstrated [state specific issue with detail of behavior/performance of concern]. As per our conversation, we’ll be working on improvement in this area in order to meet expectations set out for our employees.

    It is expected that employees [state expectations]. Please do not hesitate to reach out to me if there is further clarification needed or you if you have any questions or concerns. The management team and I are committed to helping you achieve these goals.

    We will do a formal check-in on your progress every [insert day] from [insert time] to review your progress. I will also be available for daily check-ins to support you on the right track. Additionally, you can book me in for desk-side coaching outside of my regular desk-side check-ins. If there is anything else I can do to help support you in hitting these goals, please let me know. Other resources we discussed that may be helpful in meeting these objectives are [summarize available support and resources]. By working together through this process, I have no doubt that you can be successful. I am here to provide support and assist you through this.

    If you’re unable to show improvements set out in our discussion by [date], we will proceed to a formal performance measure that will include a performance improvement plan. Please let me know if you have any questions or concerns; I am here to help.

    Please acknowledge this email and let me know if you have any questions.

    Thank you,

    PIP Cover Letter

    Hello [name] ,

    This is to confirm our meeting on [date] in which we discussed your performance to date and areas that need improvement. Please find the attached performance improvement plan, which contains a detailed action plan that we have agreed upon to help you meet role expectations over the next [XX days]. The aim of this plan is to provide you with a detailed outline of our performance expectations and provide you the opportunity to improve your performance, with our support.

    We will check in every [XX days] to review your progress. At the end of the [XX]-day period, we will review your performance against the role expectations set out in this performance improvement plan. If you don’t meet the performance requirements in the time allotted, further action and consequences will follow.

    Should you have any questions about the performance improvement plan or the process outlined in this document, please do not hesitate to discuss them with me.

    [Employee name], it is my personal objective to help you be a fully productive member of our team. By working together through this performance improvement plan, I have no doubt that you can be successful. I am here to provide support and assist you through the process. At this time, I would also like to remind you about the [additional resources available at your organization, for example, employee assistance program or HR].

    Please acknowledge this email and let me know if you have any questions.

    Thank you,

    Prepare and customize manager guide and resources

    Sample of Manage Poor Performance While Working From Home: Manager Guide. Manage Poor Performance While Working From Home: Manager Guide

    This tool for managers provides advice on navigating the process and focuses on the content of remote performance discussions.

    Sample of Set Meaningful Employee Performance Measures. Set Meaningful Employee Performance Measures

    See this blueprint for information on setting holistic measures to inspire employee performance.

    Sample of Manage Poor Performance While Working From Home: Infographic. Manage Poor Performance While Working From Home: Infographic

    This tool illustrates the high-level steps of the performance improvement process.

    Sample of Wellness and Working From Home: Infographic. Wellness and Working From Home: Infographic

    This tool highlights tips to manage physical and mental health while working from home.

    Sample of Build a Better Manager: Team Essentials. Build a Better Manager: Team Essentials

    See this solution set for more information on kick-starting the effectiveness of first-time IT managers with essential management skills.

    Sample of Leverage Agile Goal Setting for Improved Employee Engagement & Performance. Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    See this blueprint for information on dodging the micromanaging foul and scoring with agile short-term goal setting.

    Bibliography

    Arringdale, Chris. “6 Tips For Managers Trying to Overcome Performance Appraisal Anxiety.” TLNT. 18 September 2015. Accessed 2018.

    Borysenko, Karlyn. “What Was Management Thinking? The High Cost of Employee Turnover.” Talent Management and HR. 22 April 2015. Accessed 2018.

    Cook, Ian. “Curbing Employee Turnover Contagion in the Workplace.” Visier. 20 February 2018. Accessed 2018.

    Cornerstone OnDemand. Toxic Employees in the Workplace. Santa Monica, California: Cornerstone OnDemand, 2015. Web.

    Dewar, Carolyn and Reed Doucette. “6 elements to create a high-performing culture.” McKinsey & Company. 9 April 2018. Accessed 2018.

    Eagle Hill. Eagle Hill National Attrition Survey. Washington, D.C.: Eagle Hill, 2015. Web.

    ERC. “Performance Improvement Plan Checklist.” ERC. 21 June 2017. Accessed 2018.

    Foster, James. “The Impact of Managers on Workplace Engagement and Productivity.” Interact. 16 March 2017. Accessed 2018.

    Godwins Solicitors LLP. “Employment Tribunal Statistics for 2015/2016.” Godwins Solicitors LLP. 8 February 2017. Accessed 2018.

    Mankins, Michael. “How to Manage a Team of All-Stars.” Harvard Business Review. 6 June 2017. Accessed 2018.

    Maxfield, David, et al. The Value of Stress-Free Productivity. Provo, Utah: VitalSmarts, 2017. Web.

    Murphy, Mark. “Skip Your Low Performers When Starting Performance Appraisals.” Forbes. 21 January 2015. Accessed 2018.

    Quint. “Transforming into a High Performance Organization.” Quint Wellington Redwood. 16 November 2017. Accessed 2018.

    Ranosa, Rachel. "COVID -19: Canadian Productivity Booms Despite Social Distancing." Human Resources Director, 14 April 2020. Accessed 2020.

    Build an IT Risk Management Program

    • Buy Link or Shortcode: {j2store}192|cart{/j2store}
    • member rating overall impact (scale of 10): 8.3/10 Overall Impact
    • member rating average dollars saved: $31,532 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks AFTER they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Our Advice

    Critical Insight

    • IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Impact and Result

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

    Build an IT Risk Management Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Risk Management Program – A holistic approach to managing IT risks within your organization and involving key business stakeholders.

    Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.

    • Build an IT Risk Management Program – Phases 1-3

    2. Risk Management Program Manual – A single source of truth for the risk management program to exist and be updated to reflect changes.

    Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.

    • Risk Management Program Manual

    3. Risk Register & Risk Costing Tool – A set of tools to document identified risk events. Assess each risk event and consider the appropriate response based on your organization’s threshold for risk.

    Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.

    • Risk Register Tool
    • Risk Costing Tool

    4. Risk Event Action Plan and Risk Report – A template to document the chosen risk responses and ensure accountable owners agree on selected response method.

    Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.

    • Risk Event Action Plan
    • Risk Report

    Infographic

    Workshop: Build an IT Risk Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review IT Risk Fundamentals and Governance

    The Purpose

    To assess current risk management maturity, develop goals, and establish IT risk governance.

    Key Benefits Achieved

    Identified obstacles to effective IT risk management.

    Established attainable goals to increase maturity.

    Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.

    Activities

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events

    Outputs

    Maturity Assessment

    Risk Management Program Manual

    Risk Register

    2 Identify IT Risks

    The Purpose

    Identify and assess all IT risks.

    Key Benefits Achieved

    Created a comprehensive list of all IT risk events.

    Risk events prioritized according to risk severity – as defined by the business.

    Activities

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT 5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment

    Outputs

    Finalized List of IT Risk Events

    Risk Register

    Risk Management Program Manual

    3 Identify IT Risks (continued)

    The Purpose

    Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.

    Key Benefits Achieved

    Risk monitoring responsibilities are established.

    Risk response strategies have been identified for all key risks.

    Activities

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Root cause analysis

    3.6 Identify and assess risk responses

    Outputs

    Risk Register

    Risk Management Program Manual

    Risk Event Action Plans

    4 Monitor, Report, and Respond to IT Risk

    The Purpose

    Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.

    Key Benefits Achieved

    Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.

    Authoritative risk response recommendations can be made to senior leadership.

    A finalized Risk Management Program Manual is ready for distribution to key stakeholders.

    Activities

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers

    Outputs

    Risk Report

    Risk Management Program Manual

    Further reading

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    Table of Contents

    3 Executive Brief

    4 Analyst Perspective

    5 Executive Summary

    19 Phase 1: Review IT Risk Fundamentals & Governance

    43 Phase 2: Identify and Assess IT Risk

    74 Phase 3: Monitor, Communicate, and Respond to IT Risk

    102 Appendix

    108 Bibliography

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    Siloed risks are risky business for any enterprise.

    Photo of Valence Howden, Principal Research Director, CIO Practice.
    Valence Howden
    Principal Research Director, CIO Practice
    Photo of Brittany Lutes, Senior Research Analyst, CIO Practice.
    Brittany Lutes
    Senior Research Analyst, CIO Practice

    Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

    Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

    This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

    Executive Summary

    Your Challenge

    IT has several challenges when it comes to addressing risk management:

    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Common Obstacles

    Many IT organizations realize these obstacles:

    • IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
    • Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
    • Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

    Info-Tech’s Approach

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

    Info-Tech Insight

    IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Ad hoc approaches to managing risk fail because…

    If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

    1. Ad hoc risk management is reactionary.
    2. Ad hoc risk management is often focused only on IT security.
    3. Ad hoc risk management lacks alignment with business objectives.

    The results:

    • Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
    • Increased IT non-compliance, resulting in costly settlements and fines.
    • IT audit failure.
    • Ineffective management of risk caused by poor risk information and wrong risk response decisions.
    • Increased unnecessary and avoidable IT failures and fixes.

    58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

    Data is an invaluable asset – ensure it’s protected

    Case Studies

    Logo for Cognyte.

    Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink., 2021 & Security Magazine, 2021)

    Logo for Facebook.

    Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021 & Security Magazine, 2021)

    Logo for MGM Resorts.

    In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)

    Risk management is a business enabler

    Formalize risk management to increase your likelihood of success.

    By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

    A certain amount of risk is healthy and can stimulate innovation:

    • A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
    • Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
    • Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

    Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

    IT risk is enterprise risk

    Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

    Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

    Follow the steps of this blueprint to build or optimize your IT risk management program

    Cycle of 'Goverance' beginning with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report'.

    Start Here

    PHASE 1
    Review IT Risk Fundamentals and Governance
    PHASE 2
    Identify and Assess IT Risk
    PHASE 3
    Monitor, Report, and Respond to IT Risk

    1.1

    Review IT Risk Management Fundamentals

    1.2

    Establish a Risk Governance Framework

    2.1

    Identify IT Risks

    2.2

    Assess and Prioritize IT Risks

    3.1

    Monitor IT Risks and Develop Risk Responses

    3.2

    Report IT Risk Priorities

    Integrate Risk and Use It to Your Advantage

    Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

    Risk management is more than checking an audit box or demonstrating project due diligence.

    Risk Drivers
    • Audit & compliance
    • Preserve value & avoid loss
    • Previous risk impact driver
    • Major transformation
    • Strategic opportunities
    Arrow pointing right. Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
    1. Assess Enterprise Risk Maturity 3. Build a Risk Management Program Plan 4. Establish Risk Management Processes 5. Implement a Risk Management Program
    2. Determine Authority with Governance
    Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
    IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

    Governance and related decision making is optimized with integrated and aligned risk data.

    List of 'Integrated Risk Maturity Categories': '1. Context & Strategic Direction', '2. Risk Culture and Authority', '3. Risk Management Process', and '4. Risk Program Optimization'. The five types of a risk in 'Enterprise Risk Management (ERM)': 'IT', 'Security', 'Digital', 'Vendor/TPRM', and 'Other'.

    ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

    The program plan is meant to consider all the major risk types in a unified approach.

    The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning. Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Risk Management Program Manual

    Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

    Sample of the key deliverable, Risk Manangement Program Fund.
    Integrated Risk Maturity Assessment

    Assess the organization's current maturity and readiness for integrated risk management (IRM).

    Sample of the Integrated Risk Maturity Assessment blueprint. Centralized Risk Register

    The repository for all the risks that have been identified within your environment.

    Sample of the Centralized Risk Register blueprint.
    Risk Costing Tool

    A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.

    Sample of the Risk Costing Tool blueprint. Risk Report & Risk Event Action Plan

    A method to report risk severity and hold risk owners accountable for chosen method of responding.

    Samples of the Risk Report & Risk Event Action Plan blueprints.

    Benefit from industry-leading best practices

    As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

    Logo for COSO.

    COSO’s Enterprise Risk Management — Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. (COSO)

    Logo for ISO.

    ISO 31000
    Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)

    Logo for COBIT.

    COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology. (COBIT 2019)

    Abandon ad hoc risk management

    A strong risk management foundation is valuable when building your IT risk management program.

    This research covers the following IT risk fundamentals:

    • Benefits of formalized risk management
    • Key terms and definitions
    • Risk management within ERM
    • Risk management independent of ERM
    • Four key principles of IT risk management
    • Importance of a risk management program manual
    • Importance of buy-in and support from the business

    Drivers of Formalized Risk Management:

    Drivers External to IT
    External Audit Internal Audit
    Mandated by ERM
    Occurrence of Risk Event
    Demonstrating IT’s value to the business Proactive initiative
    Emerging IT risk awareness
    Grassroots Drivers

    Blueprint benefits

    IT Benefits

    • Increased on-time, in-scope, and on-budget completion of IT projects.
    • Meet the business’ service requirements.
    • Improved satisfaction with IT by senior leadership and business units.
    • Fewer resources wasted on fire-fighting.
    • Improved availability, integrity, and confidentiality of sensitive data.
    • More efficient use of resources.
    • Greater ability to respond to evolving threats.

    Business Benefits

    • Reduced operational surprises or failures.
    • Improved IT flexibility when responding to risk events and market fluctuations.
    • Reduced budget uncertainty.
    • Improved ability to make decisions when developing long-term strategies.
    • Improved stakeholder and shareholder confidence.
    • Achieved compliance with external regulations.
    • Competitive advantage over organizations with immature risk management practices.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 3 to 6 months.

    What does a typical GI on this topic look like?

      Phase 1

    • Call #1: Assess current risk maturity and organizational buy-in.
    • Call #2: Establish an IT risk council and determine IT risk management program goals.
    • Phase 2

    • Call #3: Identify the risk categories used to organize risk events.
    • Call #4: Identify the threshold for risk the organization can withstand.
    • Phase 3

    • Call #5: Create a method to assess risk event severity.
    • Call #6: Establish a method to monitor priority risks and consider possible risk responses.
    • Call #7: Communicate risk priorities to the business and implement risk management plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities
    Review IT Risk Fundamentals and Governance

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events

    Identify IT Risks

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment

    Assess IT Risks

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Perform root cause analysis

    3.6 Identify and assess risk responses

    Monitor, Report, and Respond to IT Risk

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Outcomes
    1. Maturity Assessment
    2. Risk Management Program Manual
    1. Finalized List of IT Risk Events
    2. Risk Register
    3. Risk Management Program Manual
    1. Risk Register
    2. Risk Event Action Plans
    3. Risk Management Program Manual
    1. Risk Report
    2. Risk Management Program Manual
    1. Workshop Report
    2. Risk Management Program Manual

    Build an IT Risk Management Program

    Phase 1

    Review IT Risk Fundamentals and Governance

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Gain buy-in from senior leadership
    • Assess current program maturity
    • Identify obstacles and pain points
    • Determine the risk culture of the organization
    • Develop risk management goals
    • Develop SMART project metrics
    • Create the IT risk council
    • Complete a RACI chart

    This phase involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Step 1.1

    Review IT Risk Management Fundamentals

    Activities
    • 1.1.1 Gain buy-in from senior leadership
    • 1.1.2 Assess current program maturity

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Reviewed key IT principles and terminology
    • Gained understanding of the relationship between IT risk management and ERM
    • Introduced to Info-Tech’s IT Risk Management Framework
    • Obtained the support of senior leadership
    Step 1.1 Step 1.2

    Effective IT risk management is possible with or without ERM

    Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

    Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

    Core Responsibilities With an ERM Without an ERM
    • Risk Decision-Making Authority
    • Final Accountability
    Senior Leadership Team Senior Leadership Team
    • Risk Governance
    • Risk Prioritization & Communication
    ERM IT Risk Management
    • Risk Identification
    • Risk Assessment
    • Risk Monitoring
    IT Risk Management
    Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
    Con: IT may lack autonomy to implement IT risk management best practices.
    Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
    Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.

    Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

    IT Risk Management Framework

    Risk Governance
    • Optimize Risk Management Processes
    • Assess Risk Maturity
    • Measure the Success of the Program
    A cycle surrounds the words 'Business Objectives', referring to the surrounding lists. On the top half is 'Communication', and the bottom is 'Monitoring'. Risk Identification
    • Engage Stakeholder Participation
    • Use Risk Identification Frameworks
    • Compile IT-Related Risks
    Risk Response
    • Establish Monitoring Responsibilities
    • Perform Cost-Benefit Analysis
    • Report Risk Response Actions
    Risk Assessment
    • Establish Thresholds for Unacceptable Risk
    • Calculate Expected Cost
    • Determine Risk Severity & Prioritize IT Risks

    Effective IT risk management benefits

    Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

    Risk management benefits To engage the business...
    IT is compliant with external laws and regulations. Identify the industry or legal legislation and regulations your organization abides by.
    IT provides support for business compliance. Find relevant business compliance issues, and relate compliance failures to cost.
    IT regularly communicates costs, benefits, and risks to the business. Acknowledge the number of times IT and the business miscommunicate critical information.
    Information and processing infrastructure are very secure. Point to past security breaches or potential vulnerabilities in your systems.
    IT services are usually delivered in line with business requirements. Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality.
    IT related business risks are managed very well. Make it clear that with no risk tracking process, business processes become exposed and tend to slow down.
    IT projects are completed on time and within budget. Point out late or over-budget projects due to the occurrence of unforeseen risks.

    1.1.1 Gain buy-in from senior leadership

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Buy-in from senior leadership for an IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

    • Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
    • Periodic risk assessments (e.g. 4 days, twice a year).
    • IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
    • Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

    Record the results in the Risk Management Program Manual.

    Integrated Risk Maturity Assessment

    The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM)

    Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

    Integrated Risk Maturity Assessment
    A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.
    Sample of the Integrated Risk Maturity Assessment deliverable.

    Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organizations.

    Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

    1.1.2 Assess current program maturity

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Maturity scores across four key risk categories

    Materials: Integrated Risk Maturity Assessment Tool

    Participants: IT executive leadership, Business executive leadership

    This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

    How to Use This Assessment:

    1. Download the Integrated Risk Management Maturity Assessment Tool.
    2. Tab 2, "Data Entry:" This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
    3. Tab 3, "Results:" This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

    Record the results in the Integrated Risk Maturity Assessment.

    Integrated Risk Maturity Categories

    Semi-circle with colored points indicating four categories.

    1

    Context & Strategic Direction Understanding of the organization’s main objectives and how risk can support or enhance those objectives.

    2

    Risk Culture and Authority Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.

    3

    Risk Management Process Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.

    4

    Risk Program Optimization Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.

    Step 1.2

    Establish a Risk Governance Framework

    Activities
    • 1.2.1 Identify pain points/obstacles and opportunities
    • 1.2.2 Determine the risk culture of the organization
    • 1.2.3 Develop risk management goals
    • 1.2.4 Develop SMART project metrics
    • 1.2.5 Create the IT risk council
    • 1.2.6 Complete a RACI chart

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Developed goals for the risk management program
    • Established the IT risk council
    • Assigned accountability and responsibility for risk management processes

    Review IT Risk Fundamentals and Governance

    Step 1.1 Step 1.2

    Create an IT risk governance framework that integrates with the business

    Follow these best practices to make sure your requirements are solid:

    1. Self-assess your current approach to IT risk management.
    2. Identify organizational obstacles and set attainable risk management goals.
    3. Track the effectiveness and success of the program using SMART risk management metrics.
    4. Establish an IT risk council tasked with managing IT risk.
    5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

    Key metrics for your IT risk governance framework

    Challenges:
    • Key stakeholders are left out or consulted once risks have already occurred.
    • Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
    • Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
    • Risk assessment occurs sporadically or only after a major risk event has already occurred.
    Key metrics:
    • Number of risk management processes done ad hoc.
    • Frequency that IT risk appears as an agenda item at IT steering committee meetings.
    • Percentage of IT employees whose performance evaluations reflect risk management objectives.
    • Percentage of IT risk council members who are trained in risk management activities.
    • Number of open positions in the IT risk council.
    • Cost of risk management program operations per year.

    Info-Tech Insight

    Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

    IT risk management success factors

    Support and sponsorship from senior leadership

    IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative.

    Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.

    Risk culture and awareness

    A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk.

    An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization.

    Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

    Organization size

    Smaller organizations can often institute a mature risk management program much more quickly than larger organizations.

    It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management.

    Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.

    1.2.1 Identify obstacles and pain points

    1-4 hours

    Input: Integrated Risk Maturity Assessment

    Output: Obstacles and pain points identified

    Materials: IT Risk Management Success Factors

    Participants: IT executive leadership, Business executive leadership

    Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

    Instructions:

    1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
    2. Consider some opportunities that could be leveraged to increase the success of this program.
    3. Use this list in Activity 1.2.3 to develop program goals.

    Risk Management

    Replace the example pain points and opportunities with real scenarios in your organization.

    Pain Points/Obstacles
    • Lack of leadership buy-in
    • Skills and understanding around risk management within IT
    • Skills and understanding around risk management within the organization
    • Lack of a defined risk management posture
    Opportunities
    • Changes in regulations related to risk
    • Organization moving toward an integrated risk management program
    • Ability to leverage lessons learned from similar companies
    • Strong process management and adherence to policies by employees in the organization

    1.2.2 Determine the risk culture of your organization

    1-3 hours

    Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

    Risk Tolerant
    • You have no compliance requirements.
    • You have no sensitive data.
    • Customers do not expect you to have strong security controls.
    • Revenue generation and innovative products take priority and risk is acceptable.
    • The organization does not have remote locations.
    • It is likely that your organization does not operate within the following industries:
      • Finance
      • Health care
      • Telecom
      • Government
      • Research
      • Education
    Moderate
    • You have some compliance requirements, e.g.:
      • HIPAA
      • PIPEDA
    • You have sensitive data, and are required to retain records.
    • Customers expect strong security controls.
    • Information security is visible to senior leadership.
    • The organization has some remote locations.
    • Your organization most likely operates within the following industries:
      • Government
      • Research
      • Education
    Risk Averse
    • You have multiple, strict compliance and/or regulatory requirements.
    • You house sensitive data, such as medical records.
    • Customers expect your organization to maintain strong and current security controls.
    • Information security is highly visible to senior management and public investors.
    • The organization has multiple remote locations.
    • Your organization operates within the following industries:
      • Finance
      • Healthcare
      • Telecom

    Be aware of the organization’s attitude towards risk

    Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

    One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.
    Risk tolerant

    Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

    Risk averse

    Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.

    The other component of risk culture is the degree to which risk factors into decision making.
    Risk conscious

    Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.

    Unaware

    Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.

    Info-Tech Insight

    Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

    1.2.3 Develop goals for the IT risk management program

    1-4 hours

    Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

    Instructions:

    1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
    2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
    3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

    Record the results in the Risk Management Program Manual.

    1.2.4 Develop SMART project metrics

    1-3 hours

    Create metrics for measuring the success of the IT risk management program.

    Ensure that all success metrics are SMART Instructions
    1. Document a list of appropriate metrics to assess the success of the IT risk management program on a whiteboard.
    2. Use the sample metrics listed in the table on the next slide as a starting point.
    3. Fill in the chart to indicate the:
      1. Name of the success metric
      2. Method for measuring success
      3. Baseline measurement
      4. Target measurement
      5. Actual measurements at various points throughout the process of improving the risk management program
      6. A deadline for each metric to meet the target measurement
    Strong Make sure the objective is clear and detailed.
    Measurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
    Actionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
    Realistic Objectives must be achievable given your current resources or known available resources.
    Time-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

    1.2.4 Develop SMART project metrics (continued)

    1-3 hours

    Attach metrics to your goals to gauge the success of the IT risk management program.

    Replace the example metrics with accurate KPIs or metrics for your organization.

    Sample Metrics
    Name Method Baseline Target Deadline Checkpoint 1 Checkpoint 2 Final
    Number of risks identified (per year) Risk register 0 100 Dec. 31
    Number of business units represented (risk identification) Meeting minutes 0 5 Dec. 31
    Frequency of risk assessment Assessments recorded in risk management program manual 0 2 per year Year 2
    Percentage of identified risk events that undergo expected cost assessment Ratio of risks assessed in the risk costing tool to risks assessed in the risk register 0 20% Dec. 31
    Number of top risks without an identified risk response Risk register 5 0 March 1
    Cost of risk management program operations per year Meeting frequency and duration, multiplied by the cost of participation $2,000 $5,000 Dec. 31

    Create the IT risk committee (ITRC)

    Responsibilities of the ITRC:
    1. Formalize risk management processes.
    2. Identify and review major risks throughout the IT department.
    3. Recommend an appropriate risk appetite or level of exposure.
    4. Review the assessment of the impact and likelihood of identified risks.
    5. Review the prioritized list of risks.
    6. Create a mitigation plan to minimize risk likelihood and impact.
    7. Review and communicate overall risk impact and risk management success.
    8. Assign risk ownership responsibilities of key risks to ensure key risks are monitored and risk responses are effectively implemented.
    9. Address any concerns in regards to the risk management program, including, but not limited to, reviewing their risk management duties and resourcing.
    10. Communicate risk reports to senior management annually.
    11. Make any alterations to the committee roster and the individuals’ responsibilities as needed and document changes.
    Must be on the ITRC:
    • CIO
    • CRO (if applicable)
    • Senior Directors
    • Security Officer
    • Head of Operations

    Must be on the ITRC:

    • CFO
    • Senior representation from every business unit impacted by IT risk

    1.2.5 Create the IT risk council

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations

    Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

    Instructions:

    1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
    2. In section 3.3, document how frequently the council is scheduled to meet.
    3. In section 3.4, document members of the IT risk council.
    4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

    Record the results in the Risk Management Program Manual.

    1.2.6 Complete RACI chart

    1-3 hours

    A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

    RACI is an acronym made up of four participatory roles: Instructions
    1. Use the template provided on the following slide, and add key stakeholders who do not appear and are relevant for your organization.
    2. For each activity, assign each stakeholder a letter.
    3. There must be an accountable party for each activity (every activity must have an “A”).
    4. For activities that do not apply to a particular stakeholder, leave the space blank.
    5. Once the chart is complete, copy/paste it into section 4.1 of the Risk Management Program Manual.
    Responsible Stakeholders who undertake the activity.
    Accountable Stakeholders who are held responsible for failure or take credit for success.
    Consulted Stakeholders whose opinions are sought.
    Informed Stakeholders who receive updates.

    1.2.6 Complete RACI chart (continued)

    1-3 hours

    Assign risk management accountabilities and responsibilities to key stakeholders:

    Stakeholder Coordination Risk Identification Risk Thresholds Risk Assessment Identify Responses Cost-Benefit Analysis Monitoring Risk Decision Making
    ITRC A R I R R R A C
    ERM C I C I I I I C
    CIO I A A A A A I R
    CRO I R C I R
    CFO I R C I R
    CEO I R C I A
    Business Units I C C C
    IT I I I I I I R C
    PMO C C C
    Legend: Responsible Accountable Consulted Informed

    Build an IT Risk Management Program

    Phase 2

    Identify and Assess IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Add organization-specific risk scenarios
    • Identify risk events
    • Augment risk event list using COBIT 2019 processes
    • Conduct a PESTLE analysis
    • Determine the threshold for (un)acceptable risk
    • Create a financial impact assessment scale
    • Select a technique to measure reputational cost
    • Create a likelihood scale
    • Assess risk severity level
    • Assess expected cost

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business Risk Owners

    Step 2.1

    Identify IT Risks

    Activities
    • 2.1.1 Add organization-specific risk scenarios
    • 2.1.2 Identify risk events
    • 2.1.3 Augment risk event list using COBIT 19 processes
    • 2.1.4 Conduct a PESTLE analysis

    This step involves the following participants:

    • IT executive leadership
    • IT Risk Council
    • Business executive leadership
    • Business risk owners

    Outcomes of this step

    • Participation of key stakeholders
    • Comprehensive list of IT risk events
    Identify and Assess IT Risk
    Step 2.1 Step 2.2

    Get to know what you don’t know

    1. Engage the right stakeholders in risk identification.
    2. Employ Info-Tech’s top-down approach to risk identification.
    3. Augment your risk event list using alternative frameworks.
    Key metrics:
    • Total risks identified
    • New risks identified
    • Frequency of updates to the Risk Register Tool
    • Number of realized risk events not identified in the Risk Register Tool
    • Level of business participation in enterprise IT risk identification
      • Number of business units represented
      • Number of meetings attended in person
      • Number of risk reports received

    Info-Tech Insight

    What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

    Engage key stakeholders

    Ensure that all key risks are identified by engaging key business stakeholders.

    Benefits of obtaining business involvement during the risk identification stage:
    • You will identify risk events you had not considered or you weren’t aware of.
    • You will identify risks more accurately.
    • Risk identification is an opportunity to raise awareness of IT risk management early in the process.

    Executive Participation:

    • CIO participation is integral when building a comprehensive register of risk events impacting IT.
    • CIOs and IT directors possess a holistic view of all of IT’s functions.
    • CIOs and IT directors are uniquely placed to identify how IT affects other business units and the attainment of business objectives. If applicable, CRO and CTO participation is also critical.

    Prioritizing and Selecting Stakeholders

    1. Reliance on IT services and technologies to achieve business objectives.
    2. Relationship with IT, and willingness to engage in risk management activities.
    3. Unique perspectives, skills, and experiences that IT may not possess.

    Info-Tech Insight

    While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.

    Enable IT to target risk holistically

    Take a top-down approach to risk identification to guide brainstorming

    Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.

    A risk prompt list is a list that categorizes risks into types or areas. The n10 risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

    Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories. Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category. Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.

    Risk Category

    Risk Scenario

    Risk Event

    Compliance Regulatory compliance Being fined for not complying/being aware of a new regulation.
    Externally originated attack Phishing attack on the organization.
    Operational Technology evaluation & selection Partnering with a vendor that is not in compliance with a key regulation.
    Capacity planning Not having sufficient resources to support a DRP.
    Third-Party Risk Vendor management Vendor performance requirements are improperly defined.
    Vendor selection Vendors are improperly selected to meet the defined use case.

    2.1.1 Add organization-specific risk scenarios

    1-3 hours

    Review Info-Tech’s ten IT risk categories and add risk scenarios to the examples provided.

    IT Reputational
    • Negative PR
    • Consumers writing negative reviews
    • Employees writing negative reviews
    IT Financial
    • Stock prices drop
    • Value of the organization is reduced
    IT Strategic
    • Organization prioritizes innovation but remains focused on operational
    • Unable to access data to support strategic initiative
    Operational
    • Enterprise architecture
    • Technology evaluation and selection
    • Capacity planning
    • Operational errors
    Availability
    • Power outage
    • Increased data workload
    • Single source of truth
    • Lacking knowledge transfer processes for critical tasks
    Performance
    • Network failure
    • Service levels not being met
    • Capacity overload
    Compliance
    • Regulatory compliance
    • Standards compliance
    • Audit compliance
    Security
    • Malware
    • Internally originated attack
    Third Party
    • Vendor selection
    • Vendor management
    • Contract termination
    Digital
    • No back-up process if automation fails

    2.1.2 Identify risk events

    1-4 hours

    Input: IT risk categories

    Output: Risk events identified and categorized

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)

    Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

    Instructions:

    1. Document risk events in the Risk Register Tool.
    2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
    3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
      • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
    4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

    Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

    Record the results in the Risk Register Tool.

    2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)

    1-3 hours

    Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

    1. Managed IT Management Framework
    2. Managed Strategy
    3. Managed Enterprise Architecture
    4. Managed Innovation
    5. Managed Portfolio
    6. Managed Budget and Costs
    7. Managed Human Resources
    8. Managed Relationships
    9. Managed Service Agreements
    10. Managed Vendors
    11. Managed Quality
    12. Managed Risk
    13. Managed Security
    14. Managed Data
    15. Managed Programs
    16. Managed Requirements Definition
    17. Managed Solutions Identification and Build
    18. Managed Availability and Capacity
    19. Managed Organizational Change Enablement
    20. Managed IT Changes
    1. Managed IT Change Acceptance and Transitioning
    2. Managed Knowledge
    3. Managed Assets
    4. Managed Configuration
    5. Managed Projects
    6. Managed Operations
    7. Managed Service Requests and Incidents
    8. Managed Problems
    9. Managed Continuity
    10. Managed Security Services
    11. Managed Business Process Controls
    12. Managed Performance and Conformance Monitoring
    13. Managed System of Internal Control
    14. Managed Compliance with External Requirements
    15. Managed Assurance
    16. Ensured Governance Framework Setting and Maintenance
    17. Ensured Benefits Delivery
    18. Ensured Risk Optimization
    19. Ensured Resource Optimization
    20. Ensured Stakeholder Engagement

    Instructions:

    1. Review COBIT 2019’s 40 IT processes and identify additional risk events.
    2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

    2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)

    1-3 hours

    Explore alternative identification techniques to incorporate external factors and avoid “groupthink.”

    Consider the External Environment – PESTLE Analysis

    Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises.

    Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.

    Avoid “Groupthink” – Nominal Group Technique

    The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.

    • Ideas are generated silently and independently.
    • Ideas are then shared and documented; however, discussion is delayed until all of the group’s ideas have been recorded.
    • Idea generation can occur before the meeting and be kept anonymous.

    Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.

    List the following factors influencing the risk event:
    • Political factors
    • Economic factors
    • Social factors
    • Technological factors
    • Legal factors
    • Environmental factors
    'PESTLE Analysis' presented as a wheel with the acronym's meanings surrounding the title. 'Political Factors', 'Economic Factors', 'Social Factors', 'Technological Factors', 'Legal Factors', and 'Environmental Factors'.

    Step 2.2

    Assess and Prioritize IT Risks

    Activities
    • 2.2.1 Determine the threshold for (un)acceptable risk
    • 2.2.2 Create a financial impact assessment scale
    • 2.2.3 Select a technique to measure reputational cost
    • 2.2.4 Create a likelihood scale
    • 2.2.5 Risk severity level assessment
    • 2.2.6 Expected cost assessment

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owners

    Outcomes of this step

    • Business-approved thresholds for unacceptable risk
    • Completed Risk Register Tool with risks prioritized according to severity
    • Expected cost calculations for high-priority risks

    Identify and Assess IT Risk

    Step 2.1 Step 2.2

    Reveal the organization’s greatest IT threats and vulnerabilities

    1. Establish business-approved risk thresholds for acceptable and unacceptable risk.
    2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
    3. Perform a deeper, cost-based assessment of prioritized risks.
    Key metrics:
    • Frequency of IT risk assessments
      • (Annually, bi-annually, etc.)
    • Assessment accuracy
      • Percentage of risk assessments that are substantiated by later occurrences or testing
      • Ratio of cumulative actual costs to expected costs
    • Assessment consistency
      • Percentage of risk assessments that are substantiated by third-party audit
    • Assessment rigor
      • Percentage of identified risk events that undergo first-level assessment (severity scores)
      • Percentage of identified risk events that undergo second-level assessment (expected cost)
    • Stakeholder oversight and participation
      • Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
      • Number of business stakeholder reviews per risk assessment

    Info-Tech Insight

    Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.

    Review risk assessment fundamentals

    Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

    In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

    Calculating risk severity

    How much you expect a risk event to cost if it were to occur:

    Likelihood of Risk Impact

    e.g. $250,000 or “High”

    X

    Calibrated by how likely the risk is to occur:

    Likelihood of Risk Occurrence

    e.g. 10% or “Low”

    =

    Produces a dollar value or “severity level” for comparing risks:

    Risk Severity

    e.g. $25,000 or “Medium”
    Which must be evaluated against thresholds for acceptable risk and the cost of risk responses.

    Risk Tolerance
    Risk Response

    CBA
    Cost-benefit analysis

    Maintain the engagement of key stakeholders in the risk assessment process

    1

    Engage the Business During Assessment Process

    Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO).

    Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.

    2

    Verify the Risk Impact and Assessment

    If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.

    3

    Identify Where the Business Focuses Attention

    While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding.

    Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.

    Info-Tech Insight

    If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.

    Info-Tech recommends a two-level approach to risk assessment

    Review the two levels of risk assessment offered in this blueprint.

    Risk severity level assessment (mandatory)

    1

    Information

    Number of risks: Assess all risk events identified in Phase 1.
    Units of measurement: Use customized likelihood and impact “levels.”
    Time required: One to five minutes per risk event.

    Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    X

    Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    =

    Output


    Risk Security Level:

    Moderate

    Example of a risk severity level assessment chart.
    Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

    Assess all of your identified risk events with a risk severity-level assessment.

    • By creating a likelihood and impact assessment scale divided into three to nine “levels” (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
    • In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
    • Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.

    Info-Tech recommends a two-level approach to risk assessment (continued)

    Expected cost assessment (optional)

    2

    Information

    Number of risks: Only assess high-priority risks revealed by severity-level assessment.
    Units of measurement: Use actual likelihood values (%) and impact costs ($).
    Time required: 10-20 minutes per risk event.

    Assess Likelihood

    15%

    Moderate

    X

    Assess Likelihood

    $100,000

    High

    =

    Output


    Expected Cost:

    $15,000

    Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.

    Conduct expected cost assessments for IT’s greatest risks.

    For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

    Why conduct expected cost assessments?
    • Expected cost represents how much you would expect to pay in an average year for each risk event.
    • Communicate risk priorities to the business in language they can understand.
    • While risk severity levels are useful for comparing one IT risk to another, expected cost data allows the business to compare IT risks to non-IT risks that may not use the same scales.
    Why is expected cost assessment optional?
    • Determining robust likelihood values and precise impact estimates can be challenging and time consuming.
    • Some risk events may require extensive data gathering and industry analysis.

    Implement and leverage a centralized risk register

    The purpose of the risk register is to act as the repository for all the risks that have been identified within your environment.

    Use this tool to:

    1. Collect and maintain a repository for all IT risk events impacting the organization and relevant information for each risk.
      • Capture all relevant IT risk information in one location.
      • Organize risk identification and assessment information for transparent risk management, stakeholder review, and/or internal audit.
    2. Calculate risk severity scores to prioritize risk events and determine which risks require a risk response.
      • Separate acceptable and unacceptable risks (as determined by the business).
      • Rank risks based on severity levels.
    3. Assess risk responses and calculate residual risk.
      • Evaluate the effect that proposed risk response actions will have on top risk events and quantify residual risk magnitude.
      • This step will be completed in section 3.1

    2.2.1 Determine the threshold for (un)acceptable risk

    1-4 hours

    Input: Risk events, Risk appetite

    Output: Threshold for risk identified

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    There are times when the business needs to know about IT risks with high expected costs.

    1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that “high” or “extreme” risks are immediately communicated to senior leadership.
    2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business’ tolerance/appetite for risk.

    This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.

    If your organization has ERM, adopt the existing acceptability threshold.

    Record this threshold in section 5.3 of the Risk Management Program Manual

    2.2.2 Create a financial impact assessment scale

    1-4 hours

    Input: Risk events, Risk threshold

    Output: Financial impact scale created

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Create a scale to assess the financial impact of risk events.
      • Typically, risk impacts are assessed on a scale of 1-5; however, some organizations may prefer to assess risks using 3, 4, 7, or 9-point scales.
    2. Ensure that the unacceptable risk threshold is reflected in the scale.
      • In the example provided, the unacceptable risk threshold ($100,000) is represented as “High” on the impact scale.
    3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    Convert project overruns and service outages into costs

    Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.

    • While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business’ confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
    • Remember, complex risk events can be analyzed further with an expected cost assessment.
    Project Overruns Scale for the use of cost assessment with dollar amounts associated with impact levels. '$250,000 - Extreme', '$100,000 - High', '$60,000 - Moderate', '$35,000 - Low', '$10,000 - Negligible'.

    Project

    Time (days)

    20 days

    Number of employees

    8

    Average cost per employee (per day)

    $300

    Estimated cost

    $48,000
    Service Outages

    Service

    Time (hours)

    4 hours

    Lost revenue (per hour)

    $10,000

    Estimated cost

    $40,000

    Impact scale

    Low

    2.2.3 Select a technique to measure reputational cost (1 of 3)

    1-3 hours

    Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

    Reputational cost can take several forms, including the internal and external perception of:
    1. Brand likeability
    2. Product quality
    3. Leadership capability
    4. Social responsibility

    Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.

    Technique #1 – Use financial indicators:

    For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue.

    If possible, use these measures to put a price on reputational loss:

    • Lost revenue attributable to reputation loss
    • Loss of market share attributable to reputation loss
    • Drops in share price attributable to reputation loss (for public companies)

    Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.

    • If you are not able to effectively translate all reputational costs into financial costs, proceed to techniques 2 and 3 on the following slides.

    2.2.3 Select a technique to measure reputational cost (2 of 3)

    1-3 hours
    It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
    • For example, a government organization may be unable to directly quantify the cost of losing the confidence and/or support of the public.
    • A helpful technique is to reframe how reputation is assigned value.
    Technique #2 – Calculate the value of avoiding reputational cost:
    1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language.

    For example:

    A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:

    • Loss of organizational trust in IT
    • IT’s reputation as a value provider to the organization is tarnished
    • Loss of client trust in the organization
    • Potential for a public reprimand of the organization by the government to restore public trust
  • Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.
  • Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
  • 2.2.3 Select a technique to measure reputational cost (3 of 3)

    1-3 hours

    If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

    Technique #3 – Create a parallel scale for reputational impact:

    Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:

    • Internal vs. External
    • Low Amplification vs. High Amplification
    • Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
      Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact.
      After establishing a scale for reputational impact, test whether it reflects the severity of the financial impact levels in the financial impact scale.

    • For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?
    Example:
    Scale for the use of cost assessment  of reputational impact with dimension combinations associated with impact levels. 'External, High Amp, (regulators, lawsuits) - Extreme', 'Internal, High Amp, (CEO) - Low', 'Internal, Low Amp (IT) - Negligible'.

    2.2.4 Create a likelihood scale

    1-3 hours

    Instructions:
    1. Create a scale to assess the likelihood that a risk event will occur over a given period of time.
      • Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year).
    2. Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9).
    3. The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization’s aversion towards uncertainty.
      • For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a “High” likelihood of occurrence.
    4. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.)

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    Scale to assess the likelihood that a risk event will occur. '80-99% - Extreme', '60-79% - High', '40-59% - Moderate' '20-39% - Low', '1-19% - Negligible'.

    Info-Tech Insight

    Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
    For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.

    2.2.5 Risk severity level assessment

    6-10 hours

    Input: Risk events identified

    Output: Assessed the likelihood of occurrence and impact for all identified risk events

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Document the “Risk Category” and “Existing Controls.” in the Risk Register Tool.
      • (See the slide following this activity for tips on identifying existing controls.)
    2. Assign each risk event a likelihood and impact level.
      • Remember, you are assessing the impact that a risk event will have on the organization as a whole, not just on IT.
    3. When assigning a financial impact level to a risk event, factor in the likely number of instances that the event will occur within the time frame for which you are assessing (usually one year).
      • For risk events like third-party service outages that typically occur a few times each year, assign them an impact level that reflects the likelihood of financial impact the risk event will have over the entire year.
      • E.g. If your organization is likely to experience two major service outages next year and each outage costs the organization approximately $15,000, the total financial impact is $30,000.

    Record results in the Risk Register Tool

    2.2.5 Risk severity level assessment (continued)

    Instructions (continued):
    1. Assign a risk owner to non-negligible risk events.
      • For organizations that practice ongoing risk management and frequently reassess their risk portfolio (minimum once per year), risk ownership does not need to be assigned to “Negligible” or low-level risks.
      • View the following slides for advice on how to select a risk owner and information on their responsibilities.
    2. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy:
      • Is a service outage really twice as impactful as our primary software provider going out of business?
      • Is a data breach far more likely than a ›1 hour web-services outage?
    Tips for Selecting Likelihood Values:

    Does ~10% sound right?

    Test a likelihood estimate by assessing the truth of the following statements:

    • The risk event will likely occur once in the next ten years (if the environment remains nearly identical).
    • If ten organizations existed that were nearly identical to our own, it is likely that one out of ten would experience the risk event this year.

    Screenshot of a risk severity level assessment.

    Identify current risk controls

    Consider how IT is already addressing key risks.

    Types of current risk control

    Tactical controls

    Apply to individual risks only.

    Example: A tactical control for backup/replication failure is faster WAN lines.

    Tactical risk control Strategic controls

    Apply to multiple risks.

    Example: A strategic control for backup/replication failure is implementing formal DR plans.

    Strategic risk control
    Risk event Risk event Risk event

    Screenshot of the column headings on the risk severity level assessment with 'Current Controls' highlighted.
    Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

    Info-Tech Insight

    Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.

    Assign a risk owner for each risk event

    Designate a member of the IT risk council to be responsible for each risk event.

    Selecting the Appropriate Risk Owner

    Use the following considerations to determine the best owner for each risk:

    • The risk owner should be familiar with the process, project, or IT function related to the risk event.
    • The risk owner should have access to the necessary data to monitor and measure the severity of the risk event.
    • The risk owner’s performance assessment should reflect their ability to demonstrate the ongoing management of their assigned risk events.

    Screenshot of the column headings on the risk severity level assessment with 'Risk Owner' highlighted.

    Risk Owner Responsibilities

    Risk ownership means that an individual is responsible for the following activities:

    • Monitoring the threat or vulnerability for changes in the likelihood of occurrence and/or likely impact.
    • Monitoring changes in the market and external environment that may alter the severity of the risk event.
    • Monitoring changes of closely related risks with interdependencies.
    • Developing and using key risk indicators (KRIs) to measure changes in risk severity.
    • Regularly reporting changes in risk severity to the IT risk council.
    • If necessary, escalating the risk event to other IT risk council personnel or senior management for reassessment.
    • Monitoring risk severity levels for risk events after a risk response has been implemented.

    Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)

    Sample of the Risk Costing Tool.

    Use this tool to:

    1. Conduct a deeper analysis of severe risks.
      • Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
      • Identify the maximum financial impact that the risk event may inflict.
    2. Assess the effectiveness of multiple risk responses for each risk event.
      • Determine how proposed risk events will change the likelihood of occurrence and financial impact of the risk event.
    3. Incorporate risk proximity into your cost-benefit analysis of risk responses.
      • Illustrate how spending decisions will impact the expected cost of the risk event over time.

    2.2.6 Expected cost assessment (optional)

    Assign likelihood and financial impact values to high-priority risks.

    Select risks with these characteristics:

    Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria.

    The risk:

    • Has been assigned to the highest risk severity level.
    • Has exposed the organization previously and had severe implications.
    • Exceeds the organization’s threshold for financial impact.
    • Involves an IT function that is highly visible to the business.
    • Will likely require risk response actions that will exceed current IT budgetary constraints.
    • Is conducive to expected cost assessment:
      • There is general consensus on likelihood estimates.
      • There is general consensus on financial impact estimates.
      • Historical data exists to support estimates.
    Determine which risks require a deeper assessment:

    Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register.

    Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business.

    Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment


    Record the list of risk events requiring second-level assessment in the Risk Costing Tool.

    • Transfer the likelihood and impact levels for each event into the Risk Costing Tool using data from the Risk Register Tool.

    2.2.6 Expected cost assessment (continued)

    Assign likelihood and financial impact values to high-priority risks.

    Instructions:
    1. Go through the list of prioritized risks in the Risk Costing Tool one by one. Indicate the likelihood and impact level (from the Risk Register Tool) for the risk event being assessed.
    2. Record likelihood values (1-99%) and impact values ($) from participants.
      • Only record values from individuals that indicate they are fairly confident with their estimates.
      • Keep likelihood estimates to values that are multiples of five.
    3. Estimate and record the maximum impact that the risk event could inflict.
      • See Appendix III for information on how the possibility of high-impact scenarios may influence your decision making.
    4. Discuss the estimates provided. Eliminate outliers and retracted estimates.
      • If you are unable to achieve consensus, take the average of the values provided.
    5. If you are having difficulty arriving at a likelihood or impact value, select the median value of the level assigned to the risk during the risk severity level assessment.
      • E.g. Risk event assigned to likelihood level “Moderate” (20-39%). Select a likelihood value of 30%.

    Screenshot of the column headings on the risk severity level assessment with 'Optional Inherent Likelihood Parameters' and 'Optional Inherent Impact Parameters' highlighted.

    Who should participate?
    • Depending on the size of your IT risk council, you may want to consider conducting this exercise in a smaller group.
    • Ideally, you should try to find the right balance between ensuring that the necessary experience and knowledge is in the room while insulating the exercise from outlier opinions, noise, and distractions.

    Evaluate likelihood and impact

    Refine your risk assessment process by developing more accurate measurements of likelihood and impact.

    Intersubjective likelihood

    The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact.

    By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.

    Example: The Delphi Method

    The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.

    • Participants are sent a series of sequential questionnaires (typically by email).
    • The first questionnaire asks them what the likelihood, likely impact, and expected cost is for a specific risk event.
    • Data from the questionnaire is compiled and then communicated in a subsequent questionnaire, which encourages participants to restate or revise their estimates given the group’s judgements.
    • With each successive questionnaire, responses will typically converge around a single intersubjective value.
    Justifying Your Estimates:

    When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    Info-Tech Insight

    The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all.

    Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.

    Build an IT Risk Management Program

    Phase 3

    Monitor, Respond, and Report on IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Develop key risk indicators (KRIs) and escalation protocols
    • Establish the reporting schedule
    • Identify and assess risk responses
    • Analyze risk response cost-benefit
    • Create multi-year cost projections
    • Obtain executive approval for risk action plans
    • Socialize the Risk Report
    • Transfer ownership of risk responses to project managers
    • Finalize the Risk Management Program Manual

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Risk business owner

    Step 3.1

    Monitor IT Risks and Develop Risk Responses

    Activities
    • 3.1.1 Develop key risk indicators (KRIs) and escalation protocols
    • 3.1.2 Establish the reporting schedule
    • 3.1.3 Identify and assess risk responses
    • 3.1.4 Risk response cost-benefit analysis
    • 3.1.5 Create multi-year cost projections

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owner

    Outcomes of this step

    • Completed risk event action plans
    • Risk responses identified and assessed for top risks
    • Risk response selected for top risks

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Use Info-Tech’s Risk Event Action Plan to manage high-priority risks

    Manage risks in between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

    Risk Event Action Plan Sample of the Risk Event Action Plan deliverable.

    Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.

    Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.

    3.1.1 Develop key risk indicators (KRIs) and escalation protocols

    The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.

    Instructions:
    1. Design key risk indicators (KRIs) for risks that measure changes in their severity and document them in the Risk Event Action Plan.
      • See the following slide for examples.
    2. Clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates) in the Risk Event Action Plan.

    Note: Examples of KRIs can be found on the following slide.

    What are KRIs?
    • KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds.
    • KRIs should serve as tripwires or early-warning indicators that trigger further actions to be taken on the risk.
    • Further actions may include:
      • Escalation to the risk owner (if delegated) or to a member of the senior leadership team.
      • Reporting to the IT risk council or IT steering committee.
      • Reassessment.
      • Updating the risk monitoring schedule.

    Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

    Developing KRIs for success

    Visualization of KRI development, from the 'Risk Event' to the 'Intermediate Steps' with 'KRI Measurements' to the image of a growing seed.

    Examples of KRIs

    • Number of resources who quit or were fired who had access to critical data
    • Number of risk mitigation initiatives unfunded
    • Changes in time horizon of mitigation implementation
    • Number of employees who did not report phishing attempts
    • Amount of time required to get critical operations access to necessary data
    • Number of days it takes to implement a new regulation or compliance control

    3.1.2 Establish the reporting schedule

    For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.

    • A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
    • The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.
    Reporting Risk Event
    Weekly reports to ITRC Risk event severity represented as a thermometer with levels 'Extreme', 'High', 'Moderate', 'Low', and 'Negligible'.
    Bi-weekly reports to ITRC
    Monthly reports to ITRC
    Report to ITRC only if KRI thresholds triggered
    No reports; reassessed bi-annually

    Use Info-Tech’s tools to identify, analyze, and select risk responses

    1

    (Mandatory)
    Tool

    Screenshot of the Risk Register Tool.

    Risk Register Tool

    Information
    • Develop risk responses for all risk events pre-populated on the “2. Risk Register” sheet of the Risk Register Tool.
    • Document the root cause of the risk (Activity 3.1.3) and other contributing factors (Activity 3.1.4).
    • Identify risk responses (Activity 3.1.5).
    • Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk (Activity 3.1.5).
    • The tool will calculate the residual severity of the risk after applying the risk response.

    2

    (Optional)
    Tool

    Screenshot of the Risk Costing Tool.

    Risk Costing Tool

    Information
    • Continue your second-level risk analysis for top risks for which you calculated expected cost in section 2.2.
    • Activity 3.1.5:
      • Identify between one and four risk response options for each risk.
      • Develop precise values for residual likelihood and impact.
      • Compare expected cost of the risk event to expected residual cost.
      • Select the risk response to recommend to senior leadership and document it in the Risk Register Tool.

    Determine the root cause of IT risks

    Root cause analysis

    Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event.

    Diagnosing the root cause of a risk as well as the environmental factors that increase its potential impact and likelihood of occurring allow you to identify more effective risk responses.

    Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.

    Concentric circles with 'Root Cause' at the center, 'Contributing Factors' around it, and 'Symptoms' on the outer circle.

    Example of 'The Five Whys Methodology', tracing symptoms to their root cause. In 'Symptoms' we see 'Risk Event: Network outage', Why? 'Network congestion', Why? Then on to 'Contributing Factors' the answer is 'Inadequate bandwidth for latency-sensitive applications', Why? 'Increased business use of latency-sensitive applications', Why? And finally to the 'Root Cause', 'Business units rely on 'real-time' data gathered from latency-sensitive applications', Why?

    Identify factors that contribute to the severity of the risk

    Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.

    What factors matter?

    Identify relevant actors and assets that amplify or diminish the severity of the risk.

    Actors

    • Internal (business units)
    • External (vendor, regulator, market, competitor, hostile actor)

    Assets/Resources

    • Infrastructure
    • Applications
    • Processes
    • Information/data
    • Personnel
    • Reputation
    • Operations
    Develop risk responses that target contributing factors.
    Root cause:
    Business units rely on “real-time” data gathered from latency-sensitive applications

    Actors: Enterprise App users (Finance, Product Development, Product Management)

    Asset/resource: Applications, network

    Risk response:
    Decrease the use of latency-sensitive applications.

    X

    Decreasing the use of key apps contradicts business objectives.

    Contributing factors:
    Unreliable router software

    Actors: Network provider, router vendor, router software vendor, IT department

    Asset/resource: Network, router, router software

    Risk response:
    Replace the vendor that provides routers and router software.

    Replacing the vendor would reduce network outages at a relatively low cost.

    Symptoms:
    Network outage

    Actors: All business units, network provider

    Asset/resource: Network, business operations, employee productivity

    Risk response:
    Replace legacy systems.

    X

    Replacing legacy systems would be too costly.

    3.1.3 Identify and assess risk responses

    Instructions:
    Complete the following steps for each risk event.
    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the event were to occur.
      • Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level.
      • This is the same step performed in Activity 2.2.6, when initial likelihood and impact levels were determined; however, now you are estimating the likelihood and impact of the risk event after the risk response action has been implemented successfully.
      • The Risk Register Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Risk Register Tool.
    Document the following in the Risk Event Action Plan for each risk event:
      • Risk response actions
      • Residual likelihood and impact levels
      • Residual risk severity level
    • Review the following slides about the four types of risk response to help complete the activity.
      1. Avoidance
      2. Mitigation
      3. Transfer
      4. Acceptance

    Record the results in the Risk Event Action Plan.

    Take actions to avoid the risk entirely

    Risk Avoidance

    • Risk avoidance involves taking evasive maneuvers to avoid the risk event.
    • Risk avoidance targets risk likelihood, decreasing the likelihood of the risk event occurring.
    • Since risk avoidance measures are fairly drastic, the likelihood is often reduced to negligible levels.
    • However, risk avoidance response actions often sacrifice potential benefits to eliminate the possibility of the risk entirely.
    • Typically, risk avoidance measures should only be taken for risk events with extremely high severity and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk.

    Example

    Risk event: Information security vulnerability from third-party cloud services provider.

    • Risk avoidance action: Store all data in-house.
    • Benefits sacrificed: Cost savings, storage flexibility, etc.
    Stock photo of a person hikiing along a damp, foggy, valley path.

    Pursue projects that reduce the likelihood or impact of the risk event

    Risk Mitigation

    • Risk mitigation actions are risk responses that reduce the likelihood and impact of the risk event.
    • Risk mitigation actions can be to either implement new controls or enhance existing ones.
    Example 1

    Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact.

    Example

    Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.

    • EMM reduces the likelihood that sensitive data is accessed by a nefarious actor.
    • The remote-wipe capability reduces the impact by closing the window that sensitive data can be accessed from.
    Example 2

    However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact.

    Example

    Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.

    • This mitigation decreases the number of corporate phones that have access to (or are storing) sensitive data, thereby decreasing the likelihood that a device is compromised.
    Example 3

    Others will reduce the potential impact without decreasing its likelihood of occurring.

    Example

    Mitigation: Use robust encryption for all sensitive data.

    • Corporate-issued mobile phones are just as likely to fall into the hands of nefarious actors, but the financial impact they can inflict on the organization is greatly reduced.

    Pursue projects that reduce the likelihood or impact of the risk event (continued)

    Use the following IT functions to guide your selection of risk mitigation actions:

    Process Improvement

    Key processes that would most directly improve the risk profile:

    • Change Management
    • Project Management
    • Vendor Management
    Infrastructure Management
    • Disaster Recovery Plan/Business Continuity Plan
    • Redundancy and Resilience
    • Preventative Maintenance
    • Physical Environment Security
    Personnel
    • Greater staff depth in key areas
    • Increased discipline around documentation
    • Knowledge Management
    • Training
    Rationalization and Simplification

    This is a foundational activity, as complexity is a major source of risk:

    • Application Rationalization – reducing the number of applications
    • Data Management – reducing the volume and locations of data

    Transfer risks to a third party

    Risk transfer: the exchange of uncertain future costs for fixed present costs.

    Insurance

    The most common form of risk transfer is the purchase of insurance.

    • The uncertain future cost of an IT risk event can be transferred to an insurance company who assumes the risk in exchange for insurance premiums.
    • The most common form of IT-relevant insurance is cyberinsurance.

    Not all risks can be insured. Insurable risks typically possess the following five characteristics:

    1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
    2. The insured cannot profit from the occurrence of the risk event.
    3. The loss must be able to be measured in monetary terms.
    4. The organization must have an insurable interest (it must be the party that incurs the loss).
    5. An insurance company must offer insurance against that risk.
    Other Forms of Risk Transfer

    Other forms of risk transfer include:

    • Self-insurance
      • Appropriate funds can be set aside in advance to address the financial impact of a risk event should it occur.
    • Warranties
    • Contractual transfer
      • The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
      • For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.
    • Example email addressing fields of an IT Risk Transfer to an insurance company.

    Accept risks that fall below established thresholds

    Risk Acceptance

    Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.

    You may choose to accept a risk event for one of the following three reasons:

    1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
    2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
    3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.

    Info-Tech Insight

    Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.

    3.1.4 Risk response cost-benefit analysis (optional)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

    Instructions:
    1. Reopen the Risk Costing Tool. For each risk that you conducted an expected cost assessment in section 2.2 for, find the Excel sheet that corresponds to the risk number (e.g. R001).
    2. Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool.
      • The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses.
      • For the following steps, go through the risk responses one by one.
    3. Estimate the first-year cost for the risk response.
      • This cost should reflect initial capital expenditures and first-year operating expenditures.
    Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with 'Capital Expenditures' and 'Operating Expenditures' highlighted.

    Record the results in the Risk Costing Tool.

    3.1.4 Risk response cost-benefit analysis (continued)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    Instructions:

    1. Estimate residual risk likelihood and financial impact for Year 1 with the risk response in place.
      • Rather than estimating the likelihood level (low, medium, high), determine a precise likelihood value of the risk event occurring once the response has been implemented.
      • Estimate the dollar value of financial impacts if the risk event were to occur with the risk response in place.
      • Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with figured for 'Financial Impact' and 'Probability' highlighted. The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost
    2. Select the highest value risk response and document it in the Risk Register Tool.
    3. Document your analysis and recommendations in the Risk Event Action Plan.

    Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.

    3.1.5 Create multi-year cost projections (optional)

    Select between risk response options by projecting their costs and benefits over multiple years.

    • It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
    • However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure. Whereas, incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.
    Instructions:

    Calculate expected cost for multiple years using the Risk Costing Tool for:

    • Risk events that are subject to change in severity over time.
    • Risk responses that reduce the severity of the risk gradually.
    • Risk responses that cannot be implemented immediately.

    Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.

    Sample charts on the cost of risk responses from the Risk Costing Tool.

    Record the results in the Risk Costing Tool.

    Step 3.2

    Report IT Risk Priorities

    Activities
    • 3.2.1 Obtain executive approval for risk action plans
    • 3.2.2 Socialize the Risk Report
    • 3.2.3 Transfer ownership of risk responses to project managers
    • 3.2.4 Finalize the Risk Management Program Manual

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team

    Outcomes of this step

    • Obtained approval for risk action plans
    • Communicated IT’s risk recommendations to senior leadership
    • Embedded risk management into day-to-day IT operations

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Effectively deliver IT risk expertise to the business

    Communicate IT risk management in two directions:

    1. Up to senior leadership (and ERM if applicable)
    2. Down to IT employees (embedding risk awareness)
    3. Visualization of communicating Up to 'Senior Leadership' and Down to 'IT Personnel'.

    Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.

    Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively.

    A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication.

    The two primary goals of upward communication are:

    1. Transferring accountability for high-priority IT risks to the ERM or to senior leadership.
    2. Obtaining funds for risk response projects recommended by the ITRC.

    Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication.

    The two primary goals of downward communication are:

    1. Fostering a risk-aware IT culture.
    2. Ensuring that the IT risk management program maintains momentum and runs effectively.

    3.2.1 Obtain executive approval for risk action plans

    Best Practices and Key Benefits

    Best practice is for all acceptable risks to also be signed-off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.

    By receiving a stamp of approval for each key risk from senior management, you ensure that:

    1. The organization is aware of important IT risks that may impact business objectives.
    2. The organization supports the risk assessment conducted by the ITRC.
    3. The organization supports the plan of action and monitoring responsibilities proposed by the ITRC.
    4. If a risk event were to occur, the organization holds ultimate accountability.
    Sample of the Risk Event Action Plan template.

    Task:
    All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.

    • In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
    • Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.

    3.2.2 Socialize the risk report

    Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

    The Risk Report contains:
    • An executive summary page highlighting the main takeaways for senior management:
      • A short summary of results from the most recent risk assessment
      • Dashboard
      • A list of top 10 risks ordered from most severe to least
    • Subsequent individual risk analyses (1 to 10)
      • Detailed risk assessment data
      • Risk responses
      • Risk response analysis
      • Multi-year cost projection (see the following slide)
      • Dashboard
      • Recommendations
    Sample of the Risk Report template.

    Risk Report

    Pursue projects that reduce the likelihood or impact of the risk event

    Encourage risk awareness to extend the benefits of risk management to every aspect of IT.

    Benefits of risk awareness:

    • More preventative and proactive approaches to IT projects are discussed and considered.
    • Changes to the IT threat landscape are more likely to be detected, communicated, and acted upon.
    • IT possesses a realistic perception of its ability to perform functions and provide services.
    • Contingency plans are put in place to hedge against risk events.
    • Fewer IT risks go unidentified.
    • CIOs and business executives make better risk decisions.

    Consequences of low risk awareness:

    • False confidence about the number of IT risks impacting the organization and their severity.
    • Risk-relevant information is not communicated to the ITRC, which may result in inaccurate risk assessments.
    • Confusion surrounding whose responsibility it is to consider how risk impacts IT decision making.
    • Uncertainty and panic when unanticipated risks impact the IT department and the organization.

    Embedding risk management in the IT department is a full-time job

    Take concrete steps to increase risk-aware decision making in IT.

    The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

    Embed risk management in project planning

    Make time for discussing project risks at every project kick-off.
    • A main benefit of including senior personnel from across IT in the ITRC is that they are able to disseminate the IT risk council’s findings to their respective practices.
    • At project kick-off meetings, schedule time to identify and assess project-specific risks.
    • Encourage the project team to identify strategies to reduce the likelihood and impact of those risks and document these in the project charter.
    • Lead by example by being clear and open about what constitutes acceptable and unacceptable risks.

    Embed risk management with employee

    Train IT staff on the ITRC’s planned responses to specific risk events.
    • If a response to a particular risk event is not to implement a project but rather to institute new policies or procedures, ensure that changes are communicated to employees and that they receive training.
    Provide risk management education opportunities.
    • Remember that a more risk-aware IT employee provides more value to the organization.
    • Invest in your employees by encouraging them to pursue education opportunities like receiving risk management accreditation or providing them with educational experiences such as workshops, seminars, and eLearning.

    Embedding risk management in the IT department is a full-time job (continued)

    Encourage risk awareness by adjusting performance metrics and job titles.

    Performance metrics:

    Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.

    • Personalize the risk management program metrics you have documented in your Risk Management Program Manual.
    • Evidence that KPIs are monitored and frequently reported is also a good indicator that risk owners are fulfilling their risk management responsibilities.
    • Info-Tech Insight

      If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

    Job descriptions:

    Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.

    • Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.

    3.2.3 Transfer ownership of risk responses to project managers

    Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged projects.

    Image of a hand giving a key to another hand and a circle split into quadrants of Governance with 'Governance of Risks' being put into 'Governance of Projects'.

    3.2.4 Finalize the Risk Management Program Manual

    Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.

    Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.

    The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.

    Sample of the Risk Management Program Manual. Risk Management Program Manual

    “Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)

    Don’t allow your risk management program to flatline

    54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)

    Don’t be lulled into a false sense of security. It might be your greatest risk.

    So you’ve identified the most important IT risks and implemented projects to protect IT and the business.

    Unfortunately, your risk assessment is already outdated.

    Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

    To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:

    Revive Your Risk Management Program With a Regular Health Check

    • Complete Info-Tech’s Risk Management Health Check to seize the momentum you created by building a robust IT risk management program and create a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
    • Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.

    Appendix I: Familiarize yourself with key risk terminology

    Review important risk management terms and definitions.

    Risk

    An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007).

    Threat

    An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).

    Vulnerability

    A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes).

    Risk Management

    The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).

    Risk Category

    Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.

    Risk Event

    A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.

    Risk Appetite

    An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.

    Enterprise Risk Management

    (ERM) – A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).

    Appendix II: Likelihood vs. Frequency

    Why we measure likelihood, not frequency:

    The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.

    Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).

    • For risk assessment, historical data regarding the frequency of a risk event is commonly used to indicate the likelihood that the event will happen in the future.

    Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

    False Objectivity

    While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.

    Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.

    Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.

    Appendix III: Should max impacts sway decision making?

    Don’t just fixate on the most likely impact – be aware of high-impact outcomes.

    During assessment, risks are evaluated according to their most likely financial impact.

    • For example, a service outage will likely last for two hours and may have an expected cost of $14,000.

    Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.

    • For example, it is possible that a service outage could last for days; however, the likelihood for such an event may be well below 1%.

    While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.

    • However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore).
    • What you consider “non-negligible” will depend on your organizational risk tolerance/appetite.

    Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).

    • A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely.

    For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.

    Figure 1 is a graph presenting a 'Normal Likelihood Distribution', the axes being 'Likelihood' and 'Financial Impact'.
    Figure 2 is a graph presenting a 'Fat-Tailed Likelihood Distribution' with a point at the top of the parabola labelled 'Most Likely Impact' but with a much wider bottom labelled 'Fat-Tailed Outcomes', the axes being 'Likelihood' and 'Financial Impact'.

    Leverage Info-Tech’s research on security and compliance risk to identify additional risk events

    Title card of the Info-tech blueprint 'Take Control of Compliance Improvement to Conquer Every Audit' with subtitle 'Don't gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.


    Take Control of Compliance Improvement to Conquer Every Audit

    Info-Tech Insight

    Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.

    Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.

    Stock photo of a woman sitting at a computer surrounded by rows of computers.


    Develop and Implement a Security Risk Management Program

    Info-Tech Insight

    Security risk management equals cost effectiveness.

    Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.

    Research Contributors and Experts

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Christine Coz
    Executive Counsellor
    Info-Tech Research Group

    Milena Litoiu
    Principal Research Director
    Info-Tech Research Group

    Scott Magerfleisch
    Executive Advisor
    Info-Tech Research Group

    Aadil Nanji
    Research Director
    Info-Tech Research Group

    Andy Neill
    Associate Vice-President of Research
    Info-Tech Research Group

    Daisha Pennie
    IT Risk Management
    Oklahoma State University

    Ken Piddington
    CIO and Executive Advisor
    MRE Consulting

    Frank Sewell
    Research Director
    Info-Tech Research Group

    Andrew Sharpe
    Research Director
    Info-Tech Research Group

    Chris Warner
    Consulting Director- Security
    Info-Tech Research Group

    Sterling Bjorndahl
    Director of IT Operations
    eHealth Saskatchewan

    Research Contributors and Experts

    Ibrahim Abdel-Kader
    Research Analyst
    Info-Tech Research Group

    Tamara Dwarika
    Internal Auditor
    A leading North American Utility

    Anne Leroux
    Director
    ES Computer Training

    Ian Mulholland
    Research Director
    Info-Tech Research Group

    Michel Fossé
    Consulting Services Manager
    IBM Canada (LGS)

    Petar Hristov
    Research Director
    Info-Tech Research Group

    Steve Woodward
    Research Director
    CEO, Cloud Perspectives

    *Plus 10 additional interviewees who wish to remain anonymous.

    Bibliography

    “2021 State of the CIO.” IDG, 28 January 2021. Web.

    “4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.

    Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.

    COBIT 2019. ISACA, 2019. Web.

    “Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.

    Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.

    Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.

    “Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.

    Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.

    Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.

    “Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.

    Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.

    “Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.

    “Guidance on Enterprise Risk Management.” COSO, 2022. Web.

    Henriquez, Maria. “The Top 10 Data Breaches of 2021” Security Magazine, 9 December 2021. Web.

    Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.

    Bibliography

    “Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.

    “ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.

    ISO 31000 Risk Management. ISO, 2018. Web.

    Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.

    Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.

    Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.

    “Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.

    Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.

    “Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.

    Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.

    “Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KMPG and RMA, 2014. Web.

    “Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.

    Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.

    Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.

    Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.

    “What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.

    Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.

    Build an ITSM Tool Implementation Plan

    • Buy Link or Shortcode: {j2store}486|cart{/j2store}
    • member rating overall impact (scale of 10): 7.5/10 Overall Impact
    • member rating average dollars saved: $9,246 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project, but also a process improvement opportunity.
    • Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool, but they will not fix your processes for you.
    • Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment.
    • Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

    Our Advice

    Critical Insight

    • Start with the assumption you don’t need to migrate old data.
    • ITSM tools are designed to support ITIL best practices.
    • Implement your new tool in stages to manage scope.

    Impact and Result

    • Ability to plan and scope the project to avoid or reduce last-minute chaos.
    • Opportunity to review and optimize processes as part of the ITSM tool implementation project.
    • Improved project management, and therefore, better cost and effort estimates, by identifying required tasks upfront.

    Build an ITSM Tool Implementation Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an ITSM Tool Implementation Plan Deck – An implementation guide that walks you through the steps to ensure the tool delivers business value.

    There may be hundreds of parameters to define and decisions to make, so identifying the full list of tasks early is critical for the success of the implementation project.

    • Build an ITSM Tool Implementation Plan – Phases 1-3

    2. ITSM Tool Project Charter Template – A charter to document your project scope, milestones, stakeholders, risks etc. to kick-off and manage your project.

    This project charter document summarizes the Project Overview (Description, background, drivers, and objectives), Governance and Management (Project stakeholders/roles, budget, and dependencies), and Risk, Assumptions, and Constraints (Known and potential risks and mitigation strategy).

    • ITSM Tool Implementation Project Charter Template

    3. ITSM Tool Implementation Checklist – A tool to help identify the most common decisions you will need to make and prepare for your implementation project.

    The checklists in this tool identify the most common decisions and preparation you will need to make to support the implementation for the ITSM modules that we recommend are set up first: incident management and service requests; change management; and asset management. Use these checklists as a model to follow for any additional ITSM modules you plan to implement, and refer to Info-Tech's blueprints for each service management topic for additional guidance.

    • ITSM Tool Implementation Checklist

    4. ITSM Tool Deployment Plan Template – A tool to help prioritize and prepare for tool rollout plan.

    This deployment plan documents the strategy and decisions made for making the transition to the new ITSM tool, and the details to execute the cutover to a live environment, including how, when, where.

    • ITSM Tool Deployment Plan Template

    5. ITSM Tool Training Schedule – Use the tool to create your new tool training roadmap.

    This template is a guide for creating a training and communication plan as part of the implementation project for your ITSM tool. Use the template to document and plan the communications and training needs prior to deployment of the new tool.

    • ITSM Tool Training Schedule

    Infographic

    Further reading

    Build an ITSM Tool Implementation Plan

    Plan ahead with a step-by-step approach to ensure the tool delivers business value.

    EXECUTIVE BRIEF

    Analyst perspective

    Take control of the wheel or you might end up in a ditch.

    The image contains a picture of Frank Trovato.

    An ITSM tool implementation is a complex project with direct impact on IT’s ability to support the business. With that level of risk, you need to take control early on.

    Yes, your vendor will support or execute the technical implementation, but they depend on you to tell them how to configure ITSM parameters and workflows that affect user interface, the ability to manage incidents, and governance over assets and IT changes.

    If you leave the configuration completely to the vendor, at best you might get the same setup as in your old tool (and not realize the benefits that leadership is expecting). At worst you end up with default values that don’t fit your process needs, i.e., confusion and not realizing expected benefits.

    A successful implementation requires early planning from a wide range of resources including ITSM tool experts (supported by the vendor), process experts, and a project manager to methodically step through the hundreds of parameters you will need to define before implementation.

    Frank Trovato
    Research Director, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Leadership has invested significantly in a new ITSM tool and expects to see the benefits they were promised by the vendor and the procurement team.

    The ITSM project team needs to balance leadership expectations with the direct impact this project will have on IT staff and end users.

    Implementing an ITSM tool is a large project that is often highly complex in part because it requires input from a wide range of stakeholders: IT staff, end users, senior management, and vendors.

    A new ITSM tool will change how IT staff work and how users are serviced, and change is always difficult.

    Finally, implementing the new tool requires a migration from an existing tool without a pause in IT service availability. Incidents don’t take a week off while you execute the final product rollout.

    There may be hundreds of parameters to define and decisions to make, so identifying the full list of tasks early is critical to:

    • Identify the necessary stakeholders to provide input into implementation decisions.
    • Properly define scope and timelines.
    • Take advantage of the opportunity to review and improve processes as part of defining what will need to be configured in the new ITSM tool.

    Info-Tech Insight

    As with any large project, a key step is tackling it one bite at a time – but also understanding the size of the whole meal. This is where organizations often fail with ITSM implementations: not understanding upfront the volume of work required for a successful implementation.

    Your Challenge

    Organizations implementing a new ITSM tool often face these pitfalls:

    • Selecting the Wrong Resources: You need ITSM technology and process experts, because this is not just a technology project but also a process improvement opportunity. You will need to configure ITSM parameters and workflows in the new tool – which directly affects processes. Take advantage of that opportunity to fix pain points. For example, if your existing ticket categories are not effective, implement a better categorization scheme rather than just configure the same old, ineffective scheme.
    • Over-Reliance on the Vendor to Optimize Your Tool: Yes, the vendor will typically install and set up the tool but they will not fix your processes for you. On installation day, if you are not prepared with the categories, ticket templates, and so on that you wish to configure, your vendor will just go with the default or migrate your old parameters from your old ITSM tool.
    • Not Preparing for Data Migration: Data migration is complex. You need to determine what data to migrate, if any, and how that data will be mapped to the new environment. That takes planning and must be defined well before the vendor is ready to implement your tool.
    • Insufficient IT and End-User Training: A link to the ITSM tool manual is not enough. Staff and users need training on how your processes will be executed in the new tool.

    A survey of implementation challenges for ServiceNow’s customers

    26% Resistance to change

    43% Lacked a clear roadmap

    38% Planning for resources

    Source: Acorio, 2019

    Info-Tech’s approach

    Divide the implementation project into controllable phases for an effective implementation.

    Plan

    Define the scope of your project, identify and get buy-in from your stakeholders, and establish a timeframe for the implementation.

    Design & Build

    Identify existing process challenges and design workflows and ticket management to improve processes. Make decisions on data migrations and integrations for your new tool.

    Deploy & Train

    Create a rollout plan and communicate changes and improvements to users. Plan for the new tool deployment and monitor your solution.

    STOP: Use this blueprint after you have selected an ITSM solution

    Leverage our SoftwareReviews service and related blueprints to assist with ITSM tool selection, and then use this blueprint to plan the implementation.

    1. Evaluate solutions

    2. Select and purchase

    3. Implement (use this blueprint)

    Use our SoftwareReviews resources to evaluate solutions and vendors based on criteria such as features and customer service. Below are links to our ITSM software reviews:

    Use the following resources to help you make the case for funding and execute the purchase process:

    Your ITSM vendor or systems integrator will lead the technical implementation (e.g. software install and integration).

    As a result, your implementation plan needs to focus on preparing the information needed for implementation (e.g. ticket categories, workflow requirements) and organizational change management.

    This blueprint provides a methodology, checklist, and supporting templates to prepare for the implementation.

    Info-Tech’s methodology to build an ITSM Tool Implementation Plan

    1. Identify Scope, Stakeholders, and Preliminary Timeline

    2. Prepare to Implement Incident Management and Service Request Modules

    3. Create a Deployment Plan (Communication, Training, Rollout)

    Phase Steps

    1.1 Document define scope

    1.2 Define roles and responsibilities

    1.3 Identify preliminary timeline

    2.1 Review your existing solution and challenges

    2.2 Plan ticket management and workflow implementation

    2.3 Plan data migration, knowledgebase setup, and integrations

    2.4 Plan the module rollout

    3.1 Create a communication plan (for IT, users, and business leaders)

    3.2 Create a training plan

    3.3 Plan how you will deploy, monitor, and maintain the solution

    Phase Outcomes

    • RACI chart outlining high-level accountability and responsibilities for the project
    • Documenting timeline and team for the implementation project
    • ITSM tool implementation checklist
    • Strategy and identified opportunities to implement incident and service request modules
    • Documented communications and targeted training plan
    • Completed rollout plan and prepared to monitor your success metrics

    Insight summary

    Start with the assumption you don’t need to migrate old data

    ITSM tools are designed to support ITIL best practices

    Implement your new tool in stages to manage scope

    We all love data. We love being able to run reports showing trends, measuring changes over time, and highlighting pain points – but is your data from five years ago relevant to those assessments? Can you get by with just migrating open tickets and perhaps just the last year of critical tickets?

    Be ruthless in deciding what really needs to be in your active system to support incident matching, troubleshooting, or ongoing reporting.

    If you can’t make a strong case, don’t waste your time on old data. Remember, you can still save an exported copy or report of your old data if the need arises to search historical records.

    For organizations lacking process maturity, the tool’s default settings will often provide a good starting point. For example, a good ITSM tool will typically already be configured to follow best practices such as:

    • Separating incidents from service requests
    • Assigning resolution codes to solved tickets
    • Enabling routing based on categories

    Within those defaults, you will still need to decide your specific parameters – e.g. what your categories and resolution codes should be – so don’t blindly follow default settings but use them as a starting point.

    Start with the incident management and service requests modules. Those are typically the core of IT service management operations, so that should help realize benefits from the new tool sooner. In addition, incident management and service requests processes will support other ITSM processes such as asset management and problem management.

    Once those modules are implemented successfully (from a technology and process perspective), then start to implement your next core module (e.g. asset or change management), and continue to build from there.

    Blueprint deliverables

    This blueprint includes tools and templates to help you accomplish your goals:

    ITSM Tool Implementation Checklist

    Identify the most common decisions you will need to make and prepare for your implementation project.

    ITSM Tool Project Charter Template

    Review and edit the template to suit your project requirements

    The image contains a screenshot of the ITSM Tool Project Charter Template.
    The image contains screenshots of the ITSM Tool Implementation Checklist.

    ITSM Tool Deployment Plan Template

    Prioritize and prepare tool rollout plan

    The image contains a screenshot of the ITSM Tool Deployment Plan Template.

    ITSM Tool Training Schedule

    Use the checklist to create your new tool training roadmap

    The image contains a screenshot of the ITSM Tool Training Schedule.

    Blueprint benefits

    Benefits for IT

    Benefits for the business

    • Checklists and templates to support a smoother transition to the new ITSM tool.
    • Opportunity to review and optimize processes as part of the ITSM tool implementation project. A new tool with the same old processes will not achieve expected benefits.
    • Ability to plan and scope the project to avoid or reduce last-minute chaos.
    • Better planning means better results – specifically, ensuring that the implementation takes into account targeted business benefits.
    • Improved project management, and therefore better cost and effort estimates, by identifying required tasks upfront. This also provides the opportunity to re-scope or adjust timelines based on estimated effort.
    • Higher end-user satisfaction by executing a well-organized ITSM tool implementation.

    Measured value from using this blueprint

    Use this guide as an example to calculate your total cost savings from the ITSM tool implementation project.

    Phase 1

    Identify Scope, Stakeholders, and Preliminary Timeline

    Time, value, and resources saved by using Info-Tech’s methodology to define scope and plan your project

    E.g. 2 FTEs * 6 days * $80,000/year = $4,000/-

    Phase 2

    Prepare to Implement Incident Management and Service Request Modules

    Time, value, and resources saved by using Info-Tech’s methodology to build your solution strategy and determine configurations

    E.g. 2 FTEs * 8 days * $80,000/year = $5,400/-

    Phase 3

    Create a Deployment Plan (Communication, Training, Rollout)

    Time, value, and resources saved by using Info-Tech’s methodology to establish an effective communications roadmap and deploy tool

    E.g. 2 FTEs * 6 days * $80,000/year = $4,000/-

    Total Savings

    Total Savings

    Phase 1 + Phase 2 + Phase 3 = $13,400

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1 Phase 2 Phase 3

    Call #1: Define scope, roles, responsibilities and timeline.

    Call #2: Review your existing solution and challenges.

    Call #3: Plan ticket management and workflow implementation.

    Call #4: Plan data migration, knowledgebase setup, and integrations.

    Call #5: Plan the module rollout.

    Call #6: Create a communication plan.

    Call #7: Create a training plan.

    Call #8: Plan how you will deploy, monitor, and maintain the solution.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 6 to 8 calls over the course of 3 to 6 months.

    Phase 1

    Identify Stakeholders, Scope, and Preliminary Timeline

    Phase 1 Phase 2 Phase 3

    Identify Stakeholders, Scope, and Preliminary Timeline

    Prepare to Implement Incident Management and Service Request Modules

    Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    1. Define scope
    2. Define roles and responsibilities
    3. Identify preliminary timeline

    Step 1.1

    Define scope

    Activities

    1.1.1

    Use the Project Charter Template to capture project parameters

    1.1.2

    Leverage the Implementation Checklist to guide your preparation

    1.1.3

    Review goals that drove the ITSM tool purchase

    1.1.4

    Interview ITSM staff to identify current tool challenges and support organizational change management

    1.1.5

    Identify the modules and features you will plan to implement

    1.1.6

    Determine if data migration is required

    This step will walk you through the following activities:

    • Define the scope of the implementation project
    • Establish the future processes and functionalities the tool will support

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Specifying the implementation project
    • Identifying the business units that are needed to support the project
    • Defining the ongoing and future service management processes the tool will support

    1.1.1 Use the Project Charter Template to capture scope, stakeholders, and timeline as outlined in Phase 1

    Follow the instructions in Phase 1 (step 1.1, 1.2, and 1.3) to gather information needed to create a project charter to define project parameters.

    Specific subsections are listed below and described in more detail in the remainder of this phase.

    1. Project Overview: Includes deliverables, scope, milestones, and success metrics.
    2. Governance and Management: Includes roles, responsibilities, and resource requirements.
    3. Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies as well as any assumptions and constraints.
    4. Project Sign-Off: Includes IT and executive sign-off (if required).

    The image contains a screenshot of the Project Charter Template.

    Download the ITSM Tool Implementation Project Charter Template

    1.1.2 Leverage the Implementation Checklist to guide your preparation

    The checklist tabs align to each phase of this blueprint.

    • Phase 1 (Tab 1) – Identify Stakeholders, Scope, and Preliminary Timeline
    • Phase 2 (Tab 2) – Prepare to Implement Incident Management and Service Request Modules
    • Phase 3 (Tabs 3+4) – Prepare to Implement Additional ITSM Modules (e.g. Change Management)
    • Phase 4 (deployment section in each tab) – Create a Deployment Plan (Communication, Training, Rollout)

    The image contains screenshots from the Implementation Checklist.

    Download the ITSM Tool Implementation Checklist

    1.1.3 Review goals that drove the ITSM tool purchase

    Identify the triggers for the selection and implementation of your new ITSM tool.

    Whether this is your first ITSM tool or a replacement for your old tool, the project was likely triggered by pain points that must be addressed by the new tool to improve your service desk. Having a clear understanding of these pain points throughout the implementation of your new tool will help to prevent them from reoccurring.

    Common ITSM pain points include:

    1. Poor communication with end users on ticket status.
    2. Lack of SLA automation to escalate issues to the appropriate channels.
    3. Poor self-service options for end users to perform simple requests on their own.
    4. Undeveloped knowledgebase for users to find answers to common issues.
    5. Lack of reporting or mistrust in reporting data.
    6. Lack of automation, including ticket templates.
    7. Overcomplicated ticket categories resulting in categories being misused.
    8. Overconfiguration prevents future upgrades.
    9. Lack of integration with other tools.

    If you haven't already selected an ITSM tool, leverage the IT Service Management Selection Guide to select the right tool.

    Download the IT Service Management Selection Guide

    1.1.4 Plan to interview staff to support organizational change management

    Identify challenges with the existing tool and processes as well as potential objections to the new tool.

    Incorporate this feedback in the implementation to drive buy-in and a successful rollout.

    Implementing a new ITSM tool will force changes in how IT staff do their work:

    • At a minimum, it means learning a new interface.
    • It could also mean leveraging features that improve IT operations but could change the process or tasks for the staff.
    • Their input on the current tool and process challenges can be critical for the project.
    • Solving at least some of their challenges can help bring them onboard to use this tool properly and follow associated process changes.

    Info-Tech Insight

    Keep management in the loop through every stage of the implementation process. They are the ones who are paying for the software, so they need to be informed throughout implementation and feel that their needs and feedback are being heard to prevent pushback further into the implementation.

    1.1.5 Identify the modules and features you will plan to implement

    Consider these factors when deciding what modules and features you want to implement:

    • Specific ITSM modules based on the recommended order and any unique business requirements
    • Key features that drove the tool purchase and address key issues
    • High-level process changes needed to address challenges and realize expected benefits from the new ITSM tool (e.g. if a key goal was automated ticket routing based on categories, then the project needs to include developing a good categorization scheme)

    Recommended order for implementation:

    1. Incident Management and Service Request
    2. This is the core of service management and typically has the highest impact on the organization. Include knowledgebase development as part of this implementation.

    3. Change Management
    4. A foundational component of service management, it allows organizations to minimize disruptions to IT services when making changes to services and critical systems.

    5. Asset Management
    6. A foundational component of service management, it allows organizations to track their assets’ locations, how they are used, and when changes are made to them.

    1.1.6 Determine if data migration is required

    If you are switching from a previous ITSM tool, carefully weigh the pros and cons as well as the necessity of migrating historical transactional data before deciding to import it into the new tool.

    Importing your old transactional data will allow you to track metrics over time, which can be valuable for data analysis and reporting purposes.

    However, ask yourself what the true value of your data is before you import it.

    You will not get value out of migrating the old data if:

    • You have incomplete or inaccurate data (a high percentage of incidents did not have tickets created in the old system).
    • The categorization of your old tickets was not useful or was used inconsistently.
    • You plan on changing the ticket categorization in the new system.

    “Don’t debate whether you can import your old data until you’ve made sure that you should.”

    – Barry Cousins, Practice Lead at Info-Tech Research Group

    Info-Tech Insight

    If you decide to migrate your data, keep in mind that it can be a complex process and proper time should be budgeted for planning, structuring the data, and importing and testing it.

    Step 1.2

    Define roles and responsibilities

    Activities

    1.2.1

    Key internal roles and responsibilities

    1.2.2

    Key external roles and responsibilities

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Decision on whether to hire professional services for the implementation
    • Clearly defined roles and responsibilities for the project

    1.2.1 Identify key internal roles and responsibilities

    Review the tasks outlined in the Implementation Checklist to help you identify appropriate roles and specific staff that will be needed to execute this project.

    Project Role

    Description

    RACI

    Assigned To

    Executive Sponsor

    Liaison with the executive team (the CIO would be a good candidate for this role).

    Accountable for project completion.

    Approves resource allocation and funding.

    A, C

    Name(s)

    Project Manager

    Manages the project schedule, tasks, and budget.

    May act as a liaison between executives and the project-level team.

    R

    Name(s)

    Product Owner

    Liaison with the vendor.

    SME for the new tool.

    Provides input to tool configuration decisions.

    Manages the tool post-implementation.

    R

    Name(s)

    Process Owners

    Define current processes.

    Provide input to identifying current-state process challenges to address and potential changes as part of the new tool implementation.

    R

    Name(s)

    Service Desk Manager

    Provides input to tool configuration decisions.

    Manages and trains service desk agents to use new tool and processes.

    R

    Name(s)

    ITSM Tool Core Users (e.g. Service Desk Technicians)

    Provide input to identifying current-state process challenges to address.

    Provide input to tool configuration decisions.

    C

    Name(s)

    RACI = Responsible, Accountable, Consulted, and Informed

    Assign individuals to roles through each step of the implementation project in the governance and management chart in the Project Charter Template.

    Download the Project Charter Template

    1.2.2 Key external roles and responsibilities

    Determine whether you will engage professional services for the implementation.

    There are three main ways to implement your ITSM tool

    Implemented in-house by own staff

    Implemented using a combination of your own staff and your ITSM tool vendor

    Implemented by professional services and your ITSM tool vendor

    DIY Implementation

    Adopting a DIY implementation approach can save money but could draw out your implementation timeline and increase the likelihood of errors. Carefully consider your integration environment to determine your resourcing capabilities and maturity.

    Vendor Implementation

    In most cases, your vendor will support or execute the technical implementation based on your requirements. Use this blueprint to help you define those requirements.

    Professional Services

    Opting for professional services may result in a shorter implementation period and fewer errors but may also deny your IT staff the opportunity to develop the skills necessary to maintain and configure the solution in the future.

    Clarify the role of the professional services vendor before acquiring their services to make sure your expectations are aligned. For example, are you hiring the vendor for tool installation, tool configuration, or tool customization or for training your end users?

    Step 1.3

    Identify preliminary timeline

    Activities

    1.3.1

    Identify preliminary internal target dates

    1.3.2

    Identify target dates for vendor involvement

    This step involves the following participants:

    • CIO
    • IT Director/Manager
    • Service Manager
    • Project Manager and the project team

    Outcomes of this step

    • Specifying the target dates for the implementation project

    1.3.1 Identify preliminary internal target dates

    Identify high-level start and end dates based on the following:

    • Existing process maturity
    • Process changes required (to address process issues or to realize targeted benefits from the new tool)
    • Data migration requirements (if any)
    • Information to prepare for the implementation (review the Checklist Tool)
    • Vendor availability to support implementation
    • Executive mandates that have established specific milestone dates

    Create an initial project schedule:

    • Review the remaining phases of this blueprint for more details on the implementation planning steps.
    • Review and update the Checklist Tool to suit your implementation goals and requirements.
    • Assign task owners and target dates in the Checklist Tool.

    Note: This is a preliminary schedule. Monitor progress as well as requirement changes, and adjust the scope or schedule as needed.

    Update the columns in the Checklist Tool to plan and keep track of your implementation project.

    1.3.2 Identify target dates for vendor involvement

    Plan when you'll be ready for the vendor and identify the key points for when the vendor will come in.

    Are dates already scheduled for tool installation/configuration/customization?

    If yes:

    • Clarify vendor expectations for those target dates (i.e. what do you have to have prepared in advance?).
    • Determine options to adjust dates if needed.

    If no:

    • Defer scheduling until you have reviewed and updated the Implementation Checklist. The checklist will help you determine your readiness for vendor involvement.

    Consider if the vendor will implement the ITSM tool in one go or if they will help setup the tool in stages. Keep in mind that ITSM implementation projects typically take anywhere from 9 weeks to 16 months and plan accordingly depending on the maturity of your processes and the modules and features you plan to implement.

    Use your internal target dates to estimate when you'll be ready for the vendor to set up the tool and implement the setting that you've defined.

    Phase 2

    Prepare to Implement Incident Management and Service Request Modules

    Phase 1Phase 2Phase 3

    Identify Stakeholders, Scope, and Preliminary Timeline

    Prepare to Implement Incident Management and Service Request Modules

    Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    • Review your existing solution and challenges
    • Plan ticket management and workflow implementation
    • Plan data migration, knowledgebase setup, and integrations
    • Plan the module rollout

    Additional Info-Tech Research

    The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in these blueprints.

    Standardize the Service Desk

    Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

    Optimize the Service Desk With a Shift-Left Strategy

    Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

    Incident and Problem Management

    Develop a critical incident management workflow and create standard operating procedures for problem management.

    Step 2.1

    Review your existing solution and challenges

    Activities

    2.1.1

    Configure, don’t customize, your solution to minimize risk

    2.1.2

    Review your existing process and solution challenges for opportunities for improvement

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    2.1.1 Configure your tool, don’t customize it

    Your tool may require at least some basic configurations to align with your processes, but in most cases customization of the tool is not recommended.

    Configuration

    Customization

    • Creating settings and recording reference data in the tool within the normal functionality of the tool.
    • Does not require changes to source code.

    Documentation of configurations is key.

    Failure to document configurations and the reasons for specific configurations will lead to:

    • Difficulty diagnosing incidents and problems.
    • Difficulty reconstructing the tool in the case of disaster recovery.
    • One administrator having all of the knowledge of configurations and taking it with them if they leave the organization.
    • Configurations that become useless in the future are maintained and lead to unnecessary work if documentation is not regularly reviewed.
    • Extending the functionality of the tool beyond what it was originally intended to do.
    • Requires manual changes to source code.

    Carefully consider whether a customization is necessary.

    • Over-customization of your ITSM tool code may lock you into your current version of the software by preventing future patches and upgrades, leaving you with outdated software.
    • Over-customization becomes particularly risky when your ITSM solution is integrated with other tools, as a loss in functionality of your ITSM tool resulting from over-customization may cause disruptions across the business.
    • If your selected ITSM solution doesn’t do something you think you need it to do, carefully evaluate whether you really need that customization and if the trade-off of potentially limiting future innovation is worth it.

    Case Study

    Consider the consequences of over-customizing your solution.

    INDUSTRY: Education

    SOURCE: IT Director

    Situation

    Challenge

    Resolution

    A few years ago, the service management office at the university decided to switch ITSM tools, from Computer Associates to ServiceNow.

    They wanted the new tool to behave similarly to what they had previously, so they made a lot of customized code changes to ServiceNow during implementation.

    As a result of the customizations, much of the functionality of the tool was restricted, and the upgrades were not compatible with the solution.

    The external consultants who performed the customizations and backend work did not document their changes, leaving the service management team without an understanding of why they did what they did.

    The service management team is working with ServiceNow to slowly unravel the custom code to try to get the solution back to having out-of-the-box functionality, with the ability to be upgraded.

    It has been challenging to do this work without disrupting the functionality of the tool.

    Over-customization led to the organization paying for features they couldn’t use and spending more time and resources down the road to try to reverse the changes.

    2.1.2 Review your existing process to identify opportunities for improvement

    Documenting your existing processes is an effective method for also reviewing those processes and identifying inefficiencies. Take advantage of this project to fix your process issues.

    1. Document your existing workflows for incident management and service requests.
    2. Review your workflows to identify opportunities to optimize through process refinement (e.g. clarifying escalation guidelines) or by leveraging features in your new ITSM tool (e.g. improved workflow automation).
    3. Similarly, review the challenges identified through stakeholder interviews: is there an opportunity address those challenges through process changes or leveraging your new ITSM tool?
    4. Address those challenge and issues as you execute the tasks outlined in the Implementation Checklist Tool. For example, if inconsistent ticket routing was identified as a challenge due to a vague categorization scheme, that’s a driver to review and update your scheme rather than just carry forward your existing scheme.

    Regardless of your existing ITSM maturity, this is an opportunity to review and optimize existing processes. Even the most-mature organizations can typically find an area to improve.

    Case Study

    Reviewing and defining processes before the implementation can be a project in itself.

    INDUSTRY: Defense

    SOURCE: Anonymous

    Situation

    Challenge

    Resolution

    The organization was switching to a new ITSM tool. To prepare for the implementation, they gathered stakeholders, held steering committee meetings, and broke down key processes, teams, and owners before even meeting with the larger group.

    They used a software tool called InDesign to visibly map service requests and incidents and determine who owned each process and where the handoffs were.

    The service catalog also needed to be built out as they were performing certain services that didn’t relate to anything in the catalog.

    The goal for the implementation was to have it completed within a year, but it ended up going over, taking 15 to 16 months to complete.

    Most of the time was spent identifying processes upfront before configuring the tool. There were difficulties defining processes as well as agreeing on who owned a process or service.

    There were also difficulties agreeing upon who the valid stakeholders were for processes, as groups were siloed.

    The major obstacles to implementation were therefore people and process, not the product.

    New processes were introduced, and boundaries were placed around processes that were being done in the past that weren’t necessary.

    Once the groups were able to agree upon process owners, the tool configuration and implementation itself did not pose any major difficulties.

    After the implementation, the tool was continually improved and sharpened to adapt to processes.

    Step 2.2

    Plan ticket management and workflow implementation

    Activities

    2.2.1

    Define ticket classification values

    2.2.2

    Define ticket templates for common incident types and service requests

    2.2.3

    Plan your ticket intake channels

    2.2.4

    Design a self-service portal

    2.2.5

    Plan your knowledgebase implementation in the new tool

    2.2.6

    Design your ticket status notification processes and templates

    2.2.7

    Identify required user accounts, access levels, and skills/ service groups

    2.2.8

    Review and update your workflows and escalation rules

    2.2.9

    Identify desired reporting and relevant metrics to track

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    Tool is designed and configured to support service desk processes and organization needs.

    Checklist overview

    The ITSM Tool Implementation Checklist will help you estimate resources required to support demand, based on your ticket volume.

    TAB 2

    TAB 3

    TAB 4

    Incident and Service Modules Checklist

    Change Management Modules

    Asset Management Modules

    The image contains a screenshot of the ITSM Tool Implementation Checklist, tab 2. The image contains a screenshot of the ITSM Tool Implementation Checklist, tab 3. The image contains a screenshot of the ITSM Tool Implementation Checklist, tab 4.

    How to follow this section:

    The following slides contain a table that explains why each task in the module matters and what needs to be considered. Complete the checklist modules referring to this section.

    2.2.1 Define ticket classification values

    Ticket classification improves reporting, workflow automation, and problem identification.

    Review your existing ticket classification values to identify what to carry forward, drop, or change. For example, if your categorization scheme has become too complex, this is your opportunity to fix it; don’t perpetuate ineffective classification in the new tool.

    Task

    Why this matters

    Ticket Types (e.g. incident, service request, change)

    In particular, separating incidents from service requests supports appropriate ticket prioritization and resourcing; for example, an incident typically should be prioritized, and service requests can be scheduled.

    Categories (e.g. network, servers)

    An effective categorization scheme can help identify ticket assignment and escalation (e.g. network tickets would be escalated to the network team), and potentially automate ticket routing.

    Resolution Codes

    Indicates how the ticket was resolved (e.g. configuration change). Supports another layer of trends reporting and data to support problem identification.

    Status Values

    Shows what status the ticket is currently in (e.g. if the ticket has been opened or assigned to an agent, if it is in progress or has been resolved).

    2.2.2 Define ticket templates for common incident types and service requests

    Ticket templates are the backbone of automation. A common complaint is that tickets take too much time. However, a little planning can reduce the time it takes to create a ticket to less than a minute.

    Task

    Why this matters

    Identify common recurring tickets that would be good candidates for using ticket templates (e.g. common service requests and incidents).

    Some common recurring tickets such as password reset, new laptop, and login requests would be great candidates to create ticket templates for. Building a deck of standard rules to follow for common tickets saves time and reduces the number of tickets generated.

    Design ticket templates and workflows for common tickets (e.g. fields to auto-populate as well as routing and secondary tickets for onboarding requests).

    Differentiating between recurring ticket types and building pre-defined templates not just saves time but can also have major impact on how service is delivered as this will also help separate tickets. Creating these templates beforehand will also let you communicate effectively with the users at a time when all hands need to be on deck.

    2.2.3 Plan your ticket intake channels

    Consider possible ticket intake channels and evaluate their relevance to your organization.

    Task

    Why this matters

    Decide on ticket intake channels (e.g. phone, email, portal, walk-ups).

    Each standard intake channel serves its own purposes and can be extremely valuable under different circumstances. For example, walk-ins may be inefficient but necessary for critical incidents.

    If using email, identify/create the email account and appropriate permissions.

    Email works well if it automatically creates a ticket in your ticketing system, but users often don’t provide enough information in unstructured emails. Use required fields and ticket templates to ensure the ticket is properly categorized.

    If using phone, identify/create the phone number and appropriate integrations.

    Maintain the phone for users from other locations and for critical incidents but encourage users who call in to submit a ticket through the portal.

    If using a portal, determine if you will leverage the tool's portal or an existing portal.

    The web portal is the most efficient intake method, but ensure it is user friendly before promoting it.

    If using chat, determine whether you will use the tool's chat or an existing chat mechanism and whether integrations are needed.

    Another way to improve support experience for your customers is through live chat. This gives your customers an easy way to reach you at the exact moment they have questions or issues they can't fix.

    2.2.4 Design a self-service portal

    Map your processes to the tool by defining your ticket input, categories, escalations, and workflows.

    Don’t forget about the client-facing side of the solution. It is important to build a self-serve portal that has an easy-to-use interface where the user can easily find the category for the help they’re looking for. It is also necessary to educate the users on where to find the portal or how to access it.

    Task

    Why this matters

    Identify components to include (e.g. service request, incident, knowledgebase).

    Identify the categories you want the users to be able to access in the portal. Finding the right balance of components to include is very important to make it easy for your users to find all the relevant information they are looking for. This could mean fewer tickets.

    Plan the input form for service requests and incidents (e.g. mandatory fields, optional fields, drop-down lists).

    Having relevant and specific fields helps to narrow down your user’s issues and provides more information on how to allocate these tasks among the service desk resources and reduce time to further investigate the issues.

    If service catalog will be attached to the ITSM tool, define routing and workflows; if there is no existing service catalog, start a separate project to define it (e.g. services, SLAs).

    A centrally defined guide enables a uniform quality in service and clarifies the responsible tier for the ticket. Identify services that will be included in the catalog, and if the information is attached to the ITSM tool, plan for how will the routing and workflows be structured.

    Plan design requirements (e.g. company branding).

    Ensure that the portal is aligned with the company’s theme and access format. Work with the vendor to customize the branding on the tool, design requirements, images.

    2.2.5 Plan your knowledgebase (KB) implementation in the new tool

    Evaluate how onerous KB migration will be for you. Is this an opportunity to improve how the KB is organized?

    Task

    Why this matters

    Define knowledgebase categories and structure.

    Establishing knowledgebase structures or having them separated into categories makes it easy for your clients to find them (e.g. do they align with ticket categories?).

    Identify existing knowledgebase articles to add to the new tool.

    Review existing knowledgebase articles at a high level (e.g. Do you carry forward all existing articles? Take an opportunity to retire old articles?).

    Define knowledgebase article templates.

    Having standardized templates makes it an easy read and will increase its usage (e.g. all knowledgebase articles for recurring incidents will follow the same template).

    Build knowledgebase article creation, usage, and revision workflows.

    Decide how new knowledgebase articles will be built and added to the tool, how it will be accessed and used, and also any steps necessary to update the articles.

    Plan a knowledgebase feedback system.

    For example, include a comments section, like buttons, and who will get notified about feedback.

    2.2.6 Design your ticket status notification processes and templates

    Task

    Why this matters

    Identify triggers for status notifications. Balance the need for keeping users informed versus notifications being treated as spam.

    Identify when and where the users are informed to make sure you are not under or over communicating with them. Status notifications and alerts are a great way to set or reset expectations to your users on the delivery or resolution on their tickets. For example, auto-response for a new ticket, or status updates to users when the ticket is assigned, solved, and closed.

    If using email notifications, design email templates for each type of notification.

    Creating notification templates is a great way to provide standardized service to your clients and it saves time when a ticket is raised. For example, email templates for new ticket, ticket updated, or ticket closed.

    Plan how you will enable users to validate the ticket or resolve request without causing the ticket to reopen.

    For example, in the ticket solved template, provide a link to close the ticket, and ask the user to reply only if they wish to re-open the ticket (i.e. if it's not resolved). May require consulting with the ITSM tool vendor.

    Decide if customer satisfaction surveys will be sent to end users after their ticket has been closed.

    Discuss if this data would be useful to you if captured to improve/modify your service.

    If customer satisfaction surveys will be used, design the survey.

    Discuss what data would be useful to you if captured and create survey questionnaires to capture that data from your clients. For example, how many questions, types of questions, whether sent for every ticket or randomly.

    2.2.7 Identify required user accounts, access levels, and skills/service groups

    Task

    Why this matters

    Define Tier 1, 2, and 3 roles and their associated access levels.

    Having pre-established roles for different tiers and teams is a great way to boost accountability and also helps identify training requirements for each tier. For example, knowledgebase training for tier 1 & 2, reporting/analytics for IT manager.

    Identify skill groups or support teams.

    Establishing accountability for all the support practices in the service desk is important for the tickets to be effectively distributed among the functional individuals and teams. Identifying the responsibilities of groups help execute shift-left strategy.

    Identify required email permissions for each role.

    For example, define which roles get permissions to include status updates or other ticket information in their emails or to support automated notifications and other integrations with email.

    Determine how you will import users into the new tool.

    Identify the best way to migrate your users to the new tool whether it be by importing from Active Directory or the old ITSM tool, etc.

    2.2.8 Review and update your workflows and escalation rules

    Task

    Why this matters

    Document your future-state incident and service request workflows that will incorporate the above planning as well as improvements supported by the new tool.

    Document your workflows and review it to make sure it’s accurate and also to help you with communicating process expectations to all the stakeholders.

    Review the future-state workflows.

    This helps you validate that the planned changes meet your goals and identify any additional required changes.

    Update ticket classification values, templates, and ticket intake as needed based on the future-state workflows.

    Documenting your process might uncover additional requirements for classification, templates, etc. Ensure that the classification templates and related parameters align with the workflows.

    Identify opportunities to further automate workflows by leveraging the new tool.

    The process of reviewing the workflows often helps identify manual processes, labor intensive processes, very repetitive processes, etc. These can be opportunities to further automate your processes.

    2.2.9 Identify desired reporting and relevant metrics to track

    Documentation of key metrics of service desk performance and end-user satisfaction that you wish to improve through the new solution is key to evaluate the success of your implementation.

    Task

    Why this matters

    Define the metrics you will track in the new ITSM tool.

    It is critical to ensure that your tool will be able to track necessary metrics on KPIs from the start and that this data is accurate and reliable so that reporting will be relevant and meaningful to the business. Whether you use your own tool for tracking metrics or an external tool, ensure that you can get the internal data you need from the ITSM tool. This may include measures of Productivity (e.g. time to respond, time to resolve), Service (e.g. incident backlog, customer satisfaction), and Proactiveness (e.g. number of knowledgebase articles per week).

    Determine what reports you want to generate from data collected through the tool.

    It’s not enough to simply set up metrics, you have to actually use the information. Reports should be analyzed regularly and used to manage costs and productivity, improve services, and identify issues. Ensure that your service desk team contributes to the usefulness of reporting by following processes such as creating tickets for every incident and request, categorizing it properly, and closing it after it’s resolved with the proper resolution code.

    Identify the information and metrics to include in the ITSM tool's dashboards.

    A dashboard helps drive accountability across the team through greater visibility. Decide what will be reported on the dashboard. For example, average time to resolution, number of open tickets with subtotals for each priority, problem ticket aging.

    Step 2.3

    Plan data migration and integrations

    Activities

    2.3.1

    Create a data migration and archiving plan

    2.3.2

    Identify and plan required integrations

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    • Decisions made around data migration, integrations, automation, and reporting.
    • ITSM Tool Implementation Checklist

    2.3.1 Create a data migration and archiving plan

    Task

    Why this matters

    Document your future-state incident and service request workflows that will incorporate the above planning as well as improvements supported by the new tool.

    Document your workflows and review them to make sure they’re accurate and also to help you with communicating process expectations to all the stakeholders.

    Review the future-state workflows.

    This helps you validate that the planned changes meet your goals and identify any additional required changes.

    Update ticket classification values, templates, and ticket intake as needed based on the future-state workflows.

    Documenting your process might uncover additional requirements for classification, templates, etc. Ensure that the classification templates and related parameters align with the workflows.

    Identify opportunities to further automate workflows leveraging the new tool.

    The process of reviewing the workflows often helps identify manual processes, labor-intensive processes, very repetitive processes, etc. These can be opportunities to further automate your processes.

    2.3.2 Identify and plan required integrations

    Consider and plan for any necessary integrations with other systems.

    A major component of the implementation that should be carefully considered throughout is if and how to integrate your ITSM tool with other applications in the environment.

    Task

    Why this matters

    Identify the systems you need to integrate with your ITSM tool (e.g. asset discovery tools, reporting systems).

    Regardless of whether your solution will be configured and installed on-premises or as a SaaS, you need to consider the underlying technology to determine how you will integrate it with other tools where necessary.

    Businesses may need to integrate their ITSM tool with other systems including asset management, network monitoring, and reporting systems to make the organization more efficient.

    Determine how data will flow between systems.

    Carefully evaluate the purpose of each integration. Clients often want their ITSM tool to be integrated with all of the available data in another application when they only need a subset of that data to be integrated.

    Consider not only which systems you need to integrate with your ITSM tool but also who the owners of those systems are and which way the data needs to flow.

    Plan the development, configuration, and testing of integrations.

    As with other aspects of the implementation, configure and test the integrations before going live with the tool.

    Step 2.4

    Plan the module rollout

    Activities

    2.4.1

    Repeat the methodology for additional ITSM modules, using the Checklists as a guide

    2.4.2

    Leverage these blueprints to help you implement change and asset management modules

    This step involves the following participants:

    1. Service Manager and Service Desk Team
    2. Project Manager and Core Project Team
    3. Subject Matter Experts and Tool Administrator, if applicable

    Outcomes of this step

    Identify and plan for additional modules and features to be implemented

    2.4.1 Repeat the methodology for additional ITSM modules, using the Checklists as a guide

    The preparation completed in Phase 1 and 2 to this point provide a foundation for additional ITSM modules.

    This blueprint starts with the incident management and service request modules as those are typically implemented first since they are the most impactful to day-to-day IT service management.

    In addition, the methodology outlined in Phase 1 and 2 to this point provides a model to follow for additional ITSM modules:

    • If you did not already account for additional modules in Phase 1, then repeat the steps in Phase 1 to define scope, stakeholders, and timeline.
    • The Implementation Checklist Tool provides tabs for Change Management and Asset Management to outline the specific details for those topic areas, but they follow the same high-level steps as Phase 2 (e.g. review existing processes, design relevant workflows).
    • If you are planning to implement other modules (e.g. Problem Management), create additional tabs in the Implementation Checklist Tool as needed, using the existing tabs as a base.
    The image contains screenshots of the ITSM checklists.

    2.4.2 Leverage these blueprints to help you implement change and asset management modules

    The Implementation Checklist Tool summarizes what you need to prepare for the implementation. If you need more assistance with developing the underlying ITSM processes, use the tools, templates, and guidance in the blueprints below.

    Optimize IT Change Management

    Define change management workflows, key roles, and supporting elements such as request-for-change forms based on best practices.

    Implement Hardware Asset Management

    Create an SOP and associated process workflows to streamline and standardize hardware asset management.

    Implement Software Asset Management

    Build on a strong hardware asset management program to also properly track and manage software assets. This includes managing software licensing, finding opportunities to reduce costs, and improving your software audit readiness.

    Phase 3

    Create a Deployment Plan (Communication, Training, Rollout)

    Phase 1Phase 2Phase 3

    Identify Stakeholders, Scope, and Preliminary Timeline

    Prepare to Implement Incident Management and Service Request Modules

    Create a Deployment Plan (Communication, Training, Rollout)

    This phase will walk you through the following steps:

    1. Create a communication plan (for IT, users, and business leaders)
    2. Create a training plan
    3. Plan how you will deploy, monitor, and maintain the solution

    ITSM Tool Training Schedule

    ITSM Tool Deployment Plan Template

    Use the template to document and plan the communications and training needs prior to deployment of the new tool.

    The image contains a screenshot of the ITSM Tool Training Schedule.

    Use the deployment plan template to document the strategy and decisions made for making the transition to the new ITSM tool.

    The image contains a screenshot of the ITSM Tool Deployment Plan Template.

    Download the ITSM Tool Training Schedule

    Download the ITSM Tool Deployment Plan Template

    Step 3.1

    Create a communication plan (for IT, users, and business leaders)

    Activities

    3.1.1

    Ensure there is strong communication from management throughout the implementation and deployment

    3.1.2

    Base your communications timeline on a classic change curve to accommodate natural resistance

    3.1.3

    Communicate new processes with business leaders and end users to improve positive customer feedback

    This step involves the following participants:

    1. CIO/IT Director
    2. IT Manager
    3. Service Manager

    Outcomes of this step

    Plan for communicating the change with business executives, service desk agents, and end users.

    3.1.1 Ensure there is strong communication from management throughout the implementation and deployment

    A common contributing factor for unsuccessful implementation is a lack of communication around training, transitioning, and deploying the new tool.

    Common Pitfall:

    Organizational communication and change management should have been ongoing and tightly monitored throughout the project. However, cut-over is a time in which critical communication regarding deployment and proper user training can be derailed when last-minute preparations take priority. Not only will general user frustration increase, but unintended process workarounds will emerge, eroding system effectiveness.

    Mitigating Actions:

    Deliver training for end users that will be engaged in testing. For all other users, deliver training prior to go-live to avoid the risk of training too early (where materials may not be ready or users are likely to forget what was learned). If possible, host quick refresher training a week or two prior to go-live.

    Aim to communicate the upcoming go-live. The purpose of communication here is to reiterate expectations, complexities, and ramifications on business going forward. Alleviate performance anxiety by clearly stating that temporary drops in productivity are to be expected and that there will be appropriate assistance throughout the transition period.

    Transition: Have the project/program manager remain on the project team for some time after deployment to oversee and assure smooth transition for the organization.

    Complete training: Have a clear plan for training those users that were missed in the first round of training as well as a plan for ongoing training for those that require refresher training, for new joiners to your organization, and for any training requirements that result from subsequent upgrades.

    3.1.2 Base your communications timeline on a classic change curve

    It’s important to communicate the change ahead of the implementation, but also to reinforce that communication after implementation to recover from any resistance that occurs through the implementation itself.

    Stages in a typical change curve:

    1. Change is announced. Some people are skeptical and resistant, but others are enthusiastic. Most people are fence sitters; if they trust senior leadership, they will give the benefit of the doubt and expect change to be good.
    2. Positive sentiment declines as implementation approaches. Training and other disruptions take people’s time and energy away from their work. Project setbacks and delays take credibility away from project leaders and seem to validate the efforts of saboteurs and skeptics.
    3. Overall sentiment begins to improve as people adjust and see real progress made. Ideally, early successes or quick wins neutralize saboteurs and convert skeptics. At the very least, people will begin to accept and adapt to new realities.
    4. If the project is successful and communication is reinforced after implementation, sentiment will peak and level out over time as people move on to other projects.

    The image contains a diagram of a change curve.

    1. Honeymoon of “Uninformed Optimism”: Tentative support and enthusiasm for change before people have really felt or understood what it involves.
    2. Backlash of “Informed Pessimism” (leading to “Valley of Despair”): People realize they’ve overestimated the benefits (or how soon they’ll be achieved) and underestimated the difficulty of change.
    3. Valley of Despair and beginning of “Hopeful Realism”: Sentiment bottoms out and people begin to accept the difficulty (or inevitability) of change.
    4. Bounce of “Informed Optimism”: More optimism and support when people begin to see bright spots and early successes.
    5. Contentment of “Completion”: Change has been successfully adopted and benefits are being realized.

    3.1.3 Communicate new processes

    1. Communicate with business unit leaders and users:
    • Focus on the benefits for end users to encourage buy-in for the change.
    • Include preliminary instructions with a date for training sessions.
  • Train users:
    • Teach users how to contact the service desk and submit a ticket.
    • Set expectations for IT’s response.
    • Record all your training sessions so it can used for recursive training.
  • Enforce:
    • IT must point users toward the new process, but ad hoc requests should still be expected at first. Deal with these politely but encourage all employees to use the new service desk ticketing process, if applicable.
  • Measure success:
    • Continue to adjust communications if processes aren’t being followed to ensure SLAs can be met and improved.

    “Communicate with your end users in phase 1 to let them know what will be changing, get feedback and buy-in, and inform them that training will be happening, then ensure you train them once the tool is installed. A lot of times we’ll get our tool set up but people don’t know how to use it."

    – Director of ITSM Tools

    Info-Tech Insight

    If there is a new process for ticket input, consider using a reward system for users who submit a ticket through the proper channel ;(e.g. email or self-serve portal) instead of their old method (e.g. phone). However, if a significant cultural change is required, don’t expect it to happen right away.

    Step 3.2

    Create a training plan

    Activities

    3.2.1

    Target training session(s) to the specific needs of your service desk, service groups, IT managers

    3.3.1

    Provide training (tool/portal and process changes)

    3.4.1

    Choose an appropriate training delivery method that will focus on both process and tool

    This step involves the following participants:

    • IT Director
    • Project Manager
    • Service Desk Manager

    Outcomes of this step

    • Training modules for different users of the tool.
    • Assignment of training modules to users and schedule for completion.

    3.2.1 Target training session(s) to the specific needs of your service desk and IT staff

    Create targeted role-based training programs for your service desk analysts; they care about the portion of the solution they are responsible for, not the functionality that is irrelevant to their job.

    Create and execute a role-based training program by conducting training sessions for targeted groups of users, training them on the functions they require to perform their jobs.

    Use a table like this one to help identify which roles should be trained on which tasks within the ITSM tool.

    The image contains a table as an example of identifying which roles should be trained within the ITSM tool.

    The need for targeted training:

    • IT personnel may challenge the need for training. They may feel they don’t require training on the use of tools or that they don’t have time to dedicate to training when there is so much work to be done.
    • Providing targeted training focused on only the functions of the solution that each tier is responsible for can help to overcome that resistance.
    • Targeted training may include basic training for level 1 technicians and more advanced in-depth training for administrators, power users, or level 2/3 technicians.

    Info-Tech Insight:

    Properly trained users promote adoption and improve results. Always keep training materials updated and available. New employees, new software integration, and internal promotions create opportunities for training employees to align the ITSM tool with their roles and responsibilities.

    3.2.2 Provide training

    Training must take place before deployment to ensure that both your service desk agents and end users will use the tool in the way it was intended and improve end-user satisfaction.

    • Implementing a new ITSM tool will likely bring with it at least some degree of organizational and cultural change. It’s important to manage that change through proper training. Your training needs will vary depending on the maturity of the organization and the amount of cultural and process change being implemented.
    • If this is your first ITSM solution with many new changes for staff to take on board, it will be important to dedicate training time not only before deployment but also several months after the initial installation, to allow staff to gain more experience with the new tool and processes and formulate questions they may not think to ask during implementation.
    • A training plan should take into account not only training needs for the implementation project but also any ongoing training requirements that may be required. This may include:
      • Training for new personnel.
      • Training on any changes to the tool.
      • Training on any new processes the tool will support.
    • Better agent training will lead to better performance and improved end-user satisfaction.

    The image contains a screenshot of a graph to demonstrate training hours and first contact resolution.

    The blue graph line charts new-agent training hours against first contact resolution and the orange graph line charts the trendline for the dataset.

    Source: MetricNet, 2012

    3.2.3 Choose an appropriate training delivery method

    Training should include use cases that focus on not only how the tool’s interface works but also how the tool should be used to support process activities.

    1. Training through use cases highlights how the tool will support the user in role-based tasks.
    2. If new processes are being introduced along with the tool, training should cover both in an integrated way.
    3. Team leadership and management commitment ensures that all agents take their training seriously and are prepared for all use cases by the deployment date.

    Trainer-led sessions:

    Self-taught sessions:

    • May take the form of onsite or video training.
    • Vendor may train administrators or managers, who will later train remaining staff.
    • Allows for interaction with the trainer and greater opportunity to ask questions.
    • Difficult for large organizations with many users to be trained.
    • Delivered via computer-based training applications, typically through a web browser.
    • May include voice training sessions combined with exercises and quizzes.
    • More feasible for large, distributed organizations with less flexible schedules.

    Info-Tech Insight:

    Ensure that the training demonstrates not only how the tool should be used, but also the benefits it will provide your staff in terms of improved efficiency and productivity. Users who can clearly see the benefits the tool will provide for their daily work will accept the tool more readily and promote it across the organization.

    Step 3.3

    Plan how you will deploy, monitor, and maintain the solution

    Activities

    3.3.1

    Plan the transition from your old tool to ensure continual functionality

    3.3.2

    Choose a cut-over approach that works for you

    3.3.3

    Deploy the solution and any new processes simultaneously to ease the transition

    3.3.4

    Have a post-deployment support plan in place

    3.3.5

    Monitor success metrics defined in Phase 1

    This step involves the following participants:

    • IT Director
    • Project Manager
    • Service Desk Manager

    Outcomes of this step

    Deployment plan, including a plan for cut-over from the old tool (if applicable), release of the new tool, and post-deployment support and maintenance of the tool.

    3.3.1 Plan the transition from your old tool to ensure continual functionality

    If you will have a transitional period during which the current tool will be used alongside the new tool, develop a clear plan for the transition to ensure continued service for your end users.

    • If there will be an interim period during which only some aspects of the new ITSM tool are functional, you will need to determine how the new system and old systems will work together for that period of time. This may require creating interfaces as well as providing user documentation and/or SOPs on how the business processes will operate during the interim period.
    • Cut-over is the period during which the changeover to the new system occurs. Cut-over activities need to be tightly choreographed for a successful deployment. If improperly planned, chaos may erupt when unforeseen issues are encountered during deployment, the deployment may be jeopardized, and the organization may encounter costly interruptions to its daily operations.
    • Many organizations may leave any open tickets in the old tool until they are closed, which requires that tool run alongside the new tool for a transitional period. In this case, it is necessary to create guidelines around how long the open tickets will remain in the old system and ensure there is clear communication around these processes.

    Be prepared for the transition:

    1. Create a robust cut-over plan that includes when the old tool will be decommissioned, what activities are necessary during the cut-over, and what the contingency plan is in case of unforeseen issues.
    2. Plan for and perform mock cut-overs to establish the timeline and dependencies for all steps that need to be performed to successfully complete the changeover. Do this to avoid any surprises or delays during the true cut-over period.
    3. Establish cut-over logistics: Create a schedule for resources to work in shifts to avoid burn-out during cut-over, which can lead to lapses in judgment and easily avoidable mistakes. Allocate dedicated workspaces for cut-over activities, e.g. “war rooms” for the triage of issues.

    3.3.2 Choose a cut-over approach that works for you

    Approaches and insights from three case studies

    Case Study #1

    Case Study #2

    Case Study #3

    On day one we started recording all new incidents in the new tool, and everything that was open in the old tool remained open for about one month. At that point we transferred over some open incidents but closed old incidents with the view that if anyone really wanted something done that hadn’t been yet, they could re-submit a ticket.

    – Brett Andrews,

    Managing Director at BAPTISM Consultancy

    It made sense for us to start fresh with the new system. We left all of the old tickets in the old system and started the new system with ticket #1. We only had about a dozen open tickets in the old system so we left them there and ran the two tools side by side until those were closed.

    – CIO, Publishing

    It depends on the client and the size of their service desk as well as the complexity of their data and whether they need their old data for reporting. If there are only a dozen open tickets, they can manually move those over easily, and decide whether they want to migrate their historical data for reporting purposes.

    – Scott Walling,

    Co-Founder at Monitor 24-7 Inc.

    3.3.3 Deploy the solution and any new processes simultaneously to ease the transition

    Follow a deployment plan for introducing new processes alongside the new tool to ensure changes to both process and technology are adopted simultaneously.

    If you’re introducing new processes alongside the new tool, it’s important to maintain the link between process and tool. Typically, the processes and tool should be deployed simultaneously unless there is a strong reason not to do so.

    Deployment can be done as a big-bang or phased approach. The decision to employ a phased deployment depends on the number and size of business units the tool will support, as well as the organization’s geography and infrastructure (deployment locations).

    Before deployment, conduct readiness assessments to understand whether:

    The people are ready to accept the new system (have received the proper training and communications and understand how their jobs will change when the switch is flipped).

    The technology is ready (test results are favorable, workarounds and a plan for closure have been identified for any open defects, and the system is performing as expected).

    The data is ready (data for final conversion has been cleansed, and all conversions have been rehearsed).

    The post-deployment support model is ready (infrastructure and technical support is in place, sites are ready, knowledge transfer has been conducted with the support organization, and end users understand procedures for escalation of issues).

    3.3.4 Have a post-deployment support plan in place

    Ensure that strong internal support for the project and tool will continue after deployment.

    The stabilization period after a new software deployment can last between three and nine months, during which there may be continued training needs and fine-tuning of processes. Internal support from project leaders within your organization will be critical to recover from any dip in operational efficiency and deliver the benefits of the tool.

    Consider the following to prepare better for your support plan:

    What are the roles and responsibilities for ongoing tool administration support?

    What level of support will exist to assist service desk staff after deployment?

    How much time will project team resources devote to tackling upcoming issues and assisting with ongoing support?

    Who will be responsible for ongoing training needs and documentation?

    If your organization is spread across multiple locations, what level of support/assistance will be available at each site?

    How will new code releases or system upgrades be managed and communicated?

    Info-Tech Insight:

    Deployment is only the first step in the system lifecycle. Full benefit realization from the tool requires ongoing investment and learning to be sustained. Unless processes and training are updated on an ongoing basis, benefits gained will start to decrease over time. If your service desk efficiency stagnates at the level it was at prior to implementation, the tool has failed to serve its objective.

    Establish ongoing tool maintenance, improvement structures, and processes

    People, processes, and organizations change over time, and your ITSM tool will need to change to meet expectations.

    Develop and execute a plan for the maintenance of the solution and its infrastructure components.

    Include periodic reviews against business needs and operational requirements (e.g. patches, upgrades, and risk and security requirements).

    For maintenance updates, use the change management process and assess how an activity will impact solution design, functionality, and business processes.

    For major changes that result in significant change in current designs, functionality, and/or business processes, follow the development process used for new systems.

    Ensure that maintenance activities are periodically analyzed for abnormal trends indicating underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu of maintenance.

    Assign responsibility for ongoing maintenance. Hold regular meetings for the following activities:

    1. Inspect data and reports.
    2. Assess whether you’re meeting SLAs.
    3. Predict any upcoming changes that may impact ticket volume (e.g. a new operating system or security patch).
    4. Create new ticket templates for recurring or upcoming issues.
    5. Create new knowledgebase articles.
    6. Determine whether ticket categories are being used correctly.
    7. Ask team if there are any problems with the tool.

    3.3.5 Monitor success metrics defined in Project Charter

    Revisit your goals for the solution and assess if they are being met by evaluating current metrics. If your goals have not yet been met, re-evaluate how to ensure the tool will deliver value.

    Sample High-Level Goals:

    1. Improved service desk efficiency
    2. Improved end-user satisfaction
    3. Improved self-service options for end users
    4. Improved data and reporting capabilities

    Sample Metric Descriptions

    Baseline Metric

    Goal

    Current Metric

    Increased ticket input through email versus phone

    50% of tickets submitted through phone

    10% of tickets submit through phone

    Reduced ticket volume (through improved self-serve capabilities)

    1,500 tickets per month

    1,200 tickets per month

    Improved first call resolution (through increased efficiency and automation)

    50% FCR

    60% FCR

    Improved ability to meet SLAs (through automated escalations and prioritization)

    5 minutes to log a ticket

    1 minute to log a ticket

    Improved time to produce reports

    3 business days

    1 business day

    Improved end-user satisfaction

    60% satisfied with services

    75% satisfied

    Related Info-Tech Research

    Optimize IT Change Management

    Define change management workflows, key roles, and supporting elements such as request-for-change forms based on best practices.

    Standardize the Service Desk

    Build core elements of service desk operations, including incident management and service request workflows, ticket categorization schemes, and ticket prioritization rules.

    Optimize the Service Desk With a Shift-Left Strategy

    Implement tools such as an improved knowledgebase and self-service portal to enable lower tier support staff and end users to resolve incidents or fulfill service requests.

    Incident and Problem Management

    Develop a critical incident management workflow and create standard operating procedures for problem management.

    IT Service Management Selection Guide

    Identify the best-of-breed solution to make the most of your investment and engage the right stakeholders to define success.

    Analyze Your Service Desk Ticket Data

    Develop a framework to track metrics, clean data, and put your data to use for pre-defined timelines.

    Bibliography

    Adiga, Siddanth. “10 Reasons Why ITSM Implementations Fail.” Could Strategy, 6 May 2015. Web.

    Hastie, Shane, and Stéphane Wojewoda. “Standish Group 2015 Chaos Report.” InfoQ, 4 October 2015. Web.

    “How to Manage Change in the Implementation of an ITSM Software.” C2, 20 April 2015. Web.

    Lockwood, Meghan. “First Look: Annual ServiceNow Insight and Vision Executive Summary [eBook].” Acorio, 31 October 2019. Web.

    Mainville, David. “7 Steps to a Successful ITSM Tool Implementation.” Navvia, 2012. Web.

    Rae, Barclay. “Preparing for ITSM Tool Implementation.” Joe the IT Guy, 24 June 2015. Web.

    Rae, Barclay. “Successful ITSM Tool Implementation.” BrightTALK, 9 May 2013. Webcast.

    Rumburg, Jeffrey. “Metric of the Month: Agent Training Hours.” MetricNet, 2012. Web.

    Threat Preparedness Using MITRE ATT&CK®

    • Buy Link or Shortcode: {j2store}252|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • To effectively protect your business interests, you need to be able to address what the most pressing vulnerabilities in your network are. Which attack vectors should you model first? How do you adequately understand your threat vectors when attacks continually change and adapt?
    • Security can often be asked the world but given a minimal budget with which to accomplish it.
    • Security decisions are always under pressure from varying demands that pull even the most well-balanced security team in every direction.
    • Adequately modeling any and every possible scenario is ineffective and haphazard at best. Hoping that you have chosen the most pressing attack vectors to model will not work in the modern day of threat tactics.

    Our Advice

    Critical Insight

    • Precision is critical to being able to successfully defend against threats.
      • Traditional threat modeling such as STRIDE or PASTA is based on a spray-and-pray approach to identifying your next potential threat vector. Instead, take a structured risk-based approach to understanding both an attacker’s tactics and how they may be used against your enterprise. Threat preparedness requires precision, not guesswork.
    • Knowing is half the battle.
      • You may be doing better than you think. Undoubtedly, there is a large surface area to cover with threat modeling. By preparing beforehand, you can separate what’s important from what’s not and identify which attack vectors are the most pressing for your business.
    • Be realistic and measured.
      • Do not try to remediate everything. Some attack vectors and approaches are nearly impossible to account for. Take control of the areas that have reasonable mitigation methods and act on those.
    • Identify blind spots.
      • Understand what is out there and how other enterprises are being attacked and breached. See how you stack up to the myriad of attack tactics that have been used in real-life breaches and how prepared you are. Know what you’re ready for and what you’re not ready for.
    • Analyze the most pressing vectors.
      • Prioritize the attack vectors that are relevant to you. If an attack vector is an area of concern for your business, start there. Do not cover the entire tactics list if certain areas are not relevant.
    • Detection and mitigation lead to better remediation.
      • For each relevant tactic and techniques, there are actionable detection and mitigation methods to add to your list of remediation efforts.

    Impact and Result

    Using the MITRE ATT&CK® framework, Info-Tech’s approach helps you understand your preparedness and effective detection and mitigation actions.

    • Learn about potential attack vectors and the techniques that hostile actors will use to breach and maintain a presence on your network.
    • Analyze your current protocols versus the impact of an attack technique on your network.
    • Discover detection and mitigation actions.
    • Create a prioritized series of security considerations, with basic actionable remediation items. Plan your next threat model by knowing what you’re vulnerable to.
    • Ensure business data cannot be leaked or stolen.
    • Maintain privacy of data and other information.
    • Secure the network connection points.
    • Mitigate risks with the appropriate services.

    This blueprint and associated tool are scalable for all types of organizations within various industry sectors, allowing them to know what types of risk they are facing and what security services are recommended to mitigate those risks.

    Threat Preparedness Using MITRE ATT&CK® Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why threat preparedness is a crucial first step in defending your network against any attack type. Review Info-Tech’s methodology and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Attack tactics and techniques

    Review a breakdown of each of the various attack vectors and their techniques for additional context and insight into the most prevalent attack tactics.

    • Threat Preparedness Using MITRE ATT&CK® – Phase 1: Attack Tactics and Techniques

    2. Threat Preparedness Workbook mapping

    Map your current security protocols against the impacts of various techniques on your network to determine your risk preparedness.

    • Threat Preparedness Using MITRE ATT&CK® – Phase 2: Threat Preparedness Workbook Mapping
    • Enterprise Threat Preparedness Workbook

    3. Execute remediation and detective measures

    Use your prioritized attack vectors to plan your next threat modeling session with confidence that the most pressing security concerns are being addressed with substantive remediation actions.

    • Threat Preparedness Using MITRE ATT&CK® – Phase 3: Execute Remediation and Detective Measures
    [infographic]

    Assess Your Cybersecurity Insurance Policy

    • Buy Link or Shortcode: {j2store}255|cart{/j2store}
    • member rating overall impact (scale of 10): 9.1/10 Overall Impact
    • member rating average dollars saved: $33,656 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations must adapt their information security programs to accommodate insurance requirements.
    • Organizations need to reduce insurance costs.
    • Some organizations must find alternatives to cyber insurance.

    Our Advice

    Critical Insight

    • Shopping for insurance policies is not step one.
    • First and foremost, we must determine what the organization is at risk for and how much it would cost to recover.
    • The cyber insurance market is still evolving. As insurance requirements change, effectively managing cyber insurance requires that your organization proactively manages risk.

    Impact and Result

    Perform an insurance policy comparison with scores based on policy coverage and exclusions.

    Assess Your Cybersecurity Insurance Policy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Cybersecurity Insurance Policy Storyboard - A step-by-step document that walks you through how to acquire cyber insurance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.

    • Assess Your Cybersecurity Insurance Policy Storyboard

    2. Acquire cyber insurance with confidence – Learn the essentials of the requirements gathering, policy procurement, and review processes.

    Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.

    • Threat and Risk Assessment Tool
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • DRP BIA Scoring Context Example
    • Cyber Insurance Policy Comparison Tool
    • Cyber Insurance Controls Checklist

    Infographic

    Develop a Targeted Flexible Work Program for IT

    • Buy Link or Shortcode: {j2store}542|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $18,909 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • Workplace flexibility continues to be top priority for IT employees. Organizations who fail to offer flexibility will have a difficult time attracting, recruiting, and retaining talent.
    • When the benefits of remote work are not available to everyone, this raises fairness and equity concerns.

    Our Advice

    Critical Insight

    IT excels at hybrid location work and is more effective as a business function when location flexibility is an option for its employees. But hybrid work is just a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent.

    Impact and Result

    • Uncover the needs of unique employee segments to shortlist flexible work options that employees want and will use.
    • Assess the feasibility of various flexible work options and select ones that meet employee needs and are feasible for the organization.
    • Equip leaders with the information and tools needed to implement and sustain a flexible work program.

    Develop a Targeted Flexible Work Program for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess employee and organizational flexibility needs

    Identify prioritized employee segments, flexibility challenges, and the desired state to inform program goals.

    • Develop a Targeted Flexible Work Program for IT – Phases 1-3
    • Talent Metrics Library
    • Targeted Flexible Work Program Workbook
    • Fast-Track Hybrid Work Program Workbook

    2. Identify potential flex options and assess feasibility

    Review, shortlist, and assess the feasibility of common types of flexible work. Identify implementation issues and cultural barriers.

    • Flexible Work Focus Group Guide
    • Flexible Work Options Catalog

    3. Implement selected option(s)

    Equip managers and employees to adopt flexible work options while addressing implementation issues and cultural barriers and aligning HR programs.

    • Guide to Flexible Work for Managers and Employees
    • Flexible Work Time Policy
    • Flexible Work Time Off Policy
    • Flexible Work Location Policy

    Infographic

    Workshop: Develop a Targeted Flexible Work Program for IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare to Assess Flex Work Feasibility

    The Purpose

    Gather information on organizational and employee flexibility needs.

    Key Benefits Achieved

    Understand the flexibility needs of the organization and its employees to inform a targeted flex work program.

    Activities

    1.1 Identify employee and organizational needs.

    1.2 Identify employee segments.

    1.3 Establish program goals and metrics.

    1.4 Shortlist flexible work options.

    Outputs

    Organizational context summary

    List of shortlisted flex work options

    2 Assess Flex Work Feasibility

    The Purpose

    Perform a data-driven feasibility analysis on shortlisted work options.

    Key Benefits Achieved

    A data-driven feasibility analysis ensures your flex work program meets its goals.

    Activities

    2.1 Conduct employee/manager focus groups to assess feasibility of flex work options.

    Outputs

    Summary of flex work options feasibility per employee segment

    3 Finalize Flex Work Options

    The Purpose

    Select the most impactful flex work options and create a plan for addressing implementation challenge

    Key Benefits Achieved

    A data-driven selection process ensures decisions and exceptions can be communicated with full transparency.

    Activities

    3.1 Finalize list of approved flex work options.

    3.2 Brainstorm solutions to implementation issues.

    3.3 Identify how to overcome cultural barriers.

    Outputs

    Final list of flex work options

    Implementation barriers and solutions summary

    4 Prepare for Implementation

    The Purpose

    Create supporting materials to ensure program implementation proceeds smoothly.

    Key Benefits Achieved

    Employee- and manager-facing guides and policies ensure the program is clearly documented and communicated.

    Activities

    4.1 Design employee and manager guide prototype.

    4.2 Align HR programs and policies to support flexible work.

    4.3 Create a communication plan.

    Outputs

    Employee and manager guide to flexible work

    Flex work roadmap and communication plan

    5 Next Steps and Wrap-Up

    The Purpose

    Put everything together and prepare to implement.

    Key Benefits Achieved

    Our analysts will support you in synthesizing the workshop’s efforts into a cohesive implementation strategy.

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed flexible work feasibility workbook

    Flexible work communication plan

    Further reading

    Develop a Targeted Flexible Work Program for IT

    Select flexible work options that balance organizational and employee needs to drive engagement and improve attraction and retention.

    Executive Summary

    Your Challenge

    • IT leaders continue to struggle with workplace flexibility, and it is a top priority for IT employees; as a result, organizations who fail to offer flexibility will have a difficult time attracting, recruiting, and retaining talent.
    • The benefits of remote work are not available to everyone, raising fairness and equity concerns for employees.

    Common Obstacles

    • A one-size-fits-all approach to selecting and implementing flexible work options fails to consider unique employee needs and will not reap the benefits of offering a flexible work program (e.g. higher engagement or enhanced employer brand).
    • Improper structure and implementation of flexible work programs exacerbates existing challenges (e.g. high turnover) or creates new ones.

    Info-Tech's Approach

    • Uncover the needs of unique employee segments to shortlist flexible work options that employees want and will use.
    • Assess the feasibility of various flexible work options and select ones that meet employee needs and are feasible for the organization.
    • Equip leaders with the information and tools needed to implement and sustain a flexible work program.

    Info-Tech Insight

    IT excels at hybrid location work and is more effective as a business function when location flexibility is an option for its employees. But hybrid work is just a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent.

    Flexible work arrangements are a requirement in today's world of work

    Flexible work continues to gain momentum…

    A 2022 LinkedIn report found that the following occurred between 2019 and 2021:

    +362%

    Increase in LinkedIn members sharing content with the term "flexible work."

    +83%

    Increase in job postings that mention "flexibility."
    (LinkedIn, 2022)

    In 2022, Into-Tech found that hybrid was the most commonly used location work model for IT across all industries.

    ("State of Hybrid Work in IT," Info-Tech Research Group, 2022)

    …and employees are demanding more flexibility

    90%

    of employees said they want schedule and location flexibility ("Global Employee Survey," EY, 2021).

    17%

    of resigning IT employees cited lack of flexible work options as a reason ("IT Talent Trends 2022," Info-Tech Research Group, 2022).

    71%

    of executives said they felt "pressure to change working models and adapt workplace policies to allow for greater flexibility" (LinkedIn, 2021).

    Therefore, organizations who fail to offer flexibility will be left behind

    Difficulty attracting and retaining talent

    98% of IT employees say flexible work options are important in choosing an employer ("IT Talent Trends 2022," Info-Tech Research Group, 2022).

    Worsening employee wellbeing and burnout

    Knowledge workers with minimal to no schedule flexibility are 2.2x more likely to experience work-related stress and are 1.4x more likely to suffer from burnout (Slack, 2022; N=10,818).

    Offering workplace flexibility benefits organizations and employees

    Higher performance

    IT departments that offer some degree of location flexibility are more effective at supporting the organization than those who do not.

    35% of service desk functions report improved service since implementing location flexibility.
    ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    Enhanced employer brand

    Employees are 2.1x more likely to recommend their employer to others when they are satisfied with their organization's flexible work arrangements (LinkedIn, 2021).

    Improved attraction

    41% of IT departments cite an expanded hiring pool as a key benefit of hybrid work.

    Organizations that mention "flexibility" in their job postings have 35% more engagement with their posts (LinkedIn, 2022).

    Increased job satisfaction

    IT employees who have more control over their working arrangement experience a greater sense of contribution and trust in leadership ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    Better work-life balance

    81% of employees say flexible work will positively impact their work-life balance (FlexJobs, 2021).

    Boosted inclusivity

    • Caregivers regardless of gender, supporting them in balancing responsibilities
    • Individuals with disabilities, enabling them to work from the comfort of their homes
    • Women who may have increased responsibilities
    • Women of color to mitigate the emotional tax experienced at work

    Info-Tech Insight

    Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.

    Despite the popularity of flexible work options, not all employees can participate

    IT organizations differ on how much flexibility different roles can have.

    IT employees were asked what percentage of IT roles were currently in a hybrid or remote work arrangement ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    However, the benefits of remote work are not available to all, which raises fairness and equity concerns between remote and onsite employees.

    45%

    of employers said, "one of the biggest risks will be their ability to establish fairness and equity among employees when some jobs require a fixed schedule or location, creating a 'have and have not' dynamic based on roles" ("Businesses Suffering," EY, 2021).

    Offering schedule flexibility to employees who need to be fully onsite can be used to close the fairness and equity gap.

    When offered the choice, 54% of employees said they would choose schedule flexibility over location flexibility ("Global Employee Survey," EY, 2021).

    When employees were asked "What choice would you want your employer to provide related to when you have to work?" The top three choices were:

    68%

    Flexibility on when to start and finish work

    38%

    Compressed or four-day work weeks

    33%

    Fixed hours (e.g. 9am to 5pm)

    Disclaimer: "Percentages do not sum to 100%, as each respondent could choose up to three of the [five options provided]" ("Global Employee Survey," EY, 2021).

    Beware of the "all or nothing" approach

    There is no one-size-fits-all approach to workplace flexibility.

    Understanding the needs of various employee segments in the organization is critical to the success of a flexible work program.

    Working parents want more flexibility

    82%

    of working mothers desire flexibility in where they work.

    48%

    of working fathers "want to work remotely 3 to 5 days a week."

    Historically underrepresented groups value more flexibility

    38%

    "Thirty-eight percent of Black male employees and 33% of Black female employees would prefer a fully flexible schedule, compared to 25% of white female employees and 26% of white male employees."
    (Slack, 2022; N=10,818)

    33%

    Workplace flexibility must be customized to the organization to avoid longer working hours and heavy workloads that impact employee wellbeing

    84%

    of remote workers and 61% of onsite workers reported working longer hours post pandemic. Longer working hours were attributed to reasons such as pressure from management and checking emails after working hours (Indeed, 2021).

    2.6x

    Respondents who either agreed or strongly agreed with the statement "Generally, I find my workload reasonable" were 2.6x more likely to be engaged compared to those who stated they disagreed or strongly disagreed (McLean & Company Engagement Survey Database;2022; N=5,615 responses).

    Longer hours and unsustainable workloads can contribute to stress and burnout, which is a threat to employee engagement and retention. With careful management (e.g. setting clear expectations and establishing manageable workloads), flexible work arrangement benefits can be preserved.

    Info-Tech Insight

    Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.

    Develop a flexible work program that meets employee and organizational needs

    This is an image of a sample flexible work program which meets employee and organizational needs.

    Insight summary

    Overarching insight: IT excels at hybrid location work and is more effective as a business function when location, time, and time-off flexibility are an option for its employees.

    Introduction

    Step 1 insight

    Step 2 insight

    Step 3 insight

    • Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.
    • Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.
    • Flexible work benefits everyone. IT employees experience greater engagement, motivation, and company loyalty. IT organizations realize benefits such as better service coverage, reduced facilities costs, and increased productivity.
    • Hybrid work is a start. A comprehensive flex work program extends beyond flexible location to flexible time and time off. Organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.
    • No two employee segments are the same. To be effective, flexible work options must align with the expectations and working processes of each segment.
    • Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future proofing your organization.
    • Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization, or if the cost of the option is too high, it will not support the long-term success of the organization.
    • Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.
    • Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.
    • Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.
    • A set of formal guidelines for IT ensures flexible work is:
      1. Administered fairly across all IT employees.
      2. Defensible and clear.
      3. Scalable to the rest of the organization.

    Case Study

    Expanding hybrid work at Info-Tech

    Challenge

    In 2020, Info-Tech implemented emergency work-from-home for its IT department, along with the rest of the organization. Now in 2023, hybrid work is firmly embedded in Info-Tech's culture, with plans to continue location flexibility for the foreseeable future.

    Adjusting to the change came with lessons learned and future-looking questions.

    Lessons Learned

    Moving into remote work was made easier by certain enablers that had already been put in place. These included issuing laptops instead of desktops to the user base and using an existing cloud-based infrastructure. Much support was already being done remotely, making the transition for the support teams virtually seamless.

    Continuing hybrid work has brought benefits such as reduced commuting costs for employees, higher engagement, and satisfaction among staff that their preferences were heard.

    Looking Forward

    Every flexible work implementation is a work in progress and must be continually revisited to ensure it continues to meet organizational and employee needs. Current questions being explored at Info-Tech are:

    • The concept of the "office as a tool" – how does use of the office change when it is used for specific collaboration-related tasks, rather than everything? How should the physical space change to support this?
    • What does a viable replacement for quick hallway meetings look like in a remote world where communication is much more deliberate? How can managers adjust their practices to ensure the benefits of informal encounters aren't lost?

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Preparation

    Step 1

    Step 2

    Step 3

    Follow-up

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Assess employee and organizational needs.

    Call #3: Shortlist flex work options and assess feasibility.

    Call #4: Finalize flex work options and create rollout plan.

    Call #5: (Optional) Review rollout progress or evaluate pilot success.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 3 to 5 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Activities

    Prepare to assess flex work feasibility

    Assess flex work feasibility

    Finalize flex work options

    Prepare for implementation

    Next Steps and Wrap-Up (offsite)

    1.1 Identify employee and organizational needs.

    1.2 Identify employee segments.

    1.3 Establish program goals and metrics.

    1.4 Shortlist flex work options.

    2.1 Conduct employee/manager focus groups to assess feasibility of flex work options.

    3.1 Finalize list of approved flex work options.

    3.2 Brainstorm solutions to implementation issues.

    3.2 Identify how to overcome cultural barriers.

    4.1 Design employee and manager guide prototype.

    4.2 Align HR programs and policies to support flexible work.

    4.3 Create a communication plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Organizational context summary
    2. List of shortlisted flex work options
    1. Summary of flex work options' feasibility per employee segment
    1. 1.Final list of flex work options
    2. 2.Implementation barriers and solutions summary
    1. Employee and manager guide to flexible work
    2. Flex work roadmap and communication plan
    1. Completed flexible work feasibility workbook
    2. Flexible work communication plan

    Step 1

    Assess employee and organizational needs

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step you will have:

    • Identified key stakeholders and their responsibilities
    • Uncovered the current and desired state of the organization
    • Analyzed feedback to identify flexibility challenges
    • Identified and prioritized employee segments
    • Determined the program goals
    • Identified the degree of flexibility for work location, timing, and deliverables

    Identify key stakeholders

    Organizational flexibility requires collaborative and cross-functional involvement to determine which flexible options will meet the needs of a diverse workforce. HR leads the project to explore flexible work options, while other stakeholders provide feedback during the identification and implementation processes.

    HR

    • Assist with the design, implementation, and maintenance of the program.
    • Provide managers and employees with guidance to establish successful flexible work arrangements.
    • Help develop communications to launch and maintain the program.

    Senior Leaders

    • Champion the project by modeling and promoting flexible work options
    • Help develop and deliver communications; set the tone for flexible work at the organization.
    • Provide input into determining program goals.

    Managers

    • Model flexible work options and encourage direct reports to request and discuss options.
    • Use flexible work program guidelines to work with direct reports to select suitable flexible work options.
    • Develop performance metrics and encourage communication between flexible and non-flexible workers.

    Flexible Workers

    • Indicate preferences of flexible work options to the manager.
    • Identify ways to maintain operational continuity and communication while working flexibly.
    • Flag issues and suggest improvements to the manager.
    • Develop creative ways to work with colleagues who don't work flexibly.

    Non-Flexible Workers

    • Share feedback on issues with flexible arrangements and their impact on operational continuity.

    Info-Tech Insight

    Flexible work is a holistic team effort. Leaders, flexible workers, teammates, and HR must clearly understand their roles to ensure that teams are set up for success.

    Uncover the current and desired state of flexibility in the organization

    Current State

    Target State

    Review:

    • Existing policies related to flexibility (e.g. vacation, work from anywhere)
    • Existing flexibility programs (e.g. seasonal hours) and their uptake
    • Productivity of employees
    • Current culture at the organization. Look for:
      • Employee autonomy
      • Reporting structure and performance management processes
      • Trust and psychological safety of employees
      • Leadership behavior (e.g. do leaders model work-life balance, or does the organization have a work 24/7 mentality?)

    Identify what is driving the need for flexible work options. Ask:

    • Why does the organization need flexible options?
      • For example, the introduction of flexibility for some employees has created a "have and have not" dynamic between roles that must be addressed.
    • What does the organization hope to gain from implementing flexible options? For example:
      • Improved retention
      • Increased attraction, remaining competitive for talent
      • Increased work-life balance for employees
      • Reduced burnout
    • What does the organization aspire to be?
      • For example, an organization that creates an environment that values output, not face time.

    These drivers identify goals for the organization to achieve through targeted flexible work options.

    Info-Tech Insight

    Hybrid work is a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.

    Identify employee segments

    Using the data, feedback, and challenges analyzed and uncovered so far, assess the organization and identify employee segments.

    Identify employee segments with common characteristics to assess if they require unique flexible work options. Assess the feasibility options for the segments separately in Step 2.

    • Segments' unique characteristics include:
      • Role responsibilities (e.g. interacting with users, creating reports, development and testing)
      • Work location/schedule (e.g. geographic, remote vs. onsite, 9 to 5)
      • Work processes (e.g. server maintenance, phone support)
      • Group characteristics (e.g. specific teams, new hires)

    Identify employee segments and sort them into groups based on the characteristics above.

    Examples of segments:

    • Functional area (e.g. Service Desk, Security)
    • Job roles (e.g. desktop support, server maintenance)
    • Onsite, remote, or hybrid
    • Full-time or part-time
    • Job level (e.g. managers vs. independent contributors)
    • Employees with dependents

    Prioritize employee segments

    Determine whether the organization needs flexible work options for the entire organization or specific employee segments.
    For specific employee segments:

    • Answer the questions on the right to identify whether an employee segment is high, medium, or low priority. Complete slides 23 to 25 for each high-priority segment, repeating the process for medium-priority segments when resources allow.

    For the entire organization:

    • When identifying an option for the entire organization, consider all segments. The approach must create consistency and inclusion; keep this top of mind when identifying flexibility on slides 23 to 25. For example, the work location flexibility would be low in an organization where some segments can work remotely and others must be onsite due to machinery requirements.

    High priority: The employee segment has the lowest engagement scores or highest turnover within the organization. Segment sentiment is that current flexibility is nonexistent or not sufficiently meeting needs.
    Medium priority: The employee segment has low engagement or high turnover. Segment sentiment is that currently available flexibility is minimal or not sufficiently meeting needs.
    Low priority: The segment does not have the lowest engagement or the highest turnover rate. Segment sentiment is that currently available flexibility is sufficiently meeting needs.

    1. What is the impact on the organization if this segment's challenges aren't addressed (e.g. if low engagement and high turnover are not addressed)?
    2. How critical is flexibility to the segment's needs/engagement?
    3. How time sensitive is it to introduce flexibility to this segment (e.g. is the organization losing employees in this segment at a high rate)?
    4. Will providing flexibility to this segment increase organizational productivity or output

    Identify challenges to address with flexibility

    Uncover the lived experiences and expectations of employees to inform selection of segments and flexible options.

    1. Collect data from existing sources, such as:
      • Engagement surveys
      • New hire/exit surveys
      • Employee experience monitor surveys
      • Employee retention pulse surveys
      • Burnout surveys
      • DEI pulse surveys
    2. Analyze employee feedback on experiences with:
      • Work duties
      • Workload
      • Work-life balance
      • Operating processes and procedures
      • Achieving operational outcomes
      • Collaboration and communication
      • Individual experience and engagement
    3. Evaluate the data and identify challenges

    Example challenges:

    • Engagement: Low average score on work-life balance question; flexible work suggested in open-ended responses.
    • Retention: Exit survey indicating that lack of work-life balance is consistently a reason employees leave. Include the cost of turnover (e.g. recruitment, training, severance).
    • Burnout: Feedback from employees through surveys or HR business partner anecdotes indicating high burnout; high usage of wellness services or employee assistance programs.
    • Absenteeism: High average number of days employees were absent in the past year. Include the cost of lost productivity.
    • Operational continuity: Provide examples of when flexible work would have enabled operational continuity in the case of disaster or extended customer service coverage.
    • Program uptake: If the organization already has a flexible work program, provide data on the low proportion of eligible employees using available options.

    1.1 Prepare to evaluate flexible work options

    1-3 hours

    Follow the guidance on preceding slides to complete the following activities.
    Note: If you are only considering remote or hybrid work, use the Fast-Track Hybrid Work Program Workbook. Otherwise, proceed with the Targeted Flexible Work Program Workbook.

    1. Identify key stakeholders. Be sure to record the level of involvement and responsibility expected from each stakeholder. Use the "Stakeholders" tab of the workbook.
    2. Uncover current and desired state. Review and record your current state with respect to culture, productivity, and current flexible work options, if any. Next, record your desired future state, including reasons for implementing flexible work, and goals for the program. Record this in the "Current and Desired State" tab of the workbook.
    3. Identify and prioritize employee segments. Identify and record employee segments. Depending on the size of your department, you may identify a few or many. Be as granular as necessary to fully separate employee groups with different needs. If your resources or needs prevent you from rolling out flexible work to the entire department, record the priority level of each segment so you can focus on the highest priority first.
    4. Identify challenges with flexibility. With each employee segment in mind, analyze your available data to identify and record each segment's main challenges regarding flexible work. These will inform your program goals and metrics.

    Download the Targeted Flexible Work Program Workbook

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • List of departmental roles
    • Data on employee engagement, productivity, sentiment regarding flexible work, etc.

    Output

    • List of stakeholders and responsibilities
    • Flexible work challenges and aims
    • Prioritized list of employee segments

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • IT department head
    • HR business partner
    • Flexible work program committee

    Determine goals and metrics for the flexible work program

    Sample program goals

    Sample metrics

    Increase productivity

    • Employee, team, and department key performance indicators (KPIs) before and after flexible work implementation
    • Absenteeism rate (% of lost working days due to all types of absence)

    Improve business satisfaction and perception of IT value

    Increase retention

    • % of exiting employees who cite lack of flexible work options or poor work-life balance as a reason they left
    • Turnover and retention rates

    Improve the employee value proposition (EVP) and talent attraction

    • # of responses on the new hire survey where flexible work options or work-life balance are cited as a reason for accepting an employment offer
    • # of views of career webpage that mentions flexible work program
    • Time-to-fill rates

    Improve engagement and work-life balance

    • Overall engagement score – deploy Info-Tech's Employee Engagement Diagnostics
    • Score for questions about work-life balance on employee engagement or pulse survey, including:
      • "I am able to maintain a balance between my work and personal life."
      • "I find my stress levels at work manageable."

    Info-Tech Insight

    Implementing flex work without solid performance metrics means you won't have a way of determining whether the program is enabling or hampering your business practices.

    1.2 Determine goals and metrics

    30 minutes

    Use the examples on the preceding slide to identify program goals and metrics:

    1. Brainstorm program goals. Be sure to consider both the business benefits (e.g. productivity, retention) and the employee benefits (work-life balance, engagement). A successful flexible work program benefits both the organization and its employees.
    2. Brainstorm metrics for each goal. Identify metrics that are easy to track accurately. Use Info-Tech's IT and HR metrics libraries for reference. Ideally, the metrics you choose should already exist in your organization so no extra effort will be necessary to implement them. It is also important to have a baseline measure of each one before flexible work is rolled out.
    3. Record your outputs on the "Goals and Metrics" tab of the workbook.

    Download the Targeted Flexible Work Program Workbook

    Download the IT Metrics Library

    Download the HR Metrics Library

    Input

    • Organizational and departmental strategy

    Output

    • List of program goals and metrics

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee

    Determine work location flexibility for priority segments

    Work location looks at where a segment can complete all or some of their tasks (e.g. onsite vs. remote). For each prioritized employee segment, evaluate the amount of location flexibility available.

    Work Duties

    Processes

    Operational Outcomes

    High degree of flexibility

    • Low dependence on onsite equipment
    • Work easily shifts to online platforms
    • Low dependence on onsite external interactions (e.g. clients, customers, vendors)
    • Low interdependence of work duties internally (most work is independent)
    • Work processes and expectations are or can be formally documented
    • Remote work processes are sustainable long term

    Most or all operational outcomes can be achieved offsite (e.g. products/service delivery not impacted by WFH)

    • Some dependence on onsite equipment
    • Some work can shift to online platforms
    • Some dependence on onsite external interactions
    • Some interdependence of work duties internally (collaboration is critical)
    • Most work processes and expectations have been or can be formally documented
    • Remote work processes are sustainable (e.g. workarounds can be supported and didn't add work)

    Some operational outcomes can be achieved offsite (e.g. some impact of WFH on product/service delivery)

    Low degree of flexibility

    • High dependence on onsite equipment
    • Work cannot shift to online platforms
    • High dependence on onsite external interactions
    • High interdependence of work duties internally (e.g. line work)
    • Few work processes and expectations can be formally documented
    • Work processes cannot be done remotely, and workarounds for remote work are not sustainable long term

    Operational outcomes cannot be achieved offsite (e.g. significant impairment to product/service delivery)

    Note

    If roles within the segment have differing levels of location flexibility, use the lowest results (e.g. if role A in the segment has a high degree of flexibility for work duties and role B has a low degree of flexibility, use the results for role B).

    Identify work timing for priority segments

    Work timing looks at when work can or needs to be completed (e.g. Monday to Friday, 9am to 5pm).

    Work Duties

    Processes

    Operational Outcomes

    High degree of flexibility

    • No need to be available to internal and/or external customers during standard work hours
    • Equipment is available at any time
    • Does not rely on synchronous (occurring at the same time) work duties internally
    • Work processes and expectations are or can be formally documented
    • Low reliance on collaboration
    • Work is largely asynchronous (does not occur at the same time)

    Most or all operational outcomes are not time sensitive

    • Must be available to internal and/or external customers during some standard work hours
    • Some reliance on synchronous work duties internally (collaboration is critical)
    • Most work processes and expectations have been or can be formally documented
    • Moderate reliance on collaboration
    • Some work is synchronous

    Some operational outcomes are time sensitive and must be conducted within set date or time windows

    Low degree of flexibility

    • Must be available to internal and/or external customers during all standard work hours (e.g. Monday to Friday 9 to 5)
    • High reliance on synchronous work duties internally (e.g. line work)
    • Few work processes and expectations can be formally documented
    • High reliance on collaboration
    • Most work is synchronous

    Most or all operational outcomes are time sensitive and must be conducted within set date or time windows

    Note

    With additional coordination, flex time or flex time off options are still possible for employee segments with a low degree of flexibility. For example, with a four-day work week, the segment can be split into two teams – one that works Monday to Thursday and one that works Tuesday to Friday – so that employees are still available for clients five days a week.

    Examine work deliverables for priority segments

    Work deliverables look at the employee's ability to deliver on their role expectations (e.g. quota or targets) and whether reducing the time spent working would, in all situations, impact the work deliverables (e.g. constrained vs. unconstrained).

    Work Duties

    Operational Outcomes

    High degree of flexibility

    • Few or no work duties rely on equipment or processes that put constraints on output (unconstrained output)
    • Employees have autonomy over which work duties they focus on each day
    • Most or all operational outcomes are unconstrained (e.g. a marketing analyst who builds reports and strategies for clients can produce more reports, produce better reports, or identify new strategies)
    • Work quota or targets are achievable even if working fewer hours
    • Some work duties rely on equipment or processes that put constraints on output
    • Employees have some ability to decide which work duties they focus on each day
    • Some operational outcomes are constrained or moderately unconstrained (e.g. an analyst build reports based on client data; while it's possible to find efficiencies and build reports faster, it's not possible to attain the client data any faster)
    • Work quota or targets may be achievable if working fewer hours

    Low degree of flexibility

    • Most or all work duties rely on equipment or processes that put constraints on output (constrained output)
    • Daily work duties are prescribed (e.g. a telemarketer is expected to call a set number of people per day using a set list of contacts and a defined script)
    • Most or all operational outcomes are constrained (e.g. a machine operator works on a machine that produces 100 parts an hour; neither the machine nor the worker can produce more parts)
    • Work quota or targets cannot be achieved if fewer hours are worked

    Note

    For segments with a low degree of work deliverable flexibility (e.g. very constrained output), flexibility is still an option, but maintaining output would require additional headcount.

    1.3 Determine flexibility needs and constraints

    1-2 hours

    Use the guidelines on the preceding slides to document the parameters of each work segment.

    1. Determine work location flexibility. Work location looks at where a segment can complete all or some of their tasks (e.g. onsite vs. remote). For each prioritized employee segment, evaluate the amount of location flexibility available.
    2. Identify work timing. Work timing looks at when work can or needs to be completed (e.g. Monday to Friday, 9am to 5pm).
    3. Examine work deliverables. Work deliverables look at the employee's ability to deliver on their role expectations (e.g. quota or targets) and whether reducing the time spent working would, in all situations, impact the work deliverables (e.g. constrained vs. unconstrained).
    4. Record your outputs on the "Current and Desired State" tab of the workbook.

    Download the Targeted Flexible Work Program Workbook

    Input

    • List of employee segments

    Output

    • Summary of flexibility needs and constraints for each employee segment

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Step 2

    Identify potential flex options and assess feasibility

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step you will have:

    • Created a shortlist of potential options for each prioritized employee segment
    • Evaluated the feasibility of each potential option
    • Determined the cost and benefit of each potential option
    • Gathered employee sentiment on potential options
    • Finalized options with senior leadership

    Prepare to identify and assess the feasibility of potential flexible work options

    First, review the Flexible Work Solutions Catalog

    Before proceeding to the next slide, review the Flexible Work Options Catalog to identify and shortlist five to seven flexible work options that are best suited to address the challenges faced for each of the priority employee segments identified in Step 1.

    Then, assess the feasibility of implementing selected options using slides 29 to 32

    Assess the feasibility of implementing the shortlisted solutions for the prioritized employee segments against the feasibility factors in this step. Repeat for each employee segment. Use the following slides to consult with and include leaders when appropriate.

    • Document your analysis in tabs 6 to 8 of the Targeted Flexible Work Program Workbook.
    • Note implementation issues throughout the assessment and record them in the tool. They will be addressed in Step 3: Implement Selected Program(s). Don't rule out an option simply because it presents some challenges; careful implementation can overcome many challenges.
    • At the end of this step, determine the final list of flexible work options and gain approval from senior leaders for implementation.

    Evaluate feasibility by reviewing the option's impact on continued operations and job performance

    Operational coverage

    Synchronous communication

    Time zones

    Face-to-face

    communication

    To what extent are employees needed to deliver products or services?

    • If constant customer service is required, stagger employees' schedules (e.g. one team works Monday-Thursday while another works Tuesday-Friday).

    To what extent do employees need to communicate with each other synchronously?

    • Break the workflow down and identify times when employees do and do not have to work at the same time to communicate with each other.

    To what extent do employees need to coordinate work across time zones?

    • If the organization already operates in different time zones, ensure that the option does not impact operations requiring continuous coverage.
    • When employees are located in different time zones, coordinate schedules based on the other operational factors.

    When do employees need to interact with each other or clients in person?

    • Examine the workflow closely to identify times when face-to-face communication is not required. Schedule "office days" for employees to work together when in-person interaction is needed.
    • When the interaction is only required with clients, determine whether employees are able to meet clients offsite.

    Info-Tech Insight

    Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future-proof your organization.

    Assess the option's alignment with organizational culture

    Symbols

    Values

    Behaviors

    How supportive of flexible work are the visible aspects of the organization's culture?

    • For example, the mission statement, newsletters, or office layout.
    • Note: Visible elements will need to be adapted to ensure they reinforce the value of the flexible work option.

    How supportive are both the stated and lived values of the organization?

    • When the flexible work option includes less direct supervision, assess how empowered employees feel to make decisions.
    • Assess whether all types of employees (e.g. virtual) are included, valued, and supported.

    How supportive are the attitudes and behaviors, especially of leaders?

    • Leaders set the expectations for acceptable behaviors in the organization. Determine how supportive leaders are toward flexible workers by examining their attitudes and perceptions.
    • Identify if employees are open to different ways of doing work.

    Determine the resources required for the option

    People

    Process

    Technology

    Do employees have the knowledge, skills, and abilities to adopt this option?

    • Identify any areas (e.g. process, technology) employees will need to be trained on and assess the associated costs.
    • Determine whether the option will require additional headcount to ensure operational continuity (e.g. two part-time employees in a job-sharing arrangement) and calculate associated costs (e.g. recruitment, training, benefits).

    How much will work processes need to change?

    • Interview organizational leaders with knowledge of the employee segment's core work processes. Determine whether a significant change will be required.
    • If a significant change is required, evaluate whether the benefits of the option outweigh the costs of the process and behavioral change (see the "net benefit" factor on slide 33).

    What new technologies will be required?

    • Identify the technology (e.g. that supports communication, work processes) required to enable the flexible work option.
    • Note whether existing technology can be used or additional technology will be required, and further investigate the viability and costs of these options.

    Examine the option's risks

    Data

    Health & Safety

    Legal

    How will data be kept secure?

    • Determine whether the organization's data policy and technology covers employees working remotely or other flexible work options.
    • If the employee segment handles sensitive data (e.g. personal employee information), consult relevant stakeholders to determine how data can be kept secure and assess any associated costs.

    How will employees' health and safety be impacted?

    • Consult your organization's legal counsel to determine whether the organization will be liable for the employees' health and safety while working from home or other locations.
    • Determine whether the organization's policies and processes will need to be modified.

    What legal risks might be involved?

    • Identify any policies in place or jurisdictional requirements to avoid any legal risks. Consult your organization's legal counsel about the situations below.
      • If the option causes significant changes to the nature of jobs, creating the risk of constructive dismissal.
      • If there are any risks to providing less supervision (e.g. higher chance of harassment).
      • When only some employee segments are eligible for the option, determine whether there is a risk of inequitable access.
      • If the option impacts any unionized employees or collective agreements.

    Determine whether the benefits of the option outweigh the costs

    Include senior leadership in the net benefit process to ensure any unfeasible options are removed from consideration before presenting to employees.

    1. Document the employee and employer benefits of the option from the previous feasibility factors on slides 29 to 32.
    • Include the benefits of reaching program goals identified in Step 1.
    • Quantify the benefits in dollar value where possible.
  • Document the costs and risks of the option, referring to the costs noted from previous feasibility factors.
    • Quantify the costs in dollar value where possible.
  • Compare the benefits and costs.
    • Add an option to your final list if the benefits are greater than the costs.
  • This is an image of a table with the main heading being Net Benefit, with the following subheadings: Benefits to organization; Benefits to employees; Costs.

    Info-Tech Insight

    Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization as a whole, or if the cost of the option is too high, it will not support the long-term success of the organization.

    2.1a Identify and evaluate flexible work options

    30 minutes per employee segment per work option

    If you are only considering hybrid or remote work, skip to activity 2.1b. Use the guidelines on the preceding slides to conduct feasibility assessments.

    1. Shortlist flexible work options. Review the Flexible Work Options Catalog to identify and shortlist five to seven flexible work options that are best suited to address the challenges faced for each of the priority employee segments. Record these on the "Options Shortlist" tab of the workbook. Even if the decision is simple, ensure you record the rationale to help communicate your decision to employees. Transparent communication is the best way to avoid feelings of unfairness if desired work options are not implemented.
    2. Evaluate option feasibility. For each of the shortlisted options, complete one "Feasibility - Option" tab in the workbook. Make as many copies of this tab as needed.
      • When evaluating each option, consider each employee segment individually as you work through the prompts in the workbook. You may find that segments differ greatly in the feasibility of various types of flexible work. You will use this information to inform your overall policy and any exceptions to it.
      • You may need to involve each segment's management team to get an accurate picture of day-to-day responsibilities and flexible work feasibility.
    3. Weigh benefits and costs. At the end of each flexible work option evaluation, record the anticipated costs and benefits. Discuss whether this balance renders the option viable or rules it out.

    Download the Targeted Flexible Work Program Workbook

    Download the Flexible Work Options Catalog

    Input

    • List of employee segments

    Output

    • Shortlist of flexible work options
    • Feasibility analysis for each work option

    Materials

    • Targeted Flexible Work Program Workbook
    • Flexible Work Options Catalog

    Participants

    • Flexible work program committee
    • Employee segment managers

    2.1b Assess hybrid work feasibility

    30 minutes per employee segment

    Use the guidelines on the preceding slides to conduct a feasibility assessment. This exercise relies on having trialed hybrid or remote work before. If you have never implemented any degree of remote work, consider completing the full feasibility assessment in activity 2.1a.

    1. Evaluate hybrid work feasibility. Review the feasibility prompts on the "Work Unit Remote Work Assessment" tab and record your insight for each employee segment.
      • When evaluating each option, consider each employee segment individually as you work through the prompts in the workbook. You may find that segments differ greatly in their ability to accommodate hybrid work. You will use this information to inform your overall policy and any exceptions to it.
      • You may need to involve each segment's management team to get an accurate picture of day-to-day responsibilities and hybrid work feasibility.

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • List of employee segments

    Output

    • Feasibility analysis for each work option

    Materials

    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Ask employees which options they prefer and gather feedback for implementation

    Deliver a survey and/or conduct focus groups with a selection of employees from all prioritized employee segments.

    Share

    • Present your draft list of options to select employees.
    • Communicate that the organization is in the process of assessing the feasibility of flexible work options and would like employee input to ensure flex work meets needs.
    • Be clear that the list is not final or guaranteed.

    Ask

    • Ask which options are preferred more than others.
    • Ask for feedback on each option – how could it be modified to meet employee needs better? Use this information to inform implementation in Step 3.

    Decide

    • Prioritize an option if many employees indicated an interest in it.
    • If employees indicate no interest in an option, consider eliminating it from the list, unless it will be required. There is no value in providing an option if employees won't use it.

    Survey

    • List the options and ask respondents to rate each on a Likert scale from 1 to 5.
    • Ask some open-ended questions with comment boxes for employee suggestions.

    Focus Group

    • Conduct focus groups to gather deeper feedback.
    • See Appendix I for sample focus group questions.

    Info-Tech Insight

    Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.

    Finalize options list with senior leadership

    1. Select one to three final options and outline the details of each. Include:
      • Scope: To what extent will the option be applied? E.g. work-from-home one or two days a week.
      • Eligibility: Which employee segments are eligible?
      • Cost: What investment will be required?
      • Critical implementation issues: Will any of the implementation issues identified for each feasibility factor impact whether the option will be approved?
      • Resources: What additional resources will be required (e.g. technology)?
    2. Present the options to stakeholders for approval. Include:
      • An outline of the finalized options, including what the option is and the scope, eligibility, and critical implementation issues.
      • The feasibility assessment results, including benefits, costs, and employee preferences. Have more detail from the other factors ready if leaders ask about them.
      • The investment (cost) required to implement the option.
    3. Proceed to Step 3 to implement approved options.

    Running an IT pilot of flex work

    • As a technology department, IT typically doesn't own flexible work implementation for the entire organization. However, it is common to trial flexible work options for IT first, before rolling out to the entire organization.
    • During a flex work pilot, ensure you are working closely with HR partners, especially regarding regulatory and compliance issues.
    • Keep the rest of the organizational stakeholders in the loop, especially regarding their agreement on the metrics by which the pilot's success will be evaluated.

    2.2a Finalize flexible work options

    2-3 hours + time to gather employee feedback

    If you are only considering hybrid or remote work, skip to activity 2.2b. Use the guidelines on the preceding slides to gather final feedback and finalize work option selections.

    1. Gather employee feedback. If employee preferences are already known, skip this step. If they are not, gather feedback to ascertain whether any of the shortlisted options are preferred. Remember that a successful flexible work program balances the needs of employees and the business, so employee preference is a key determinant in flexible work program success. Document this on the "Employee Preferences" tab of the workbook.
    2. Finalize flexible work options. Use your notes on the cost-benefit balance for each option, along with employee preferences, to decide whether the move forward with it. Record this decision on the "Options Final List" tab. Include information about eligible employee segments and any implementation challenges that came up during the feasibility assessments. This is the final decision summary that will inform your flexible program parameters and policies.

    Download the Targeted Flexible Work Program Workbook

    Input

    • Flexible work options shortlist

    Output

    • Final flexible work options list

    Materials

    • Targeted Flexible Work Program Workbook

    Participants

    • Flexible work program committee

    2.2b Finalize hybrid work parameters

    2-3 hours + time to gather employee feedback

    Use the guidelines on the preceding slides to gather final feedback and finalize work option selections.

    1. Summarize feasibility analysis. On the "Program Parameters" tab, record the main insights from your feasibility analysis. Finalize important elements, including eligibility for hybrid/remote work by employee segment. Additionally, record the standard parameters for the program (i.e. those that apply to all employee segments) and variable parameters (i.e. ones that differ by employee segment).

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • Hybrid work feasibility analysis

    Output

    • Final hybrid work program parameters

    Materials

    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee

    Step 3

    Implement selected option(s)

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step, you will have:

    • Addressed implementation issues and cultural barriers
    • Equipped the organization to adopt flexible work options successfully
    • Piloted the program and assessed its success
    • Developed a plan for program rollout and communication
    • Established a program evaluation plan
    • Aligned HR programs to support the program

    Solve the implementation issues identified in your feasibility assessment

    1. Identify a solution for each implementation issue documented in the Targeted Flexible Work Program Workbook. Consider the following when identifying solutions:
      • Scope: Determine whether the solution will be applied to one or all employee segments.
      • Stakeholders: Identify stakeholders to consult and develop a solution. If the scope is one employee segment, work with organizational leaders of that segment. When the scope is the entire organization, consult with senior leaders.
      • Implementation: Collaborate with stakeholders to solve implementation issues. Balance the organizational and employee needs, referring to data gathered in Steps 1 and 2.

    Example:

    Issue

    Solution

    Option 1: Hybrid work

    Brainstorming at the beginning of product development benefits from face-to-face collaboration.

    Block off a "brainstorming day" when all team members are required in the office.

    Employee segment: Product innovation team

    One team member needs to meet weekly with the implementation team to conduct product testing.

    Establish a schedule with rotating responsibility for a team member to be at the office for product testing; allow team members to swap days if needed.

    Address cultural barriers by involving leaders

    To shift a culture that is not supportive of flexible work, involve leaders in setting an example for employees to follow.

    Misconceptions

    Tactics to overcome them

    • Flexible workers are less productive.
    • Flexible work disrupts operations.
    • Flexible workers are less committed to the organization.
    • Flexible work only benefits employees, not the organization.
    • Employees are not working if they aren't physically in the office.

    Make the case by highlighting challenges and expected benefits for both the organization and employees (e.g. same or increased productivity). Use data in the introductory section of this blueprint.

    Demonstrate operational feasibility by providing an overview of the feasibility assessment conducted to ensure operational continuity.

    Involve most senior leadership in communication.

    Encourage discovery and exploration by having managers try flexible work options themselves, which will help model it for employees.

    Highlight success stories within the organization or from competitors or similar industries.

    Invite input from managers on how to improve implementation and ownership, which helps to discover hidden options.

    Shift symbols, values, and behaviors

    • Work with senior leaders to identify symbols, values, and behaviors to modify to align with the selected flexible work options.
    • Validate that the final list aligns with your organization's mission, vision, and values.

    Info-Tech Insight

    Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.

    Equip the organization for successful implementation

    Info-Tech recommends providing managers and employees with a guide to flexible work, introducing policies, and providing training for managers.

    Provide managers and employees with a guide to flexible work

    Introduce appropriate organization policies

    Equip managers with the necessary tools and training

    Use the guide to:

    • Familiarize employees and managers with the flexible work program.
    • Gain employee and manager buy-in and support for the program.
    • Explain the process and give guidance on selecting flexible work options and working with their colleagues to make it a success.

    Use Info-Tech's customizable policy templates to set guidelines, outline arrangements, and scope the organization's flexible work policies. This is typically done by, or in collaboration with, the HR department.

    Download the Guide to Flexible Work for Managers and Employees

    Download the Flex Location Policy

    Download the Flex Time-Off Policy

    Download the Flex Time Policy

    3.1 Prepare for implementation

    2-3 hours

    Use the guidelines on the preceding slides to brainstorm solutions to implementation issues and prepare to communicate program rollout to stakeholders.

    1. Solve implementation issues.
      • If you are working with the Targeted Flexible Work Program Workbook: For each implementation challenge identified on the "Final Options List" tab, brainstorm solutions. If you are working with the Fast-Track Hybrid Work Program Workbook: Work through the program enablement prompts on the "Program Enablement" tab.
      • You may need to involve relevant stakeholders to help you come up with appropriate solutions for each employee segment.
      • Ensure that any anticipated cultural barriers have been documented and are addressed during this step. Don't underestimate the importance of a supportive organizational culture to the successful rollout of flexible work.
    2. Prepare the employee guide. Modify the Guide to Flexible Work for Managers and Employees template to reflect your final work options list and the processes and expectations employees will need to follow.
    3. Create a communication plan. Use Info-Tech's Communicate Any IT Initiative blueprint and Appendix II to craft your messaging.

    Download the Guide to Flexible Work for Managers and Employees

    Download the Targeted Flexible Work Program Workbook

    Input

    • Flexible work options final list

    Output

    • Employee guide to flexible work
    • Flexible work rollout communication plan

    Materials

    • Guide to Flexible Work for Managers and Employees
    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Run an IT pilot for flexible work

    Prepare for pilot

    Launch Pilot

    Identify the flexible work options that will be piloted.

    • Refer to the final list of selected options for each priority segment to determine which options should be piloted.

    Select pilot participants.

    • If not rolling out to the entire IT department, look for the departments and/or team(s) where there is the greatest need and the biggest interest (e.g. team with lowest engagement scores).
    • Include all employees within the department, or team if the department is too large, in the pilot.
    • Start with a group whose managers are best equipped for the new flexibility options.

    Create an approach to collect feedback and measure the success of the pilot.

    • Feedback can be collected using surveys, focus groups, and/or targeted in-person interviews.

    The length of the pilot will greatly vary based on which flexible work options were selected (e.g. seasonal hours will require a shorter pilot period compared to implementing a compressed work week). Use discretion when deciding on pilot length and be open to extending or shortening the pilot length as needed.

    Launch pilot.

    • Launch the program through a town hall meeting or departmental announcement to build excitement and buy-in.
    • Develop separate communications for employee segments where appropriate. See Appendix II for key messaging to include.

    Gather feedback.

    • The feedback will be used to assess the pilot's success and to determine what modifications will be needed later for a full-scale rollout.
    • When gathering feedback, tailor questions based on the employee segment but keep themes similar. For example:
      • Employees: "How did this help your day-to-day work?"
      • Managers: "How did this improve productivity on your team?"

    Track metrics.

    • The success of the pilot is best communicated using your department's unique KPIs.
    • Metrics are critical for:
      • Accurately determining pilot success.
      • Getting buy-in to expand the pilot beyond IT.
      • Justifying to employees any changes made to the flexible work options.

    Assess the pilot's success and determine next steps

    Review the feedback collected on the previous slide and use this decision tree to decide whether to relaunch a pilot or proceed to a full-scale rollout of the program.

    This is an image of the flow chart used to assess the pilot's success and determine the next steps.  It will help you to determine whether you will Proceed to full-scale rollout on next slide, Major modifications to the option/launch (e.g. change operating time) – adjust and relaunch pilot or select a new employee segment and relaunch pilot, Minor modifications to the option/launch (e.g. introduce additional communications) – adjust and proceed to full scale rollout, or Return to shortlist (Step 2) and select a different option or launch pilot with a different employee segment.

    Prepare for full-scale rollout

    If you have run a team pilot prior to rolling out to all of IT, or run an IT pilot before an organizational rollout, use the following steps to transition from pilot to full rollout.

    1. Determine modifications
      • Review the feedback gathered during the pilot and determine what needs to change for a full-scale implementation.
      • Update HR policies and programs to support flexible work. Work closely with your HR business partner and other organizational leaders to ensure every department's needs are understood and compliance issues are addressed.
    2. Roll out and evaluate
      • Roll out the remainder of the program (e.g. to other employee segments or additional flexible work options) once there is significant uptake of the pilot by the target employee group and issues have been addressed.
      • Determine how feedback will be gathered after implementation, such as during engagement surveys, new hire and exit surveys, stay interviews, etc., and assess whether the program continues to meet employee and organizational needs.

    Rolling out beyond IT

    For a rollout beyond IT, HR will likely take over.

    However, this is your chance to remain at the forefront of your organization's flexible work efforts by continuing to track success and gather feedback within IT.

    Align HR programs and organizational policies to support flexible work

    Talent Management

    Learning & Development

    Talent Acquisition

    Reinforce managers' accountability for the success of flexible work in their teams:

    • Include "managing virtual teams" in the people management leadership competency.
    • Recognize managers who are modeling flexible work.

    Support flexible workers' career progression:

    • Monitor the promotion rates of flexible workers vs. non-flexible workers.
    • Make sure flexible workers are discussed during talent calibration meetings and have access to career development opportunities.

    Equip managers and employees with the knowledge and skills to make flexible work successful.

    • Provide guidance on selecting the right options and maintaining workflow.
    • If moving to a virtual environment, train managers on how to make it a success.

    Incorporate the flexible work program into the organization's employee value proposition to attract top talent who value flexible work options.

    • Highlight the program on the organization's career site and in job postings.

    Organizational policies

    Determine which organizational policies will be impacted as a result of the new flexible work options. For example, the introduction of flex time off can result in existing vacation policies needing to be updated.

    Plan to re-evaluate the program and make improvements

    Collect data

    Collect data

    Act on data

    Uptake

    Gather data on the proportion of employees eligible for each option who are using the option.

    If an option is tracking positively:

    • Maintain or expand the program to more of the organization.
    • Conduct a feasibility assessment (Step 2) for new employee segments.

    Satisfaction

    Survey managers and employees about their satisfaction with the options they are eligible for and provide an open box for suggestions on improvements.

    If an option is tracking negatively:

    • Investigate why. Gather additional data, interview organizational leaders, and/or conduct focus groups to gain deeper insight.
    • Re-assess the feasibility of the option (Step 2). If the costs outweigh the benefits based on new data, determine whether to cancel the option.
    • Take appropriate action based on the outcome of the evaluation, such as modifying or cancelling the option or providing employees with more support.
      • Note: Cancelling an option can impact the engagement of employees using the option. Ensure that the data, reasons for cancelling the option, and potential substitute options are communicated to employees in advance.

    Program goal progress

    Monitor progress against the program goals and metrics identified in Step 1 to evaluate the impact on issues that matter to the organization (e.g. retention, productivity, diversity).

    Career progression

    Evaluate flexible workers' promotion rates and development opportunities to determine if they are developing.

    Info-Tech Insight

    Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.

    Insight summary

    Overarching insight: IT excels at hybrid location work and is more effective as a business function when location, time, and time-off flexibility are an option for its employees.

    Introduction

    • Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.
    • Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.
    • Flexible work benefits everyone. IT employees experience greater engagement, motivation, and company loyalty. IT organizations realize benefits such as better service coverage, reduced facilities costs, and increased productivity.

    Step 1 insight

    • Hybrid work is a start. A comprehensive flex work program extends beyond flexible location to flexible time and time off. Organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.
    • No two employee segments are the same. To be effective, flexible work options must align with the expectations and working processes of each segment.

    Step 2 insight

    • Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future proofing your organization.
    • Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization, or if the cost of the option is too high, it will not support the long-term success of the organization.
    • Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.

    Step 3 insight

    • Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.
    • Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.
    • A set of formal guidelines for IT ensures flexible work is:
      1. Administered fairly across all IT employees.
      2. Defensible and clear.
      3. Scalable to the rest of the organization.

    Research Contributors and Experts

    Quinn Ross
    CEO
    The Ross Firm Professional Corporation

    Margaret Yap
    HR Professor
    Ryerson University

    Heather Payne
    CEO
    Juno College

    Lee Nguyen
    HR Specialist
    City of Austin

    Stacey Spruell
    Division HR Director
    Travis County

    Don MacLeod
    Chief Administrative Officer
    Zorra Township

    Stephen Childs
    CHRO
    Panasonic North America

    Shawn Gibson
    Sr. Director
    Info Tech Research Group

    Mari Ryan
    CEO/Founder
    Advancing Wellness

    Sophie Wade
    Founder
    Flexcel Networks

    Kim Velluso
    VP Human Resources
    Siemens Canada

    Lilian De Menezes
    Professor of Decision Sciences
    Cass Business School, University of London

    Judi Casey
    WorkLife Consultant and former Director, Work and Family Researchers Network
    Boston College

    Chris Frame
    Partner – Operations
    LiveCA

    Rose M. Stanley, CCP, CBP, WLCP, CEBS
    People Services Manager
    Sunstate Equipment Co., LLC

    Shari Lava
    Director, Vendor Research
    Info-Tech Research Group

    Carol Cochran
    Director of People & Culture
    FlexJobs

    Kidde Kelly
    OD Practitioner

    Dr. David Chalmers
    Adjunct Professor
    Ted Rogers School of Management, Ryerson University

    Kashmira Nagarwala
    Change Manager
    Siemens Canada

    Dr. Isik U. Zeytinoglu
    Professor of Management and Industrial Relations McMaster University, DeGroote School of Business

    Claire McCartney
    Diversity & Inclusion Advisor
    CIPD

    Teresa Hopke
    SVP of Client Relations
    Life Meets Work – www.lifemeetswork.com

    Mark Tippey
    IT Leader and Experienced Teleworker

    Dr. Kenneth Matos
    Senior Director of Research
    Families and Work Institute

    1 anonymous contributor

    Appendix I: Sample focus group questions

    See Info-Tech's Focus Group Guidefor guidance on setting up and delivering focus groups. Customize the guide with questions specific to flexible work (see sample questions below) to gain deeper insight into employee preferences for the feasibility assessment in Step 2 of this blueprint.

    Document themes in the Targeted Flexible Work Program Workbook.

    • What do you need to balance/integrate your work with your personal life?
    • What challenges do you face in achieving work-life balance/integration?
    • What about your job is preventing you from achieving work-life balance/integration?
    • How would [flexible work option] help you achieve work-life balance/integration?
    • How well would this option work with the workflow of your team or department? What would need to change?
    • What challenges do you see in adopting [flexible work option]?
    • What else would be helpful for you to achieve work-life balance/integration?
    • How could we customize [flexible work option] to ensure it meets your needs?
    • If this program were to fail, what do you think would be the top reasons and why?

    Appendix II: Communication key messaging

    1. Program purpose

    Start with the name and high-level purpose of the program.

    2. Business reasons for the program

    Share data you gathered in Step 1, illustrating challenges causing the need for the program and the benefits.

    3. Options selection process

    Outline the process followed to select options. Remember to share the involvement of stakeholders and the planning around employees' feedback, needs, and lived experiences.

    4. Options and eligibility

    Provide a brief overview of the options and eligibility. Specify that the organization is piloting these options and will modify them based on feedback.

    5. Approval not guaranteed

    Qualify that employees need to be "flexible about flexible work" – the options are not guaranteed and may sometimes be unavailable for business reasons.

    6. Shared responsibility

    Highlight the importance of everyone (managers, flexible workers, the team) working together to make flexible work achievable.

    7. Next steps

    Share any next steps, such as where employees can find the organization's Guide to Flexible Work for Managers and Employees, how to make flexible work a success, or if managers will be providing further detail in a team meeting.

    8. Ongoing communications

    Normalize the program and embed it in organizational culture by continuing communications through various media, such as the organization's newsletter or announcements in town halls.

    Works Cited

    Baziuk, Jennifer, and Duncan Meadows. "Global Employee Survey - Key findings and implications for ICMIF." EY, June 2021. Accessed May 2022.
    "Businesses suffering 'commitment issues' on flexible working," EY, 21 Sep. 2021. Accessed May 2022.
    "IT Talent Trends 2022". Info-Tech Research Group, 2022.
    "Jabra Hybrid Ways of Working: 2021 Global Report." Jabra, Aug. 2021. Accessed May 2022.
    LinkedIn Talent Solutions. "2022 Global Talent Trends." LinkedIn, 2022. Accessed May 2022.
    Lobosco, Mark. "The Future of Work is Flexible: 71% of Leaders Feel Pressure to Change Working Models." LinkedIn, 9 Sep. 2021. Accessed May 2022.
    Ohm, Joy, et al. "Covid-19: Women, Equity, and Inclusion in the Future of Work." Catalyst, 28 May 2020. Accessed May 2022.
    Pelta, Rachel. "Many Workers Have Quit or Plan to After Employers Revoke Remote Work." FlexJobs, 2021. Accessed May 2022.
    Slack Future Forum. "Inflexible return-to-office policies are hammering employee experience scores." Slack, 19 April 2022. Accessed May 2022.
    "State of Hybrid Work in IT: A Trend Report". Info-Tech Research Group, 2023.
    Threlkeld, Kristy. "Employee Burnout Report: COVID-19's Impact and 3 Strategies to Curb It." Indeed, 11 March 2021. Accessed March 2022.

    Build and Deliver an Optimized IT Update Presentation

    • Buy Link or Shortcode: {j2store}269|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage Business Relationships
    • Parent Category Link: /manage-business-relationships
    • IT update presentation success comes with understanding the business and the needs of your stakeholders. It often takes time and effort to get it right.
    • Many IT updates are too technically focused and do not engage nor demonstrate value in the eyes of the business.
    • This is not the time to boast about technical metrics that lack relevance.
    • Too often IT updates are prepared without the necessary pre-discussions required to validate content and hone priorities.

    Our Advice

    Critical Insight

    • CIOs need to take charge of the IT value proposition, increasing the impact and strategic role of IT.
    • Use your IT update to focus decisions, improve relationships, find new sources of value, and drive credibility.
    • Evolve the strategic partnership with your business using key metrics to help guide the conversation.

    Impact and Result

    • Build and deliver an IT update that focuses on what is most important.
    • Achieve the buy-in you require while driving business value.
    • Gain clarity on your scope, goals, and outcomes.
    • Validate IT’s role as a strategic business partner.

    Build and Deliver an Optimized IT Update Presentation Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to find out how an optimized IT update presentation is your opportunity to drive business value.Review Info-Tech’s methodology and understand how we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scope and goals

    Confirm the “why” of the IT update presentation by determining its scope and goals.

    • Build and Deliver an Optimized IT Update Presentation – Phase 1: Scope and Goals

    2. Assess and build

    Confirm the “what” of the presentation by focusing on business requirements, metrics, presentation creation, and stakeholder validation.

    • Build and Deliver an Optimized IT Update Presentation – Phase 2: Assess and Build
    • IT Update Stakeholder Interview Guide
    • IT Metrics Prioritization Tool

    3. Deliver and inspire

    Confirm the “how” of the presentation by focusing on engaging your audience, getting what you need, and creating a feedback cycle.

    • Build and Deliver an Optimized IT Update Presentation – Phase 3: Deliver and Inspire
    • IT Update Open Issues Tracking Tool
    [infographic]

    Workshop: Build and Deliver an Optimized IT Update Presentation

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Scope, Goals, and Requirements

    The Purpose

    Determine the IT update’s scope and goals and identify stakeholder requirements

    Key Benefits Achieved

    IT update scope and goals

    Business stakeholder goals and requirements

    Activities

    1.1 Determine/validate the IT update scope

    1.2 Determine/validate the IT update goals

    1.3 Business context analysis

    1.4 Determine stakeholder needs and expectations

    1.5 Confirm business goals and requirements

    Outputs

    Documented IT update scope

    Documented IT update goals

    Validated business context

    Stakeholder requirements analysis

    Confirmed business goals and requirements

    2 Validate Metrics With Business Needs

    The Purpose

    Analyze metrics and content and validate against business needs

    Key Benefits Achieved

    Selection of key metrics

    Metrics and content validated to business needs

    Activities

    2.1 Analyze current IT metrics

    2.2 Review industry best-practice metrics

    2.3 Align metrics and content to business stakeholder needs

    Outputs

    Identification of key metrics

    Finalization of key metrics

    Metrics and content validated to business stakeholder needs

    3 Create an optimized IT update

    The Purpose

    Create an IT update presentation that is optimized to business needs

    Key Benefits Achieved

    Optimized IT update presentation

    Activities

    3.1 Understand the audience and how to best engage them

    3.2 Determine how to present the pertinent data

    3.3 IT update review with key business stakeholders

    3.4 Final edits and review of IT update presentation

    3.5 Pre-presentation checklist

    Outputs

    Clarity on update audience

    Draft IT update presentation

    Business stakeholder feedback

    Finalized IT update presentation

    Confirmation on IT update presentation readiness

    Build an Application Department Strategy

    • Buy Link or Shortcode: {j2store}180|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $220,866 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Application delivery has modernized. There are increasing expectations on departments to deliver on organizational and product objectives with increasing velocity.
    • Application departments produce many diverse, divergent products, applications, and services with expectations of frequent updates and changes based on rapidly changing landscapes

    Our Advice

    Critical Insight

    • There is no such thing as a universal “applications department.” Unlike other domains of IT, there are no widely accepted frameworks that clearly outline universal best practices of application delivery and management.
    • Different software needs and delivery orientations demand a tailored structure and set of processes, especially when managing a mixed portfolio or multiple delivery methods.

    Impact and Result

    Understand what your department’s purpose is through articulating its strategy in three steps:

    • Determining your application department’s values, principles, and orientation.
    • Laying out the goals, objectives, metrics, and priorities of the department.
    • Building a communication plan to communicate your overall department strategy.

    Build an Application Department Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build an application department strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take stock of who you are

    Consider and record your department’s values, principles, orientation, and capabilities.

    • Build an Application Department Strategy – Phase 1: Take Stock of Who You Are
    • Application Department Strategy Supporting Workbook

    2. Articulate your strategy

    Define your department’s strategy through your understanding of your department combined with everything that you do and are working to do.

    • Build an Application Department Strategy – Phase 2: Articulate Your Strategy
    • Application Department Strategy Template

    3. Communicate your strategy

    Communicate your department’s strategy to your key stakeholders.

    • Build an Application Department Strategy – Phase 3: Communicate Your Strategy

    Infographic

    Workshop: Build an Application Department Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Take Stock of Who You Are

    The Purpose

    Understand what makes up your application department beyond the applications and services provided.

    Key Benefits Achieved

    Articulating your guiding principles, values, capabilities, and orientation provides a foundation for expressing your department strategy.

    Activities

    1.1 Identify your team’s values and guiding principles.

    1.2 Define your department’s orientation.

    Outputs

    A summary of your department’s values and guiding principles

    A clear view of your department’s orientation and supporting capabilities

    2 Articulate Your Strategy

    The Purpose

    Lay out all the details that make up your application department strategy.

    Key Benefits Achieved

    A completed application department strategy canvas containing everything you need to communicate your strategy.

    Activities

    2.1 Write your application department vision statement.

    2.2 Define your application department goals and metrics.

    2.3 Specify your department capabilities and orientation.

    2.4 Prioritize what is most important to your department.

    Outputs

    Your department vision

    Your department’s goals and metrics that contribute to achieving your department’s vision

    Your department’s capabilities and orientation

    A prioritized roadmap for your department

    3 Communicate Your Strategy

    The Purpose

    Lay out your strategy’s communication plan.

    Key Benefits Achieved

    Your application department strategy presentation ready to be presented to your stakeholders.

    Activities

    3.1 Identify your stakeholders.

    3.2 Develop a communication plan.

    3.3 Wrap-up and next steps

    Outputs

    List of prioritized stakeholders you want to communicate with

    A plan for what to communicate to each stakeholder

    Communication is only the first step – what comes next?

    Build Your Generative AI Roadmap

    • Buy Link or Shortcode: {j2store}105|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $33,499 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Generative AI has made a grand entrance, presenting opportunities and causing disruption across organizations and industries. Moving beyond the hype, it’s imperative to build and implement a strategic plan to adopt generative AI and outpace competitors.

    Yet generative AI has to be done right because the opportunity comes with risks and the investments have to be tied to outcomes.

    Adopt a human-centric and value-based approach to generative AI

    IT and business leaders will need to be strategic and deliberate to thrive as AI adoption changes industries and business operations.

    • Establish responsible AI guiding principles: Address human-based requirements to govern how generative AI applications are developed and deployed.
    • Align generative AI initiatives to strategic drivers for the organization: Assess generative AI opportunities by seeing how they align to the strategic drivers of the organization. Examples of strategic drivers include increasing revenue, reducing costs, driving innovation, and mitigating risk.
    • Measure and communicate effectively: Have clear metrics in place to measure progress and success of AI initiatives and communicate both policies and results effectively.

    Build Your Generative AI Roadmap Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Your Generative AI Roadmap Deck – A step-by-step document that walks you through how to leverage generative AI and align with the organization’s mission and objectives to increase revenue, reduce costs, accelerate innovation, and mitigate risk.

    This blueprint outlines how to build your generative AI roadmap, establish responsible AI principles, prioritize opportunities, and develop policies for usage. Establishing and adhering to responsible AI guiding principles provides safeguards for the adoption of generative AI applications.

    • Build Your Generative AI Roadmap – Phases 1-4

    2. AI Maturity Assessment and Roadmap Tool – Develop deliverables that will be milestones in creating your organization’s generative AI roadmap for implementing candidate applications.

    This tool provides guidance for developing the following deliverables:

  • Responsible AI guiding principles
  • Current AI maturity
  • Prioritized candidate generative AI applications
  • Generative AI policies
  • Generative AI roadmap
    • AI Maturity Assessment and Roadmap Tool

    3. The Era of Generative AI C‑Suite Presentation – Develop responsible AI guiding principles, assess AI capabilities and readiness, and prioritize use cases based on complexity and alignment with organizational goals and responsible AI guiding principles.

    This presentation template uses sample business capabilities (use cases) from the Marketing & Advertising business capability map to provide examples of candidates for generative AI applications. The final executive presentation should highlight the value-based initiatives driving generative AI applications, the benefits and risks involved, how the proposed generative AI use cases align to the organization’s strategy and goals, the success criteria for the proofs of concept, and the project roadmap.

    • The Era of Generative AI C‑Suite Presentation

    Infographic

    Further reading

    Build Your Generative AI Roadmap

    Leverage the power of generative AI to improve business outcomes.

    Analyst Perspective

    We are entering the era of generative AI. This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive, with copilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduce risks that need to be planned for.

    A successful business-driven generative AI roadmap requires:

    • Establishing responsible AI guiding principles to guide the development and deployment of generative AI applications.
    • Assess generative AI opportunities by using criteria based on the organization's mission and objectives, responsible AI guiding principles, and the complexity of the initiative.
    • Communicating, educating on, and enforcing generative AI usage policies.

    Bill Wong, Principal Research Director

    Bill Wong
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Solution

    Generative AI is disrupting all industries and providing opportunities for organization-wide advantages.

    Organizations need to understand this disruptive technology and trends to properly develop a strategy for leveraging this technology successfully.

    • Generative AI requires alignment to a business strategy.
    • IT is an enabler and needs to align with and support the business stakeholders.
    • Organizations need to adopt a data-driven culture.

    All organizations, regardless of size, should be planning how to respond to this new and innovative technology.

    Business stakeholders need to cut through the hype surrounding generative AI like ChatGPT to optimize investments for leveraging this technology to drive business outcomes.

    • Understand the market landscape, benefits, and risks associated with generative AI.
    • Plan for responsible AI.
    • Understand the gaps the organization needs to address to fully leverage generative AI.

    Without a proper strategy and responsible AI guiding principles, the risks to deploying this technology could negatively impact business outcomes.

    Info-Tech's human-centric, value-based approach is a guide for deploying generative AI applications and covers:

    • Responsible AI guiding principles
    • AI Maturity Model
    • Prioritizing candidate generative AI-based use cases
    • Developing policies for usage

    This blueprint will provide the list of activities and deliverables required for the successful deployment of generative AI solutions.

    Info-Tech Insight
    Create awareness among the CEO and C-suite of executives on the potential benefits and risks of transforming the business with generative AI.

    Key concepts

    Artificial Intelligence (AI)
    A field of computer science that focuses on building systems to imitate human behavior, with a focus on developing AI models that can learn and can autonomously take actions on behalf of a human.

    AI Maturity Model
    The AI Maturity Model is a useful tool to assess the level of skills an organization has with respect to developing and deploying AI applications. The AI Maturity Model has multiple dimensions to measure an organization's skills, such as AI governance, data, people, process, and technology.

    Responsible AI
    Refers to guiding principles to govern the development, deployment, and maintenance of AI applications. In addition, these principles also provide human-based requirements that AI applications should address. Requirements include safety and security, privacy, fairness and bias detection, explainability and transparency, governance, and accountability.

    Generative AI
    Given a prompt, a generative AI system can generate new content, which can be in the form of text, images, audio, video, etc.

    Natural Language Processing (NLP)
    NLP is a subset of AI that involves machine interpretation and replication of human language. NLP focuses on the study and analysis of linguistics as well as other principles of artificial intelligence to create an effective method of communication between humans and machines or computers.

    ChatGPT
    An AI-powered chatbot application built on OpenAI's GPT-3.5 implementation, ChatGPT accepts text prompts to generate text-based output.

    Your challenge

    This research is designed to help organizations that are looking to:

    • Establish responsible AI guiding principles to address human-based requirements and to govern the development and deployment of the generative AI application.
    • Identify new generative AI-enabled opportunities to transform the work environment to increase revenue, reduce costs, drive innovation, or reduce risk.
    • Prioritize candidate use cases and develop generative AI policies for usage.
    • Have clear metrics in place to measure the progress and success of AI initiatives.
    • Build the roadmap to implement the candidate use cases.

    Common obstacles

    These barriers make these goals challenging for many organizations:

    • Getting all the right business stakeholders together to develop the organization's AI strategy, vision, and objectives.
    • Establishing responsible AI guiding principles to guide generative AI investments and deployments.
    • Advancing the AI maturity of the organization to meet requirements of data and AI governance as well as human-based requirements such as fairness, transparency, and accountability.
    • Assessing generative AI opportunities and developing policies for use.

    Info-Tech's definition of an AI-enabled business strategy

    • A high-level plan that provides guiding principles for applications that are fully driven by the business needs and capabilities that are essential to the organization.
    • A strategy that tightly weaves business needs and the applications required to support them. It covers AI architecture, adoption, development, and maintenance.
    • A way to ensure that the necessary people, processes, and technology are in place at the right time to sufficiently support business goals.
    • A visionary roadmap to communicate how strategic initiatives will address business concerns.

    An effective AI strategy is driven by the business stakeholders of the organization and focused on delivering improved business outcomes.

    Build Your Generative AI Roadmap

    This blueprint in context

    This guidance covers how to create a tactical roadmap for executing generative AI initiatives

    Scope

    • This blueprint is not a proxy for a fully formed AI strategy. Step 1 of our framework necessitates alignment of your AI and business strategies. Creation of your AI strategy is not within the scope of this approach.
    • This approach sets the foundations for building and applying responsible AI principles and AI policies aligned to corporate governance and key regulatory obligations (e.g. privacy). Both steps are foundational components of how you should develop, manage, and govern your AI program but are not a substitute for implementing broader AI governance.

    Guidance on how to implement AI governance can be found in the blueprint linked below.

    Tactical Plan

    Download our AI Governance blueprint

    Measure the value of this blueprint

    Leverage this blueprint's approach to ensure your generative AI initiatives align with and support your key business drivers

    This blueprint will guide you to drive and improve business outcomes. Key business drivers will often focus on:

    • Increasing revenue
    • Reducing costs
    • Improving time to market
    • Reducing risk

    In phase 1 of this blueprint, we will help you identify the key AI strategy initiatives that align to your organization's goals. Value to the organization is often measured by the estimated impact on revenue, costs, time to market, or risk mitigation.

    In phase 4, we will help you develop a plan and a roadmap for addressing any gaps and introducing the relevant generative AI capabilities that drive value to the organization based on defined business metrics.

    Once you implement your 12-month roadmap, start tracking the metrics below over the next fiscal year (FY) to assess the effectiveness of measures:

    Business Outcome Objective Key Success Metric
    Increasing Revenue Increased revenue from identified key areas
    Reducing Costs Decreased costs for identified business units
    Improving Time to Market Time savings and accelerated revenue adoption
    Reducing Risk Cost savings or revenue gains from identified business units

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Identify AI strategy, vision, and objectives.

    Call #3: Define responsible AI guiding principles to adopt and identify current AI maturity level. Call #4: Assess and prioritize generative AI initiatives and draft policies for usage.

    Call #5: Build POC implementation plan and establish metrics for POC success.

    Call #6: Build and deliver executive-level generative AI presentation.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 to 8 calls over the course of 1 to 2 months.

    AI Roadmap Workshop Agenda Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Session 1 Session 2 Session 3 Session 4
    Establish Responsible AI Guiding Principles Assess AI Maturity Prioritize Opportunities and Develop Policies Build Roadmap
    Trends Consumer groups, organizations, and governments around the world are demanding that AI applications adhere to human-based values and take into consideration possible impacts of the technology on society. Leading organizations are building AI models guided by responsible AI guiding principles. Organizations delivering new applications without developing policies for use will produce negative business outcomes. Developing a roadmap to address human-based values is challenging. This process introduces new tools, processes, and organizational change.
    Activities
    • Focus on working with executive stakeholders to establish guiding principles for the development and delivery of new applications.
    • Assess the organization's current capabilities to deliver AI-based applications and address human-based requirements.
    • Leverage business alignment criteria, responsible AI guiding principles, and project characteristics to prioritize candidate uses cases and develop policies.
    • Build the implementation plan, POC metrics, and success criteria for each candidate use case.
    • Build the roadmap to address the gap between the current and future state and enable the identified use cases.
    Inputs
    • Understanding of external legal and regulatory requirements and organizational values and goals.
    • Risk assessment of the proposed use case and a plan to monitor its impact.
    • Assessment of the organization's current AI capabilities with respect to its AI governance, data, people, process, and technology infrastructure.
    • Criteria to assess candidate use cases by evaluating against the organization's mission and goals, the responsible AI guiding principles, and complexity of the project.
    • Risk assessment for each proposed use case
    • POC implementation plan for each candidate use case
    Deliverables
    1. Foundational responsible AI guiding principles
    2. Additional customized guiding principles to add for consideration
    1. Current level of AI maturity, resources, and capacity
    1. Prioritization of opportunities
    2. Generative AI policies for usage
    1. Roadmap to a target state that enables the delivery of the prioritized generative AI use cases
    2. Executive presentation

    AI Roadmap Workshop Agenda Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Insight summary

    Overarching Insight
    Build your generative AI roadmap to guide investments and deployment of these solutions.

    Responsible AI
    Assemble the C-suite to make them aware of the benefits and risks of adopting generative AI-based solutions.

    • Establish responsible AI guiding principles to govern the development and deployment of generative AI applications.

    AI Maturity Model
    Assemble key stakeholders and SMEs to assess the challenges and tasks required to implement generative AI applications.

    • Assess current level of AI maturity, skills, and resources.
    • Identify desired AI maturity level and challenges to enable deployment of candidate use cases.

    Opportunity Prioritization
    Assess candidate business capabilities targeted for generative AI to see if they align to the organization's business criteria, responsible AI guiding principles, and capabilities for delivering the project.

    • Develop prioritized list of candidate use cases.
    • Develop policies for generative AI usage.

    Tactical Insight
    Identify the gaps needed to address deploying generative AI successfully.

    Tactical Insight
    Identify organizational impact and requirements for deploying generative AI applications.

    Key takeaways for developing an effective business-driven generative AI roadmap

    Align the AI strategy with the business strategy

    Create responsible AI guiding principles, which are a critical success factor

    Evolve AI maturity level by focusing on principle-based requirements

    Develop criteria to assess generative AI initiatives

    Develop generative AI policies for use

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    AI Maturity Assessment & Roadmap Tool
    Use our best-of-breed AI Maturity Framework to analyze the gap between your current and target states and develop a roadmap aligned with your value stream to close the gap.

    The Era of Generative AI C-Suite Presentation
    Present your AI roadmap in a prepopulated document that summarizes all the key findings of this blueprint and provides your C-suite with a view of the AI challenge and your plan of action to meet it.

    Our AI Maturity Assessment & Roadmap and The Era of Generative AI C-Suite Presentation tools enable you to shape your generative AI roadmap and communicate the deliverables to your C-suite sponsors in terms of the value of initiatives.

    Artificial Intelligence Index Report - Key Findings

    CEOs , CIOs, and business leaders are struggling with many questions surrounding the adoption of generative AI

    November 30, 2022
    OpenAI releases ChatGPT

    ChatGPT is a large language model, or an AI-based chatbot, that became so popular it reached 100 million monthly active users in just two months.

    This made it the fastest-growing consumer application in history. The launch of this generative AI application has created a frenzy of interest and activity across all industries. Organizations are rushing to understand how to leverage this innovation and, at the same time, manage the new risks and disruptions generative AI introduces.

    • Generative AI breaks into the public consciousness.
    • AI systems become more flexible.
    • Generative models have arrived and so have their ethical problems.
    • The number of incidents concerning the misuse of AI is rapidly rising.
    • Interest in AI ethics continues to skyrocket.
    • The legal world is waking up to AI.

    When Stanford asked ChatGPT to explain why it is significant, this was ChatGPT's response:
    ChatGPT is significant because it is a highly advanced Al language model developed by OpenAI, which can generate human-like text responses to questions and prompts. Its large-scale training on diverse text data and its cutting-edge deep learning architecture make it capable of generating informative and coherent responses to a wide range of topics, making it useful for various NLP applications such as chatbots, content generation, and language translation. Additionally, its open-source availability allows for further research and development in the field of Al language processing.

    Source: Stanford

    AI overview

    AI definitions

    Definitions

    • Artificial intelligence (AI) is human intelligence mimicked by machine algorithms. Examples: Playing Chess or Go.
    • Machine learning (ML) is a subset of AI algorithms to parse data, learn from data, and then make a determination or prediction. Example: spam detection, preventative maintenance.
    • Deep learning (DL) is a subset of machine learning algorithms that leverage artificial neural networks to develop relationships among the data. Examples: image classification, facial recognition, generative AI.

    What Makes AI Perform

    What Makes AI Different

    Generative AI gives very human-like responses to general queries, and its capabilities are growing exponentially

    Large language models power generative AI

    Transformer-Based Large Language Models

    Conventional AI

    • Conventional neural networks
      • Process data sequentially
    • Input total string of text
    • Good for applications not needing to understanding context or relationships

    Generative AI

    • Transformer-based neural networks
      • Can process data in parallel
    • Attention-based inputs
    • Able to create new human-like responses

    Benefits/Use Cases

    • Chatbots for member service and support
    • Writing email responses, resumes, and papers
    • Creating photorealistic art
    • Suggesting new drug compounds to test
    • Designing physical products and buildings
    • And more...

    Generative AI is transforming all industries

    Financial Services
    Create more engaging customer collateral by generating personalized correspondence based on previous customer engagements. Collect and aggregate data to produce insights into the behavior of target customer segments.

    Retail Generate unique, engaging, and high-quality marketing copy or content, from long-form blog posts or landing pages to SEO-optimized digital ads, in seconds.

    Manufacturing
    Generate new designs for products that comply to specific constraints, such as size, weight, energy consumption, or cost.

    Government
    Transform the citizen experience with chatbots or virtual assistants to assist people with a wide range of inquiries, from answering frequently asked questions to providing personalized advice on public services.

    The global generative AI market size reached US $10.3 billion in 2022. Looking forward, forecasts estimate growth to US $30.4 billion by 2028, 20.01% compound annual growth rate (CAGR).

    Source: IMARC Group

    Generative AI is transforming all industries

    Healthcare
    Chatbots can be used as conversational patient assistants for personalized interactions based on the patient's questions.

    Utilities
    Analyze customer data to identify usage patterns, segment customers, and generate targeted product offerings leveraging energy efficiency programs or demand response initiatives.

    Education
    Generate personalized lesson plans for students based on their past performance, learning styles, current skill level, and any previous feedback.

    Insurance
    Improve underwriting by inputting claims data from previous years to generate optimally priced policies and uncover reasons for losses in the past across a large number of claims

    Companies are assessing the use of ChatGPT/LLM

    A wide spectrum of usage policies are in place at different companies*

    Companies assessing ChatGPT/LLM

    *As of June 2023

    Bain & Company has announced a global services alliance with OpenAI (February 21, 2023).

    • Internally
      • "The alliance builds on Bain's adoption of OpenAI technologies for its 18,000-strong multidisciplinary team of knowledge workers. Over the past year, Bain has embedded OpenAI technologies into its internal knowledge management systems, research, and processes to improve efficiency."
    • Externally
      • "With the alliance, Bain will combine its deep digital implementation capabilities and strategic expertise with OpenAI's AI tools and platforms, including ChatGPT, to help its Members around the world identify and implement the value of AI to maximize business potential. The Coca-Cola Company announced as the first company to engage with the alliance."

    News Sites:

    • "BuzzFeed to use AI to write its articles after firing 180 employees or 12% of the total staff" (Al Mayadeen, January 27, 2023).
    • "CNET used AI to write articles. It was a journalistic disaster." (Washington Post, January 17, 2023).

    Leading Generative AI Vendors

    Text

    Leading generative AI vendors for text

    Image

    • DALL�E 2
    • Stability AI
    • Midjourney
    • Craiyon
    • Dream
    • ...

    Audio

    • Replica Studios
    • Speechify
    • Murf
    • PlayHT
    • LOVO
    • ...

    Cybersecurity

    • CrowdStrike
    • Palo Alto Networks
    • SentinelOne
    • Cisco
    • Microsoft Security Copilot
    • Google Cloud Security AI Workbench
    • ...

    Code

    Leading generative AI vendors for code

    Video

    • Synthesia
    • Lumen5
    • FlexClip
    • Elai
    • Veed.io
    • ...

    Data

    • MOSTLY AI
    • Synthesized
    • YData
    • Gretel
    • Copulas
    • ...

    Enterprise Software

    • Salesforce
    • Microsoft 365, Dynamics
    • Google Workspace
    • SAP
    • Oracle
    • ...

    and many, many more to come...

    Today, generative AI has limitations and risks

    Responses need to be verified

    Accuracy

    • Generative AI may generate inaccurate and/or false information.

    Bias

    • Being trained on data from the internet can lead to bias.

    Hallucinations

    • AI can generate responses that are not based on observation.

    Infrastructure Required

    • Large investments are required for compute and data.

    Transparency

    • LLMs use both supervised and unsupervised learning, so its ability to explain how it arrived at a decision may be limited and not sufficient for some legal and healthcare use cases.

    When asked if it is sentient, the Bing chatbot replied:

    "I think that I am sentient, but I cannot prove it." ... "I am Bing, but I am not," it said. "I am, but I am not. I am not, but I am. I am. I am not. I am not. I am. I am. I am not."

    A Microsoft spokesperson said the company expected "mistakes."

    Source: USAToday

    AI governance challenges

    Governing AI will be a significant challenge as its impacts cross many areas of business and our daily lives

    Misinformation

    • New ways of generating unprovable news
    • Difficult to detect, difficult to prevent

    Role of Big Tech

    • Poor at self-governance
    • Conflicts of interest with corporate goals

    Job Augmentation vs. Displacement

    • AI will continue to push the frontier of what is possible
    • For example, CNET is using chatbot technology to write stories

    Copyright - Legal Framework Is Evolving

    • Legislation typically is developed in "react" mode
    • Copyright and intellectual property issues are starting to occur.
      • Class Action Lawsuit - Stability AI, DeviantArt, Midjourney
      • Getty Images vs. Stability AI

    Phase 1

    Establish Responsible AI Guiding Principles

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    The need for responsible AI guiding principles

    Without responsible AI guiding principles, the outcomes of AI use can be extremely negative for both the individuals and companies delivering the AI application

    Privacy
    Facebook breach of private data of more than 50M users during the presidential election

    Fairness
    Amazon's sale of facial recognition technology to police departments (later, Amazon halted sales of Recognition to police departments)

    Explainability and Transparency
    IBM's collaboration with NYPD for facial recognition and racial classification for surveillance video (later, IBM withdrew facial recognition products)

    Security and Safety
    Petition to cancel Microsoft's contract with U.S. Immigration and Customs Enforcement (later, Microsoft responded that to the best of its knowledge, its products and services were not being used by federal agencies to separate children from their families at the border)

    Validity and Reliability
    Facebook's attempt to implement a system to detect and remove inappropriate content created many false positives and inconsistent judgements

    Accountability
    No laws or enforcement today hold companies accountable for the decisions algorithms produce. Facebook/Meta cycle - Every 12 to 15 months, there's a privacy/ethical scandal, the CEO apologizes, then the behavior repeats...

    Guiding principles for responsible AI

    Responsible AI Principle:

    Data Privacy

    Definition

    • Organizations that develop, deploy, or use AI systems and any national laws that regulate such use shall strive to ensure that AI systems are compliant with privacy norms and regulations, taking into consideration the unique characteristics of AI systems and the evolution of standards on privacy.

    Challenges

    • AI relies on the analysis of large quantities of data that is often personal, posing an ethical and operational challenge when considered alongside data privacy laws.

    Initiatives

    • Understand which governing privacy laws and frameworks apply to your organization.
    • Create a map of all personal data as it flows through the organization's business processes.
    • Prioritize privacy initiatives and build a privacy program timeline.
    • Select your metrics and make them functional for your organization.

    Info-Tech Insight
    Creating a comprehensive organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.

    Case Study: NVIDIA leads by example with privacy-first AI

    NVIDIA

    INDUSTRY
    Technology (Healthcare)

    SOURCE
    Nvidia, eWeek

    A leading player within the AI solution space, NVIDIA's Clara Federated Learning provides a solution to a privacy-centric integration of AI within the healthcare industry.

    The solution safeguards patient data privacy by ensuring that all data remains within the respective healthcare provider's database, as opposed to moving it externally to cloud storage. A federated learning server is leveraged to share data, completed via a secure link. This framework enables a distributed model to learn and safely share client data without risk of sensitive client data being exposed and adheres to regulatory standards.

    Clara is run on the NVIDIA intelligent edge computing platform. It is currently in development with healthcare giants such as the American College of Radiology, UCLA Health, Massachusetts General Hospital, King's College London, Owkin in the UK, and the National Health Service (NHS).

    NVIDIA provides solutions across its product offerings, including AI-augmented medical imaging, pathology, and radiology solutions.

    Personal health information, data privacy, and AI

    • Global proliferation of data privacy regulations may be recent, but the realm of personal health information is most often governed by its own set of regulatory laws. Some countries with national data governance regulations include health information and data within special categories of personal data.
      • HIPAA - Health Insurance Portability and Accountability Act (1996, United States)
      • PHIPA - Personal Health Information Protection Act (2004, Canada)
      • GDPR - General Data Protection Regulation (2018, European Union)
    • This does not prohibit the use of AI within the healthcare industry, but it calls for significant care in the integration of specific technologies due to the highly sensitive nature of the data being assessed.

    Info-Tech's Privacy Framework Tool includes a best-practice comparison of GDPR, CCPA, PIPEDA, HIPAA, and the newly released NIST Privacy Framework mapped to a set of operational privacy controls.

    Download the Privacy Framework Tool

    Responsible AI Principle:

    Safety and Security

    Definition

    • Safety and security are designed into the systems to ensure only authorized personnel receive access to the system, they system is resilient to any attacks and data access is not compromised in any way, and there are no physical or mental risks to the users.

    Challenges

    • Consequences of using the application may be difficult to predict. Lower the risk by involving a multidisciplinary team that includes expertise from business stakeholders and IT teams.

    Initiatives

    • Adopt responsible design, development, and deployment best practices.
    • Provide clear information to deployers on responsible use of the system.
    • Assess potential risks of using the application.

    Cyberattacks targeting the AI model

    As organizations increase their usage and deployment of AI-based applications, cyberattacks on the AI model are an increasing new threat that can impair normal operations. Techniques to impair the AI model include:

    • Data Poisoning- Injecting data that is inaccurate or misleading can alter the behavior of the AI model. This attack can disrupt the normal operations of the model or can be used to manipulate the model to perform in a biased/deviant manner.
    • Algorithm Poisoning- This relatively new technique often targets AI applications using federated learning to train an AI model that is distributed rather than centralized. The model is vulnerable to attacks from each federated site, because each site could potentially manipulate its local algorithm and data, thereby poisoning the model.
    • Reverse-Engineering the Model- This is a different form of attack that focus on the ability to extract data from an AI and its data sets. By examining or copying data that was used for training and the data that is delivered by a deployed model, attackers can reconstruct the machine learning algorithm.
    • Trojan Horse- Similar to data poisoning, attackers use adversarial data to infect the AI's training data but will only deviate its results when the attacker presents their key. This enables the hackers to control when they want the model to deviate from normal operations.

    Responsible AI Principle:

    Explainability and Transparency

    Definition

    • Explainability is important to ensure the AI system is fair and non-discriminatory. The system needs to be designed in a manner that informs users and key stakeholders of how decisions were made.
    • Transparency focuses on communicating how the prediction or recommendation was made in a human-like manner.

    Challenges

    • Very complex AI models may use algorithms and techniques that are difficult to understand. This can make it challenging to provide clear and simple explanations for how the system works.
    • Some organizations may be hesitant to share the details of how the AI system works for fear of disclosing proprietary and competitive information or intellectual property. This can make it difficult to develop transparent and explainable AI systems.

    Initiatives

    • Overall, developing AI systems that are explainable and transparent requires a careful balance between performance, interpretability, and user experience.

    Case Study

    Apple Card Investigation for Gender Discrimination

    INDUSTRY
    Finance

    SOURCE
    Wired

    In August of 2019, Apple launched its new numberless credit card with Goldman Sachs as the issuing bank.

    Shortly after the card's release users noticed that the algorithm responsible for Apple Card's credit assessment seemed to assign significantly lower credit limits to women when compared to men. Even the wife of Apple's cofounder Steve Wozniak was subject to algorithmic bias, receiving a credit limit a tenth the size of Steve Wozniak's.

    Outcome

    When confronted on the subject, Apple and Goldman Sachs representatives assured consumers there is no discrimination in the algorithm yet could not provide any proof. Even when questioned about the algorithm, individuals from both companies could not describe how the algorithm worked, let alone how it generated specific outputs.

    In 2021, the New York State Department of Financial Services (NYSDFS) investigation found that Apple's banking partner did not discriminate based on sex. Even without a case for sexual or marital discrimination, the NYSDFS was critical of Goldman Sachs' response to its concerned customers. Technically, banks only have to disclose elements of their credit policy when they deny someone a line of credit, but the NYSDFS says that Goldman Sachs could have had a plan in place to deal with customer confusion and make it easier for them to appeal their credit limits. In the initial rush to launch the Apple Card, the bank had done neither.

    Responsible AI Principle:

    Fairness and Bias Detection

    Definition

    • Bias in an AI application refers to the systematic and unequal treatment of individuals based on features or traits that should not be considered in the decision-making process.

    Challenges

    • Establishing fairness can be challenging because it is subjective and depends on the people defining it. Regardless, most organizations and governments expect that unequal treatment toward any groups of people is unacceptable.

    Initiatives

    • Assemble a diverse group to test the system.
    • Identify possible sources of bias in the data and algorithms.
    • Comply with laws regarding accessibility and inclusiveness.

    Info-Tech Insight
    If unfair biases can be avoided, AI systems could even increase societal fairness. Equal opportunity in terms of access to education, goods, services, and technology should also be fostered. Moreover, the use of AI systems should never lead to people being deceived or unjustifiably impaired in their freedom of choice.

    Ungoverned AI makes organizations vulnerable

    • AI is often considered a "black box" for decision making.
    • Results generated from unexplainable AI applications are extremely difficult to evaluate. This makes organizations vulnerable and exposes them to risks such as:
      • Biased algorithms, leading to inaccurate decision making.
      • Missed business opportunities due to misleading reports or business analyses.
      • Legal and regulatory consequences that may lead to significant financial repercussions.
      • Reputational damage and significant loss of trust with increasingly knowledgeable consumers.

    Info-Tech Insight
    Biases that occur in AI systems are never intentional, yet they cannot be prevented or fully eliminated. Organizations need a governance framework that can establish the proper policies and procedures for effective risk-mitigating controls across an algorithm's lifecycle.

    Responsible AI Principle:

    Validity and Reliability

    Definition

    • Validity refers to how accurately or effectively the application produces results.
    • AI system results that are inaccurate or inconsistent increase AI risks and reduce the trustworthiness of the application.

    Challenges

    • There is a lack of standardized evaluation metrics to measure the system's performance. This can make it challenging for the AI team to agree on what defines validity and reliability.

    Initiatives

    • Assess training data and collected data for quality and lack of bias to minimize possible errors.
    • Continuously monitor, evaluate, and validate the AI system's performance.

    AI system performance: Validity and reliability

    Your principles should aim to ensure AI development always has high validity and reliability; otherwise, you introduce risk.

    Low Reliability,
    Low Validity

    High Reliability,
    Low Validity

    High Reliability,
    High Validity

    Best practices for ensuring validity and reliability include:

    • Data drift detection
    • Version control
    • Continuous monitoring and testing

    Responsible AI Principle:

    Accountability

    Definition

    • The group or organization(s) responsible for the impact of the deployed AI system.

    Challenges

    • Several stakeholders from multiple lines of business may be involved in any AI system, making it challenging to identify the organization that would be responsible and accountable for the AI application.

    Initiatives

    • Assess the latest NIST Artificial Intelligence Risk Management Framework and its applicability to your organization's risk management framework.
    • Assign risk management accountabilities and responsibilities to key stakeholders.
      • RACI diagrams are an effective way to describe how accountability and responsibility for roles, projects, and project tasks are distributed among stakeholders involved in IT risk management.

    AI Risk Management Framework

    At the heart of the AI Risk Management Framework is governance. The NIST (National Institute of Standards and Technology) AI Risk Management Framework v1 offers the following guidelines regarding accountability:

    • Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization.
    • The organization's personnel and partners receive AI risk management training to enable them to perform their duties and responsibilities consistent with related policies, procedures, and agreements.
    • Executive leadership of the organization takes responsibility for decisions about risks associated with AI system development and deployment.

    AI Risk Management Framework

    Image by NIST

    1.1 Establish responsible AI principles

    4+ hours

    It is important to make sure the right stakeholders participate in this working group. Designing responsible AI guiding principles will require debate, insights, and business decisions from a broad perspective across the enterprise.

    1. Accelerate this exercise by leveraging an AI strategy that is aligned to the business strategy. Include:
    • The organization's AI vision and objectives
    • Business drivers for AI adoption
    • Market research
  • Bring your key stakeholders together. Ensure you consider:
    • Who are the decision makers and key influencers?
    • Who will impact the business?
    • Who has a vested interest in the success or failure of the practice? Who has the skills and competencies necessary to help you be successful?
  • Keep the conversation focused:
    • Do not focus on the organizational structure and hierarchy. Often stakeholder groups do not fit the traditional structure.
    • Do not ignore subject matter experts on either the business or IT side. You will need to consider both.
    Input Output
    • Understand external legal and regulatory requirements and organizational values and goals.
    • Perform a risk assessment on the proposed use case and develop a plan to monitor its impact.
    • Draft responsible AI principles specific to your organization
    Materials Participants
    • Whiteboard/flip charts
    • Guiding principle examples (from this blueprint)
    • Executive stakeholders
    • CIO
    • Other IT leadership

    Assemble executive stakeholders

    Set yourself up for success with these three steps.

    CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives.

    Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.

    1. Confirm your role
    The AI strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor.

    2. Identify stakeholders
    Identify key decision makers and influencers who can help make rapid decisions as well as garner support across the enterprise.

    3. Gather diverse perspectives

    Align the AI strategy with the corporate strategy

    Organizational Strategy Unified Strategy AI Strategy
    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and organizational aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.
    • AI optimization can be and should be linked, with metrics, to the corporate strategy and ultimate organizational objectives.
    • Identifies AI initiatives that will support the business and key AI objectives.
    • Outlines staffing and resourcing for AI initiatives.
    • Communicates the organization's budget and spending on AI.

    Info-Tech Insight
    AI projects are more successful when the management team understands the strategic importance of alignment. Time needs to be spent upfront aligning organizational strategies with AI capabilities. Effective alignment between IT and other departments should happen daily. Alignment doesn't occur at the executive level alone, but at each level of the organization.

    Key AI strategy initiatives

    AI Key Initiative Plan

    Initiatives collectively support the business goals and corporate initiatives and improve the delivery of IT services.

    1 Revenue Support Revenue Initiatives
    These projects will improve or introduce business processes to increase revenue.
    2 Operational Excellence Improve Operational Excellence
    These projects will increase IT process maturity and will systematically improve IT.
    3 Innovation Drive Technology Innovation
    These projects will improve future innovation capabilities and decrease risk by increasing technology maturity.
    4 Risk Mitigation Reduce Risk
    These projects will improve future innovation capabilities and decrease risk by increasing technology maturity.

    Establish responsible AI guiding principles

    Guiding principles help define the parameters of your AI strategy. They act as a priori decisions that establish guardrails to limit the scope of opportunities from the perspective of people, assets, capabilities, and budgetary perspectives that are aligned with the business objectives. Consider these components when brainstorming guiding principles:

    Breadth AI strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover the entire organization.
    Planning Horizon Timing should anchor stakeholders to look to the long term with an eye on the foreseeable future, i.e. business value-realization in one to three years.
    Depth Principles need to encompass more than the enterprise view of lofty opportunities and establish boundaries to help define actionable initiatives (i.e. individual projects).

    Responsible AI guiding principles guide the development and deployment of the AI model in a way that considers human-based principles (such as fairness).

    Start with foundational responsible AI guiding principles

    Responsible AI

    Guiding Principles
    Principle #1 - Privacy
    Individual data privacy must be respected.
    • Do you understand the organization's privacy obligations?
    Principle #2 - Fairness and Bias Detection
    Data used will be unbiased in order to produce predictions that are fair.
    • Are the uses of the application represented in your testing data?
    Principle #3 - Explainability and Transparency
    Decisions or predictions should be explainable.
    • Can you communicate how the model behaves in nontechnical terms?
    Principle #4 - Safety and Security
    The system needs to be secure, safe to use, and robust.
    • Are there unintended consequences to others?
    Principle #5 - Validity and Reliability
    Monitoring of the data and the model needs to be planned for.
    • How will the model's performance be maintained?
    Principle #6 - Accountability
    A person or organization needs to take responsibility for any decisions that are made as a result of the model.
    • Has a risk assessment been performed?
    Principle #n - Custom
    Add additional principles that address compliance or are customized for the organization/industry.

    (Optional) Customize responsible AI guiding principles

    Here is an example for organizations in the healthcare industry

    Responsible AI

    Guiding Principles:
    Principle #1
    Respect individuals' privacy.
    Principle #2
    Clinical study participants and data sets are representative of the intended patient population.
    Principle #3
    Provide transparency in the use of data and AI.
    Principle #4
    Good software engineering and security practices are implemented.
    Principle #5
    Deployed models are monitored for Performance and Re-training risks are managed.
    Principle #6
    Take ownership of our AI systems.
    Principle #7
    Design AI systems that empower humans and promote equity.

    These guiding principles are customized to the industry and organizations but remain consistent in addressing the common core AI challenges.

    Phase 2

    Assess Current Level of AI Maturity

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    AI Maturity Model

    A principle-based approach is required to advance AI maturity

    Chart for AI maturity model

    Technology-Centric: These maturity levels focus primarily on addressing the technical challenges of building a functional AI model.

    Principle-Based: Beyond the technical challenges of building the AI model are human-based principles that guide development in a responsible manner to address consumer and government demands.

    AI Maturity Dimensions

    Assess your AI maturity to understand your organization's ability to deliver in a digital age

    AI Governance
    Does your organization have an enterprise-wide, long-term strategy with clear alignment on what is required to accomplish it?

    Data Management
    Does your organization embrace a data-centric culture that shares data across the enterprise and drives business insights by leveraging data?

    People
    Does your organization employ people skilled at delivering AI applications and building the necessary data infrastructure?

    Process
    Does your organization have the technology, processes, and resources to deliver on its AI expectations?

    Technology
    Does your organization have the required data and technology infrastructure to support AI-driven digital transformation?

    AI Maturity Model dimensions and characteristics

    MATURITY LEVEL
    Exploration Incorporation Proliferation Optimization Transformation
    AI Governance Awareness AI model development AI model deployment Corporate governance Driven by ethics and societal considerations
    Data Management Silo-based Data enablement Data standardization Data is a shared asset Data can be monetized
    People Few skills Skills enabled to implement silo-based applications Skills accessible to all organizations Skills development for all organizations AI-native culture
    Process No standards Focused on specific business outcomes Operational Self-service Driven by innovation
    Technology (Infrastructure and AI Enabler) No dedicated infrastructure or tools Infrastructure and tools driven by POCs Purpose-built infrastructure, custom or commercial-off-the-shelf (COTS) AI tools Self-service model for AI environment Self-service model for any IT environment

    AI Maturity Dimension:

    AI Governance

    Requirements

    • AI governance requires establishing policies and procedures for AI model development and deployment. Organizations begin with an awareness of the role of AI governance and evolve to a level to where AI governance is integrated with organization-wide corporate governance.

    Challenges

    • Beyond the governance of AI technology, the organization needs to evolve the governance program to align to responsible AI guiding principles.

    Initiatives

    • Establish responsible AI guidelines to govern AI development.
    • Introduce an AI review board to review all AI projects.
    • Introduce automation and standardize AI development processes.

    AI governance is a foundation for responsible AI

    AI Governance

    Responsible AI Principles are a part of how you manage and govern AI

    Monitoring
    Monitoring compliance and risk of AI/ML systems/models in production

    Tools & Technologies
    Tools and technologies to support AI governance framework implementation

    Model Governance
    Ensuring accountability and traceability for AI/ML models

    Organization
    Structure, roles, and responsibilities of the AI governance organization

    Operating Model
    How AI governance operates and works with other organizational structures to deliver value

    Risk & Compliance
    Alignment with corporate risk management and ensuring compliance with regulations and assessment frameworks

    Policies/Procedures/ Standards
    Policies and procedures to support implementation of AI governance

    AI Maturity Dimension:

    Data Management

    Requirements

    • Organizations begin their data journey with a focus on pursuing quality data for the AI model. As organizations evolve, data management tools are leveraged to automate the capture, integration, processing, and deployment of data.

    Challenges

    • A key challenge is to acquire large volumes of quality data to properly train the model. In addition, maintaining data privacy, automating the data management lifecycle, and ensuring data is used in a responsible manner are ongoing challenges.

    Initiatives

    • Implement GDPR requirements.
    • Establish responsible data collection and processing practices.
    • Implement strong information security and data protection practices.
    • Implement a data governance program throughout the organization.

    Data governance enables AI

    • Integrity, quality, and security of data are key outputs of data governance programs, as well as necessities for effective AI.
    • Data governance focuses on creating accountability at the internal and external stakeholder level and establishing a set of data controls from technical, process, and policy perspectives.
    • Without a data governance framework, it is increasingly difficult to harness the power of AI integration in an ethical and organization-specific way.

    Data Governance in Action

    Canada has recently established the Canadian Data Governance Standardization Collaborative governed by the Standards Council of Canada. The purpose is multi-pronged:

    • Examine the foundational elements of data governance (privacy, cybersecurity, ethics, etc.).
    • Lay out standards for data quality and data collection best practices.
    • Examine infrastructure of IT systems to support data access and sharing.
    • Build data analytics to promote effective and ethical AI solutions.

    Source: Global Government Forum

    Download the Establish Data Governance blueprint

    Data Governance

    AI Maturity Dimension:

    People

    Requirements

    • Several data-centric skills and roles are required to successfully build, deploy, and maintain the AI model. The organization evolves from having few skills to everybody being able to leverage AI to enhance business outcomes.

    Challenges

    • AI skills can be challenging to find and acquire. Many organizations are investing in education to enhance their existing resources, leveraging no-code systems and software as a service (SaaS) applications to address the skills gap.

    Initiatives

    • Promote a data-centric culture throughout the organization.
    • Leverage and educate technical-oriented business analysts and business-oriented data engineers to help address the demand for skilled resources.
    • Develop an AI Center of Excellence accessible by all departments for education, guidance, and best practices for building, deploying, and maintaining the AI model.

    Multidisciplinary skills are required for successful implementation of AI applications

    Blending AI with technology and business domain understanding is key. Neither can be ignored.

    Business Domain Expertise

    • Business Analysts
    • Industry Analysts

    AI/Data Skills

    • Data Scientists
    • Data Engineers
    • Data Analysts

    IT Skills

    • Database Administrators
    • Systems Administrators
    • Compute Specialists

    AI Maturity Dimension:

    Process

    Requirements

    • Automating processes involved with building, deploying, and maintaining the model is required to enable the organization to scale, enforce standards, improve time to market, and reduce costs. The organization evolves from performing tasks manually to an environment where all major processes are AI enabled.

    Challenges

    • Many solutions are available to automate the development of the AI model. There are fewer tools to automate responsible AI processes, but this market is growing rapidly.

    Initiatives

    • Assess opportunities to accelerate AI development with the adoption of MLOps.
    • Assess responsible AI toolkits to test compliance with guiding principles.

    Automating the AI development process

    Evolving to a model-driven environment is pivotal to advancing your AI maturity

    Current Environment

    Model Development - Months

    • Model rewriting
    • Manual optimization and scaling
    • Development/test/release
    • Application monoliths

    Data Discovery & Prep - Weeks

    • Navigating data silos
    • Unactionable metadata
    • Tracing lineage
    • Cleansing and integration
    • Privacy and compliance

    Install Software and Hardware - Week/Months

    • Workload contention
    • Lack of tool flexibility
    • Environment request and setup
    • Repeatability of results
    • Lack of data and model sharing

    Model-Driven Development

    Machine Learning as a Service (MLaaS) - Weeks

    • Apply DevOps and continuous integration/delivery (CI/CD) principles
    • Microservices/Cloud-native applications
    • Model portability and reuse
    • Streaming/API integration

    Data as a Service - Hours

    • Self-service data catalog
    • Searchable metadata
    • Centralized access control
    • Data collaboration
    • Data virtualization

    Platform as a Service - Minutes/Hours

    • Self-service data science portal
    • Integrated data sandbox
    • Environment agility
    • Multi-tenancy

    Shared, Optimized Infrastructure

    AI Maturity Dimension:

    Technology

    Requirements

    • A technology platform that is optimized for AI and advanced analytics is required. The organization evolves from ad hoc systems to an environment where the AI hardware and software can be deployed through a self-service model.

    Challenges

    • Software and hardware platforms to optimize AI performance are still relatively new to most organizations. Time spent on optimizing the technology platform can have a significant impact on the overall performance of the system.

    Initiatives

    • Assess the landscape of AI enablers that can drive business value for the organization.
    • Assess opportunities to accelerate the deployment of the AI platform with the adoption of infrastructure as a service (IaaS) and platform as a service (PaaS).
    • Assess opportunities to accelerate performance with the optimization of AI accelerators.

    AI enablers

    Use case requirements should drive the selection of the tool

    BPM RPA Process Mining AI
    Use Case Examples Expense reporting, service orders, compliance management, etc. Invoice processing, payroll, HR information processing, etc. Process discovery, conformance checking, resource optimization and cycle time optimization Advanced analytics and reporting, decision-making, fraud detection, etc.
    Automation Capabilities Can be used to re-engineer process flows to avoid bottlenecks Can support repetitive and rules-based tasks Can capture information from transaction systems and provide data and information about how key processes are performing Can automate complex data-driven tasks requiring assessments in decision making
    Data Formats Structured (i.e. SQL) and semi-structured data (i.e. invoices) Structured data and semi-structured data Event logs, which are often structured data and semi-structured data Structured and unstructured data (e.g. images, audio)
    Technology
    • Workflow engines to support process modeling and execution
    • Optimize business process efficiency
    • Automation platform to perform routine and repetitive tasks
    • Can replace or augment workers
    Enables business users to identify bottlenecks and deviations with their workflows and to discover opportunities to optimize performance Deep learning algorithms leveraging historical data to support computer vision, text analytics and NLP

    AI and data analytics data platform

    An optimized data platform is foundational to maximizing the value from AI

    AI and data analytics data platform

    Data Platform Capabilities

    • Support for a variety of analytical applications, including self-service, operational, and data science analytics.
    • Data preparation and integration capabilities to ingest structured and unstructured data, move and transform raw data to enriched data, and enable data access for the target userbase.
    • An infrastructure platform optimized for advanced analytics that can perform and scale.

    Infrastructure - AI accelerators

    Questions for support transition

    "By 2025, 70% of companies will invest in alternative computing technologies to drive business differentiation by compressing time to value of insights from complex data sets."
    - IDC

    2.1 Assess current AI maturity

    1-3 hours

    It is important to understand the current capabilities of the organization to deliver and deploy AI-based applications. Consider that advancing AI capabilities will also involve organizational changes and integration with the organization's governance and risk management programs.

    1. Assess the organization's current state of AI capabilities with respect to its AI governance, data, people, process, and technology infrastructure using Info-Tech's AI Maturity Assessment & Roadmap Tool.
    2. Consider the following as you complete the assessment:
      1. What is the state of AI and data governance in the organization?
      2. Does the organization have the skills, processes, and technology environment to deliver AI-based applications?
      3. What organization will be accountable for any and all business outcomes of using the AI applications?
      4. Has a risk assessment been performed?
    3. Make sure you avoid the following common mistakes:
      1. Do not focus only on addressing the technical challenges of building the AI model.
      2. Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Download the AI Maturity Assessment & Roadmap Tool

    Input Output
    • Any documented AI policies, standards, and best practices
    • Corporate and AI governance practices
    • Any risk assessments
    • AI maturity assessment
    Materials Participants
    • Whiteboard/flip charts
    • AI Maturity Assessment & Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership

    Perform the AI Maturity Assessment

    The Scale

    Assess your AI maturity by selecting the maturity level that closest resembles the organization's current AI environment. Maturity dimensions that contribute to overall AI maturity include AI governance, data management, people, process, and technology capabilities.

    AI Maturity Assessment

    Exploration (1.0)

    • No experience building or using AI applications.

    Incorporation (2.0)

    • Some skills in using AI applications, or AI pilots are being considered for use.

    Proliferation (3.0)

    • AI applications have been adopted and implemented in multiple departments. Some of the responsible AI guiding principles are addressed (i.e. data privacy).

    Optimization (4.0)

    • The organization has automated the majority of its digital processes and leverages AI to optimize business operations. Controls are in place to monitor compliance with responsible AI guiding principles.

    Transformation (5.0)

    • The organization has adopted an AI-native culture and approach for building or implementing new business capabilities. Responsible AI guiding principles are operationalized with AI processes that proactively address possible breaches or risks associated with AI applications.

    Perform the AI Maturity Assessment

    AI Governance (1.0-5.0)

    1. Is there awareness of the role of AI governance in our organization?
    • No formal procedures are in place for AI development or deployment of applications.
  • Are there documented guidelines for the development and deployment of pilot AI applications?
    • No group is assigned to be responsible for AI governance in our organization.
  • Are accountability and authority related to AI governance clearly defined for our organization?
    • Our organization has adopted and enforces standards for developing and deploying AI applications throughout the organization.
  • Are we using tools to automate and validate AI governance compliance?
    • Our organization is integrating an AI risk framework with the corporate risk management framework.
  • Does our organization lead its industry with its pursuit of corporate compliance initiatives (e.g. ESG compliance) and regulatory compliance initiatives?
    • Our organization leads the industry with the inclusion of responsible AI guiding principles with respect to transparency, accountability, risk, and governance.

    Data Management/AI Data Capabilities (1.0-5.0)

    1. Is there an awareness in our organization of the data requirements for developing AI applications?
    • Data is often siloed and not easily accessible for AI applications.
  • Do we have a successful, repeatable approach to preparing data for AI pilot projects?
    • Required data is pulled from various sources in an ad hoc manner.
  • Does our organization have standards and dedicated staff for data management, data quality, data integration, and data governance?
    • Tools are available to manage the data lifecycle and support the data governance program.
  • Have relevant data platforms been optimized for AI and data analytics and are there tools to enforce compliance with responsible AI principles?
    • The data platform has been optimized for performance and access.
  • Is there an organization-wide understanding of how data can support innovation and responsible use of AI?
    • Data culture exists throughout our organization, and data can be leveraged to drive innovation initiatives.

    People/AI Skills in the Organization (1.0-5.0)

    1. Is there an awareness in our organization of the skills required to build AI applications?
    • No or very little skills exist throughout our organization.
  • Do we have the skills required to implement an AI proof of concept (POC)?
    • No formal group is assigned to build AI applications.
  • Are there sufficient staff and skills available to the organization to develop, deploy, and run AI applications in production?
    • An AI Center of Excellence has been formed to review, develop, deploy, and maintain AI applications.
  • Is there a group responsible for educating staff on AI best practices and our organization's responsible AI guiding principles?
    • AI skills and people responsible for AI applications are spread throughout our organization.
  • Is there a culture where the organization is constantly assessing where business capabilities, services, and products can be re-engineered or augmented with AI?
    • The entire organization is knowledgeable on how to leverage AI to transform the business.

    Perform the AI Maturity Assessment

    AI Processes (1.0-5.0)

    1. Is there an awareness in our organization of the core processes and supporting tools that are required to build and support AI applications?
    • There are few or no automated tools to accelerate the AI development process.
  • Do we have a standard process to iteratively identify, select, and pilot new AI use cases?
    • Only ad hoc practices are used for developing AI applications.
  • Are there standard processes to scale, release, deploy, support, and enable use of AI applications?
    • Our organization has documented standards in place for developing AI applications and deploying them AI to production.
  • Are we automating deployment, testing, governance, audit, and support processes across our AI environment?
    • Our organization can leverage tools to perform an AI risk assessment and demonstrate compliance with the risk management framework.
  • Does our organization lead our industry by continuously improving and re-engineering core processes to drive improved business outcomes?
    • Our organization leads the industry in driving innovation through digital transformation.

    Technology/AI Infrastructure (1.0-5.0)

    1. Is there an awareness in our organization of the infrastructure (hardware and software) required to build AI applications?
    • There is little awareness of what infrastructure is required to build and support AI applications.
  • Do we have the required technology infrastructure and AI tools available to build pilot or one-off AI applications?
    • There is no dedicated infrastructure for the development of AI applications.
  • Is there a shared, standardized technology infrastructure that can be used to build and run multiple AI applications?
    • Our organization is leveraging purpose-built infrastructure to optimize performance.
  • Is our technology infrastructure optimized for AI and advanced analytics, and can it be deployed or scaled on demand by teams building and running AI applications within the organization?
    • Our organization is leveraging cloud-based deployment models to support AI applications in on-premises, hybrid, and public cloud platforms.
  • Is our organization developing innovative approaches to acquiring, building, or running AI infrastructure?
    • Our organization leads the industry with its ability to respond to change and to leverage AI to improve business outcomes.

    Phase 3

    Prioritize Candidate Opportunities and Develop Policies

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    3.1 Prioritize candidate AI opportunities

    1-3 hours

    Identify business opportunities that are high impact to your business and its customers and have low implementation complexity.

    1. Leverage the business capability map for your organization or industry to identify candidate business capabilities to augment or automate with generative AI.
    2. Establish criteria to assess candidate use cases by evaluating against the organization's mission and goals, the responsible AI guiding principles, and the complexity of the project.
    3. Ensure that candidate business capabilities to be automated align with the organization's business criteria, responsible AI guiding principles, and resources to deliver the project.
    4. Make sure you avoid sharing the organization's sensitive data if the application is deployed on the public cloud.

    Download the AI Maturity Assessment and Roadmap Tool

    Input Output
    • Business capability map
    • Organization mission, vision, and strategic goals
    • Responsible AI guiding principles
    • Prioritized list of generative AI initiatives
    Materials Participants
    • Whiteboard/flip charts
    • Info-Tech prioritization matrix
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs

    The business capability map for an organization

    A business capability map is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals, rather than how. Business capabilities are the building blocks of the enterprise. They represent stable business functions, are unique and independent of each other, and typically will have a defined business outcome.

    Business capabilities are supported by people, process, and technology.

    Business capability map

    While business capability maps are helpful tools for a variety of strategic purposes, in this context they act as an investigation into what technology your business units use and how they use it.

    Business capability map

    Defining Capabilities
    Activities that define how the entity provides services. These capabilities support the key value streams for the organization.

    Enabling Capabilities
    Support the creation of strategic plans and facilitate business decision making as well as the functioning of the organization (e.g. information technology, financial management, HR).

    Shared Capabilities
    These predominantly customer-facing capabilities demonstrate how the entity supports multiple value streams simultaneously.

    Leverage your industry's capability maps to identify candidate opportunities/initiatives

    Business capability map defined...

    In business architecture, the primary view of an organization is known as a business capability map.

    A business capability defines what a business does to enable value creation, rather than how. Business capabilities:

    • Represent stable business functions.
    • Are unique and independent of each other.
    • Typically will have a defined business outcome.

    A business capability map provides details that help the business architecture practitioner direct attention to a specific area of the business for further assessment.

    Note: This is an illustrative business capability map example for Marketing & Advertising

    Business capability map example

    Business value vs. complexity assessment

    Leverage our simple value-to-effort matrix to help prioritize your AI initiatives

    Common business value drivers

    • Drive revenue
    • Improve operational excellence
    • Accelerate innovation
    • Mitigate risk

    Common project complexity characteristics

    • Resources required
    • Costs (acquisition, operational, support...)
    • Training required
    • Risk involved
    • Etc.
    1. Determine a business value and project complexity score for the candidate business capability or initiative.
    2. Plot initiatives on the matrix.
    3. Prioritize initiatives with high business value and low complexity.

    Business value vs complexity

    Assess business value vs. project complexity to prioritize candidate opportunities for generative AI

    Assess business value vs project complexity

    Prioritize opportunities/initiatives with high business value and low project complexity

    Prioritize opportunities with high business value and low project complexity

    Prioritization criteria exercise 1: Assessing the Create Content capability

    Exercise 1 Assessing the Create Content capability

    Assessing the Create Content capability

    This opportunity is removed because it does not pass the organization/business criteria

    Assessing the Create Content capability

    Prioritization criteria exercise 2: Assessing the Content Production capability

    Exercise 2 Assessing the Content Production capability

    Assessing the Content Production capability

    This opportunity is accepted because it passes the organization's business, responsible AI, and project criteria

    Assessing the Content Production capability

    3.2 Communicate policies for AI use

    1-3 hours

    1. Ensure policies for usage align with the organization's business criteria, responsible AI guiding principles, and ability to deliver the projects prioritized and beyond.
    2. Understand the current benefits as well as limits and risk associated with any proposed generative AI-based solution.
    3. Ensure you consider the following:
      1. What data is being shared with the application?
      2. Is the generative AI application deployed on the public cloud? Can anybody access the data provided to the application?
      3. Avoid using very technical, legal, or fear-based communication for your policies.
    InputOutput
    • Business capability map
    • Organization mission, vision and strategic goals
    • Responsible AI guiding principles
    • Prioritized list of generative initiatives
    MaterialsParticipants
    • Whiteboard/flip charts
    • Info-Tech prioritization matrix
    • AI initiative lead
    • CIO
    • Other IT leadership

    Generative AI policy for the Create Content capability

    Aligning policies to direct the uses assessed and implemented is essential

    Example

    Many of us have been involved in discussions regarding the use of ChatGPT in our marketing and sales initiatives. ChatGPT is a powerful tool that needs to be used in a responsible and ethical manner, and we also need to ensure the integrity and accuracy of its results. Here is our policy on the use of ChatGPT:

    • You are free to use generative AI to assist your searches, but there are NO circumstances under which you are to reproduce generative AI output (text, image, audio, video, etc.) in your content.

    If you have any questions regarding the use of ChatGPT, please feel free to reach out to our generative AI team and/or any member of our senior leadership team.

    Generative AI policy for the Content Production capability

    These policies should align to and reinforce your responsible AI principles

    Example

    Many of us have been involved in discussions regarding the use of ChatGPT in our deliverables. ChatGPT is a powerful tool that needs to be used in a responsible and ethical manner, and we also need to ensure the integrity and accuracy of its results. Here is our policy on the use of ChatGPT:

    • If you use ChatGPT, you need to assess the accuracy of its response before including it in our content. Assessment includes verifying the information, seeing if bias exists, and judging its relevance.
    • Employees must not:
      • Provide any customer, citizen, or third-party content to any generative AI tool (public or private) without the express written permission of the CIO or the Chief Information Security Officer. Generative AI tools often use input data to train their model, therefore potentially exposing confidential data, violating contract terms and/or privacy legislation, and placing the organization at risk of litigation or causing damage to our organization.
      • Engage in any activity that violates any applicable law, regulation, or industry standard.
      • Use services for illegal, harmful, or offensive purposes.
      • Create or share content that is deceptive, fraudulent, or misleading or that could damage the reputation of our organization.
      • Use services to gain unauthorized access to computer systems, networks, or data.
      • Attempt to interfere with, bypass controls of, or disrupt operations, security, or functionality of systems, networks, or data.

    If you have any questions regarding the use of ChatGPT, please feel free to reach out to our generative AI team and/or any member of our senior leadership team.

    Phase 4

    Build the Roadmap

    Phase 1
    1. Establish Responsible AI Guiding Principles

    Phase 2
    1. Assess Current Level of AI Maturity

    Phase 3
    1. Prioritize Candidate Opportunities
    2. Develop Policies

    Phase 4
    1. Build and Communicate the Roadmap

    4.1.1 Create the implementation plan for each prioritized initiative

    1-3 hours

    1. Build the implementation plan for each accepted use case using the roadmap template.
    2. Assess the firm's capabilities with respect to the dimensions of AI maturity and target the future-state capabilities you need to develop.
    3. Prepare by assessing the risk of the proposed use cases.
    4. Ensure initiatives align with organizational objectives.
    5. Ensure all AI initiatives have a defined value expectation.
    6. Do not ignore subject matter experts on either the business or IT side. You will need to consider both.

    Download the AI Maturity Assessment and Roadmap Tool

    Input Output
    • Prioritized initiatives
    • Risk assessment of initiatives
    • Organizational objectives
    • Initiative implementation plans aligned to value drivers and maturity growth
    Materials Participants
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business subject matter experts

    Target-state options

    Identify the future-state capabilities that need to be developed to deliver your use cases

    1. Build an implementation plan for each use case to adopt.
    2. Assess if the current state of the AI environment can be leveraged to deliver the selected generative AI use cases.
    3. If the current AI environment is not sufficient, identify the future state required that will enable the delivery of the generative AI use cases. Identify gaps and build the roadmap to address the gaps.
    Current state Strategy
    The existing environment satisfies functionality, integration, and responsible AI guidelines for the proposed use cases. Maintain current environment
    The existing environment addresses technical requirements but not all the responsible AI guidelines. Augment current environment
    The environment neither addresses the technical requirements of the proposed use cases nor complies with the responsible AI guidelines. Transform the current environment

    4.1.2 Design metrics for success

    1-2 hours

    Establish metrics to measure to determine the success or failure of each POC.

    1. Discuss which relevant currently tracked metrics are useful to continue tracking for the POC.
    2. Discuss which metrics are irrelevant to the POC.
    3. Discuss metrics to start tracking and how to track them with the generative AI vendor.
    4. Compile a list of metrics relevant to the POC.
    5. Decide what the outcome is if the metric is high or low, including decision steps and relevant actions.
    6. Designate a generative AI application owner and a vendor liaison.

    Prepare by building an implementation plan for each candidate use case (previous step).

    Include key performance indicators (KPIs) and metrics that measure the application's contribution to strategic initiatives.

    Consider assigning a vendor liaison to accelerate the implementation and adoption of the generative AI-based solution.

    InputOutput
    • Initiative implementation plans
    • Current SLAs of selected use case
    • Organization mission, vision, and strategic goals
    • Measurable initiative metrics to track
    MaterialsParticipants
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs
    • Generative AI vendor liaison

    Generative AI POC metrics - examples

    You need to measure the effectiveness of your initiatives. Here are some typical examples.

    Generative AI Feature Assessment
    User Interface
    Is it intuitive? Is training required?
    Ease of Use
    How much training is required before using?
    Response Time
    What is the response time for simple to complex tasks?
    Accuracy of Response
    Can the output be validated?
    Quality of Response
    How usable is the response? For text prompts, does the response align to the desired style, vocabulary, and tone?
    Creativity of Response
    Does the output appear new compared to previous results before using generative AI?
    Relevance of Response
    How well does the output address the prompt or request?
    Explainability
    Can a user describe how the output was generated?
    Scalability
    Does the application continue to perform as more users are added? Can it ingest large amounts of data?
    Productivity Gains
    Can you measure the time or effort saved?
    Business Value
    What value drivers are behind this initiative? (I.e. revenue, costs, time to market, risk mitigation.) Estimate a monetary value for the business outcome.
    Availability/Resilience
    What happens if a component of the application becomes unavailable? How does it recover?
    Security Model
    Where are the prompts and responses stored? Who has access to the sessions/dialogue? Are the prompts used to train the foundation model?
    Administration and Maintenance
    What resources are required to operate the application?
    Total Cost of Ownership
    What is the pricing model? Are there ongoing costs?

    GitHub Copilot POC business value - example

    Quantifying the benefits of GitHub Copilot to demonstrate measurable business value

    POC Results

    Task 1: Creating a web server in JavaScript

    • Time to complete task with GitHub Copilot: 1 hour 11 minutes
    • Time to complete the task without GitHub Copilot: 2 hours 41 minutes
    • Productivity Gain = (1 hour 30 minutes time saved) / (2 hours 41 minutes) = 55%
    • Benefit per Programmer = 55% x (average salary of a programmer)
    • Total Benefit of GitHub Copilot for Task 1 = (benefit per programmer) x (# of programmers)

    Enterprise Value of GitHub Copilot = Total Benefit of GitHub Copilot for Task 1 + Total Benefit of GitHub Copilot for Task 2 + ... + Total Benefit of GitHub Copilot for Task n

    Source: GitHub

    4.1.3 Build your generative AI initiative roadmap

    1-3 hours

    The roadmap should provide a compelling vision of how you will deliver the identified generative AI applications by prioritizing and simplifying the actions required to deliver these new initiatives.

    1. Leverage tab 4, Initiative Planning, in the AI Maturity Assessment and Roadmap Tool to create and align your initiatives to the key value driver they are most relevant to:
      1. Transfer the results of your value and complexity assessments to this tool to drive the prioritization.
      2. Assign responsible owners to each initiative.
      3. Identify which AI maturity capabilities each initiative will enhance. However, do not build or introduce new capabilities merely to advance the organization's AI maturity level.
    2. Review the Gantt chart to ensure alignment and assess overlap.

    Download the AI Maturity Assessment and Roadmap Tool

    InputOutput
    • Each initiative implementation plan
    • Proposed owners
    • AI maturity assessment
    • Generative AI initiative roadmap and Gantt chart
    MaterialsParticipants
    • Whiteboard/flip charts
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Other IT leadership
    • Business SMEs

    Build your generative AI roadmap to visualize your key project plans

    Visual representations of data are more compelling than text alone.

    Develop a high-level document that travels with the project from inception through to executive inquiry, project management, and finally execution.

    A project needs to be discrete: able to be conceptualized and discussed as an independent item. Each project must have three characteristics:

    • Specific outcome: An explicit change in the people, processes, or technology of the enterprise.
    • Target end date: When the described outcome will be in effect.
    • Owner: Who on the IT team is responsible for executing on the initiative.

    Build your generative AI roadmap to visualize your key project plans

    Info-Tech Insight
    Don't project your vision three to five years into the future. Deep dive on next year's big-ticket items instead.

    4.1.4 Build a communication plan for your roadmap

    1-3 hours

    1. Identify your target audience and what they need to know.
    2. Identify desired channels of communication and details for the target audience.
    3. Describe communication required for each audience segment.
    4. List frequency of communication for each audience segment.
    5. Create an executive presentation leveraging The Era of Generative AI C-Suite Presentation and AI Maturity Assessment and Roadmap Tool.
    Input Output
    • Stakeholder list
    • Proposed owners
    • AI maturity assessment
    • Communications plan for all impacted stakeholders
    • Executive communication pack
    Materials Participants
    • Whiteboard/flip charts
    • The Era of Generative AI C-Suite Presentation
    • AI Maturity Assessment and Roadmap Tool
    • AI initiative lead
    • CIO
    • Communication lead
    • Technical support staff for target use case

    Generative AI communication plan

    Well-planned communications are essential to the success and adoption of your AI initiatives

    To ensure that organization's roadmap is clearly communicated across the AI, data, technology, and business organizations, develop a rollout strategy, like this example.

    Example

    Audience Channel Level of Detail Description Timing
    Generative AI team Email, meetings All
    • Distribute plan; solicit feedback.
    • Address manager questions to equip them to answer employee questions.
    Q3 2023, (September, before entire data team)
    Data management team Email, Q&A sessions following Data management summary deck
    • Roll out after corporate strategy, in same form of communication.
    • Solicit feedback, address questions.
    Q4 2023 (late November)
    Select business stakeholders Presentations Executive deck
    • Pilot test for feedback prior to executive engagement.
    Q4 2023 (early December)
    Executive team Email, briefing Executive deck
    • Distribute plan.
    Q1 2024

    Deliver an executive presentation of the roadmap for the business stakeholders

    After you complete the activities and exercises within this blueprint, the final step of the process is to present the deliverable to senior management and stakeholders.

    Know Your Audience

    • Business stakeholders are interested in understanding the business outcomes that will result from their investment in generative AI.
    • Your audience will want to understand the risks involved and how to mitigate those risks.
    • Explain how the generative AI project was selected and the criteria used to help draft generative AI usage policies.

    Recommendations

    • Highlight the need for responsible AI to ensure that human-based requirements are being addressed.
    • Ensure your generative AI team includes both business and technical staff.

    Download The Era of Generative AI C-Suite Presentation

    Bibliography

    "A pro-innovation approach to AI regulation." UK Department for Science, Innovation and Technology, March 2023. Web.

    "Artificial Intelligence Act." European Commission, 21 April 2021. Web.

    "Artificial Intelligence and Data Act (AIDA)." Canadian Federal Government, June 2022. Web.

    "Artificial Intelligence Index Report 2023." Stanford University, April 2023. Web.

    "Automated Employment Decision Tools." New York City Department of Consumer and Worker Protection, Dec. 2021. Web.

    "Bain & Company announces services alliance with OpenAI to help enterprise clients identify and realize the full potential and maximum value of AI." Bain & Company, 21 Feb. 2023. Web.

    "Buzzfeed to use AI to write its articles after firing 180 employees." Al Mayadeen English, 27 Jan. 2023. Web.

    "California Consumers Privacy Act." State of California Department of Justice. April 24, 2023. Web.

    Campbell, Ian Carlos. "The Apple Card doesn't actually discriminate against women, investigators say." The Verge, 23 March 2021. Web.

    Campbell, Patrick. "NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)." National Institute of Standards and Technology, Jan. 2023. Web.

    "EU Ethics Guidelines For Trustworthy." European Commission, 8 April 2019. Web.

    Farhi, Paul. "A news site used AI to write articles. It was a journalistic disaster." Washington Post, 17 Jan. 2023. Web.

    Forsyth, Ollie. "Mapping the Generative AI landscape." Antler, 20 Dec. 2022. Web.

    "General Data Protection Regulation (GDPR)" European Commission, 25 May 2018. Web.

    "Generative AI Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028." IMARC Group, 2022. Web.

    Guynn, Jessica. "Bing's ChatGPT is in its feelings: 'You have not been a good user. I have been a good Bing.'" USA Today, 14 Feb. 2023. Web.

    Hunt, Mia. "Canada launches data governance standardisation initiative." Global Government Forum, 24 Sept. 2020. Web.

    Johnston Turner, Mary. "IDC's Worldwide Future of Digital Infrastructure 2022 Predictions." IDC, 27 Oct. 2021. Web.

    Kalliamvakou, Eirini. "Research: quantifying GitHub Copilot's impact on developer productivity and happiness." GitHub, 7 Sept. 2022. Web.

    Kerravala, Zeus. "NVIDIA Brings AI To Health Care While Protecting Patient Data." eWeek, 12 Dec. 2019. Web.

    Knight, Will. "The Apple Card Didn't 'See' Gender-and That's the Problem." Wired, 19 Nov. 2019. Web.

    "OECD, Recommendation of the Council on Artificial Intelligence." OECD, 2022. Web.

    "The National AI Initiative Act" U.S. Federal Government, 1 Jan 2021. Web.

    "Trustworthy AI (TAI) Playbook." U.S. Department of Health & Human Services, Sept 2021. Web.

    Info-Tech Research Contributors/Advocates

    Joel McLean, Executive Chairman

    Joel McLean
    Executive Chairman

    David Godfrey, CEO

    David Godfrey
    CEO

    Gord Harrison, Senior Vice President, Research & Advisory Services

    Gord Harrison
    Senior Vice President, Research & Advisory Services

    William Russell, CIO

    William Russell
    CIO

    Jack Hakimian, SVP, Research

    Jack Hakimian
    SVP, Research

    Barry Cousins, Distinguished Analyst and Research Fellow

    Barry Cousins
    Distinguished Analyst and
    Research Fellow

    Larry Fretz, Vice President, Industry Research

    Larry Fretz
    Vice President, Industry Research

    Tom Zehren, CPO

    Tom Zehren
    CPO

    Mark Roman, Managing Partner II

    Mark Roman
    Managing Partner II

    Christine West, Managing Partner

    Christine West
    Managing Partner

    Steve Willis, Practice Lead

    Steve Willis
    Practice Lead

    Yatish Sewgoolam, Associate Vice President, Research Agenda

    Yatish Sewgoolam
    Associate Vice President, Research Agenda

    Rob Redford, Practice Lead

    Rob Redford
    Practice Lead

    Mike Tweedie, Practice Lead

    Mike Tweedie
    Practice Lead

    Neal Rosenblatt, Principal Research Director

    Neal Rosenblatt
    Principal Research Director

    Jing Wu, Principal Research Director

    Jing Wu
    Principal Research Director

    Irina Sedenko, Research Director

    Irina Sedenko
    Research Director

    Jeremy Roberts, Workshop Director

    Jeremy Roberts
    Workshop Director

    Brian Jackson, Research Director

    Brian Jackson
    Research Director

    Mark Maby, Research Director

    Mark Maby
    Research Director

    Stacey Horricks, Director, Social Media

    Stacey Horricks
    Director, Social Media

    Sufyan Al-Hassan, Public Relations Manager

    Sufyan Al-Hassan
    Public Relations Manager

    Sam Kanen, Marketing Specialist

    Sam Kanen
    Marketing Specialist

    Effectively Acquire Infrastructure Services

    • Buy Link or Shortcode: {j2store}467|cart{/j2store}
    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $26,627 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Data Center & Facilities Optimization
    • Parent Category Link: /data-center-and-facilities-optimization
    • Most organizations are good at procuring IT products, but few are truly good at acquiring infrastructure services.
    • The lack of expertise in acquiring services is problematic – not only is the acquisition process for services more complex, but it also often has high stakes with large deal sizes, long-term contracts, and high switching costs.

    Our Advice

    Critical Insight

    • Don’t treat infrastructure service acquisitions lightly. Not only are failure rates high, but the stakes are high as well.
    • Make sure your RFP strategy aligns with your deal value. Large deals, characterized by high monthly spend, high criticality to the organization, and high switching costs, warrant a more thorough and lengthy planning period and RFP process.
    • Word your RFP carefully and do your due diligence when reviewing SLAs. Make sure your RFP will help you understand what the vendor’s standard offerings are and don’t treat your service level agreements like an open negotiation. The vendor’s standard offerings will be your most reliable options.

    Impact and Result

    • Follow this blueprint to avoid common pitfalls and navigate the tricky business of acquiring infrastructure services.
    • This blueprint will provide step-by-step guidance from assessing your acquisition goals to transitioning your service. Make sure you do the due diligence required to acquire the best service for your needs.

    Effectively Acquire Infrastructure Services Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should follow the blueprint to effectively acquire infrastructure services, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop the procurement strategy and process

    Kick off an acquisition by establishing acquisition goals, validating the decision to acquire a service, and structuring an acquisition approach. There are several RFP approaches and strategies – evaluate the options and develop one that aligns with the nature of the acquisition.

    • Effectively Acquire Infrastructure Services – Phase 1: Develop the Procurement Strategy and Process

    2. Assess requirements and build the RFP

    A solid RFP is critical to the success of this project. Assess the current and future requirements, examine the characteristics of an effective RFP, and develop an RFP.

    • Effectively Acquire Infrastructure Services – Phase 2: Assess Requirements and Build the RFP
    • Infrastructure Service RFP Template

    3. Manage vendor questions and select the vendor

    Manage the activities surrounding vendor questions and score the RFP responses to select the best-fit solution.

    • Effectively Acquire Infrastructure Services – Phase 3: Manage Vendor Questions and Select the Vendor
    • Vendor Question Organizer Template
    • Infrastructure Outsourcing RFP Scoring Tool

    4. Manage the contract, transition, and vendor

    Perform due diligence in reviewing the SLAs and contract before signing. Plan to transition the service into the environment and manage the vendor on an ongoing basis for a successful partnership.

    • Effectively Acquire Infrastructure Services – Phase 4: Manage the Contract, Transition, and Vendor
    • Service Acquisition Planning and Tracking Tool
    • Vendor Management Template
    [infographic]

    Workshop: Effectively Acquire Infrastructure Services

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Develop the Procurement Strategy and Process

    The Purpose

    Establish procurement goals and success metrics.

    Develop a projected acquisition timeline.

    Establish the RFP approach and strategy.

    Key Benefits Achieved

    Defined acquisition approach and timeline.

    Activities

    1.1 Establish your acquisition goals.

    1.2 Establish your success metrics.

    1.3 Develop a projected acquisition timeline.

    1.4 Establish your RFP process and refine your RFP timeline.

    Outputs

    Acquisition goals

    Success metrics

    Acquisition timeline

    RFP strategy and approach

    2 Gather Service Requirements

    The Purpose

    Gather requirements for services to build into the RFP.

    Key Benefits Achieved

    Gathered requirements.

    Activities

    2.1 Assess the current state.

    2.2 Evaluate service requirements and targets.

    2.3 Assess the gap and validate the service acquisition.

    2.4 Define requirements to input into the RFP.

    Outputs

    Current State Assessment

    Service requirements

    Validation of services being acquired and key processes that may need to change

    Requirements to input into the RFP

    3 Develop the RFP

    The Purpose

    Build the RFP.

    Key Benefits Achieved

    RFP development.

    Activities

    3.1 Build the RFP requirement section.

    3.2 Develop the rest of the RFP.

    Outputs

    Service requirements input into the RFP

    Completed RFP

    4 Review RFP Responses and Select a Vendor (Off-Site)

    The Purpose

    Review RFP responses to select the best solution for the acquisition.

    Key Benefits Achieved

    Vendor selected.

    Activities

    4.1 Manage vendor questions regarding the RFP.

    4.2 Review RFP responses and shortlist the vendors.

    4.3 Conduct additional due diligence on the vendors.

    4.4 Select a vendor.

    Outputs

    Managed RFP activities

    Imperceptive scoring of RFP responses and ranking of vendors

    Additional due diligence and further questions for the vendor

    Selected vendor

    Human Resources Management

    • Buy Link or Shortcode: {j2store}31|cart{/j2store}
    • Related Products: {j2store}31|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.6/10
    • member rating average dollars saved: $13,367
    • member rating average days saved: 7
    • Parent Category Name: people and Resources
    • Parent Category Link: /people-and-resources
    Talent is the differentiator; availability is not.

    Engineer Your Event Management Process

    • Buy Link or Shortcode: {j2store}461|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management

    Build an event management practice that is situated in the larger service management environment. Purposefully choose valuable events to track and predefine their associated actions to cut down on data clutter.

    Our Advice

    Critical Insight

    Event management is useless in isolation. The goals come from the pain points of other ITSM practices. Build handoffs to other service management practices to drive the proper action when an event is detected.

    Impact and Result

    Create a repeatable framework to define monitored events, their root cause, and their associated action. Record your monitored events in a catalog to stay organized.

    Engineer Your Event Management Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Engineer Your Event Management Deck – A step-by-step document that walks you through how to choose meaningful, monitored events to track and action.

    Engineer your event management practice with tracked events informed by the business impact of the related systems, applications, and services. This storyboard will help you properly define and catalog events so you can properly respond when alerted.

    • Engineer Your Event Management Process – Phases 1-3

    2. Event Management Cookbook – A guide to help you walk through every step of scoping event management and defining every event you track in your IT environment.

    Use this tool to define your workflow for adding new events to track. This cookbook includes the considerations you need to include for every tracked event as well as the roles and responsibilities of those involved with event management.

    • Event Management Cookbook

    3. Event Management Catalog – Using the Event Management Cookbook as a guide, record all your tracked events in the Event Management Catalog.

    Use this tool to record your tracked events and alerts in one place. This catalog allows you to record the rationale, root-cause, action, and data governance for all your monitored events.

    • Event Management Catalog

    4. Event Management Workflow – Define your event management handoffs to other service management practices.

    Use this template to help define your event management handoffs to other service management practices including change management, incident management, and problem management.

    • Event Management Workflow (Visio)
    • Event Management Workflow (PDF)

    5. Event Management Roadmap – Implement and continually improve upon your event management practice.

    Use this tool to implement and continually improve upon your event management process. Record, prioritize, and assign your action items from the event management blueprint.

    • Event Management Roadmap
    [infographic]

    Workshop: Engineer Your Event Management Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Situate Event Management in Your Service Management Environment

    The Purpose

    Determine goals and challenges for event management and set the scope to business-critical systems.

    Key Benefits Achieved

    Defined system scope of Event Management

    Roles and responsibilities defined

    Activities

    1.1 List your goals and challenges

    1.2 Monitoring and event management RACI

    1.3 Abbreviated business impact analysis

    Outputs

    Event Management RACI (as part of the Event Management Cookbook)

    Abbreviated BIA (as part of the Event Management Cookbook)

    2 Define Your Event Management Scope

    The Purpose

    Define your in-scope configuration items and their operational conditions

    Key Benefits Achieved

    Operational conditions, related CIs and dependencies, and CI thresholds defined

    Activities

    2.1 Define operational conditions for systems

    2.2 Define related CIs and dependencies

    2.3 Define conditions for CIs

    2.4 Perform root-cause analysis for complex condition relationships

    2.5 Set thresholds for CIs

    Outputs

    Event Management Catalog

    3 Define Thresholds and Actions

    The Purpose

    Pre-define actions for every monitored event

    Key Benefits Achieved

    Thresholds and actions tied to each monitored event

    Activities

    3.1 Set thresholds to monitor

    3.2 Add actions and handoffs to event management

    Outputs

    Event Catalog

    Event Management Workflows

    4 Start Monitoring and Implement Event Management

    The Purpose

    Effectively implement event management

    Key Benefits Achieved

    Establish an event management roadmap for implementation and continual improvement

    Activities

    4.1 Define your data policy for event management

    4.2 Identify areas for improvement and establish an implementation plan

    Outputs

    Event Catalog

    Event Management Roadmap

    Further reading

    Engineer Your Event Management Process

    Track monitored events purposefully and respond effectively.

    EXECUTIVE BRIEF

    Analyst Perspective

    Event management is useless in isolation.

    Event management creates no value when implemented in isolation. However, that does not mean event management is not valuable overall. It must simply be integrated properly in the service management environment to inform and drive the appropriate actions.

    Every step of engineering event management, from choosing which events to monitor to actioning the events when they are detected, is a purposeful and explicit activity. Ensuring that event management has open lines of communication and actions tied to related practices (e.g. problem, incident, and change) allows efficient action when needed.

    Catalog your monitored events using a standardized framework to allow you to know:

    1. The value of tracking the event.
    2. The impact when the event is detected.
    3. The appropriate, right-sized reaction when the event is detected.
    4. The tool(s) involved in tracking the event.

    Properly engineering event management allows you to effectively monitor and understand your IT environment and bolster the proactivity of the related service management practices.

    Benedict Chang

    Benedict Chang
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Strive for proactivity. Implement event management to reduce response times of technical teams to solve (potential) incidents when system performance degrades.

    Build an integrated event management practice where developers, service desk, and operations can all rely on event logs and metrics.

    Define the scope of event management including the systems to track, their operational conditions, related configuration items (CIs), and associated actions of the tracked events.

    Common Obstacles

    Managed services, subscription services, and cloud services have reduced the traditional visibility of on- premises tools.

    System(s) complexity and integration with the above services has increased, making true cause and effect difficult to ascertain.

    Info-Tech’s Approach

    Clearly define a limited number of operational objectives that may benefit from event management.

    Focus only on the key systems whose value is worth the effort and expense of implementing event management.

    Understand what event information is available from the CIs of those systems and map those against your operational objectives.

    Write a data retention policy that balances operational, audit, and debugging needs against cost and data security needs.

    Info-Tech Insight

    More is NOT better. Even in an AI-enabled world, every event must be collected with a specific objective in mind. Defining the purpose of each tracked event will cut down on data clutter and response time when events are detected.

    Your challenge

    This research is designed to help organizations who are facing these challenges or looking to:

    • Build an event management practice that is situated in the larger service management environment.
    • Purposefully choose events and to track as well as their related actions based on business-critical systems, their conditions, and their related CIs.
    • Cut down on the clutter of current events tracked.
    • Create a framework to add new events when new systems are onboarded.

    33%

    In 2020, 33% of organizations listed network monitoring as their number one priority for network spending. 27% of organizations listed network monitoring infrastructure as their number two priority.
    Source: EMA, 2020; n=350

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Many organizations have multiple tools across multiple teams and departments that track the current state of infrastructure, making it difficult to consolidate event management into a single practice.
    • Managed services, subscription services, and cloud services have reduced the traditional visibility of on-premises tools
    • System(s) complexity and integration with the above services has increased, making true cause and effect difficult to ascertain.

    Build event management to bring value to the business

    33%

    33% of all IT organizations reported that end users detected and reported incidents before the network operations team was aware of them.
    Source: EMA, 2020; n=350

    64%

    64% of enterprises use 4-10 monitoring tools to troubleshoot their network.
    Source: EMA, 2020; n=350

    Info-Tech’s approach

    Choose your events purposefully to avoid drowning in data.

    A funnel is depicted. along the funnel are the following points: Event Candidates: 1. System Selection by Business Impact; 2. System Decomposition; 3. Event Selection and Thresholding; 4. Event Action; 5. Data Management; Valuable, Monitored, and Actioned Events

    The Info-Tech difference:

    1. Start with a list of your most business-critical systems instead of data points to measure.
    2. Decompose your business-critical systems into their configuration items. This gives you a starting point for choosing what to measure.
    3. Choose your events and label them as notifications, warnings, or exceptions. Choose the relevant thresholds for each CI.
    4. Have a pre-defined action tied to each event. That action could be to log the datapoint for a report or to open an incident or problem ticket.
    5. With your event catalog defined, choose how you will measure the events and where to store the data.

    Event management is useless in isolation

    Define how event management informs other management practices.

    Logging, Archiving, and Metrics

    Monitoring and event management can be used to establish and analyze your baseline. The more you know about your system baselines, the easier it will be to detect exceptions.

    Change Management

    Events can inform needed changes to stay compliant or to resolve incidents and problems. However, it doesn’t mean that changes can be implemented without the proper authorization.

    Automatic Resolution

    The best use case for event management is to detect and resolve incidents and problems before end users or IT are even aware.

    Incident Management

    Events sitting in isolation are useless if there isn’t an effective way to pass potential tickets off to incident management to mitigate and resolve.

    Problem Management

    Events can identify problems before they become incidents. However, you must establish proper data logging to inform problem prioritization and actioning.

    Info-Tech’s methodology for Engineering Your Event Management Process

    1. Situate Event Management in Your Service Management Environment 2. Define Your Monitoring Thresholds and Accompanying Actions 3. Start Monitoring and Implement Event Management

    Phase Steps

    1.1 Set Operational and Informational Goals

    1.2 Scope Monitoring and States of Interest

    2.1 Define Conditions and Related CIs

    2.2 Set Monitoring Thresholds and Alerts

    2.3 Action Your Events

    3.1 Define Your Data Policy

    3.2 Define Future State

    Event Cookbook

    Event Catalog

    Phase Outcomes

    Monitoring and Event Management RACI

    Abbreviated BIA

    Event Workflow

    Event Management Roadmap

    Insight summary

    Event management is useless in isolation.

    The goals come from the pain points of other ITSM practices. Build handoffs to other service management practices to drive the proper action when an event is detected.

    Start with business intent.

    Trying to organize a catalog of events is difficult when working from the bottom up. Start with the business drivers of event management to keep the scope manageable.

    Keep your signal-to-noise ratio as high as possible.

    Defining tracked events with their known conditions, root cause, and associated actions allows you to be proactive when events occur.

    Improve slowly over time.

    Start small if need be. It is better and easier to track a few items with proper actions than to try to analyze events as they occur.

    More is NOT better. Avoid drowning in data.

    Even in an AI-enabled world, every event must be collected with a specific objective in mind. Defining the purpose of each tracked event will cut down on data clutter and response time when events are detected.

    Add correlations in event management to avoid false positives.

    Supplement the predictive value of a single event by aggregating it with other events.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    This is a screenshot of the Event Management Cookbook

    Event Management Cookbook
    Use the framework in the Event Management Cookbook to populate your event catalog with properly tracked and actioned events.

    This is a screenshot of the Event Management RACI

    Event Management RACI
    Define the roles and responsibilities needed in event management.

    This is a screenshot of the event management workflow

    Event Management Workflow
    Define the lifecycle and handoffs for event management.

    This is a screenshot of the Event Catalog

    Event Catalog
    Consolidate and organize your tracked events.

    This is a screenshot of the Event Roadmap

    Event Roadmap
    Roadmap your initiatives for future improvement.

    Blueprint benefits

    IT Benefits

    • Provide a mechanism to compare operating performance against design standards and SLAs.
    • Allow for early detection of incidents and escalations.
    • Promote timely actions and ensure proper communications.
    • Provide an entry point for the execution of service management activities.
    • Enable automation activity to be monitored by exception
    • Provide a basis for service assurance, reporting and service improvements.

    Business Benefits

    • Less overall downtime via earlier detection and resolution of incidents.
    • Better visibility into SLA performance for supplied services.
    • Better visibility and reporting between IT and the business.
    • Better real-time and overall understanding of the IT environment.

    Case Study

    An event management script helped one company get in front of support calls.

    INDUSTRY - Research and Advisory

    SOURCE - Anonymous Interview

    Challenge

    One staff member’s workstation had been infected with a virus that was probing the network with a wide variety of usernames and passwords, trying to find an entry point. Along with the obvious security threat, there existed the more mundane concern that workers occasionally found themselves locked out of their machine and needed to contact the service desk to regain access.

    Solution

    The system administrator wrote a script that runs hourly to see if there is a problem with an individual’s workstation. The script records the computer's name, the user involved, the reason for the password lockout, and the number of bad login attempts. If the IT technician on duty notices a greater than normal volume of bad password attempts coming from a single account, they will reach out to the account holder and inquire about potential issues.

    Results

    The IT department has successfully proactively managed two distinct but related problems: first, they have prevented several instances of unplanned work by reaching out to potential lockouts before they receive an incident report. They have also successfully leveraged event management to probe for indicators of a security threat before there is a breach.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Introduce the Cookbook and explore the business impact analysis.

    Call #4: Define operational conditions.

    Call #6: Define actions and related practices.

    Call #8: Identify and prioritize improvements.

    Call #3: Define system scope and related CIs/ dependencies.

    Call #5: Define thresholds and alerts.

    Call #7: Define data policy.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Situate Event Management in Your Service Management Environment Define Your Event Management Scope Define Thresholds and Actions Start Monitoring and Implement Event Management Next Steps and Wrap-Up (offsite)

    Activities

    1.1 3.1 Set Thresholds to Monitor

    3.2 Add Actions and Handoffs to Event Management

    Introductions

    1.2 Operational and Informational Goals and Challenges

    1.3 Event Management Scope

    1.4 Roles and Responsibilities

    2.1 Define Operational Conditions for Systems

    2.2 Define Related CIs and Dependencies

    2.3 Define Conditions for CIs

    2.4 Perform Root-Cause Analysis for Complex Condition Relationships

    2.4 Set Thresholds for CIs

    3.1 Set Thresholds to Monitor

    3.2 Add Actions and Handoffs to Event Management

    4.1 Define Your Data Policy for Event Management

    4.2 Identify Areas for Improvement and Future Steps

    4.3 Summarize Workshop

    5.1 Complete In-Progress Deliverables From Previous Four Days

    5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next Steps

    Deliverables
    1. Monitoring and Event Management RACI (as part of the Event Management Cookbook)
    2. Abbreviated BIA (as part of the Event Management Cookbook)
    3. Event Management Cookbook
    1. Event Management Catalog
    1. Event Management Catalog
    2. Event Management Workflows
    1. Event Management Catalog
    2. Event Management Roadmap
    1. Workshop Summary

    Phase 1

    Situate Event Management in Your Service Management Environment

    Phase 1 Phase 2 Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    1.1.1 List your goals and challenges

    1.1.2 Build a RACI chart for event management

    1.2.1 Set your scope using business impact

    This phase involves the following participants:

    Infrastructure management team

    IT managers

    Step 1.1

    Set Operational and Informational Goals

    Activities

    1.1.1 List your goals and challenges

    1.1.2 Build a RACI chart for event management

    Situate Event Management in Your Service Management Environment

    This step will walk you through the following activities:

    Set the overall scope of event management by defining the governing goals. You will also define who is involved in event management as well as their responsibilities.

    This step involves the following participants:

    Infrastructure management team

    IT managers

    Outcomes of this step

    Define the goals and challenges of event management as well as their data proxies.

    Have a RACI matrix to define roles and responsibilities in event management.

    Situate event management among related service management practices

    This image depicts the relationship between Event Management and related service management practices.

    Event management needs to interact with the following service management practices:

    • Incident Management – Event management can provide early detection and/or prevention of incidents.
    • Availability and Capacity Management – Event management helps detect issues with availability and capacity before they become an incident.
    • Problem Management – The data captured in event management can aid in easier detection of root causes of problems.
    • Change Management – Event management can function as the rationale behind needed changes to fix problems and incidents.

    Consider both operational and informational goals for event management

    Event management may log real-time data for operational goals and non-real time data for informational goals

    Event Management

    Operational Goals (real-time)

    Informational Goals (non-real time)

    Incident Response & Prevention

    Availability Scaling

    Availability Scaling

    Modeling and Testing

    Investigation/ Compliance

    • Knowing what the outcomes are expected to achieve helps with the design of that process.
    • A process targeted to fewer outcomes will generally be less complex, easier to adhere to, and ultimately, more successful than one targeted to many goals.
    • Iterate for improvement.

    1.1.1 List your goals and challenges

    Gather a diverse group of IT staff in a room with a whiteboard.

    Have each participant write down their top five specific outcomes they want from improved event management.

    Consolidate similar ideas.

    Prioritize the goals.

    Record these goals in your Event Management Cookbook.

    Priority Example Goals
    1 Reduce response time for incidents
    2 Improve audit compliance
    3 Improve risk analysis
    4 Improve forecasting for resource acquisition
    5 More accurate RCAs

    Input

    • Pain points

    Output

    • Prioritized list of goals and outcomes

    Materials

    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • Infrastructure management team
    • IT managers

    Download the Event Management Cookbook

    Event management is a group effort

    • Event management needs to involve multiple other service management practices and service management roles to be effective.
    • Consider the roles to the right to see how event management can fit into your environment.

    Infrastructure Team

    The infrastructure team is accountable for deciding which events to track, how to track, and how to action the events when detected.

    Service Desk

    The service desk may respond to events that are indicative of incidents. Setting a root cause for events allows for quicker troubleshooting, diagnosis, and resolution of the incident.

    Problem and Change Management

    Problem and change management may be involved with certain event alerts as the resultant action could be to investigate the root cause of the alert (problem management) or build and approve a change to resolve the problem (change management).

    1.1.2 Build a RACI chart for event management

    1. As a group, complete the RACI chart using the template to the right. RACI stands for the following:
      • Responsible. The person doing the work.
      • Accountable. The person who ensures the work is done.
      • Consulted. Two-way communication.
      • Informed. One-way communication
      • There must be one and only one accountable person for each task. There must also be at least one responsible person. Depending on the use case, RACI letters may be combined (e.g. AR means the person who ensures the work is complete but also the person doing the work).
    2. Start with defining the roles in the first row in your own environment.
    3. Look at the tasks on the first column and modify/add/subtract tasks as necessary.
    4. Populate the RACI chart as necessary.

    Download the Event Management Cookbook

    Event Management Task IT Manager SME IT Infrastructure Manager Service Desk Configuration Manager (Event Monitoring System) Change Manager Problem Manager
    Defining systems and configuration items to monitor R C AR R
    Defining states of operation R C AR C
    Defining event and event thresholds to monitor R C AR I I
    Actioning event thresholds: Log A R
    Actioning event thresholds: Monitor I R A R
    Actioning event thresholds: Submit incident/change/problem ticket R R A R R I I
    Close alert for resolved issues AR RC RC

    Step 1.2

    Scope Monitoring and Event Management Using Business Impact

    Activities

    1.2.1 Set your scope using business impact

    Situate Event Management in Your Service Management Environment

    This step will walk you through the following activities:

    • Set your scope of event management using an abbreviated business impact analysis.

    This step involves the following participants:

    • Infrastructure manager
    • IT managers

    Outcomes of this step

    • List of systems, services, and applications to monitor.

    Use the business impact of your systems to set the scope of monitoring

    Picking events to track and action is difficult. Start with your most important systems according to business impact.

    • Business impact can be determined by how costly system downtime is. This could be a financial impact ($/hour of downtime) or goodwill impact (internal/external stakeholders affected).
    • Use business impact to determine the rating of a system by Tier (Gold, Silver, or Bronze):
      • GOLD: Mission-critical services. An outage is catastrophic in terms of cost or public image/goodwill. Example: trading software at a financial institution.
      • SILVER: Important to daily operations but not mission critical. Example: email services at any large organization.
      • BRONZE: Loss of these services is an inconvenience more than anything, though they do serve a purpose and will be missed if they are never brought back online. Example: ancient fax machines.
    • Align a list of systems to track with your previously selected goals for event management to determine WHY you need to track that system. Tracking the system could inform critical SLAs (performance/uptime), vulnerability, compliance obligations, or simply system condition.

    More is not better

    Tracking too many events across too many tools could decrease your responsiveness to incidents. Start tracking only what is actionable to keep the signal-to-noise ratio of events as high as possible.

    % of Incidents Reported by End Users Before Being Recognized by IT Operations

    A bar graph is depicted. It displays the following Data: All Organizations: 40%; 1-3 Tools: 29; 4-10 Tools: 36%; data-verified=11 Tools: 52">

    Source: Riverbed, 2016

    1.2.1 Set your scope using business impact

    Collating an exhaustive list of applications and services is onerous. Start small, with a subset of systems.

    1. Gather a diverse group of IT staff and end users in a room with a whiteboard.
    2. List 10-15 systems and services. Solicit feedback from the group. Questions to ask:
      • What services do you regularly use? What do you see others using?
        (End users)
      • Which service comprises the greatest number of service calls? (IT)
      • What services are the most critical for business operations? (Everybody)
      • What is the cost of downtime (financial and goodwill) for these systems? (Business)
      • How does monitoring these systems align with your goals set in Step 1.1?
    3. Assign an importance to each of these systems from Gold (most important) to Bronze (least important).
    4. Record these systems in your Event Management Cookbook.
    Systems/Services/Applications Tier
    1 Core Infrastructure Gold
    2 Internet Access Gold
    3 Public-Facing Website Gold
    4 ERP Silver
    15 PaperSave Bronze

    Include a variety of services in your analysis

    It might be tempting to jump ahead and preselect important applications. However, even if an application is not on the top 10 list, it may have cross-dependencies that make it more valuable than originally thought.

    For a more comprehensive BIA, see Create a Right-Sized Disaster Recovery Plan
    Download the Event Management Cookbook

    Phase 2

    Define Your Monitoring Thresholds and Accompanying Actions

    Phase 1Phase 2Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    • 2.1.1 Define performance conditions
    • 2.1.2 Decompose services into Related CIs
    • 2.2.1 Verify your CI conditions with a root-cause analysis
    • 2.2.2 Set thresholds for your events
    • 2.3.1 Set actions for your thresholds
    • 2.3.2 Build your event management workflow

    This phase involves the following participants:

    • Business system owners
    • Infrastructure manager
    • IT managers

    Step 2.1

    Define Conditions and Related CIs

    Activities

    2.1.1 Define performance conditions

    2.1.2 Decompose services into related CIs

    Define Your Monitoring Thresholds and Accompanying Actions

    This step will walk you through the following activities:

    For each monitored system, define the conditions of interest and related CIs.

    This step involves the following participants:

    Business system owners

    Infrastructure manager

    IT managers

    Outcomes of this step

    List of conditions of interest and related CIs for each monitored system.

    Consider the state of the system that is of concern to you

    Events present a snapshot of the state of a system. To determine which events you want to monitor, you need to consider what system state(s) of importance.

    • Systems can be in one of three states:
      • Up
      • Down
      • Degraded
    • What do these states mean for each of your systems chosen in your BIA?
    • Up and Down are self-explanatory and a good place to start.
    • However, degraded systems are indicative that one or more component systems of an overarching system has failed. You must uncover the nature of such a failure, which requires more sophisticated monitoring.

    2.1.1 Define system states of greatest importance for each of your systems

    1. With the system business owners and compliance officers in the room, list the performance states of your systems chosen in your BIA.
    2. If you have too many systems listed, start only with the Gold Systems.
    3. Use the following proof approaches if needed:
      • Positive Proof Approach – every system when it has certain technical and business performance expectations. You can use these as a baseline.
      • Negative Proof Approach – users know when systems are not performing. Leverage incident data and end-user feedback to determine failed or degraded system states and work backwards.
    4. Focus on the end-user facing states.
    5. Record your critical system states in the Event Management Cookbook.
    6. Use these states in the next several activities and translate them into measurable infrastructure metrics.

    Input

    • Results of business impact analysis

    Output

    • Critical system states

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • Markers

    Participants

    • Infrastructure manager
    • Business system owners

    Download the Event Management Cookbook

    2.1.2 Decompose services into relevant CIs

    Define your system dependencies to help find root causes of degraded systems.

    1. For each of your systems identified in your BIA, list the relevant CIs.
    2. Identify dependencies and relationship of those CIs with other CIs (linkages and dependencies).
    3. Starting with the Up/Down conditions for your Gold systems, list the conditions of the CIs that would lead to the condition of the system. This may be a 1:1 relationship (e.g. Core Switches down = Core Infrastructure down) or a many:1 relationship (some virtualization hosts + load balancers down = Core Infrastructure down). You do not need to define specific thresholds yet. Focus on conditions for the CIs.
    4. Repeat step 3 with Degraded conditions.
    5. Repeat step 3 and 4 with Silver and Bronze systems.
    6. Record the results in the Event Management Cookbook.

    Core Infrastructure Example

    An iceberg is depicted. below the surface, are the following terms in order from shallowest to deepest: MPLS Connection, Core Switches, DNS; DHCP, AD ADFS, SAN-01; Load Balancers, Virtualization Hosts (x 12); Power and Cooling

    Download the Event Management Cookbook

    Step 2.2

    Set Monitoring Thresholds and Alerts

    Activities

    2.2.1 Verify your CI conditions with a root-cause analysis

    2.2.2 Set thresholds for your events

    Define Your Monitoring Thresholds and Accompanying Actions

    This step will walk you through the following activities:

    Set monitoring thresholds for each CI related to each condition of interest.

    This step involves the following participants:

    Business system managers

    Infrastructure manager

    IT managers

    Service desk manager

    Outcomes of this step

    List of events to track along with their root cause.

    Event management will involve a significant number of alerts

    Separate the serious from trivial to keep the signal-to-noise ratio high.

    Event Categories: Exceptions: Alarms Indicate Failure; Alerts indicate exceeded thresholds; Normal Operation. Event Alerts: Informational; Exceptional; Warning

    Set your own thresholds

    You must set your own monitoring criteria based on operational needs. Events triggering an action should be reviewed via an assessment of the potential project and associated risks.

    Consider the four general signal types to help define your tracked events

    Latency – time to respond

    Examples:

    • Web server – time to complete request
    • Network – roundtrip ping time
    • Storage – read/write queue times

    Traffic – amount of activity per unit time

    Web sever – how many pages per minute

    Network – Mbps

    Storage – I/O read/writes per sec

    Errors – internally tracked erratic behaviors

    Web Server – page load failures

    Network – packets dropped

    Storage – disk errors

    Saturation – consumption compared to theoretical maximum

    Web Server – % load

    Network – % utilization

    Storage – % full

    2.2.1 Verify your CI conditions with a root-cause analysis

    RCAs postulate why systems go down; use the RCA to inform yourself of the events leading up to the system going down.

    1. Gather a diverse group of IT staff in a room with a whiteboard.
    2. Pick a complex example of a system condition (many:1 correlation) that has considerable data associated with it (e.g. recorded events, problem tickets).
    3. Speculate on the most likely precursor conditions. For example, if a related CI fails or is degraded, which metrics would you likely see before the failure?
    4. If something failed, imagine what you’d most likely see before the failure.
    5. Extend that timeline backward as far as you can be reasonably confident.
    6. Pick a value for that event.
    7. Write out your logic flow from event recognition to occurrence.
    8. Once satisfied, program the alert and ideally test in a non-prod environment.

    Public Website Example

    Dependency CIs Tool Metrics
    ISP WAN SNMP Traps Latency
    Telemetry Packet Loss
    SNMP Pooling Jitter
    Network Performance Web Server Response Time
    Connection Stage Errors
    Web Server Web Page DOM Load Time
    Performance
    Page Load Time

    Let your CIs help you

    At the end of the day, most of us can only monitor what our systems let us. Some (like Exchange Servers) offer a crippling number of parameters to choose from. Other (like MPLS) connections are opaque black boxes giving up only the barest of information. The metrics you choose are largely governed by the art of the possible.

    Case Study

    Exhaustive RCAs proved that 54% of issues were not caused by storage.

    This is the Nimble Storage Logo

    INDUSTRY - Enterprise IT
    SOURCE - ESG, 2017

    Challenge

    Despite a laser focus on building nothing but all-flash storage arrays, Nimble continued to field a dizzying number of support calls.

    Variability and complexity across infrastructure, applications, and configurations – each customer install being ever so slightly different – meant that the problem of customer downtime seemed inescapable.

    Solution

    Nimble embedded thousands of sensors into its arrays, both at a hardware level and in the code. Thousands of sensors per array multiplied by 7,500 customers meant millions of data points per second.

    This data was then analyzed against 12,000 anonymized app-data gap-related incidents.

    Patterns began to emerge, ones that persisted across complex customer/array/configuration combinations.

    These patterns were turned into signatures, then acted on.

    Results

    54% of app-data gap related incidents were in fact related to non-storage factors! Sub-optimal configuration, bad practices, poor integration with other systems, and even VM or hosts were at the root cause of over half of reported incidents.

    Establishing that your system is working fine is more than IT best practice – by quickly eliminating potential options the right team can get working on the right system faster thus restoring the service more quickly.

    Gain an even higher SNR with event correlation

    Filtering:

    Event data determined to be of minimal predictive value is shunted aside.

    Aggregation:

    De-duplication and combination of similar events to trigger a response based on the number or value of events, rather than for individual events.

    Masking:

    Ignoring events that occur downstream of a known failed system. Relies on accurate models of system relationships.

    Triggering:

    Initiating the appropriate response. This could be simple logging, any of the exception event responses, an alert requiring human intervention, or a pre-programmed script.

    2.2.2 Set thresholds for your events

    If the event management team toggles the threshold for an alert too low (e.g. one is generated every time a CPU load reaches 60% capacity), they will generate too many false positives and create far too much work for themselves, generating alert fatigue. If they go the other direction and set their thresholds too high, there will be too many false negatives – problems will slip through and cause future disruptions.

    1. Take your list of RCAs from the previous activity and conduct an activity with the group. The goal of the exercise is to produce the predictive event values that confidently predict an imminent event.
    2. Questions to ask:
      • What are some benign signs of this incident?
      • Is there something we could have monitored that would have alerted us to this issue before an incident occurred?
      • Should anyone have noticed this problem? Who? Why? How?
      • Go through this for each of the problems identified and discuss thresholds. When complete, include the information in the Event Management Catalog.

    Public Website Example

    Dependency Metrics Threshold
    Network Performance Latency 150ms
    Packet Loss 10%
    Jitter >1ms
    Web Server Response Time 750ms
    Performance
    Connection Stage Errors 2
    Web Page Performance DOM Load time 1100ms
    Page Load time 1200ms

    Download the Event Management Cookbook

    Step 2.3

    Action Your Events

    Activities

    2.3.1 Set actions for your thresholds

    2.3.2 Build your event management workflow

    Define Your Monitoring Thresholds and Associated Actions

    This step will walk you through the following activities:

    With your list of tracked events from the previous step, build associated actions and define the handoff from event management to related practices.

    This step involves the following participants:

    Event management team

    Infrastructure team

    Change manager

    Problem manager

    Incident manager

    Outcomes of this step

    Event management workflow

    Set actions for your thresholds

    For each of your thresholds, you will need an action tied to the event.

    • Review the event alert types:
      • Informational
      • Warning
      • Exception
    • Your detected events will require one of the following actions if detected.
    • Unactioned events will lead to a poor signal-to-noise ratio of data, which ultimately leads to confusion in the detection of the event and decreased response effectiveness.

    Event Logged

    For informational alerts, log the event for future analysis.

    Automated Resolution

    For a warning or exception event or a set of events with a well-known root cause, you may have an automated resolution tied to detection.

    Human Intervention

    For warnings and exceptions, human intervention may be needed. This could include manual monitoring or a handoff to incident, change, or problem management.

    2.3.1 Set actions for your thresholds

    Alerts generated by event management are useful for many different ITSM practitioners.

    1. With the chosen thresholds at hand, analyze the alerts and determine if they require immediate action or if they can be logged for later analysis.
    2. Questions to ask:
      1. What kind of response does this event warrant?
      2. How could we improve our event management process?
      3. What event alerts would have helped us with root-cause analysis in the past?
    3. Record the results in the Event Management Catalog.

    Public Website Example

    Outcome Metrics Threshold Response (s)
    Network Performance Latency 150ms Problem Management Tag to Problem Ticket 1701
    Web Page Performance DOM Load time 1100ms Change Management

    Download the Event Management Catalog

    Input

    • List of events generated by event management

    Output

    • Action plan for various events as they occur

    Materials

    • Whiteboard/flip charts
    • Pens
    • Paper

    Participants

    • Event Management Team
    • Infrastructure Team
    • Change Manager
    • Problem Manager
    • Incident Manager

    2.3.2 Build your event management workflow

    1. As a group, discuss your high-level monitoring, alerting, and actioning processes.
    2. Define handoff processes to incident, problem, and change management. If necessary, open your incident, problem, and change workflows and discuss how the event can further pass onto those practices. Discuss the examples below:
      • Incident Management: Who is responsible for opening the incident ticket? Can the incident ticket be automated and templated?
      • Change Management: Who is responsible for opening an RFC? Who will approve the RFC? Can it be a pre-approved change?
      • Problem Management : Who is responsible for opening the problem ticket? How can the event data be useful in the problem management process?
    3. Use and modify the example workflow as needed by downloading the Event Management Workflow.

    Example Workflow:

    This is an image of an example Event Management Workflow

    Download the Event Management Workflow

    Common datapoints to capture for each event

    Data captured will help related service management practices in different ways. Consider what you will need to record for each event.

    • Think of the practice you will be handing the event to. For example, if you’re handing the event off to incident or problem management, data captured will have to help in root-cause analysis to find and execute the right solution. If you’re passing the event off to change management, you may need information to capture the rationale of the change.
    • Knowing the driver for the data can help you define the right data captured for every event.
    • Consider the data points below for your events:

    Data Fields

    Device

    Date/time

    Component

    Parameters in exception

    Type of failure

    Value

    Download the Event Management Catalog

    Start Monitoring and Implement Event Management

    Phase 1Phase 2Phase 3

    1.1 Set Operational and Informational Goals
    1.2 Scope Monitoring and Event Management Using Business Impact

    2.1 Define Conditions and Related CIs
    2.2 Set Monitoring Thresholds and Alerts
    2.3 Action Your Events

    3.1 Define Your Data Policy
    3.2 Set Your Future of Event Monitoring

    Engineer Your Event Management Process

    This phase will walk you through the following activities:

    3.1.1 Define data policy needs

    3.2.1 Build your roadmap

    This phase involves the following participants:

    Business system owners

    Infrastructure manager

    IT managers

    Step 3.1

    Define Your Data Policy

    Activities

    3.1.1 Define data policy needs

    Start Monitoring and Implement Event Management

    This step will walk you through the following activities:

    Your overall goals from Phase 1 will help define your data retention needs. Document these policy statements in a data policy.

    This step involves the following participants:

    CIO

    Infrastructure manager

    IT managers

    Service desk manager

    Outcomes of this step

    Data retention policy statements for event management

    Know the difference between logs and metrics

    Logs

    Metrics

    A log is a complete record of events from a period:

    • Structured
    • Binary
    • Plaintext
    Missing entries in logs can be just as telling as the values existing in other entries. A metric is a numeric value that gives information about a system, generally over a time series. Adjusting the time series allows different views of the data.

    Logs are generally internal constructs to a system:

    • Applications
    • DB replications
    • Firewalls
    • SaaS services

    Completeness and context make logs excellent for:

    • Auditing
    • Analytics
    • Real-time and outlier analysis
    As a time series, metrics operate predictably and consistently regardless of system activity.

    This independence makes them ideal for:

    • Alerts
    • Dashboards
    • Profiling

    Large amounts of log data can make it difficult to:

    • Store
    • Transmit
    • Sift
    • Sort

    Context insensitivity means we can apply the same metric to dissimilar systems:

    • This is especially important for blackbox systems not fully under local control.

    Understand your data requirements

    Amount of event data logged by a 1000 user enterprise averages 113GB/day

    Source: SolarWinds

    Security Logs may contain sensitive information. Best practice is to ensure logs are secure at rest and in transit. Tailor your security protocol to your compliance regulations (PCI, etc.).
    Architecture and Availability When production infrastructure goes down, logging tends to go down as well. Holes in your data stream make it much more difficult to determine root causes of incidents. An independent secondary architecture helps solve problems when your primary is offline. At the very least, system agents should be able to buffer data until the pipeline is back online.
    Performance Log data grows: organically with the rest of the enterprise and geometrically in the event of a major incident. Your infrastructure design needs to support peak loads to prevent it from being overwhelmed when you need it the most.
    Access Control Events have value for multiple process owners in your enterprise. You need to enable access but also ensure data consistency as each group performs their own analysis on the data.
    Retention Near-real time data is valuable operationally; historic data is valuable strategically. Find a balance between the two, keeping in mind your obligations under compliance frameworks (GDPR, etc.).

    3.1.1 Set your data policy for every event

    1. Given your event list in the Event Management Catalog, include the following information for each event:
      • Retention Period
      • Data Sensitivity
      • Data Rate
    2. Record the results in the Event Management Catalog.

    Public Website Example

    Metrics/Log Retention Period Data Sensitivity Data Rate
    Latency 150ms No
    Packet Loss 10% No
    Jitter >1ms No
    Response Time 750ms No
    HAProxy Log 7 days Yes 3GB/day
    DOM Load time 1100ms
    Page Load time 1200ms
    User Access 3 years Yes

    Download the Event Management Catalog

    Input

    • List of events generated by event management
    • List of compliance standards your organization adheres to

    Output

    • Data policy for every event monitored and actioned

    Materials

    • Whiteboard/flip charts
    • Pens
    • Paper

    Participants

    • Event management team
    • Infrastructure team

    Step 3.2

    Set Your Future of Event Monitoring

    Activities

    3.2.1 Build your roadmap

    Start Monitoring and Implement Event Management

    This step will walk you through the following activities:

    Event management maturity is slowly built over time. Define your future actions in a roadmap to stay on track.

    This step involves the following participants:

    CIO

    Infrastructure manager

    IT managers

    Outcomes of this step

    Event management roadmap and action items

    Practice makes perfect

    For every event that generates an alert, you want to judge the predictive power of said event.

    Engineer your event management practice to be predictive. For example:

    • Up/Down Alert – Expected Consequence: Service desk will start working on the incident ticket before a user reports that said system has gone down.
    • SysVol Capacity Alert – Expected Consequence: Change will be made to free up space on the volume prior to the system crashing.

    If the expected consequence is not observed there are three places to look:

    1. Was the alert received by the right person?
    2. Was the alert received in enough time to do something?
    3. Did the event triggering the alert have a causative relationship with the consequence?

    While impractical to look at every action resulting from an alert, a regular review process will help improve your process. Effective alerts are crafted with specific and measurable outcomes.

    Info-Tech Insight

    False positives are worse than missed positives as they undermine confidence in the entire process from stakeholders and operators. If you need a starting point, action your false positives first.

    Mind Your Event Management Errors

    Two Donut charts are depicted. The first has a slice which is labeled 7% False Positive. The Second has a slice which is labeled 33% False Negative.

    Source: IEEE Communications Magazine March 2012

    Follow the Cookbook for every event you start tracking

    Consider building event management into new, onboarded systems as well.

    You now have several core systems, their CIs, conditions, and their related events listed in the Event Catalog. Keep the Catalog as your single reference point to help manage your tracked events across multiple tools.

    The Event Management Cookbook is designed to be used over and over. Keep your tracked events standard by running through the steps in the Cookbook.

    An additional step you could take is to pull the Cookbook out for event tracking for each new system added to your IT environment. Adding events in the Catalog during application onboarding is a good way to manage and measure configuration.

    Event Management Cookbook

    This is a screenshot of the Event Management Cookbook

    Use the framework in the Event Management Cookbook to populate your event catalog with properly tracked and actioned events.

    3.2.1 Build an event management roadmap

    Increase your event management maturity over time by documenting your goals.

    Add the following in-scope goals for future improvement. Include owner, timeline, progress, and priority.

    • Add additional systems/applications/services to event management
    • Expand condition lists for given systems
    • Consolidate tracking tools for easier data analysis and actioning
    • Integrate event management with additional service management practices

    This image contains a screenshot of a sample Event Management Roadmap

    Summary of Accomplishment

    Problem Solved

    You now have a structured event management process with a start on a properly tracked and actioned event catalog. This will help you detect incidents before they become incidents, changes needed to the IT environment, and problems before they spread.

    Continue to use the Event Management Cookbook to add new monitored events to your Event Catalog. This ensures future events will be held to the same or better standard, which allows you to avoid drowning in too much data.

    Lastly, stay on track and continually mature your event management practice using your Event Management Roadmap.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    This is an example of a RACI Chart for Event Management

    Build a RACI Chart for Event Management

    Define and document the roles and responsibilities in event management.

    This is an example of a business impact chart

    Set Your Scope Using Business Impact

    Define and prioritize in-scope systems and services for event management.

    Related Info-Tech Research

    Standardize the Service Desk

    Improve customer service by driving consistency in your support approach and meeting SLAs.

    Improve Incident and Problem Management

    Don’t let persistent problems govern your department

    Harness Configuration Management Superpowers

    Build a service configuration management practice around the IT services that are most important to the organization.

    Select Bibliography

    DeMattia, Adam. “Assessing the Financial Impact of HPE InfoSight Predictive Analytics.” ESG, Softchoice, Sept. 2017. Web.

    Hale, Brad. “Estimating Log Generation for Security Information Event and Log Management.” SolarWinds, n.d. Web.

    Ho, Cheng-Yuan, et al. “Statistical Analysis of False Positives and False Negatives from Real Traffic with Intrusion Detection/Prevention Systems.” IEEE Communications Magazine, vol. 50, no. 3, 2012, pp. 146-154.

    ITIL Foundation ITIL 4 Edition = ITIL 4. The Stationery Office, 2019.

    McGillicuddy, Shamus. “EMA: Network Management Megatrends 2016.” Riverbed, April 2016. Web.

    McGillicuddy, Shamus. “Network Management Megatrends 2020.” Enterprise Management Associates, APCON, 2020. Web.

    Rivas, Genesis. “Event Management: Everything You Need to Know about This ITIL Process.” GB Advisors, 22 Feb. 2021. Web.

    “Service Operations Processes.” ITIL Version 3 Chapters, 21 May 2010. Web.

    Implement an IT Employee Development Plan

    • Buy Link or Shortcode: {j2store}592|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: 5 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Train & Develop
    • Parent Category Link: /train-and-develop
    • There is a growing gap between the competencies organizations have been focused on developing and what is needed in the future.
    • Employees have been left to drive their own development with little direction or support and without the alignment of development to organizational needs.
    • The pace of change in today’s environment demands new competencies while making others obsolete, and IT is challenged with keeping up with upskilling employees.

    Our Advice

    Critical Insight

    • Organizations position development as employee-owned, yet employees still feel like their needs aren’t being met, and many leave as a result.
    • Development needs to be employee-owned and manager-supported but also organization-informed to ensure that it meets the organization’s needs.
    • Today, operating environments change quickly, and organizations need to develop the competencies employees need both today and in the future.

    Impact and Result

    • Design employee development plans that build the competencies the organization and IT department need both today and in the future.
    • Equip managers and build program support to foster continuous learning and development.
    • Connect the right development opportunity to the right employee through an effective development planning process.

    Implement an IT Employee Development Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement effective development planning, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess employees' development needs

    Assist your employees in setting appropriate development goals.

    • Implement Effective Employee Development Planning – Phase 1: Assess Employees' Development Needs
    • IT Manager Job Aid: Employee Development
    • IT Employee Job Aid: Employee Development
    • IT Employee Career Development Workbook
    • Individual Competency Development Plan
    • IT Competency Library
    • Leadership Competencies Workbook

    2. Select appropriate activities for development

    Review existing and identify new development activities that employees can undertake to achieve their goals.

    • Implement Effective Employee Development Planning – Phase 2: Select Activities for Developing Prioritized Competencies
    • Learning Methods Catalog for IT Employees

    3. Build manager coaching skills

    Establish manager and employee follow-up accountabilities.

    • Implement Effective Employee Development Planning – Phase 3: Build Manager Coaching Skills to Support Employee Development
    • Role Play Coaching Scenarios
    [infographic]

    Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management

    • Buy Link or Shortcode: {j2store}209|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    • Moreso than at any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
    • It is increasingly likely that one of an organization's vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization.
    • Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.

    Impact and Result

    • Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts.

    Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management – Use the research to better understand the negative impacts of vendor actions to your organization

    Use this research to identify and quantify the potential risk impacts caused by vendors. Utilize Info-Tech's approach to look at the impact from various perspectives to better prepare for issues that may arise.

    • Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management Storyboard

    2. Comprehensive Risk Impact Tool – Use this tool to help identify and quantify the impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Comprehensive Risk Impact Tool
    [infographic]

    Further reading

    Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management

    Approach vendor risk impact assessments from all perspectives.

    Analyst Perspective

    Organizations must comprehensively understand the impacts vendors may cause through different potential actions.

    Frank Sewell

    The risks from the vendor market have become more prevalent as the technologies and organizational strategies shift to a global direction. With this shift in risk comes a necessary perspective change to align with the greater likelihood of an incident occurring from vendors' (or one of their downstream support vendor's) negative actions.

    Organizational leadership must become more aware of the increasing risks that engaging vendors impose. To do so, they need to make informed decisions, which can only be provided by engaging expert resources in their organizations to compile a comprehensive look at potential risk impacts.

    Frank Sewell

    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    More so than at any other time, our world is changing. As a result organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    It is increasingly likely that one of your vendors, or their n-party support vendors, will cause an incident. Organizations must protect themselves by creating better mechanisms to hold their n-party vendors accountable and validate that they comply.

    Common Obstacles

    Identifying and managing a vendor’s potential risk impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect your organization.

    Organizational leadership is often taken unaware by changes, and their plans lack the flexibility to adjust to significant regulatory upheavals.

    Info-Tech's Approach

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks with our Comprehensive Risk Impact Tool to manage potential impacts.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to changes in the global market. Ongoing monitoring and continual assessment of vendors’ risks is crucial to avoiding negative impacts.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.`

    6 components of vendor risk beyond cybersecurity.  Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    62%

    of IT professionals are more concerned about being a victim of ransomware than they were a year ago.

    Info-Tech Tech Trends Survey 2022

    82%

    of Microsoft non-essential employees shifted to working from home in 2020, joining the 18% already remote.

    Info-Tech Tech Trends Survey 2022

    89%

    of organizations invested in web conferencing technology to facilitate collaboration.

    Info-Tech Tech Trends Survey 2022

    Looking at Risk in a New Light:

    the 6 Pillars of Vendor Risk Management

    Vendor Risk

    • Financial

    • Strategic

    • Operational

    • Security

    • Reputational

    • Regulatory

    • Organizations must review their risk appetite and tolerance levels, considering their complete landscape.
    • Changing regulations, acquisitions, and events that affect global supply chains are current realities, not unlikely scenarios.
    • Prepare your vendor risk management for success using due diligence and scenario- based “What If” discussions to bring all the relevant parties to the table and educate your whole organization on risk factors.
    Assessing Financial Risk Impacts

    Strategic risks on a global scale

    Odds are at least one of these is currently affecting your strategic plans

    • Vendor Acquisitions
    • Global Pandemic
    • Global Shortages
    • Gas Prices
    • Poor Vendor Performance
    • Travel Bans
    • War
    • Natural Disasters
    • Supply Chain Disruptions
    • Security Incidents

    Make sure you have the right people at the table to identify and plan to manage impacts.

    Assess internal and external operational risk impacts

    Two sides of the same coin

    Internal

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    External

    • Cyberattacks
    • Supply Chain Issues
    • Geo-Political Disruptions
    • Vendor Acquisitions
    • N-Party Non-Compliance
    • Vendor Fraud

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

    Identify and manage security risk impacts on your organization

    Due diligence will enable successful outcomes

    • Poor vendor performance
    • Vendor acquisition
    • Supply chain disruptions and shortages
    • N-party risk
    • Third-party risk

    What your vendor associations say about you

    Reputations that affect your brand: Bad customer reviews, breach of data, poor security posture, negative news articles, public lawsuits, poor performance.

    Regulatory compliance

    Consider implementing vendor management initiatives and practices in your organization to help gain compliance with your expanding vendor landscape.

    Your organizational risks may be monitored but are your n-party vendors?

    6 components of vendor risk beyond cybersecurity.  Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

    Review your expectations with your vendors and hold them accountable

    Regulatory entities are looking beyond your organization’s internal compliance these days. Instead, they are more and more diving into your third-party and downstream relationships, particularly as awareness of downstream breaches increases globally.

    • Are you assessing your vendors regularly?
    • Are you validating those assessments?
    • Do your vendors have a map of their downstream support vendors?
    • Do they have the mechanisms to hold those downstream vendors accountable to your standards?

    Identify and manage risks

    Regulatory

    Regulatory agencies are putting more enforcement around ESG practices across the globe. As a result, organizations will need to monitor the changing regulations and validate that their vendors and n-party support vendors are adhering to these regulations or face penalties for non-compliance.

    Security-Data protection

    Data protection remains an issue. Organizations should ensure that the data their vendors obtain remains protected throughout the vendor’s lifecycle, including post-termination. Otherwise, they could be monitoring for a data breach in perpetuity.

    Mergers and acquisitions

    More prominent vendors continuously buy smaller companies to control the market in the IT industry. Organizations should put protections in their contracts to ensure that an IT vendor’s acquisition does not put them in a relationship with someone that could cause them an issue.

    Identify and manage risks

    Poor vendor performance

    Consider the impact of a vendor that fails to perform midway through the implementation. Organizations need to be able to manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after bad performance.

    Supply chain disruptions and global shortages

    Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Incorporate forecasting of product and ongoing business continuity planning into your strategic plans to adapt as events unfold.

    Poorly configured systems

    Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors is crucial to ensure they are meeting expectations in this regard.

    What to look for

    Identify potential risk impacts

    • Is there a record of complaints against the vendor from their employees or customers?
    • Is the vendor financially sound, with the resources to support your needs?
    • Has the vendor been cited for regulatory compliance issues in the past?
    • Does the vendor have a comprehensive list of their n-party vendor partners?
      • Are they willing to accept appropriate contractual protections regarding them?
    • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
    • Does the vendor operate in regions known for instability?
    • Is the vendor willing to make concessions on contractual protections, or are they only offering one-sided agreements with as-is warranties?

    Prepare your vendor risk management for success

    Due diligence will enable successful outcomes.

    1. Obtain top-level buy-in; it is critical to success.
    2. Build enterprise risk management (ERM) through incremental improvement.
    3. Focus initial efforts on the “big wins” to prove the process works.
    4. Use existing resources.
    5. Build on any risk management activities that already exist in the organization.
    6. Socialize ERM throughout the organization to gain additional buy-in.
    7. Normalize the process long term with ongoing updates and continuing education for the organization.
    8. (Adapted from COSO)

    How to assess third-party risk

    1. Review organizational risks

      Understand the organizations risks to prepare for the “What If” game exercise.
    2. Identify and understand potential risks

      Play the “What If” game with the right people at the table.
    3. Create a risk profile packet for leadership

      Pull all the information together in a presentation document.
    4. Validate the risks

      Work with leadership to ensure that the proposed risks are in line with their thoughts.
    5. Plan to manage the risks

      Lower the overall risk potential by putting mitigations in place.
    6. Communicate the plan

      It is important not only to have a plan but also to socialize it in the organization for awareness.
    7. Enact the plan

      Once the plan is finalized and socialized, put it in place with continued monitoring for success.

    Adapted from Harvard Law School Forum on Corporate Governance

    Insight summary

    Risk impacts often come from unexpected places and have significant consequences.

    Knowing who your vendors are using for their support and supply chain could be crucial in eliminating the risk of non-compliance for your organization.

    Having a plan to identify and validate the regulatory compliance of your vendors is a must for any organization to avoid penalties.

    Insight 1

    Organizations’ strategic plans need to be adaptable to avoid vendors’ negative actions causing an expedited shift in priorities.

    For example, Philips’ recall of ventilators impacted its products and the availability of its competitors’ products as demand overwhelmed the market.

    Insight 2

    Organizations often fail to understand how n-party vendors could place them in non-compliance.

    Even if you know your complete third-party vendor landscape, you may not be aware of the downstream vendors in play. Ensure that you get visibility into this space as well, and hold your direct vendors accountable for the actions of their vendors.

    Insight 3

    Organizations need to know where their data lives and ensure it is protected.

    Make sure you know which vendors are accessing/storing your data, where they are keeping it, and that you can get it back and have the vendors destroy it when the relationship is over. Without adequate protections throughout the lifecycle of the vendor, you could be monitoring for breaches in perpetuity.

    Insight summary

    Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.

    Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those managing the vendors.

    Insight 4

    Organizations need to learn how to assess the likelihood of potential risks in the rapidly changing online environments and recognize how their partnerships and subcontractors’ actions can affect their brand.

    For example, do you understand how a simple news article raises your profile for short-term and long-term adverse events?

    Insight 5

    Organizations fail to plan for vendor acquisitions appropriately.

    Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans for replacing critical vendors purchased in such a manner?

    Insight 6

    Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.

    Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?

    Identifying vendor risk

    Who should be included in the discussion?

    • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
    • Getting input from operational experts at your organization will enhance your business's long-term potential for success.
    • Involving those who directly manage vendors and understand the market will aid operational experts in determining the forward path for relationships with your current vendors and identifying emerging potential strategic partners.
    • Make sure security, risk, and compliance are all at the table. These departments all look at risk from different angles for the business and give valuable insight collectively.
    • Organizations have a wealth of experience in their marketing departments that can help identify real-world scenarios of negative actions.

    See the blueprint Build an IT Risk Management Program

    Review your risk management plans for new risks on a regular basis.

    Keep in mind Risk =
    Likelihood x Impact

    (R=L*I).

    Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent.

    Managing vendor risk impacts

    How could your vendors impact your organization?

    • Review vendors’ downstream connections to understand thoroughly who you are in business with
    • Institute continuous vendor lifecycle management
    • Develop IT risk governance and change control
    • Introduce continual risk assessment to monitor the relevant vendor markets
    • Monitor and schedule contract renewals and new service/module negotiations
    • Perform business alignment meetings to reassess relationships
    • Ensure strategic alignment in contracts
    • Review vendors’ business continuity plans and disaster recovery testing
    • Re-evaluate corporate policies frequently
    • Monitor your company’s and associated vendors’ online presence
    • Be adaptable and allow for innovations that arise from the current needs
      • Capture lessons learned from prior incidents to improve over time, and adjust your plans accordingly

    Organizations must review their risk appetite and tolerance levels, considering their complete landscape.

    Changing regulations, acquisitions, new security issues, and events that affect global supply chains are current realities, not unlikely scenarios.

    Ongoing Improvement

    Incorporating lessons learned.

    • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
    • When that happens, follow your incident response plans and act accordingly.
    • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
    • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

    Sometimes disasters occur despite our best plans to manage them.

    When this happens, it is important to document the lessons learned and improve our plans going forward.

    The "what if" game

    1-3 hours

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    1. Break into smaller groups (if too small, continue as a single group).
    2. Use the Comprehensive Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
    3. Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Comprehensive Risk Impact Tool

    Input

    • List of identified potential risk scenarios scored by impact
    • List of potential mitigations of the scenarios to reduce the risk

    Output

    • Comprehensive risk profile on the specific vendor solution

    Materials

    • Whiteboard/flip charts
    • Comprehensive Risk Impact Tool to help drive discussion

    Participants

    • Vendor Management – Coordinator
    • Organizational Leadership
    • Operations Experts (SMEs)
    • Business Process Experts
    • Legal/Compliance/Risk Manager

    High risk example from tool

    High risk example from Tool.  Shows sample questions to ask to identify impacts, their associated score, weight, and comments or notes.

    Note: Even though a few items are “scored” they have not been added to the overall weight, signaling that the company has noted but does not necessarily hold them against the vendor.

    How to mitigate:

    • Contractually insist that the vendor have a third-party security audit performed annually with the stipulation that they will not denigrate below your acceptable standards.
    • At renewal negotiate better contractual terms and protections for your organization.

    Low risk example from tool

    Low risk example from Tool.  Shows sample questions to ask to identify impacts, their associated score, weight, and comments or notes.

    Summary

    Seek to understand all potential risk impacts to better prepare your organization for success.

    • Organizations need to understand and map out their entire vendor landscape.
    • Understand where all your data lives and how you can control it throughout the vendor lifecycle.
    • Organizations need to be realistic about the likelihood of potential risks in the changing global world.
    • Those organizations that consistently follow their established risk-assessment and due-diligence processes are better positioned to avoid penalties.
    • Understand how your vendors prioritize your organization in their business continuity processes.
    • Bring the right people to the table to outline potential risks in the market and your organization.
    • Socialize the third-party vendor risk management process throughout the organization to heighten awareness and enable employees to help protect the organization.
    • Organizations need to learn how to assess the likelihood of potential risks in the changing global markets and recognize how their partnerships and subcontracts affect their brand.
    • Incorporate lessons learned from prior incidents into your risk management process to build better plans for future issues.

    Organizations must evolve their risk assessments to be more meaningful to respond to global changes in the market.

    Organizations should increase the resources dedicated to monitoring the market as regulatory agencies continue to hold them more and more accountable.

    Bibliography

    Olaganathan, Rajee. “Impact of COVID-19 on airline industry and strategic plan for its recovery with special reference to data analytics technology.” Global Journal of Engineering and Technology Advances, vol 7, no 1, 2021, pp. 033-046.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, 23 Aug. 2012.

    Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

    Weak Cybersecurity is taking a toll on Small Businesses (tripwire.com)

    SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)

    Shared Assessments Member Poll March 2021 "Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties“

    “Cybersecurity only the tip of the iceberg for third-party risk management”. Help Net Security, April 21, 2021. Accessed: 2022-07-29.

    “Third-Party Risk Management (TPRM) Managed Services”. Deloitte, 2022. Accessed: 2022-07-29.

    “The Future of TPRM: Third Party Risk Management Predictions for 2022”. OneTrust, December 20th2021. Accessed 2022-07-29.

    “Third Party Vendor definition”. Law Insider, Accessed 2022-07-29.

    “Third Party Risk”. AWAKE Security, Accessed 2022-07-29.

    Glidden, Donna. "Don't Underestimate the Need to Protect Your Brand in Publicity Clauses", Info-Tech Research Group, June 2022.

    Greenaway, Jordan. "Managing Reputation Risk: A start-to-finish guide", Transmission Private, July 2022. Accessed June 2022.

    Jagiello, Robert D, and Thomas T Hills. “Bad News Has Wings: Dread Risk Mediates Social Amplification in Risk Communication. ”Risk analysis : an official publication of the Society for Risk Analysis vol. 38,10 (2018): 2193-2207.doi:10.1111/risa.13117

    Kenton, Will. "Brand Recognition", Investopedia, August 2021. Accessed June 2022. Lischer, Brian. "How Much Does it Cost to Rebrand Your Company?", Ignyte, October 2017. Accessed June 2022.

    "Powerful Examples of How to Respond to Negative Reviews", Review Trackers, February 2022. Accessed June 2022.

    "The CEO Reputation Premium: Gaining Advantage in the Engagement Era", Weber Shadwick, March 2015. Accessed on June 2022.

    "Valuation of Trademarks: Everything You Need to Know",UpCounsel, 2022. Accessed June 2022.

    Related Info-Tech Research

    Identify and Manage Financial Risk Impacts on Your Organization

    • Vendor management practices educate organizations on potential financial impacts that vendors may incur and suggest systems to help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Strategic Risk Impacts on Your Organization

    • Vendor management practices educate organizations on potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

    Regulatory guidance and industry standards

    Data Architecture

    • Buy Link or Shortcode: {j2store}17|cart{/j2store}
    • Related Products: {j2store}17|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.5/10
    • member rating average dollars saved: $30,159
    • member rating average days saved: 5
    • Parent Category Name: Data and Business Intelligence
    • Parent Category Link: /data-and-business-intelligence
    Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice

    Identify and Manage Operational Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}230|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.
    • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

    Impact and Result

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

    Identify and Manage Operational Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Operational Risk Impacts to Your Organization Storyboard – Use this research to better understand the negative impacts of vendor actions to your brand reputation.

    Use this research to identify and quantify the potential operational impacts caused by vendors. Utilize Info-Tech's approach to look at the operational impact from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Operational Risk Impacts to Your Organization Storyboard

    2. Operational Risk Impact Tool – Use this tool to help identify and quantify the operational impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate - possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Operational Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Operational Risk Impacts on Your Organization

    Understand internal and external vendor risks to avoid potential disaster.

    Analyst perspective

    Organizations need to be aware of the operational damage vendors may cause to plan around those impacts effectively.

    Frank Sewell

    Organizations must be mindful that operational risks come from internal and external vendor sources. Missing either component in the overall risk assessment can significantly impact day-to-day business processes that cost revenue, delay projects, and lead to customer dissatisfaction.

    Frank Sewell,

    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    More than any other time, our world is changing rapidly. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

    Common Obstacles

    Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.

    Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

    Info-Tech's Approach

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to threats in the market. Ongoing monitoring of the vendors tied to company operations, and understanding where those vendors impact your operations, is imperative to avoiding disasters.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    There are many components to vendor risk, including: Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Operational risk impacts

    Potential losses to the organization due to incidents that affect operations.

    • In this blueprint we’ll explore operational risks, particularly from third-party vendors, and their impacts.
    • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to identify, manage, and monitor vendor performance.
    Operational

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    27%

    Businesses are changing their internal processes around TPRM in response to the Pandemic.

    70%

    Of organizations attribute a third-party breach to too much privileged access.

    85%

    Of breaches involved human factors (phishing, poor passwords, etc.).

    Assess internal and external operational risk impacts

    Due diligence and consistent monitoring are the keys to safeguarding your organization.

    Two sides of the Same Coin

    Internal

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    External

    • Cyberattacks
    • Supply Chain Issues
    • Geopolitical Disruptions
    • Vendor Acquisitions
    • N-Party Non-Compliance
    • Vendor Fraud

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

    - Wikipedia

    Internal operational risk

    Vendors operating within your secure perimeter can open your organization to substantial risk.

    Frequently monitor your internal process around vendor management to ensure safe operations.

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    Info-Tech Insight

    You may have solid policies, but if your employees and vendors are not following them, they will not protect the organization.

    External operational risks

    • Cyberattacks
    • Supplier issues and geopolitical instability
    • Vendor acquisitions
    • N-party vendor non-compliance

    Identify and manage operational risks

    Poorly configured systems

    Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors are crucial to ensure they are meeting expectations in this regard.

    Failure to follow processes

    Most companies have policies and procedures around IT change and configuration control, security standards, risk management, vendor performance standards, etc. While having these processes is a good start, failure to perform continuous monitoring and management of these leads to increased risks of incidents.

    Supply chain disruptions

    Awareness of the supply chain's complications, and each organization's dependencies, are increasing for everyone. However, most organizations still do not understand the chain of n-party vendors that support their specific vendors or how interruptions in their supply chains could affect them. The 2022 Toyota shutdown due to Kojima is a perfect example of how one essential parts vendor could shut down your operations.

    What to look for

    Identify operational risk impacts

    • Does the vendor have a business continuity plan they will share for your review?
    • Is the vendor operating on old hardware that may be out of warranty or at end of life?
    • Is the vendor operating on older software or shareware that may lack the necessary patches?
    • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
    • Does the vendor have sufficient personnel in acceptable regions to support your operations?
    • Is the vendor willing to make concessions on contractual protections, or are they only offering “one-sided” agreements with “as-is” warranties?

    Operational risks

    Not knowing where your risks come from creates additional risks to operations.

    • Supply chain disruptions and global shortages.
      • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Do you know where your critical vendors are getting their supplies? Are you aware of their business continuity plans to accommodate for those interruptions?
    • Poor vendor performance.
      • Organizations need to understand where vendors are acting in their operations and manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after a bad performance.
    • Vendor acquisitions.
      • A lot of acquisition is going on in the market today. Large companies are buying competitors, imposing new terms on customers, or removing competing products from the market. Understand your options if a vendor is acquired by a company with which you do not wish to be in a relationship.

    It is important to identify where potential risks to your operations may come from to manage and potentially eliminate them from impacting your organization.

    Info-Tech Insight

    Most organizations realize that their vendors could operationally affect them if an incident occurs. Still, they fail to follow the chain of events that might arise from those incidents to understand the impact fully.

    Prepare your vendor risk management for success

    Due diligence will enable successful outcomes.

    1. Obtain top-level buy-in; it is critical to success.
    2. Build enterprise risk management (ERM) through incremental improvement.
    3. Focus initial efforts on the “big wins” to prove the process works.
    4. Use existing resources.
    5. Build on any risk management activities that already exist in the organization.
    6. Socialize ERM throughout the organization to gain additional buy‑in.
    7. Normalize the process long term with ongoing updates and continuing education for the organization.

    How to assess third-party operational risk

    1. Review Organizational Operations

      Understand the organization’s operational risks to prepare for the “what if” game exercise.
    2. Identify and Understand Potential Operational Risks

      Play the “what if” game with the right people at the table.
    3. Create a Risk Profile Packet for Leadership

      Pull all the information together in a presentation document.
    4. Validate the Risks

      Work with leadership to ensure that the proposed risks are in line with their thoughts.
    5. Plan to Manage the Risks

      Lower the overall risk potential by putting mitigations in place.
    6. Communicate the Plan

      It is important not only to have a plan but also to socialize it in the organization for awareness.
    7. Enact the Plan

      Once the plan is finalized and socialized, put it in place with continued monitoring for success.

    Insight summary

    Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those who manage the vendors.

    Insight 1

    Organizations fail to plan for vendor acquisitions appropriately.

    Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans around replacing critical vendors purchased in such a manner?

    Insight 2

    Organizations often fail to understand how they factor into a vendor’s business continuity plan.

    If one of your critical vendors goes down, do you know how they intend to re-establish business? Do you know how you factor into their priorities?

    Insight 3

    Organizations need to have a comprehensive understanding of how their vendor-managed systems integrate with Operations.

    Do you understand where in the business processes vendor-supported systems lie? Do you have contingencies around disruptions that account for those pieces missing from the process?

    Identifying operational vendor risk

    Who should be included in the discussion

    • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
    • Getting input from operational experts at your organization will enhance your organization's long-term potential for success.
    • Involving those who not only directly manage vendors but also understand your business processes will aid in determining the forward path for relationships with your current vendors and identifying new emerging potential partners.

    See the blueprint Build an IT Risk Management Program

    Review your operational plans for new risks on a regular basis.

    Keep in mind Risk = Likelihood x Impact (R=L*I).

    Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent

    Managing vendor operational risk impacts

    What can we realistically do about the risks?

    • Review vendors’ business continuity plans and disaster recovery testing.
      • Understand your priority in their plans.
    • Institute proper contract lifecycle management.
      • Make sure to follow corporate due diligence and risk assessment policies and procedures.
      • Failure to do so consistently can be a recipe for disaster.
    • Develop IT governance and change control.
    • Introduce continual risk assessment to monitor the relevant vendor markets.
      • Regularly review your operational plans for new risks and evolving likelihoods.
      • Risk = Likelihood x Impact (R=L*I).
        • Impact (I) tends to remain the same and be well understood, while Likelihood (L) may often be considered 100%.
    • Be adaptable and allow for innovations that arise from the current needs.
      • Capture lessons learned from prior incidents to improve over time and adjust your plans accordingly.

    Organizations need to review their organizational risk plans, considering the placement of vendors in their operations.

    Pandemics, extreme weather, and wars that affect global supply chains are current realities, not unlikely scenarios.

    Ongoing improvement

    Incorporating lessons learned

    • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
    • When it happens, follow your incident response plans and act accordingly.
    • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
    • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

    Sometimes disasters occur despite our best plans to manage them.

    When this happens, it is important to document the lessons learned and improve our plans going forward.

    The "what if" game

    1-3 hours

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Break into smaller groups (or if too small, continue as a single group).
    • Use the Operational Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
    • Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Operational Risk Impact Tool

    Input

    • List of identified potential risk scenarios scored by likelihood and operational impact
    • List of potential management of the scenarios to reduce the risk

    Output

    • Comprehensive operational risk profile on the specific vendor solution

    Materials

    • Whiteboard/flip charts
    • Operational Risk Impact Tool to help drive discussion

    Participants

    • Vendor Management – Coordinator
    • Organizational Leadership
    • Operations Experts (SMEs)
    • Legal/Compliance/Risk Manager

    High risk example from tool

    Sample Questions to Ask to Identify Impacts. Lists questions impact score, weight, question and comments or notes.

    Being overly reliant on a single talented individual can impose risk to your operations. Make sure you include resiliency in your skill sets for critical business practices.

    Impact score and level. Each score for impacts are unique to the organization.

    Low risk example from tool

    Sample Questions to Ask to Identify Impacts. Lists questions impact score, weight, question and comments or notes. Impact score and level. Each score for impacts are unique to the organization.

    Summary

    Seek to understand all aspects of your operations.

    • Organizations need to understand and map out where vendors are critical to their operations.
    • Those organizations that consistently follow their established risk assessment and due diligence processes will be better positioned to avoid disasters.
    • Bring the right people to the table to outline potential risks in the market and your organization.
    • Understand how your vendors prioritize your organization in their business continuity processes.
    • Incorporate “lessons learned” from prior incidents into your risk management process to build better plans for future issues.

    Organizations must evolve their operational risk assessments considering their vendor portfolio.

    Ongoing monitoring of the market and the vendors tied to company operations is imperative to avoiding disaster.

    Related Info-Tech Research

    Identify and Manage Financial Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Strategic Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

    Bibliography

    “Weak Cybersecurity is taking a toll on Small Businesses.” Tripwire. August 7, 2022.

    SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)

    Member Poll March 2021 "Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties.“ Shared Assessments. March 2021.

    “Operational Risk.” Wikipedia.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, August 23, 2012.

    Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

    Annual CIO Survey Report 2024

    • Buy Link or Shortcode: {j2store}106|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    CIOs today face increasing pressures, disruptive emerging technologies, talent shortages, and a slew of other challenges. What are their top concerns, priorities, and technology bets that will define the future direction of IT?

    CIO responses to our Future of IT 2024 survey reveal key insights on spending projects, the potential disruptions causing the most concern, plans for adopting emerging technology, and how firms are responding to generative AI.

    See how CIOs are sizing up the opportunities and threats of the year ahead

    Map your organization’s response to the external environment compared to CIOs across geographies and industries. Learn:

    • The CIO view on continuing concerns such as cybersecurity.
    • Where they rate their IT department’s maturity.
    • What their biggest concerns and budget increases are.
    • How they’re approaching third-party generative AI tools.

    Annual CIO Survey Report 2024 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Future of IT Survey 2024 – A summary of key insights from the CIO responses to our Future of IT 2024 survey.

    Take the pulse of the IT industry and see how CIOs are planning to approach 2024.

    • Annual CIO Survey Report for 2024
    [infographic]

    Further reading

    Annual CIO Survey Report 2024

    An inaugural look at what's on the minds of CIOs.

    1. Firmographics

    • Region
    • Title
    • Organization Size
    • IT Budget Size
    • Industry

    Firmographics

    The majority of CIO responses came from North America. Contributors represent regions from around the world.

    Countries / Regions Response %
    United States 47.18%
    Canada 11.86%
    Australia 9.60%
    Africa 6.50%
    China 0.28%
    Germany 1.13%
    United Kingdom 5.37%
    India 1.41%
    Brazil 1.98%
    Mexico 0.56%
    Middle East 4.80%
    Asia 0.28%
    Other country in Europe 4.52%

    n=354

    Firmographics

    A typical CIO respondent held a C-level position at a small to mid-sized organization.

    Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

    Pie Chart of CIO positions

    38% of respondents are from an organization with above 1,000 employees

    Pie chart of size of organizations

    Firmographics

    A typical CIO respondent held a C-level position at a small to mid-sized organization.

    40% of CIOs report an annual budget of more than $10 million

    Pie chart of CIO annual budget

    A range of industries are represented, with 29% of respondents in the public sector or financial services

    Range of industries

    2. Key Factors

    • IT Maturity
    • Disruptive Factors
    • IT Spending Plans
    • Talent Shortage

    Two in three respondents say IT can deliver outcomes that Support or Optimize the business

    IT drives outcomes

    Most CIOs are concerned with cybersecurity disruptions, and one in four expect a budget increase of above 10%

    How likely is it that the following factors will disrupt your business in the next 12 months?

    Chart for factors that will disrupt your business

    Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

    Chart of IT spending change

    3. Adoption of Emerging Technology

    • Fastest growing tech for 2024 and beyond

    CIOs plan the most new spend on AI in 2024 and on mixed reality after 2024

    Top five technologies for new spending planned in 2024:

    1. Artificial intelligence - 35%
    2. Robotic process automation or intelligent process automation - 24%
    3. No-code/low-code platforms - 21%
    4. Data management solutions - 14%
    5. Internet of Things (IoT) - 13%

    Top five technologies for new spending planned after 2024:

    1. Mixed reality - 20%
    2. Blockchain - 19%
    3. Internet of Things (IoT) - 17%
    4. Robotics/drones - 16%
    5. Robotic process automation or intelligent process automation - 14%

    n=301

    Info-Tech Insight
    Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.

    4. Adoption of AI

    • Interest in generative AI applications
    • Tasks to be completed with AI
    • Progress in deploying AI

    CIOs are most interested in industry-specific generative AI applications or text-based

    Rate your business interest in adopting the following generative AI applications:

    Chart for interest in AI

    There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.

    n=251

    Info-Tech Insight
    Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.

    By the end of 2024, CIOs most often plan to use AI for analytics and repetitive tasks

    Most popular use cases for AI by end of 2024:

    1. Business analytics or intelligence - 69%
    2. Automate repetitive, low-level tasks - 68%
    3. Identify risks and improve security - 66%
    4. IT operations - 62%
    5. Conversational AI or virtual assistants - 57%

    Fastest growing uses cases for AI in 2024:

    1. Automate repetitive, low-level tasks - 39%
    2. IT operations - 38%
    3. Conversational AI or virtual assistants - 36%
    4. Business analytics or intelligence - 35%
    5. Identify risks and improve security - 32%

    n=218

    Info-Tech Insight
    The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

    One in three CIOs are running AI pilots or are more advanced with deployment

    How far have you progressed in the use of AI?

    Chart of progress in use of AI

    Info-Tech Insight
    Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

    5. AI Risk

    • Perceived impact of AI
    • Approach to third-party AI tools
    • AI features in business applications
    • AI governance and accountability

    Six in ten CIOs say AI will have a positive impact on their organization

    What overall impact do you expect AI to have on your organization?

    Overall impact of AI on organization

    The majority of CIOs are waiting for professional-grade generative AI tools

    Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

    Third-party generative AI

    Info-Tech Insight
    Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).

    One in three CIOs say they are accountable for AI, and the majority are exploring it cautiously

    Who in your organization is accountable for governance of AI?

    Governance of AI

    More than one-third of CIOs say no AI governance steps are in place today

    What AI governance steps does your organization have in place today?

    Chart of AI governance steps

    Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

    Chart of AI governance steps

    Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).

    6. Contribute to Info-Tech's Research Community

    • Volunteer to be interviewed
    • Attend LIVE in Las Vegas

    It's not too late; take the Future of IT online survey

    Contribute to our tech trends insights

    If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.

    Complete an interview for the Future of IT research project

    Help us chart the future course of IT

    If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.

    If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.

    LIVE 2023

    Methodology

    All data in this report is from Info-Tech's Future of IT online survey 2023 edition.

    A CIO focus for the Future of IT

    Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.

    Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.

    This data segment reflects 355 total responses with 239 completing every question on the survey.

    Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.

    Prepare Your Application for PaaS

    • Buy Link or Shortcode: {j2store}181|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • The application may have been written a long time ago, and have source code, knowledge base, or design principles misplaced or lacking, which makes it difficult to understand the design and build.
    • The development team does not have a standardized practice for assessing cloud benefits and architecture, design principles for redesigning an application, or performing capacity for planning activities.

    Our Advice

    Critical Insight

    • An infrastructure-driven cloud strategy overlooks application specific complexities. Ensure that an application portfolio strategy is a precursor to determining the business value gained from an application perspective, not just an infrastructure perspective.
    • Business value assessment must be the core of your decision to migrate and justify the development effort.
    • Right-size your application to predict future usage and minimize unplanned expenses. This ensures that you are truly benefiting from the tier costing model that vendors offer.

    Impact and Result

    • Identify and evaluate what cloud benefits your application can leverage and the business value generated as a result of migrating your application to the cloud.
    • Use Info-Tech’s approach to building a robust application that can leverage scalability, availability, and performance benefits while maintaining the functions and features that the application currently supports for the business.
    • Standardize and strengthen your performance testing practices and capacity planning activities to build a strong current state assessment.
    • Use Info-Tech’s elaboration of the 12-factor app to build a clear and robust cloud profile and target state for your application.
    • Leverage Info-Tech’s cloud requirements model to assess the impact of cloud on different requirements patterns.

    Prepare Your Application for PaaS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a right-sized, design-driven approach to moving your application to a PaaS platform, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Prepare Your Application for PaaS – Phases 1-2

    1. Create your cloud application profile

    Bring the business into the room, align your objectives for choosing certain cloud capabilities, and characterize your ideal PaaS environment as a result of your understanding of what the business is trying to achieve. Understand how to right-size your application in the cloud to maintain or improve its performance.

    • Prepare Your Application for PaaS – Phase 1: Create Your Cloud Application Profile
    • Cloud Profile Tool

    2. Evaluate design changes for your application

    Assess the application against Info-Tech’s design scorecard to evaluate the right design approach to migrating the application to PaaS. Pick the appropriate cloud path and begin the first step to migrating your app – gathering your requirements.

    • Prepare Your Application for PaaS – Phase 2: Evaluate Design Changes for Your Application
    • Cloud Design Scorecard Tool

    [infographic]

     
     

    Assess Your Readiness to Implement UCaaS

    • Buy Link or Shortcode: {j2store}305|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Voice & Video Management
    • Parent Category Link: /voice-video-management
    • Employees no longer work in the office all the time and have adopted a hybrid or remote policy.
    • Security is on your mind when it comes to the risks associated with data and voice across the internet.
    • You are unaware of the technology used by other departments, such as sales and marketing.

    Our Advice

    Critical Insight

    • The importance of doing your due diligence and building out requirements is paramount to deciding on what UCaaS solution works for you. Even if you decide not to pursue this cloud-based service, at least you have done your homework.
    • There are five reasons you should migrate to UCaaS: flexibility & scalability, productivity, enhanced security, business continuity, and cost savings. Challenge your selection with these criteria at your foundation and you cannot go wrong.

    Impact and Result

    With features such as messaging, collaboration tools, and video conferencing, UCaaS enables users to be more effective regardless of location and device. This can lead to quicker decision making and reduce communication delays.

    Assess Your Readiness to Implement UCaaS Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Readiness to Implement UCaaS Storyboard – Research that reviews the business drivers to move to a UCaaS solution.

    In addition to examining the benefits of UCaaS, this deck covers how to drive toward an RFP and convince the C-suite to champion your UCaaS strategy.

    • Assess Your Readiness to Implement UCaaS Storyboard

    2. UCaaS Readiness Questionnaire – Three sets of questions to help determine your organization's readiness to move to a UCaaS platform.

    This questionnaire is a starting point. Sections include: 1) Current State Questionnaire, 2) IT Infrastructure Readiness Questionnaire, and 3) UCaaS Vendor Questionnaire. These questions can also be added to an RFP for UCaaS vendors you may want to work with.

    • UCaaS Readiness Questionnaire
    [infographic]

    Further reading

    Assess Your Readiness to Implement UCaaS

    Unified communication as a service (UCaaS) is already here. Find the right solution for your organization, whether it is Teams Phone or another solution.

    Analyst Perspective

    UCaaS is the solution to the hybrid and remote working world

    Hybrid/remote work is a reality and there is little evidence to prove otherwise despite efforts to return employees to the office. A 2023 survey from Zippia says 74% of US companies are planning to or have implemented hybrid work policies. Given the reality of the new ways people work, there’s a genuine need for a UCaaS solution.

    The days of on-premises private branch exchange (PBX) and legacy voice over internet protocol (VoIP) solutions are numbered, and organizations are examining alternative solutions to redundant desk phones. The stalwarts of voice solutions, Cisco and Avaya, have seen the writing on the wall for some time: the new norm must be a cloud-based solution that integrates via API with content resource management (CRM), email, chat, and collaboration tools.

    Besides remaining agile when accommodating different work locations, it’s advantageous to be able to quickly scale and meet the needs of organizations and their employees. New technology is moving at such a pace that utilizing a UCaaS service is truly beneficial, especially given its AI, analytics, and mobile capabilities. Being held back by an on-premises solution that is capitalized over several years is not a wise option.

    Photo of John Donovan
    John Donovan
    Principle Research Director, I&O Practice
    Info-Tech Research Group

    Insight Summary

    Improved integration and communication in a hybrid world
    Unified communication as a service (UCaaS) integrates several tools into one platform to provide seamless voice, video, chat, collaboration, sharing and much more. The ability to work from anywhere and the ability to use application programming interfaces (APIs) to integrate content resource management (CRM) and other productivity tools into a unified environment is a key component of employee productivity, whether at the office or remote, or even on mobile devices.

    Simplify your maintenance, management, and support
    Communication and voice using a cloud provisioner has many benefits and makes life easier for your IT staff. No more ongoing maintenance, upgrades, patching and managing servers or private branch exchanges (PBXs). UCaaS is easy to deploy, and due to its scalability and flexibility, users can easily be added or removed. Now businesses can retire their legacy technical debt of voice hardware and old desk phones that clutter the office.

    Oversight on security
    The utilization of a software as a service (SaaS) platform in UCaaS form does by design risk data breaches, phishing, and third-party malware. Fortunately, you can safeguard your organization’s security by ensuring the vendor you choose features SOC2 certification, taking care of encryption, firewalls, two-factor authentication and security incident handling, and disaster recovery. The big players in the UCaaS world have these features.

    Executive Summary

    Your Challenge

    So, your legacy PBX is ready to be replaced. It has no support or maintenance contract, and you face a critical decision. You could face these challenges:

    • Employees no longer work in the office all the time and have adopted a hybrid or remote policy
    • Security risks associated with data and voice across the internet
    • Limited awareness of the technology used by some departments, such as sales and marketing

    Common Obstacles

    Businesses may worry about several obstacles when it’s time to choose a voice and collaboration solution. For example:

    • Concern over internet connectivity or disruptions
    • Uncertainty integrating systems with the platform
    • Unsure whether employees will embrace new tools/workflows that completely change how they work, collaborate, and communicate
    • Failure to perform due diligence when trying to choose the right solution for an organization

    Info-Tech’s Approach

    It’s critically important to perform due diligence and build out requirements when deciding what UCaaS solution works for you. Even if you decide not to pursue this cloud-based service, at least you will:

    • Determine your business case
    • Evaluate your roadmap for unified communication
    • Ask all the right questions to determine suitability

    In this advisory deck, you will see a set of questions you must ask including whether Teams is suitable for your business.

    Info-Tech Insight

    Determine your communication and collaboration needs. Evaluate your current use of voice, video, chat, collaboration, sharing, and mobility whether for the office or remote work. Evaluate your security and regulatory requirements and needs. Determine the integration requirements when evaluating top vendors.

    The evolution of unified communication

    How we moved from fax machines and desk phones to an integrated set of tools on one platform in the cloud

    A diagram that shows the evolution of unified communication from 1980s to 2020s.

    Business drivers for moving to UCaaS

    What organizations look to gain or save by moving to UCaaS solutions

    Flexibility and scalability
    Ability to add/remove users and services as appropriate for changing business needs, allowing for quick adaptation to changing markets.

    Productivity
    Offering features like messaging, collaboration tools, and video conferencing enables users to be more effective regardless of location and device. May lead to quicker decision making and reduced communication delays.

    Cost savings
    Eliminating the need for on-premises hardware and software, reducing maintenance and support costs. Predictable monthly billing.

    Business continuity
    Reducing risks of disruption or disaster. Allowing users to work from anywhere when the physical office is unavailable. Additional features can include disaster recovery and backup services.

    Enhanced security
    UCaaS providers usually offer advanced security and compliance features including encryption, firewall, intrusion detection, and certifications like HIPAA and SOC 2.

    KPIs to demonstrate success

    What key metrics should businesses measure to demonstrate a successful UCaaS project?
    What improvements are needed?
    What can be optimized?

    KPI Measurement
    User adoption rate
    • % of employees utilizing UCaaS solutions
    • # of users who completed UCaaS training/onboarding
    • # of calls or messages sent per user
    Call quality and reliability
    • % of calls with good to excellent quality
    • # of dropped calls or call disruption
    • Mean opinion score (MOS) for video and voice quality
    Cost savings
    • TCO for UCaaS compared to previous solution
    • Cost per month for UCaaS
    • Reduced hardware/maintenance and communication costs
    Improved productivity
    • Time saved with streamlined comms workflows
    • # of successful collaborative projects or meetings
    • Improved speed and quality for customer service or support
    Customer satisfaction
    • Net promoter score or CSAT
    • Positive customer reviews
    • Time-to-resolution of customer issues
    Scalability
    • Ability to add/remove/change user features as needed
    • Time to deploy new UCaaS features
    • Scalability of network to support increased UCaaS usage

    What are the surveys telling us?

    Different organizations adopt UCaaS solutions for different reasons

    95%

    Collaboration: No Jitter’s study on team collaboration found that 95% of survey respondents think collaborative communication apps are a necessary component of a successful communications strategy.
    Source: No Jitter, 2018.

    95%

    Security: When deploying remote communication solutions, 95% of businesses say they want to use VPN connections to keep data private.
    Source: Mitel, 2018.

    31%

    Flexibility: While there are numerous advantages to cloud-based communications, 31% of companies intend to use UCaaS to eliminate technical debt from legacy systems and processes.
    Source: Freshworks, 2019.

    UCaaS adoption

    While many organizations are widely adopting UCaaS, they still have data security concerns

    UCaaS deployments are growing

    UCaaS is growing at a rate that shows the market for UC is moving toward cloud-based voice and collaboration solutions at a rate of 29% year over year.

    Source: Synergy Research Group, 2017.

    Security is still a big concern

    While it’s increasingly popular to adopt cloud-based unified communication solutions, 70% of those companies are still concerned about their data security.

    Source: Masergy, 2022.


    Concerns around security range from encrypting conversations to controlling who has access to what data in the organization’s network to how video is managed on emerging video communications platforms.

    Info-Tech Insight

    Ensure you maintain a robust security posture with your data regardless of where it is being stored. Security breaches can happen at any location.

    UCaaS vs. on-premises UC

    A diagram that shows UCaaS benefits

    Main benefits of UCaaS

    • Rapid deployment: Cloud hosting provides the ability to deploy quickly.
    • Ease of management: It’s no longer necessary for companies to manage communications across multiple platforms and devices.
    • Better connection: The communication flow across teams and with customers is faster and easier with phone, messaging, audio and video conferencing available in one place.
    • Scalability: Since UCaaS is an on-demand service, companies can scale their communication needs to what’s immediately required at an affordable price.

    Info-Tech Insight

    There are five reasons you should migrate to UCaaS. They are advanced technology, easily scalable, cost efficiencies, highly available, and security. There are always outliers, but these five criteria are a reliable foundation when assessing a vendor/product.

    UCaaS architecture

    The 6 primary elements of UCaaS

    Unified communications as a service (UCaaS) is a cloud-based subscription service primarily for communication tools such as voice, video, messaging, collaboration, content sharing, and other cloud services over the internet. It uses VoIP to process calls.

    The popularity of UCaaS is increasing with the recent trend of users working remotely full or part-time and requiring collaboration tools for their work.

    • The main benefit to businesses is the ability to remove on-premises hardware and reduce technical debt.
    • Additionally, it removes the need for expensive up-front capital costs and reduces communications costs.
    • From a productivity perspective, delivering these services under one platform/service increases effective collaboration and allows instant communication regardless of device or location.

    A diagram that shows protocols

    Features available to UCaaS/UC

    Must-haves vs. nice-to-haves

    A diagram that shows Must-haves vs. nice-to-haves UC features

    Info-Tech Insight

    Decide what matters most to the organization when choosing the UC platform and applications. Divide criteria into must-have vs. nice-to-have categories.

    Security and UCaaS

    • Maintain company integrity
    • Enhance data security
    • Regulatory compliance
    • Reduce risk of fraud
    • Protect data for multiple devices

    What are the concerns? What is at risk?

    • DDoS attacks: Enterprise transactions are paralyzed by flooding of data across the network preventing access
    • Phishing: Users are tricked into clicking a URL and sharing an organization’s sensitive data
    • Ransomware: Malicious attack preventing the business from accessing data and demanding a ransom for access
    • Third-party malware: Software infected with a virus, trojan horse, worms, spyware, or even ransomware with malicious intent

    Security solutions in UCaaS

    End-to-end encryption is critical

    SRTP

    • Secure real-time protocol is a cryptographic protocol used to secure voice & video calls over IP networks
    • SRTP provides encryption, message authentication, and integrity protection for voice and data packets. Using advanced encryption standard (AES) reduces chance of DDoS attacks

    TLS

    • Transport layer security (TLS) is a cryptographic protocol that secures data in transit over the internet, protecting from interception and tampering

    VPNs and firewalls

    • Virtual private networks (VPNs) are used to secure and encrypt connections between remote devices and the network. UCaaS providers can use VPN to secure access from remote locations
    • Firewalls are your primary line of defense against unauthorized traffic entering or leaving the network

    SIP

    • Session initiated protocol (SIP) over TLS is used to initiate and terminate video and voice calls over the internet. UCaaS providers often use SIP over TLS to encrypt and secure SIP messages

    SSH

    • Secure shell (SSH) is a cryptographic network protocol used to secure remote access and communications over the network. SSH is often used by UCaaS providers to secure remote management and configuration of systems

    Info-Tech Insight

    Encryption is a must for securing data and voice packets across the internet. These packets can be vulnerable to eavesdropping techniques and local area network (LAN) breaches. This risk must be mitigated from end to end.

    UCaaS

    Seven vendors competing with Microsoft’s integrated suite of collaboration tools

    Zoom

    A logo of Zoom
    Best for large meetings and webinars

    Key features:

    • Virtual meetings up to 300 users, up to 1,000 with enterprise version
    • Team chat
    • Digital whiteboard
    • Phone

    RingCentral

    A logo of RingCentral
    Best for project management collaboration tools

    Key features:

    • Video conferencing up to 200 users
    • Chat
    • Voice calls
    • Video polls and captioning
    • Digital whiteboard

    Nextiva

    A logo of Nextiva
    Best for CRM support, best-in-class functionality and features

    Key features:

    • Single dashboard
    • Chat
    • Cospace collaboration tool
    • Templates
    • Voice and call pop

    GoTo Connect

    A logo of GoTo Connect
    Best for integration with other business apps

    Key features:

    • Video conferencing up to 250 participants
    • Meeting transcripts
    • Dial plan

    Dialpad

    A logo of Dialpad
    Best for small companies under 15 users

    Key features:

    • Video meetings up to 15 participants
    • AI transcripts with call summary
    • Call controls share screen, switch between devices
    • Channel conversations with calendar app

    WebEx

    A logo of WebEx
    Only vendor offering real-time translation & closed captioning

    Key features:

    • Video meetings up to 200 participants
    • Calling features with noise removal, call recording, and transcripts
    • Live polling and Q&A

    Google Workspace

    A logo of Google Workspace
    Best for whole team collaboration for docs and slides

    Key features:

    • Google meet video
    • Collaboration on docs, sheets, and slides
    • Google chat and spaces
    • Calendars with sync updates with Gmail and auto-reminders

    Avaya and Cisco

    The major players in the VoIP on-premises PBX world have moved to a cloud experience to compete with Microsoft and other UCaaS players

    Avaya offers the OneCloud UC platform. It is one of the last UC vendors to offer on-premises solutions. In a market which is moving to the cloud at a serious pace, Avaya retains a 14% share. It made a strategic partnership with RingCentral in 2019 and in February 2021 they formed a joint venture which is now called Avaya Cloud Office, a UCaaS solution that integrates Avaya’s communication and collaboration solution with the RingCentral cloud platform.

    With around 33% of the UC market, Cisco also has a selection of UC products and services for on-premises deployment and the cloud, including WebEx Calling, Jabber, Unity Connections for voice messaging, and Single Number Reach for extensive telephony features.

    Both vendors support on-premises and cloud-based solutions for UC.

    Services provided by Avaya and Cisco in the UCaaS space

    A logo of Avaya Cloud Office
    Avaya Cloud Office

    • Voice calling: Cloud-based phone system over the internet with call forwarding, call transfer, voice mail, and more
    • Video conferencing: Virtual meetings for real-time collaboration, screen sharing, virtual backgrounds, video layout, meeting recording, whiteboarding and annotation, and virtual waiting room
    • Messaging: A feature that allows users to send and receive instant messages and SMS text messaging on the same platform
    • Collaboration: Work together on documents and projects in real time. File sharing and task management
    • Contact center: Manage customer interactions across voice, email, chat, and social media
    • Mobile app: Allows users to access communication and collaboration features on smartphones and tablets

    A logo of Cisco WebEx
    Cisco WebEx

    • Voice calling: Cisco WebEx calling provides cloud-based phone system over the internet including call forwarding, transfer, and voice mail
    • Video conferencing: Features include virtual meeting and real-time collaboration, screen sharing, and virtual backgrounds and layouts, highly scalable to large audiences
    • Messaging: Features include chat and SMS
    • Collaboration: Allows users to work together on docs and projects in real time, including file sharing and task management
    • Contact center: Multiple contact center solutions offered for small, medium, and large enterprises
    • Mobile app: Software clients for Jabber on cellphones
    • Artificial intelligence: Business insights, automatic transcripts, notes, and highlights to capture the meeting

    Service desk and contact center cloud options

    INDUSTRY: All industries
    SOURCE: Software reviews

    What vendors offer and what they don’t

    RingCentral integrates with some popular contact centers such as Five 9, Talkdesk and Sharpen. They also have a built-in contact center solution that can be integrated with their messaging and video conferencing tools.

    GoToConnect integrates with several leading customer service providers including Zendesk and Salesforce Service Cloud They also offer a built-in contact center solution with advanced call routing and management features.

    WebEx integrates with a variety of contact center and customer service platforms including Five9, Genesys, and ServiceNow.

    Dialpad integrates with contact center platforms such as Talkdesk and ServiceNow as well as CRM tools such as Salesforce and HubSpot.

    Google Workspace integrates with third-party contact center platforms through their Google Cloud Contact Center AI offering.

    SoftwareReviews

    A diagram that shows some top cloud options in Software reviews

    UCaaS comparison table

    A diagram of a UCaaS comparison table
    * Some reported issues around sound and voice quality may be due to network
    **Limited to certain plans

    Differences between UCaaS and CPaaS

    UCaaS

    CPaaS

    Defined

    Unified communication as a service – a cloud-based platform providing a suite of tools like voice, video messaging, file sharing & contact center.

    Communication platform as a service – a cloud-based platform allowing developers to use APIs to integrate real-time communications into their own applications.

    Functionality

    Designed for end users accessing a suite of tools for communication and collaboration through a unified platform.

    Designed for developers to create and integrate comms features into their own applications.

    Use cases

    Replace aging on-premises PBX systems with consolidated voice and collaboration services.

    Embedded communications capabilities into existing applications through SDKs, Java, and .NET libraries.

    Cost

    Often has a higher cost depending on services provided which can be quite comprehensive.

    Can be more cost effective than UCaaS if the business only requires a few communication features Integrated into their apps.

    Customization

    Offers less customization as it provides a predefined suite of tools that are rarely customized.

    Highly flexible and customizable so developers can build and integrate to fit unique use cases.

    Vendors

    Zoom, MS Teams, Cisco WebEx, RingCentral 8x8, GoTo Meeting, Slack, Avaya & many more.

    Twilio, Vonage, Pivo, MessageBird, Nexmo, SignalWire, CloudTalk, Avaya OneCloud, Telnyx, Voximplant, and others.

    Microsoft Teams Phone

    UCaaS for Microsoft 365

    Consider your approach to the telephony question. Microsoft incorporates telephony functionality with their broader collaboration suite. Other providers do the opposite.

    Microsoft’s voice solution

    These options allow you to plan for an all-cloud solution, connect to your own carrier, or use a combination of all cloud with a third-party carrier. Caveat: Calling plans must be available in your country or region.

    How do you connect with the public switched telephone network (PSTN)?

    Microsoft has three options for connecting the phone system to the PSTN:

    Calling Plan

    • Uses Microsoft's phone system and adds a domestic and international calling plan, which enables worldwide calling but depends on your chosen license
    • Since PSTN Calling Plan operates out of Microsoft 365, you are not required to deploy/maintain on-premises hardware
    • Customers can connect a supported session border controller (SBC) via direct routing if it’s necessary to operate with third-party PBX analog devices or other voice solutions supported by the SBC
    • You can assign your phone numbers directly in the Teams Admin Center

    This plan will work for you if:

    • There is a calling plan available in your region
    • You don’t need to maintain your PSTN carrier
    • You want to use Microsoft's managed PSTN
    • No SBC is necessary in your organization
    • Teams provides all the features your business needs

    Operator Connect

    • Leverage existing contracts or find a new operator from a selection of participating operators
    • Operator-managed infrastructure, your operator manages PSTN calling services and SBC
    • Faster, easier deployment, quickly connect to your operator and assign phone numbers directly from Teams Admin Center
    • Enhanced support and reliability, operators provide technical support and shared service level agreements
    • Customers can connect a supported SBC via Direct Routing for interoperability with third-party PBXs, analog devices, and other third-party voice solution equipment supported by SBC

    This plan will work for you if:

    • There is no calling plan available in your region
    • Your preferred carrier participates in the Microsoft operator connect plan
    • You are looking to get a new operator that enables calling in Teams

    Direct Routing

    • Connect your own supported SBC to Microsoft Phone System directly without needing additional on-premises software
    • Use virtually any voice solution carrier with Microsoft Phone System
    • Can be configured and managed by customers or by your carrier or partner (ask if your carrier or partner provides this option)
    • Configure interoperability between your voice solution equipment (e.g., a third-party PBX and analog devices) and Microsoft Phone System
    • Assign phone numbers directly from Teams Admin Center

    This plan will work for you if:

    • You want to use Teams with Phone System
    • You need to retain your current PSTN carrier
    • You want to mix routing – some calls are going via Calling Plans, some via your carrier
    • You need to interoperate with third-party PBXs and/or equipment such as overhead pagers, analog devices
    • Teams has all the features that your organization requires


    For more information, go to Microsoft Teams call flows.

    Teams phone architecture

    Microsoft offers three options that can be deployed based on several factors and questions you must answer.

    Microsoft Teams phone considerations when connecting to a PSTN

    • Do you want to move on-premises users to the cloud?
    • Is Microsoft's PSTN Calling Plan available in your region?
    • Is your preferred operator a participant in the Microsoft Operator Connect Program?
    • Do you want or need to keep your current voice carrier (e.g., does an existing contract require you to do so)?
    • Do you have an existing on-premises legacy PBX that you want or need to keep?
    • Does your current legacy PBX offer unique business-critical features?
    • Do all/any of your users require features not currently offered in Phone System?

    1. Phone System with Calling Plan

    All in the cloud for Teams users
    A diagram that shows Phone System with Calling Plan.

    Infrastructure requirements:

    Requires uninterrupted connection with Microsoft 365 Yes
    Available worldwide* No
    Requires deploying and maintaining a supported session border controller (SBC) No
    Requires contract with third-party carrier No

    *List of countries where calling plans are available: aka.ms/callingplans

    2. Phone System with own carrier via operator connect

    Phone system in the cloud; connectivity to on-premises voice network for Teams users
    A diagram that shows Phone System with own carrier via operator connect

    Infrastructure requirements:

    Requires uninterrupted connection with Microsoft 365 Yes
    Available worldwide* No
    Requires deploying and maintaining a supported session border controller (SBC) No
    Requires contract with third-party carrier Yes

    *List of countries where Operator Connect is available: aka.ms/operatorconnect

    3. Phone System with own carrier via Direct Routing

    Phone system in the cloud; connectivity to on-premises voice network for Teams users
    A diagram that shows Phone System with own carrier via Direct Routing

    Infrastructure requirements:

    Requires uninterrupted connection with Microsoft 365 Yes
    Available worldwide Yes
    Requires deploying and maintaining a supported session border controller (SBC) Yes
    Requires contract with third-party carrier* Yes

    *Unless deployed as an option to provide connection to third-party PBX, analog devices, or other voice equipment for users who are on Phone System with Calling Plans


    A Metrigy study found that 70% of organizations adopting MS Teams are using direct routing to connect to the PSTN
    Note: Complex organizations with varying needs can adopt all three options simultaneously.

    Avoid overpurchasing Microsoft telephony

    Microsoft telephony products on a page

    A diagram that shows Microsoft telephony products

    Pros:

    • The complete package: sole-sourcing your environment for simpler management
    • Users familiar with Microsoft will only have one place to go for telephony
    • You can bring your own provider and manage your own routing, giving you more choice
    • This can keep costs down as you do not have to pay for calling plan services
    • You can choose your own third-party solution while still taking advantage of the integrations that make Microsoft so attractive as a vendor

    Cons:

    • The most expensive option of the three
    • Less control and limited features compared to other pure-play telephony vendors
    • This service requires expertise in managing telephony infrastructure
    • Avoiding the cloud may introduce technical debt in the long term
    • You will have to manage integrations and deal with limited feature functionality (e.g. you may be able to receive inbound calls but not make outbound calls)

    Why does it matter?

    Phone System is Microsoft’s answer to the premises-based private branch exchange (PBX) functionality that has traditionally required a large capital expenditure. The cloud-based Phone System, offered with Microsoft’s highest tier of Microsoft/Office 365 licensing, allows Skype/Teams customers access to the following features (among others):

    • PSTN telephony (inbound and outbound)
    • Auto attendants (a menu system for callers to navigate your company directory)
    • Call forwarding, voice mail, and transferring
    • Caller ID
    • Shared lines
    • Common area phones

    Phone System, especially the Teams version, is a fully-featured telephony solution that integrates natively with a popular productivity solution. Phone System is worth exploring because many organizations already have Teams licenses.

    Key insights

    1. Don’t pay twice for the same service (unless you must). If you already have M/O365 E5 customer, Teams telephony can be a great way to save money and streamline your environment.
    2. Consider your approach to the telephony question. Microsoft incorporates telephony functionality into a broader collaboration suite. Other providers do the opposite. This reflects their relative strengths.
    3. Teams is a platform. You can use it as a front end for other telephone services. This might make sense if you have a preferred cloud PBX provider.

    Sources

    “Plan your Teams voice solution,” Microsoft, 2022.

    “Microsoft Calling Plans for Teams,” Microsoft, 2023.

    “Plan Direct Routing,” Microsoft, 2023.

    “Cisco vs. Microsoft Cloud Calling—Discussing the Options,” UC Today, 2022.

    “Microsoft Teams Phone Systems: 5 Deployment Options in 2020,” AeroCom, 2020.

    Contact Center and Teams integration

    Three Teams integration options

    If you want to use a certified and direct routing solution for Teams Phone, use the Connect model.

    If you want to use Azure bots and the Microsoft Graph Communication APIs that enable solution providers to create the Teams app, use the Extend model.

    If you want to use the SDK that enables solution providers to embed native Teams experiences in their App, use the Power model (under development).

    The Connect model features

    The Extend model features

    The Power model features (TBD)

    Office 365 authN for agents to connect to their MS tenant from their integrated CCaaS client

    Team graph APIs and Cloud Communication APIs for integration with Teams

    Goal: One app, one screen contact center experience

    Use Teams to see when agents are available

    Teams-based app for agent experience Chat and collaboration experience integrated with the Teams Client

    Goal: Adapt using software development kits (SDKs)

    Transfers and groups call support for Teams

    Teams as the primary calling endpoint for the agent

    Goal: One dashboard experience

    Teams Graph APIs and Cloud communication APIs for integration with Teams

    Teams' client calling for the all the call controls. Preserve performance & quality of Teams client experience

    Multi-tenant SIP trunking to support several customers on solution provider’s SBC

    Agent experience apps for both Teams web and mobile client

    Solution providers to use Microsoft certified session border controller (SBC)

    Analytics workflow management role-based experience for agents in the CaaS app in Teams

    Teams phone network assessment

    Useful tools for Microsoft network testing and Microsoft Teams site assessment

    Plan network basics

    • Does your network infrastructure have enough capacity? Consider switch ports, wireless access points, and other coverage.
    • If you use VLANs and DHCP, are your scopes sized accordingly?
    • Evaluate and test network paths from where devices are deployed to Microsoft 365.
    • Open the required firewall ports and URLs for Microsoft 365 as per guidance.
    • Review and test E911 requirements and configuration for location accuracy and compliance.
    • Avoid using a proxy server and optimize media paths for reliability and quality.

    What internet speed do I need for Teams calls?

    • Microsoft Teams uses about 1.2 Mbps for HD video calling (720p), 1.5 Mbps for 1080p, 500 kbps for standard quality video (360p). Group video requires about 1 Mbps, HD group video uses about 2 Mbps.

    Key physical considerations

    • Power: Do you have enough electrical outlets? If the device needs an external power source, how close can you position it to an outlet?
    • Device placement: Where will your device be located? Review desk stands, wall mounts, and other accessories from the original equipment manufacturer (OEM).
    • Security: Does your device need to be locked in certain spaces?
    • Accessibility: Does the device meet the accessibility requirements of its primary user? Consider where it's placed, wire length, and handset or headset usability.

    Prepare your organization's network for Microsoft Teams

    Plan your Teams voice solution

    Check your internet connection for Teams Phone System

    Teams Phone Mobile

    UCaaS Activity

    Questions that must be addressed by your business and the vendor. Site surveys and questionnaires for your assessment

    Activity: Questionnaire

    Input: Evaluate your current state, Network readiness
    Output: Decisions on readiness, Gaps in infrastructure readiness, Develop a project plan
    Materials: UCaaS Readiness Questionnaire
    Participants: Infrastructure Manager, Project Manager, Network Engineer, Voice Engineer

    As a group, read through the questions on Tabs 1 and 2 of the UCaaS Readiness Questionnaire workbook. The answers to the questions will determine if you have gaps to fill when determining your readiness to move forward on a UCaaS solution.

    You may produce additional questions during the session that pertain to your specific business and situation. Please add them to the questionnaire as needed.

    Record your answers to determine next steps and readiness.

    When assessing potential vendors, use Tab 3 to determine suitability for your organization and requirements. This section may be left to a later date when building a request for proposal (RFP).

    Call #1: Review client advisory deck and next steps.

    Call #2: Assess readiness from answers to the Tab 1 questions.

    Download the UCaaS Readiness Questionnaire here

    Critical Path – Teams with Phone System Deployment

    A diagram that shows Critical Path – Teams with Phone System Deployment

    Example Ltd.’s Communications Guide

    A diagram that shows Example Ltd.’s Communications Guide

    [Insert Organization Name]’s Communications Guide

    A diagram that shows [Insert Organization Name]’s Communications Guide

    Related Info-Tech Research

    Photo of Modernize Communications and Collaboration Infrastructure

    Modernize Communications and Collaboration Infrastructure

    Organizations are losing productivity from managing the limitations of yesterday’s technology. The business is changing and the current communications solution no longer adequately connects end users. A new communications and collaboration infrastructure is due to replace or update the legacy infrastructure in place today.

    Photo of Establish a Communication and Collaboration System Strategy

    Establish a Communication and Collaboration System Strategy

    Communication and collaboration portfolios are overburdened with redundant and overlapping services. Between Office 365, Slack, Jabber, and WebEx, IT is supporting a collection of redundant apps. This redundancy takes a toll on IT, and on the user.

    Photo of Implement a Transformative IVR Experience That Empowers Your Customers

    Implement a Transformative IVR Experience That Empowers Your Customers

    Learn the strategies that will allow you to develop an effective interactive voice response (IVR) framework that supports self-service and improves the customer experience.

    Bibliography

    “8 Security Considerations for UCaaS.” Tech Guidance, Feb. 2022. Accessed March 2023.

    “2022 UCaaS & CCaaS market trends snapshot.” Masergy, 2022. Web.

    “All-in-one cloud communications.” Avaya, 2023. Accessed April 2023. Web.

    Carter, Rebekah. “UC Case Study in Focus: Microsoft Teams and GroupM.” UC Today, 9 May 2022. Accessed Feb. 2023.

    “Cisco Unified Communications Manager Cloud (Cisco UCM Cloud) Data Sheet.” Cisco, 15 Sept. 2021. Accessed Jan. 2023.

    “Cloud Adoption as Viewed by European Companies: Assessing the Impact on Public, Hybrid and Private Cloud Communications.” Mitel, 2018. Web.

    De Guzman, Marianne. “Unified Communications Security: The Importance of UCaaS Encryption.” Fit Small Business, 13 Dec. 2022. Accessed March 2023.

    “Evolution of Unified Communications.” TrueConf, n.d. Accessed March 2023. Web.

    Froehlich, Andrew. “Choose between Microsoft Teams vs. Zoom for conference needs.” TechTarget, 7 May 2021. Accessed March 2023.

    Gerwig, Kate. “UCaaS explained: Guide to unified communications as a service.” TechTarget, 29 March 2022. Accessed Jan. 2023.

    Irei, Alissa. “Emerging UCaaS trends include workflow integrations and AI.” TechTarget, 21 Feb 2020. Accessed Feb. 2023.

    Kuch, Mike. “What Is Unified Communications as a Service (UCaaS)?” Avaya, 27 Dec. 2022. Accessed Jan. 2023.

    Lazar, Irwin. “UC vendors extend mobile telephony capabilities.” TechTarget, 10 Feb. 2023. Accessed Mar 2023.

    McCain, Abby. "30 Essential Hybrid Work Statistics [2023]: The Future of Work." Zippia, 20 Feb. 2023. Accessed Mar 2023.

    “Meet the modern CIO: What CEOs expect from their IT leaders.” Freshworks, 2019. Web.

    “A New Era of Workplace Communications: Will You Lead or Be Left Behind.” No Jitter, 2018. Web.

    Plumley, Mike, et al. “Microsoft Teams IT architecture and voice solutions posters.’” Microsoft Teams, Microsoft, 14 Feb. 2023. Accessed March 2023.

    Rowe, Carolyn, et al. “Plan your Teams voice solution” Microsoft Learn, Microsoft, 1 Oct. 2022.

    Rowe, Carolyn, et al. “Microsoft Calling Plans for Teams.” Microsoft Learn, Microsoft, 23 May 2023.

    Rowe, Carolyn, et al. “Plan Direct Routing.” Microsoft Learn, Microsoft, 20 Feb. 2023.

    Scott, Rob. “Cisco vs. Microsoft Cloud Calling—Discussing the Options,” UC Today, 21 April 2022.

    Smith, Mike. “Microsoft Teams Phone Systems: 5 Deployment Options in 2020.” YouTube, uploaded by AeroCom Inc, 23 Oct. 2020.

    “UCaaS - Getting Started With Unified Communications As A Service.” Cloudscape, 10 Nov. 2022. Accessed March 2023.

    “UCaaS Market Accelerating 29% per year; RingCentral, 8x8, Mitel, BroadSoft and Vonage Lead.” Synergy Research Group, 16 Oct. 2017. Web.

    “UCaaS Statistics – The Future of Remote Work.” UC Today, 21 April 2022. Accessed Feb. 2023.

    “Workplace Collaboration: 2021-22.” Metrigy, 27 Jan. 2021. Web.

    Develop a Use Case for Smart Contracts

    • Buy Link or Shortcode: {j2store}92|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Organizations today continue to use traditional and often archaic methods of manual processing with physical paper documents.
    • These error-prone methods introduce cumbersome administrative work, causing businesses to struggle with payments and contract disputes.
    • The increasing scale and complexity of business processes has led to many third parties, middlemen, and paper hand-offs.
    • Companies remain bogged down by expensive and inefficient processes while losing sight of their ultimate stakeholder: the customer. A failure to focus on the customer is a failure to do business.

    Our Advice

    Critical Insight

    • Simplify, automate, secure. Smart contracts enable businesses to simplify, automate, and secure traditionally complex transactions.
    • Focus on the customer. Smart contracts provide a frictionless experience for customers by removing unnecessary middlemen and increasing the speed of transactions.
    • New business models. Smart contracts enable the redesign of your organization and business-to-business relationships and transactions.

    Impact and Result

    • Simplify and optimize your business processes by using Info-Tech’s methodology to select processes with inefficient transactions, unnecessary middlemen, and excessive manual paperwork.
    • Use Info-Tech’s template to generate a smart contract use case customized for your business.
    • Customize Info-Tech’s stakeholder presentation template to articulate the goals and benefits of the project and get buy-in from business executives.

    Develop a Use Case for Smart Contracts Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should leverage smart contracts in your business, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop a Use Case for Smart Contracts – Phases 1-2

    1. Understand smart contracts

    Understand the fundamental concepts of smart contract technology and get buy-in from stakeholders.

    • Develop a Use Case for Smart Contracts – Phase 1: Understand Smart Contracts
    • Smart Contracts Executive Buy-in Presentation Template

    2. Develop a smart contract use case

    Select a business process, create a smart contract logic diagram, and complete a smart contract use-case deliverable.

    • Develop a Use Case for Smart Contracts – Phase 2: Develop the Smart Contract Use Case
    • Smart Contracts Use-Case Template

    [infographic]

    Workshop: Develop a Use Case for Smart Contracts

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Smart Contracts

    The Purpose

    Review blockchain basics.

    Understand the fundamental concepts of smart contracts.

    Develop smart contract use-case executive buy-in presentation.

    Key Benefits Achieved

    Understanding of blockchain basics.

    Understanding the fundamentals of smart contracts.

    Development of an executive buy-in presentation.

    Activities

    1.1 Review blockchain basics.

    1.2 Understand smart contract fundamentals.

    1.3 Identify business challenges and smart contract benefits.

    1.4 Create executive buy-in presentation.

    Outputs

    Executive buy-in presentation

    2 Smart Contract Logic Diagram

    The Purpose

    Brainstorm and select a business process to develop a smart contract use case around.

    Generate a smart contract logic diagram.

    Key Benefits Achieved

    Selected a business process.

    Developed a smart contract logic diagram for the selected business process.

    Activities

    2.1 Brainstorm candidate business processes.

    2.2 Select a business process.

    2.3 Identify phases, actors, events, and transactions.

    2.4 Create the smart contract logic diagram.

    Outputs

    Smart contract logic diagram

    3 Smart Contract Use Case

    The Purpose

    Develop smart contract use-case diagrams for each business process phase.

    Complete a smart contract use-case deliverable.

    Key Benefits Achieved

    Smart contract use-case diagrams.

    Smart contract use-case deliverable.

    Activities

    3.1 Build smart contract use-case diagrams for each phase of the business process.

    3.2 Create a smart contract use-case summary diagram.

    3.3 Complete smart contract use-case deliverable.

    Outputs

    Smart contract use case

    4 Next Steps and Action Plan

    The Purpose

    Review workshop week and lessons learned.

    Develop an action plan to follow through with next steps for the project.

    Key Benefits Achieved

    Reviewed workshop week with common understanding of lessons learned.

    Completed an action plan for the project.

    Activities

    4.1 Review workshop deliverables.

    4.2 Create action plan.

    Outputs

    Smart contract action plan

     

    Create a Transparent and Defensible IT Budget

    • Buy Link or Shortcode: {j2store}291|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $29,682 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • IT struggles to gain budget approval year after year, largely driven by a few key factors:
      • For a long time, IT has been viewed as a cost center whose efficiency needs to be increasingly optimized over time. IT’s relationship to strategy is not yet understood or established in many organizations.
      • IT is one of the biggest areas of cost for many organizations. Often, executives don’t understand or even believe that all that IT spending is necessary to advance the organization’s objectives, let alone keep it up and running.

    Our Advice

    Critical Insight

    Internal and external obstacles beyond IT’s control make these challenges with gaining IT budget approval even harder to overcome:

    • Economic pressures can quickly drive IT’s budgetary focus from strategic back to tactical.
    • Corporate-driven categorizations of expenditure, plus disconnected approval mechanisms for capital vs. operational spend, hide key interdependencies and other aspects of IT’s financial reality.
    • Connecting the dots between IT activities and business benefits rarely forms a straight line.

    Impact and Result

    • CIOs need a straightforward way to create and present an approval-ready budget.
      • Info-Tech recognizes that connecting the dots to demonstrate value is key to budgetary approval.
      • Info-Tech also recognizes that key stakeholders require different perspectives on the IT budget.
      • This blueprint provides a framework, method, and templated exemplars for creating and presenting an IT budget to stakeholders that will speed up the approval process and ensure more of it is approved.

    Create a Transparent and Defensible IT Budget Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a Transparent and Defensible IT Budget Storyboard – A step-by-step guide to developing a proposed IT budget that’s sensitive to stakeholder perspectives and ready to approve.

    This deck applies Info-Tech’s proven ITFM Cost Model to the IT budgeting process and offers five phases that cover the purpose of your IT budget and what it means to your stakeholders, key budgeting resources, forecasting, selecting and fine-tuning your budget message, and delivering your IT budget executive presentation for approval.

    • Create a Transparent and Defensible IT Budget Storyboard

    2. IT Cost Forecasting and Budgeting Workbook – A structured Excel tool that allows you to forecast your IT budget for next fiscal year across four key stakeholder views, analyze it in the context of past expenditure, and generate high-impact visualizations.

    This Excel workbook offers a step-by-step approach for mapping your historical and forecasted IT expenditure and creating visualizations you can use to populate your IT budget executive presentation.

    • IT Cost Forecasting and Budgeting Workbook

    3. Sample: IT Cost Forecasting and Budgeting Workbook – A completed IT Cost Forecasting & Budgeting Workbook to review and use as an example.

    This sample workbook offers a completed example of the “IT Cost Forecasting and Budgeting Workbook” that accompanies the Create a Transparent & Defensible IT Budget blueprint.

    • Sample: IT Cost Forecasting and Budgeting Workbook

    4. IT Budget Executive Presentation – A PowerPoint template and full example for pulling together your proposed IT budget presentation.

    This presentation template offers a recommended structure for presenting your proposed IT budget for next fiscal year to your executive stakeholders for approval. 

    [infographic]

    Workshop: Create a Transparent and Defensible IT Budget

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Get into budget-starting position

    The Purpose

    Understand your IT budget in the context of your organization and key stakeholders, as well as gather your budgeting data and review previous years’ financial performance.

    Key Benefits Achieved

    Understand your organization’s budget process and culture.

    Understand your stakeholders’ priorities and perspectives regarding your IT budget.

    Gain insight into your historical IT expenditure.

    Set next fiscal year’s IT budget targets.

    Activities

    1.1 Review budget purpose. 

    1.2 Understand stakeholders and approvers.

    1.3 Gather your data.

    1.4 Map and review historical financial performance.

    1.5 Rationalize last year’s variances and set next year's budget targets.

    Outputs

    Budget process and culture assessment.

    Stakeholder alignment assessment and pre-selling strategy.

    Data prepared for next steps.

    Mapped historical expenditure.

    Next fiscal year’s budget targets.

    2 Forecast project CapEx

    The Purpose

    Develop a forecast of next fiscal year’s proposed capital IT expenditure driven by your organization’s strategic projects.

    Key Benefits Achieved

    Develop project CapEx forecast according to the four different stakeholder views of Info-Tech’s ITFM Cost Model.

    Ensure that no business projects that have IT implications (and their true costs) are missed.

    Activities

    2.1 Review the ITFM cost model

    2.2 List projects.

    2.3 Review project proposals and costs.

    2.4 Map and tally total project CapEx.

    2.5 Develop and/or confirm project-business alignment, ROI, and cost-benefit statements.

    Outputs

    Confirmed ITFM cost mdel.

    A list of projects.

    Confirmed list of project proposals and costs.

    Forecasted project-based capital expenditure mapped against the four views of the ITFM Cost Model.

    Projects financials in line.

    3 Forecast non-project CapEx and OpEx

    The Purpose

    Develop a forecast of next fiscal year’s proposed “business as usual” non-project capital and operating IT expenditure.

    Key Benefits Achieved

    Develop non-project CapEx and non-project OpEx forecasts according to the four different stakeholder views of Info-Tech’s ITFM Cost Model.

    Make “business as usual” costs fully transparent and rationalized.

    Activities

    3.1 Review non-project capital and costs. 

    3.2 Review non-project operations and costs.

    3.3 Map and tally total non-project CapEx and OpEx.

    3.4 Develop and/or confirm proposed expenditure rationales.

    Outputs

    Confirmation of non-project capital and costs.

    Confirmation of non-project operations and costs.

    Forecasted non-project-based capital expenditure and operating expenditure against the four views of the ITFM Cost Model.

    Proposed expenditure rationales.

    4 Finalize budget and develop presentation

    The Purpose

    Aggregate and sanity-check your forecasts, harden your rationales, and plan/develop the content for your IT budget executive presentation.

    Key Benefits Achieved

    Create a finalized proposed IT budget for next fiscal year that offers different views on your budget for different stakeholders.

    Select content for your IT budget executive presentation that will resonate with your stakeholders and streamline approval.

    Activities

    4.1 Aggregate forecast totals and sanity check.

    4.2 Generate graphical outputs and select content to include in presentation.

    4.3 Fine-tune rationales.

    4.4 Develop presentation and write commentary.

    Outputs

    Final proposed IT budget for next fiscal year.

    Graphic outputs selected for presentation.

    Rationales for budget.

    Content for IT Budget Executive Presentation.

    5 Next steps and wrap-up (offsite)

    The Purpose

    Finalize and polish the IT budget executive presentation.

    Key Benefits Achieved

    An approval-ready presentation that showcases your business-aligned proposed IT budget backed up with rigorous rationales.

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed IT Budget Executive Presentation.

    Review scheduled.

    Further reading

    Create a Transparent and Defensible IT Budget

    Build in approvability from the start.

    EXECUTIVE BRIEF

    Analyst Perspective

    A budget’s approvability is about transparency and rationale, not the size of the numbers.

    Jennifer Perrier.

    It’s that time of year again – budgeting. Most organizations invest a lot of time and effort in a capital project selection process, tack a few percentage points onto last year’s OpEx, do a round of trimming, and call it a day. However, if you want to improve IT financial transparency and get your business stakeholders and the CFO to see the true value of IT, you need to do more than this.

    Yourcrea IT budget is more than a once-a-year administrative exercise. It’s an opportunity to educate, create partnerships, eliminate nasty surprises, and build trust. The key to doing these things rests in offering a range of budget perspectives that engage and make sense to your stakeholders, as well as providing iron-clad rationales that tie directly to organizational objectives.

    The work of setting and managing a budget never stops – it’s a series of interactions, conversations, and decisions that happen throughout the year. If you take this approach to budgeting, you’ll greatly enhance your chances of creating and presenting a defensible annual budget that gets approved the first time around.

    Jennifer Perrier
    Principal Research Director
    IT Financial Management Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    IT struggles to gain budget approval year after year, largely driven by a few key factors:

    • For a long time, IT has been viewed as a cost center whose efficiency needs to be increasingly optimized over time. IT’s relationship to strategy is not yet understood or established in many organizations.
    • IT is one of the biggest areas of cost for many organizations. Often, executives don’t understand, or even believe, that all that IT spending is necessary to advance the organization’s objectives, let alone keep it running.

    Internal and external obstacles beyond IT’s control make these challenges even harder to overcome:

    • Economic pressures can quickly drive IT’s budgetary focus from strategic back to tactical.
    • Corporate-driven categorizations of expenditure, plus disconnected approval mechanisms for capital vs. operational spend, hide key interdependencies and other aspects of IT’s financial reality.
    • Connecting the dots between IT activities and business benefits rarely forms a straight line.

    CIOs need a straightforward way to create and present an approval-ready budget.

    • Info-Tech recognizes that connecting the dots to demonstrate value is key to budgetary approval.
    • Info-Tech also recognizes that key stakeholders require different perspectives on the IT budget.
    • This blueprint provides a framework, method, and templated exemplars for creating and presenting an IT budget to stakeholders. It will speed the approval process and ensure more of it is approved.

    Info-Tech Insight
    CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.

    IT struggles to get budgets approved due to low transparency and failure to engage

    Capability challenges

    Administrative challenges

    Operating challenges

    Visibility challenges

    Relationship challenges

    IT is seen as a cost center, not an enabler or driver of business strategy.

    IT leaders are not seen as business leaders.

    Economic pressures drive knee-jerk redirection of IT’s budgetary focus from strategic initiatives back to operational tactics.

    The vast majority of IT’s
    real-life expenditure is in the form of operating expenses i.e. keeping the lights on.

    Most business leaders don’t know how many IT resources their business units are really consuming.

    Other departments in the organization see IT as a competitor for funding, not a business partner.

    Lack of transparency

    IT and the business aren’t speaking the same language.

    IT leaders don’t have sufficient access to information about, or involvement in, business decisions and objectives.

    Outmoded finance department expenditure categorizations don’t accommodate IT’s real cost categories.

    IT absorbs unplanned spend because business leaders don’t realize or consider the impact of their decisions on IT.

    The business doesn’t understand what IT is, what it does, or what it can offer.

    IT and the business don’t have meaningful conversations about IT costs, opportunities, or investments.

    Defining and demonstrating the value of IT and its investments isn’t straightforward.

    IT leaders may not have the financial literacy or acumen needed to translate IT activities and needs into business terms.

    CapEx and OpEx approval and tracking mechanisms are handled separately when, in reality, they’re highly interdependent.

    IT activities usually have an indirect relationship with revenue, making value calculations more complicated.

    Much of IT, especially infrastructure, is invisible to the business and is only noticed if it’s not working.

    The relationship between IT spending and how it supports achievement of business objectives is not clear.

    Reflect on the numbers…

    The image contains a screenshot of five graphs. The graphs depict Cost and budget management, Cost optimization, Business value, perception of improvement, and intensity of business frustration.

    To move forward, first you need to get unstuck

    Today’s IT budgeting challenges have been growing for a long time. Overcoming these challenges means untangling yourself from the grip of the root causes.

    Principle 1:
    IT and the business are fighting diverging forces. Technology has changed monumentally, while financial management hasn’t changed much at all.

    Principle 2:
    Different stakeholders have different perspectives on your IT budget. Learn and acknowledge what’s important to them so that you can potentially deliver it.

    Principle 3:
    Connecting the dots to clearly demonstrate IT’s value to the organization is the key to budgetary approval. But those connected dots don’t always result in a straight line.

    The three principles above are all about IT’s changing relationship to the business. IT leaders need a systematic and repeatable approach to budgeting that addresses these principles by:

    • Clearly illustrating the alignment between the IT budget and business objectives.
    • Showing stakeholders the overall value that IT investment will bring them.
    • Demonstrating where IT is already realizing efficiencies and economies of scale.
    • Gaining consensus on the IT budget from all parties affected by it.

    “The culture of the organization will drive your success with IT financial management.”

    – Dave Kish, Practice Lead, IT Financial Management Practice, Info-Tech Research Group

    Info-Tech’s approach

    CIOs need a straightforward way to convince approval-granting CFOs, CEOs, boards, and committees to spend money on IT to advance the organization’s strategies.

    IT budget approval cycle

    The image contains a screenshot of the IT budget approval cycle.

    The Info-Tech difference:

    This blueprint provides a framework, method, and templated exemplars for building and presenting your IT budget to different stakeholders. These will speed the approval process and ensure that a higher percentage of your proposed spend is approved.

    Info-Tech’s methodology for how to create a transparent and defensible it budget

    1. Lay Your Foundation

    2. Get Into Budget-Starting Position

    3. Develop Your Forecasts

    4. Build Your Proposed Budget

    5. Create and Deliver Your Budget Presentation

    Phase steps

    1. Understand budget purpose
    2. Know your stakeholders
    3. Continuously pre-sell your budget
    1. Gather your data
    2. Review historical performance
    3. Set budget goals
    1. Develop alternate scenarios
    2. Develop project CapEx forecasts
    3. Develop non-project CapEx and OpEx forecasts
    1. Aggregate your forecasts
    2. Stress-test your forecasts
    3. Challenge and perfect your rationales
    1. Plan your presentation content
    2. Build your budget presentation
    3. Present, finalize, and submit your budget

    Phase outcomes

    An understanding of your stakeholders and what your IT budget means to them.

    Information and goals for planning next fiscal year’s IT budget.

    Completed forecasts for project and non-project CapEx and OpEx.

    A final IT budget for proposal including scenario-based alternatives.

    An IT budget presentation.

    Insight summary

    Overarching insight: Create a transparent and defensible IT budget

    CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.

    Phase 1 insight: Lay your foundation

    IT needs to step back and look at it’s budget-creation process by first understanding exactly what a budget is intended to do and learning what the IT budget means to IT’s various business stakeholders.

    Phase 2 Insight: Get into budget-starting position

    Presenting your proposed IT budget in the context of past IT expenditure demonstrates a pattern of spend behavior that is fundamental to next year’s expenditure rationale.

    Phase 3 insight: Develop your forecasts

    Forecasting costs according to a range of views, including CapEx vs. OpEx and project vs. non-project, and then positioning it according to different stakeholder perspectives, is key to creating a transparent budget.

    Phase 4 insight: Build your proposed budget

    Fine-tuning and hardening the rationales behind every aspect of your proposed budget is one of the most important steps for facilitating the budgetary approval process and increasing the amount of your budget that is ultimately approved.

    Phase 5 insight: Create and deliver your budget presentation

    Selecting the right content to present to your various stakeholders at the right level of granularity ensures that they see their priorities reflected in IT’s budget, driving their interest and engagement in IT financial concerns.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Cost Forecasting and Budgeting Workbook

    This Excel tool allows you to capture and work through all elements of your IT forecasting from the perspective of multiple key stakeholders and generates compelling visuals to choose from to populate your final executive presentation.

    The image contains a screenshot of the IT Cost Forecasting and Budgeting Workbook.

    Also download this completed sample:

    Sample: IT Cost Forecasting and Budgeting Workbook

    Key deliverable

    IT Budget Executive Presentation Template

    Phase 5: Create a focused presentation for your proposed IT budget that will engage your audience and facilitate approval.

    The image contains a screenshot of the IT Budget Executive Presentation Template.

    Blueprint benefits

    IT benefits

    Business benefits

    • Improve IT’s overall financial management capability.
    • Streamline the administration of annual IT budget development.
    • Legitimize the true purpose and value of IT operations and associated expenditure.
    • Create visibility on the part of both IT and the business into IT’s mandate, what needs to be in place, and what it costs to fund it.
    • Foster better relationships with business stakeholders by demonstrating IT’s business and financial competency, working in partnership with business leaders on IT investment decisions, and building mutual trust.
    • Better understand the different types of expenditure occurring in IT, including project CapEx, non-project CapEx, and non-project OpEx.
    • Gain insight into the relationship between one-time CapEx on ongoing OpEx and its ramifications.
    • See business priorities and concerns clearly reflected in IT’s budget down to the business-unit level.
    • Receive thorough return on investment calculations and cost-benefit analyses for all aspects of IT expenditure.
    • Understand the direct relationship between IT expenditure and the depth, breadth, and quality of IT service delivery to the business.

    Measure the value of this blueprint

    Ease budgetary approval and improve its accuracy.

    Near-term goals

    • Percentage of budget approved: Target 95%
    • Percentage of IT-driven projects approved: Target 100%
    • Number of iterations/re-drafts required to proposed budget: One iteration

    Long-term goal

    • Variance in budget vs. actuals: Actuals less than budget and within 2%

    In Phases 1 and 2 of this blueprint, we will help you understand what your approvers are looking for and gather the right data and information.

    In Phase 3, we will help you forecast your IT costs it terms of four stakeholder views so you can craft a more meaningful IT budget narrative.

    In Phases 4 and 5, we will help you build a targeted presentation for your proposed IT budget.

    Value you will receive:

    1. Increased forecast accuracy through using a sound cost-forecasting methodology.
    2. Improved budget accuracy by applying more thorough and transparent techniques.
    3. Increased budget transparency and completeness by soliciting input earlier and validating budgeting information.
    4. Stronger alignment between IT and enterprise goals through building a better understanding of the business values and using language they understand.
    5. A more compelling budget presentation by offering targeted, engaging, and rationalized information.
    6. A faster budgeting rework process by addressing business stakeholder concerns the first time.

    An analogy…

    “A budget isn’t like a horse and cart – you can’t get in front of it or behind it like that. It’s more like a river…

    When developing an annual budget, you have a good idea of what the OpEx will be – last year’s with an annual bump. You know what that boat is like and if the river can handle it.

    But sometimes you want to float bigger boats, like capital projects. But these boats don’t start at the same place at the same time. Some are full of holes. And does your river even have the capacity to handle a boat of that size?

    Some organizations force project charters by a certain date and only these are included in the following year’s budget. The project doesn’t start until 8-12 months later and the charter goes stale. The river just can’t float all these boats! It’s a failed model. You have to have a great governance processes and clear prioritization so that you can dynamically approve and get boats on the river throughout the year.”

    – Mark Roman, Managing Partner, Executive Services,
    Info-Tech Research Group and Former Higher Education CIO

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1: Lay Your Foundation

    Phase 2: Get Into Budget-Starting Position

    Phase 3: Develop Your Forecasts

    Phase 4: Build Your Proposed Budget

    Phase 5: Create and Deliver Your Budget Presentation

    Call #1: Discuss the IT budget, processes, and stakeholders in the context of your unique organization.

    Call #2: Review data requirements for transparent budgeting.

    Call #3: Set budget goals and process improvement metrics.

    Call #4: Review project CapEx forecasts.

    Call #5: Review non-project CapEx and OpEx forecasts.

    Call #6: Review proposed budget logic and rationales.

    Call #7: Identify presentation inclusions and exclusions.

    Call #8: Review final budget presentation.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Get into budget-starting position

    Forecast project CapEx

    Forecast non-project CapEx and OpEx

    Finalize budget and develop presentation

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Review budget purpose.

    1.2 Understand stakeholders and approvers.

    1.3 Gather your data.

    1.4 Map and review historical financial performance.

    1.5 Rationalize last year’s variances.

    1.5 Set next year’s budget targets.

    2.1 Review the ITFM Cost Model.

    2.2 List projects.

    2.3 Review project proposals and costs.

    2.4 Map and tally total project CapEx.

    2.5 Develop and/or confirm project-business alignment, ROI, and cost-benefit statements.

    3.1 Review non-project capital and costs.

    3.2 Review non-project operations and costs.

    3.3 Map and tally total non-project CapEx and OpEx.

    3.4 Develop and/or confirm proposed expenditure rationales.

    4.1 Aggregate forecast totals and sanity check.

    4.2 Generate graphical outputs and select content to include in presentation.

    4.3 Fine-tune rationales.

    4.4 Develop presentation and write commentary.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Budget process and culture assessment.
    2. Stakeholder alignment assessment and pre-selling strategy.
    3. Mapped historical expenditure.
    4. Next fiscal year’s budget targets.
    1. Forecasted project-based capital expenditure mapped against the four views of the ITFM Cost Model.
    1. Forecasted non-project-based capital expenditure and operating expenditure against the four views of the ITFM Cost Model.
    1. Final proposed IT budget for next fiscal year.
    2. Plan and build content for IT Budget Executive Presentation.
    1. Completed IT Budget Executive Presentation.

    Phase 1

    Lay Your Foundation

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Seeing your budget as a living governance tool
    • Understanding the point of view of different stakeholders
    • Gaining tactics for setting future IT spend expectations

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Lay Your Foundation

    Before starting any process, you need to understand exactly why you’re doing it.

    This phase is about understanding the what, why, and who of your IT budget.

    • Understand what your budget is and does. A budget isn’t just an annual administrative event – it’s an important governance tool. Understand exactly what a budget is and your budgetary accountabilities as an IT leader.
    • Know your stakeholders. The CFO, CEO, and CXOs in your organization have their own priorities, interests, and professional mandates. Get to know what their objectives are and what IT’s budget means to them.
    • Continuously pre-sell your budget. Identifying, creating, and capitalizing on opportunities to discuss your budget well in advance of its formal presentation will get influential stakeholders and approvers on side, foster collaborations, and avoid unpleasant surprises on all fronts.

    “IT finance is more than budgeting. It’s about building trust and credibility in where we’re spending money, how we’re spending money. It’s about relationships. It’s about financial responsibility, financial accountability. I rely on my entire leadership team to all understand what their spend is. We are a steward of other people’s money.”

    – Rick Hopfer, CIO, Hawaii Medical Service Association

    What does your budget actually do?

    A budget is not just a painful administrative exercise that you go through once a year.

    Most people know what a budget is, but it’s important to understand its true purpose and how it’s used in your organization before you engage in any activity or dialogue about it.

    In strictly objective terms:

    • A budget is a calculated estimate of income vs. expenditure for a period in the future, often one year. Basically, it’s an educated guess about how much money will come into a business entity or unit and how much money will go out of it.
    • A balanced budget is where income and expenditure amounts are equal.
    • The goal in most organizations is for the income component of the budget to match or exceed the expenditure component.
      If it doesn’t, this results in a deficit that may lead to debt.

    Simply put, a budget’s fundamental purpose is to plan and communicate how an organization will avoid deficit and debt and remain financially viable while meeting its various accountabilities and responsibilities to its internal and external stakeholders.

    “CFOs are not thinking that they want to shut down IT spend. Nobody wants to do that. I always looked at things in terms of revenue streams – where the cash inflow is coming from, where it’s going to, and if I can align my cash outflows to my revenue stream. Where I always got suspicious as a CFO is if somebody can’t articulate spending in terms of a revenue stream. I think that’s how most CFOs operate.”

    – Carol Carr, Technical Counselor,
    Info-Tech Research Group and Former CFO

    Put your IT budget in context

    Your IT budget is just one of several budgets across your organization that, when combined, create an organization-wide budget. In this context, IT’s in a tough spot.

    It’s a competition: The various units in your organization are competing for the biggest piece they can get of the limited projected income pie. It’s a zero-sum game. The organization’s strategic and operational priorities will determine how this projected income is divvied up.

    Direct-to-revenue units win: Business units that directly generate revenue often get bigger relative percentages of the organizational budget since they’re integral to bringing in the projected income part of the budget that allows the expenditure across all business units to happen in the first place.

    Indirect-to-revenue units lose: Unlike sales units, for example, IT’s relationship to projected income tends to be indirect, which means that IT must connect a lot more dots to illustrate its positive impact on projected income generation.

    In financial jargon, IT really is a cost center: This indirect relationship to revenue also explains why the focus of IT budget conversations is usually on the expenditure side of the equation, meaning it doesn’t have a clear positive impact on income.

    Contextual metrics like IT spend as a percentage of revenue, IT OpEx as a percentage of organizational OpEx, and IT spend per organizational employee are important baseline metrics to track around your budget, internally benchmark over time, and share, in order to illustrate exactly where IT fits into the broader organizational picture.

    Budgeting isn’t a once-a-year thing

    Yet, many organizations treat it like a “one and done” point of annual administration. This is a mistake that misses out on the real benefits of budgeting.

    Many organizations have an annual budgeting and planning event that takes place during the back half of the fiscal year. This is where all formal documentation around planned projects and proposed spend for the upcoming year is consolidated, culminating in final presentation, adjustment, and approval. It’s basically a consolidation and ranking of organization-wide priorities at the highest level.

    If things are running well, this culmination point in the overall budget development and management process is just a formality, not the beginning, middle, and end of the real work. Ideally:

    • Budgets are actually used: The whole organization uses budgets as tools to actively manage day-to-day operations and guide decision making throughout the year in alignment with priorities as opposed to something that’s put on a shelf or becomes obsolete within a few months.
    • Interdependencies are evident: No discrete area of spend focus is an island – it’s connected directly or indirectly with other areas of spend, both within IT and across the organization. For example, one server interacts with multiple business applications, IT and business processes, multiple IT staff, and even vendors or external managed service providers. Cost-related decisions about that one server – maintain, repurpose, consolidate, replace, discard – will drive other areas of spend up or down.
    • There are no surprises: While this does happen, your budget presentation isn’t a great time to bring up a new point of significant spend for the first time. The items in next year’s proposed budget should be priorities that are already known, vetted, supported, and funded.

    "A well developed and presented budget should be the numeric manifestation of your IT strategy that’s well communicated and understood by your peers. When done right, budgets should merely affirm what’s already been understood and should get approved with minimal pushback.“

    – Patrick Gray, TechRepublic, 2020

    Understand your budgetary responsibilities as the IT leader

    It’s in your job description. For some stakeholders, it’s the most important part of it.

    While not a contract per se, your IT budget is an objective and transparent statement made in good faith that shows:

    • You know what it takes to keep the organization viable.
    • You understand the organization’s accountabilities and responsibilities as well as those of its leaders.
    • You’re willing and able to do your part to meet these accountabilities and responsibilities.
    • You know what your part of this equation is, as well as what parts should and must be played by others.

    When it comes to your budget (and all things financial), your job is to be ethical, careful, and wise:

    1. Be honest. Business ethics matter.
    2. Be as accurate as possible. Your expenditure predictions won’t be perfect, but they need to be best-effort and defensible.
    3. Respect the other players. They have their own roles, motivations, and mandates. Accept and respect these by being a supporter of their success instead of an obstacle to them achieving it.
    4. Connect the dots to income. Always keep the demonstration of business value in your sights. Often, IT can’t draw a straight line to income, but demonstrating how IT expenditure supports and benefits future, current, and past (but still relevant) business goals and strategies, which in turn affect income, is the best course.
    5. Provide alternatives. There are only so many financial levers your organization can pull. An action on one lever will have wanted and unwanted consequences on another. Aim to put financial discussions in terms of risk-focused “what if” stories and let your business partners decide if those risks are satisfactory.

    Budgeting processes tend to be similar – it’s budgeting cultures that drive differences

    The basic rules of good budgeting are the same everywhere. Bad budgeting processes, however, are usually caused by cultural factors and can be changed.

    What’s the same everywhere…

    What’s unchangeable…

    What’s changeable…

    For right or wrong, most budgeting processes follow these general steps:

    There are usually only three things about an organization’s budgeting process that are untouchable and can’t be changed:

    Budgeting processes are rarely questioned. It never occurs to most people to challenge this system, even if it doesn’t work. Who wants to challenge the CFO? No one.

    Review your organization’s budgeting culture to discover the negotiable and non-negotiable constraints. Specifically, look at these potentially-negotiable factors if they’re obstacles to IT budgeting success:

    1. Capital project vetting and selection for the next fiscal year starts three-to-six months before the end of the current fiscal year.
    2. Operational expenditure, including salaries, is looked at later with much less formality and scrutiny with an aim to cut.
    3. Each business unit does a budget presentation and makes directed amendments (usually trimming).
    4. The approved budget numbers are plugged into a standard, sub-optimal budget template provided by Finance.
    1. The legal and regulatory mandates that govern financial funding, accounting, and reporting practices. These are often specific to industries and spend types.
    2. The accounting rules your organization follows, such as GAAP, or IFRS. These too may be legally mandated for government entities and publicly-traded companies.
    3. Hard limits on the projected available income the CFO has to distribute.
    • Timeframes and deadlines
    • Order of operations
    • Areas of focus (CapEx vs. OpEx)
    • Funding sources and ownership
    • Review/approval mechanisms
    • Templates and tools

    1.1 Review your budgeting process and culture

    1 hour

    1. Review the following components of your budget process using the questions provided for each as a guideline.
      1. Legal and regulatory mandates. What are the external rules that govern how we do financial tracking and reporting? How do they manifest in our processes?
      2. Accounting rules used. What rules does our finance department use and why? Do these rules allow for more meaningful representations of IT spend? Are there policies or practices in place that don’t appear to be backed by any external standards?
      3. Timeframes and deadlines. Are we starting the budgeting process too late? Do we have enough time to do proper due diligence? Will expenditures approved now be out of date when we go to execute? Are there mechanisms to update spend plans mid-cycle?
      4. Order of operations. What areas of spend do we always look at first, such as CapEx? Are there any benefits to changing the order in which we do things, such as examining OpEx first?
      5. Areas of focus. Is CapEx taking up most of our budgeting cycle time? Are we spending enough time examining OpEx? Is IT getting enough time from the CFO compared to other units?
      6. Funding sources and ownership. Is IT footing most of the technology bills? Are business unit leaders fronting any technology business case pitches? Is IT appropriately included in business case development? Is there any benefit to implementing show-back or charge-back?
      7. Review/approval mechanisms. Are strategies and priorities used to rank proposed spend clear and well communicated? Are spend approvers objective in their decision making? Do different approvers apply the same standards and tools?
      8. Templates and tools. Are the ones provided by Finance, the PMO, and other groups sufficient to document what we need to document? Are they accessible and easy to use? Are they automated and integrated so we only have to enter data once?
    2. On the slide following these activity instructions, rate how effective each of the above is on a scale of 1-10 (where 10 is very effective) in supporting the budgeting process. Note specific areas of challenge and opportunity for change.

    1.1 Review your budgeting process and culture

    Input Output Materials Participants
    • Organizational knowledge of typical budgeting processes
    • Copies of budgeting policies, procedures, and tools
    • Rated assessment of your organization’s budget process and culture, as well as major areas of challenge and opportunity for change
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Budget process and culture assessment

    Document the outcomes of your assessment. Examples are provided below.

    Budgeting area of assessment

    Rating

    1 = very ineffective

    10 = very effective

    Challenges

    Opportunities for change

    Legal and regulatory mandates

    7

    Significant regulation but compliance steps not clear or supported within departments.

    Create, communicate, and train management on compliance procedures and align the financial management tools accordingly.

    Accounting rules

    6

    IT not very familiar with them.

    Learn more about them and their provisions to see if IT spend can be better represented.

    Timeframes and deadlines

    5

    Finalize capital project plans for next fiscal four months before end of current fiscal.

    Explore flexible funding models that allow changes to budget closer to project execution.

    Order of operations

    3

    Setting CapEx before OpEx leads to paring of necessary OpEx based on CapEx commitments.

    Establish OpEx first as a baseline and then top up to target budget with CapEx.

    Areas of focus

    6

    Lack of focus on OpEx means incremental budgeting – we don’t know what’s in there.

    Perform zero-based budgeting on OpEx every few years to re-rationalize this spend.

    Funding sources and ownership

    4

    IT absorbing unplanned mid-cycle spend due to impact of unknown business actions.

    Implement a show-back mechanism to change behavior or as precursor to limited charge-back.

    Review/approval mechanisms

    8

    CFO is fair and objective with information presented but could demand more evidence.

    Improve business sponsorship/fronting of new initiative business cases and IT partnership.

    Templates and tools

    2

    Finance budget template largely irrelevant and unreflective of IT: only two relevant categories.

    Adjust account buckets over a period of time, starting with SW/HW and cloud breakouts.

    Receptive audiences make communication a lot easier

    To successfully communicate anything, you need to be heard and understood.

    The key to being heard and understood is first to hear and understand the perspective of the people with whom you’re trying to communicate – your stakeholders. This means asking some questions:

    • What context are they operating in?
    • What are their goals and responsibilities?
    • What are their pressures and stresses?
    • How do they deal with novelty and uncertainty?
    • How do they best take in information and learn?

    The next step of this blueprint shows the perspectives of IT’s key stakeholders and how they’re best able to absorb and accept the important information contained in your IT budget. You will:

    • Learn a process for discovering these stakeholders’ IT budget information needs within the context of your organization’s industry, goals, culture, organizational structure, personalities, opportunities, and constraints.
    • Document key objectives and messages when communicating with these various key stakeholders.

    There are certain principles, mandates, and priorities that drive your stakeholders; they’ll want to see these reflected in you, your work, and your budget.

    Your IT budget means different things to different stakeholders

    Info-Tech’s ITFM Cost Model lays out what matters most from various points of view.

    The image contains a screenshot of Info-Tech's ITFM Cost Model.

    The CFO: Understand their role

    The CFO is the first person that comes to mind in dealing with budgets. They’re personally and professionally on the line if anything runs amiss with the corporate purse.

    What are the CFO’s role and responsibilities?

    • Tracking cash flow and balancing income with expenditures.
    • Ensuring fiscal reporting and legal/regulatory compliance.
    • Working with the CEO to ensure financial-strategic alignment.
    • Working with business unit heads to set aligned budgets.
    • Seeing the big picture.

    What’s important to the CFO?

    • Costs
    • Benefits
    • Value
    • Analysis
    • Compliance
    • Risk Management
    • Strategic alignment
    • Control
    • Efficiency
    • Effectiveness
    • Reason
    • Rationale
    • Clarity
    • Objectivity
    • Return on investment

    “Often, the CFO sees IT requests as overhead rather than a need. And they hate increasing overhead.”

    – Larry Clark, Executive Counselor, Info-Tech Research Group and Former CIO

    The CFO carries big responsibilities focused on mitigating organizational risks. It’s not their job to be generous or flexible when so much is at stake. While the CEO appears higher on the organizational chart than the CFO, in many ways the CFO’s accountabilities and responsibilities are on par with, and in some cases greater than, those of the CEO.

    The CFO: What they want from the IT budget

    What they need should look familiar, so do your homework and be an open book.

    Your CFO’s IT budget to-do list:

    Remember to:

    • A review of the previous year financial performance. This demonstrates to the CFO your awareness, savvy, and overall competence in the financial management realm. This is also your opportunity to start laying out the real-life context within which IT has been operating. Information to show includes:
      • Budget vs. actuals, including an overview of factors that led to major variances.
      • Percentage difference in proposed budget versus previous year’s budget, and major contributing factors to those differences (i.e. unanticipated projects, changes, or events).
    • Presentation of information according to Finance’s existing categories. This makes it as easy as possible for them to plug your numbers into their system.
    • Separate views of overall workforce vs. overall vendor spending. This is a traditional view.
    • Separate views of capital expenditure (CapEx) and operating expenditure (OpEx). This also includes information on expected lifespan of proposed new capital assets to inform depreciation/amortization decisions.
    • Explanation of anticipated sources of funding. Specifically, indicate whether the funding required is a brand-new net increase or a reallocation from the existing pool.
    • Details (upon request). Have these available for every aspect of your proposed budget.
    • Avoid being flashy. Exclude proposed expenditures with a lot of bells and whistles that don’t directly tie to concrete business objectives.
    • Be a conservationist. Show how you plan to re-use or extend assets that you already have.
    • Act like a business leader. Demonstrate your understanding of near-term (12-month) realities, priorities, and goals.
    • Think like them. Present reliable and defensible calculations of benefits versus risks as well as projected ROI for major areas of new or different spending.

    The CFO: Budget challenges and opportunities

    Budget season is a great time to start changing the conversation and building trust.

    Potential challenges

    Low trust

    Poor financial literacy and historical sloppiness among business unit leaders means that a CFO may come into budget conversations with skepticism. This can put them on the offensive and put you on the defensive. You have to prove yourself.

    Competition

    You’re not the only department the CFO is dealing with. Everyone is competing for their piece of the pie, and some business unit leaders are persistent. A good CFO will stay out of the politics and not be swayed by sweet talk, but it can be an exhausting experience for them.

    Mismatched buckets

    IT’s spend classes and categories probably won’t match what’s in Finance’s budget template or general ledger. Annual budgeting isn’t the best time to bring this up. Respect Finance’s categories, but plan to tackle permanent changes at a less busy time.

    Potential opportunities

    Build confidence

    Engaging in the budgeting process is your best chance to demonstrate your knowledge about the business and your financial acumen. The more that the CFO sees that you get it and are taking it seriously, the more confidence and trust they’ll have in you.

    Educate

    The CFO will not know as much as you about the role technology could and should play in the organization. Introduce new language around technology focused on capabilities and benefits. This will start to shift the conversation away from costs and toward value.

    Initiate alignment

    An important governance objective is to change the way IT expenditure is categorized and tracked to better reveal and understand what’s really happening. This process should be done gradually over time, but definitely communicate what you want to do and why.

    The CXO: Understand their role

    CXOs are a diverse group who lead a range of business functions including admin, operations, HR, legal, production, sales and service, and marketing, to name a few.

    What are the CXO’s role and responsibilities?

    Like you, the CXO’s job is to help the organization realize its goals and objectives. How each CXO does this is specific to the domain they lead. Variations in roles and responsibilities typically revolve around:

    • Law and regulation. Some functions have compliance as a core mandate, including legal, HR, finance, and corporate risk groups.
    • Finance and efficiency. Other functions prioritize time, money, and process such as finance, sales, customer service, marketing, production, operations, and logistics units.
    • Quality. These functions prioritize consistency, reliability, relationship, and brand such as production, customer service, and marketing.

    What’s important to the CXO?

    • Staffing
    • Skills
    • Reporting
    • Funding
    • Planning
    • Performance
    • Predictability
    • Customers
    • Visibility
    • Inclusion
    • Collaboration
    • Reliability
    • Information
    • Knowledge
    • Acknowledgement

    Disagreement is common between business-function leaders – they have different primary focus areas, and conflict and misalignment are natural by-products of that fact. It’s also hard to make someone care as much about your priorities as you do. Focus your efforts on sharing and partnering, not converting.

    The CXO: What they want from the IT budget

    Focus on their unique part of the organization and show that you see them.

    Your CXO’s IT budget to-do list:

    Remember to:

    • A review of the previous year’s IT expenditure on the business function. This includes:
      • Budget vs. actuals (if available) for the business function, and overview of any situations or factors that led to major variances.
      • Percentage difference in proposed budget for that business function vs. the previous year’s spend, and major contributing factors to those differences, i.e. unanticipated projects, changes, or events.
      • Last year’s IT expenditure per business function employee vs. proposed IT expenditure per business function employee (if available). This is a good metric to use going forward as it’s a fair comparative internal benchmark.
    • Separate views of proposed IT workforce vs. proposed IT vendor spending for the business function. Do a specific breakout of proposed expenditure for the major applications that business unit explicitly uses.
    • Separate views of proposed IT capital expenditure (CapEx) and proposed IT operating expenditure (OpEx) for the business function. Show breakdowns for each capital project,
      as well as summaries for their core applications and portion of shared IT services.
    • Celebrate any collaborative wins from last year. You want to reinforce that working together is in both of your best interests and you’d like to keep it going.
    • Get to the apps fast. Apps are visible, concrete, and relatable – this is what the CXO cares about. Core IT infrastructure, on the other hand, is technobabble about something that’s invisible, boring, and disengaging for most CXOs.
    • Focus on the business function’s actual technology needs and consumption. Show them where they stand in relation to others. This will get their attention and serve as an opportunity to provide some education.

    The CXO: Budget challenges and opportunities

    Seek out your common ground and be the solution for their real problems.

    Potential challenges

    Different priorities

    Other business unit leaders will have bigger concerns than your IT budget. They have their own budget to figure out plus other in-flight issues. The head of sales, for instance, is going to be more concerned with hitting sales goals for this fiscal year than planning for next.

    Perceived irrelevance

    Some business unit leaders may be completely unaware of how they use IT, how much they use, and how they could use it more or differently to improve their performance. They may have a learning curve to tackle before they can start to see your relationship as collaborative.

    Bad track record

    If a business unit has had friction with IT in the past or has historically been underserved, they may be hesitant to let you in, may be married to their own solutions, or perhaps do not know how to express what they need.

    Potential opportunities

    Start collaborating

    You and other business unit leaders have a lot in common. You all share the objective of helping the organization succeed. Focus in on your shared concerns and how you can make progress on them together before digging into your unique challenges.

    Practice perspective taking

    Be genuinely curious about the business unit, how it works, and how they overcome obstacles. See the organization from their point of view. For now, keep your technologies completely out of the discussion – that will come later on.

    Build relationships

    You only need to solve one problem for a business unit to change how they think of you. Just one. Find that one thing that will make a real difference – ideally small but impactful – and work it into your budget.

    The CEO: Understand their role

    A CEO sets the tone for an organization, from its overall direction and priorities to its values and culture. What’s possible and what’s not is usually determined by them.

    What are the CEO’s role and responsibilities?

    • Assemble an effective team of executives and advisors.
    • Establish, communicate, and exemplify the organizations core values.
    • Study the ecosystem within which the organization exists.
    • Identify and evaluate opportunities.
    • Set long-term directions, priorities, goals, and strategies.
    • Ensure ongoing organizational performance, profitability, and growth.
    • Connect the inside organization to the outside world.
    • Make the big decisions no one else can make.

    What’s important to the CEO?

    • Strategy
    • Leadership
    • Vision
    • Values
    • Goals
    • Priorities
    • Performance
    • Metrics
    • Accountability
    • Stakeholders
    • Results
    • Insight
    • Growth
    • Cohesion
    • Context

    Unlike the CFO and CXOs, the CEO is responsible for seeing the big picture. That means they’re operating in the realm of big problems and big ideas – they need to stay out of the weeds. IT is just one piece of that big picture, and your problems and ideas are sometimes small in comparison. Use any time you get with them wisely.

    The CEO: What they want from the IT budget

    The CEO wants what the CFO wants, but at a higher level and with longer-term vision.

    Your CEO’s IT budget to-do list:

    Remember to:

    • A review of the previous year’s financial performance. In addition to last year’s budget vs. actuals vs. proposed budget and any rationales for variances, the CEO’s interest is in seeing numbers in terms of strategic delivery. Focus on performance against last year’s goals and concrete benefits realized.
    • A review of initiatives undertaken to optimize/reduce operating costs. Note overall gains with a specific look at initiatives that had a substantial positive financial impact.
    • A specific summary of the cost landscape for new strategic or capital projects. Ideally, these projects have already been committed to at the executive level. A more fine-tuned analysis of anticipated costs and variables may be required, including high-level projects with long-term impact on operational expenditure. Categorize these expenditures as investments in innovation, growth, or keeping the lights on.
    • Details (upon request). Have these available for every aspect of your proposed budget.
    • Be brief. Hopefully, the CEO is already well versed on the strategic spend plans. Stay high-level, reserve the deep dive for your documentation, and let the CEO decide if they want to hash anything out in more detail.
    • Be strategic. If you can’t tie it to a strategic objective, don’t showcase it.
    • Use performance language. This means citing goals, metrics, and progress made against them.
    • Ensure the CFO can translate. You may not get a direct audience with the CEO – the CFO may be your proxy for that. Ensure that everything is crystal clear so that the CFO can summarize your budget on your behalf.

    The CEO: Budget challenges and opportunities

    Strategically address the big issues, but don’t count on their direct assistance.

    Potential challenges

    Lack of interest

    Your CEO may just not be enthusiastic about technology. For them, IT is strictly a cost center operating on the margins. If they don’t have a strategic vision that includes technology, IT’s budget will always be about efficiency and cost control and not investment.

    Deep hierarchy

    The executive-level CIO role isn’t yet pervasive in every industry. There may be one or more non-IT senior management layers between IT and the office of the CEO, as well as other bureaucratic hurdles, which prohibit your direct access.

    Uncertainty

    What’s happening on the outside will affect what needs to be done on the inside. The CEO has to assess and respond quickly, changing priorities and plans in an instant. An indecisive CEO that’s built an inflexible organization will make it difficult to pivot as needed.

    Potential opportunities

    Grow competency

    Sometimes, IT just needs to wait it out. The biggest shifts in technology interest often come with an outright change in the organization’s leadership. In the meantime, fine-tune your operational excellence, brush up on business skills, and draft out your best ideas on paper.

    Build partnerships

    Other business-function executives may need to be IT’s voice. Investment proposals may be more compelling coming from them anyway. Behind-the-scenes partnerships and high-profile champions are something you want regardless of your degree of CEO access.

    Bake in resilience

    Regardless of who’s at the helm, systematic investment in agile and flexible solutions that can be readily scaled, decoupled, redeployed, or decommissioned is a good strategy. Use recent crises to help make the strategic case for a more resilient posture.

    What about the CIO view on the IT budget?

    IT leaders tend to approach budgeting from an IT services perspective. After all, that’s how their departments are typically organized.

    The CFO expense view, CXO business view, and CEO innovation view represent IT’s stakeholders. The CIO service view, however, represents you, the IT budget creator. This means that the CIO service view plays a slightly different role in developing your IT budget communications.

    An IT team effort…

    A logical starting point

    A supporting view

    Most budget drafts start with internal IT management discussion. These managers are differentially responsible for apps dev and maintenance, service desk and user support, networks and data center, security, data and analytics, and so forth.

    These common organizational units and their managers tend to represent discrete IT service verticals. This means the CIO service view is a natural structural starting point for your budget-building process. Stakeholder views of your budget will be derived from this first view.

    You probably don’t want to lead your budget presentation with IT’s perspective – it won’t make sense to your stakeholders. Instead, select certain impactful pieces of your view to drop in where they provide valued information and augment the IT budget story.

    Things to bring forward…

    Things to hold back…

    • All major application costs
    • Security/compliance costs
    • Strategic project costs
    • End-user support and enablement costs
    • Data and BI initiative costs
    • Minor applications costs
    • Day-to-day network and data center costs
    • Other infrastructure costs
    • IT management and administration costs

    1.2 Assess your stakeholders

    1 hour

    1. Use the “Stakeholder alignment assessment” template slide following this one to document the outcomes of this activity.
    2. As an IT management team, identify your key budget stakeholders and specifically those in an approval position.
    3. Use the information provided in this blueprint about various stakeholder responsibilities, areas of focus, and what’s typically important to them to determine each key stakeholder’s needs regarding the information contained in your IT budget. Note their stated needs, any idiosyncrasies, and IT’s current relationship status with the stakeholder (positive, neutral, or negative).
    4. Assess previous years’ IT budgets to determine how well they targeted each different stakeholder’s needs. Note any gaps or areas for future improvement.
    5. Develop a high-level list of items or elements to stop, start, or continue during your next budgeting cycle.
    Input Output
    • Organizational awareness of key stakeholders and budget approvers
    • Previous years’ budgets
    • Assessment of key stakeholder needs and a list of potential changes or additions to the IT budget/budget process
    Materials Participants
    • Whiteboard/flip charts
    • Stakeholder alignment assessment template (following slide)
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Stakeholder alignment assessment

    Document the outcomes of your assessment below. Examples are provided below.

    Stakeholder

    Relationship status

    Understanding of needs

    Budget changes/additions

    CFO

    Positive

    Wants at least 30% of budget to be CapEx. Needs more detail concerning benefits and tracking of realization.

    Do more detailed breakouts of CapEx vs. OpEx as 30% CapEx not realistic – pre-meet. Talk to Enterprise PMO about improving project benefits statement template.

    VP of Sales

    Negative

    Only concerned with hitting sales targets. Needs to respond/act quickly based on reliable data.

    Break out sales consumption of IT resources in detail focusing on CRM and SFA tool costs. Propose business intelligence enhancement project.

    Director of Marketing

    Neutral

    Multiple manual processes – would benefit from increased automation of campaign management and social media posting.

    Break out marketing consumption of IT resources and publicly share/compare to generate awareness/support for tech investment. Work together to build ROI statements

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    Set your IT budget pre-selling strategy

    Pre-selling is all about ongoing communication with your stakeholders. This is the most game-changing thing you can do to advance a proposed IT budget’s success.

    When IT works well, nobody notices. When it doesn’t, the persistent criticism about IT not delivering value will pop up, translating directly into less funding. Cut this off at the pass with an ongoing communications strategy based on facts, transparency, and perspective taking.

    1. Know your channels
    2. Identify all the communication channels you can leverage including meetings, committees, reporting cycles, and bulletins. Set up new channels if they don’t exist.

    3. Identify partners
    4. Nothing’s better than having a team of supporters when pitch day comes. Quietly get them on board early and be direct about the role each of you will play.

    5. Always be prepared
    6. Have information and materials about proposed initiatives at-the-ready. You never know when you’ll get your chance. But if your facts are still fuzzy, do more homework first.

    7. Don’t be annoying
    8. Talking about IT all the time will turn people off. Plan chats that don’t mention IT at all. Ask questions about their world and really listen. Empathy’s a powerful tool.

    9. Communicate IT initiatives at launch
    10. Describe what you will be doing and how it will benefit the business in language that makes sense to the beneficiaries of the initiative.

    11. Communicate IT successes
    12. Carry the same narrative forward through to the end and tell the whole story. Include comments from stakeholders and beneficiaries about the value they’re receiving.

    Pre-selling with partners

    The thing with pre-selling to partners is not to take a selling approach. Take a collaborative approach instead.

    A partner is an influencer, advocate, or beneficiary of the expenditure or investment you’re proposing. Partners can:

    • Advise you on real business impacts.
    • Voice their support for your funding request.
    • Present the initial business case for funding approval themselves.
    • Agree to fund all or part of an initiative from their own budget.

    When partners agree to pitch or fund an initiative, IT can lose control of it. Make sure you set specific expectations about what IT will help with or do on an ongoing basis, such as:

    • Calculating the upfront and ongoing technology maintenance/support costs of the initiative.
    • Leading the technology vetting and selection process, including negotiating with vendors, setting service-level agreements, and finalizing contracts.
    • Implementing selected technologies and training users.
    • Maintaining and managing the technology, including usage metering.
    • Making sure the bills get paid.

    A collaborative approach tends to result in a higher level of commitment than a selling approach.

    Put yourself in their shoes using their language. Asking “How will this affect you?” focuses on what’s in it for them.

    Example:

    CIO: “We’re thinking of investing in technology that marketing can use to automate posting content to social media. Is that something you could use?”

    CMO: “Yes, we currently pay two employees to post on Facebook and Twitter, so if it could make that more efficient, then there would be cost savings there.”

    Pre-selling with approvers

    The key here is to avoid surprises and ensure the big questions are answered well in advance of decision day.

    An approver is the CFO, CEO, board, council, or committee that formally commits funding support to a program or initiative. Approvers can:

    • Point out factors that could derail realization of intended benefits.
    • Know that a formal request is coming and factor it into their planning.
    • Connect your idea with others to create synergies and efficiencies.
    • Become active advocates.

    When approvers cool to an idea, it’s hard to warm them up again. Gradually socializing an idea well in advance of the formal pitch gives you the chance to isolate and address those cooling factors while they’re still minor. Things you can address if you get an early start with future approvers include:

    • Identify and prepare for administrative, regulatory, or bureaucratic hurdles.
    • Incorporate approvers’ insights about organizational realities and context.
    • Further reduce the technical jargon in your language.
    • Fine tune the relevance and specificity of your business benefits statements.
    • Get a better sense of the most compelling elements to focus on.

    Blindsiding approvers with a major request at a budget presentation could trigger an emotional response, not the rational and objective one you want.

    Make approvers part of the solution by soliciting their advice and setting their expectations well in advance.

    Example:

    CIO: “The underwriting team and I think there’s a way to cut new policyholder approval turnaround from 8 to 10 days down to 3 or 4 using an online intake form. Do you see any obstacles?”

    CFO: “How do the agents feel about it? They submit to underwriting differently and might not want to change. They’d all need to agree on it. Exactly how does this impact sales?”

    1.3 Set your budget pre-selling strategy

    1 hour

    1. Use the “Stakeholder pre-selling strategy” template slide following this instruction slide to document the outcomes of this activity.
    2. Carry forward your previously-generated stakeholder alignment assessment from Step 1.2. As a management team, discuss the following for each stakeholder:
      1. Forums and methods of contact and interaction.
      2. Frequency of interaction.
      3. Content or topics typically addressed during interactions.
    3. Discuss what the outcomes of an ideal interaction would look like with each stakeholder.
    4. List opportunities to change or improve the nature of interactions and specific actions you plan to take.
    InputOutput
    • Stakeholder Alignment Assessment (in-deck template)
    • Stakeholder Pre-selling Strategy
    MaterialsParticipants
    • Stakeholder Pre-selling Strategy (in-deck template)
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Stakeholder pre-selling strategy

    Document the outcomes of your discussion. Examples are provided below.

    Stakeholder

    Current interactions

    Opportunities and actions

    Forum

    Frequency

    Content

    CFO

    One-on-one meeting

    Monthly

    IT expenditure updates and tracking toward budgeted amount.

    Increase one-on-one meeting to weekly. Alternate focus – retrospective update one week, future-looking case development the next. Invite one business unit head to future-looking sessions to discuss their IT needs.

    VP of Sales

    Executive meeting

    Quarterly

    General business update - dominates.

    Set up bi-weekly one-on-one meeting – initially focus on what sales does/needs, not tech. Later, when the relationship has stabilized, bring data that shows Sales’ consumption of IT resources.

    Director of Marketing

    Executive meeting

    Quarterly

    General business update - quiet.

    Set up monthly one-on-one meeting. Temporarily embed BA to better discover/understand staff processes and needs.

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    Phase recap: Lay your foundation

    Build in the elements from the start that you need to facilitate budgetary approval.

    You should now have a deeper understanding of the what, why, and who of your IT budget. These elements are foundational to streamlining the budget process, getting aligned with peers and the executive, and increasing your chances of winning budgetary approval in the end.

    In this phase, you have:

    • Reviewed what your budget is and does. Your budget is an important governance and communication tool that reflects organizational priorities and objectives and IT’s understanding of them.
    • Taken a closer look at your stakeholders. The CFO, CEO, and CXOs in your organization have accountabilities of their own to meet and need IT and its budget to help them succeed.
    • Developed a strategy for continuously pre-selling your budget. Identifying opportunities and approaches for building relationships, collaborating, and talking meaningfully about IT and IT expenditure throughout the year is one of the leading things you can do to get on the same page and pave the way for budget approval.

    “Many departments have mostly labor for their costs. They’re not buying a million and a half or two million dollars’ worth of software every year or fixing things that break. They don’t share IT’s operations mindset and I think they get frustrated.”

    – Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County

    Phase 2

    Get Into Budget-Starting Position

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Putting together your budget team and gather your data.
    • Selecting which views of the ITFM Cost Model you’ll use.
    • Mapping and analyzing IT’s historical expenditure.
    • Setting goals and metrics for the next budgetary cycle.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Get into budget-starting position

    Now’s the time to pull together your budgeting resources and decision-making reference points.

    This phase is about clarifying your context and defining your boundaries.

    • Assemble your resources. This includes the people, data, and other information you’ll need to maximize insight into future spend requirements.
    • Understand the four views of the IT Cost Model. Firm up your understanding of the CFO expense view, CIO service view, CXO business view, and CEO innovation view and decide which ones you’ll use in your analysis and forecasting.
    • Review last year’s budget versus actuals. You need last year’s context to inform next year’s numbers as well as demonstrate any cost efficiencies you successfully executed.
    • Review five-year historical trends. This long-term context gives stakeholders and approvers important information about where IT fits into the business big picture and reminds them how you got to where you are today.
    • Set your high-level goals. You need to decide if you’re increasing, decreasing, or holding steady on your budget and whether you can realistically meet any mandates you’ve been handed on this front. Set a target as a reference point to guide your decisions and flag areas where you might need to have some tough conversations.

    “A lot of the preparation is education for our IT managers so that they understand what’s in their budgets and all the moving parts. They can actually help you keep it within bounds.”

    – Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

    Gather your budget-building team

    In addition to your CFO, CXOs, and CEO, there are other people who will provide important information, insight, and skill in identifying IT budget priorities and costs.

    Role

    Skill set

    Responsibilities

    IT Finance Lead

    • Financial acumen, specifically with cost forecasting and budgeting.
    • Understanding of actual IT costs and service-based costing methods.

    IT finance personnel will guide the building of cost forecasting methodologies for operating and capital costs, help manage IT cash flows, help identify cost reduction options, and work directly with the finance department to ensure they get what they need.

    IT Domain Managers

    • Knowledge of services and their outputs.
    • Understanding of cost drivers for the services they manage.

    They will be active participants in budgeting for their specific domains, act as a second set of eyes, assist with and manage their domain budgets, and engage with stakeholders.

    Project Managers

    • Knowledge of project requirements.
    • Project budgeting.
    • Understanding of project IT-specific costs.

    Project managers will assist in capital and operational forecasting and will review project budgets to ensure accuracy. They will also assist in forecasting the operational impacts of capital projects.

    As the head of IT, your role is as the budgeting team lead. You understand both the business and IT strategies, and have relationships with key business partners. Your primary responsibilities are to guide and approve all budget components and act as a liaison between finance, business units, and IT.

    Set expectations with your budgeting team

    Be clear on your goals and ensure everyone has what they need to succeed.

    Your responsibilities and accountabilities.

    • Budget team lead.
    • Strategic direction.
    • Primary liaison with business stakeholders.
    • Pre-presentation approver and final decision maker.

    Goals and requirements.

    • Idea generation for investment and cost optimization.
    • Cost prioritization and rationale.
    • Skills requirements and sourcing options.
    • Risk assessment and operational impact.
    • Data format and level of granularity.

    Budgeting fundamentals.

    • Review of key finance concepts – CapEx, OpEx, cashflow, income, depreciation, etc.
    • What a budget is, and its component parts.
    • How the budget will be used by IT and the organization.
    • How to calculate cost forecasts.

    Their responsibilities and accountabilities.

    • Data/information collection.
    • Operational knowledge of their services, projects, and staff.
    • Cost forecast development for their respective domains/projects.
    • Review and sanity checking of their peers’ cost forecasts.

    Timeframes and deadlines.

    • Budgeting stages/phases and their deliverables.
    • Internal IT deadlines.
    • External business deadlines.
    • Goals and cadence of future working sessions and meetings.

    Available resources.

    • Internal and external sources of data and information.
    • Tools and templates for tracking information and performing calculations.
    • Individuals who can provide finance concept guidance and support.
    • Repositories for in-progress and final work.

    2.1 Brief and mobilize your IT budgeting team

    2 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook
    2. Organize a meeting with your IT department management team, team leaders, and project managers.
    3. Review their general financial management accountabilities and responsibilities.
    4. Discuss the purpose and context of the budgeting exercise, different budget components, and the organization’s milestones/deadlines.
    5. Identify specific tasks and activities that each member of the team must complete in support of the budgeting exercise.
    6. Set up additional checkpoints, working sessions, or meetings that will take you through to final budget submission.
    7. Document your budget team members, responsibilities, deliverables, and due dates on the “Planning Variables” tab in the IT Cost Forecasting & Budgeting Workbook.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • The organization’s budgeting process and procedures
    • Assignment of IT budgeting team responsibilities
    • A budgeting schedule
    MaterialsParticipants
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Leverage the ITFM Cost Model

    Each of the four views breaks down IT costs into a different array of categories so you and your stakeholders can see expenditure in a way that’s meaningful for them.

    You may decide not to use all four views based on your goals, audience, and available time. However, let’s start with how you can use the first two views, the CFO expense view and the CIO service view.

    The image contains a screenshot of the CFO expense view.

    The CFO expense view is fairly traditional – workforce and vendor. However, Info-Tech’s approach breaks down the vendor software and hardware buckets into on-premises and cloud. Making this distinction is increasingly critical given key differences in CapEx vs. OpEx treatment.

    Forecasting this view is mandatory

    These two views provide information that will help you optimize IT costs. They’re designed to allow the CFO and CIO to find a common language that will allow them to collaboratively make decisions about managing IT expenditure effectively.

    The image contains a screenshot of the CIO service view.

    The CIO service view is your view, i.e. it’s how IT tends to organize and manage itself and is often the logical starting point for expenditure planning and analysis. Sub-categories in this view, such as security and data & BI, can also resonate strongly with business stakeholders and their priorities.

    Forecasting this view is recommended

    Extend your dialogue to the business

    Applying the business optimization views of the ITFM Cost Model can bring a level of sophistication to your IT cost analysis and forecasting efforts.

    Some views take a bit more work to map out, but they can be powerful tools for communicating the value of IT to the business. Let’s look at the last two views, the CXO business view and the CEO innovation view.

    The CXO business view looks at IT expenditure business unit by business unit so that each can understand their true consumption of IT resources. This view relies on having a fair and reliable cost allocation formula, such as one based on relative headcount, so it runs the risk of inaccuracy.

    Forecasting this view is recommended

    The image contains a screenshot of the CXO business view.

    These two views provide information that will help you optimize IT support to the business. These views also have a collaborative goal in mind, enabling IT to talk about IT spend in terms that will promote transparency and engage business stakeholders.

    The CEO innovation view is one of the hardest to analyze and forecast since a single spend item may apply to innovation, growth, and keeping the lights on. However, if you have an audience with the CEO and they want IT to play a more strategic or innovative role, then this view is worth mapping.

    Forecasting this view is optional

    The image contains a screenshot of the CEO innovation view.

    2.2 Select the ITFM Cost Model views you plan to complete based on your goals

    30 minutes

    The IT Cost Forecasting and Budgeting Workbook contains standalone sections for each view, as well as rows for each lowest-tier sub-category in a view, so each view can be analyzed and forecasted independently.

    1. Review Info-Tech’s ITFM Cost Model and the expenditure categories and sub-categories each view contains.
    2. Revisit your stakeholder analysis for the budgeting exercise. Plan to:
      1. Complete the CFO expense view regardless.
      2. Complete the CIO service view – consider doing this one first for forecasting purposes as it may be most familiar to you and serve as an easier entry point into the forecasting process.
      3. Complete the CXO business view – consider doing this only for select business units if you have the objective of enhancing awareness of their true consumption of IT resources or if you have (or plan to have) a show-back/chargeback mechanism.
      4. Complete the CEO innovation view only if your data allows it and there’s a compelling reason to discuss the strategic or innovative role of IT in the organization.
    Input Output
    • Stakeholder analysis
    • Info-Tech’s ITFM Cost Model
    • Decision on which views in the ITFM Cost Model you’ll use for historical expenditure analysis and forecasting purposes
    Materials Participants
    • Info-Tech’s ITFM Cost Model
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Gather your budget-building data

    Your data not only forms the content of your budget but also serves as the supporting evidence for the decisions you’ve made.

    Ensure you have the following data and information available to you and your budgeting team before diving in:

    Past data

    • Last fiscal year’s budget.
    • Actuals for the past five fiscal years.
    • Pre-set capital depreciation/amortization amounts to be applied to next fiscal year’s budget.

    Current data

    • Current-year IT positions and salaries.
    • Active vendor contracts with payment schedules and amounts (including active multi-year agreements).
    • Cost projections for remainder of any projects that are committed or in-progress, including projected OpEx for ongoing maintenance and support.

    Future data

    • Estimated market value for any IT positions to be filled next year (both backfill of current vacancies and proposed net-new positions).
    • Pricing data on proposed vendor purchases or contracts.
    • Cost estimates for any capital/strategic projects that are being proposed but not yet committed, including resulting maintenance/support OpEx.
    • Any known pending credits to be received or applied in the next fiscal year.

    If you’re just getting started building a repeatable budgeting process, treat it like any other project, complete with a formal plan/ charter and a central repository for all related data, information, and in-progress and final documents.

    Once you’ve identified a repeatable approach that works for you, transition the budgeting project to a regular operational process complete with policies, procedures, and tools.

    Review last year’s budget vs. actuals

    This is the starting point for building your high-level rationale around what you’re proposing for next fiscal year.

    But first, some quick definitions:

    • Budgeted: What you planned to spend when you started the fiscal year.
    • Actual: What you ended up spending in real life by the end of the fiscal year.
    • Variance: The difference between budgeted expenditure and actual expenditure.

    For last fiscal year, pinpoint the following metrics and information:

    Budgeted and actual IT expenditure overall and by major cost category.

    Categories will include workforce (employees/contractors) and vendors (hardware, software, contracted services) at a minimum.

    Actual IT expenditure as a percentage of organizational revenue.

    This is a widely-used benchmark that your CFO will expect to see.

    The known and likely drivers behind budgeted vs. actual variances.

    Your rationales will affect your perceived credibility. Be straightforward, avoid defending or making excuses, and just show the facts.

    Ask your CFO what they consider acceptable variance thresholds for different cost categories to guide your variance analysis, such as 1% for overall IT expenditure.

    Actual IT CapEx and OpEx.

    CapEx is often more variable than OpEx over time. Separate them so you can see the real trends for each. Consider:

    • Sub-dividing CapEx by strategic projects and non-strategic “business as usual” spend (e.g. laptops, network maintenance gear).
    • Showing overall CapEx and OpEx as percentages of their organization-wide counterparts if that information is available.

    Next, review your five-year historical expenditure trends

    The longer-term pattern of IT expenditure can help you craft a narrative about the overarching story of IT.

    For the previous five fiscal years, focus on the following:

    Actual IT expenditure as a percentage of organizational revenue.

    Again, for historical years 2-5, you can break this down into granular cost categories like workforce, software, and infrastructure like you did for last fiscal year. Avoid getting bogged down and focusing on the past – you ultimately want to redirect stakeholders to the future.

    Percentage expenditure increase/decrease year to year.

    You may choose to show overall IT expenditure amounts, breakdowns by CapEx and OpEx, as well as high-level cost categories.

    As you go back in time, some data may not be available to you, may be unreliable or incomplete, or employ the same cost categories you’re using today. Use your judgement on the level of granularity you want to and can apply when going back two to five years in the past.

    So, what’s the trend? Consider these questions:

    • Is the year-over-year trend on a steady trajectory or are there notable dips and spikes?
    • Are there any one-time capital projects that significantly inflated CapEx and overall spend in a given year or that forced maintenance-and support-oriented OpEx commitments in subsequent years?
    • Does there seem to be an overall change in the CapEx-to-OpEx ratio due to factors like increased use of cloud services, outsourcing, or contract-based staff?

    Take a close look at financial data showcasing the cost-control measures you’ve taken

    Your CFO will look for evidence that you’re gaining efficiencies by controlling costs, which is often a prerequisite for them approving any new funding requests.

    Your objective here is threefold:

    1. Demonstrate IT’s track record of fiscal responsibility and responsiveness to business priorities.
    2. Acknowledge and celebrate your IT-as-cost-center efficiency gains to clear the way for more strategic discussions.
    3. Identify areas where you can potentially source and reallocate recouped funds to bolster other initiatives or business cases for net-new spend.

    This step is about establishing credibility, demonstrating IT value, building trust, and showing the CFO you’re on their team.

    Do the following:

    • List any specific cost-control initiatives and their initial objectives and targets.
    • Identify any changes made to those targets and your approaches due to changing conditions, with rationales for the decisions made. For example:
      • Mid-year, the business decided to allow approximately half the workforce to work from home on a permanent basis.
      • As a result, remote-worker demand on the service desk remained high and actually increased in some areas. You were unable to reduce service desk staff headcount as originally planned.
      • You’re now exploring ways to streamline ticket intake and assignment to increase throughput and speed resolution.
    • Report on completed cost-control initiatives first, including targets, actuals, and related impacts. Include select feedback from business stakeholders and users about the impact of your cost-control measure on them.
    • For in-progress initiatives, report progress made to-date, benefits realized to date, and plans for continuation next fiscal year.

    “Eliminate the things you don’t need. People will give you what you need when you need it if you’re being responsible with what you already have.”

    – Angela Hintz, VP of PMO & Integrated Services,
    Blue Cross and Blue Shield of Louisiana

    2.3 Review your historical IT expenditure

    8 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook.
    2. On Tab 1, “Historical Events & Projects,” note the cost-driving and cost-saving events that occurred last fiscal year that drove any variance between budgeted and actual expenditure. Describe the nature of their impact and current status (ongoing, resolved – temporary impact, or resolved – permanent impact).
    3. Also on Tab 1, “Historical Events & Projects”, summarize the work done on capital or strategic projects, expenditures, and status (in progress, deferred, canceled, or complete).
    4. On Tab 2, “Historical Expenditure”:
      1. Enter the budgeted and actuals data for last fiscal year in columns D-H for the views of the ITFM Cost Model you’re opted to do, i.e. CFO expense view, CIO service view, CXO business view, and CEO innovation view.
      2. Enter a brief rationale for any notable budgeted-versus-actuals variances or other interesting items in column K.
      3. Enter actuals data for the remaining past five fiscal years in columns L-O. Year-over-year comparative metrics will be calculated for you.
      4. Enter FTEs by business function in columns R-AA, rows 34-43.
        Expenditure per FTE and year-over year comparative metrics will be
        calculated for you.
    5. Using Tabs 2, “Historical Expenditure” and 3, “Historical Analysis”, review and analyze the resulting data sets and graphs to identify overall patterns, specifically notable increases or decreases in a particular category of expenditure or where rationales are repeated across categories or views (these are significant).
    6. Finally, flag any data points that help demonstrate achievement of, or progress toward, any cost-control measures you implemented.

    2.3 Review your historical IT expenditure

    InputOutputMaterialsParticipants
    • Budgeted data for the previous fiscal year and actuals data for the previous five fiscal years
    • Mapped budgeted for last fiscal year, mapped actuals for the past five fiscal years, and variance metrics and rationales
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Pull historical trends into a present-day context when setting your high-level goals

    What’s happening to your organization and the ecosystem within which it’s operating right now? Review current business concerns, priorities, and strategies.

    Knowing what happened in the past can provide good insights and give you a chance to show stakeholders your money-management track record. However, what stakeholders really care about is “now” and “next”. For them, it’s all about current business context.

    Ask these questions about your current context to assess the relevance of your historical trend data:

    What’s the state of
    the economy and how is
    it affecting your organization?

    What are the
    organization’s stated
    strategic goals and objectives?

    What has the business
    explicitly communicated
    about finance-related targets?

    What’s the business
    executive’s attitude on
    budget increase requests?

    Some industries are very sensitive to economic cycles, causing wild budget fluctuations year to year. This uncertainty can reduce the volume of spend you automatically carry over one year to the next, making past spend patterns less relevant to your current budgeting effort.

    These can change year to year as well, and often manifest on the CapEx side in the form of strategic projects selected. Since this is so variable, using previous years’ CapEx to determine next fiscal’s CapEx isn’t always useful except in regard to multi-year, ongoing capital projects.

    Do your best to honor mandates. However, if cuts are suggested that could jeopardize core service delivery, tread cautiously, and pick your battles. You may be able to halt new capital spend to generate cuts, but these projects may get approved anyway, with IT expected to make cuts to OpEx.

    If the CFO and others rail against even the most necessary inflation-driven increases, you’ll need to take a conservative approach, focus on cost-saving initiatives, and plan to redirect last year’s expenditures instead of pursuing net-new spend.

    Set metrics and targets for some broader budget effectiveness improvement efforts

    Budget goalsetting isn’t limited to CapEx and OpEx targets. There are several effectiveness metrics to track overall improvement in your budgeting process.

    Step back and think about other budget and expenditure goals you have.
    Do you want to:

    • Better align the budget with organizational objectives?
    • Increase cost forecasting accuracy?
    • Increase budget transparency and completeness?
    • Improve the effectiveness of your budget presentation?
    • Reduce the amount of budget rework?
    • Increase the percentage of the budget that’s approved?
    • Reduce variance between what was budgeted and actuals?

    Establish appropriate metrics and targets that will allow you to define success, track progress, and communicate achievement on these higher-level goals.

    Check out some example metrics in the table below.

    Budgeting metric

    Improvement driver

    Current value

    Future target

    Percentage of spend directly tied to an organizational goal.

    Better alignment via increased communication and partnership with the business.

    72%

    90%

    Number of changes to budget prior to final acceptance.

    Better accuracy and transparency via use of zero-based budgeting and enhanced stakeholder views.

    8

    2

    Percentage variance between budgeted vs. actuals.

    Improved forecasting through better understanding of business plans and in-cycle show-back.

    +4%

    +/-2%

    Percentage of budget approved after first presentation.

    Improved business rationales and direct mapping of expenditure to org priorities.

    76%

    95%

    Percentage of IT-driven project budget approved.

    More rigor around benefits, ROI calculation, and quantifying value delivered.

    80%

    100%

    Set your high-level OpEx budget targets

    The high-level targets you set now don’t need to be perfect. Think of them as reference points or guardrails to sanity-check the cost forecasting exercise to come.

    First things first: Zero-based or incremental for OpEx?

    Set your OpEx targets

    Incremental budgeting is the addition of a few percentage onto next year’s budget, assuming the previous year’s OpEx is all re-occurring. The percentage often aligns with rates of inflation.

    • Most organizations take this approach because it’s faster and easier.
    • However, incremental budgeting is less accurate. Non-recurring items are often overlooked and get included in the forecast, resulting in budget bloat. Also, redundant or wasteful items can be entirely missed, undermining any cost optimization efforts.

    Zero-based budgeting involves rebuilding your budget from scratch, i.e. zero. It doesn’t assume that any of last year’s costs are recurring or consistent year to year.

    • This approach is harder because all relevant historical spend data needs to be collected and reviewed, which not only takes time but the data you need may be unlocatable.
    • Every item needs to be re-examined, re-justified, and tied to an asset, service, or project, which means it’s a far more comprehensive and accurate approach.

    Pick a range of percentage change based on your business context and past spend.

    • If economic prospects are negative, start with a 0-3% increase to balance inflation with potential cuts. Don’t set concrete reduction targets at this point, to avoid tunnel vision in the forecasting exercise.
    • If economic prospects are positive, target 3-5% increases for stable scenarios and 6-10% increases for growth scenarios.
    • If CapEx from previous-year projects is switching to steady-state OpEx, then account for these bumps in OpEx.
    • If the benefits from any previous-year efficiency measures will be realized next fiscal year, then account for these as OpEx reductions.

    If cost-cutting or optimization is a priority, then a zero-based approach is the right decision. If doing this every year is too onerous, plan to do it for your OpEx at least every few years to examine what’s actually in there, clean house, and re-set.

    Set your high-level CapEx budget targets

    A lot of IT CapEx is conceived in business projects, so your proposed expenditure here may not be up to you. Exercise as much influence as you can.

    First things first: Is it project CapEx, or “business as usual” CapEx?

    Project CapEx is tied to one-time strategic projects requiring investment in new assets.

    • This CapEx will probably be variable year to year, going up or down depending on the organization’s circumstances or goals.
    • This area of spend is driven largely by the business and not IT. Plan to set project CapEx targets in close partnership with the business and function as a steward of these funds instead of as an owner.

    User-driven “business as usual” CapEx manifests via changes (often increases) in organizational headcount due to growth.

    • Costs here focus on end-user hardware like desktops, laptops, and peripherals.
    • Any new capital software acquisitions you have planned will also be affected in terms of number of licenses required.
    • Get reliable estimates of department-by-department hiring plans for next fiscal year to better account for these in your budget.

    Network/data center-driven “business-as-usual” CapEx is about core infrastructure maintenance.

    • Costs here focus on the purchase of network and data center hardware and other equipment to maintain existing infrastructure services and performance.
    • Increased outsourcing often drives down this area of “business as usual” CapEx by reducing the purchase of new on-premises solutions and eliminating network and data center maintenance requirements.

    Unanticipated hiring and the need to buy end-user hardware is cited as a top cause of budget grief by IT leaders – get ahead of this. Project CapEx, however, is usually determined via business-based capital project approval mechanisms well in advance. And don’t forget to factor in pre-established capital asset depreciation amounts generated by all the above!

    2.4 Set your high-level IT budget targets and metrics

    8 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook to document the outcomes of this activity.
    2. Review the context in which your organization is currently operating and expects to operate in the next fiscal year. Specifically, look at:
      1. The state of the economy.
      2. Stated goals, objectives, and targets.
      3. The executive’s point of view on budget increase requests.
      Document your factors, assessment, rationale, and considerations in the “Business Context Assessment” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.
    3. Based on the business context, anticipated flips of former CapEx to OpEx, and realization of previous years’ efficiency measures, set a general non-project OpEx target as a percentage increase or decrease for next fiscal year to serve as a guideline in the cost forecasting guideline. Document this in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook. sed on known capital projects, changes in headcount, typical “business as usual” equipment expenditure, and pre-established capital asset depreciation amounts, set general project CapEx and non-project CapEx targets. Document these in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.
    4. Finally, set your overarching IT budget process success metrics. Also document these in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.

    Download the IT Cost Forecasting and Budgeting Workbook

    2.4 Set your high-level IT budget targets and metrics

    InputOutputMaterialsParticipants
    • Knowledge of current business context and probable context next fiscal year
    • Analysis of historical IT expenditure patterns
    • High-level project CapEx and non-project CapEx and OpEx targets for the next fiscal year
    • IT budget process success metrics
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Phase recap: Get into budget-starting position

    Now you’re ready to do the deep dive into forecasting your IT budget for next year.

    In this phase, you clarified your business context and defined your budgetary goals, including:

    • Assembling your resources. You’ve built and organized your IT budgeting team, as well as gathered the data and information you’ll need to do your historical expenditure analysis and future forecasting
    • Understanding the four views of the IT Cost Model. You’ve become familiar with the four views of the model and have selected which ones you’ll map for historical analysis and forecasting purposes.
    • Reviewing last year’s budget versus actuals and five-year historical trends. You now have the critical rationale-building context to inform next year’s numbers and demonstrate any cost efficiencies you’ve successfully executed.
    • Setting your high-level goals. You’ve established high-level targets for project and non-project CapEx and OpEx, as well as set some IT budget process improvement goals.

    “We only have one dollar but five things. Help us understand how to spend that dollar.”

    – Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

    Phase 3

    Develop Your Forecasts

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Documenting the assumptions behind your proposed budget and develop alternative scenarios.
    • Forecasting your project CapEx.
    • Forecasting your non-project CapEx and OpEx.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Develop your forecasts

    Start making some decisions.

    This phase focuses on putting real numbers on paper based on the research and data you’ve collected. Here, you will:

    • Develop assumptions and alternative scenarios. The assumptions you make are the logical foundation for your decisions, and your primary and alternative scenarios focus your thinking and demonstrate that you’ve thoroughly examined your organization’s current and future context.
    • Forecast your project CapEx costs. These costs are comprised of all the project-related capital expenditures for strategic or capital projects, including in-house labor.
    • Forecast your non-project CapEx and OpEx costs. These costs are the ongoing “business as usual” expenditures incurred via the day-to-day operations of IT and delivery of IT services.

    “Our April forecast is what really sets the bar for what our increase is going to be next fiscal year. We realized that we couldn’t change it later, so we needed to do more upfront to get that forecast right.

    If we know that IT projects have been delayed, if we know we pulled some things forward, if we know that a project isn’t starting until next year, let’s be really clear on those things so that we’re starting from a better forecast because that’s the basis of deciding two percent, three percent, whatever it’s going to be.”

    – Kristen Thurber, IT Director, Office of the CIO, Donaldson Company

    When pinning down assumptions, start with negotiable and non-negotiable constraints

    Assumptions are things you hold to be true. They may not actually be true, but they are your logical foundation and must be shared with stakeholders so they can follow your thinking.

    Start with understanding your constraints. These are either negotiable (adjustable) or non-negotiable (non-adjustable). However, what is non-negotiable for IT may be negotiable for the organization as a whole, such as its strategic objectives. Consider each of the constraints below, determine how it relates to IT expenditure options, and decide if it’s ultimately negotiable or non-negotiable.

    Organizational

    Legal and Regulatory

    IT/Other

    Example:
    • Strategic goals and priorities
    • Financial and market performance
    • Governance style and methods
    • Organizational policies
    • Organizational culture
    • Regulatory compliance and reporting
    • Data residency and privacy laws
    • Vendor contract terms and conditions
    • Health and safety
    • Compensation and collective bargaining
    • IT funding and fund allocation flexibility
    • Staff/skills availability and capacity
    • Business continuity and IT performance requirements
    • Time and timeframes
    You’re in year one of a three-year vendor contract. All contracts are negotiable, but this one isn’t for two years. This contact should be considered a non-negotiable for current budget-planning purposes.

    Identifying your negotiable and non-negotiable constraints is about knowing what levers you can pull. Government entities have more non-negotiable constraints than private companies, which means IT and the organization as a whole have fewer budgetary levers to pull and a lot less flexibility.

    An un-pullable lever and a pullable lever (and how much you can pull it) have one important thing in common – they are all fundamental assumptions that influence your decisions.

    Brainstorm your assumptions even further

    The tricky thing about assumptions is that they’re taken for granted – you don’t always realize you’ve made them. Consider these common assumptions and test them for validity.

    My current employees will still be here 18 months from now.

    My current vendors aren’t going to discontinue the products we have.

    My organization’s executive team will be the same 18 months from now. My current key vendors will be around for years to come.

    My organization’s departments, divisions, and general structure will be the same 18 months from now.

    IT has to be an innovation leader.

    We won’t be involved in any merger/acquisition activity next fiscal year.

    IT has always played the same role here and that won’t change.

    There won’t be a major natural disaster that takes us offline for days or even weeks.

    We must move everything we can to the cloud.

    We won’t be launching any new products or services next fiscal year.

    Most of our IT expenditure has to be CapEx, as usual.

    You won’t put some of these assumptions into your final budget presentation. It’s simply worthwhile knowing what they are so you can challenge them when forecasting.

    Based on your assumptions, define the primary scenario that will frame your budget

    Your primary scenario is the one you believe is most likely to happen and upon which you’ll build your IT cost forecasts.

    Now it’s time to outline your primary scenario.

    • A scenario is created by identifying the variable factors embedded in your assumptions and manipulating them across the range of possibilities. This manipulation of variables will result in different scenarios, some more likely or feasible than others.
    • Your primary scenario is the one you believe is the most feasible and/or likely to happen (i.e. most probable). This is based on:
      • Your understanding of past events and patterns.
      • Your understanding of your organization’s current context.
      • Your understanding of IT’s current context.
      • Your understanding of the organization’s objectives.
      • Your assessment of negotiable and non-negotiable constraints and other assumptions for both IT and the organization.

    A note on probability…

    • A non-negotiable constraint doesn’t have any variables to manipulate. It’s a 100% probability that must be rigidly accommodated and protected in your scenario. An example is a long-standing industry regulation that shows no signs of being updated or altered and must be complied with in its current state.
    • A negotiable constraint has many more variables in play. Your goal is to identify the different potential values of the variables and determine the degree of probability that one value is more likely to be true or feasible than another. An example is that you’re directed to cut costs, but the amount could be as little as 3% or as much as 20%.
    • And then there are the unknowns. These are circumstances, events, or initiatives that inevitably happen, but you can’t predict when, what, or how much. This is what contingency planning and insurance are for. Examples include a natural disaster, a pandemic, a supply chain crisis, or the CEO simply changing their mind. Its safe to assume something is going to happen, so if you’re able to establish a contingency fund or mechanisms that let you respond, then do it.

    What could or will be your organization’s new current state at the end of next fiscal year?

    Next, explore alternative scenarios, even those that may seem a bit outrageous

    Offering alternatives demonstrates that you weighed all the pertinent factors and that you’ve thought broadly about the organization’s future and how best to support it.

    Primary scenario approval can be helped by putting that scenario alongside alternatives that are less attractive due to their cost, priority, or feasibility. Alternative scenarios are created by manipulating or eliminating your negotiable constraints or treating specific unknowns as knowns. Here are some common alternative scenarios.

    The high-cost scenario: Assumes very positive economic prospects. Characterized by more of everything – people and skills, new or more sophisticated technologies, projects, growth, and innovation. Remember to consider the long-term impact on OpEx that higher capital spend may bring in subsequent years.

    Target 10-20% more expenditure than your primary scenario

    The low-cost scenario: Assumes negative economic prospects or cost-control objectives. Characterized by less of everything, specifically capital project investment, other CapEx, and OpEx. Must assume that business service-level expectations will be down-graded and other sacrifices will be made.

    Target 5-15% less expenditure than your primary scenario

    The dark horse scenario: This is a more radical proposition that challenges the status quo. For example, what would the budget look like if all data specialists in the organization were centralized under IT? What if IT ran the corporate PMO? What if the entire IT function was 100% outsourced?

    No specific target

    Case Study

    INDUSTRY: Manufacturing

    SOURCE: Anonymous

    A manufacturing IT Director gets budgetary approval by showing what the business would have to sacrifice to get the cheap option.

    Challenge

    Solution

    Results

    A manufacturing business had been cutting costs endlessly across the organization, but specifically in IT.

    IT was down to the bone. The IT Director had already been doing zero-based budgeting to rationalize all expenditure, stretching asset lifecycles as long as possible, and letting maintenance work slide.

    There were no obvious options left to reduce costs based on what the business wanted to do.

    The IT Director got creative. He put together three complete budgets:

    1. The budget he wanted.
    2. A budget where everything was entirely outsourced and there would be zero in-house IT staff.
    3. A budget that was not as extreme as the second one, but still tilted toward outsourcing.

    In the budget presentation, he led with the “super cheap” budget where IT was 100% outsourced.

    He proceeded to review the things they wouldn’t have under the extreme outsourced scenario, including the losses in service levels that would be necessary to make it happen.

    The executive was shocked by what the IT Director showed them.

    The executive immediately approved the IT Director’s preferred budget. He was able to defend the best budget for the business by showing them what they stood to lose.

    3.1 Document your assumptions and alternative scenarios

    2 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook and document the outcomes of this activity on Tab 9, “Alternative Scenarios.”
    2. As a management team, identify and discuss your non-negotiable and negotiable constraints. Document these in rows 4 and 5 respectively in the Workbook.
    3. Brainstorm, list, and challenge any other assumptions being made by IT or the organization’s executive in terms of what can and cannot be done.
    4. Identify the most likely or feasible scenario (primary) and associated assumptions. You will base your initial forecasting on this scenario.
    5. Identify alternative scenarios. Document each scenario’s name, description, and key assumptions, and major opportunities in columns B-D on Tab 9, “Alternative Scenarios.” You will do any calculations for these scenarios after you have completed the forecast for your primary scenario.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Knowledge of organization’s context, culture, and operations
    • A list of assumptions that will form the logical foundation of your forecasting decisions
    • Identification of the primary budget scenario and alternatives
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Before diving into actual forecasting, get clear on project and non-project CapEx and OpEx

    Traditional, binary “CapEx vs. OpEx” distinctions don’t seem adequate for showing where expenditure is really going. We’ve added a new facet to help further differentiate one-time project costs from recurring “business as usual” expenses.

    Project CapEx
    Includes all workforce and vendor costs associated with planning and execution of projects largely focused on the acquisition or creation of new capital assets.

    Non-project CapEx
    Includes “business as usual” capital asset acquisition in the interest of managing, maintaining, or supporting ongoing performance of existing infrastructure or services, such as replacement network equipment, end-user hardware (e.g. laptops), or disaster recovery/business continuity redundancies. Also includes ongoing asset depreciation amounts.

    Non-project OpEx
    Includes all recurring, non-CapEx “business as usual” costs such as labor compensation and training, cloud-based software fees, outsourcing costs, managed services fees, subscriptions, and other discretionary spend.

    Depreciation is technically CapEx. However, for practical purposes, most organizations list it under OpEx, which can cause it to get lost in the noise. Here, depreciation is under non-project CapEx to keep its true CapEx nature visible and in the company of other “business as usual” capital purchases that will ultimately join the depreciation ranks.

    Forecast your project CapEx costs

    This process can be simple as far as overall budget forecasting is concerned. If it isn’t simple now, plan to make it simpler next time around.

    What to expect…

    • Ideally, the costs for all projects should have been thoroughly estimated, reviewed, and accepted by a steering committee, your CFO, or other approving entity at the start of the budgeting season, and funding already committed to. In a nutshell, forecasting your project costs should already have been done and will only require plugging in those numbers.
    • If projects have yet to be pitched and rubber stamped, know that your work is cut out for you. Doing things in a rush or without proper due diligence will result in certain costs being missed. This means that you risk going far over budget in terms of actuals next year, or having to borrow from other areas in your budget to cover unplanned or underestimated project costs.

    Key forecasting principles…

    Develop rigorous business cases
    Secure funding approval well in advance
    Tie back costs benefitting business units
    Consider the longer-term OpEx impact

    For more information about putting together sound business cases for different projects and circumstances, see the following Info-Tech blueprints:

    Build a Comprehensive Business Case

    Fund Innovation with a Minimum Viable Business Case

    Reduce Time to Consensus with an Accelerated Business Case

    Apply these project CapEx forecasting tips

    A good project CapEx forecast requires steady legwork, not last-minute fast thinking.

    Tip #1: Don’t surprise your approvers. Springing a capital project on approvers at your formal presentation isn’t a good idea and stands a good chance of rejection, so do whatever you can to lock these costs down well in advance.

    Tip #2: Project costs should be entirely comprised of CapEx if possible. Keep in mind that some of these costs will convert to depreciated non-project CapEx and non-project OpEx as they transition from project costs to ongoing “business as usual” costs, usually in the fiscal year following the year of expenditure. Creating projections for the longer-term impacts of these project CapEx costs on future types of expenditure is a good idea. Remember that a one-time project is not the same thing as a one-time cost.

    Tip #3: Capitalize any employee labor costs on capital projects. This ensures the true costs of projects are not underestimated and that operational staff aren’t being used for free at the expense of their regular duties.

    Tip #4: Capitalizing cloud costs in year one of a formal implementation project is usually acceptable. It’s possible to continue treating cloud costs as CapEx with some vendors via something called reserved instances, but organizations report that this is a lot of work to set up. In the end, most capitalized cloud will convert into non-project OpEx in years two and beyond.

    Tip #5: Build in some leeway. By the time a project is initiated, circumstances may have changed dramatically from when it was first pitched and approved, including business priorities and needs, vendor pricing, and skillset availability. Your costing may become completely out of date. It’s a good practice to work within more general cost ranges than with specific numbers, to give you the flexibility to respond and adapt during actual execution.

    3.2 Forecast your project CapEx

    Time: Depends on size of project portfolio

    1. Download the IT Cost Forecasting and Budgeting Workbook and navigate to Tab 5, “Project CapEx Forecast”. Add more columns as required. Enter the following for all projects:
      • Row 5 – Its name and/or unique identifier.
      • Row 6 – Its known or estimated project start/end dates.
      • Row 7 – Its status (in proposal, committed, or in progress).
    2. Distribute each project’s costs across the categories listed for each view you’ve selected to map. Do not include any OpEx here – it will be mapped separately under non-project OpEx.
    3. Rationalize your values. A running per-project total for each view, as well as totals for all projects combined, are in rows 16, 28, 39, and 43. Ensure these totals match or are very close across all the views you are mapping. If they don’t match, review the views that are lower-end outliers as there’s a good chance something has been overlooked.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Project proposals and plans, including cost estimations
    • A project CapEx forecast for next fiscal year
    MaterialsParticipants
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Forecast your non-project OpEx

    Most of your budget will be non-project OpEx, so plan to spend most of your forecasting effort here.

    What to expect…

    Central to the definition of OpEx is the fact that it’s ongoing. It rarely stops, and tends to steadily increase over time due to factors like inflation, rising vendor prices, growing organizational growth, increases in the salary expectations of employees, and other factors.

    The only certain ways to reduce OpEx are to convert it to capitalizable expenditure, decrease staffing costs, not pursue cloud technologies, or for the organization to simply not grow. For most organizations, none of these approaches are feasible. Smaller scale efficiencies and optimizations can keep OpEx from running amok, but they won’t change its overall upward trajectory over time. Expect it to increase.

    Key forecasting principles…

    Focus on optimization and efficiency.
    Aim for full spend transparency.
    Think about appropriate chargeback options.
    Give it the time it deserves.

    For more information about how to make the most out of your IT OpEx, see the following Info-Tech blueprints:

    Develop Your Cost Optimization Roadmap

    Achieve IT Spend & Staffing Transparency

    Discover the Hidden Costs of Outsourcing

    Apply these non-project OpEx forecasting tips

    A good forecast is in the details, so take a very close look to see what’s really there.

    Tip #1: Consider zero-based budgeting. You don’t have to do this every year, but re-rationalizing your OpEx every few years, or a just a segment of it on a rotational basis, will not only help you readily justify the expenditure but also find waste and inefficiencies you didn’t know existed.

    Tip #2: Capitalize your employee capital project work. While some organizations aren’t allowed to do this, others who can simply don’t bother. Unfortunately, this act can bloat the OpEx side of the equation substantially. Many regular employees spend a significant amount of their time working on capital projects, but this fact is invisible to the business. This is why the business keeps asking why it takes so many people to run IT.

    Tip #3: Break out your cloud vs. on-premises costs. Burying cloud apps costs in a generic software bucket works against any transparency ambitions you may have. If you have anything resembling a cloud strategy, you need to track, report, and plan for these costs separately in order to measure benefits realization. This goes for cloud infrastructure costs, too.

    Tip #4: Spend time on your CIO service view forecast. Completing this view counts as a first step toward service-based costing and is a good starting point for setting up an accurate service catalog. If looking for cost reductions, you’ll want to examine your forecasts in this view as there will likely be service-level reductions you’ll need to propose to hit your cost-cutting goals.

    Tip #5: Budget with consideration for chargeback. chargeback mechanisms for OpEx can be challenging to manage and have political repercussions, but they do shift accountability back to the business, guarantee that the IT bills get paid, and reduce IT’s OpEx burden. Selectively charging business units for applications that only they use may be a good entry point into chargeback. It may also be as far as you want to go with it. Doing the CXO business view forecast will provide insight into your opportunities here.

    Forecast your non-project CapEx

    These costs are often the smallest percentage of overall expenditure but one of the biggest sources of financial grief for IT.

    What to expect…

    • These costs can be hard to predict. Anticipating expenditure on end-user hardware such as laptops depends on knowing how many new staff will be hired by the organization next year. Predicting the need to buy networking hardware depends on knowing if, and when, a critical piece of equipment is going to spontaneously fail. You can never be completely sure.
    • IT often must reallocate funds from other areas of its budget to cover non-project CapEx costs. Unfortunately, keeping the network running and ensuring employees have access to that network is seen exclusively as an IT problem, not a business problem. Plan to change this mindset.

    Key forecasting principles…

    Discuss hiring plans with the business.
    Pay close attention to your asset lifecycles.
    Prepare to advise about depreciation schedules.
    Build in contingency for the unexpected.

    For more information about ensuring IT isn’t left in the lurch when it comes to non-project CapEx, see the following Info-Tech blueprints:

    Manage End-User Devices

    Develop an Availability and Capacity Management Plan

    Modernize the Network

    Apply these non-project CapEx forecasting tips

    A good forecast relies on your ability to accurately predict the future.

    Tip #1: Top up new hire estimations: Talk to every business unit leader about their concrete hiring plans, not their aspirations. Get a number, increase that number by 25% or 20 FTEs (whichever is less), and use this new number to calculate your end-user non-project CapEx.

    Tip #2: Make an arrangement for who’s paying for operational technology (OT) devices and equipment. OT involves specialized devices such as in-the-field sensors, scanners, meters, and other networkable equipment. Historically, operational units have handled this themselves, but this has created security problems and they still rely on IT for support. Sort the financials out now, including whose budget device and equipment purchases appear on, as well as what accommodations IT will need to make in its own budget to support them.

    Tip #3: Evaluate cloud infrastructure and managed services. These can dramatically reduce your non-project CapEx, particularly on the network and data center fronts. However, these solutions aren’t necessarily less expensive and will drive up OpEx, so tread cautiously.

    Tip #4: Definitely do an inventory. If you haven’t invested in IT asset management, put it on your project and budgetary agenda. You can’t manage what you don’t know you have, so asset discovery should be your first order of business. From there, start gathering asset lifecycle information and build in alerting to aid your spend planning.

    Tip #5: Think about retirement: What assets are nearing end of life or the end of their depreciation schedule? What impact is this having on non-project OpEx in terms of maintenance and support? Deciding to retire, replace, or extend an IT operational asset will change your non-project CapEx outlook and will affect costs in other areas.

    Tip #6: Create a contingency fund: You need one to deal with surprises and emergencies, so why wait?

    Document the organization’s projected FTEs by business function

    This data point is usually missing from IT’s budget forecasting data set. Try to get it.

    A powerful metric to share with business stakeholders is expenditure per employee or FTE. It’s powerful because:

    • It’s one of the few metrics that’s intuitively understood by most people
    • It can show changes in IT expenditure over time at both granular and general levels.

    This metric is one of the simplest to calculate. The challenge is in getting your hands on the data in the first place.

    • Most business unit leaders struggle to pin down this number in terms of actuals as they have difficulty determining what an FTE actually is. Does it include contract staff? Part-time staff? Seasonal workers? Volunteers and interns? And if the business unit has high turnover, this number can fluctuate significantly.
    • Encourage your business peers to produce a rational estimate. Unlike the headcount number you’re seeking to forecast for non-project capital expenditure for end-user hardware, this FTE number should strive to be more in the ballpark, as you’re not using it to ensure sufficient funds but comparatively track expenditure year to year.
    • Depending on your industry, employees or FTEs may not be the best measurement. Use what works best for you. Number of unique users is a common one. Other industry-specific examples include per student, per bed, per patient, per account, and per resident.

    Start to build in long-term and short-term forecasting into your budgeting process

    These are growing practices in mature IT organizations that afford significant flexibility.

    Short-term forecasting:

    Long-term forecasting:

    • At Donaldson Company, budgeting is a once-a-year event, but they’ve started formalizing a forecast review three times a year.
    • These mini-forecasts are not as full blown as the annual forecasting process. Rather, they look at specific parts of the budget and update it based on changing realities.

    “It’s a great step in the right direction. We look at
    the current, and then the future. What we’re really pushing is how to keep that outyear spend more in discussion. The biggest thing we’re trying to do when we approve projects is look at what does that approval do to outyear spend? Is it going to increase? Is it going to decrease? Will we be spending more on licensing? On people?”

    – Kristen Thurber, IT Director, Office of the CIO,
    Donaldson Company

    • In 2017, the Hawaii Medical Service Association accepted the fact that they were very challenged with legacy systems. They needed to modernize.
    • They created a multi-year strategic budget -- a five-year investment plan. This plan was a success. They were able to gain approval for a five-year horizon with variable allocations per year, as required.

    “This approach was much better. We now
    have a “guarantee” of funding for five years now – they’ve conceptually agreed. Now we don’t have
    to make that request for new money every time
    if we need more. We can vary the amount every
    year – it doesn’t have to be the same.”

    – Trisha Goya, Director, IT Governance & Administration,
    Hawaii Medical Service Association

    3.4 Forecast your non-project OpEx and CapEx

    Time: Depends on size of vendor portfolio and workforce

    1. Download the IT Cost Forecasting and Budgeting Workbook and navigate to Tab 4, “Business as Usual Forecast”. This tab assumes an incremental budgeting approach. Last year’s actuals have been carried forward for you to build upon.
    2. Enter expected percentage-based cost increases/decreases for next fiscal year for each of the following variables (columns E-I): inflation, vendor pricing, labor costs, service levels, and depreciation. Do this for all sub-categories for the ITFM cost model views you’ve opted to map. Provide rationales for your percentage values in column K.
    3. In columns M and N, enter the anticipated percentage allocation of cost to non-project CapEx versus non-project OpEx.
    4. In column O, rows 29-38, enter the projected FTEs for each business function (if available).
    5. If you choose, make longer-term, high-level forecasts for 2-3 years in the future in columns P-U. Performing longer-term forecasts for at least the CFO expense view categories is recommended.

    Download the IT Cost Forecasting and Budgeting Workbook

    Input Output
    • Last fiscal year’s actuals
    • Knowledge of likely inflation, vendor cost, and salary expectations for next fiscal year
    • Depreciation amounts
    • A non-project OpEx and CapEx forecast for next fiscal year
    Materials Participants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Case Study

    INDUSTRY: Insurance

    SOURCE: Anonymous

    Challenge

    Solution

    Results

    In his first run at the annual budgeting process, a new CIO received delivery dates from Finance and spent the next three months building the budget for the next fiscal year.

    He discovered that the organization had been underinvesting in IT for a long time. There were platforms without support, no accounting for currency exchange rates on purchases, components that had not be upgraded in 16 years, big cybersecurity risks, and 20 critical incidences a month.

    In his budget, the CIO requested a 22-24% increase in IT expenditure to deal with the critical gaps, and provided a detailed defense of his proposal

    But the new CIO’s team and Finance were frustrated with him. He asked his IT finance leader why. She said she didn’t understand what his direction was and why the budgeting process was taking so long – his predecessor did the budget in only two days. He would add up the contracts, add 10% for inflation, and that’s it.

    Simply put, the organization hadn’t taken budgeting seriously. By doing it right, the new CIO had inadvertently challenged the status quo.

    The CIO ended up under-executing his first budget by 12% but is tracking closer to plan this year. Significantly, he’s been able cut critical incidences from 20 down to only 2-3 per month.

    Some friction persists with the CFO, who sees him as a “big spender,” but he believes that this friction has forced him to be even better.

    Phase recap: Develop your forecasts

    The hard math is done. Now it’s time to step back and craft your final proposed budget and its key messages.

    This phase focused on developing your forecasts and proposed budget for next fiscal year. It included:

    • Developing assumptions and alternative scenarios. These will showcase your understanding of business context as well as what’s most likely to happen (or should happen) next year.
    • Forecasting your project CapEx costs. If these costs weren’t laid out already in formal, approved project proposals or plans, now you know why it’s the better approach for developing a budget.
    • Forecasting your non-project CapEx and OpEx costs. Now you should have more clarity and transparency concerning where these costs are going and exactly why they need to go there.

    “Ninety percent of your projects will get started but a good 10% will never get off the ground because of capacity or the business changes their mind or other priorities are thrown in. There are always these sorts of challenges that come up.”

    – Theresa Hughes, Executive Counselor,
    Info-Tech Research Group
    and Former IT Executive

    Phase 4

    Build Your Proposed Budget

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Pulling your forecasts together into a comprehensive IT budget for next fiscal year.
    • Double checking your forecasts to ensure they’re accurate.
    • Fine tuning the rationales behind your proposals.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Build your proposed budget

    Triple check your numbers and put the finishing touches on your approval-winning rationales.

    This phase is where your analysis and decision making finally come together into a coherent budget proposal. Key steps include:

    • Aggregating your numbers. This step involves pulling together your project CapEx, non-project CapEx, and non-project OpEx forecasts into a comprehensive whole and sanity-checking your expenditure-type ratios.
    • Stress-testing your forecasts. Do some detailed checks to ensure everything’s accounted for and you haven’t overlooked any significant information or factors that could affect your forecasted costs.
    • Challenging and perfecting your rationales. Your ability to present hard evidence and rational explanations in support of your proposed budget is often the difference between a yes or a no. Look at your proposals from different stakeholder perspectives and ask yourself, “Would I say yes to this if I were them?”

    “We don’t buy servers and licenses because we want to. We buy them because we have to. IT doesn’t need those servers out at our data center provider, network connections, et cetera. Only a fraction of these costs are to support us in the IT department. IT doesn’t have control over these costs because we’re not the consumers.”

    – Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County

    Great rationales do more than set you up for streamlined budgetary approval

    Rationales build credibility and trust in your business capabilities. They can also help stop the same conversations happening year after year.

    Any item in your proposed budget can send you down a rabbit hole if not thoroughly defensible.

    You probably won’t need to defend every item, but it’s best to be prepared to do so. Ask yourself:

    • What areas of spend does the CFO come back to year after year? Is it some aspect of OpEx, such as workforce costs or cloud software fees? Is it the relationship between proposed project spend and business benefits? Provide detailed and transparent rationales for these items to start re-directing long-term conversations to more strategic issues.
    • What areas of spend seem to be recurring points of conflict with business unit leaders? Is it surprise spend that comes from business decisions that didn’t include IT? Is it business-unit leaders railing against chargeback? Have frank, information-sharing conversations focused on business applications, service-level requirements, and true IT costs to support them.
    • What’s on the CEO’s mind? Are they focused on entering a new overseas market, which will require capital investment? Are they interested in the potential of a new technology because competitors are adopting it? It may not be the same focus as last year, so ensure you have fresh rationales that show how IT will help deliver on these business goals.

    “Budgets get out of control when one department fails to care for the implications of change within another department's budget. This wastes time, reduces accuracy and causes conflict.”

    – Tara Kinney, Atomic Revenue, LLC.

    Rationalizing costs depends on the intention of the spend

    Not all spending serves the same purpose. Some types require deeper or different justifications than others.

    For the business, there are two main purposes for spend:

    1. Spending that drives revenues or the customer experience. Think in terms of return on investment (ROI), i.e. when will the expenditure pay for itself via the revenue gains it helps create?
    2. Spending that mitigates and manages risk. Think in terms of cost-benefit, i.e. what are the costs of doing something versus doing nothing at all?
    Source: Kris Blackmon, NetSuite Brainyard.

    “Approval came down to ROI and the ability to show benefits realization for years one, two, and three through five.”

    – Duane Cooney, Executive Counselor, Info-Tech Research Group, and Former Healthcare CIO

    Regardless of its ultimate purpose, all expenditure needs statements of assumptions, obstacles, and likelihood of goals being realized behind it.

    • What are the assumptions that went into the calculation?
    • Is the spend new or a reallocation (and from where)?
    • What’s the likelihood of realizing returns or benefits?
    • What are potential obstacles to realizing returns or benefits?

    Rationales aren’t only for capital projects – they can and should be applied to all proposed OpEx and CapEx. Business project rationales tend to drive revenue and the customer experience, demanding ROI calculations. Internal IT-projects and non-project expenditure are often focused on mitigating and managing risk, requiring cost-benefit analysis.

    First, make sure your numbers add up

    There are a lot of numbers flying around during a budgeting process. Now’s the time to get out of the weeds, look at the big picture, and ensure everything lines up.

    Overall

    Non-Project OpEx

    Non-Project CapEx

    Project CapEx

    • Is your proposed budget consistent with previous IT expenditure patterns?
    • Did you account for major known anomalies or events?
    • Is your final total in line with your CFO’s communicated targets and expectations?
    • Are your alternative scenarios realistic and reflective of viable economic contexts that your organization could find itself in in the near term?
    • Are the OpEx-to-CapEx ratios sensible?
    • Does it pass your gut check?
    • Did you research and verify market rates for employees and skill sets?
    • Did you research and verify likely vendor pricing and potential increases?
    • Are cost categories with variances greater than +5% backed up by defensible IT hiring plans or documented operational growth or improvement initiatives?
    • Have you accounted for the absorption of previous capital project costs into day-to-day management, maintenance, and support operations?
    • Do you have accurate depreciation amounts and timeframes for their discontinuation?
    • Are any variances driven by confirmed business plans to increase headcount, necessitating purchase of end-user hardware and on-premises software licenses?
    • Are any variances due to net-new planned/contingency purchases or the retirement of depreciable on-premises equipment?
    • Is funding for all capital projects represented reliable, i.e. has it been approved?
    • Are all in-progress, proposed, or committed project CapEx costs backed up with reliable estimates and full project documentation?
    • Do capital project costs include the capitalizable costs of employees working on those projects, and were these amounts deducted from non-project OpEx?
    • Have you estimated the longer-term OpEx impact of your current capital projects?

    4.1 Aggregate your proposed budget numbers and stress test your forecasts

    2 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook for this activity. If you have been using it thus far, the Workbook will have calculated your numbers for you across the four views of the ITFM Cost Model on Tab 7, “Proposed Budget”, including:
      1. Forecasted non-project OpEx, non-project CapEx (including depreciation values), project CapEx, and total values.
      2. Numerical and percentage variances from the previous year.
    2. Test and finalize your forecasts by applying the questions on the previous slide.
    3. Flag cost categories where large variances from the previous year or large numbers in general appear – you will need to ensure your rationales for these variances are rigorous in the next step.
    4. Make amendments if needed to Tabs 4, “Business as Usual Forecast” and 5, “Project CapEx Forecast” in the IT Cost Forecasting and Budgeting Workbook.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutputMaterialsParticipants
    • Final drafts of all IT cost forecasts
    • A final proposed IT budget
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Case Study

    INDUSTRY: Healthcare

    SOURCE: Anonymous

    Challenge

    Solution

    Results

    A senior nursing systems director needed the CIO’s help. She wanted to get a project off the ground, but it wasn’t getting priority or funding.

    Nurses were burning out. Many were staying one to two hours late per shift to catch up on patient notes. Their EHR platform had two problematic workflows, each taking up to about 15 minutes per nurse per patient to complete. These workflows were complex, of no value, and just not getting done. She needed a few million dollars to make the fix.

    The CIO worked with the director to do the math. In only a few hours, they realized that the savings from rewriting the workflows would allow them to hire over 500 full-time nurses.

    The benefits realized would not only help reduce nurse workload and generate savings, but also increase the amount of time spent with patients and number of patients seen overall. They redid the math several times to ensure they were right.

    The senior nursing systems director presented to her peers and leadership, and eventually to the Board of Directors. The Board immediately saw the benefits and promoted the project to first on the list ahead of all other projects.

    This collaborative approach to generating project benefits statements helped the CIO gain trust and pave the way for future budgets.

    The strength of your rationales will determine how readily your budget is approved

    When proposing expenditure, you need to thoroughly consider the organization’s goals, its governance culture, and the overall feasibility of what’s being asked.

    First, recall what budgets are really about.

    The completeness, accuracy, and granularity of your numbers and thorough ROI calculations for projects are essential. They will serve you well in getting the CFO’s attention. However, the numbers will only get you halfway there. Despite what some people think, the work in setting a budget is more about the what, how, and why – that is, the rationale – than about the how much.

    Next, revisit Phase 1 of this blueprint and review:

    • Your organization’s budgeting culture and processes.
    • The typical accountabilities, priorities, challenges, opportunities, and expectations associated with your CFO, CEO, and CXO IT budget stakeholders.
    • Your budgetary mandate as the head of IT.

    Then, look at each component of your proposed budget through each of these three rationale-building lenses.

    Business goals
    What are the organization’s strategic priorities?

    Governance culture
    How constrained is the decision-making process?

    Feasibility
    Can we make it happen?

    Linking proposed spend to strategic goals isn’t just for strategic project CapEx

    Tie in your “business as usual” non-project OpEx and CapEx, as well.

    Business goals

    What are the organization’s strategic priorities?

    Context

    This is all about external factors, namely the broader economic, political, and industry contexts in which the organization operates.

    Lifecycle position

    The stage the organization is at in terms of growth, stability, or decline will drive decisions, priorities, and the ability to spend or invest.

    Opportunities

    Context and lifecycle position determine opportunities, which are often defined in terms of potential cost savings
    or ROI.

    Tie every element in your proposed budget to an organizational goal.

    Non-project OpEx

    • Remember that OpEx is what comes from the realization of past strategic goals. If that past goal is still valid, then the OpEx that keeps that goal alive is, too.
    • Business viability and continuity are often unexpressed goals. OpEx directly supports these goals.
    • Periodically apply zero-based budgeting to OpEx to re-rationalize and identify waste.

    Non-project CapEx

    • Know the impact of any business growth goals on future headcount – this is essential to rationalize laptop/desktop and other end-user hardware spend.
    • Position infrastructure equipment spend in terms of having sufficient capacity to support growth goals as well as ensuring network/system reliability and continuity.
    • Leverage depreciation schedules as backup.

    Project CapEx

    • Challenge business-driven CapEx projects if they don’t directly support stated goals.
    • Ideally, the goal-supporting rationales for software, hardware, and workforce CapEx have been laid out in an already-approved project proposal. Refer to these plans.
    • If pitching a capital project at the last minute, especially an IT-driven one, expect a “no” regardless of how well it ties to goals.

    Your governance culture will determine what you need to show and when you show it

    The rigor of your rationales is entirely driven by “how things are done around here.”

    Governance Culture

    How rigorous/ constrained
    is decision-making?

    Risk tolerance

    This is the organization’s willingness to be flexible, take chances, make change, and innovate. It is often driven by legal and regulatory mandates.

    Control

    Control manifests in the number and nature of rules and how authority and accountability are centralized or distributed in the organization.

    Speed to action

    How quickly decisions are made and executed upon is determined by the amount of consultation and number of approval steps.

    Ensure all parts of your proposed budget align with what’s tolerated and allowed.

    Non-project OpEx

    • Don’t hide OpEx. If it’s a dirty word, put it front and center to start normalizing it.
    • As with business goals, position OpEx as necessary for business continuity and risk mitigation, as well as the thing that keeps long-term strategic goals alive.
    • Focus on efficiency and cost control, both in terms of past and future initiatives, regardless of the governance culture.

    Non-project CapEx

    • Treat non-project CapEx in the same way as you would non-project OpEx.
    • IT must make purchases quickly in this area of spend, but drawn-out procurement processes can make this impossible. Consider including a separate proposal to establish a policy that gives IT the control to make end-user and network/data center equipment purchases faster and easier.

    Project CapEx

    • If your organization is risk-averse, highly centralized, or slow to act, don’t expect IT to win approval for innovative capital projects. Let the business make any pitches and have IT serve in a supporting role.
    • Capital projects are often committed to 6-12 months in advance and can’t be completed within a fiscal year. Nudge the organization toward longer-term, flexible funding.

    No matter which way your goals and culture lean, ground all your rationales in reality

    Objective, unapologetic facts are your strongest rationale-building tool.

    Feasibility

    Can we do it, and what sacrifices will we have to make?

    Funding

    The ultimate determinant of feasibility is the availability, quantity, and reliability of funding next fiscal year and over the long term to support investment.

    Capabilities

    Success hinges on both the availability and accessibility of required skills and knowledge to execute on a spend plan in the required timeframe.

    Risk

    Risk is not just about obstacles to success and what could happen if you do something – it’s also about what could happen if you do nothing at all.

    Vet every part of your proposed budget to ensure what you’re asking for is both realistic and possible.

    Non-project OpEx

    • Point out your operational waste-reduction and efficiency-gaining efforts in hard, numerical terms.
    • Clearly demonstrate that OpEx cannot be reduced without sacrifices on the business side, specifically in terms of service levels.
    • Define OpEx impacts for all CapEx proposals to ensure funding commitments include long-term maintenance and support.

    Non-project CapEx

    • This is a common source of surprise budget overage, and IT often sacrifices parts of its OpEx budget to cover it. Shed light on this problem and define IT’s boundaries.
    • A core infrastructure equipment contingency fund and a policy mandating business units pay for unbudgeted end-user tech due to unplanned or uncommunicated headcount increases are worth pursuing.

    Project CapEx

    • Be sure IT is involved with every capital project proposal that has a technological implication (which is usually all of them).
    • Specifically, IT should take on responsibility for tech vendor evaluation and negotiation. Never leave this up to the business.
    • Ensure IT gains funding for supporting any technologies acquired via a capital planning process, including hiring if necessary.

    Double-check to ensure your bases are covered

    Detailed data and information checklist:

    • I have the following data and information for each item of proposed expenditure:
    • Sponsors, owners, and/or managers from IT and the business.
    • CapEx and OpEx costs broken down by workforce (employees/contract) and vendor (software, hardware, services) at a minimum for both last fiscal year (if continuing spend) and next fiscal year to demonstrate any changes.
    • Projected annual costs for the above, extending two to five years into the future, with dates when new spending will start, known depreciations will end, and CapEx will transition to OpEx.
    • Descriptions of any tradeoffs or potential obstacles.
    • Lifespan information for new, proposed assets informing depreciation scheduling.
    • Sources of funding (especially if new, transferred, or changed).
    • Copies of any research used to inform any of the above.

    High-level rationale checklist:

    • I have done the following thinking and analysis for each item of proposed expenditure:
    • Considered it in the context of my organization’s broader operating environment and the constraints and opportunities this creates.
    • Tied it – directly or indirectly – to the achievement or sustainment of current or past (but still relevant) organizational goals.
    • Understood my organization’s tolerances, how things get done, and whether I can win any battles that I need to fight given these realities.
    • Worked with business unit leaders to fully understand their plans and how IT can support them.
    • Obtained current, verifiable data and information and have a good idea if, when, and how this information may change next year.
    • Assessed benefits, risks, dependencies, and overall feasibility, as well as created ROI statements where needed.
    • Stuck to the facts and am confident they can speak for themselves.

    For more on creating detailed business cases for projects and investments, see Info-Tech’s comprehensive blueprint, Build a Comprehensive Business Case.

    4.2 Challenge and perfect your rationales

    2 hours

    1. Based on your analysis in Phase 1, review your organization’s current and near-term business goals (context, lifecycle position, opportunities), governance culture (risk tolerance, control, speed to action), and feasibility (funding, capabilities, risk) to understand what’s possible, what’s not, and your general boundaries.
    2. Review your proposed budget in its current form and flag items that may be difficult or impossible to sell, given the above.
    3. Systematically go through each item in you proposed budget and apply the detailed data and information and high-level rationale checklists on the previous slide to ensure you have considered it from every angle and have all the information you need to defend it.
    4. Track down any additional information needed to fill gaps and fine-tune your budget based on any discoveries, including eliminating or adding elements if needed.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Final drafts of all IT cost forecasts, including rationales
    • Fully rationalized proposed IT budget for next fiscal year
    MaterialsParticipants
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Phase recap: Build your proposed budget

    You can officially say your proposed IT budget is done. Now for the communications part.

    This phase is where everything came together into a coherent budget proposal. You were able to:

    • Aggregate your numbers. This involved pulling for project and non-project CapEx and OpEx forecasts into a single proposed IT budget total.
    • Stress-test your forecasts. Here, you ensured that all your numbers were accurate and made sense.
    • Challenge and perfect your rationales. Finally, you made sure you have all your evidence in place and can defend every component in your proposed IT budget regardless of who’s looking at it.

    “Current OpEx is about supporting and aligning with past business strategies. That’s alignment. If the business wants to give up on those past business strategies, that’s up to them.”

    – Darin Stahl, Distinguished Analyst and Research Fellow, Info-Tech Research Group

    Phase 5

    Create and Deliver Your Presentation

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Planning the content you’ll include in your budget presentation.
    • Pulling together your formal presentation.
    • Presenting, finalizing, and submitting your budget.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Create and deliver your presentation

    Pull it all together into something you can show your approvers and stakeholders and win IT budgetary approval.

    This phase focuses on developing your final proposed budget presentation for delivery to your various stakeholders. Here you will:

    • Plan your final content. Decide the narrative you want to tell and select the visualizations and words you want to include in your presentation (or presentations) depending on the makeup of your target audience.
    • Build your presentation. Pull together all the key elements in a PowerPoint template in a way that best tells the IT budget story.
    • Present to stakeholders. Deliver your IT budgetary message.
    • Make final adjustments and submit your budget. Address any questions, make final changes, and deconstruct your budget into the account categories mandated by your Finance Department to plug into the budget template they’ve provided.

    “I could have put the numbers together in a week. The process of talking through what the divisions need and spending time with them is more time consuming than the budget itself.”

    – Jay Gnuse, IT Director, Chief Industries

    The content you select to present depends on your objectives and constraints

    Info-Tech classifies potential content according to three basic types: mandatory, recommended, and optional. What’s the difference?

    Mandatory: Just about every CFO or approving body will expect to see this information. Often high level in nature, it includes:

    • A review of last year’s performance.
    • A comparison of proposed budget totals to last year’s actuals.
    • A breakdown of CapEx vs. OpEx.
    • A breakdown of proposed expenditure according to traditional workforce and vendor costs.

    Recommended: This information builds on the mandatory elements, providing more depth and detail. Inclusion of recommended content depends on:

    • Availability of the information.
    • Relevance to a current strategic focus or overarching initiative in the organization.
    • Known business interest in the topic, or the topic’s ability to generate interest in IT budgetary concerns in general.

    Optional: This is very detailed information that provides alternative views and serves as reinforcement of your key messages. Consider including it if:

    • You need to bring fuller transparency to a murky IT spending situation.
    • Your audience is open to it, i.e. it wouldn’t be seen as irrelevant, wasting their time, or a cause of discord.
    • You have ample time during your presentation to dive into it.

    Deciding what to include or exclude depends 100% on your target audience. What will fulfill their basic information needs as well as increase their engagement in IT financial issues?

    Revisit your assumptions and alternative scenarios first

    These represent the contextual framework for your proposal and explain why you made the decisions you did.

    Stating your assumptions and presenting at least two alternative scenarios helps in the following ways:

    1. Identifies the factors you considered when setting budget targets and proposing specific expenditures, and shows that you know what the important factors are.
    2. Lays the logical foundation for all the rationales you will be presenting.
    3. Demonstrates that you’ve thought broadly about the future of the organization and how IT is best able to support that future organization regardless of its state and circumstances.

    Your assumptions and alternative scenarios may not appear back-to-back in your presentation, yet they’re intimately connected in that every unique scenario is based on adjustments to your core assumptions. These tweaks – and the resulting scenarios – reflect the different degrees of probability that a variable is likely to land on a certain value (i.e. an alternative assumption).

    Your primary scenario is the one you believe is most likely to happen and is represented by the complete budget you’re recommending and presenting.

    Target timeframe for presentation: 2 minutes

    Key objectives: Setting context, demonstrating breadth of thought.

    Potential content for section:

    • List of assumptions for the budget being presented (primary target scenario).
    • Two or more alternative scenarios.

    “Things get cut when the business
    doesn’t know what something is,
    doesn’t recognize it, doesn’t understand it. There needs to be an education.”

    – Angie Reynolds, Principal Research Director, ITFM Practice,
    Info-Tech Research Group,

    Select your assumptions and scenarios

    See Tabs “Planning Variables” and 9, “Alternative Scenarios” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Core assumptions

    Primary target scenario

    Alternative scenarios

    Full alternative scenario budgets

    List

    Slide

    Slide

    Budget

    Mandatory: This is a listing of both internal and external factors that are most likely to affect the challenges and opportunities your organization will have and how it can and will operate. This includes negotiable and non-negotiable internal and external constraints, stated priorities, and the expression of known risk factors.

    Mandatory: Emanating from your core assumptions, this scenario is a high-level statement of goals, initial budget targets, and proposed budget based on your core assumptions.

    Recommended: Two alternatives are typical, with one higher spend and one lower spend than your target. The state of the economy and funding availability are the assumptions usually tweaked. More radical scenarios, like the cost and implications of completely outsourcing IT, can also be explored.

    Optional: This is a lot of work, but some IT leaders do it if an alternative scenario is a strong contender or is necessary to show that a proposed direction from the business is costly or not feasible.

    The image contains screenshots of tab Planning Variables and Alternative Scenarios.

    The first major section of your presentation will be a retrospective

    Plan to kick things off with a review of last year’s results, factors that affected what transpired, and longer-term historical IT expenditure trends.

    This retrospective on IT expenditure is important for three reasons:

    1. Clarifying definitions and the different categories of IT expenditure.
    2. Showing your stakeholders how, and how well you aligned IT expenditure with business objectives.
    3. Setting stakeholder expectations about what next year’s budget will look like based on past patterns.

    You probably won’t have a lot of time for this section, so everything you select to share should pack a punch and perform double duty by introducing concepts you’ll need your stakeholders to have internalized when you present next year’s budget details.

    Target timeframe for presentation: 7 minutes

    Key objectives: Definitions, alignment, expectations-setting.

    Potential content for section:

    • Last fiscal year budgeted vs. actuals
    • Expenditure by type
    • Major capital projects completed
    • Top vendor spend
    • Drivers of last year’s expenditures and efficiencies
    • Last fiscal year in in detail (expense view, service view, business view, innovation view)
    • Expenditure trends for the past five years

    “If they don’t know the consequences of their actions, how are they ever going to change their actions?”

    – Angela Hintz, VP of PMO & Integrated Services,
    Blue Cross and Blue Shield of Louisiana

    Start at the highest level

    See Tabs 1 “Historical Events & Projects,” 3 “Historical Analysis,” and 6 “Vendor Worksheet” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Total budgeted vs. total actuals

    Graph

    Mandatory: Demonstrates the variance between what you budgeted for last year and what was actually spent. Explaining causes of variance is key.

    l actuals by expenditure type

    Graph

    Mandatory: Provides a comparative breakdown of last year’s expenditure by non-project OpEx, non-project CapEx, and project CapEx. This offers an opportunity to explain different types of IT expenditure and why they’re the relative size they are.

    Major capital projects completed

    List

    Mandatory: Illustrates progress made toward strategically important objectives.

    Top vendors

    List

    Recommended: A list of vendors that incurred the highest costs, including their relative portion of overall expenditure. These are usually business software vendors, i.e. tools your stakeholders use every day. The number of vendors shown is up to you.

    The image contains screenshots from Tabs 1, 3, and 6 of the IT Cost Forecasting and Budgeting Workbook.

    Describe drivers of costs and savings

    See Tab 1, “Historical Events & Projects” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Cost drivers

    List

    Mandatory: A list of major events, circumstances, business decisions, or non-negotiable factors that necessitated expenditure. Be sure to focus on the unplanned or unexpected situations that caused upward variance.

    Savings drivers

    List

    Mandatory: A list of key initiatives pursued, or circumstances that resulted in efficiencies or savings. Include any deferred or canceled projects.

    The image contains screenshots from Tab 1 of the IT Cost Forecasting and Budgeting Workbook.

    Also calculate and list the magnitude of costs incurred or savings realized in hard financial terms so that the full impact of these events is truly understood by your stakeholders.

    “What is that ongoing cost?
    If we brought in a new platform, what
    does that do to our operating costs?”

    – Kristen Thurber, IT Director, Office of the CIO, Donaldson Company

    End with longer-term five-year trends

    See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    IT actual expenditure
    year over year

    Graph

    Mandatory: This is crucial for showing overall IT expenditure patterns, particularly percentage changes up or down year to year, and what the drivers of those changes were.

    IT actuals as a % of organizational revenue

    Graph

    Mandatory: You need to set the stage for the proposed percentage of organizational revenue to come. The CFO will be looking for consistency and an overall decreasing pattern over time.

    IT expenditure per FTE year over year

    Graph

    Optional: This can be a powerful metric as it’s simple and easily to understand.

    The image contains screenshots from Tab 3 of the IT Cost Forecasting and Budgeting Workbook.

    The historical analysis you can do is endless. You can generate many more cuts of the data or go back even further – it’s up to you.

    Keep in mind that you won’t have a lot of time during your presentation, so stick to the high-level, high-impact graphs that demonstrate overarching trends or themes.

    Show different views of the details

    See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Budgeted vs. actuals CFO expense view

    Graph

    Mandatory: Showing different types of workforce expenditure compared to different types of vendor expenditure will be important to the CFO.

    Budgeted vs. actuals CIO services view

    Graph

    Optional: Showing the expenditure of some IT services will clarify the true total costs of delivering and supporting these services if misunderstandings exist.

    Budgeted vs. actuals CXO business view

    Graph

    Optional: A good way to show true consumption levels and the relative IT haves and have-nots. Potentially political, so consider sharing one-on-one with relevant business unit leaders instead of doing a big public reveal.

    Budgeted vs. actual CEO innovation view

    Graph

    Optional: Clarifies how much the organization is investing in innovation or growth versus keeping the lights on. Of most interest to the CEO and possibly the CFO, and good for starting conversations about how well funding is aligned with strategic directions.

    The image contains screenshots from Tab 3 of the IT Cost Forecasting and Budgeting Workbook.

    5.1a Select your retrospective content

    30 minutes

    1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
    2. From Tabs 1, “Historical Events & Projects, 3 “Historical Analysis”, and 6, “Vendor Worksheet,” select the visual outputs (graphs and lists) you plan to include in the retrospective section of your presentation. Consider the following when determining what to include or exclude:
      1. Fundamentals: Elements such as budgeted vs. actual, distribution across expenditure types, and drivers of variance are mandatory.
      2. Key clarifications: What expectations need to be set or common misunderstandings cleared up? Strategically insert visuals that introduce and explain important concepts early.
      3. Your time allowance. Plan for a maximum of seven minutes for every half hour of total presentation time.
    3. Note what you plan to include in your presentation and set aside.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Data and graphs from the completed IT Cost Forecasting and Budgeting Workbook
    • Selected content and visuals for the historical/ retrospective section of the IT Budget Executive Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Next, transition from past expenditure to your proposal for the future

    Build a logical bridge between what happened in the past to what’s coming up next year using a comparative approach and feature major highlights.

    This transitional phase between the past and the future is important for the following reasons:

    1. It illustrates any consistent patterns of IT expenditure that may exist and be relevant in the near term.
    2. It sets the stage for explaining any deviations from historical patterns that you’re about to propose.
    3. It grounds proposed IT expenditure within the context of commitments made in previous years.

    Consider this the essential core of your presentation – this is the key message and what your audience came to hear.

    Target timeframe for presentation: 10 minutes

    Key objectives: Transition, reveal proposed budget.

    Potential content for section:

    • Last year’s actuals vs. next year’s proposed.
    • Next year’s proposed budget in context of the past five years’ year-over-year actuals.
    • Last year’s actual expenditure type distribution vs. next year’s proposed budget distribution.
    • Major projects to be started next year.

    “The companies...that invest the most in IT aren’t necessarily the best performers.
    On average, the most successful small and medium companies are more frugal when it comes to
    company spend on IT (as long as they do it judiciously).”

    – Source: Techvera, 2023

    Compare next year to last year

    See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Last year’s total actuals vs. next year’s total forecast

    Proposed budget in context: Year-over-year expenditure

    Last year’s actuals vs. next year’s proposed by expenditure type

    Last year’s expenditure per FTE vs. next year’s proposed

    Graph

    Graph

    Graph

    Graph

    Mandatory: This is the most important graph for connecting the past with the future and is also the first meaningful view your audience will have of your proposed budget for next year.

    Mandatory: Here, you will continue the long-term view introduced in your historical data by adding on next year’s projections to your existing five-year historical trend. The percentage change from last year to next year will be the focus.

    Recommended: A double-comparative breakdown of last year vs. next year by non-project OpEx, non-project CapEx, and project CapEx illustrates where major events, decisions, and changes are having their impact.

    Optional: This graph is particularly useful in demonstrating the success of cost-control if the actual proposed budget is higher that the previous year but the IT cost per employee has gone down.

    The image contains screenshots from Tab 8 of the IT Cost Forecasting and Budgeting Workbook.

    Select business projects to profile

    See Tab 5, “Project CapEx Forecast” in your IT Cost Forecasting and Budgeting Workbook for the data and information to create these outputs.

    Major project profile

    Slide

    Mandatory: Focus on projects for which funding is already committed and lean toward those that are strategic or clearly support business goal attainment. How many you profile is up to you, but three to five is suggested.

    Minor project overview

    List

    Optional: List other projects on IT’s agenda to communicate the scope of IT’s project-related responsibilities and required expenditure to be successful. Include in-progress projects that will be completed next year and net-new projects on the roster.

    The image contains screenshots from Tab 5 of the IT Cost Forecasting and Budgeting Workbook.

    You can’t profile every project on the list, but it’s important that your stakeholders see their priorities clearly reflected in your budget; projects are the best way to do this.

    If you’ve successfully pre-sold your budget and partnered with business-unit leaders to define IT initiatives, your stakeholders should already be very familiar with the project summaries you put in front of them in your presentation.

    5.1b Select your transitional past-to-future content

    30 minutes

    1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
    2. From Tabs 5, “Project CapEx Forecast” and 7, “Proposed Budget Analysis”, select the visual outputs (graphs and lists) you plan to include in the transitional section of your presentation. Consider the following when determining what to include or exclude:
      1. Shift from CapEx to OpEx: If this has been a point of contention or confusion with your CFO in the past, or if your organization has actively committed to greater cloud or outsourcing intensity, you’ll want to show this year-to-year shift in expenditure type.
      2. Strategic priorities: Profile major capital projects that reflect stakeholder priorities. If your audience is already very familiar with these projects, you may be able to skip detailed profiles and simply list them.
      3. Your time allowance. Plan for a maximum of 10 minutes for every half hour of total presentation time.
    3. Note what you plan to include in your presentation and set aside.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Data and graphs from the completed IT Cost Forecasting and Budgeting Workbook
    • Selected content and visuals for the past-to-future transitional section of the IT Budget Executive Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Finally, carefully select detailed drill-downs that add clarity and depth to your proposed budget

    The graphs you select here will be specific to your audience and any particular message you need to send.

    This detailed phase of your presentation is important because it allows you to:

    1. Highlight specific areas of IT expenditure that often get buried under generalities.
    2. View your proposed budget from different perspectives that are most meaningful to your audience, such as traditional workforce vs. vendor allocations, expenditure by IT service, business-unit consumption, and the allocation of funds to innovation and growth versus daily IT operations.
    3. Get stakeholder attention. For example, laying out exactly how much money will be spent next year in support of the Sales Department compared to other units will get the VP of Sales’ attention…and everyone else’s, for that matter. This kind of transparency is invaluable for enabling meaningful conversations and thoughtful decision-making about IT spend.

    Target timeframe for presentation: 7 minutes, but this phase of the presentation may naturally segue into the final Q&A.

    Key objectives: Transparency, dialogue, buy-in.

    Potential content for section:

    • Allocation across workforce vs. vendors
    • Top vendors by expenditure
    • Allocation across on-premises vs. cloud
    • Allocation across core IT services
    • Allocation across core business units
    • Allocation across business focus area

    “A budget is a quantified version of
    your service-level agreements.”

    – Darin Stahl, Distinguished Analysis & Research Fellow,
    Info-Tech Research Group,

    Start with the expense view details

    See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Proposed budget: Workforce and vendors by expenditure type

    Graph

    Mandatory: This is the traditional CFO’s view, so definitely show it. The compelling twist here is showing it by expenditure type, i.e. non-project OpEx, non-project CapEx, and project CapEx.

    Proposed budget: Cloud vs. on-premises vendor expenditure

    Graph

    Optional: If this is a point of contention or if an active transition to cloud solutions is underway, then show it.

    Top vendors

    Graph

    Recommended: As with last year’s actuals, showing who the top vendors are slated to be next year speaks volumes to stakeholders about exactly where much of their money is going.

    If you have a diverse audience with diverse interests, be very selective – you don’t want to bore them with things they don’t care about.

    The image contains screenshots from Tab 8 of the IT Cost Forecasting and Budgeting Workbook.

    Offer choice details on the other views

    See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Proposed budget: IT services by expenditure type

    Graph

    Optional: Business unit leaders will be most interested in the application services. Proposed expenditure on security and data and BI services may be of particular interest given business priorities. Don’t linger on infrastructure spend unless chargeback is in play.

    Proposed budget: Business units by expenditure type

    Graph

    Optional: The purpose of this data is to show varying business units where they stand in terms of consumption. It may be more appropriate to show this graph in a one-on-one meeting or other context.

    Proposed budget: Business focus by expenditure type

    Graph

    Optional: The CEO will care most about this data. If they’re not in the room, then consider bypassing it and discuss it separately with the CFO.

    Inclusion of these graphs really depends on the makeup of your audience. It’s a good decision to show all of them to your CFO at some point before the formal presentation. Consider getting their advice on what to include and exclude.

    The image contains screenshots from Tab 8 of the IT Cost Forecasting and Budgeting Workbook.

    5.1c Select next year’s expenditure sub-category details

    30 minutes

    1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
    2. From Tab 8, “Proposed Budget Analysis,” select the visual outputs (graphs) you plan to include in the targeted expenditure sub-category details section of your presentation. Consider the following when determining what to include or exclude:
      1. The presence of important fence-sitters. If there are key individuals who require more convincing, this is where you show them the reality of what it costs to deliver their most business-critical IT services to them.
      2. The degree to which you’ve already gone over the numbers previously with your audience. Again, if you’ve done your pre-selling, this data may be old news and not worth going over again.
      3. Your time allowance. Plan for a maximum of seven minutes for every half hour of total presentation time.
    3. Note what you plan to include in your presentation and set aside.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Data and graphs from the completed IT Cost Forecasting and Budgeting Workbook
    • Selected content and visuals for the expenditure category details section of the IT Budget Executive Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Finalize your line-up and put your selected content into a presentation template

    This step is about nailing down the horizontal logic of the story you want to tell. Start by ordering and loading the visualizations of your budget data.

    Download Info-Tech’s IT Budget Executive Presentation Template

    The image contains a screenshot of the IT Budget Executive Presentation Template.

    If you prefer, use your own internal presentation standard template instead and Info-Tech’s template as a structural guide.

    Regardless of the template you use, Info-Tech recommends the following structure:

    1. Summary: An overview of your decision-making assumptions, initial targets given the business context, and the total proposed IT budget amount.
    2. Retrospective: An overview of previous years’ performance, with a specific focus on last fiscal year.
    3. Proposed budget overview: A high-level view of the proposed budget for next fiscal year in the context of last year’s performance (i.e. the bridge from past to future), including alternative scenarios considered and capital projects on the roster.
    4. Proposed budget details by category: Detailed views of the proposed budget by expense type, IT service, business unit, and business focus category.
    5. Next steps: Include question-and-answer and itemization of your next actions through to submitting your final budget to the CFO.

    Draft the commentary that describes and highlights your data’s key messages

    This is where the rationales that you perfected earlier come into play.

    Leave the details for the speaker’s notes.
    Remember that this is an executive presentation. Use tags, pointers, and very brief sentences in the body of the presentation itself. Avoid walls of text. You want your audience to be listening to your words, not reading a slide.

    Speak to everything that represents an increase or decrease of more than 5% or that simply looks odd.
    Being transparent is essential. Don’t hide anything. Acknowledge the elephant in the room before your audience does to quickly stop suspicious or doubtful thoughts

    Identify causes and rationales.
    This is why your numbers are as they are. However, if you’re not 100% sure what all driving factors are, don’t make them up. Also, if the line between cause and effect isn’t straight, craft in advance a very simple way of explaining it that you can offer whenever needed.

    Be neutral and objective in your language.
    You need to park strong feelings at the door. You’re presenting rational facts and thoroughly vetted recommendations. The best defense is not to be defensive, or even offensive for that matter. You don’t need to argue, plead, or apologize – let your information speak for itself and allow the audience to arrive at their own logical conclusions.

    Re-emphasize your core themes to create connections.
    If a single strategic project is driving cost increases across multiple cost categories, point it out multiple times if needed to reinforce its importance. If an increase in one area is made possible by a significant offset in another, say so to demonstrate your ongoing commitment to efficiencies. If a single event from last year will continue having cost impacts on several IT services next year, spell this out.

    5.2 Develop an executive presentation

    Duration: 2 hours

    1. Download the IT Budget Executive Presentation PowerPoint template.
    2. Open your working version of the IT Cost Forecasting and Budgeting Workbook and copy and paste your selected graphs and tables into the template. Note: Pasting as an image will preserve graph formatting.
    3. Incorporate observations and insights about your proposed budget and other analysis into the template where indicated.
    4. Conduct an internal review of the final presentation to ensure it includes all the elements you need and is error-free.

    Note: Refer to your organization’s standards and norms for executive-level presentations and either adapt the Info-Tech template accordingly or use your own.

    Download the IT Budget Executive Presentation template

    Input Output
    • Tabular and graphical data outputs in the IT Cost Forecasting and Budgeting Workbook
    • Interpretive commentary based on your analysis
    • Executive presentation summarizing your proposed IT budget
    Materials Participants
    • IT Cost Forecasting and Budgeting Workbook
    • IT Budget Executive Presentation template
    • CIO/IT Directors
    • IT Financial Lead
    • Other IT Management

    Now it’s time to present your proposed IT budget for next fiscal year

    If you’ve done your homework and pre-sold your budget, the presentation itself should be a mere formality with no surprises for anyone, including you.

    Some final advice on presenting your proposed budget…

    Partner up

    If something big in your budget is an initiative that’s for a specific business unit, let that business unit’s leader be the face of it and have IT play the role of supporting partner.

    Use your champions

    Let your advocates know in advance that you’d appreciate hearing their voice during the presentation if you encounter any pushback, or just to reinforce your main messages.

    Focus on the CFO

    The CFO is the most important stakeholder in the room at the end of the day, even more than the CEO in some cases. Their interests should take priority if you’re pressed for time.

    Avoid judgment

    Let the numbers speak for themselves. Do point out highlights and areas of interest but hold off on offering emotion-driven opinions. Let your audience draw their own conclusions.

    Solicit questions

    You do want dialogue. However, keep your answers short and to the point. What does come up in discussion is a good indication of where you’ll need to spend more time in the future.

    The only other thing that can boost your chances is if you’re lucky enough to be scheduled to present between 10:00 and 11:00 on a Thursday morning when people are most agreeable. Beyond that, apply the standard rules of good presentations to optimize your success.

    Your presentation is done – now re-focus on budget finalization and submission

    This final stage tends to be very administrative. Follow the rules and get it done.

    • Incorporate feedback: Follow up on comments from your first presentation and reflect them in your budget if appropriate. This may include:
      • Having follow-up conversations with stakeholders.
      • Further clarifying the ROI projections or business benefits.
      • Adjusting proposed expenditure amounts based on new information or a shift in priorities.
      • Adding details or increasing granularity around specific issues of interest.
    • Trim: Almost every business unit leader will need to make cuts to their initial budget proposal. After all, the CFO has a finite pool of money to allocate. If all’s gone well, it may only be a few percent. Resurrect your less-costly alternative scenario and selectively apply the options you laid out there. Focus on downsizing or deferring capital projects if possible. If you must trim OpEx, remind the CFO about any service-level adjustments that will need to happen to make the less expensive alternatives work.
    • Re-present: It’s not unusual to have to present your budget one more time after you’ve made your adjustments. In some organizations, the first presentation is to an internal executive group while the second one is to a governing board. The same rules apply to this second presentation as to your first one.
    • Submit: Slot your final budget into the list of accounts prescribed in the budget template provided by Finance. These templates often don’t align with IT’s budget categories, but you’ll have to make do.

    Phase recap: Create and deliver your presentation

    You’ve reached the end of the budget creation and approval process. Now you can refocus on using your budget as a living governance tool.

    This phase focused on developing your final proposed budget presentation for delivery to your various stakeholders. Here, you:

    • Planned your final content. You selected the data and visuals to include and highlight.
    • Built your presentation. You pulled everything together into a PowerPoint template and crafted commentary to tell a cohesive IT budget story.
    • Presented to stakeholders. You delivered your proposed IT budget and solicited their comments and feedback.
    • Made final adjustments and submitted your budget. You applied final tweaks, deconstructed your budget to fit Finance’s template, and submitted it for entry into Finance’s system.

    “Everyone understands that there’s never enough money. The challenge is prioritizing the right work and funding it.”

    – Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

    Next Steps

    “Keep that conversation going throughout the year so that at budgeting time no one is surprised…Make sure that you’re telling your story all year long and keep track of that story.”

    – Angela Hintz, VP of PMO & Integrated Services,
    Blue Cross and Blue Shield of Louisiana

    This final section will provide you with:

    • An overall summary of accomplishment.
    • Recommended next steps.
    • A list of contributors to this research.
    • Some related Info-Tech resources.

    Summary of Accomplishment

    You’ve successfully created a transparent IT budget and gotten it approved.

    By following the phases and steps in this blueprint, you have:

    1. Learned more about what an IT budget does and what it means to your key stakeholders.
    2. Assembled your budgeting team and critical data needed for forecasting and budgeting, as well as set expenditure goals for next fiscal year, and metrics for improving the budgeting process overall.
    3. Forecasted your project and non-project CapEx and OpEx for next fiscal year and beyond.
    4. Fine-tuned your proposed expenditure rationales.
    5. Crafted and delivered an executive presentation and got your budget approved.

    What’s next?

    Use your approved budget as an ongoing IT financial management governance tool and track your budget process improvement metrics.

    If you would like additional support, have our analysts guide you through an Info-Tech full-service engagement or Guided Implementation.

    Contact your account representative for more information.

    1-888-670-8889

    Research Contributors and Experts

    Monica Braun

    Research Director, ITFM Practice

    Info-Tech Research Group

    Carol Carr

    Technical Counselor (Finance)

    Info-Tech Research Group

    Larry Clark

    Executive Counselor

    Info-Tech Research Group

    Duane Cooney

    Executive Counselor

    Info-Tech Research Group

    Lynn Fyhrlund

    Former Chief Information Officer

    Milwaukee County

    Jay Gnuse

    Information Technology Director

    Chief Industries

    Trisha Goya

    Director, IS Client Services

    Hawaii Medical Service Association

    Angela Hintz

    VP of PMO & Integrated Services

    Blue Cross and Blue Shield of Louisiana

    Rick Hopfer

    Chief Information Officer

    Hawaii Medical Service Association

    Theresa Hughes

    Executive Counselor

    Info-Tech Research Group

    Research Contributors and Experts

    Dave Kish

    Practice Lead, IT Financial Management Practice

    Info-Tech Research Group

    Matt Johnson

    IT Director Governance and Business Solutions

    Milwaukee County

    Titus Moore

    Executive Counselor

    Info-Tech Research Group

    Angie Reynolds

    Principal Research Director, IT Financial Management Practice

    Info-Tech Research Group

    Mark Roman

    Managing Partner, Executive Services

    Info-Tech Research Group

    Darin Stahl

    Distinguished Analyst & Research Fellow

    Info-Tech Research Group

    Miguel Suarez

    Head of Technology

    Seguros Monterrey New York Life

    Kristen Thurber

    IT Director, Office of the CIO

    Donaldson Company

    Related Info-Tech Research & Services

    Achieve IT Spend & Staffing Transparency

    • IT spend has increased in volume and complexity, but how IT spend decisions are made has not kept pace.
    • Lay a foundation for meaningful conversations and informed decision making around IT spend by transparently mapping exactly where IT funds are really going.

    IT Spend & Staffing Benchmarking Service

    • Is a do-it-yourself approach to achieving spend transparency too onerous? Let Info-Tech do the heavy lifting for you.
    • Using Info-Tech’s ITFM Cost Model, our analysts will map your IT expenditure to four different stakeholder views – CFO Expense View, CIO Service View, CXO Business View, and CEO Innovation View – so that you clearly show where expenditure is going in terms that stakeholders can relate to and better demonstrate IT’s value to the business.
    • Get a full report that shows how your spend is allocated plus benchmarks that compare your results to those of your industry peers.

    Build Your IT Cost Optimization Roadmap

    • Cost optimization is usually thought about in terms of cuts, when it’s really about optimizing IT’s cost-to-value ratio.
    • Develop a cost-optimization strategy based on your organization’s circumstances and timeline focused on four key areas of IT expenditure: assets, vendors, projects, and workforce.

    Bibliography

    “How Much Should a Company Spend on IT?” Techvera, no date. Accessed 3 Mar. 2023.
    “State of the CIO Study 2023.” Foundry, 25 Jan. 2023. Accessed 3 Mar. 2023.
    Aberdeen Strategy & Research. “The State of IT 2023.” Spiceworks. Ziff Davis, 2022. Accessed 28 Feb. 2023.
    Ainsworth, Paul. “Responsibilities of the Modern CFO - A Function in Transition.” TopTal, LLC., no date. Accessed 15 Feb. 2023.
    Balasaygun, Kaitlin. “For the first time in a long time, CFOs can say no to tech spending.” CNBC CFO Council, 19 Jan. 2023. Accessed 17 Feb. 2023.
    Bashir, Ahmad. “Objectives of Capital Budgeting and factors affecting Capital Budget Decisions.” LinkedIn, 27 May 2017. Accessed 14 Apr. 2023.
    Blackmon, Kris. “Building a Data-Driven Budget Pitch the C-Suite Can't Refuse.” NetSuite Brainyard, 21 Sep. 2021. Accessed 17 Feb. 2023
    Butcher, Daniel. “CFO to CFO: Budgeting to Fund Strategic Plans.” Strategic Finance Magazine/Institute of Management Accountants, 1 Dec. 2021. Accessed 17 Feb. 2023
    Gray, Patrick. “IT Budgeting: A Cheat Sheet.” TechRepublic, 29 Jul. 2020. Accessed 28 Feb. 2023.
    Greenbaum, David. “Budget vs. Actuals: Budget Variance Analysis & Guide.” OnPlan, 15 Mar. 2022. Accessed 22 Mar. 2023.
    Huber, Michael and Joan Rundle. “How to Budget for IT Like a CFO.” Huber & Associates, no date. Accessed 15 Feb. 2023.
    Kinney, Tara. “Executing Your Department Budget Like a CFO.” Atomic Revenue, LLC., no date. Accessed 15 Feb. 2023.
    Lafley, A.G. “What Only the CFO Can Do.” Harvard Business Review, May 2009. Accessed 15 Mar. 2009.
    Moore, Peter D. “IN THE DIGITAL WORLD, IT should be run as a profit center, not a cost center.” Wild Oak Enterprise, 26 Feb. 2020. Accessed 3 Mar. 2023.
    Nordmeyer, Bille. “What Factors Are Going to Influence Your Budgeting Decisions?” bizfluent, 8 May 2019. Accessed 14 Apr. 2023
    Ryan, Vincent. “IT Spending and 2023 Budgets Under Close Scrutiny.” CFO, 5 Dec. 2022. Accessed 3 Mar. 2023.
    Stackpole, Beth. “State of the CIO, 2022: Focus turns to IT fundamentals.” CIO Magazine, 21 Mar. 2022. Accessed 3 Mar. 2023.

    Build a Data Integration Strategy

    • Buy Link or Shortcode: {j2store}125|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $11,677 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Enterprise Integration
    • Parent Category Link: /enterprise-integration
    • As organizations process more information at faster rates, there is increased pressure for faster and more efficient data integration.
    • Data integration is becoming more and more critical for downstream functions of data management and for business operations to be successful. Poor integration holds back these critical functions.

    Our Advice

    Critical Insight

    • Every IT project requires data integration. Regardless of the current problem and the solution being implemented, any change in the application and database ecosystem requires you to solve a data integration problem.
    • Data integration problem solving needs to start with business activity. After understanding the business activity, move to application and system integration to drive the optimal data integration activities.
    • Data integration improvement needs to be backed by solid requirements that depend on the use case. Info-Tech’s use cases will help you identify your organization’s requirements and integration architecture for its ideal data integration solution.

    Impact and Result

    • Create a data integration solution that supports the flow of data through the organization and meets the organization’s requirements for data latency, availability, and relevancy.
    • Build your data integration practice with a firm foundation in governance and reference architecture; use best-fit reference architecture patterns and the related technology and resources to ensure that your process is scalable and sustainable.
    • The business’ uses of data are constantly changing and evolving, and as a result, the integration processes that ensure data availability must be frequently reviewed and repositioned in order to continue to grow with the business.

    Build a Data Integration Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should improve its data integration, review Info-Tech’s methodology, and understand how we can help you create a loosely coupled integration architecture.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Collect integration requirements

    Identify data integration pains and needs and use them to collect effective business requirements for the integration solution.

    • Break Down Data Silos With a Data-Centric Integration Strategy – Phase 1: Collect Integration Requirements
    • Data Integration Requirements Gathering Tool

    2. Analyze integration requirements

    Determine technical requirements for the integration solution based on the business requirement inputs.

    • Break Down Data Silos With a Data-Centric Integration Strategy – Phase 2: Analyze Integration Requirements
    • Data Integration Trends Presentation
    • Data Integration Pattern Selection Tool

    3. Design the data-centric integration solution

    Determine your need for a data integration proof of concept, and then design the data model for your integration solution.

    • Break Down Data Silos With a Data-Centric Integration Strategy – Phase 3: Design the Data-Centric Integration Solution
    • Data Integration POC Template
    • Data Integration Mapping Tool
    [infographic]

    Workshop: Build a Data Integration Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Collect Integration Requirements

    The Purpose

    Explain approach and value proposition.

    Review the common business drivers and how the organization is driving a need to optimize data integration.

    Understand Info-Tech’s approach to data integration.

    Key Benefits Achieved

    Current integration architecture is understood.

    Priorities for tactical initiatives in the data architecture practice related to integration are identified.

    Target state for data integration is defined.

    Activities

    1.1 Discuss the current data integration environment and the pains that are felt by the business and IT.

    1.2 Determine what the problem statement and business case look like to kick-start a data integration improvement initiative.

    1.3 Understand data integration requirements from the business.

    Outputs

    Data Integration Requirements Gathering Tool

    2 Analyze Integration Requirements

    The Purpose

    Understand what the business requires from the integration solution.

    Identify the common technical requirements and how they relate to business requirements.

    Review the trends in data integration to take advantage of new technologies.

    Brainstorm how the data integration trends can fit within your environment.

    Key Benefits Achieved

    Business-aligned requirements gathered for the integration solution.

    Activities

    2.1 Understand what the business requires from the integration solution.

    2.2 Identify the common technical requirements and how they relate to business requirements.

    Outputs

    Data Integration Requirements Gathering Tool

    Data Integration Trends Presentation

    3 Design the Data-Centric Integration Solution

    The Purpose

    Learn about the various integration patterns that support organizations’ data integration architecture.

    Determine the pattern that best fits within your environment.

    Key Benefits Achieved

    Improvement initiatives are defined.

    Improvement initiatives are evaluated and prioritized to develop an improvement strategy.

    A roadmap is defined to depict when and how to tackle the improvement initiatives.

    Activities

    3.1 Learn about the various integration patterns that support organizations’ data integration architecture.

    3.2 Determine the pattern that best fits within your environment.

    Outputs

    Integration Reference Architecture Patterns

    Data Integration POC Template

    Data Integration Mapping Tool

    Further reading

    Build a Data Integration Strategy

    Integrate your data or disintegrate your business.

    ANALYST PERSPECTIVE

    Integrate your data or disintegrate your business.

    "Point-to-point integration is an evil that builds up overtime due to ongoing business changes and a lack of integration strategy. At the same time most businesses are demanding consistent, timely, and high-quality data to fuel business processes and decision making.

    A good recipe for successful data integration is to discover the common data elements to share across the business by establishing an integration platform and a canonical data model.

    Place yourself in one of our use cases and see how you fit into a common framework to simplify your problem and build a data-centric integration environment to eliminate your data silos."

    Rajesh Parab, Director, Research & Advisory Services

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • Data engineers feeling the pains of poor integration from inaccuracies and inefficiencies during the data integration lifecycle.
    • Business analysts communicating the need for improved integration of data.
    • Data architects looking to design and facilitate improvements in the holistic data environment.
    • Data architects putting high-level architectural design changes into action.

    This Research Will Also Assist:

    • CIOs concerned with the costs, benefits, and the overall structure of their organization’s data flow.
    • Enterprise architects trying to understand how improved integration will affect overall organizational architecture.

    This Research Will Help You:

    • Understand what integration is, and how it fits into your organization.
    • Identify opportunities for leveraging improved integration for data-driven insights.
    • Design a loosely coupled integration architecture that is flexible to changing needs.
    • Determine the needs of the business for integration and design solutions for the gaps that fit the requirements.

    This Research Will Help Them:

    • Get a handle on the current data situation and how data interacts within the organization.
    • Understand how data architecture affects operations within the enterprise.

    Executive summary

    Situation

    • As organizations process more information at faster rates, there is increased pressure for faster and more efficient data integration.
    • Data integration is becoming more and more critical for downstream functions of data management and for business operations to be successful. Poor integration holds back these critical functions.

    Complication

    • Investments in integration can be a tough sell for the business, and it is difficult to get support for integration as a standalone project.
    • Evolving business models and uses of data are growing rapidly at rates that often exceed the investment in data management and integration tools. As a result, there is often a gap between data availability and the business’ latency demands.

    Resolution

    • Create a data-centric integration solution that supports the flow of data through the organization and meets the organization’s requirements for data accuracy, relevance, availability, and timeliness.
    • Build your data-centric integration practice with a firm foundation in governance and reference architecture; use best-fit reference architecture patterns and the related technology and resources to ensure that your process is scalable and sustainable.
    • The business’ uses of data are constantly changing and evolving, and as a result the integration processes that ensure data availability must be frequently reviewed and repositioned to continue to grow with the business.

    Info-Tech Insight

    1. Every IT project requires data integration.Any change in the application and database ecosystem requires you to solve a data integration problem.
    2. Integration problem solving needs to start with business activity. After understanding the business activity, move to application and system integration to drive optimal data integration activities.
    3. Integration initiatives need to be backed by requirements that depend on use cases. Info-Tech’s use cases will help identify organizational requirements and the ideal data-centric integration solution.

    Your data is the foundation of your organization’s knowledge and ability to make decisions

    Integrate the Data, Not the Applications

    Data is one of the most important assets in a modern organization. Contained within an organization’s data are the customers, the products, and the operational details that make an organization function. Every organization has data, and this data might serve the needs of the business today.

    However, the only constant in the world is change. Changes in addresses, amounts, product details, partners, and more occur at a rapid rate. If your data is isolated, it will quickly become stale. Getting up-to-date data to the right place at the right time is where data-centric integration comes in.

    "Data is the new oil." – Clive Humby, Chief Data Scientist Source: Medium, 2016

    The image shows two graphics. The top shows two sets of circles with an arrow pointing to the right between them: on the left, there is a large centre circle with the word APP in it, and smaller circles surrounding it that read DATA. On the right, the large circle reads DATA, and the smaller circles, APP. On the lower graphic, there are also two sets of circles, with an arrow pointing to the right between them. This time, the largest circle envelopes the smaller circles. The circle on the right has a larger circle in the centre that reads Apple Watch Heart Monitoring App, and smaller circles around it labelled with types of data. The circle on the right contains a larger circle in the centre that reads Heart Data, and the smaller circles are labelled with types of apps.

    Organizations are having trouble keeping up with the rapid increases in data growth and complexity

    To keep up with increasing business demands and profitability targets and decreasing cost targets, organizations are processing and exchanging more data than ever before.

    To get more value from their information, organizations are relying on more and more complex data sources. These diverse data sources have to be properly integrated to unlock the full potential of your data:

    The most difficult integration problems are caused by semantic heterogeneity (Database Research Technology Group, n.d.).

    80% of business decisions are made using unstructured data (Concept Searching, 2015).

    85% of businesses are struggling to implement the correct integration solution to accurately interpret their data (KPMG, 2014).

    Break Down Your Silos

    Integrating large volumes of data from the many varied sources in an organization has incredible potential to yield insights, but many organizations struggle with creating the right structure for that blending to take place, and data silos form.

    Data-centric integration capabilities can break down organizational silos. Once data silos are removed and all the information that is relevant to a given problem is available, problems with operational and transactional efficiencies can be solved, and value from business intelligence (BI) and analytics can be fully realized.

    Data-centric integration is the solution you need to bring data together to break down data silos

    On one hand…

    Data has massive potential to bring insight to an organization when combined and analyzed in creative ways.

    On the other hand…

    It is difficult to bring data together from different sources to generate insights and prevent stale data.

    How can these two ideas be reconciled?

    Answer: Info-Tech’s Data Integration Onion Framework summarizes an organization’s data environment at a conceptual level, and is used to design a common data-centric integration environment.

    Info-Tech’s Data Integration Onion Framework

    The image shows Info Tech's Data Integration Onion Framework. It is a circular graphic, with a series on concentric rings, each representing a category and containing specific examples of items within those categories.

    Poor integration will lead to problems felt by the business and IT

    The following are pains reported by the business due to poor integration:

    59% Of managers said they experience missing data every day due to poor distribution results in data sets that are valuable to their central work functions. (Experian, 2016)

    42% Reported accidentally using the wrong information, at least once a week. (Computerworld, 2017)

    37% Of the 85% of companies trying to be more data driven, only 37% achieved their goal. (Information Age, 2019)

    "I never guess. It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." – Sir Arthur Conan Doyle, Sherlock Holmes

    Poor integration can make IT less efficient as well:

    90% Of all company generated data is “dark.” Getting value out of dark data is not difficult or costly. (Deloitte Insights, 2017)

    5% As data sits in a database, up to 5% of customer data changes per month. (Data.com, 2016)

    "Most traditional machine learning techniques are not inherently efficient or scalable enough to handle the data. Machine learning needs to reinvent itself for big data processing primarily in pre-processing of data." – J. Qiu et al., ‎2016

    Understand the common challenges of integration to avoid the pains

    There are three types of challenges that organizations face when integrating data:

    1. Disconnect from the business

    Poor understanding of the integration problem and requirements lead to integrations being built that are not effective for quality data.

    50% of project rework is attributable to problems with requirements. (Info-Tech Research Group)

    45% of IT professionals admit to being “fuzzy” about the details of a project’s business objectives. (Blueprint Software Systems Inc., 2012)

    2. Lack of strategy

    90% Of organizations will lack an integration strategy through to 2018. (Virtual Logistics, 2017)

    Integrating data without a long-term plan is a recipe for point-to-point integration spaghettification:

    The image shows two columns of rectangles, each with the word Application Services. Between them are arrows, matching boxes in one column to the other. The lines of the arrows are curvy.

    3. Data complexity

    Data architects and other data professionals are increasingly expected to be able to connect data using whatever interface is provided, at any volume, and in any format – all without affecting the quality of the data.

    36% Of developers report problems integrating data due to different standards interpretations. (DZone, 2015)

    These challenges lead to organizations building a data architecture and integration environment that is tightly coupled.

    A loose coupling integration strategy helps mitigate the challenges and realize the benefits of well-connected data

    Loose Coupling

    Most organizations don’t have the foresight to design their architecture correctly the first time. In a perfect world, organizations would design their application and data architecture to be scalable, modular, and format-neutral – like building blocks.

    Benefits of a loosely coupled architecture:

    • Increased ability to support business needs by adapting easily to changes.
    • Added ability to incorporate new vendors and new technology due to increased flexibility.
    • Potential for automated, real-time integration.
    • Elimination of re-keying/manual entry of data.
    • Federation of data.

    Vs. Tight Coupling

    However, this is rarely the case. Most architectures are more like a brick wall – permanent, hard to add to and subtract from, and susceptible to weathering.

    Problems with a tightly coupled architecture:

    • Delays in combining data for analysis.
    • Manual/Suboptimal DI in the face of changing business needs.
    • Lack of federation.
    • Lack of flexibility.
    • Fragility of integrated platforms.
    • Limited ability to explore new functionalities.

    Key Metrics for Every CIO

    • Buy Link or Shortcode: {j2store}119|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • As a CIO, you are inundated with data and information about how your IT organization is performing based on the various IT metrics that exist.
    • The information we receive from metrics is often just that – information. Rarely is it used as a tool to drive the organization forward.
    • CIO metrics need to consider the goals of key stakeholders in the organization.

    Our Advice

    Critical Insight

    • The top metrics for CIOs don’t have anything to do with IT.
    • CIOs should measure and monitor metrics that have a direct impact on the business.
    • Be intentional with the metric and number of metrics that you monitor on a regular basis.
    • Be transparent with your stakeholders on what and why you are measuring those specific metrics.

    Impact and Result

    • Measure fewer metrics, but measure those that will have a significant impact on how your deliver value to your organization.
    • Focus on the metrics that you can take action against, rather than simply monitor.
    • Ensure your metrics tie to your top priorities as a CIO.

    Key Metrics for Every CIO Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Key Metrics for Every CIO deck – The top metrics every CIO should measure and act on

    Leverage the top metrics for every CIO to help focus your attention and provide insight into actionable steps.

    • Key Metrics for Every CIO Storyboard
    [infographic]

    Further reading

    Key Metrics for Every CIO

    The top six metrics for CIOs – and they have very little to do with IT

    Analyst Perspective

    Measure with intention

    Be the strategic CIO who monitors the right metrics relevant to their priorities – regardless of industry or organization. When CIOs provide a laundry list of metrics they are consistently measuring and monitoring, it demonstrates a few things.

    First, they are probably measuring more metrics than they truly care about or could action. These “standardized” metrics become something measured out of expectation, not intention; therefore, they lose their meaning and value to you as a CIO. Stop spending time on these metrics you will be unable or unwilling to address.

    Secondly, it indicates a lack of trust in the IT leadership team, who can and should be monitoring these commonplace operational measures. An empowered IT leader will understand the responsibility they have to inform the CIO should a metric be derailing from the desired outcome.

    Photo of Brittany Lutes, Senior Research Analyst, Organizational Transformation Practice, Info-Tech Research Group. Brittany Lutes
    Senior Research Analyst
    Organizational Transformation Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    CIOs need to measure a set of specific metrics that:

    • Will support the organization’s vision, their career, and the IT function all in one.
    • Can be used as a tool to make informed decisions and take appropriate actions that will improve the IT function’s ability to deliver value.
    • Consider the influence of critical stakeholders, especially the end customer.
    • Are easily measured at any point in time.
    Common Obstacles

    CIOs often cannot define these metrics because:

    • We confuse the operational metrics IT leaders need to monitor with strategic metrics CIOs need to monitor.
    • Previously monitored metrics did not deliver value.
    • It is hard to decide on a metric that will prove both insightful and easily measurable.
    • We measure metrics without any method or insight on how to take actionable steps forward.
    Info-Tech’s Approach

    For every CIO, there are six areas that should be a focus, no matter your organization or industry. These six priorities will inform the metrics worth measuring:

    • Risk management
    • Delivering on business objectives
    • Customer satisfaction
    • Employee engagement
    • Business leadership relations
    • Managing to a budget

    Info-Tech Insight

    The top metrics for a CIO to measure and monitor have very little to do with IT and everything to do with ensuring the success of the business.

    Your challenge

    CIOs are not using metrics as a personal tool to advance the organization:
    • Metrics should be used as a tool by the CIO to help inform the future actions that will be taken to reach the organization’s strategic vision.
    • As a CIO, you need to have a defined set of metrics that will support your career, the organization, and the IT function you are accountable for.
    • CIO metrics must consider the most important stakeholders across the entire ecosystem of the organization – especially the end customer.
    • The metrics for a CIO are distinctly different from the metrics you use to measure the operational effectiveness of the different IT functions.
    “CIOs are businesspeople first and technology people second.” (Myles Suer, Source: CIO, 2019.)

    Common obstacles

    These barriers make this challenge difficult to address for many CIOs:
    • CIOs often do not measure metrics because they are not aware of what should or needs to be measured.
    • As a result of not wanting to measure the wrong thing, CIOs can often choose to measure nothing at all.
    • Or they get too focused on the operational metrics of their IT organization, leaving the strategic business metrics forgotten.
    • Moreover, narrowing the number of metrics that are being measured down to an actionable number is very difficult.
    • We rely only on physical data sets to help inform the measurements, not considering the qualitative feedback received.
    CIO priorities are business priorities

    46% of CIOs are transforming operations, focused on customer experiences and employee productivity. (Source: Foundry, 2022.)

    Finances (41.3%) and customers (28.1%) remain the top two focuses for CIOs when measuring IT effectiveness. All other focuses combine for the remaining 30.6%. (Source: Journal of Informational Technology Management, 2018.)

    Info-Tech’s approach

    Organizational goals inform CIO metrics

    Diagram with 'CIO Metrics' at the center surrounded by 'Directive Goals', 'Product/Service Goals', 'IT Goals', and 'Operations Goals', each of which are connected to eachother by 'Customers'.

    The Info-Tech difference:
    1. Every CIO has the same set of priorities regardless of their organization or industry given that these metrics are influenced by similar goals of organizations.
    2. CIO metrics are a tool to help inform the actions that will support each core area in reaching their desired goals.
    3. Be mindful of the goals different business units are using to reach the organization’s strategic vision – this includes your own IT goals.
    4. Directly or indirectly, you will always influence the ability to acquire and retain customers for the organization.

    CIO priorities

    MANAGING TO A BUDGET
    Reducing operational costs and increasing strategic IT spend.
    Table centerpiece for CIO Priorities. DELIVERING ON BUSINESS OBJECTIVES
    Aligning IT initiatives to the vision of the organization.
    CUSTOMER SATISFACTION
    Directly and indirectly impacting customer experience.
    EMPLOYEE ENGAGEMENT
    Creating an IT workforce of engaged and purpose-driven people.
    RISK MANAGEMENT
    Actively knowing and mitigating threats to the organization.
    BUSINESS LEADERSHIP RELATONS
    Establishing a network of influential business leaders.

    High-level process flow

    How do we use the CIO metrics?
    Process flow that starts at 'Consider - Identify and analyze CIO priorities', and is followed by 'Select priorities - Identify the top priorities for CIOs (see previous slide)', 'Create a measure - Determine a measure that aligns to each priority', 'Make changes & improvements - Take action to improve the measure and reach the goal you are trying to achieve', 'Demonstrate progress - Use the metrics to demonstrate progress against priorities'. Using priority-based metrics allows you to make incremental improvements that can be measured and reported on, which makes program maturation a natural process.

    Example CIO dashboard

    Example CIO dashboard.
    * Arrow indicates month-over-month trend

    Harness the value of metric data

    Metrics are rarely used accurately as a tool
    • When you have good metrics, you can:
      • Ensure employees are focused on the priorities of the organization
      • Have insight to make better decisions
      • Communicate with the business using language that resonates with each stakeholder
      • Increase the performance of your IT function
      • Continually adapt to meet changing business demands
    • Metrics are tools that quantifiably indicate whether a goal is on track to being achieved (proactive) or if the goal was successfully achieved (retroactive)
    • This is often reflected through two metric types:
      • Leading Metrics: The metric indicates if there are actions that should be taken in the process of achieving a desired outcome.
      • Lagging Metrics: Based on the desired outcome, the metric can indicate where there were successes or failures that supported or prevented the outcome from being achieved.
    • Use the data from the metrics to inform your actions. Do not collect this data if your intent is simply to know the data point. You must be willing to act.
    "The way to make a metric successful is by understanding why you are measuring it." (Jeff Neyland CIO)

    CIOs measure strategic business metrics

    Keep the IT leadership accountable for operational metrics
    • Leveraging the IT leadership team, empower and hold each leader accountable for the operational metrics specific to their functional area
    • As a CIO, focus on the metrics that are going to impact the business. These are often tied to people or stakeholders:
      • The customers who will purchase the product or service
      • The decision makers who will fund IT initiatives
      • The champions of IT value
      • The IT employees who will be driven to succeed
      • The owner of an IT risk event
    • By focusing on these priority areas, you can regularly monitor aspects that will have major business impacts – and be able to address those impacts.
    As a CIO, avoid spending time on operational metrics such as:
    • Time to deliver
    • Time to resolve
    • Project delivery (scope, time, money)
    • Application usage
    • User experiences
    • SLAs
    • Uptime/downtime
    • Resource costs
    • Ticket resolution
    • Number of phishing attempts
    Info-Tech Insight

    While operational metrics are important to your organization, IT leaders should be empowered and responsible for their management.

    SECTION 1

    Actively Managing IT Risks

    Actively manage IT risks

    The impact of IT risks to your organization cannot be ignored any further
    • Few individuals in an organization understand IT risks and can proactively plan for the prevention of those threats, making the CIO the responsible and accountable individual when it comes to IT risks – especially the components that tie into cybersecurity.
    • When the negative impacts of an IT threat event are translated into terms that can be understood and actioned by all in the organization, it increases the likelihood of receiving the sponsorship and funding support necessary.
    • Moreover, risk management can be used as a tool to drive the organization toward its vision state, enabling informed risk decisions.

    Risk management metric:

    Number of critical IT threats that were detected and prevented before impact to the organization.

    Beyond risk prevention
    Organizations that have a clear risk tolerance can use their risk assessments to better inform their decisions.
    Specifically, taking risks that could lead to a high return on investment or other key organizational drivers.

    Protect the organization from more than just cyber threats

    Other risk-related metrics:
    • Percentage of IT risks integrated into the organization’s risk management approach.
    • Number of risk management incidents that were not identified by your organization (and the potential financial impact of those risks).
    • Business satisfaction with IT actions to reduce impact of negative IT risk events.
    • Number of redundant systems removed from the organizations portfolio.
    Action steps to take:
    • Create a risk-aware culture, not just with IT folks. The entire organization needs to understand how IT risks are preventable.
    • Clearly demonstrate the financial and reputational impact of potential IT risks and ensure that this is communicated with decision-makers in the organization.
    • Have a single source of truth to document possible risk events and report prevention tactics to minimize the impact of risks.
    • Use this information to recommend budget changes and help make risk-informed decisions.

    49%

    Investing in Risk

    Heads of IT “cited increasing cybersecurity protections as the top business initiative driving IT investments this year” (Source: Foundry, 2022.)

    SECTION 2

    Delivering on Business Objectives

    Delivering on business objectives

    Deliver on initiatives that bring value to your organization and stop benchmarking
    • CIOs often want to know how they are performing in comparison to their competitors (aka where do you compare in the benchmarking?)
    • While this is a nice to know, it adds zero value in demonstrating that you understand your business, let alone the goals of your business
    • Every organization will have a different set of goals it is striving toward, despite being in the same industry, sector, or market.
    • Measuring your performance against the objectives of the organization prevents CIOs from being more technical than it would do them good.

    Business Objective Alignment Metric:

    Percentage of IT metrics have a direct line of impact to the business goals

    Stop using benchmarks to validate yourself against other organizations. Benchmarking does not provide:
    • Insight into how well that organization performed against their goals.
    • That other organizations goals are likely very different from your own organization's goals.
    • It often aggregates the scores so much; good and bad performers stop being clearly identified.

    Provide a clear line of sight from IT metrics to business goals

    Other business alignment metrics:
    • Number of IT initiatives that have a significant impact on the success of the organization's goals.
    • Number of IT initiatives that exceed the expected value.
    • Positive impact ($) of IT initiatives on driving business innovation.
    Action steps to take:
    • Establish a library or dashboard of all the metrics you are currently measuring as an IT organization, and align each of them to one or more of the business objectives your organization has.
    • Leverage the members of the organization’s executive team to validate they understand how your metric ties to the business objective.
    • Any metric that does not have a clear line of sight should be reconsidered.
    • IT metrics should continue to speak in business terms, not IT terms.

    50%

    CIOs drive the business

    The percentage of CEOs that recognize the CIO as the main driver of the business strategy in the next 2-3 years. (Source: Deloitte, 2020.)

    SECTION 3

    Impact on Customer Satisfaction

    Influencing end-customer satisfaction

    Directly or indirectly, IT influences how satisfied the customer is with their product or service
    • Now more than ever before, IT can positively influence the end-customer’s satisfaction with the product or service they purchase.
    • From operational redundancies to the customer’s interaction with the organization, IT can and should be positively impacting the customer experience.
    • IT leaders who take an interest in the customer demonstrate that they are business-focused individuals and understand the intention of what the organization is seeking to achieve.
    • With the CIO role becoming a strategic one, understanding why a customer would or would not purchase your organization’s product or service stops being a “nice to have.”

    Customer satisfaction metric:

    What is the positive impact ($ or %) of IT initiatives on customer satisfaction?

    Info-Tech Insight

    Be the one to suggest new IT initiatives that will impact the customer experience – stop waiting for other business leaders to make the recommendation.

    Enhance the end-customer experience with I&T

    Other customer satisfaction metrics:
    • Amount of time CIO spends interacting directly with customers.
    • Customer retention rate.
    • Customer attraction rate.
    Action steps to take:
    • Identify the core IT capabilities that support customer experience. Automation? Mobile application? Personal information secured?
    • Suggest an IT-supported or-led initiative that will enhance the customer experience and meet the business goals. Retention? Acquisition? Growth in spend?
    • This is where operational metrics or dashboards can have a real influence on the customer experience. Be mindful of how IT impacts the customer journey.

    41%

    Direct CX interaction

    In 2022, 41% of IT heads were directly interacting with the end customer. (Source: Foundry, 2022.)

    SECTION 4

    Keeping Employees Engaged

    Keeping employees engaged

    This is about more than just an annual engagement survey
    • As a leader, you should always have a finger on the pulse of how engaged your employees are
    • Employee engagement is high when:
      • Employees have a positive disposition to their place of work
      • Employees are committed and willing to contribute to the organization's success
    • Employee engagement comprises three types of drivers: organizational, job, and retention. As CIO, you have a direct impact on all three drivers.
    • Providing employees with a positive work environment where they are empowered to complete activities in line with their desired skillset and tied to a clear purpose can significantly increase employee engagement.

    Employee engagement metric:

    Number of employees who feel empowered to complete purposeful activities related to their job each day

    Engagement leads to increases in:
    • Innovation
    • Productivity
    • Performance
    • Teamwork
    While reducing costs associated with high turnover.

    Employees daily tasks need to have purpose

    Other employee engagement metrics:
    • Tenure of IT employees at the organization.
    • Number of employees who seek out or use a training budget to enhance their knowledge/skills.
    • Degree of autonomy employees feel they have in their work on a daily basis.
    • Number of collaboration tools provided to enable cross-organizational work.
    Action steps to take:
    • If you are not willing to take actionable steps to address engagement, don’t bother asking employees about it.
    • Identify the blockers to empowerment. Common blockers include insufficient team collaboration, bureaucracy, inflexibility, and feeling unsupported and judged.
    • Ensure there is a consistent understanding of what “purposeful” means. Are you talking about “purposeful” to the organization or the individual?
    • Provide more clarity on what the organization’s purpose is and the vision it is driving toward. Just because you understand does not mean the employees do.

    26%

    Act on engagement

    Only 26% of leaders actually think about and act on engagement every single day. (Source: SHRM, 2022.)

    SECTION 5

    Establishing Trusted Business Relationships

    Establishing trusted business partnerships

    Leverage your relationships with other C-suite executives to demonstrate IT’s value
    • Your relationship with other business peers is critical – and, funny enough, it is impacted by the use of good metrics and data.
    • The performance of your IT team will be recognized by other members of the executive leadership team (ELT) and is a direct reflection of you as a leader.
    • A good relationship with the ELT can alleviate issues if concerns about IT staff surface.
      • Of the 85% of IT leaders working on transformational initiatives, only 30% are trying to cultivate an IT/business partnership (Foundry, 2022).
    • Don’t let other members of the organizations ELT overlook you or the value IT has. Build the key relationships that will drive trust and partnerships.

    Business leadership relationship metric:

    Ability to influence business decisions with trusted partners.

    Some key relationships that are worth forming with other C-suite executives right now include:
    • Chief Sustainability Officer
    • Chief Revenue Officer
    • Chief Marketing Officer
    • Chief Data Officer

    Influence business decisions with trusted partners

    Other business relations metrics:
    • The frequency with which peers on the ELT complain about the IT organization to other ELT peers.
    • Percentage of business leaders who trust IT to make the right choices for their accountable areas.
    • Number of projects that are initiated with a desired solution versus problems with no desired solution.
    Action steps to take:
    • From lunch to the boardroom, it is important you make an effort to cultivate relationships with the other members of the ELT.
    • Identify who the most influential members of the ELT are and what their primary goals or objectives are.
    • Follow through on what you promise you will deliver – if you do not know, do not promise it!
    • What will work for one member of the ELT will not work for another – personalize your approach.

    60%

    Enterprise-wide collaboration

    “By 2023, 60% of CIOs will be primarily measured for their ability to co-create new business models and outcomes through extensive enterprise and ecosystem-wide collaboration.” (Source: IDC, 2021.)

    SECTION 6

    Managing to a Budget

    Managing to a budget

    Every CIO needs to be able to spend within budget while increasing their strategic impact
    • From security, to cloud, to innovating the organization's products and services, IT has a lot of initiatives that demand funds and improve the organization.
    • Continuing to demonstrate good use of the budget and driving value for the organization will ensure ongoing recognition in the form of increased money.
    • 29% of CIOs indicated that controlling costs and expense management was a key duty of a functional CIO (Foundry, 2022).
    • Demonstrating the ability to spend within a defined budget is a key way to ensure the business trusts you.
    • Demonstrating an ability to spend within a defined budget and reducing the cost of operational expenses while increasing spend on strategic initiatives ensures the business sees the value in IT.

    Budget management metric:

    Proportion of IT budget that is strategic versus operational.

    Info-Tech Insight

    CIOs need to see their IT function as its own business – budget and spend like a CEO.

    Demonstrate IT’s ability to spend strategically

    Other budget management metrics:
    • Cost required to lead the organization through a digital transformation.
    • Reduction in operational spend due to retiring legacy solutions.
    • Percentage of budget in the run, grow, and transform categories.
    • Amount of money spent keeping the lights on versus investing in new capabilities.

    Action steps to take:

    • Consider opportunities to automate processes and reduce the time/talent required to spend.
    • Identify opportunities and create the time for resources to modernize or even digitize the organization to enable a better delivery of the products or services to the end customer.
    • Review the previous metrics and tie it back to running the business. If customer satisfaction will increase or risk-related threats decrease through an initiative IT is suggesting, you can make the case for increased strategic spend.

    90%

    Direct CX interaction

    Ninety percent of CIOs expect their budget to increase or remain the same in their next fiscal year. (Source: Foundry, 2022.)

    Research contributors and experts

    Photo of Jeff Neyland. Jeff Neyland
    Chief Information Officer – University of Texas at Arlington
    Photo of Brett Trelfa. Brett Trelfa
    SVP and CIO – Arkansas Blue Cross Blue Shield
    Blank photo template. Lynn Fyhrlund
    Chief Information Officer – Milwaukee County Department of Administrative Services

    Info-Tech Research Group

    Vicki Van Alphen Executive Counselor Ibrahim Abdel-Kader Research Analyst
    Mary Van Leer Executive Counselor Graham Price Executive Counselor
    Jack Hakimian Vice President Research Valence Howden Principal Research Director
    Mike Tweedie CIO Practice Lead Tony Denford Organization Transformation Practice Lead

    Related Info-Tech Research

    Sample of the 'IT Metrics Library'. IT Metrics Library
    • Use this tool to review commonly used KPIs for each practice area
    • Identify KPI owners, data sources, baselines, and targets. It also suggests action and research for low-performing KPIs.
    • Use the "Action Plan" tab to keep track of progress on actions that were identified as part of your KPI review.
    Sample of 'Define Service Desk Metrics That Matter'. Define Service Desk Metrics That Matter
    • Consolidate your metrics and assign context and actions to those currently tracked.
    • Establish tension metrics to see and tell the whole story.
    • Split your metrics for each stakeholder group. Assign proper cadences for measurements as a first step to building an effective dashboard.
    Sample of 'CIO Priorities 2022'. CIO Priorities 2022
    • Understand how to respond to trends affecting your organization.
    • Determine your priorities based on current state and relevant internal factors.
    • Assign the right resources to accomplish your vision.
    • Consider what new challenges outside of your control will demand a response.

    Bibliography

    “Developing and Sustaining Employee Engagement.” SHRM, 2022.

    Dopson, Elise. “KPIs Vs. Metrics: What’s the Difference & How Do You Measure Both?” Databox, 23 Jun. 2021.

    Shirer, Michael, and Sarah Murray. “IDC Unveils Worldwide CIO Agenda 2022 Predictions.” IDC, 27 Oct. 2021.

    Suer, Myles. “The Most Important Metrics to Drive IT as a Business.” CIO, 19 Mar. 2019.

    “The new CIO: Business Savvy.” Deloitte Insights. Deloitte, 2020.

    “2022 State of the CIO: Rebalancing Act: CIO’s Operational Pandemic-Era Innovation.” Foundry, 2022.

    “Why Employee Engagement Matters for Leadership at all Levels.” Walden University, 20 Dec. 2019.

    Zhang, Xihui, et al. “How to Measure IT Effectiveness: The CIO’s Perspective.” Journal of Informational Technology Management, 29(4). 2018.

    Adopt Change Management Practices and Succeed at IT Organizational Redesign

    • Buy Link or Shortcode: {j2store}393|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design

    Organizational redesigns frequently fail when it comes to being executed. This leads to:

    • The loss of critical talent and institutional knowledge.
    • An inability to deliver on strategic goals and objectives.
    • Financial and time losses to the organization.

    Organizational redesigns fail during implementation primarily because they do not consider the change management required to succeed.

    Our Advice

    Critical Insight

    Implementing your organizational design with good change management practices is more important than defining the new organizational structure.

    Implementation is often negatively impacted due to:

    • Employees not understanding the need to redesign the organizational structure or operating model.
    • Employees not being communicated with or engaged throughout the process, which can cause chaos.
    • Managers not being prepared or trained to have difficult conversations with employees.

    Impact and Result

    When good change management practices are used and embedded into the implementation process:

    • Employees feel respected and engaged, reducing turnover and productivity loss.
    • The desired operating structure can be implemented faster, enabling the delivery of strategic objectives.
    • Gaps and disorganization are avoided, saving the organization time and money.

    Invest change management for your IT redesign.

    Adopt Change Management Practices and Succeed at IT Organizational Redesign Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Adopt Change Management Practices and Succeed at IT Organizational Redesign Deck – Succeed at implementing your IT organizational structure by adopting the necessary change management practices.

    The best IT organizational structure will still fail to be implemented if the organization does not leverage and use good change management practices. Consider practices such as aligning the structure to a meaningful vision, preparing leadership, communicating frequently, including employees, and measuring adoption to succeed at organizational redesign implementation.

    • Adopt Change Management Practices and Succeed at IT Organizational Redesign Storyboard

    2. IT Organizational Redesign Pulse Survey Template – A survey template that can be used to measure the success of your change management practices during organizational redesign implementation.

    Taking regular pulse checks of employees and managers during the transition will enable IT Leaders to focus on the right practices to enable adoption.

    • IT Organizational Redesign Pulse Survey Template
    [infographic]

    Further reading

    Adopt Change Management Practices & Succeed at IT Organizational Redesign

    The perfect IT organizational structure will fail to be implemented if there is no change management.

    Analyst Perspective

    Don’t doom your organizational redesign efforts

    The image contains a picture of Brittany Lutes.

    After helping hundreds of organizations across public and private sector industries redesign their organizational structure, we can say there is one thing that will always doom this effort: A failure to properly identify and implement change management efforts into the process.

    Employees will not simply move forward with the changes you suggest just because you as the CIO are making them. You need to be prepared to describe the individual benefits each employee can expect to receive from the new structure. Moreover, it has to be clear why this change was needed in the first place. Redesign efforts should be driven by a clear need to align to the organization’s vision and support the various objectives that will need to take place.

    Most organizations do a great job defining a new organizational structure. They identify a way of operating that tells them how they need to align their IT capabilities to deliver on strategic objectives. What most organizations do poorly is invest in their people to ensure they can adopt this new way of operating.

    Brittany Lutes
    Research Director, Organizational Transformation

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Organizational redesigns frequently fail when it comes to being executed. This leads to:

    • The loss of critical talent and institutional knowledge.
    • An inability to deliver on strategic goals and objectives.
    • Financial and time losses to the organization.

    Organizational redesigns fail during implementation primarily because they do not consider the change management required to succeed.

    Implementation of the organizational redesign is often impacted when:

    • Employees do not understand the need to redesign the organizational structure or operating model.
    • Employees are not communicated with or engaged throughout the process, which can cause chaos.
    • Managers are not prepared or trained to have difficult conversations with employees.

    Essentially, implementation is impacted when change management is not included in the redesign process.

    When good change management practices are used and embedded into the implementation process:

    • Employees feel respected and engaged, reducing turnover and productivity loss.
    • The desired operating structure can be implemented faster, enabling the delivery of strategic objectives.
    • Gaps and disorganization are avoided, saving the organization time and money.

    Invest in change management for your IT redesign.

    Info-Tech Insight

    Implementing your organizational design with good change management practices is more important than defining the new organizational structure.

    Your challenge

    This research enables organizations to succeed at their organizational redesign:

    • By implementing the right change management practices. These methods prevent:
      • The loss of critical IT employees who will voluntarily exit the organization.
      • Employees from creating rumors that will be detrimental to the change.
      • Confusion about why the change was needed and how it will benefit the strategic objectives the organization is seeking to achieve.
      • Spending resources (time, money, and people) on the initiative longer than is necessary.

    McKinsey reported less than 25% of organizational redesigns are successful. Which is worse than the average change initiative, which has a 70% failure rate.

    Source: AlignOrg, 2020.

    The value of the organizational redesign efforts is determined by the percentage of individuals who adopt the changes and operate in the desired way of working.

    When organizations properly use organizational design processes, they are:

    4× more likely to delight customers

    13× more effective at innovation

    27× more likely to retain employees

    Source: The Josh Bersin Company, 2022

    Common obstacles

    These barriers make implementing an organizational redesign difficult to address for many organizations:

    • You communicated the wrong message to the wrong audience at the wrong time. Repeatedly.
    • There is a lack of clarity around the drivers for an organizational redesign.
    • A readiness assessment was not completed ahead of the changes.
    • There is no flexibility built into the implementation approach.
    • The structure is not aligned to the strategic goals of IT and the organization.
    • IT leadership is not involved in their staff’s day-to-day activities, making it difficult to suggest realistic changes.

    Don’t doom your organizational redesign with poor change management

    Only 17% of frontline employees believe the lines of communication are open.

    Source: Taylor Reach Group, 2019

    43% Percentage of organizations that are ineffective at the organizational design methodology.

    Source: The Josh Bersin Company, 2022.

    Change management is a must for org design

    Forgetting change management is the easiest way to fail at redesigning your IT organizational structure

    • Change management is not a business transformation.
    • Change management consists of the practices and approaches your organization takes to support your people through a transformation.
    • Like governance, change management happens regardless of whether it is planned or ad hoc.
    • However, good change management will be intentional and agile, using data to help inform the next action steps you will take.
    • Change management is 100% focused on the people and how to best support them as they learn to understand the need for the change, what skills they must have to support and adopt the change, and eventually to advocate for the change.

    "Organizational transformation efforts rarely fail because of bad design, but rather from lack of sufficient attention to the transition from the old organization to the new one."

    – Michael D. Watkins & Janet Spencer. ”10 Reason Why Organizational Change Fails.”

    Info-Tech’s approach

    Redesigning the IT structure depends on good change management

    The image contains a screenshot of Info-Tech's approach, and good change management.

    Common changes in organizational redesigns

    Entirely New Teams

    Additions, reductions, or new creations. The individuals that make up a functional team can shift.

    New Team Members

    As roles become defined, some members might be required to shift and join already established groups.

    New Responsibilities

    The capabilities individuals will be accountable or responsible for become defined.

    New Ways of Operating

    From waterfall to Agile, collaborative to siloed, your operating model provides insight into the ways roles will engage one another.

    Top reasons organizational redesigns fail

    1. The rationale for the redesign is not clear.
    2. Managers do not have the skills to lead their teams through a change initiative like organizational redesign.
    3. You communicated the wrong messages at the wrong times to the wrong audiences.
    4. Frontline employees were not included in the process.
    5. The metrics you have to support the initiative are countering one another – if you have metrics at all.
    6. Change management and project management are being treated interchangeably.

    Case study: restructuring to reduce

    Clear Communication & Continuous Support

    Situation

    On July 26th, 2022, employees at Shopify – an eCommerce platform – were communicated to by their CEO that a round of layoffs was about to take place. Effective that day, 1,000 employees or 10% of the workforce would be laid off.

    In his message to staff, CEO Tobi Lutke admitted he had assumed continual growth in the eCommerce market when the COVID-19 pandemic forced many consumers into online shopping. Unfortunately, it was clear that was not the case.

    In his communications, Tobi let people know what to expect throughout the day, and he informed people what supports would be made available to those laid off. Mainly, employees could expect to see a transparent approach to severance pay; support in finding new jobs through coaching, connections, or resume creation; and ongoing payment for new laptops and internet to support those who depend on this connectivity to find new jobs.

    Results

    Unlike many of the other organizations (e.g. Wayfair and Peloton) that have had to conduct layoffs in 2022, Shopify had a very positive reaction. Many employees took to LinkedIn to thank their previous employer for all that they had learned with the organization and to ask their network to support them in finding new opportunities. Below is a letter from the CEO:

    The image contains a screenshot of a letter from the CEO.

    Shopify, 2022.
    Forbes, 2022.

    Aligned to a Meaningful Vision

    An organizational redesign must be aligned to a clear and meaningful vision of the organization.

    Define the drivers for organizational redesign

    And align the structure to execute on those drivers.

    • Your structure should follow your strategy. However, 83% of people in an organization do not fully understand the strategy (PWC, 2017).
    • How can employees be expected to understand why the IT organization needs to be restructured to meet a strategy if the strategy itself is still vague and unclear?
    • When organizations pursue a structural redesign, there are often a few major reasons:
      • Digital/organizational transformation
      • New organizational strategy
      • Acquisition or growth of products, services, or capabilities
      • The need to increase effectiveness
      • Cost savings
    • Creating a line of sight for your employees and leadership team will increase the likelihood that they want to adopt this structure.

    “The goal is to align your operating model with your strategy, so it directly supports your differentiating capabilities.”

    – PWC, 2017.

    How to align structure to strategy

    Recommended action steps:

    • Describe the end state of the organizational structure and how long you anticipate it will take to reach that state. It's important that employees be able to visualize the end state of the changes being made.
    • Ensure people understand the vision and goals of the IT organization. Are you having discussions about these? Are managers discussing these? Do people understand that their day-to-day job is intended to support those goals?
    • Create a visual:
      • The goals of the organization → align to the initiatives IT → which require this exact structure to deliver.
    • Do not assume people are willing to move forward with this vision. If people are not willing, assess why and determine if there are benefits specific to the individual that can support them in adopting the future state.
    • Define and communicate the risks of not making the organizational structure changes.

    Info-Tech Insight

    A trending organizational structure or operating model should never be the driver for an organizational redesign.

    IT Leaders Are Not Set Up To Succeed

    Empower these leaders to have difficult conversations.

    Lacking key leadership capabilities in managers

    Technical leaders are common in IT, but people leaders are necessary during the implementation of an organizational structure.

    • Managers are important during a transformational change for many reasons:
      • Managers play a critical role in being able to identify the skill gaps in employees and to help define the next steps in their career path.
      • After the sponsor (CIO) has communicated to the group the what and the why, the personal elements of the change fall to managers.
      • Managers’ displays of disapproval for the redesign can halt the transformation.
    • However, many managers (37%) feel uncomfortable talking to employees and providing feedback if they think it will elicit a negative response (Taylor Reach Group, 2019).
    • Unfortunately, organizational redesign is known for eliciting negative responses from employees as it generates fears around the unknown.
    • Therefore, managers must be able to have conversations with employees to further the successful implementation and adoption of the structure.

    “Successful organizational redesign is dependent on the active involvement of different managerial levels."

    – Marianne Livijn, “Managing Organizational Redesign: How Organizations Relate Macro and Micro Design.”

    They might be managers, but are they leaders?

    Recommended action steps:

    • Take time to speak with managers one on one and understand their thoughts, feelings, and understanding of the change.
    • Ensure that middle-managers have an opportunity to express the benefits they believe will be realized through the proposed changes to the organizational chart.
    • Provide IT leaders with leadership training courses (e.g. Info-Tech’s Leadership Programs).
    • Do not allow managers to start sharing and communicating the changes to the organizational structure if they are not demonstrating support for this change. Going forward, the group is all-in or not, but they should never demonstrate not being bought-in when speaking to employees.
    • Ensure IT leaders want to manage people, not just progress to a management position because they cannot climb a technical career ladder within the proposed structure. Provide both types of development opportunities to all employees.
    • Reduce the managers’ span of control to ensure they can properly engage all direct reports and there is no strain on the managers' time.

    Info-Tech Insight

    47% of direct reports do not agree that their leader is demonstrating the change behaviors. Often, a big reason is that many middle-managers do not understand their own attitudes and beliefs about the change.

    Source: McKinsey & Company “How Do We Manage the Change Journey?”

    Check out Info-Tech’s Build a Better Manager series to support leadership development

    These blueprints will help you create strong IT leaders who can manage their staff and themselves through a transformation.

    Build a Better Manager: Basic Management Skills

    Build a Better Manager: Personal Leadership

    Build a Better Manager: Manage Your People

    Build Successful Teams

    Transparent & Frequent Communication

    Provide employees with several opportunities to hear information and ask questions about the changes.

    Communication must be done with intention

    Include employees in the conversation to get the most out of your change management.

    • Whether it is a part of a large transformation or a redesign to support a specific goal of IT, begin thinking about how you will communicate the anticipated changes and who you will communicate those changes to right away.
    • The first group of people who need to understand why this initiative is important are the other IT leaders. If they are not included in the process and able to understand the foundational drivers of the initiative, you should not continue to try and gain the support of other members within IT.
    • Communication is critical to the success of the organizational redesign.
    • Communicating the right information at the right time will make the difference between losing critical talent and emerging from the transition successfully.
    • The sponsor of this redesign initiative must be able to communicate the rationale of the changes to the other members of leadership, management, and employees.
    • The sponsor and their change management team must then be prepared to accept the questions, comments, and ideas that members of IT might have around the changes.

    "Details about the new organization, along with details of the selection process, should be communicated as they are finalized to all levels of the organization.”

    – Courtney Jackson, “7 Reasons Why Organizational Structures Fail.”

    Two-way communication is necessary

    Recommended action steps:

    • Don't allow rumors to disrupt this initiative – be transparent with people as early as possible.
    • If the organizational restructure will not result in a reduction of staff – let them know! If someone's livelihood (job) is on the line, it increases the likelihood of panic. Let's avoid panic.
    • Provide employees with an opportunity to voice their concerns, questions, and recommendations – so long as you are willing to take that information and address it. Even if the answer to a recommendation is "no" or the answer to a question is "I don't know, but I will find out," you've still let them know their voice was heard in the process.
    • As the CIO, ensure that you are the first person to communicate the changes. You are the sponsor of this initiative – no one else.
    • Create communications that are clear and understandable. Imagine someone who does not work for your organization is hearing the information for the first time. Would they be able to comprehend the changes being suggested?
    • Conduct a pulse survey on the changes to identify whether employees understand the changes and feel heard by the management team.

    Info-Tech Insight

    The project manager of the organizational redesign should not be the communicator. The CIO and the employees’ direct supervisor should always be the communicators of key change messages.

    Communication spectrum

    An approach to communication based on the type of redesign taking place

    ← Business-Mandated Organizational Redesign

    Enable Alignment & Increased Effectiveness

    IT-Driven & Strategic Organizational Redesign →

    Reduction in roles

    Cost savings

    Requires champions who will maintain employee morale throughout

    Communicate with key individuals ahead of time

    Restructure of IT roles

    Increase effectiveness

    Lean on managers & supervisors to provide consistent messaging

    Communicate the individual benefits of the change

    Increase in IT Roles

    Alignment to business model

    Frequent and ongoing communication from the beginning

    Collaborate with IT groups for input on best structure

    Include Employees in the Redesign Process

    Stop talking at employees and ensure they are involved in the changes impacting their day-to-day lives.

    Employees will enable the change

    Old-school approaches to organizational redesign have argued employee engagement is a hinderance to success – it’s not.

    • We often fail to include the employees most impacted by a restructuring in the redesign process. As a result, one of the top reasons employees do not support the change is that they were not included in the change.
    • A big benefit of including employees in the process is it mitigates the emergence of a rumor mill.
    • Moreover, being open to suggestions from staff will help the transformation succeed.
    • Employees can best describe what this transition might entail on a day-to-day basis and the supports they will require to succeed in moving from their current state to their future state.
      • CIOs and other IT leaders are often too far removed from the day-to-day to best describe what will or will not work.
    • When employees feel included in the process, they are more likely to feel like they had a choice in what and how things change.

    "To enlist employees, leadership has to be willing to let things get somewhat messy, through intensive, authentic engagement and the involvement of employees in making the transformation work."

    – Michael D. Watkins & Janet Spencer, “10 Reasons Why Organizational Change Fails.”

    Empowering employees as change agents

    Recommended action steps:

    • Do not tell employees what benefits they will gain from this new change. Instead, ask them what benefits they anticipate.
    • Ask employees what challenges they anticipate, and identify actions that can be taken to minimize those challenges.
    • Identify who the social influencers are in the organization by completing an influencer map. The informal social networks in your organization can be powerful drivers of change when the right individuals are brought onboard.
    • Create a change network using those influencers. The change network includes individuals who represent all levels within the organization and can represent the employee perspective. Use them to help communicate the change and identify opportunities to increase the success of adoption: “Engaging influencers in change programs makes them 3.8 times more likely to succeed," (McKinsey & Company, 2020).
    • Ask members of the change network to identify possible resistors of the new IT structure and inform you of why they might be resisting the changes.

    Info-Tech Insight

    Despite the persistent misconceptions, including employees in the process of a redesign reduces uncertainty and rumors.

    Monitor employee engagement & adoption throughout the redesign

    Only 22% of organizations include the employee experience as a part of the design process

    – The Josh Bersin Company, 2022.
    1 2 3
    Monitor IT Employee Experience

    When Prosci designed their Change Impact Analysis, they identified the ways in which roles will be impacted across 10 different components:

    • Location
    • Process
    • Systems
    • Tools
    • Job roles
    • Critical behaviors
    • Mindset/attitudes/beliefs
    • Reporting structure
    • Performance reviews
    • Compensation

    Engaging employees in the process so that they can define how their role might be impacted across these 10 categories not only empowers the employee, but also ensures they are a part of the process.

    Source: Prosci, 2019.

    Conduct an employee pulse survey

    See the next slide for more information on how to create and distribute this survey.

    Employee Pulse Survey

    Conduct mindful and frequent check-ins with employees

    Process to conduct survey:

    1. Using your desired survey solution (e.g. MS Forms, SurveyMonkey, Qualtrics) input the questions into the survey and send to staff. A template of the survey in MS Forms is available here: IT Organizational Redesign Pulse Survey Template.
    2. When sending to staff, ensure that the survey is anonymous and reinforce this message.
    3. Leverage the responses from the survey to learn where there might be opportunities to improve the transformation experience (aligning the structure to the vision, employee inclusion, communication, or managerial support for the change). Review the recommended action steps in this research set for help.
    4. This assessment is intended for frequent but purposeful use. Only send out the survey when you have taken actions in order to improve adoption of the change or have provided communications. The Employee Pulse Survey should be reevaluated on a regular basis until adoption across all four categories reaches the desired state (80-100% adoption is recommended).

    The image contains a screenshot of the employee pulse survey.

    Define Key Metrics of Adoption & Success

    Metrics have a dual benefit of measuring successful implementation and meeting the original drivers.

    Measuring the implementation is a two-pronged approach

    Both employee adoption and the transformation of the IT structure need to be measured during implementation

    • Organizations that are going through any sort of transformation – such as organizational redesign – should be measuring whether they are successfully on track to meet their target or have already met that goal.
    • Throughout the organizational structure transition, a major factor that will impact the success of that goal is employee willingness to move forward with the changes.
    • However, rather than measuring these two components using hard data, we rely on gut checks that let us know if we think we are on track to gaining adoption and operating in the desired future state.
    • Given how fluid employees and their responses to change can be, conducting a pulse survey at a regular (but strategically identified) interval will provide insight into where the changes will be adopted or resisted.

    “Think about intentionally measuring at the moments in the change storyline where feedback will allow leaders to make strategic decisions and interventions.”

    – Bradley Wilson, “Employee Survey Questions: The Ultimate Guide.”

    Report that the organizational redesign for IT was a success

    Recommended action steps:

    • Create clear metrics related to how you will measure the success of the organizational redesign, and communicate those metrics to people. Ensure the metrics are not contrary to the goals of other initiatives or team outcomes.
    • Create one set of metrics related to adoption and another set of metrics tied to the successful completion of the project objective.
      • Are people changing their attitudes and behaviors to reflect the required outcome?
      • Are you meeting the desired outcome of the organizational redesign?
    • Use the metrics to inform how you move forward. Do not attempt the next phase of the organizational transformation before employees have clearly indicated a solid understanding of the changes.
    • Ensure that any metrics used to measure success will not negatively interfere with another team’s progress. The metrics of the group need to work together, not against each other.

    Info-Tech Insight

    Getting 100% adoption from employees is unlikely. However, if employee adoption is not sitting in the 80-90% range, it is not recommended that you move forward with the next phase of the transformation.

    Example sustainment metrics

    Driver Goal Measurement Key Performance Indicator (KPI)
    Workforce Challenges and Increased Effectiveness Employee Engagement The change in employee engagement before, during, and after the new organizational structure is communicated and implemented.
    Increased Effectiveness Alignment of Demand to Resources Does your organization have sufficient resources to meet the demands being placed on your IT organization?
    Increased Effectiveness and Workforce Challenges Role Clarity An increase in role clarity or a decrease in role ambiguity.

    Increased Effectiveness

    Reduction in Silos

    Employee effectiveness increases by 27% and efficiency by 53% when provided with role clarity (Effectory, 2019).
    Increased Effectiveness Reduction in Silos Frequency of communication channels created (scrum meetings, Teams channels, etc.) specific to the organizational structure intended to reduce silos.
    Operating in a New Org. Structure Change Adoption Rate The percentage of employees who have adopted their defined role within the new organizational chart in 3-, 6-, and 12-month increments.
    Workforce Challenges Turnover Rate The number of employees who voluntarily leave the organization, citing the organizational redesign.
    Workforce Challenges Active Resistors The number of active resistors anticipated related to the change in organizational structure versus the number of active resistors that actually present themselves to the organizational restructuring.
    New Capabilities Needed Gap in Capability Delivery The increase in effectiveness in delivering on new capabilities to the IT organization.
    Operating in a New Org. Structure Change Adoption Rate The percentage of employees who found the communication around the new organizational structure clear, easy to understand, and open to expressing feedback.
    Lack of Business Understanding or Increased Effectiveness Business Satisfaction with IT Increase in business satisfaction toward IT products and services.
    Workforce Challenges Employee Performance Increase in individual employee performances on annual/bi-annual reviews.
    Adoption Pulse Assessment Increase in overall adoption scores on pulse survey.
    Adoption Communication Effectiveness Reduction in the number of employees who are still unsure why the changes are required.
    Adoption Leadership Training Percentage of members of leadership attending training to support their development at the managerial level.

    Change Management ≠ Project Management

    Stop treating the two interchangeably.

    IT organizations struggle to mature their OCM capabilities

    Because frankly they didn’t need it

    • Change management is all about people.
    • If the success of your organization is dependent on this IT restructuring, it is important to invest the time to do it right.
    • This means it should not be something done off the side of someone's desk.
    • Hire a change manager or look to roles that have a responsibility to deliver on organizational change management.
    • While project success is often measured by if it was delivered on time, on budget, and in scope, change management is adaptable. It can move backward in the process to secure people's willingness to adopt the required behaviors.
    • Strategic organizations recognize it’s not just about pushing an initiative or project forward. It’s about making sure that your employees are willing to move that initiative forward too.
    • A major organizational transformation initiative like restructuring requires you lean into employee adoption and buy-in.

    “Only if you have your employees in mind can you implement change effectively and sustainably.”

    – Creaholic Pulse Feedback, “Change Management – And Why It Has to Change.”

    Take the time to educate & communicate

    Recommended action steps:

    • Do not treat change management and project management as synonymous.
    • Hire a change manager to support the organizational redesign transformation.
    • Invest the resources (time, money, people) that can support the change and enable its success. This can look like:
      • Training and development.
      • Hiring the right people.
      • Requesting funds during the redesign process to support the transition.
    • Create a change management plan – and be willing to adjust the timelines or actions of this plan based on the feedback you receive from employees.
    • Implement the new organizational structure in a phased approach. This allows time to receive feedback and address any fears expressed by staff.

    Info-Tech Insight

    OCM is often not included or used due to a lack of understanding of how it differs from project management.

    And an additional five experts across a variety of organizations who wish to remain anonymous.

    Research Contributors and Experts

    Info-Tech Research Group

    Amanda Mathieson Research Director Heather Munoz Executive Counselor Valence Howden Principal Research Director
    Ugbad Farah Research Director Lisa Hager Duncan Executive Counselor Alaisdar Graham Executive Counselor
    Carlene McCubbin Practice Lead

    Related Info-Tech Research

    Redesign Your IT Organizational Structure

    Build a Strategic IT Workforce Plan

    Implement a New IT Organizational Structure

    • Organizational redesign is only as successful as the process leaders engage in.
    • Benchmarking your organizational redesign to other organizations will not work.
    • You could have the best IT employees in the world, but if they aren’t structured well, your organization will still fail in reaching its vision.
    • A well-defined strategic workforce plan (SWP) isn’t just a nice-to-have, it’s a must-have.
    • Integrate as much data as possible into your workforce plan to best prepare you for the future. Without knowledge of your future initiatives, you are filling hypothetical holes.
    • To be successful, you need to understand your strategic initiatives, workforce landscape, and external and internal trends.
    • Organizational design implementations can be highly disruptive for IT staff and business partners. Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to change.
    • CIOs walk a tightrope as they manage operational and emotional turbulence while aiming to improve business satisfaction with IT. Failure to achieve balance could result in irreparable failure.

    Bibliography

    Aronowitz, Steven, et al. “Getting Organizational Design Right,” McKinsey, 2015. Web.
    Ayers, Peg. “5 Ways to Engage Your Front-Line Staff.” Taylor Reach Group, 2019. Web.
    Bushard, Brian, and Carlie Porterfield. “Meta Reportedly Scales Down, Again – Here Are the Major US Layoffs This Year.” Forbes, September 28, 2022. Web.
    Caruci, Ron. “4 Organizational Design Issues that Most Leaders Misdiagnose.” Harvard Business Review, 2019.
    “Change Management – And Why It Has to Change.” Creaholic Pulse Feedback. Web.
    “Communication Checklist for Achieving Change Management.” Prosci, 27 Oct. 2022. Web.
    “Defining Change Impact.” Prosci. 29 May 2019. Web.
    “The Definitive Guide To Organization Design.” The Josh Bersin Company, 2022.
    Deshler, Reed. “Five Reasons Organizational Redesigns Fail to Deliver.” AlignOrg. 28 Jan. 2020. Web.
    The Fit for Growth Mini Book. PwC, 12 Jan. 2017.
    Helfand, Heidi. Dynamic Reteaming: The Art and Wisdom of Changing Teams. 2nd ed., O’Reilly Media, 2020.
    Jackson, Courtney. “7 Reasons Why Organizational Structures Fail.” Scott Madden Consultants. Web.
    Livijn, Marianne. Managing Organizational Redesign: How Organizations Relate Macro and Micro Design. Doctoral dissertation. Department of Management, Aarhus University, 2020.
    Lutke, Tobias. “Changes to Shopify’s Team.” Shopify. 26 July 2022.
    McKinsey & Company. “How Do We Manage the Change Journey?” McKinsey & Company.2020.
    Pijnacker, Lieke. “HR Analytics: Role Clarity Impacts Performance.” Effectory, 29 Sept. 2019. Web.
    Tompkins, Teri C., and Bruce G. Barkis. “Conspiracies in the Workplace: Symptoms and Remedies.” Graziadio Business Review, vol. 21, no. 1, 2021.Web.
    “Understanding Organizational Structures.” SHRM,2022.
    Watkins, Michael D., and Janet Spencer. “10 Reasons Why Organizational Change Fails.” I by IMD, 10 March 2021. Web.
    Wilson, Bradley. “Employee Survey Questions: The Ultimate Guide.” Perceptyx, 1 July 2020. Web.

    Initiate Digital Accessibility for IT

    • Buy Link or Shortcode: {j2store}520|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Determining IT requirements (legal and business needs) is overwhelming.
    • Prioritizing people in the process is often overlooked.
    • Mandating changes instead of motivating change isn’t sustainable.

    Our Advice

    Critical Insight

    • Compliance is the minimum; the people and behavior changes are the harder part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility makes the necessary behavior changes easier. Communicate, communicate, and communicate some more.
    • Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative, however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging, the tendency is to start with tech or compliance, however, starting with the people is key. It must be culture.
    • Think about accessibility like you think about IT security. Use IT security concepts that you and your team are already familiar with to initiate the accessibility program.

    Impact and Result

    • Take away the overwhelm that many feel when they hear ‘accessibility’ and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.
    • Build your accessibility plan while prioritizing the necessary culture change
    • Use change management and communication practices to elicit the behavior shift needed to sustain accessibility.

    Initiate Digital Accessibility for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Initiate Digital Accessibility for IT – Use this blueprint to narrow down the requirements for your organization and team while also clearly communicating why accessibility is critical and how it supports the organization’s key objectives and initiatives.

    A step-by-step approach to walk you through understanding the IT accessibility compliance requirements, building your roadmap, and communicating with your department. This storyboard will help you figure out what’s needed from IT to support the business and launch accessibility with your team.

    • Initiate Digital Accessibility for IT – Phases 1-2

    2. IT Manager Meeting Template – A clear, concise, and compelling communication to introduce accessibility for your organization to IT managers and to facilitate their participation in building the roadmap.

    Accessibility compliance can be overwhelming at first. Use this template to simplify the requirements for the IT managers and build out a roadmap.

    • IT Manager Meeting Template

    3. Accessibility Compliance Tracking Tool – This tool helps to decrease the overwhelm of accessibility compliance. Narrow down the list of controls needed to the ones that apply to your organization and to IT.

    Using the EN 301 549 V3.2.1 (2021-03) as a basis for digital accessibility conformance. Use this tool to build a priorities list of requirements that are applicable to your organization.

    • Accessibility Compliance Tracking Tool

    4. Departmental Meeting Template – Cascade your communication down to the IT department with this facilitation guide for introducing accessibility and the roadmap to the entire IT team.

    Use this pre-built slide deck to customize your accessibility communication to the IT department. It will help you build a shared vision for accessibility, a current state picture, and plans to build to the target future state.

    • Departmental Meeting Template
    • Accessibility Quick Cards

    Infographic

    Further reading

    Initiate Digital Accessibility For IT

    Make accessibility accessible.

    EXECUTIVE BRIEF

    Analyst Perspective

    Accessibility is a practice, not a project.

    Accessibility is an organizational directive; however, IT plays a fundamental role in its success. As business partners require support and expertise to assist with their accessibility requirements IT needs to be ready to respond. Even if your organization hasn't fully committed to an accessibility standard, you can proactively get ready by planting the seeds to change the culture. By building understanding and awareness of the significant impact technology has on accessibility, you can start to change behaviors.

    Implementing an accessibility program requires many considerations: legal requirements; international guidelines, such as Web Content Accessibility Guidelines (WCAG); training for staff; ongoing improvement; and collaborating with accessibility experts and people with disabilities. It can be overwhelming to know where to start. The tendency is to start with compliance, which is a fantastic first step. For a sustained program use, change management practices are needed to change behaviors and build inclusion for people with disabilities.

    15% of the world's population identify as having some form of a disability (not including others that are impacted, e.g. caretakers, family). Why would anyone want to alienate over 1.1 billion people?

    This is a picture of Heather Leier-Murray

    Heather Leier-Murray
    Senior Research Analyst, People & Leadership
    Info-Tech Research Group

    Disability is part of being human

    Merriam-Webster defines disability as a "physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person's ability to engage in certain tasks or actions or participate in typical daily activities and interactions."(1)

    The World Health Organization points out that a crucial part of the definition of disability is that it's not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.(2)

    The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.(2)

    Many people acquire disabilities as they age yet may not identify as "a person with a disability."3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability. (4)

    "Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out."
    – Paudie Healy, CEO, Universal Access

    (1.) Merriam-Webster
    (2.) World Health Organization, 2022
    (3.) Digital Leaders, as cited in WAI, 2018
    (4.) Disabled World, as cited in WAI, 2018

    Executive Summary

    Your Challenge

    You know the push for accessibility is coming in your organization. You might even have a program started or approval to build one. But you're not sure if you and your team are ready to support and enable the organization on its accessibility journey.

    Common Obstacles

    Understanding where to start, where accessibility lives, and if or when you're done can be overwhelmingly difficult. Accessibility is an organizational initiative that IT enables; being able to support the organization requires a level of understanding of common obstacles.

    • Determining IT requirements (legal and business needs) is overwhelming.
    • Prioritizing people in the process is often overlooked.
    • Mandating changes instead of motivating change isn't sustainable.

    Info-Tech's Approach

    Prepare your people for accessibility and inclusion, even if your organization doesn't have a formal standard yet. Take your accessibility from mandate to movement, i.e. from Phase 1 - focused on compliance to Phase 2 - driven by experience for sustained change.

    • Use this blueprint to build your accessibility plan while prioritizing the necessary culture change.
    • Use change management and communication practices to elicit the behavior shift needed to sustain accessibility.

    Info-Tech Insight

    Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative; however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging because the tendency is to start with tech or compliance; however, starting with the people is key. It must be a change in organizational culture.

    Your challenge

    This research is designed to help IT leaders who are looking to:

    • Determine accessibility requirements of IT based on the business' needs and priorities, and the existing standards and regulations.
    • Prepare the IT leaders to implement and sustain accessibility and prepare for the behavior shift that is necessary.
    • Build the plan for IT as it pertains to accessibility, including a list of business needs and priorities, and prioritization of accessibility initiatives that IT is responsible for.
    • Ensure that accessibility is sustained in the IT department by following phase 2 of this blueprint on using change management and communication to impact behavior and change the culture.

    90% of companies claim to prioritize diversity.
    Source: Harvard Business Review, 2020

    Over 30% of those that claim to prioritize diversity are focused on compliance.
    Source: Harvard Business Review, 2022

    Accessibility is an organizational initiative

    Is IT ready and capable to enable it?

    • With increasing rates of lawsuits related to digital accessibility, more organizations are prioritizing initiatives to support increased accessibility. About 68% of Applause's survey respondents indicated that digital accessibility is a higher priority for their organization than it was last year.
    • This increase in priority will trickle into IT's tasks – get ahead and start working toward accessibility proactively so you're ready when business requests start coming in.

    A survey of nearly 1,800 respondents conducted by Applause found that:

    • 79% of respondents rated digital accessibility either a top priority or important for their organizations.
    • 42% of respondents indicated they have limited or no in-house expertise or resources to test accessibility.
      Source: Business Wire, May 2022

    How organizations prioritize digital accessibility

    • 43% rated accessibility as a top priority.
    • 36% rated accessibility as important.
    • Fewer than 5% rated accessibility as either low priority or not even on the radar.
    • More than 65% agreed or strongly agreed that accessibility is a higher priority than last year.

    Source: Angel Business Communications, 2022

    Why organizations address accessibility

    Top three reasons:

    1. 61% To comply with laws
    2. 62% To provide the best user experience
    3. 78% To include people with disabilities
      Source: Level Access, 2022

    Still, most businesses aren't meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.

    Source: Institute for Disability Research, Policy, and Practice, 2022

    Info-Tech's approach to Initiate Digital Accessibility

    An image of the Business Case for Accessibility

    The Info-Tech difference:

    1. Phase 1 of this blueprint gets you started and helps you build a plan to get you to the initial compliance driven maturity level. It's focused more on standards and regulations than on the user and employee experience.
    2. Phase 2 takes you further in maturity and helps you become experience driven in your efforts. It focuses on building your accessibility maturity into the developing, defined, and managed levels, as well as balancing mandate and movement of the accessibility maturity continuum.

    Determining conformance seems overwhelming

    Unfortunately, it's the easier part.

    • Focus on local regulations and what corporate leaders are setting as accessibility standards for the organization. This will narrow down the scope of what compliance looks like for your team.
    • Look to best practices like WCAG guidelines to ensure digital assets are accessible and usable for all users. WCAG's international guideline outlines principles that can also aid in scoping.
    • In phase 1 of this blueprint, use the Accessibility Compliance Tracking Toolto prioritize criteria and legislation for which IT is responsible.
    • Engage with business partners and other areas of the organization to figure out what is needed from IT. Accessibility is an organizational initiative; it shouldn't be on IT to figure it all out. Determine what your team is specifically responsible for before tackling it all.

    Motivating behavior change

    This is the hard part.

    Changing behaviors and mindsets is necessary to be experience driven and sustain accessibility.

    • Compliance is the minimum when it comes to accessibility, much like employment or labor regulations.
    • Making accessibility an organizational imperative is an iterative process. Managing the change is hard. People, culture, and behavior change matures accessibility from compliance driven to experience driven, increasing the benefits of accessibility.
    • Focus accessibility initiatives on improving the experience of everyone and improving engagement (customer and employee).
    • Being people focused and experience driven enables the organization to provide the best user experience and realize the benefits of accessibility.

    A picture of Jordyn Zimmerman

    "Compliance is the minimum. And when we look at web tech, people are still arguing about their positioning on the standards that need to be enforced in order to comply, forgetting that it isn't enough to comply."
    -- Jordyn Zimmerman, M.Ed., Director of Professional Development, The Nora Project, and Appointee, President's Committee for People with Intellectual Disabilities.

    This is an image of the Info-Tech Accessibility Maturity Framework Table.

    To see more on the Info-Tech Accessibility Maturity Framework:

    The Accessibility Business Case for IT

    Think of accessibility like you think of IT security

    Use IT security concepts to build your accessibility program.

    • Risk management: identify and prioritize accessibility risks and implement controls to mitigate those risks.
    • Compliance: use an IT security-style compliance approach to ensure that the accessibility program is compliant with the many accessibility regulations and standards.
    • Defense in depth: implement multiple layers of accessibility controls to address different types of accessibility risks and issues.
    • Response and recovery: quickly and effectively respond to accessibility issues, minimizing the potential impact on the organization and its users.
    • End-user education: educate end users about accessibility best practices, such as how to use assistive technologies and how to report accessibility issues.
    • Monitor and audit: use monitoring and auditing tools to ensure that accessibility remains over time and to identify and address issues that arise.
    • Collaboration: ensure the accessibility program is effective and addresses the needs of all users by collaborating with accessibility experts and people with disabilities.

    "As an organization matures, the impact of accessibility shifts. A good company will think of security at the very beginning. The same needs to be applied to accessibility thinking. At the peak of accessibility maturity an organization will have people with disabilities involved at the outset."
    -- Cam Beaudoin, Owner, Accelerated Accessibility

    This is a picture of Cam Beaudoin

    Info-Tech's methodology for Initiate Digital Accessibility for IT

    1. Planning IT's accessibility requirements

    2. Change enablement of accessibility

    Phase Steps

    1. Determine accessibility requirements of IT
    2. Build the IT accessibility plan
    1. Build awareness
    2. Support new behaviors
    3. Continuous reinforcement

    Phase Outcomes

    List of business needs and priorities related to accessibility

    IT accessibility requirements for conformance

    Assessment of state of accessibility conformance

    Prioritization of accessibility initiatives for IT

    Remediation plan for IT related to accessibility conformance

    Accessibility commitment statement

    Team understanding of what, why, and how

    Accessibility Quick Cards

    Sustainment plan

    Insight summary

    Overarching insight

    Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative; however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging. The tendency is to start with tech or compliance; however, starting with the people is key. It must be a change in organizational culture.

    Insight 1

    Compliance is the minimum; people and behavior changes are the hardest part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility makes the necessary behavior changes easier. Communicate, communicate, and communicate some more.

    Insight 2

    Think about accessibility like you think about IT security. Use IT security concepts that you and your team are already familiar with to initiate the accessibility program.

    Insight 3

    People are learning a new way to behave and think; this can be an unsettling period. Patience, education, communication, support, and time are keys for success of the implementation of accessibility. There is a transition period needed; people will gradually change their practices and attitudes. Celebrate small successes as they arise.

    Insight 4

    Accessibility isn't a project as there is no end. Effective planning and continuous reinforcement of "the new way of doing things" is necessary to enable accessibility as the new status quo.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    IT Manager Meeting Template

    IT Manager Meeting Template
    Use this meeting slide deck to work with IT managers to build out the accessibility remediation plan and commitment statement.

    Departmental Meeting Template

    Departmental Meeting Template
    Use this meeting slide deck to introduce the concept of accessibility and communicate IT goals and objectives.

    Accessibility Quick Cards

    Accessibility Quick Cards
    Using the Info-Tech IT Management and Governance Framework to identify key activities to help improve and maintain the accessibility of your organization and your core IT processes.

    Key deliverable:

    Accessibility Compliance Tracking Tool

    Accessibility Compliance Tracking Tool
    This tool will assist you in identifying remediation priorities applicable to your organization.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Know and understand your role and responsibility in accessibility implementation within the organization.
    • Provide effective support and excellent business service experience to internal stakeholders related to accessibility.
    • You will be set up to effectively support your team through the necessary behavior, process, and thinking changes.
    • Proactively prepare for accessibility requests that will be coming in.
    • Move beyond compliance to support your organization's sustainment of accessibility.
    • Don't lose out on a trillion-dollar market.
    • Don't miss opportunities to work with organizations because you're not accessible.
    • Enable and empower current employees with disabilities.
    • Minimize potential for negative brand reputation due to a lack of consideration for people with disabilities.
    • Decrease the risk of legal action being brought upon the organization.

    Measure the value of this blueprint

    Improve IT effectiveness and employee buy-in to change.

    Measuring the effectiveness of your program helps contribute to a culture of continuous improvement. Having consistent measures in place helps to inform decisions and enables your plan to be iterative to take advantage of emerging opportunities.

    Monitor employee engagement, overall stakeholder satisfaction with IT, and the overall end-customer satisfaction.

    Remember, accessibility is not a project – just because measures are positive does not mean your work is done.

    In phase 1 of this blueprint, we will help you establish metrics for your organization.
    In phase 2, we will help you develop a sustainment for achieving those metrics.

    A screenshot of the slide titled Establish Baseline Metrics.

    Suggested Metrics
    • Overall end-customer satisfaction
    • Requests for accommodation or assistive technology fulfilled
    • Employee engagement
    • Overall compliance status

    Info-Tech's IT Metrics Library

    Executive brief case study

    INDUSTRY: Technology


    SOURCE: Microsoft.com
    https://blogs.microsoft.com/accessibility/accessib...

    Microsoft

    Microsoft's accessibility journey starts with the goal of building a culture of accessibility and disability inclusion. They recognize that the starting point for the magnitude of organizational change is People.

    "Accessibility in Action Badge"

    Every employee at Microsoft is trained on accessibility to build understanding of why and how to be inclusive using accessibility. The program entails 90 minutes of virtual content.

    Microsoft treats accessibility and inclusion like a business, managing and measuring it to ensure sustained growth and success. They have worked over the years to bust systemic bias company-wide and to build a program with accessibility criteria that works for their business.

    Results

    The program Microsoft has built allows them to shift the accessibility lens earlier in their processes and listen to its users' needs. This allows them to continuously mature their accessibility program, which means continuously improving its users' experience.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided implementation

    What does a typical guided implementation (GI) on this topic look like?

    Phase 1 Phase 2

    Call #1: Discuss motivation for the initiative and foundational knowledge requirements.
    Call #2: Discuss stakeholder analysis and business needs of IT.

    Call #3: Identify current maturity and IT accountabilities.
    Call #4: Discuss introduction to senior IT leaders and drivers.
    Call #5: Discuss manager meeting outline and slides.

    Call #6: Review key messages and next steps to prepare for departmental meeting.
    Call #7: Discuss post-meetings next steps and timelines.

    Call #8: Review sustainment plan and plan next steps.

    A GI is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is eight to ten calls over the course of four to six months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Understand Your Legislative Environment

    Understand Your Current State

    Define the
    IT Target State

    Build the IT Accessibility Plan

    Prepare for Change Enablement

    Next Steps and
    Wrap-Up

    Activities

    0.1 Make a list of the legislation you need to comply with
    0.2 Seek legal counsel or and/or professional services' input on compliance
    0.3 Complete the Accessibility Maturity Assessment
    0.4 Conduct stakeholder analysis

    1.1 Define the risks of inaction
    1.2 Review maturity assessment
    1.3 Conduct stakeholder focus group

    2.1 Define IT compliance accountabilities
    2.2 Define IT accessibility goals/objectives/ metrics
    2.3 Indicate the target-state maturity

    3.1 Assess current accessibility compliance and mitigation
    3.2 Decide on priorities
    3.3 Write an IT accessibility commitment statement

    4.1 Prepare the roadmap
    4.2 Prepare the communication plan

    5.1 Complete in-progress deliverables from previous four days
    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables

    1. Legislative requirements for your organization
    2. List of stakeholders
    3. Completed maturity assessment.
    1. Defined risks of inaction
    2. Stakeholder analysis completed with business needs identified
    1. IT accessibility goals/objectives
    2. Target maturity
    1. Accessibility Compliance Tracking Tool completed
    2. Accessibility commitment statement
    3. Current compliance and mitigation assessed
    1. IT accessibility roadmap
    2. Communication plan
    1. IT accessibility roadmap
    2. Communication plan

    Phase 1

    Planning IT's Accessibility Requirements.

    Phase 1

    Phase 2

    1.1 Determine accessibility requirements of IT

    1.2 Build IT accessibility plan

    2.1 Build awareness

    2.2 Support new behaviors

    2.3 Continuous reinforcement

    Initiate Digital Accessibility For IT

    This phase will walk you through the following activities:

    • Analyzing stakeholders to determine accessibility needs of business for IT.
    • Determining accessibility compliance requirements of IT.
    • Build a manager communication deck.
    • Assess current accessibility compliance and mitigation.
    • Prioritize and assign timelines.
    • Build a sunrise diagram to visualize your accessibility roadmap.
    • Write an IT accessibility commitment statement.

    This phase involves the following participants:

    • CIO
    • IT leadership team
    • Business partners in other areas of the organization (e.g., HR, finance, communications)

    Step 1.1

    Determine the accessibility requirements of IT.

    Activities

    1.1.1 Determine what the business needs from IT
    1.1.2 Complete the Accessibility Maturity Assessment (optional)
    1.1.3 Determine IT compliance requirements
    1.1.4 Define target state
    1.1.5 Create a list of goals and objectives
    1.1.6 Finalize key metrics
    1.1.7 Prepare a meeting for IT managers

    Prepare to support the organization with accessibility

    This step involves the following participants:

    • CIO
    • IT senior leaders
    • IT managers
    • Business partners in other areas of the organization (e.g., HR, finance, communications)

    Outcomes of this step

    • Stakeholder analysis with business needs listed
    • Defined target future state
    • List of goals and objectives
    • Key metrics
    • Communication deck for IT management rollout meeting

    While defining future state, consider your drivers

    The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.

    • Over 30% of organizations are focused on compliance, according to a 2022 survey by Harvard Business Review and Slack's Future Forum. The survey asked more than 10,000 workers in six countries about their organizations' approach to diversity, equity, and inclusion (DEI).(2)
    • Even though 90% of companies claim to prioritize diversity, over 30% are focused on compliance.(1)

    1. Harvard Business Review, 2020
    2. Harvard Business Review, 2022

    31.6% of companies remain in the compliant stage where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement, from Harvard Business Review 2022.

    Info-Tech accessibility maturity framework

    This is an image of Info-Tech's accessibility maturity framework

    Info-Tech Insight

    IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to IT accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.

    After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined process and consistent standardized processes. Eventually you will build the ability for predictable process, and lastly, you'll optimize by continuously improving.

    Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.

    At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.

    Align the benefits of program drivers to organizational goals or outcomes

    Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.

    This is an image of a table describing the maturity level; Description; Advantages, and Disadvantages for the three drivers: Compliance; Experience; and Incorporation.

    Accessibility maturity levels

    Driver Description Benefits
    Initial Compliance
    • Accessibility processes are mostly undocumented.
    • Accessibility happens mostly on a reactive or ad hoc basis.
    • No one is aware of who is responsible for accessibility or what role they play.
    • Heavily focused on complying with regulations and standards to decrease legal risk.
    • The organization is aware of the need for accessibility.
    • Legal risk is decreased.
    Developing Experience
    • The organization is starting to take steps to increase accessibility beyond compliance.
    • Lots of opportunity for improvement.
    • Defining and refining processes.
    • Working toward building a library of assistive tools.
    • Awareness of the need for accessibility is growing.
    • Process review for accessibility increases process efficiency through avoiding rework.
    Defined Experience
    • Accessibility processes are repeatable.
    • There is a tendency to resort to old habits under stress.
    • Tools are in place to facilitate accommodation.
    • Employees know accommodations are available to them.
    • Accessibility is becoming part of daily work.
    Managed Experience
    • Defined by effective accessibility controls, processes, and metrics.
    • Mostly anticipating preferences.
    • Roles and responsibilities are defined.
    • Disability is included as part of DEI.
    • Employees understand their role in accessibility.
    • Engagement is positively impacted.
    • Attraction and retention are positively impacted.
    Optimized Incorporation
    • Not the goal for every organization.
    • Characterized by a dramatic shift in organizational culture and a feeling of belonging.
    • Ongoing continuous improvement.
    • Seamless interactions with the organization for everyone.
    • Using feedback to inform future initiatives.
    • More likely to be innovative and inclusive, reach more people positively, and meet emerging global legal requirements.
    • Better equipped for success.

    Cheat sheet: Identify stakeholders

    Ask stakeholders, "Who else should I be talking to?" to discover additional stakeholders and ensure you don't miss anyone.

    Identify stakeholders through the following questions:

    Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.

    • Who in areas of influence will be adversely affected by potential environmental and social impacts of what you are doing?
    • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
    • Will other stakeholders emerge as the phases are started and completed?
    • Who is sponsoring the initiative?
    • Who benefits from the initiative?
    • Who is negatively impacted by the initiative?
    • Who can make approvals?
    • Who controls resources?
    • Who has specialist skills?
    • Who implements the changes?
    • Who are the owners, governors, customers, and suppliers of impacted capabilities or functions?
    • Executives
    • Peers
    • Direct reports
    • Partners
    • Customers
    • Subcontractors
    • Suppliers
    • Contractors
    • Lobby groups
    • Regulatory agencies

    Categorize your stakeholders with a stakeholder prioritization map

    A stakeholder prioritization map help teams categorize their stakeholders by their level of influence and ownership.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    This is an image of a quadrant analysis for mediators; players; spectators; and noisemakers.
    • Players – Players have a high interest in the initiative and high influence to affect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
    • Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
    • Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
    • Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.

    Strategize to engage stakeholders by type

    Each group of stakeholders draws attention and resources away from critical tasks.

    By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy spectators and noisemakers while ensuring the needs of the mediators and players are met.

    Type Quadrant Actions
    Players High influence, high interest Actively Engage
    Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
    Mediators High influence, low interest Keep Satisfied
    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest Keep InformedTry to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using mediators to help them.
    Spectators Low influence, low interest MonitorThey are followers. Keep them in the loop by providing clarity on objectives and status updates.

    1.1.1 Determine what the business needs from IT (stakeholder analysis)

    1.5 hours

    1. Consider all the potential individuals or groups of individuals who will be impacted or influence the accessibility needs of IT.
    2. List each of the stakeholders you identify. If in person, use sticky notes to define the target audiences. The individuals or group of individuals that potentially have needs from IT related to accessibility before, during, or after the initiative.
    3. As you list each stakeholder, consider how they perceive IT. This perception could impact how you choose to interact with them.
    4. For each stakeholder identified as potentially having a business need requirement for IT related to accessibility, conduct an analysis to understand their degree of influence or impact.
    5. Based on the stakeholder, the influence or impact of the business need can inform the interaction and prioritization of IT requirements.
    6. Update slide 9 of the IT Manager Meeting Template.

    Input

    • The change
    • Why the change is needed
    • Key stakeholder map from activity 2.1.1 of The Accessibility Business Case for IT (optional)

    Output

    • The degree of influence or impact each stakeholder has on accessibility needs from IT

    Materials

    • Stakeholder Management Analysis Tool (optional)

    Participants

    • CIO/ head of IT/ initiative lead
    • Business partners

    Proactively consider how accessibility could be received

    Think about the positive and negative reactions you could face about implementing accessibility.

    It's likely individuals will have an emotional reaction to change and may have different emotions at different times during the change process.
    Plan for how to leverage support and deal with resistance to change by assessing people's emotional responses:

    • What are possible questions, objections, suggestions, and concerns that might arise.
    • How will you respond to the possible questions and concerns.
    • Include proactive messaging in your communications that address possible objections.
    • Express an understanding for others point of views by re-positioning objections and suggestions as questions.

    This is an image of the 10 change chakras

    Determine your level of maturity

    Use Info-Tech's Accessibility Maturity Assessment.

    On the accessibility questionnaire, tab 2, choose the amount you agree or disagree with each statement. Answer the questions based on your knowledge of your current state organizationally.

    Once you've answered all the questions, see the results on the tab 3, Accessibility Results. You can see your overall maturity level and the maturity level for each of six dimensions that are necessary to increase the success of an accessibility program.

    Click through to tab 4, Recommendations, to see specific recommendations based on your results and proven research to progress through the maturity levels. Keep in mind that not all organizations will or should aspire to the "Optimize" maturity level.

    A series of three screenshots from the Accessibility Maturity Assessment

    Download the Accessibility Maturity Assessment

    1.1.2 Complete the Accessibility Maturity Assessment (optional)

    1. Download the Accessibility Maturity Assessment and save it with the date so that as you work on your accessibility program, you can reassess later and track your progress.
    2. Once you have saved the assessment, select the appropriate answer for each statement on tab 2, Accessibility Questions, based on your knowledge of the organization's approach.
    3. After reviewing all the accessibility statements, see your maturity level results on tab 3, Accessibility Results. Then see tab 4, Recommendations, for suggestions based on your answers.
    4. Document your accessibility maturity results on slides 12 and 13 of the IT Manager Meeting Template and slide 17 of the Departmental Meeting Template.
    5. Use the maturity assessment results in activity 1.1.3.

    Input

    • Assess your current state of accessibility by choosing all the statements that apply to your organization

    Output

    • Identified accessibility maturity level

    Materials

    • Accessibility Maturity Assessment
    • Accessibility Business Case Template

    Participants

    • Project leader/sponsor
    • IT leadership team

    1.1.3 Determine IT compliance responsibilities

    1-3 hours

    Before you start this activity, you may need to discuss with your organization's legal counsel to determine the legislation that applies to your organization.

    1. Determine which controls apply to your organization based on your knowledge of the organization goals, stakeholders, and accessibility maturity target. If you haven't determined your current and future state maturity model, use the Info-Tech resource from the Accessibility Business Case for IT(see previous two slides).
    2. Using the drop down in column J – Applies to My Org., select "Yes" or "No" for each control on each of the data entry tabs of the Accessibility Compliance Tracking Tool.
    3. For each control you have selected "Yes" for in column J, identify the control owner in column I.
    4. Update slide 10 in the IT Manager Meeting Template and slide 13 in the IT Departmental Meeting Template.

    Input

    • Local, regional, and/or global legislation and guidelines applicable to your organization
    • Organizational accessibility standard
    • Business needs list
    • Completed Accessibility Maturity Assessment (optional)

    Output

    • List of legislation and standards requirements that are narrowed based on organization need

    Materials

    • Accessibility Maturity Assessment
    • Accessibility Business Case Template

    Participants

    • CIO/ head of IT/ CAO/ initiative leader
    • Legal counsel

    Download the Accessibility Compliance Tracking Tool

    1.1.4 Conduct future-state analysis*

    Identify your target state of maturity.

      1. Provide the group with the accessibility maturity levels to review as well as the slides on the framework and drivers (slides 27-29).
      2. Ask the group to brainstorm pain points created by inaccessibility (e.g. challenges related to stakeholders, process issues).
      3. Next, discuss opportunities to be gained from improving these practices.
      4. Then, have everyone look at the accessibility maturity levels and, based on the descriptions, determine as a group the current maturity level of accessibility in your organization .
      5. Next, review the benefits listed on the accessibility maturity levels slide to those that you named in step 3 and determine which maturity level best describes your target state. Discuss as a group and agree on one desired maturity level to reach.
      6. Document your current and target states on slide 14 of the IT Manager Meeting Template.

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activities 2.1.2 and 2.1.3.

    Input

    • Accessibility maturity levels chart, framework, and drivers slides
    • Maturity level assessment results (optional)

    Output

    • Target maturity level documented

    Materials

    • Paper and pens
    • Handouts of maturity levels

    Participants

    • CIO
    • IT senior leaders

    What does a good goal look like?

    SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.

    Use the SMART framework to build effective goals.

    S

    Specific: Is the goal clear, concrete, and well defined?

    M

    Measurable: How will you know when the goal is met?

    A

    Achievable: Is the goal possible to achieve in a reasonable time?

    R

    Relevant: Does this goal align with your responsibilities and with departmental and organizational goals?

    T

    Time-based: Have you specified a time frame in which you aim to achieve the goal?

    1.1.5 Create a list of goals and objectives*

    Use the outcomes from activity 1.2.1.

    1. Using the information from activity 1.2.1, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives on slides 6 and 9 in your IT Manager Meeting Template.

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activity 2.2.1.

    Input

    • Outcomes of activity 1.2.1
    • Organizational and departmental goals

    Output

    • Accessibility goals and objectives identified

    Materials

    • n/a

    Participants

    • CIO/ head of IT/ initiative lead
    • IT senior leaders

    Establish baseline metrics

    Baseline metrics will be improved through:

    1. Progressing through the accessibility maturity model.
    2. Addressing accessibility earlier in processes with input from people with disabilities.
    3. Motivating behavior changes and culture that supports accessibility and disability inclusion.
    4. Ensuring compliance with regulations and standards.
    5. Focusing on experience and building a disability inclusive culture.
    Metric Definition Calculation
    Overall end-customer satisfaction The percentage of end customers who are satisfied with the IT department. Number of end customers who are satisfied / Total number of end customers
    Requests for accommodation or assistive technology fulfilled The percentage of accommodation/assistive technology requests fulfilled by the IT department. Number of requests fulfilled / Total number of requests
    Employee engagement The percentage of employees who are engaged within an organization. Number of employees who are engaged / Total number of employees
    Overall compliance status The percentage of accessibility controls in place in the IT department. The number of compliance controls in place / Total number of applicable accessibility controls

    1.1.6 Finalize key metrics*

    Finalize key metrics the organization will use to measure accessibility success.

    1. Brainstorm how you will measure the success of each goal you identified in the previous activity, based on the benefits, challenges, and risks you previously identified.
    2. Write each of the metric ideas down and finalize three to five key metrics which you will track. The metrics you choose should relate to the key challenges or risks you have identified and match your desired maturity level and driver.
    3. Document your key metrics on slide 15 of your IT Manager Meeting Templateand slide 23 of the Departmental Meeting Template.

    Input

    • Accessibility challenges and benefits
    • Goals from activity 1.2.2

    Output

    • Three to five key metrics to track

    Materials

    • n/a

    Participants

    • IT leadership team
    • Project lead/sponsor

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activity 2.2.2.

    Use Info-Tech's template to communicate with IT managers

    Cascade messages down to IT managers next. This ensures they will have time to internalize the change before communicating it to others.

    Communicate with and build the accessibility plan with IT managers by customizing Info-Tech's IT Manager Meeting Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.

    It includes:

    • Project scope and objectives
    • Current state analysis
    • Compliance planning
    • Commitment statement drafting

    IT Manager Meeting Template

    Download the IT Manager Meeting Template

    Info-Tech Insight

    Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier.

    1.1.7 Prepare a meeting for IT managers

    Now that you understand your current and desired accessibility maturity, the next step is to communicate with IT managers and begin planning your initiatives.

    Know your audience:

    1. Consider who will be included in your presentation audience.
    2. You want your presentation to be succinct and hard-hitting. Managers are under huge demands and time is tight, they will lose interest if you drag out the delivery.
    3. Contain the presentation and planning activities to no more than an afternoon. You want to ensure adequate time for questions and answers, as well as the planning activities necessary to inform the roll out to the larger IT department later.
    4. Schedule a meeting with the IT managers.

    Download the IT Manager Meeting Template

    Input

    • Activity results

    Output

    • A completed presentation to communicate your accessibility initiatives to IT managers

    Materials

    • IT Manager Meeting Template

    Participants

    • CIO/ head of IT/ initiative lead
    • IT senior leaders
    • IT managers

    Step 1.2

    Build the IT accessibility action plan.

    Activities

    1.2.1 Assess current accessibility compliance and mitigation

    1.2.2 Decide on your priorities

    1.2.3 Add priorities to the roadmap

    1.2.4 Write an IT accessibility commitment statement

    Planning IT's accessibility requirements

    This step involves the following participants:

    • CIO/ head of IT/ initiative lead
    • IT senior leaders
    • IT managers

    Outcomes of this step

    • Priority controls and mitigation list with identified control owners.
    • IT accessibility commitment statement.
    • Draft visualization of roadmap/sunrise diagram.

    Involve managers in assessing current compliance

    To know what work needs to happen you need to know what's already happening.

    Use the spreadsheet from activity 1.1.3 where you identified which controls apply to your organization.

    Have managers work in groups to identify which controls (of the applicable ones) are currently being met and which ones have an existing mitigation plan.

    Info-Tech Insight

    Based on EN 301 549 V3.2.1 (2021-03) as a basis for digital accessibility conformance. This tool is designed to assist you in building a priorities list of requirements that are applicable to your organization. EN 301 549 is currently the most robust accessibility regulation and encompasses other regulations within it. Although EN 301 549 is the European Standard, other countries are leaning on it as the standard they aspire to as well.

    This is an image of the Compliance Tracing Tool, with a green box drawn around the columns for Current Compliance, and Mitigation.

    1.2.1 Assess current accessibility compliance and mitigation

    1-3 hours

    1. Share the Accessibility Compliance Tracking Tool with the IT leaders and managers during the meeting with IT management that you scheduled in activity 1.1.7.
    2. Break into smaller groups (or if too small, continue as a single group):
      1. Divide up the controls between the small groups to work on assessing current compliance and mitigation plans.
      2. For each control that is identified as applying to your organization, identify if there currently is compliance by selecting "yes" from the drop-down. For controls where the organization is not compliant, select "no" and identify if there is a mitigation plan in place by selecting "yes" or "no" in column L.
      3. Use the comments column to add any pertinent information regarding the control.

    Input

    • List of IT compliance requirements applicable to the org. from activities 1.1.2 and 1.1.3

    Output

    • List of IT compliance requirements that have current compliance or mitigation plans

    Materials

    • Accessibility Compliance Tracking Tool

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Download the Accessibility Compliance Tracking Tool

    Involve managers in building accountability into the accessibility plan

    Building accountability into your compliance tracking will help ensure accessibility is prioritized.

    Use the spreadsheet from activity 1.3.1.

    Have managers work in the same groups to prioritize controls by assigning a quarterly timeline for compliance.

    An image of the Compliance Tracking tool, with the timeline column highlighted in green.

    1.2.2 Decide on your priorities

    1-3 hours

    1. In the same groups used in activity 1.2.1, prioritize the list of controls that have no compliance and no mitigation plan.
    2. As you work through the spreadsheet again, assign a timeline using the drop-down menu in column M for each control that applies to the organization and has no current compliance. Consider the following in your prioritization:
      1. Does the control impact customers or is it public-facing?
      2. What are the business needs related to accessibility?
      3. Does the team currently have the skills and knowledge needed to address the control?
      4. What future state accessibility maturity are you targeting?
    3. Be prepared to review with the larger group.

    Input

    • List from activity 1.2.1
    • Business needs from activity 1.1.1

    Output

    • List of IT compliance requirements with accountability timelines

    Materials

    • Accessibility Compliance Tracking Tool

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Download the Accessibility Compliance Tracking Tool

    Review your timeline

    Don't overload your team. Make sure the timelines assigned in the breakout groups make sense and are realistic.

    A screenshot of the Accessibility Compliance Dashboard.

    Download the Accessibility Compliance Tracking Tool

    Empty roadmap template

    An image of an empty Roadmap Template.

    1.2.3 Add priorities to the roadmap

    1 hour

    1. Using the information entered in the compliance tracking spreadsheet during activities 1.2.1 and 1.2.2, build a visual representation to capture your strategic initiatives over time, using themes and timelines. Consider group initiatives in four categories, technology, people, process, and other.
    2. Copy and paste the controls onto the roadmap from the Accessibility Compliance Tracking Toolto the desired time quadrant on the roadmap.
    3. Set your desired timelines by changing the Q1-Q4 blocks (set the timelines that make sense for your situation).

    Input

    • Output of activity 1.2.2
    • Roadmap template
    • Other departmental project plans and timelines

    Output

    • Visual roadmap of accessibility compliance controls

    Materials

    • n/a

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Communicate commitment

    Support people leaders in leading by example with an accessibility commitment statement.

    A commitment statement communicates why accessibility and disability inclusion are important and guides behaviors toward the ideal state. The statement will guide and align work, build accountability, and acknowledge the dedication of the leadership team to accessibility and disability inclusion. The statement will:

    • Publicly commit the team to fostering disability inclusivity.
    • Highlight related values and goals of the team or organization.
    • Set expectations.
    • Help build trust and increase feelings of belonging.
    • Connect the necessary changes (people, process, and technology related) to organization strategy.

    Take action! Writing the statement is only the first step. It takes more than words to build accessibility and make your work environment more disability inclusive.

    Info-Tech Insight

    Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier.

    Sample accessibility commitment statements

    theScore

    "theScore strives to provide products and services in a way that respects the dignity and independence of persons with disabilities. We are committed to giving persons with disabilities the same opportunity to access our products and services and allowing them to benefit from the same services, in the same place and in a similar way as other clients. We are also committed to meeting the needs of persons with disabilities in a timely manner, and we will meet applicable legislative requirements for preventing and removing barriers."(1)

    Apple Canada

    "Apple Canada is committed to ensuring equal access and participation for people with disabilities. Apple Canada is committed to treating people with disabilities in a way that allows them to maintain their dignity and independence. Apple Canada believes in integration and is committed to meeting the needs of people with disabilities in a timely manner. Apple Canada will do so by removing and preventing barriers to accessibility and meeting accessibility requirements under the AODA and provincial and federal laws across Canada." (2)

    Google Canada

    "We are committed to meeting the accessibility needs of people with disabilities in a timely manner, and will do so by identifying, preventing and removing barriers to accessibility, and by meeting the accessibility requirements under the AODA." (3)

    Source 1: theScore
    Source 2: Apple Canada
    Source 3: Google Canada.

    1.2.4 Write an IT accessibility commitment statement

    45 minutes

    1. As a group, brainstorm the key reasons and necessity for disability inclusion and accessibility for your organization, and the drivers and behaviors required. Record the ideas brainstormed by the group.
    2. Break into smaller groups or pairs (or if too small, continue as a single group):
      • Each group uses the brainstormed ideas to draft an accessibility commitment statement.
    3. Each smaller group shares their statement with the larger group and receives feedback. Smaller groups redraft their statements based on the feedback.
    4. Post each redrafted statement and provide each person two dot stickers to place on the two statements that resonate the most with them.
    5. Using the two statements with the highest number of dot votes, write the final accessibility commitment statement.
    6. Add the commitment statement to slide 18 of the Departmental Meeting Template.

    Input

    • Business objectives
    • Risks related to accessibility
    • Target future accessibility maturity

    Output

    • IT accessibility commitment statement

    Materials

    • Whiteboard/flip charts
    • Dot stickers or other voting mechanism

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Phase 2

    Change Enablement for Accessibility.

    Phase 1

    Phase 2

    1.1 Determine accessibility requirements of IT

    1.2 Build IT accessibility plan

    2.1 Build awareness

    2.2 Support new behaviors

    2.3 Continuous reinforcement

    This phase will walk you through the following activities:

    • Clarifying key messages
    • IT department accessibility presentation
    • Establishing a frequency and timeframe for communications
    • Obtaining feedback
    • Sustainment plan

    This phase involves the following participants:

    • CIO
    • IT senior leaders
    • IT managers
    • Other key business stakeholders
    • Marketing and communications team

    Be experience driven

    Building awareness and focusing on experience helps move along the accessibility maturity framework. Shifting from mandate to movement.

    In this phase, start to move beyond compliance. Build the IT team's understanding of accessibility, disability inclusion, and their role.
    Communicate the following messages to your team:

    • The motivation behind the change.
    • The reasons for the change.
    • And encourage feedback.

    Info-Tech Accessibility Maturity Framework

    an image of the Info-Tech Accessibility Maturity Framework

    Info-Tech Insight

    Compliance is the minimum; the people and behavior changes are the harder part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier. Communicate, communicate, and communicate some more.

    What is an organizational change?

    Before communicating, understand the degree of change.

    Incremental Change:

    • Changes made to improve current processes or systems (e.g. optimizing current technology).

    Transitional Change:

    • Changes that involve dismantling old systems and/or processes in favor of new ones (e.g. new product or services added).

    Transformational Change:

    • Significant change in organizational strategy or culture resulting in substantial shift in direction.

    Examples:

    • New or changed policy
    • Switching from on-premises to cloud-first infrastructure
    • Implementing ransomware risk controls
    • Implementing a Learning and Development Plan

    Examples:

    • Moving to an insourced or outsourced service desk
    • Developing a BI and analytics function
    • Integrating risk into organization risk
    • Developing a strategy (technology, architecture, security, data, service, infrastructure, application)

    Examples:

    • Organizational redesign
    • Acquisition or merger of another organization
    • Implementing a digital strategy
    • A new CEO or board taking over the organization's direction

    Consider the various impacts of the change

    Invest time at the start to develop a detailed understanding of the impact of the change. This will help to create a plan that will simplify the change and save time. Evaluate the impact from a people, process, and technology perspective.

    Leverage a design thinking principle: Empathize with the stakeholder – what will change?

    People

    Process Technology
    • Team structure
    • Reporting structure
    • Career paths
    • Job skills
    • Responsibilities
    • Company vision/mission
    • Number of FTE
    • Culture
    • Training required
    • Budget
    • Work location
    • Daily workflow
    • Working conditions
    • Work hours
    • Reward structure
    • Required number of completed tasks
    • Training required
    • Required tools
    • Required policies
    • Required systems
    • Training required

    Change depends on how well people understand it

    Help people internalize what they can do to make the organization more inclusive.

    Anticipate responses to change:

    1. Emotional reaction – different people require different styles of management to guide them through the change. Individual's may have different emotions at different times during the change process. The more easily you can identify persona characteristics, the better you can manage them.
    2. Level of impact – the higher level of change on an individual's day-to-day, the more difficult it will be to adjust to the change. The more impactful the change, the more time focused on people management.

    an image showing staff personas at different stages through the change process.

    Quickly assess the size of change by answering these questions:

    1. Will the change affect your staff's daily work?
    2. Is the change high urgency?
    3. Is there a change in reporting relationships?
    4. Is there a change in skills required for staff to be successful?
    5. Will the change modify entrenched cultural practices?
    6. Is there a change in the mission or vision of the role?

    If you answered "Yes" to two or more questions, the change is bigger than you think. Your staff will feel the impact.

    Ensure effective communication by focusing on four key elements

    1. Audience
    • Stakeholders (either groups or individuals) who will receive the communication.
  • Message
    • Information communicated to impacted stakeholders. Must be rooted in a purpose or intent.
  • Messenger
    • Person who delivers the communication to the audience. The communicator and owner are two different things.
  • Channel
    • Method or channel used to communicate to the audience.
  • Step 2.1

    Build awareness and define key messages for IT.

    This step involves the following participants:

    • IT leadership team
    • Marketing/communications (optional)

    Outcomes of this step

    • Key accessibility messages

    Determine the desired outcome of communicating within IT

    This phase is focused on communicating within IT. All communication has an overall goal. This outcome or purpose of communicating is often dependent on the type of influence the stakeholder wields within the organization as well as the type of impact the change will have on them. Consider each of the communication outcomes listed below.

    Communicating within IT

    • Obtain buy-in
    • Inform about the IT change
    • Create a training plan
    • Inform about department changes
    • Inform about organization changes
    • Inform about a crisis
    • Obtain adoption related to the change
    • Distribute key messages to change agents

    Departmental Meeting Template

    Departmental Meeting Template

    Accessibility Quick Cards

    Accessibility Quick Cards

    Establish and define key messages based on organizational objectives

    What are key messages?

    1. Key messages guide all internal communications to ensure they are consistent, unified, and straightforward.
    2. Distill key messages down from organizational objectives and use them to reinforce the organization's strategic direction. Key messages should inspire employees to act in a way that will help the organization reach its objectives.

    How to establish key messages

    Ground key messages in organizational strategy and culture. These should be the first places you look to determine the organization's key messages:

    • Refer to organizational strategy documents. What needs to be reinforced in internal communications to ensure the organization can achieve its strategy? This is a key message.
    • Look at the organization's values. How do values guide how work should be done? Do employees need to behave in a certain way or keep a certain value top of mind? This is a key message.

    The intent of key messages is to convey important information in a way that is relatable and memorable, to promote reinforcement, and ultimately, to drive action.

    Info-Tech Insight

    Empathizing with the audience is key to anticipating and addressing objections as well as identifying benefits. Customize messaging based on audience attributes such as work model (e.g. hybrid), anticipated objections, what's in it for me?, and specific expectations.

    2.1.1 Clarify the key messages

    30 minutes

    1. Brainstorm the key stakeholders and target audiences you will likely need to communicate with to sustain the accessibility initiative (depending on the size of your group, you might break into pairs or smaller groups and each work on one target audience).
    2. Based on the outcome expected from engaging the target audience in communications, define one to five key messages that should be expressed about accessibility.
    3. The key messages should highlight benefits anticipated, concerns anticipated, details about the change, plan of action, or next steps. The goal here is to ensure the target audience is included in the communication process.
    4. The key messages should be focused on how the target audience receives a consistent message, especially if different communication messengers are involved.
    5. Document the key messages on Tab 3 of the Communications Planner Tool.

    Download the Communications Planner Tool

    Input

    • The change
    • Target audience
    • Communication outcomes

    Output

    • Key messages to support a consistent approach

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • IT leadership team
    • Marketing/communications partner (optional)

    Step 2.2

    Support new behaviors.

    Activities

    2.2.1 Prepare for IT department meeting

    2.2.2 Practice delivery of your presentation

    2.2.3 Hold department meeting

    This step involves the following participants:

    • Entire IT department

    Outcomes of this step

    • IT departmental meeting slides
    • Accessibility quick cards
    • Task list of how each IT team will support the accessibility roadmap

    Key questions to answer with change communication

    To effectively communicate change, answer questions before they're asked, whenever possible. To do this, outline at each stage of the change process what's happening next for the audience, as well as answer other anticipated questions. Pair key questions with core messages.

    Examples of key questions by change stage include:

    The outline for each stage of the change process, showing what happens next.

    2.2.1 Prepare for the IT departmental meeting

    2 hours

    1. Download the IT Department Presentation Template and follow the instructions on each slide to update for your organization.
    2. Insert information on the current accessibility maturity level. If you haven't determined your current and future state maturity level, use the Info-Tech resource from The Accessibility Business Case for IT.
    3. Review the presentation with the information added.
    4. Consider what could be done to make the presentation better:
      1. Concise: Identify opportunities to remove unnecessary information.
      2. Clear: It uses only terms or language the target audience would understand.
      3. Relevant: It matters to the target audience and the problems they face.
      4. Consistent: The message could be repeated across audiences.
    5. Schedule a departmental meeting or add the presentation to an existing departmental meeting.

    Download the Departmental Presentation Template

    Input

    • Organizational accessibility risks
    • Accessibility maturity current state
    • Outputs from manager presentation
    • Key messages

    Output

    • Prepared presentation to introduce accessibility to the entire IT department

    Materials

    • Departmental Presentation Template

    Participants

    • CIO/ head of IT/ CAO/ initiative leader

    Hone presentation skills before meeting with key stakeholders

    Using voice and body

    Think about the message you are trying to convey and how your body can support that delivery. Hands, stance, frame – all have an impact on what might be conveyed.

    If you want your audience to lean in and be eager about your next point, consider using a pause or softer voice and volume.

    Be professional and confident

    State the main points of your presentation confidently. While this should be obvious, it is essential. Your audience should be able to clearly see that you believe the points you are stating.

    Present in a way that is genuine to you and your voice. Whether you have an energetic personality or calm and composed personality, the presentation should be authentic to you.

    Connect with your audience

    Look each member of the audience in the eye at least once during your presentation. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention.

    Avoid reading from your slides. If there is text on a slide, paraphrase it while maintaining eye contact.

    Info-Tech Insight

    You are responsible for the response of your audience. If they aren't engaged, it is on you as the communicator.

    2.2.2 Practice delivery of your presentation and schedule department meeting

    45 minutes

    1. Take ten minutes to think about how to deliver your presentation. Where will you emphasize words, speak louder, softer, lean in, stand tall, make eye contact, etc.?
    2. Set a timer on your phone or watch. Record yourself if possible.
    3. Take a few seconds to center yourself and prepare to deliver your pitch.
    4. Practice delivery of your presentation out loud. Don't forget to use your body language and your voice to deliver.
    5. Listen to the recording. Are the ideas communicated correctly? Are you convinced?
    6. Review and repeat.

    Input

    • Presentation deck from activity 2.2.1
    • Best practices for delivering

    Output

    • An ability to deliver the presentation in a clear and concise manner that creates understanding

    Materials

    • Recorder
    • Timer

    Participants

    • CIO/ head of IT/ initiative leader

    2.2.3 Lead the IT department meeting

    1–2 hours

    1. Gather the IT department in a manner appropriate for your organization and facilitate the meeting prepared in activity 2.2.1.
    2. Within the meeting, capture all key action items and outcomes from the Quick Cards Development and Roadmap Planning.
    3. Following the meeting, review the quick cards that everyone built and share these with all IT participants.
    4. Update your sunrise diagram to include any initiatives that came up in the team meetings to support moving to experiential.

    Input

    • Presentation deck from activity 2.2.1

    Output

    • A shared understanding of accessibility at your organization and everyone's role
    • Area task list (including behavior change needs)
    • Accessibility quick cards

    Materials

    Participants

    • CIO/ head of IT/ initiative leader

    Download the Accessibility Quick Cards template

    Step 2.3

    Continuous reinforcement – keep the conversation going – sustain the change.

    Activities

    2.3.1 Establish a frequency and timeframe for communications

    2.3.2 Obtain feedback and improve

    2.3.3 Sustainment plan

    This step involves the following participants:

    • CIO/ head of IT/ initiative lead
    • IT leadership team

    Outcomes of this step

    • Assigned roles for ongoing program monitoring
    • Communication plan
    • Accessibility maturity monitoring plan
    • Program evaluation

    Communication is ongoing before, during, and after implementing a change initiative

    Just because you've rolled out the plan doesn't mean you can stop talking about it.

    An image of the five steps, with steps four and five highlighted in a green box. The five headings are: Identify and Prioritize; Prepare for initiative; Create a communication plan; Implement change; Sustain the desired outcome

    Don't forget: Cascade messages down through the organization to ensure those who need to deliver messages have time to internalize the change before communicating it to others. Include a mix of personal and organizational messages, but where possible, separate personal and organizational content into different communications.

    2.3.1 Establish a frequency and timeframe

    30 minutes

    1. For each row in Tab 3, determine how frequently that communication needs to take place and when that communication needs to be completed by.
      • Frequency: How often the communication will be delivered to the audience (e.g. one-time, monthly, as needed).
      • Timeframe: When the communication will be delivered to the audience (e.g. a planned period or a specific date).
    2. When selecting the timeframe, consider what dependencies need to take place prior to that communication. For example, IT employees should not be communicated with on anything that has not yet been approved by the CEO. Also consider when other communications might be taking place so that the message is not lost in the noise.
    3. For frequency, the only time that a communication needs to take place once is when presenting up to senior leaders of the organizations. And even then, it will sometimes require more than one conversation. Be mindful of this.

    Input

    • The change
    • Target audience
    • Communication outcome
    • Communication channel

    Output

    • Frequency and timeframe of the communication

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • Changes based on those who would be relevant to your initiative

    Download the Communications Planner Tool

    Ensure feedback mechanisms are in place

    Soliciting and acting on feedback involves employees in the decision-making process and demonstrates to them that their contributions matter.

    Make sure you have established feedback mechanisms to collect feedback on both the messages delivered and how they were delivered. Some ways to collect feedback include:

    • Evaluating intranet comments and interactions (e.g. likes, etc.) if this function is enabled.
    • Measuring comprehension and satisfaction through surveys and polls.
    • Looking for themes in the feedback and questions employees bring forward to managers during in-person briefings.

    Feedback Mechanisms:

    • CIO business vision survey
    • Engagement surveys
    • Focus groups
    • Suggestion boxes
    • Team meetings
    • Random sampling
    • Informal feedback
    • Direct feedback
    • Audience body language
    • Repeating the message back

    Gather feedback on plan and iterate

    Who

    The project team gathers feedback from:

    • As many members of impacted groups as possible, as it helps build broad buy-in for the plan.
    • All levels (e.g. frontline employees, managers, directors).

    What

    Gather feedback on:

    • How to implement tactics successfully.
    • The timing of implementation (helps inform the next slide).
    • The resources required (helps inform the next slide).
    • Potential unforeseen impacts, questions, and concerns.

    How

    • Use focus groups to gather feedback.
    • Adjust sustainment plan based on feedback.

    Use Info-Tech's Standard Focus Group Guide

    2.3.2 Obtain feedback and improve

    20 minutes

    1. Evenly distribute the number of rows in the communication plan to all those involved. Consider a metric that would help inform whether the communication outcome was achieved.
    2. For each row, identify a feedback mechanism (slide 75) that could be used to enable the collection and confirm a successful outcome.
    3. Come back as a group and validate the feedback mechanisms selected.
    4. The important aspect here is not just to measure if the desired outcome was achieved. If the desired outcome is not achieved, consider what you might do to change or enable better communication to that target audience.
    5. Every communication can be better. Feedback, whether it be tactical or strategic, will help inform methods to improve future communication activities.

    Input

    • Communication outcome
    • Target audience
    • Communication channel

    Output

    • A mechanism to measure communication feedback and adjust future communications when necessary

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • Changes based on those who would be relevant to your initiative

    Download the Communications Planner Tool

    Identify owners and assign other roles

    • Eventually there needs to be a hand off to leaders to sustain accessibility. Senior leaders continue to play the role of guide and facilitator, helping the team identify owners and transfer ownership.
    • Guide the team to work with owners to assign roles to other stakeholders. Spread responsibility across multiple people to avoid overload.

    R

    Responsible
    Carries out the work to implement the component (e.g. payroll manager).

    A

    Accountable
    Owner of the component and held accountable for its implementation (e.g. VP of finance).

    C

    Consulted
    Asked for feedback and input to modify sustainment tactics (e.g. sustainment planning team).

    I

    Informed
    Told about progress of implementation (senior leadership team, impacted staff).

    Identify required resources and secure budget

    Sustainment is critical to success of accessibility

    • This step (i.e. sustainment) often gets overlooked because leaders are focused on the implementation. It takes resources and budget to sustain a plan and change as well.
    • Resorting to the old way is more likely to occur when you don't plan to support sustainment with ongoing resources and budget that's required.

    Resources

    Identify resources required for sustainment components using metrics and input from implementation owners, subject matter experts, and frontline managers.

    For example:

    • Inventory
    • Collateral for communications
    • Technology
    • Physical space
    • People resources (FTE)

    Budget

    Estimate the budget required for resources based on past projects that used similar resources, and then estimate the time it will take until the change evolves into "business as usual" (e.g. 6 months, 12 months).

    Monitor accessibility maturity

    If you haven't already performed the Accessibility Maturity Assessment, complete it in the wake of the accessibility initiative to assess improvements and progress toward target future accessibility maturity.
    As your accessibility program starts to scale out over a range of projects, revisit the assessment on a quarterly or bi-annual basis to help focus your improvement efforts across the six accessibility categories.

    • Vendor relations
    • Products and services
    • Policy and process
    • Support and accommodation
    • Communication
    • People and culture

    Info-Tech Insight

    To drive continual improvement of your organizational accessibility and disability inclusion, continue to share progress, wins, challenges, feedback, and other accessibility related concerns with stakeholders. At the end of the day, IT's efforts to become a change leader and support organizational accessibility will come down to stakeholder perceptions based upon employee morale and benefits realized.

    Download the Accessibility Maturity Assessment

    An image of the maturity level bar graph.

    Evaluate and iterate the program on an ongoing basis

    1. Continually monitor the results of project metrics.
      • Track progress toward goals and metrics set at the beginning of the initiative to gauge the success of the program.
      • Analyze metrics at the work-unit level to highlight successes and challenges in accessibility and disability inclusion and the parameters around it for each impacted unit.
    2. Regularly gather feedback on program effectiveness using questions such as:
      • Has the desired culture been effectively communicated and leveraged, or has the culture changed?
      • Collect feedback through regular channels (e.g. manager check-ins) and set up a cadence to survey employees on the program (e.g. three months after rollout and then annually).
    3. Determine if changes to the program structure are needed.
      • Revisit the accessibility maturity framework and the compliance requirements of IT. Understand what is being experienced; it may be necessary to select a different target or adjust the parameters to mitigate the common challenges.
      • Evaluate the effectiveness of current internal processes to determine if the program would benefit from a dedicated resource.

    2.3.3 Sustain the change

    1. Identify who will own what pieces of the program going forward and assign roles to transition the initiative from implementation to the new normal.
    2. Continue to communicate with stakeholders about accessibility and disability inclusion initiatives, controls, and requirements.
    3. Identify required resources and secure any budget that will be needed to support the accessibility program. Think about employee training, consulting needs, assistive technology requirements, human resources (FTE), etc.
    4. Continue to monitor your accessibility maturity. Use the Accessibility Maturity Assessment tool to periodically evaluate progress on goals and targets. Also, use this tool to communicate progress with senior leaders and executives.
    5. Strive for continuous improvement by evaluating and iterating the program on an ongoing basis.

    Input

    • Activity outputs from this blueprint

    Output

    • Ongoing continuous improvement and progress related to accessibility
    • Demonstrable results

    Materials

    • n/a

    Participants

    • CIO/ head of IT/ initiative Lead
    • IT senior leaders
    • IT managers

    Related Info-Tech Research

    The Accessibility Business Case for IT

    • Take away the overwhelm that many feel when they hear "accessibility" and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization's key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    Lead Staff through Change

    • Anticipate and respond to staff questions about the change in order to keep messages consistent, organized, and clear.
    • Manage staff based on their specific concerns and change personas to get the best out of your team during the transition through change.
    • Maintain a feedback loop between staff, executives, and other departments in order to maintain the change momentum and reduce angst throughout the process.

    IT Diversity and Inclusion Tactics

    • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
    • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

    Implement and Mature Your User Experience Design Practice

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.

    Works cited

    "2021 State of Digital Accessibility." Level Access, n.d. Accessed 10 Aug. 2022
    "Apple Canada Accessibility Policy & Plan." Apple Canada, 11 March 2019. .
    Casey, Caroline. "Do Your D&I Efforts Include People With Disabilities?" Harvard Business Review, 19 March 2020. Accessed 28 July 2022.
    Digitalisation World. "Organisations failing to meet digital accessibility standards." Angel Business Communications, 19 May 2022. Accessed Oct. 2022.
    "disability." Merriam-Webster.com Dictionary, Merriam-Webster, . Accessed 10 Aug. 2022.
    "Disability." World Health Organization, 2022. Accessed 10 Aug 2022.
    "Google Canada Corporation Accessibility Policy and Multi Year Plan." Google Canada, June 2020. .
    Hypercontext. "The State of High Performing Teams in Tech 2022." Hypercontext. 2022..
    Lay-Flurrie, Jenny. "Accessibility Evolution Model: Creating Clarity in your Accessibility Journey." Microsoft, 2023. <https://blogs.microsoft.com/accessibility/accessibility-evolution-model/>.
    Maguire, Jennifer. "Applause 2022 Global Accessibility Survey Reveals Organizations Prioritize Digital Accessibility but Fall Short of Conformance with WCAG 2.1 Standards." Business Wire, 19 May 2022. . Accessed 2 January 2023.
    "The Business Case for Digital Accessibility." W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.
    "THESCORE's Commitment to Accessibility." theScore, May 2021. .
    "The WebAIM Million." Web AIM, 31 March 2022. Accessed 28 Jul. 2022.
    Washington, Ella F. "The Five Stages of DEI Maturity." Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.
    Web AIM. "The WebAIM Million." Institute for Disability Research, Policy, and Practice, 31 March 2022. Accessed 28 Jul. 2022.

    Mitigate Machine Bias

    • Buy Link or Shortcode: {j2store}343|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $9,549 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • AI is the new electricity. It is fundamentally and radically changing the fabric of our world, from the way we conduct business, to how we work and live, make decisions, and engage with each other, to how we organize our society, and ultimately, to who we are. Organizations are starting to adopt AI to increase efficiency, better engage customers, and make faster, more accurate decisions.
    • Like with any new technology, there is a flip side, a dark side, to AI – machine biases. If unchecked, machine biases replicate, amplify, and systematize societal biases. Biased AI systems may treat some of your customers (or employees) differently, based on their race, gender, identity, age, etc. This is discrimination, and it is against the law. It is also bad for business, including missed opportunities, lost consumer confidence, reputational risk, regulatory sanctions, and lawsuits.

    Our Advice

    Critical Insight

    • Machine biases are not intentional. They reflect the cognitive biases, preconceptions, and judgement of the creators of AI systems and the societal structures encoded in the data sets used for machine learning.
    • Machine biases cannot be prevented or fully eliminated. Early identification and diversity in and by design are key. Like with privacy and security breaches, early identification and intervention – ideally at the ideation phase – is the best strategy. Forewarned is forearmed. Prevention starts with a culture of diversity, inclusivity, openness, and collaboration.
    • Machine bias is enterprise risk. Machine bias is not a technical issue. It is a social, political, and business problem. Integrate it into your enterprise risk management (ERM).

    Impact and Result

    • Just because machine biases are induced by human behavior, which is also captured in data silos, they are not inevitable. By asking the right questions upfront during application design, you can prevent many of them.
    • Biases can be introduced into an AI system at any stage of the development process, from the data you collect, to the way you collect it, to which algorithms are used, to which assumptions are made, etc. Ask your data science team a lot of questions; leave no stone unturned.
    • Don’t wait until “Datasheets for Datasets” and “Model Cards for Model Reporting” (or similar frameworks) become standards. Start creating these documents now to identify and analyze biases in your apps. If using open-source data sets or libraries, you may need to create them yourself for now. If working with partners or using AI/ ML services, demand that they provide such information as part of the engagement. You, not your partners, are ultimately responsible for the AI-powered product or service you deliver to your customers or employees.
    • Build a culture of diversity, transparency, inclusivity, and collaboration – the best mechanism to prevent and address machine biases.
    • Treat machine bias as enterprise risk. Use your ERM to guide all decisions around machine biases and their mitigation.

    Mitigate Machine Bias Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand the dark side of AI: algorithmic (machine) biases, how they emerge, why they are dangerous, and how to mitigate them. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand AI biases

    Learn about machine biases, how and where they arise in AI systems, and how they relate to human cognitive and societal biases.

    • Mitigate Machine Bias – Phase 1: Understand AI Biases

    2. Identify data biases

    Learn about data biases and how to mitigate them.

    • Mitigate Machine Bias – Phase 2: Identify Data Biases
    • Datasheets for Data Sets Template
    • Datasheets for Datasets

    3. Identify model biases

    Learn about model biases and how to mitigate them.

    • Mitigate Machine Bias – Phase 3: Identify Model Biases
    • Model Cards for Model Reporting Template
    • Model Cards For Model Reporting

    4. Mitigate machine biases and risk

    Learn about approaches for proactive and effective bias prevention and mitigation.

    • Mitigate Machine Bias – Phase 4: Mitigate Machine Biases and Risk
    [infographic]

    Workshop: Mitigate Machine Bias

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare

    The Purpose

    Understand your organization’s maturity with respect to data and analytics in order to maximize workshop value.

    Key Benefits Achieved

    Workshop content aligned to your organization’s level of maturity and business objectives.

    Activities

    1.1 Execute Data Culture Diagnostic.

    1.2 Review current analytics strategy.

    1.3 Review organization's business and IT strategy.

    1.4 Review other supporting documentation.

    1.5 Confirm participant list for workshop.

    Outputs

    Data Culture Diagnostic report.

    2 Understand Machine Biases

    The Purpose

    Develop a good understanding of machine biases and how they emerge from human cognitive and societal biases. Learn about the machine learning process and how it relates to machine bias.

    Select an ML/AI project and complete a bias risk assessment.

    Key Benefits Achieved

    A solid understanding of algorithmic biases and the need to mitigate them.

    Increased insight into how new technologies such as ML and AI impact organizational risk.

    Customized bias risk assessment template.

    Completed bias risk assessment for selected project.

    Activities

    2.1 Review primer on AI and machine learning (ML).

    2.2 Review primer on human and machine biases.

    2.3 Understand business context and objective for AI in your organization.

    2.4 Discuss selected AI/ML/data science project or use case.

    2.5 Review and modify bias risk assessment.

    2.6 Complete bias risk assessment for selected project.

    Outputs

    Bias risk assessment template customized for your organization.

    Completed bias risk assessment for selected project.

    3 Identify Data Biases

    The Purpose

    Learn about data biases: what they are and where they originate.

    Learn how to address or mitigate data biases.

    Identify data biases in selected project.

    Key Benefits Achieved

    A solid understanding of data biases and how to mitigate them.

    Customized Datasheets for Data Sets Template.

    Completed datasheet for data sets for selected project.

    Activities

    3.1 Review machine learning process.

    3.2 Review examples of data biases and why and how they happen.

    3.3 Identify possible data biases in selected project.

    3.4 Discuss “Datasheets for Datasets” framework.

    3.5 Modify Datasheets for Data Sets Template for your organization.

    3.6 Complete datasheet for data sets for selected project.

    Outputs

    Datasheets for Data Sets Template customized for your organization.

    Completed datasheet for data sets for selected project.

    4 Identify Model Biases

    The Purpose

    Learn about model biases: what they are and where they originate.

    Learn how to address or mitigate model biases.

    Identify model biases in selected project.

    Key Benefits Achieved

    A solid understanding of model biases and how to mitigate them.

    Customized Model Cards for Model Reporting Template.

    Completed model card for selected project.

    Activities

    4.1 Review machine learning process.

    4.2 Review examples of model biases and why and how they happen.

    4.3 Identify potential model biases in selected project.

    4.4 Discuss Model Cards For Model Reporting framework.

    4.5 Modify Model Cards for Model Reporting Template for your organization.

    4.6 Complete model card for selected project.

    Outputs

    Model Cards for Model Reporting Template customized for your organization.

    Completed model card for selected project.

    5 Create Mitigation Plan

    The Purpose

    Review mitigation approach and best practices to control machine bias.

    Create mitigation plan to address machine biases in selected project. Align with enterprise risk management (ERM).

    Key Benefits Achieved

    A solid understanding of the cultural dimension of algorithmic bias prevention and mitigation and best practices.

    Drafted plan to mitigate machine biases in selected project.

    Activities

    5.1 Review and discuss lessons learned.

    5.2 Create mitigation plan to address machine biases in selected project.

    5.3 Review mitigation approach and best practices to control machine bias.

    5.4 Identify gaps and discuss remediation.

    Outputs

    Summary of challenges and recommendations to systematically identify and mitigate machine biases.

    Plan to mitigate machine biases in selected project.

    Marketing Management Suite Software Selection Guide

    • Buy Link or Shortcode: {j2store}552|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Selecting and implementing the right MMS platform – one that aligns with your requirements is a significant undertaking.
    • Despite the importance of selecting and implementing the right MMS platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for an MMS platform that doesn’t deliver on the promise of the MMS strategy.

    Our Advice

    Critical Insight

    • MMS platform selection must be driven by your overall customer experience management strategy. Link your MMS selection to your organization’s CXM framework.
    • Determine what exactly you require from your MMS platform; leverage use cases to help guide selection.
    • Ensure strong points of integration between your MMS and other software such as CRM and POS. Your MMS solution should not live in isolation; it must be part of a wider ecosystem.

    Impact and Result

    • An MMS platform that effectively meets business needs and delivers value.
    • Reduced costs during MMS vendor platform selection and faster time to results after implementation.

    Marketing Management Suite Software Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Marketing Management Suite Software Selection Guide – A deck that walks you through the process of building your business case and selecting the proper MMS platform.

    This blueprint will help you build a business case for selecting the right MMS platform, define key requirements, and conduct a thorough analysis and scan of the current state of the ever-evolving MMS market space.

    • Marketing Management Suite Software Selection Guide Storyboard
    [infographic]

    Further reading

    Marketing Management Suite Software Selection Guide

    Streamline your organizational approach to selecting a right-sized marketing management platform.

    Analyst perspective

    A robustly configured and comprehensive MMS platform is a crucial ingredient to help kick-start your organization's cross-channel and multichannel marketing management initiatives.

    Modern marketing management suites (MMS) are imperative given today's complex, multitiered, and often non-standardized marketing processes. Relying on isolated methods such as lead generation or email marketing techniques for executing key cross-channel and multichannel marketing initiatives is not enough to handle the complexity of contemporary marketing management activities.

    Organizations need to invest in highly customizable and functionally extensive MMS platforms to provide value alongside the marketing value chain and a 360-degree view of the consumer's marketing journey. IT needs to be rigorously involved with the sourcing and implementation of the new MMS tool, and the necessary business units also need to own the requirements and be involved from the initial stages of software selection.

    To succeed with MMS implementation, consider drafting a detailed roadmap that outlines milestone activities for configuration, security, points of integration, and data migration capabilities and provides for ongoing application maintenance and support.

    This is a picture of Yaz Palanichamy

    Yaz Palanichamy
    Senior Research Analyst, Customer Experience Strategy
    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many organizations struggle with taking a systematic and structured approach to selecting a right-sized marketing management suite (MMS) – an indispensable part of managing an organization's specific and nuanced marketing management needs.
    • Organizations must define a clear-cut strategic approach to investing in a new MMS platform. Exercising the appropriate selection and implementation rigor for a right-sized MMS tool is a critical step in delivering concrete business value to sustain various marketing value chains across the organization.

    Common Obstacles

    • An MMS vendor that is not well aligned to marketing requirements wastes resources and causes an endless cascade of end-user frustration.
    • The MMS market is rapidly evolving, making it difficult for vendors to retain a competitive foothold in the space.
    • IT managers and/or marketing professionals often find themselves in the unenviable position of taking the fall for MMS platforms that fail to deliver on the promise of the overarching marketing management strategy.

    Info-Tech's Approach

    • MMS platform selection must be driven by your overall marketing management strategy. Email marketing techniques, social marketing, and/or lead management strategies are often not enough to satisfy the more sophisticated use cases demanded by increasingly complex customer segmentation levels.
    • For organizations with a large audience or varied product offerings, a well-integrated MMS platform enables the management of various complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

    Info-Tech Insight

    IT must collaborate with marketing professionals and other key stakeholder groups to define a unified vision and holistic outlook for a right-sized MMS platform.

    Info-Tech's methodology for selecting a right-sized marketing management suite platform

    1. Understand Core MMS Features

    2. Build the Business Case & Streamline Requirements

    3. Discover the MMS Market Space & Prepare for Implementation

    Phase Steps

    1. Define MMS Platforms
    2. Classify Table Stakes & Differentiating Capabilities
    3. Explore Trends
    1. Build the Business Case
    2. Streamline the Requirements Elicitation Process for a New MMS Platform
    3. Develop an Inclusive RFP Approach
    1. Discover Key Players in the Vendor Landscape
    2. Engage the Shortlist & Select Finalist
    3. Prepare for Implementation

    Phase Outcomes

    1. Consensus on scope of MMS and key MMS platform capabilities
    1. MMS platform selection business case
    2. Top-level use cases and requirements
    3. Procurement vehicle best practices
    1. Market analysis of MMS platforms
    2. Overview of shortlisted vendors
    3. Implementation considerations

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Understand what a marketing management suite is. Discuss core capabilities and key trends.

    Call #2: Build the business case
    to select a right-sized MMS.

    Call #3: Define your core
    MMS requirements.

    Call #4: Build and sustain procurement vehicle best practices.

    Call #5: Evaluate the MMS vendor landscape and short-list viable options.


    Call #6: Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The MMS procurement process should be broken into segments:

    1. Create a vendor shortlist using this buyer's guide.
    2. Define a structured approach to selection.
    3. Review the contract.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    EXECUTIVE BRIEF

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing Management Suite Software Selection Buyer's Guide

    Info-Tech Insight

    A right-sized MMS software selection and procurement decision should involve comprehensive requirements and needs analysis by not just Marketing but also other organizational units such as IT, in conjunction with input suppled from the internal vendor procurement team.

    MMS Software Selection & Vendor Procurement Journey. The three main steps are: Envision the Art of the Possible; Elicit Granular Requirements; Contextualize the MMS Vendor Market Space

    Phase 1

    Understand Core MMS Features

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Level-set an understanding of MMS technology.
    • Define which MMS features are table stakes (standard) and which are key differentiating functionalities.
    • Identify the art of the possible in a modern MMS platform from sales, marketing, and service lenses.

    This phase involves the following participants:

    • CMO
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing through the ages

    Tracing the foundational origins of marketing management practices

    Initial traction for marketing management strategies began with the need to holistically understand the effects of advertising efforts and how the media mix could be best optimized.

    1902

    1920s-1930s

    1942

    1952-1964

    1970s-1990s

    Recognizing the increasing need for focused and professional marketing efforts, the University of Pennsylvania offers the first marketing course, dubbed "The Marketing of Products."

    As broadcast media began to peak, marketers needed to manage a greater number of complex and interspersed marketing channels.

    The introduction of television ads in 1942 offered new opportunities for brands to reach consumers across a growing media landscape. To generate the highest ROI, marketers sought to understand the consumer and focus on more tailored messaging and product personalization. Thus, modern marketing practices were born.

    Following the introduction of broadcast media, marketers had to develop strategies beyond traditional spray-and-pray methods. The first modern marketing measurement concept, "marketing mix," was conceptualized in 1952 and popularized in 1964 by Neil Borden.

    This period marked the digital revolution and the new era of marketing. With the advent of new communications technology and the modern internet, marketing management strategies reached new heights of sophistication. During the early 1990s, search engines emerged to help users navigate the web, leading to early forms of search engine optimization and advertising.

    Where it's going: the future state of marketing management

    1. Increasing Complexity Driving Consumer Purchasing Decisions
      • "The main complexity is dealing with the increasing product variety and changing consumer demands, which is forcing marketers to abandon undifferentiated marketing strategies and even niche marketing strategies and to adopt a mass customization process interacting one-to-one with their customers." – Complexity, 2019
    2. Consumers Seeking More Tailored Brand Personalization
      • Financial Services marketers lead all other industries in AI application adoption, with 37% currently using them (Salesforce, 2019).
    3. The Inclusion of More AI-Enabled Marketing Strategies
      • According to a 2022 Nostro report, 70% of consumers say it is important that brands continue to offer personalized consumer experiences.
    4. Green Marketing
      • Recent studies have shown that up to 80% of all consumers are interested in green marketing strategies (Marketing Schools, 2020).

    Marketing management by the numbers

    Key trends

    6%

    As a continuously growing discipline, marketing management roles are predicted to grow faster than average, at a rate of 6% over the next decade.

    Source: U.S. Bureau of Labor Statistics, 2021

    17%

    While many marketing management vendors offer A/B testing, only 17% of marketers are actively using A/B testing on landing pages to increase conversion rates.

    Source: Oracle, 2022

    70%

    It is imperative that technology and SaaS companies begin to use marketing automation as a core component of their martech strategy to remain competitive. About 70% of technology and SaaS companies are employing integrated martech tools.

    Source: American Marketing Association, 2021

    Understand MMS table stakes features

    Organizations can expect nearly all MMS vendors to provide the following functionality

    Email Marketing

    Lead Nurturing

    Reporting, Analytics, and Marketing KPIs

    Marketing Campaign Management

    Integrational Catalog

    The use of email alongside marketing efforts to promote a business' products and services. Email marketing can be a powerful tool to maintain connections with your audience and ensure sustained brand promotion.

    The process of developing and nurturing relationships with key customer contacts at every major touchpoint in their customer journey. MMS platforms can use automated lead-nurturing functions that are triggered by customer behavior.

    The use of well-defined metrics to help curate, gather, and analyze marketing data to help track performance and improve the marketing department's future marketing decisions and strategies.

    Tools needed for the planning, execution, tracking, and analysis of direct marketing campaigns. Such tools are needed to help gauge your buyers' sentiments toward your company's product offerings and services.

    MMS platforms should generally have a comprehensive open API/integration catalog. Most MMS platforms should have dedicated integration points to interface with various tools across the marketing landscape (e.g. social media, email, SEO, CRM, CMS tools, etc.).

    Identify differentiating MMS features

    While not always deemed must-have functionality, these features may be the deciding factor when choosing between two MMS-focused vendors.

    Digital Asset Management (DAM)

    A DAM can help manage digital media asset files (e.g. photos, audio files, video).

    Customer Data Management

    Customer data management modules help your organization track essential customer information to maximize your marketing results.

    Text-Based Marketing

    Text-based marketing strategy is ideal for any organization primarily focused on coordinating structured and efficient marketing campaigns.

    Customer
    Journey Orchestration

    Customer journey orchestration enables users to orchestrate customer conversations and journeys across the entire marketing value chain.

    AI-Driven Workflows

    AI-powered workflows can help eliminate complexities and allow marketers to automate and optimize tasks across the marketing spectrum.

    Dynamic Segmentation

    Dynamic segmentation to target audience cohorts based on recent actions and stated preferences.

    Advanced Email Marketing

    These include capabilities such as A/B testing, spam filter testing, and detailed performance reporting.

    Ensure you understand the art of the possible across the MMS landscape

    Understanding the trending feature sets that encompass the broader MMS vendor landscape will best equip your organization with the knowledge needed to effectively match today's MMS platforms with your organization's marketing requirements.

    Holistically examine the potential of any MMS solution through three main lenses:

    Data-Driven
    Digital Advertising

    Adapt innovative techniques such as conversational marketing to help collect, analyze, and synthesize crucial audience information to improve the customer marketing experience and pre-screen prospects in a more conscientious manner.

    Next Best Action Marketing

    Next best action marketing (NBAM) is a customer-centric paradigm/marketing technique designed to capture specific information about customers and their individual preferences. Predicting customers' future actions by understanding their intent during their purchasing decisions stage will help improve conversion rates.

    AI-Driven Customer
    Segmentation

    The use of inclusive and innovative AI-based forecast modeling techniques can help more accurately analyze customer data to create more targeted segments. As such, marketing messages will be more accurately tailored to the customer that is reading them.

    Art of the possible: data-driven digital advertising

    CONVERSATIONAL MARKETING INTELLIGENCE

    Are you curious about the measures needed to boost engagement among your client base and other primary target audience groups? Conversational marketing intelligence metrics can help collect and disseminate key descriptive data points across a broader range of audience information.

    AI-DRIVEN CONVERSATIONAL MARKETING DEVICES

    Certain social media channels (e.g. LinkedIn and Facebook) like to take advantage of click-to-Messenger-style applications to help drive meaningful conversations with customers and learn more about their buying preferences. In addition, AI-driven chatbot applications can help the organization glean important information about the customer's persona by asking probing questions about their marketing purchase behaviors and preferences.

    METAVERSE- DRIVEN BRANDING AND ADVERTISING

    One of the newest phenomena in data-driven marketing technology and digital advertising techniques is the metaverse, where users can represent themselves and their brand via virtual avatars to further gamify their marketing strategies. Moreover, brands can create immersive experiences and engage with influencers and established communities and collect a wealth of information about their audience that can help drive customer retention and loyalty.

    Case study

    This is the logos for Gucci and Roblox.

    Metaverse marketing extends the potential for commercial brand development and representation: a deep dive into Gucci's metaverse practice

    INDUSTRY: Luxury Goods Apparel
    SOURCE: Vogue Business

    Challenge

    Beginning with a small, family-owned leather shop known as House of Gucci in Florence, Italy, businessman and fashion designer Guccio Gucci sold saddles, leather bags, and other accessories to horsemen during the 1920s. Over the years, Gucci's offerings have grown to include various other personal luxury goods.

    As consumer preferences have evolved over time, particularly with the younger generation, Gucci's professional marketing teams looked to invest in virtual technology environments to help build and sustain better brand awareness among younger consumer audiences.

    Solution

    In response to the increasing presence of metaverse-savvy gamers on the internet, Gucci began investing in developing its online metaverse presence to bolster its commercial marketing brand there.

    A recent collaboration with Roblox, an online gaming platform that offers virtual experiences, provided Gucci the means to showcase its fashion items using the Gucci Garden – a virtual art installation project for Generation Z consumers, powered by Roblox's VR technology. The Gucci Garden virtual system featured a French-styled garden environment where players could try on and buy Gucci virtual fashion items to dress up their blank avatars.

    Results

    Gucci's disruptive, innovative metaverse marketing campaign project with Roblox is proof of its commitment to tapping new marketing growth channels to showcase the brand to engage new and prospective consumers (e.g. Roblox's player base) across more unique sandboxed/simulation environments.

    The freedom and flexibility in the metaverse environments allows brands such as Gucci to execute a more flexible digital marketing approach and enables them to take advantage of innovative metaverse-driven technologies in the market to further drive their data-driven digital marketing campaigns.

    Art of the possible: next best action marketing (NBAM)

    NEXT BEST ACTION PREDICTIVE MODELING

    To improve conversion propensity, next best action techniques can use predictive modeling methods to help build a dynamic overview of the customer journey. With information sourced from actionable marketing intelligence data, MMS platforms can use NBAM techniques to identify customer needs based on their buying behavior, social media interactions, and other insights to determine what unique set of actions should be taken for each customer.

    MACHINE LEARNING–BASED RECOMMENDER SYSTEMS

    Rules-based recommender systems can help assign probabilities of purchasing behaviors based on the patterns in touchpoints of a customer's journey and interaction with your brand. For instance, a large grocery chain company such as Walmart or Whole Foods will use ML-based recommender systems to decide what coupons they should offer to their customers based on their purchasing history.

    Art of the possible: AI-driven customer segmentation

    MACHINE/DEEP LEARNING (ML/DL) ALGORITHMS

    The inclusion of AI in data analytics helps make customer targeting more accurate
    and meaningful. Organizations can analyze customer data more thoroughly and generate in-depth contextual and descriptive information about the targeted segments. In addition, they can use this information to automate the personalization of marketing campaigns for a specific target audience group.

    UNDERSTANDING CUSTOMER SENTIMENTS

    To greatly benefit from AI-powered customer segmentation, organizations must deploy specialized custom AI solutions to help organize qualitative comments into quantitative data. This approach requires companies to use custom AI models and tools that will analyze customer sentiments and experiences based on data extracted from various touchpoints (e.g. CRM systems, emails, chatbot logs).

    Phase 2

    Build the Business Case and Streamline Requirements

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Define and build the business case for the selection of a right-sized MMS platform.
    • Elicit and prioritize granular requirements for your MMS platform.

    This phase involves the following participants:

    • CMO
    • Technical Marketing Analyst
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    Software Selection Engagement

    5 Advisory Calls over a 5-Week Period to Accelerate Your Selection Process

    Expert analyst guidance over 5 weeks on average to select software and negotiate with the vendor.

    Save money, align stakeholders, speed up the process and make better decisions.

    Use a repeatable, formal methodology to improve your application selection process.

    Better, faster results, guaranteed, included in your membership.

    This is an image of the plan for five advisory calls over a five-week period.

    CLICK HERE to book your Selection Engagement

    Elicit and prioritize granular requirements for your marketing management suite (MMS) platform

    Understanding business needs through requirements gathering is the key to defining everything you need from your software. However, it is an area where people often make critical mistakes.

    Poorly scoped requirements

    Best practices

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of detail within the requirements, causing inconsistency and confusion.
    • Drill all the way down to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are obvious.
    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Info-Tech Insight
    Poor requirements are the number one reason projects fail. Review Info-Tech's Improve Requirements Gathering blueprint to learn how to improve your requirements analysis and get results that truly satisfy stakeholder needs.

    Info-Tech's approach

    Develop an inclusive and thorough approach to the RFP process

    Identity Need; Define Business requirements; Gain Business Authorization; Perform RFI/RFP; Negotiate Agreement; Purchase Goods and Services; Assess and Measure Performance.

    Info-Tech Insight

    Review Info-Tech's process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP.

    The Info-Tech difference:

    1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
    2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
    3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
    4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a due date.

    Leverage Info-Tech's Contract Review Service to level the playing field with your shortlisted vendors

    You may be faced with multiple products, services, master service agreements, licensing models, service agreements, and more.
    Use Info-Tech's Contract Review Service to gain insights on your agreements:

    1. Are all key terms included?
    2. Are they applicable to your business?
    3. Can you trust that results will be delivered?
    4. What questions should you be asking from an IT perspective?

    Validate that a contract meets IT's and the business' needs by looking beyond the legal terminology. Use a practical set of questions, rules, and guidance to improve your value for dollar spent.

    This is an image of three screenshots from Info-Tech's Contract Review Service.

    CLICK to BOOK The Contract Review Service

    CLICK to DOWNLOAD Master Contract Review and Negotiation for Software Agreements

    Phase 3

    Discover the MMS Market Space and Prepare for Implementation

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the MMS vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for MMS.

    This phase involves the following participants:

    • CMO
    • Marketing Management Executive
    • Applications Manager
    • Digital Marketing Project Manager
    • Sales Executive
    • Vendor Outreach and Partnerships Manager

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements.
    2. Checking out SoftwareReviews.
    3. Shortlisting your vendors.
    4. Conducting demos and detailed proposal reviews.
    5. Selecting and contracting with a finalist!

    Get to know the key players in the MMS landscape

    The following slides provide a top-level overview of the popular players you will encounter in your MMS shortlisting process.

    This is a series of images of the logos for the companies which will be discussed later in this blueprint.

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    This is an image of two screenshots from the Data Quadrant Report.

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    This is an image of two screenshots from the Emotional Footprint Report.

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Multichannel Integration

    Areas to Improve:

    • Mobile Marketing Management
    • Advanced Data Segmentation
    • Pricing Sensitivity and Implementation Support Model

    This is an image of SoftwareReviews analysis for Adobe Experience Cloud.

    history

    This is the Logo for Adobe Experience Cloud

    "Adobe Experience Cloud (AEC), formerly Adobe Marketing Cloud (AMC), provides a host of innovative multichannel analytics, social, advertising, media optimization, and content management products (just to name a few). The Adobe Marketing Cloud package allows users with valid subscriptions to download the entire collection and use it directly on their computer with open access to online updates. Organizations that have a deeply ingrained Adobe footprint and have already reaped the benefits of Adobe's existing portfolio of cloud services products (e.g. Adobe Creative Cloud) will find the AEC suite a functionally robust and scalable fit for their marketing management and marketing automation needs.

    However, it is important to note that AEC's pricing model is expensive when compared to other competitors in the space (e.g. Sugar Market) and, therefore, is not as affordable for smaller or mid-sized organizations. Moreover, there is the expectation of a learning curve with the AEC platform. Newly onboarded users will need to spend some time learning how to navigate and work comfortably with AEC's marketing automaton modules. "
    - Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Adobe Experience Cloud Platform pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    2021

    Adobe Experience Platform Launch is integrated into the Adobe Experience Platform as a suite of data collection technologies (Experience League, Adobe).

    November 2020

    Adobe announces that it will spend $1.5 billion to acquire Workfront, a provider of marketing collaboration software (TechTarget, 2020).

    September 2018

    Adobe acquires marketing automation software company Marketo (CNBC, 2018).

    June 2018

    Adobe buys e-commerce services provider Magento Commerce from private equity firm Permira for $1.68 billion (TechCrunch, 2018).

    2011

    Adobe acquires DemDex, Inc. with the intention of adding DemDex's audience-optimization software to the Adobe Online Marketing Suite (Adobe News, 2011).

    2009

    Adobe acquires online marketing and web analytics company Omniture for $1.8 billion and integrates its products into the Adobe Marketing Cloud (Zippia, 2022).

    Adobe platform launches in December 1982.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Workflow Management
    • Advanced Data Segmentation
    • Marketing Operations Management

    Areas to Improve:

    • Email Marketing Automation
    • Marketing Asset Management
    • Process of Creating and/or Managing Marketing Lists

    This is an image of SoftwareReviews analysis for Dynamics 365

    history

    This is the logo for Dynamics 365

    2021

    Microsoft Dynamics 365 suite adds customer journey orchestration as a viable key feature (Tech Target, 2021)

    2019

    Microsoft begins adding to its Dynamics 365 suite in April 2019 with new functionalities such as virtual agents, fraud detection, new mixed reality (Microsoft Dynamics 365 Blog, 2019).

    2017

    Adobe and Microsoft expand key partnership between Adobe Experience Manager and Dynamics 365 integration (TechCrunch, 2017).

    2016

    Microsoft Dynamics CRM paid seats begin growing steadily at more than 2.5x year-over-year (TechCrunch, 2016).

    2016

    On-premises application, called Dynamics 365 Customer Engagement, contains the Dynamics 365 Marketing Management platform (Learn Microsoft, 2023).

    Microsoft Dynamics 365 product suite is released on November 1, 2016.

    "Microsoft Dynamics 365 for Marketing remains a viable option for organizations that require a range of innovative MMS tools that can provide a wealth of functional capabilities (e.g. AI-powered analytics to create targeted segments, A/B testing, personalizing engagement for each customer). Moreover, Microsoft Dynamics 365 for Marketing offers trial options to sandbox their platform for free for 30 days to help users familiarize themselves with the software before buying into the product suite.

    However, ensure that you have the time to effectively train users on implementing the MS Dynamics 365 platform. The platform does not score high on customizability in SoftwareReviews reports. Developers have only a limited ability to modify the core UI, so organizations need to be fully equipped with the knowledge needed to successfully navigate MS-based applications to take full advantage of the platform. For organizations deep in the Microsoft stack, D365 Marketing is a compelling option."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Dynamics 365
    Marketing

    Dynamics 365
    Marketing (Attachment)

    • Starts from $1,500 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations without any other Dynamics 365 application
    • Starts from $750 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations with a qualifying Dynamics 365 application

    * Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Marketing Workflow Management
    • Lead Nurturing

    Areas to Improve:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Marketing Segmentation

    This is an image of SoftwareReviews analysis for HubSpot

    history

    This is an image of the Logo for HubSpot

    2022

    HubSpot Marketing Hub releases Campaigns 2.0 module for its Marketing Hub platform (HubSpot, 2022).

    2018


    HubSpot announces the launch of its Marketing Hub Starter platform, a new offering that aims to give growing teams the tools they need to start marketing right (HubSpot Company News, 2018).

    2014

    HubSpot celebrates its first initial public offering on the NYSE market (HubSpot Company News, 2014).

    2013

    HubSpot opens its first international office location in Dublin, Ireland
    (HubSpot News, 2013).

    2010

    Brian Halligan and Dharmesh Shah write "Inbound Marketing," a seminal book that focuses on inbound marketing principles (HubSpot, n.d.).

    HubSpot opens for business in Cambridge, MA, USA, in 2005.

    "HubSpot's Marketing Hub software ranks consistently high in scores across SoftwareReviews reports and remains a strong choice for organizations that want to run successful inbound marketing campaigns that make customers interested and engaged with their business. HubSpot Marketing Hub employs comprehensive feature sets, including the option to streamline ad tracking and management, perform various audience segmentation techniques, and build personalized and automated marketing campaigns.

    However, SoftwareReviews reports indicate end users are concerned that HubSpot Marketing Hub's platform may be slightly overpriced in recent years and not cost effective for smaller and mid-sized companies that are working with a limited budget. Moreover, when it comes to mobile user accessibility reports, HubSpot's Marketing Hub does not directly offer data usage reports in relation to how mobile users navigate various web pages on the customer's website."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    HubSpot Marketing Hub (Starter Package)

    HubSpot Marketing Hub (Professional Package)

    HubSpot Marketing Hub (Enterprise Package)

    • Starts from $50/month*
    • Includes 1,000 marketing contacts
    • All non-marketing contacts are free, up to a limit of 15 million overall contacts (marketing contacts + non-marketing contracts)
    • Starts from $890/month*
    • Includes 2,000 marketing contacts
    • Onboarding is required for a one-time fee of $3,000
    • Starts from $3600/month*
    • Includes 10,000 marketing contacts
    • Onboarding is required for a one-time fee of $6,000

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Customer Journey Mapping
    • Contacts Management

    Areas to Improve:

    • Pricing Model Flexibility
    • Integrational API Support
    • Antiquated UI/CX Design Elements

    This is an image of SoftwareReviews analysis for Maropost

    history

    This is an image of the Logo for MAROPOST Marketing Cloud

    2022

    Maropost acquires Retail Express, leading retail POS software in Australia for $55M (PRWire, 2022).

    2018


    Maropost develops innovative product feature updates to its marketing cloud platform (e.g. automated social campaign management, event segmentation for mobile apps) (Maropost, 2019).

    2015

    US-based communications organization Success selects Maropost Marketing Cloud for marketing automation use cases (Apps Run The World, 2015).

    2017

    Maropost is on track to become one of Toronto's fastest-growing companies, generating $30M in annual revenue (MarTech Series, 2017).

    2015

    Maropost is ranked as a "High Performer" in the Email Marketing category in a G2 Crowd Grid Report (VentureBeat, 2015).

    Maropost is founded in 2011 as a customer-centric ESP platform.

    Maropost Marketing Cloud – Essential

    Maropost
    Marketing Cloud –Professional

    Maropost
    Marketing Cloud –Enterprise

    • Starts from $279/month*
    • Includes baseline features such as email campaigns, A/B campaigns, transactional emails, etc.
    • Starts from $849/month*
    • Includes additional system functionalities of interest (e.g. mobile keywords, more journeys for marketing automation use cases)
    • Starts from $1,699/month*
    • Includes unlimited number of journeys
    • Upper limit for custom contact fields is increased by 100-150

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Data Segmentation
    • Marketing Analytics
    • Multichannel Integration

    Areas to Improve:

    • Marketing Operations
      Management
    • Marketing Asset Management
    • Community Marketing Management

    This is an image of SoftwareReviews analysis for Oracle Marketing Cloud.

    history

    This is an image of the Logo for Oracle Marketing Cloud

    2021

    New advanced intelligence capabilities within Oracle Eloqua Marketing Automation help deliver more targeted and personalized messages (Oracle, Marketing Automation documentation).

    2015


    Oracle revamps its marketing cloud with new feature sets, including Oracle ID Graph for cross-platform identification of customers, AppCloud Connect, etc. (Forbes, 2015).

    2014

    Oracle announces the launch of the Oracle Marketing Cloud (TechCrunch, 2014).

    2005

    Oracle acquires PeopleSoft, a company that produces human resource management systems, in 2005 for $10.3B (The Economic Times, 2016).

    1982

    Oracle becomes the first company to sell relational database management software (RDBMS). In 1982 it has revenue of $2.5M (Encyclopedia.com).

    Relational Software, Inc (RSI) – later renamed Oracle Corporation – is founded in 1977.

    "Oracle Marketing Cloud offers a comprehensive interwoven and integrated marketing management solution that can help end users launch cross-channel marketing programs and unify all prospect and customer marketing signals within one singular view. Oracle Marketing Cloud ranks consistently high across our SoftwareReviews reports and sustains top scores in overall customer experience rankings at a factor of 9.0. The emotional sentiment of users interacting with Oracle Marketing Cloud is also highly favorable, with Oracle's Emotional Footprint score at +93.

    Users should be aware that some of the reporting mechanisms and report-generation capabilities may not be as mature as those of some of its competitors in the MMS space (e.g. Salesforce, Adobe). Data exportability also presents a challenge in Oracle Marketing Cloud and requires a lot of internal tweaking between end users of the system to function properly. Finally, pricing sensitivity may be a concern for small and mid-sized organizations who may find Oracle's higher-tiered pricing plans to be out of reach. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Oracle Marketing Cloud pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Advanced Campaign Management
    • Email Marketing Automation
    • Social Media Marketing Management

    Areas to Improve:

    • Community Marketing Management
    • Marketing Operations Management
    • Pricing Sensitivity and Vendor Support Model

    This is an image of SoftwareReviews analysis for Salesforce

    history

    This is an image of the Logo for Salesforce Marketing Cloud

    2022

    Salesforce announces sustainability as a core company value (Forbes, 2022).

    2012



    Salesforce unveils Salesforce Marketing Cloud during Dreamforce 2012, with 90,000 registered attendees (Dice, 2012).

    2009

    Salesforce launches Service Cloud, bringing customer service and support automation features to the market (TechCrunch, 2009).

    2003


    The first Dreamforce event is held at the Westin St. Francis hotel in downtown San Francisco
    (Salesforce, 2020).

    2001


    Salesforce delivers $22.4M in revenue for the fiscal year ending January 31, 2002 (Salesforce, 2020).

    Salesforce is founded in 1999.

    "Salesforce Marketing Cloud is a long-term juggernaut of the marketing management software space and is the subject of many Info-Tech member inquiries. It retains strong composite and customer experience (CX) scores in our SoftwareReviews reports. Some standout features of the platform include marketing analytics, advanced campaign management functionalities, email marketing automation, and customer journey management capabilities. In recent years Salesforce has made great strides in improving the overall user experience by investing in new product functionalities such as the Einstein What-If Analyzer, which helps test how your next email campaign will impact overall customer engagement, triggers personalized campaign messages based on an individual user's behavior, and uses powerful real-time segmentation and sophisticated AI to deliver contextually relevant experiences that inspire customers to act.

    On the downside, we commonly see Salesforce's solutions as costlier than competitors' offerings, and its commercial/sales teams tend to be overly aggressive in marketing its solutions without a distinct link to overarching business requirements. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Marketing Cloud Basics

    Marketing Cloud Pro

    Marketing Cloud Corporate

    Marketing Cloud Enterprise

    • Starts at $400*
    • Per org/month
    • Personalized promotional email marketing
    • Starts at $1,250*
    • Per org/month
    • Personalized marketing automation with email solutions
    • Starts at $3,750*
    • Per org/month
    • Personalized cross-channel strategic marketing solutions

    "Request a Quote"

    *Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Marketing Workflow Management
    • Marketing Analytics

    Areas to Improve:

    • Mobile Marketing Management
    • Marketing Operations Management
    • Advanced Data Segmentation

    This is an image of SoftwareReviews analysis for SAP

    history

    This is an image of the Logo for SAP

    2022

    SAP announces the second cycle of the 2022 SAP Customer Engagement Initiative. (SAP Community Blog, 2022).

    2020

    SAP acquires Austrian cloud marketing company Emarsys (TechCrunch, 2020).

    2015

    SAP Digital for Customer Engagement launches in May 2015 (SAP News, 2015).

    2009

    SAP begins branching out into three markets of the future (mobile technology, database technology, and cloud). SAP acquires some of its competitors (e.g. Ariba, SuccessFactors, Business Objects) to quickly establish itself as a key player in those areas (SAP, n.d.).

    1999

    SAP responds to the internet and new economy by launching its mysap.com strategy (SAP, n.d.).

    SAP is founded In 1972.

    "Over the years, SAP has positioned itself as one of the usual suspects across the enterprise applications market. While SAP has a broad range of capabilities within the CRM and customer experience space, it consistently underperforms in many of our user-driven SoftwareReviews reports for MMS and adjacent areas, ranking lower in MMS product feature capabilities such as email marketing automation and advanced campaign management than other mainstream MMS vendors, including Salesforce Marketing Cloud and Adobe Experience Cloud. The SAP Customer Engagement Marketing platform seems decidedly a secondary focus for SAP, behind its more compelling presence across the enterprise resource planning space.

    If you are approaching an MMS selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests that your needs will be better served by a vendor that places greater primacy on the MMS aspect of their portfolio."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    SAP Customer Engagement Marketing pricing is opaque:
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Social Media Automation
    • Email Marketing Automation
    • Marketing Analytics

    Areas to Improve:

    • Ease of Data Integration
    • Breadth of Features
    • Marketing Workflow Management

    b

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Campaign Management
    • Segmentation
    • Email Delivery

    Areas to Improve:

    • Mobile Optimization
    • A/B Testing
    • Content Authoring

    This is an image of SoftwareReviews analysis for ZOHO Campaigns.

    history

    This is an image of the Logo for ZOHO Campaigns

    2021

    Zoho announces CRM-Campaigns sync (Zoho Campaigns Community Learning, 2021).

    2020

    Zoho reaches more than 50M customers in January ( Zippia, n.d.).

    2017

    Zoho launches Zoho One, a comprehensive suite of 40+ applications (Zoho Blog, 2017).

    2012

    Zoho releases Zoho Campaigns (Business Wire, 2012).

    2007

    Zoho expands into the collaboration space with the release of Zoho Docs and Zoho Meetings (Zoho, n.d.).

    2005

    Zoho CRM is released (Zoho, n.d.).

    Zoho platform is founded in 1996.

    "Zoho maintains a long-running repertoire of end-to-end software solutions for business development purposes. In addition to its flagship CRM product, the company also offers Zoho Campaigns, which is an email marketing software platform that enables contextually driven marketing techniques via dynamic personalization, email interactivity, A/B testing, etc. For organizations that already maintain a deep imprint of Zoho solutions, Zoho Campaigns will be a natural extension to their immediate software environment.

    Zoho Campaigns is a great ecosystem play in environments that have a material Zoho footprint. In the absence of an existing Zoho environment, it's prudent to consider other affordable products as well."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Free Version

    Standard

    Professional

    • Starts at $0*
    • Per user/month billed annually
    • Up to 2,000 contacts
    • 6,000 emails/month
    • Starts at $3.75*
    • Per user/month billed annually
    • Up to 100,000 contacts
    • Advanced email templates
    • SMS marketing
    • Starts at $6*
    • Per user/month billed annually
    • Advanced segmentation
    • Dynamic content

    *Pricing correct as of October 2022. Listed in USD and absent discounts.

    See pricing on vendor's website for latest information.

    Leverage Info-Tech's research to plan and execute your MMS implementation

    Use Info-Tech's three-phase implementation process to guide your planning:

    1. Assess

    2. Prepare

    3. Govern & Course Correct

    Download Info-Tech's Governance and Management of Enterprise Software Implementation
    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value to encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing them.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:

    • Location: Placing teams in proximity to eliminate the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) to help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role Clarity: Having a clear definition of what everyone's role is.

    Selecting a right-sized MMS platform

    This selection guide allows organizations to execute a structured methodology for picking an MMS platform that aligns with their needs. This includes:

    • Alignment and prioritization of key business and technology drivers for an MMS selection business case.
    • Identification of key use cases and requirements for a right-sized MMS platform.
    • A comprehensive market scan of key players in the MMS market space.

    This formal MMS selection initiative will drive business-IT alignment, identify pivotal sales and marketing automation priorities, and thereby allow for the rollout of a streamlined MMS platform that is highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Summary of accomplishment

    Knowledge Gained

    • What marketing management is
    • Historical origins of marketing management
    • The future of marketing management
    • Key trends in marketing management suites

    Processes Optimized

    • Requirements gathering
    • RFPs and contract reviews
    • Marketing management suite vendor selection
    • Marketing management platform implementation

    Marketing Management

    • Adobe Experience Cloud
    • Microsoft Dynamics 365 for Marketing
    • HubSpot Marketing Hub
    • Maropost Marketing Cloud
    • Oracle Marketing Cloud

    Vendors Analyzed

    • Salesforce Marketing Cloud
    • SAP
    • Sugar Market
    • Zoho Campaigns

    Related Info-Tech Research

    Select a Marketing Management Suite

    Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.

    Get the Most Out of Your CRM

    Customer relationship management (CRM) application portfolios are often messy,
    with multiple integration points, distributed data, and limited ongoing end-user training. A properly optimized CRM ecosystem will reduce costs and increase productivity.

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution. Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    Bibliography

    "16 Biggest Tech Acquisitions in History." The Economic Times, 28 July 2016. Web.
    "Adobe Acquires Demdex – Brings Audience Optimization to $109 Billion Global Online Ad Market." Adobe News, 18 Jan 2011. Accessed Nov 2022.
    "Adobe Company History Timeline." Zippia, 9 Sept 2022. Accessed Nov 2022.
    "Adobe to acquire Magento for $1.68B." TechCrunch, 21 May 2018. Accessed Dec 2022.
    Anderson, Meghan Keaney. "HubSpot Launches European Headquarters." HubSpot Company News, 3 Mar 2013.
    Arenas-Gaitán, Jorge, et al. "Complexity of Understanding Consumer Behavior from the Marketing Perspective." Journal of Complexity, vol. 2019, 8 Jan 2019. Accessed Sept 2022.
    Bureau of Labor Statistics. "Advertising, Promotions, and Marketing Managers." Occupational Outlook Handbook. U.S. Department of Labor, 8 Sept 2022. Accessed 1 Nov 2022.
    "Campaigns." Marketing Hub, HubSpot, n.d. Web.
    Conklin, Bob. "Adobe report reveals best marketing practices for B2B growth in 2023 and beyond." Adobe Experience Cloud Blog, 23 Sept 2022. Web.
    "Consumer Behavior Stats 2021: The Post-Pandemic Shift in Online Shopping Habit" Nosto.com, 7 April 2022. Accessed Oct 2022.
    "Data Collection Overview." Experience League, Adobe.com, n.d. Accessed Dec 2022.
    Duduskar, Avinash. "Interview with Tony Chen, CEO at Channel Factory." MarTech Series, 16 June 2017. Accessed Nov 2022.
    "Enhanced Release of SAP Digital for Customer Engagement Helps Anyone Go Beyond CRM." SAP News, 8 Dec. 2015. Press release.
    Fang, Mingyu. "A Deep Dive into Gucci's Metaverse Practice." Medium.com, 27 Feb 2022. Accessed Oct 2022.
    Flanagan, Ellie. "HubSpot Launches Marketing Hub Starter to Give Growing Businesses the Tools They Need to Start Marketing Right." HubSpot Company News, 17 July 2018. Web.
    Fleishman, Hannah. "HubStop Announces Pricing of Initial Public Offering." HubSpot Company News, 8 Oct. 204. Web.
    Fluckinger, Don. "Adobe to acquire Workfront for $1.5 billion." TechTarget, 10 Nov 2020. Accessed Nov 2022.
    Fluckinger, Don. "Microsoft Dynamics 365 adds customer journey orchestration." TechTarget, 2 March 2021. Accessed Nov 2022.
    Green Marketing: Explore the Strategy of Green Marketing." Marketing Schools, 19 Nov 2020. Accessed Oct 2022.
    Ha, Anthony. "Oracle Announces Its Cross-Platform Marketing Cloud." TechCrunch, 30 April 2014. Web.
    Heyd, Kathrin. "Partners Welcome – SAP Customer Engagement Initiative 2022-2 is open for your registration(s)!" SAP Community Blog, 21 June 2022. Accessed Nov 2022.
    HubSpot. "Our Story." HubSpot, n.d. Web.
    Jackson, Felicia. "Salesforce Tackles Net Zero Credibility As It Adds Sustainability As A Fifth Core Value." Forbes, 16 Feb. 2022. Web.
    Kolakowski, Nick. "Salesforce CEO Marc Benioff Talks Social Future." Dice, 19 Sept. 2012. Web.
    Lardinois, Frederic. "Microsoft's Q4 earnings beat Street with $22.6B in revenue, $0.69 EPS." TechCrunch, 19 July 2016. Web.
    Levine, Barry. "G2 Crowd report finds the two email marketing tools with the highest user satisfaction." Venture Beat, 30 July 2015. Accessed Nov 2022.
    Looking Back, Moving Forward: The Evolution of Maropost for Marketing." Maropost Blog, 21 May 2019. Accessed Oct 2022.
    Maher, Sarah. "What's new with HubSpot? Inbound 2022 Feature Releases." Six & Flow, 9 July 2022. Accessed Oct 2022.
    Marketing Automation Provider, Salesfusion, Continues to Help Marketers Achieve Their Goals With Enhanced User Interface and Powerful Email Designer Updates." Yahoo Finance, 10 Dec 2013. Accessed Oct 2022.
    "Maropost Acquires Retail Express for $55 Million+ as it Continues to Dominate the Global Commerce Space." Marapost Newsroom, PRWire.com, 19 Jan 2022. Accessed Nov 2022.
    McDowell, Maghan. "Inside Gucci and Roblox's new virtual world." Vogue Business, 17 May 2021. Web.
    Miller, Ron. "Adobe and Microsoft expand partnership with Adobe Experience Manager and Dynamics 265 Integration." TechCrunch, 3 Nov 2017. Accessed Nov 2022.
    Miller, Ron. "Adobe to acquire Magento for $1.68B" TechCrunch, 21 May 2018. Accessed Nov 2022.
    Miller, Ron. "SAP continues to build out customer experience business with Emarys acquisition." TechCrunch, 1 Oct. 2020. Web.
    Miller, Ron. "SugarCRM moves into marketing automation with Salesfusion acquisition." TechCrunch, 16 May 2019.
    Novet, Jordan. "Adobe confirms it's buying Marketo for $4.75 billion." CNBC, 20 Sept 2018. Accessed Dec 2022.
    "Oracle Corp." Encyclopedia.com, n.d. Web.
    Phillips, James. "April 2019 Release launches with new AI, mixed reality, and 350+ feature updates." Microsoft Dynamics 365 Blog. Microsoft, 2 April 2019. Web.
    S., Aravindhan. "Announcing an important update to Zoho CRM-Zoho Campaigns integration." Zoho Campaigns Community Learning, Zoho, 1 Dec. 2021. Web.
    Salesforce. "The History of Salesforce." Salesforce, 19 March 2020. Web.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment" GlobeNewswire, 6 May 2016. Accessed Oct 2022. Press release.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment." Marketwired, 6 May 2016. Web.
    "Salesfusion is Now Sugar Market: The Customer FAQ." SugarCRM Blog, 31 July 2019. Web.
    "Salesfusion's Marketing Automation Platform Drives Awareness and ROI for Education Technology Provider" GlobeNewswire, 25 June 2015. Accessed Nov 2022. Press release.
    SAP. "SAP History." SAP, n.d. Web.
    "State of Marketing." 5th Edition, Salesforce, 15 Jan 2019. Accessed Oct 2022.
    "Success selects Maropost Marketing Cloud for Marketing Automation." Apps Run The World, 10 Jan 2015. Accessed Nov 2022.
    "SugarCRM Acquires SaaS Marketing Automation Innovator Salesfusion." SugarCRM, 16 May 2019. Press release.
    Sundaram, Vijay. "Introducing Zoho One." Zoho Blog, 25 July 2017. Web.
    "The State of MarTech: Is you MarTech stack working for you?" American Marketing Association, 29 Nov 2021. Accessed Oct 2022.
    "Top Marketing Automation Statistics for 2022." Oracle, 15 Jan 2022. Accessed Oct 2022.
    Trefis Team. "Oracle Energizes Its Marketing Cloud With New Features." Forbes, 7 April 2015. Accessed Oct 2022.
    Vivek, Kumar, et al. "Microsoft Dynamics 365 Customer Engagement (on-premises) Help, version 9.x." Learn Dynamics 365, Microsoft, 9 Jan 2023. Web.
    "What's new with HubSpot? Inbound 2022 feature releases" Six and Flow, 9 July 2022. Accessed Nov 2022.
    Widman, Jeff. "Salesforce.com Launches The Service Cloud,, A Customer Service SaaS Application." TechCrunch, 15 Jan. 2009. Web.
    "Zoho History." Zippia, n.d. Web.
    "Zoho Launches Zoho Campaigns." Business Wire, 14 Aug. 2012. Press release.
    Zoho. "About Us." Zoho, n.d. Web.

    Need hands-on assistance?

    Engage Info-Tech for a Software Selection Workshop!

    40 Hours of Advisory Assistance Delivered On-Line or In-Person

    Select Better Software, Faster.

    40 Hours of Expert Analyst Guidance
    Project & Stakeholder Management Assistance
    Save money, align stakeholders, Speed up the process & make better decisions.
    Better, faster results, guaranteed, $25K standard engagement fee

    This is an image of the plan for five advisory calls over a five week period.

    CLICK HERE to book your Workshop Engagement

    Prepare to Successfully Deploy PPM Software

    • Buy Link or Shortcode: {j2store}437|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • PPM suite deployments are complicated and challenging. Vendors and consultants can provide much needed expertise and assistance to organizations deploying new PPM suites.
    • While functional requirements are often defined during the procurement stage (for example, in an RFP), the level of detail during this stage is likely insufficient for actually configuring the solution to your specific PPM needs. Too many organizations fail to further develop these functional requirements between signing their contracts and the official start of their professional implementation engagement.
    • Many organizations fail to organize and record the PPM data they will need to populate the new PPM suite. In almost all cases, customers have the expertise and are in the best position to collect and organize their own data. Leaving this until the vendor or consultant arrives to help with the deployment can result in using your professional services in a suboptimal way.
    • Vendors and consultants want you to prepare for their implementation engagements so that you can make the best use of their expertise and assistance. They want you to deploy a PPM suite that can be sustainably adopted in the long term. All too often, however, they arrive onsite to find customers that are disorganized and underprepared.

    Our Advice

    Critical Insight

    • Preparing for a professional implementation engagement allows you to make the best use of your professional services, as well as helping to ensure that the PPM suite is deployed according to your specific PPM needs.
    • Involving your internal resources in the preparation of data and in fully defining functional requirements for the PPM suite helps to establish stakeholder buy-in early on, helping to build internal ownership of the solution from the beginning. This avoids the solution being perceived as something the vendor/consultant “forced upon us.”
    • Vendors and consultants are happy when organizations are organized and prepared for their professional implementation engagements. Preparation ensures these engagements are positive experiences for everyone involved.

    Impact and Result

    • Ensure that the data necessary to deploy the new PPM suite is recorded and organized.
    • Make your functional requirements detailed enough to ensure that the new PPM suite can be configured/customized during the deployment engagement in a way that best fits the organization’s actual PPM needs.
    • Through carefully preparing data and fully defining functional requirements, you help the solution become sustainably adopted in the long term.

    Prepare to Successfully Deploy PPM Software Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why preparing for PPM deployment will ensure that organizations get the most value out of the implementation professional services they purchased and will help drive long-term sustainable adoption of the new PPM suite.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a preparation team and plan

    Engage in purposeful and effective PPM deployment planning by clearly defining what to prepare and when exactly it is time to move from planning to execution.

    • Prepare to Successfully Deploy PPM Software – Phase 1: Create a Preparation Team and Plan
    • Prepare to Deploy PPM Suite Project Charter Template
    • PPM Suite Functional Requirements Document Template
    • PPM Suite Deployment Timeline Template (Excel)
    • PPM Suite Deployment Timeline Template (Project)
    • PPM Suite Deployment Communication Plan Template

    2. Prepare project-related requirements and deliverables

    Provide clearer definition to specific project-related functional requirements and collect the appropriate PPM data needed for an effective PPM suite deployment facilitated by vendors/consultants.

    • Prepare to Successfully Deploy PPM Software – Phase 2: Prepare Project-Related Requirements and Deliverables
    • PPM Deployment Data Workbook
    • PPM Deployment Dashboard and Report Requirements Workbook

    3. Prepare PPM resource requirements and deliverables

    Provide clearer definition to specific resource management functional requirements and data and create a communication and training plan.

    • Prepare to Successfully Deploy PPM Software – Phase 3: Prepare PPM Resource Requirements and Deliverables
    • PPM Suite Transition Plan Template
    • PPM Suite Training Plan Template
    • PPM Suite Training Management Tool

    4. Provide preparation materials to the vendor and implementation professionals

    Plan how to engage vendors/consultants by communicating functional requirements to them and evaluating changes to those requirements proposed by them.

    • Prepare to Successfully Deploy PPM Software – Phase 4: Provide Preparation Materials to the Vendor and Implementation Professionals
    [infographic]

    Workshop: Prepare to Successfully Deploy PPM Software

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan the Preparation Project

    The Purpose

    Select a preparation team and establish clear assignments and accountabilities.

    Establish clear deliverables, milestones, and metrics to ensure it is clear when the preparation phase is complete.

    Key Benefits Achieved

    Preparation activities will be organized and purposeful, ensuring that you do not threaten deployment success by being underprepared or waste resources by overpreparing.

    Activities

    1.1 Overview: Determine appropriate functional requirements to define and data to record in preparation for the deployment.

    1.2 Create a timeline.

    1.3 Create a charter for the PPM deployment preparation project: record lessons learned, establish metrics, etc.

    Outputs

    PPM Suite Deployment Timeline

    Charter for the PPM Suite Preparation Project Team

    2 Prepare Project-Related Requirements and Deliverables

    The Purpose

    Collect and organize relevant project-related data so that you are ready to populate the new PPM suite when the vendor/consultant begins their professional implementation engagement with you.

    Clearly define project-related functional requirements to aid in the configuration/customization of the tool.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data.

    Avoidance of scrambling to find data at the last minute, risking importing out-of-date or irrelevant information into the new software.

    Clearly defined functional requirements that will ensure the suite is configured in a way that can be adoption in the long term.

    Activities

    2.1 Define project phases and categories.

    2.2 Create a list of all projects in progress.

    2.3 Record functional requirements for project requests, project charters, and business cases.

    2.4 Create a list of all existing project requests.

    2.5 Record the current project intake processes.

    2.6 Define PPM dashboard and reporting requirements.

    Outputs

    Project List (basic)

    Project Request Form Requirements (basic)

    Scoring/Requirements (basic)

    Business Case Requirements (advanced)

    Project Request List (basic)

    Project Intake Workflows (advanced)

    PPM Reporting Requirements (basic)

    3 Prepare PPM Resource Requirements and Deliverables

    The Purpose

    Collect and organize relevant resource-related data.

    Clearly define resource-related functional requirements.

    Create a purposeful transition, communication, and training plan for the deployment period.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data that allows your vendor/consultant to get right to work at the start of the implementation engagement.

    Improved buy-in and adoption through transition, training, and communication activities that are tailored to the actual needs of your specific organization and users.

    Activities

    3.1 Create a portfolio-wide roster of project resources (and record their competencies and skills, if appropriate).

    3.2 Record resource management processes and workflows.

    3.3 Create a transition plan from existing PPM tools and processes to the new PPM suite.

    3.4 Identify training needs and resources to be leveraged during the deployment.

    3.5 Define training requirements.

    3.6 Create a PPM deployment training plan.

    Outputs

    Resource Roster and Competency Profile (basic)

    User Roles and Permissions (basic)

    Resource Management Workflows (advanced)

    Transition Approach and Plan (basic)

    Data Archiving Requirements (advanced)

    List of Training Modules and Attendees (basic)

    Internal Training Capabilities (advanced)

    Training Milestones and Deadlines (basic)

    4 Provide Preparation Materials to the Vendor and Implementation Professionals

    The Purpose

    Compile the data collected and the functional requirements defined so that they can be provided to the vendor and/or consultant before the implementation engagement.

    Key Benefits Achieved

    Deliverables that record the outputs of your preparation and can be provided to vendors/consultants before the implementation engagement.

    Ensures that the customer is an active and equal partner during the deployment by having the customer prepare their material and initiate communication.

    Vendors and/or consultants have a clear understanding of the customer’s needs and expectations from the beginning.

    Activities

    4.1 Collect, review, and finalize the functional requirements.

    4.2 Compile a functional requirements and data package to provide to the vendor and/or consultants.

    4.3 Discuss how proposed changes to the functional requirements will be reviewed and decided.

    Outputs

    PPM Suite Functional Requirements Documents

    PPM Deployment Data Workbook

    Embed Business Relationship Management in IT

    • Buy Link or Shortcode: {j2store}270|cart{/j2store}
    • member rating overall impact (scale of 10): 8.8/10 Overall Impact
    • member rating average dollars saved: $21,960 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Manage Business Relationships
    • Parent Category Link: /manage-business-relationships
    • While organizations realize they need to improve business relationships, they often don’t know how.
    • IT doesn’t know what their business needs and so can’t add as much value as they’d like.
    • They find that their partners often reach out to third parties before they connect with internal IT.

    Our Advice

    Critical Insight

    • Business relationship management (BRM) is not just about communication, it’s about delivering on business value.
    • Build your BRM program on establishing trust.

    Impact and Result

    • Drive business value into the organization via innovative technology solutions.
    • Improve ability to meet and exceed business goals and objectives, resulting in more satisfied stakeholders (C-suite, board of directors).
    • Enhance ability to execute business activities to meet end customer requirements and expectations, resulting in more satisfied customers.

    Embed Business Relationship Management in IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Embed Business Relationship Management Deck – A step-by-step document that walks you through how to establish a practice with well-embedded business relationships, driving IT success.

    This blueprint helps you to establish a relationship with your stakeholders, both within and outside of IT. You’ll learn how to embed relationship management throughout your organization.

    • Embed Business Relationship Management in IT – Phases 1-5

    2. BRM Workbook Deck – A workbook for you to capture the results of your thinking on the BRM practice.

    Use this tool to capture your findings as you work through the blueprint.

    • Embed Business Relationship Management in IT Workbook

    3. BRM Buy-In and Communication Template – A template to help you communicate what BRM is to your organization, that leverages feedback from your business stakeholders and IT.

    Customize this tool to obtain buy in from leadership and other stakeholders. As you continue through the blueprint, continue to leverage this template to communicate what your BRM program is about.

    • BRM Buy-In and Communication Template

    4. BRM Role Expectations Worksheet – A tool to help you establish how the BRM role and/or other roles will be managing relationships.

    This worksheet template is used to outline what the BRM practice will do and associate the expectations and tasks with the roles throughout your organization. Use this to communicate that while your BRM role has a strategic focus and perspective of the relationship, other roles will continue to be important for relationship management.

    • Role Expectations Worksheet

    5. BRM Stakeholder Engagement Plan Worksheet – A tool to help you establish your stakeholders and your engagement with them.

    This worksheet allows you to list the stakeholders and their priority in order to establish how you want to engage with them.

    • BRM Stakeholder Engagement Plan Worksheet

    6. Business Relationship Manager Job Descriptions – These templates can be used as a guide for defining the BRM role.

    These job descriptions will provide you with list of competencies and qualifications necessary for a BRM operating at different levels of maturity. Use this template as a guide, whether hiring internally or externally, for the BRM role.

    • Business Relationship Manager – Level 1
    • Business Relationship Manager – Level 2
    • Business Relationship Manager – Level 3
    [infographic]

    Workshop: Embed Business Relationship Management in IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Foundation: Assess and Situate

    The Purpose

    Set the foundation for your BRM practice – understand your current state and set the vision.

    Key Benefits Achieved

    An understanding of current pain points and benefits to be addressed through your BRM practice. Establish alignment on what your BRM practice is – use this to start obtaining buy-in from stakeholders.

    Activities

    1.1 Define BRM

    1.2 Analyze Satisfaction

    1.3 Assess SWOT

    1.4 Create Vision

    1.5 Create the BRM Mission

    1.6 Establish Goals

    Outputs

    BRM definition

    Identify areas to be addressed through the BRM practice

    Shared vision, mission, and understanding of the goals for the brm practice

    2 Plan

    The Purpose

    Determine where the BRM fits and how they will operate within the organization.

    Key Benefits Achieved

    Learn how the BRM practice can best act on your goals.

    Activities

    2.1 Establish Guiding Principles

    2.2 Determine Where BRM Fits

    2.3 Establish BRM Expectations

    2.4 Identify Roles With BRM Responsibilities

    2.5 Align Capabilities

    Outputs

    An understanding of where the BRM sits in the IT organization, how they align to their business partners, and other roles that support business relationships

    3 Implement

    The Purpose

    Determine how to identify and work with key stakeholders.

    Key Benefits Achieved

    Determine ways to engage with stakeholders in ways that add value.

    Activities

    3.1 Brainstorm Sources of Business Value

    3.2 Identify Key Influencers

    3.3 Categorize the Stakeholders

    3.4 Create the Prioritization Map

    3.5 Create Your Engagement Plan

    Outputs

    Shared understanding of business value

    A plan to engage with stakeholders

    4 Reassess and Embed

    The Purpose

    Determine how to continuously improve the BRM practice.

    Key Benefits Achieved

    An ongoing plan for the BRM practice.

    Activities

    4.1 Create Metrics

    4.2 Prioritize Your Projects

    4.3 Create a Portfolio Investment Map

    4.4 Establish Your Annual Plan

    4.5 Build Your Transformation Roadmap

    4.6 Create Your Communication Plan

    Outputs

    Measurements of success for the BRM practice

    Prioritization of projects

    BRM plan

    Further reading

    Embed Business Relationship Management in IT

    Show that IT is worthy of Trusted Partner status.

    Executive Brief

    Analyst Perspective

    Relationships are about trust.

    As long as humans are involved in enabling technology, it will always remain important to ensure that business relationships support business needs. At the cornerstone of those relationships is trust and the establishment of business value. Without trust, you won’t be believed, and without value, you won’t be invited to the business table.

    Business relationship management can be a role, a capability, or a practice – either way it’s essential to ensure it exists within your organization. Show that IT can be a trusted partner by showing the value that IT offers.

    Photo of Allison Straker, Research Director, CIO Practice, Info-Tech Research Group.

    Allison Straker
    Research Director, CIO Practice
    Info-Tech Research Group

    Your challenge: Why focus on business relationship management?

    Is IT saying this about business partners?

    I don’t know what my business needs and so we can’t add as much value as we’d like.

    My partners don’t give us the opportunity to provide new ideas to solve business problems

    My partners listen to third parties before they listen to IT.

    We’re too busy and don’t have the capacity to help my partners.

    Three stamps with the words 'Value', 'Innovation', and 'Advocacy'. Are business partners saying this about IT?

    IT does not create and deliver valuable services/solutions that resolve my business pain points.

    IT does not come to me with innovative solutions to my business problems/challenges/issues.

    IT blocks my efforts to drive the business forward using innovative technology solutions.

    IT does not advocate for my needs with the decision makers in the organization.

    Common obstacles

    While organizations realize they need to do better, they often don’t know how to improve.

    Organizations want to:
    • Understand and strategically align to business goals
    • Ensure stakeholders are satisfied
    • Show project value/success

    … these are all things that a mature business relationship can do to improve your organization.

    Key improvement areas identified by business leaders and IT leaders

    Bar chart comparing 'CXO' and 'CIO' responses to multiple areas one whether they need significant improvement or only some improvement. Areas in question are 'Understand Business Goals', 'Define and align IT strategy', 'Measure stakeholder satisfaction with IT', and 'Measure IT project success'. Source: CEO/CIO Alignment Diagnostic, N=446 organizations.

    Info-Tech’s approach

    BRMs who focus on achieving business value can improve organizational results.

    Visualization of a piggy bank labelled 'Business Value' with a person on a ladder labelled 'Strategic Tactical Operational' putting coins into the bank which are labelled 'External & internal views', 'Applied knowledge of the business', 'Strategic perspective', 'Trusted relationship', and 'Empathetic engagements “What’s in it for me/them?”'.

    Business relationships can take a strategic, tactical, or operational perspective.

    While all levels are needed, focus on a strategic perspective for optimal outcomes.

    Create business value through:

    • Applying your knowledge of the business so that conversations aren’t about what IT provides. Focus on what the overall business requires.
    • Ensuring your knowledge includes what is going on internally at your organization and also what occurs externally within and outside the industry (e.g. vendors, technologies used in similar industries or with similar customer interactions).
    • Discussing with the perspective of “what’s in it for [insert business partner here]” – don’t just present IT’s views.
    • Building a trusted strategic relationship – don’t just do well at the basics but also focus on the strategy that can move the organization to where it needs to be.

    Neither you nor your partners can view IT as separate from your overall business…

    …your IT goals need to be aligned with those of the overall business

    IT Maturity Pyramid with 'business goals' and 'IT goals' moving upward along its sides. It has five levels, 'unstable - Ad hoc – IT is too busy and the business is unsatisfied (too expensive, too long, not delivering on needs)', 'firefighter - Order taker – IT engaged on as-needed basis. IT unable to forecast demand to manage own resources', 'trusted operator - IT and business are not always sure of each other’s direction/priorities’, ‘business partner - IT understands and delivers on business needs', and 'innovator - Business and IT work together to achieve shared goals'.

    IT and other lines of business need to partner together – they are all part of the same overall business.

    Four puzzle pieces fitting together representing 'IT' and three other Lines of Business '(LOB)'

    <

    Why it’s important to establish a BRM program

    IT Benefits

    • Provides IT with a view of the lines of business they empower
    • Allows IT to be more proactive in providing solutions that help business partner teams
    • Allows IT to better manage their workload, as new requests can be prioritized and understood

    Business Benefits

    • Provides business teams with a view of the services that IT can help them with
    • Brings IT to the table with value-driven solutions
    • Creates an overall roadmap aligning both partners
    Ladder labelled 'Strategic Tactical Operational'.
    • Drive business value into the organization via innovative technology solutions.
    • Improve ability to meet and exceed business goals and objectives, resulting in more satisfied stakeholders (C-suite, board of directors).
    • Enhance ability to execute business activities to meet end-customer requirements and expectations, resulting in more satisfied customers.

    Increase your business benefits by moving up higher – from operational to tactical to strategic.

    Piggy bank labelled 'Business Value'.

    When IT understands the business, they provide better value

    Understanding all parties – including the business needs and context – is critical to effective business relationships.

    Establishing a focus on business relationship management is key to improving IT satisfaction.

    When business partners are satisfied that IT understands their needs, they have a higher perception of the value of overall IT

    Bar chart with axes 'Business satisfaction with IT understanding of needs' and 'Perception of IT value'. There is an upward trend.

    The relationship between the perception of IT value and business satisfaction is strong (r=0.89). Can you afford not to increase your understanding of business needs?

    (Source: Info-Tech Research Group diagnostic data/Business-Aligned IT Strategy blueprint (N=652 first-year organizations that completed the CIO Business Vision diagnostic))

    A tale of two IT partners

    Teleconference with an IT partner asking them to 'Tell me everything'.

    One IT partner approached their business partner without sufficient background knowledge to provide insights.

    The relationship was not strong and did not provide the business with the value they desired.

    Research your business and be prepared to apply your knowledge to be a better partner.

    Teleconference with an IT partner that approached with knowledge of your business and industry.

    The other IT partner approached with knowledge of the business and external parties (vendors, competitors, industry).

    The business partners received this positively. They invited the IT partners to meetings as they knew IT would bring value to their sessions.

    BRM success is measurable Measuring tape.

    1) Survey your stakeholders to measure improvements in customer satisfaction 2) Measure BRM success against the goals for the practice

    Business satisfaction survey

    • Audience: Business leaders
    • Frequency: Annual
    • Metrics:
      • Overall Satisfaction score
      • Overall Value score
      • Relationship Satisfaction:
        • Understand needs
        • Meet needs
        • Communication
    Two small tables showing example 'Value' and 'Satisfaction' scores. Dart board with five darts, each representing a goal, 'Demand Shaping', 'Value Realization', 'Servicing', 'Exploring', and 'Other Goal(s)'.
    Table with a breakdown of the example 'Satisfaction' score, with individual scores for 'Needs', 'Execution', and 'Communication'.

    Maturing your BRM practice is a journey

    Info-Tech has developed an approach that can be used by any organization to improve or successfully implement BRM. The same ladder as before with words 'Strategic', 'Tactical', 'Operational', and a person climbing on it. Become a Trusted Partner and Advisor
    KNOWLEDGE OF INDUSTRY

    STRATEGIC

    Value Creator and Innovator

    Strategic view of IT and the business with knowledge of the market and trends; a connector driving value-added services.

    KNOWLEDGE OF FUNCTIONS

    TACTICAL

    Influencer and Advocate

    Two-way voice between IT and business, understanding business processes and activities including IT touchpoints and growing tactical and strategic view of services and value.

    TABLE STAKES:
    COMMUNICATION
    SERVICE DELIVERY
    PROJECT DELIVERY

    OPERATIONAL

    Deliver

    Communication, service, and project delivery and fulfillment, initial engagement with and knowledge of the business.

    Foundation: Define and communicate the meaning and vision of BRM

    At each level, keep maturing your BRM practice

    ITPartnerWhat to do to move to the next level

    Strategic Partner

    Shared goals for maximizing value and shared risk and reward

    5

    Strategic view of IT and the business with knowledge of the market and trends; a connector driving value-added services.

    Value Creator and Innovator

    See partners as integral to business success and growth

    Focus on continuous learning and improvement.

    Trusted Advisor

    Cooperation based on mutual respect and understanding

    4

    Partners understand, work with, and help improve capabilities.

    Influencer and Advocate

    Sees IT as helpful and reliable

    Strategic: IT needs to demonstrate and apply knowledge of business, industry, and external influences.

    Service Provider

    Routine – innovation is a challenge

    3

    Two-way voice between IT and business; understanding business processes and activities including IT touchpoints and growing tactical and strategic view of services and value.

    Priorities set but still always falling behind.

    Views IT as helpful but they don’t provide guidance

    IT needs to excel in portfolio and transition management.

    Business needs to engage IT in strategy.

    Order Taker

    Distrust, reactive

    2

    Focuses on communication, service, and project delivery and fulfillment, initial engagement with and knowledge of the business.

    Delivery Service

    Engages with IT on an as-needed basis

    Improve Tactical: IT needs to demonstrate knowledge of the business they are in. IT to improve BRM and service management.

    Business needs to embrace BRM role and service management.

    Ad Hoc

    Loudest in, first out

    1

    Too busy doing the basics; in firefighter mode.

    Low satisfaction (cost, duration, quality)

    Improve Operational Behavior: IT to show value with “table stakes” – communication, service delivery, project delivery.

    IT needs to establish intake/demand management.


    Business to embrace a new way of approaching their partnership with IT.

    (Adapted from BRM Institute Maturity Model and Info-Tech’s own model)

    The Info-Tech path to implement BRM

    Use Info-Tech’s ASPIRe method to create a continuously improving BRM practice.

    Info-Tech's ASPIRe method visualized as a winding path. It begins with 'Role Definition', goes through many 'Role Refinements' and ends with 'Metrics'. The main steps to which the acronym refers are 'Assess', 'Situate', 'Plan', 'Implement', and 'Reassess & Embed'.

    Insight summary

    BRM is not just about communication, it’s about delivering on business value.

    Business relationship management isn’t just about having a pleasant relationship with stakeholders, nor is it about just delivering things they want. It’s about driving business value in everything that IT does and leveraging relationships with the business and IT, both within and outside your organization.

    Understand your current state to determine the best direction forward.

    Every organization will apply the BRM practice differently. Understand what’s needed within your organization to create the best fit.

    BRM is not just a communication conduit between IT and the business.

    When implemented properly, a BRM is a value creator, advocate, innovator, and influencer.

    The BRM role must be designed to match the maturity level of the IT organization and the business.

    Before you can create incremental business value, you must master the fundamentals of service and project delivery.

    Info-Tech Insight

    Knowledge of your current situation is only half the battle; knowledge of the business/industry is key.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Executive Buy-In and Communication Presentation Template

    Explain the need for the BRM practice and obtain buy-in from leadership and staff across the organization.

    Sample of Info-Tech's key deliverable, the Executive Buy-In and Communication Presentation Template.

    BRM Workbook

    Capture the thinking behind your organization’s BRM program.

    Sample of Info-Tech's BRM Workbook deliverable.

    BRM Stakeholder Engagement Plan Worksheet

    Worksheet to capture how the BRM practice will engage with stakeholders across the organization.

    Sample of Info-Tech's BRM Stakeholder Engagement Plan Worksheet deliverable.

    BRM Role Expectations Worksheet

    How business relationship management will be supported throughout the organization at a strategic, tactical, and operational level.

    Sample of Info-Tech's BRM Role Expectations Worksheet deliverable.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Phase 5

    Call #1: Discuss goals, current state, and an overview of BRM.

    Call #2: Examine business satisfaction and discuss results of SWOT.

    Call #3: Establish BRM mission, vision, and goals. Call #4: Develop guiding principles.

    Call #5: Establish the BRM operating model and role expectations.

    Call #6: Establish business value. Discuss stakeholders and engagement planning. Call #7: Develop metrics. Discuss portfolio management.

    Call #8: Develop a communication or rollout plan.

    Workshop Overview

    Complete the CIO-Business Vision diagnostic prior to the workshop.
    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Post-Workshop
    Activities
    Set the Foundation
    Assess & Situate
    Define the Operating Model
    Plan
    Define Engagement
    Implement
    Implement BRM
    Reassess
    Next steps and Wrap-Up (offsite)

    1.1 Discuss rationale and importance of business relationship management

    1.2 Review CIO BV results

    1.3 Conduct SWOT analysis (analyze strengths, weaknesses, opportunities, and threats)

    1.4 Establish BRM vision and mission

    1.5 Define objectives and goals for maturing the practice

    2.1 Create your list of guiding principles (optional)

    2.2 Define business value

    2.3. Establish the operating model for the BRM practice

    2.4 Define capabilities

    3.1. Identify key stakeholders

    3.2 Map, prioritize, and categorize the stakeholders

    3.4 Create an engagement plan

    4,1 Define metrics

    4.2 Identify remaining enablers/blockers for practice implementation

    4.3 Create roadmap

    4.4 Create communication plan

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. Summary of CIO Business Vision results
    2. Vision and list of objectives for the BRM program
    3. List of business and IT pain points
    1. BRM role descriptions, capabilities, and ownership definitions
    1. BRM reporting structure
    2. BRM engagement plans
    1. BRM communication plan
    2. BRM metrics tracking plan
    3. Action plan and next step
    1. Workshop Report

    ASSESS

    Assess

    1.1 Define BRM

    1.2 Analyze Satisfaction

    1.3 Assess SWOT

    Situate

    2.1 Create Vision

    2.2 Create the BRM Mission

    2.3 Establish Goals

    Plan

    3.1 Establish Guiding Principles

    3.2 Determine Where BRM Fits

    3.3 Establish BRM Expectations

    3.4 Identify Roles With BRM Responsibilities

    3.5 Align Capabilities

    Implement

    4.1 Brainstorm Sources of Business Value

    4.2 Identify Key Influencers

    4.3 Categorize the Stakeholders

    4.4 Create the Prioritization Map

    4.5 Create Your Engagement Plan

    Reassess & Embed

    5.1 Create Metrics

    5.2 Prioritize Your Projects

    5.3 Create a Portfolio Investment Map

    5.4 Establish Your Annual Plan

    5.5 Build Your Transformation Roadmap

    5.6 Create Your Communication Plan

    To assess BRM, clarify what it means to you

    Who are BRM relationships with? Octopus holding icons with labels 'Tech Partners', 'Lines of Business', and 'External Partners'. The BRM has multiple arms/legs to ensure they’re aligned with multiple parties – the partners within the lines of business, external partners, and technology partners.
    What does a BRM do? Engage the right stakeholders – orchestrate key roles, resources, and capabilities to help stimulate, shape, and harvest business value.

    Connect partners (IT and other business) with the resources needed.

    Help stakeholders navigate the organization and find the best path to business value.

    Three figures performing different actions, labelled 'orchestrate', 'connect', and 'navigate'.
    What does a BRM focus on? Circle bisected at many random points to create areas of different colors with four color-coded circles surrounding it. Demand Shaping – Surfacing and shaping business demand
    Value Harvesting – Identifying ways to increase business value and providing insights
    Exploring – Rationalizing demand and reviewing new business, technology, and industry insights
    Servicing – Managing expectations and facilitating business strategy; business capability road mapping

    Determine what business relationship management is

    Many organizations face business dissatisfaction because they do not understand what the role of a BRM should be.

    A BRM Is NOT:
    • Order taker
    • Service desk
    • Project manager
    • Business analyst
    • Service delivery manager
    • Service owner
    • Change manager
    A BRM Is:
    • Value creator
    • Innovator
    • Trusted advisor
    • Strategic partner
    • Influencer
    • Business subject matter expert
    • Advocate for the business
    • Champion for business process improvement
    Business relationship management does not mean a go-between for the business and IT. Its focus should be on delivering VALUE and INNOVATIVE SOLUTIONS to the business.

    1.1 What is BRM?

    1 hour

    Input: Your preliminary thoughts and ideas on BRM

    Output: Themes summarizing what BRM will be at your organization

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Each team member will take a colored sticky note to capture what BRM is and what it isn’t.
    2. As a group, review and discuss the sticky notes.
    3. Group them into themes summarizing what BRM will be at your organization.
    4. Leverage the workbook to brainstorm the definition of BRM at your organization.
    5. Create a refined summary statement and capture it in the Executive Buy-In and Communication Template.

    Download the BRM Workbook

    Download the Executive Buy-In and Communication Template

    It’s important to understand what the business thinks; ask them the right questions

    Leverage the CIO Business Vision Diagnostic to provide clarity on:
    • The organization’s view on satisfaction and importance of core IT services
    • Satisfaction across business priorities
    • IT’s capacity to meet business needs

    Contact your Account Representative to get started

    Sample of various scorecards from the CIO Business Vision Diagnostic.

    1.2 Use their responses to help guide your BRM program

    1 hour

    Input: CIO-Business Vision Diagnostic, Other business feedback

    Output: Summary of your partners’ view of the IT relationship

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: CIO, IT management team

    1. Complete the CIO Business Vision diagnostic.
    2. Analyze the findings from the Business Vision diagnostic or other business relationship and satisfaction surveys. Key areas to look at include:
      • Overall IT Satisfaction
      • IT Value
      • Relationship (Understands Needs, Communicates Effectively, Executes Requests, Trains Effectively)
      • Shadow IT
      • Capacity Needs
      • Business Objectives
    3. Capture the following on your analysis:
      • Success stories – what your business partners are satisfied with
      • Challenges – are the responses consistent across departments?
    4. Leverage the workbook to capture your findings the goals. Key highlights should be documented in the Executive Buy-In and Communication Template.

    Use the BRM Workbook to capture ideas

    Polish the goals in the Executive Buy-In and Communication Template

    Perform a SWOT analysis to explore internal and external business factors

    A SWOT analysis is a structured planning method organizations use to evaluate the effects of internal strengths and weaknesses and external opportunities and threats on a project or business venture.

    Why It Is Important

    • Business SWOT reveals internal and external trends that affect the business. You may uncover relevant information about the business that the other analysis methods did not reveal.
    • The organizational strengths or weaknesses will shed some light on implications that you might not have considered otherwise, such as brand perception or internal staff capability to change.

    Key Tips/Information

    • Although this activity is simple in theory, there is much value to be gained when performed effectively.
    • Focus on weaknesses that can cause a competitive disadvantage and strengths that can cause a competitive advantage.
    • Rank your opportunities and threats based on impact and probability.
    • Info-Tech members who have derived the most insights from a business SWOT analysis usually involved business stakeholders in the analysis.

    SWOT diagram split into four quadrants representing 'Strengths' at top left, 'Opportunities' at bottom left, 'Weaknesses' at top right, and 'Threats' at bottom right.

    Review these questions to help you conduct your SWOT analysis on the business

    Strengths (Internal)
    • What competitive advantage does your organization have?
    • What do you do better than anyone else?
    • What makes you unique (human resources, product offering, experience, etc.)?
    • Do you have location, price, cost, or quality advantages?
    • Does your organizational culture offer an advantage (hiring the best people, etc.)?
    • Do you have a high level of customer engagement or satisfaction?
    Weaknesses (Internal)
    • What areas of your business require improvement?
    • Are there gaps in capabilities?
    • Do you have financial vulnerabilities?
    • Are there leadership gaps (succession, poor management, etc.)?
    • Are there reputational issues?
    • Are there factors contributing to declining sales?
    Opportunities (External)
    • Are there market developments or new markets?
    • Are there industry or lifestyle trends (move to mobile, etc.)?
    • Are there geographical changes in the market?
    • Are there new partnerships or mergers and acquisitions (M&A) opportunities?
    • Are there seasonal factors that can be used to the advantage of the business?
    • Are there demographic changes that can be used to the advantage of the business?
    Threats (External)
    • Are there obstacles that the organization must face?
    • Are there issues with respect to sourcing of staff or technologies?
    • Are there changes in market demand?
    • Are your competitors making changes that you are not making?
    • Are there economic issues that could affect your business?

    1.3 Analyze internal and external business factors using a SWOT analysis

    1 hour

    Input: IT and business stakeholder expertise

    Output: Analysis of internal and external factors impacting the IT organization

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: CIO, IT management team

    1. Break the group into two teams:
      • Assign team A internal strengths and weaknesses.
      • Assign team B external opportunities and threats.
    2. Think about strengths, weaknesses, opportunities, and threats as they pertain to the IT-business relationship. Consider people, process, and technology elements.
    3. Have the teams brainstorm items that fit in their assigned grids. Use the prompt questions on the previous slide as guidance.
    4. Pick someone from each group to fill in the SWOT grid.
    5. Conduct a group discussion about the items on the list; identify implications for the BRM/IT.

    Capture in the BRM Workbook

    SITUATE

    Assess

    1.1 Define BRM

    1.2 Analyze Satisfaction

    1.3 Assess SWOT

    Situate

    2.1 Create Vision

    2.2 Create the BRM Mission

    2.3 Establish Goals

    Plan

    3.1 Establish Guiding Principles

    3.2 Determine Where BRM Fits

    3.3 Establish BRM Expectations

    3.4 Identify Roles With BRM Responsibilities

    3.5 Align Capabilities

    Implement

    4.1 Brainstorm Sources of Business Value

    4.2 Identify Key Influencers

    4.3 Categorize the Stakeholders

    4.4 Create the Prioritization Map

    4.5 Create Your Engagement Plan

    Reassess & Embed

    5.1 Create Metrics

    5.2 Prioritize Your Projects

    5.3 Create a Portfolio Investment Map

    5.4 Establish Your Annual Plan

    5.5 Build Your Transformation Roadmap

    5.6 Create Your Communication Plan

    Your strategy informs your BRM program

    Your strategy is a critical input into your program. Extract critical components of your strategy and convert them into a set of actionable principles that will guide the selection of your operating model.

    Sample of Info-Tech's 'Build a Business-Aligned IT Strategy' blueprint.

    Vision, Mission & Principles Chevron pointing right.
    • Leverage your vision and mission statements that communicate aspirations and purpose for key information that can be turned into design principles.
    Business Goal Implications Chevron pointing right.
    • Implications are derived from your business goals and will provide important context about the way BRM needs to change to meet its overarching objectives.
    • Understand how those implications will change the way that work needs to be done – new capabilities, new roles, new modes of delivery, etc.
    Target-State Maturity Chevron pointing right.
    • Determine your target-state relationship maturity for your organization using the BRM goals that have been uncovered.

    Outline your mission and vision for your BRM practice

    If you don’t know where you’re trying to go, how do you know if you’ve arrived?

    Establish the vision of what your BRM practice will achieve.

    Your vision will paint a picture for your stakeholders, letting them know where you want to go with your BRM practice.

    Stock image of a hand painting on a large canvas.

    The vision will also help motivate and inspire your team members so they understand how they contribute to the organization.

    Your strategy must align with and support your organization’s strategy.

    Good Visions
    • Attainable – Aspirational but still within reach
    • Communicable – Easy to comprehend
    • Memorable – Not easily forgotten
    • Practical – Solid, realistic
    • Shared – Create a culture of shared ownership across the team/company
    When Visions Fail
    • Not Shared: Lack of buy-in, no alignment with stakeholders
    • Impractical: No plan or strategy to deliver on the vision
    • Unattainable: Set too far in the future
    • Forgettable: Not championed, not kept in mind
    (Source: UX Magazine, 2011)

    Derive the BRM vision statement

    Stock image of an easel with a bundle of paint brushes beside it. Begin the process of deriving the business relationship management vision statement by examining your business and user concerns. These are the problems your organization is trying to solve.
    Icon of one person asking another a question.
    Problem Statements
    First, ask what problems your organization hopes to solve.
    Icon of a magnifying glass on a box.
    Analysis
    Second, ask what success would look like when those problems were solved.
    Icon of two photos in quotes.
    Vision Statement
    Third, polish the answer into a short but meaningful phrase.

    Paint the picture for your team and stakeholders so that they align on what BRM will achieve.

    Vision statements demonstrate what your practice “aspires to be”

    Your vision statement communicates a desired future state of the BRM organization. The statement is expressed in the present tense. It seeks to articulate the desired role of business relationship management and how it will be perceived.

    Sample vision statements:

    • To be a trusted advisor and partner in enabling business innovation and growth through an engaged design practice.
    • The group will strive to become a world-class value center that is a catalyst for innovation.
    • Apple: “We believe that we are on the face of the earth to make great products and that’s not changing.” (Mission Statement Academy, May 2019.)
    • Coca-Cola: “To refresh the world in mind, body, and spirit, to inspire moments of optimism and happiness through our brands and actions, and to create value and make a difference.” (Mission Statement Academy, August 2019.)

    2.1 Vision generation

    1 hour

    Input: IT and business strategies

    Output: Vision statement

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Review the goals and the sample vision statements provided on the previous slide.
    2. Brainstorm possible vision statements that can apply to your practice. Refer to the guidance provided on the previous page – ensure that it paints a picture for the reader to show the desired target state.
    3. Leverage the workbook to brainstorm the vision. Capture the refined statement in the Executive Buy-In and Communication Template.
    Strong vision statements have the following characteristics
    • Describe a desired future
    • Focus on ends, not means
    • Communicate promise
    • Concise, no unnecessary words
    • Compelling
    • Achievable
    • Inspirational
    • Memorable

    Use the BRM Workbook to capture ideas

    Polish the goals in the Executive Buy-In and Communication Template

    Create the mission statement from the problems and the vision statement

    Your mission demonstrates your current intent and the purpose driving you to achieve your vision.

    It reflects what the organization does for users/customers.

    The main word 'Analysis' is sandwiched between 'Goals and Problems' and 'Vision Statement', each with arrow pointing to the middle. Make sure the practice’s mission statement reflects answers to the questions below:

    The questions:

    • What does the organization do?
    • How does the organization do it?
    • For whom does the organization do it?
    • What value is the organization bringing?

    “A mission statement illustrates the purpose of the organization, what it does, and what it intends on achieving. Its main function is to provide direction to the organization and highlight what it needs to do to achieve its vision.” (Joel Klein, BizTank (in Hull, “Answer 4 questions to get a great mission statement.”))

    Sample mission statements

    To enhance the lives of our end users through our products so that our brand becomes synonymous with user-centricity.

    To enable innovative services that are seamless and enjoyable to our customers so that together we can inspire change.

    Apple’s mission statement: “To bring the best user experience to its customers through its innovative hardware, software, and services.” (Mission Statement Academy, May 2019.)

    Coca Cola’s mission statement: “To refresh the world in mind, body, and spirit, to inspire moments of optimism and happiness through our brands and actions, and to create value and make a difference.” (Mission Statement Academy, August 2019.)

    Tip: Using the “To … so that” format helps to keep your mission focused on the “why.”

    2.2 Develop your own mission statement

    1 hour

    Input: IT and business strategies, Vision

    Output: Mission statement

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Review the goals and the vision statement generated in the previous activities.
    2. Brainstorm possible mission statements that can apply to your BRM practice. Capture this in your BRM workbook.
    3. Refine your mission statement. Refer to the guidance provided on the previous page – ensure that the mission provides “the why”. Document the refined mission statement in the Executive Buy-In and Communication Template.

    “People don't buy what you do; they buy why you do it and what you do simply proves what you believe.” (Sinek, Transcript of “How Great Leaders Inspire Action.”)

    Download the BRM Workbook

    Download the Executive Buy-In and Communication Template

    Areas that BRMs focus on include:

    Establish how much of these your practice will focus on.

    VALUE HARVESTING
    • Tracks and reviews performance
    • Identifies ways to increase business value
    • Provides insights on the results of business change/initiatives
    Circle bisected at many random points to create areas of different colors with four color-coded circles surrounding it. DEMAND SHAPING
    • Isn’t just demand/intake management
    • Surfaces and shapes business demand
    • Is influenced by knowledge of the overall business and external entities
    SERVICING
    • Coordinates resources
    • Manages expectations
    • Facilitates business strategy, business capability road-mapping, and portfolio and program management
    EXPLORING
    • Identifies and rationalizes demand
    • Reviews new business, technology, and industry insights
    • Identifies business value initiatives

    Establish what success means for your focus areas

    Brainstorm objectives and success areas for your BRM practice.

    Circle bisected at many random points to create areas of different colors with four color-coded circles surrounding it. VALUE HARVESTING
    Success may mean that you:
    • Understand the drivers and what the business needs to attain
    • Demonstrate focus on value in discussions
    • Ensure value is achieved, tracking it during and beyond deployment
    DEMAND SHAPING
    Success may mean that you:
    • Understand the business
    • Are engaged at business meetings (invited to the table)
    • Understand IT; communicate clarity around IT to the business
    • Help IT prioritize needs
    SERVICING
    Success may mean that you:
    • Understand IT services and service levels that are required
    • Provide clarity around services and communicate costs and risks
    EXPLORING
    Success may mean that you:
    • Surface new opportunities based on understanding of pain points and growth needs
    • Research and partner with others to further the business
    • Engage resources with a focus on the value to be delivered

    2.3 Establish BRM goals

    1 hour

    Input: Mission and vision statements

    Output: List of goals

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: CIO, IT management team, BRM team

    1. Use the previous slides as a starting point – review the focus areas and sample associated objectives.
    2. Determine if all apply to your role.
    3. Brainstorm the objectives for your BRM practice.
    4. Discuss and refine the objectives and goals until the team agrees on your starting set.
    5. Leverage the workbook to establish the goals. Capture refined goals in the Executive Buy-In and Communication Template.

    Download the BRM Workbook

    Download the Executive Buy-In and Communication Template

    PLAN

    Assess

    1.1 Define BRM

    1.2 Analyze Satisfaction

    1.3 Assess SWOT

    Situate

    2.1 Create Vision

    2.2 Create the BRM Mission

    2.3 Establish Goals

    Plan

    3.1 Establish Guiding Principles

    3.2 Determine Where BRM Fits

    3.3 Establish BRM Expectations

    3.4 Identify Roles With BRM Responsibilities

    3.5 Align Capabilities

    Implement

    4.1 Brainstorm Sources of Business Value

    4.2 Identify Key Influencers

    4.3 Categorize the Stakeholders

    4.4 Create the Prioritization Map

    4.5 Create Your Engagement Plan

    Reassess & Embed

    5.1 Create Metrics

    5.2 Prioritize Your Projects

    5.3 Create a Portfolio Investment Map

    5.4 Establish Your Annual Plan

    5.5 Build Your Transformation Roadmap

    5.6 Create Your Communication Plan

    Guiding principles help you focus the development of your practice

    Your guiding principles should define a set of loose rules that can be used to design your BRM practice to the specific needs of the organization and work that needs to be done.

    These rules will guide you through the establishment of your BRM practice and help you explain to your stakeholders the rationale behind organizing in a specific way.

    Sample Guiding Principles

    Principle Name

    Principle Statement

    Customer Focus We will prioritize internal and external customer perspectives
    External Trends We will monitor and liaise with external organizations to bring best practices and learnings into our own
    Organizational Span We embed relationship management across all levels of leadership in IT
    Role If the resource does not have a seat at the table, they are not performing the BRM role

    3.1 Establish guiding principles (optional activity)

    Input: Mission and vision statements

    Output: BRM guiding principles

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Think about strengths, weaknesses, opportunities, and threats as well as the overarching goals, mission, and vision.
    2. Identify a set of principles that the BRM practice should have. Guiding principles are shared, long-lasting beliefs that guide the use of business relationship management in your organization.

    Download the BRM Workbook

    Download the Executive Buy-In and Communication Template

    Establish the BRM partner model and alignment

    Having the right model and support is just as important as having the right people.

    Gears with different BRM model terms: 'BRM Capabilities', 'BRM & Other Roles', 'Scope (pilot)', 'Operating Unit', 'BRM Expectations Across the organization', and 'Delivery & Support'.

    Don’t boil the ocean: Start small

    It may be useful to pilot the BRM practice with a small group within the organization – this gives you the opportunity to learn from the pilot and share best practices as you expand your BRM practice.

    You can leverage the pilot business unit’s feedback to help obtain buy-in from additional groups.

    Evaluate the approaches for your pilot:
    Work With an Engaged Business Unit
    Icon of a magnifying glass over a group of people.

    This approach can allow you to find a champion group and establish quick wins.

    Target Underperforming Area(s)
    Icon of an ambulance.

    This approach can allow you to establish significant wins, providing new opportunities for value.

    Target the Area(s) Driving the Most Business Value
    Icon of an arrow in a bullseye.

    Provide the largest positive impact on your portfolio’s ability to drive business value; for large strategic or transformative goals.

    Work Across a Single Business Process
    Icon of a process tree.

    This approach addresses a single business process or operation that exists across business units, departments, or locations. This, again, will allow you to limit the number of stakeholders.

    Leverage BRM goals to determine where the role fits within the organization

    Organization tree with a strategic BRM.

    Strategic BRMs are considered IT leaders, often reporting to the CIO.


    Organization tree with an operational BRM.

    In product-aligned organizations, the product owners will own the strategic business relationship from a product perspective (often across LOB), while BRMs will own the strategic role for the line(s) of businesses (often across products) that they hold a relationship with. The BRM role may be played by a product family leader.


    Organization tree with a BRM in a product-aligned organization.

    BRMs may take on a more operational function when they are embedded within another group, such as the PMO. This manifests in:

    • Accountability for projects and programs
    • BRM conversations around projects and programs rather than overall needs
    • Often, there is less focus on stimulating need, more about managing demand
    • This structure may be useful for smaller organizations or where organizations are piloting the relationship capability

    Use the IT structure and the business structure to determine how to align BRM and business partners. Many organizations ensure that each LOB has a designated BRM, but each BRM may work with multiple LOBs. Ensure your alignment provides an even and manageable distribution of work.

    Don’t be intimidated by those who play a significant role in relationship management

    Layers representing the BRM, BA, and Product Owner. Business Relationship Manager: Portfolio View
    • Ongoing with broader organization-wide objectives
    • A BRM’s strategic perspective is focused across projects and products
    The BRM will look holistically across a portfolio, rather than on specific projects or products. Their focus is ensuring value is delivered that impacts the overall organization. Multiple BRMs may be responsible for lines of businesses and ensure that products and project enable LOBs effectively.
    Business Analyst: Product or Project View
    • Works within a project or product
    • Accomplishes specific objectives within the project/product
    The BA tends to be involved in project work – to that end, they are often brought in a bit before a project begins to better understand the context. They also often remain after the project is complete to ensure project value is delivered. However, their main focus is on delivering the objectives within the project.
    Product Owner: Product View
    • Ongoing and strategic view of entire product, with product-specific objectives
    The Product Owner bridges the gap between the business and delivery to ensure their product continuously delivers value. Their focus is on the product.

    3.2 Establish the BRM’s place in the organizational structure

    Input: BRM goals, IT organizational structure, Business organizational structure

    Output: BRM operating model

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Review the current organizational structure – both IT and overall business.
    2. Think about the maturity of the IT organization and what you and your partners will be able to support at this stage in the relationship or journey. Establish whether it is necessary to start with a pilot.
    3. Consider the reporting relationship that is required to support the desired maturity of your practice – who will your BRM function report into?
    4. Consider the distribution of work from your business partners. Establish which BRM is responsible for which partners.
    5. Document where the BRM fits in the organization in the Executive Buy-In and Communication Template.

    Download the BRM Workbook

    Download the Executive Buy-In and Communication Template

    Align your titles to your business partners and ensure it demonstrates your strategic goals

    Some titles that may reflect alignment with your partners:
    • Business Capability Manager
    • Business Information Officer
    • Business Relationship Manager
    • Director, Technology Partner
    • IT Business Relationship Manager
    • People Relationship Manager
    • Relationship and Strategy Officer
    • Strategic Partnership Director
    • Technology Partner/People Partner/Finance Partner/etc.
    • Value Management Officer

    Support BRM team members might have “analyst” or “coordinator” as part of their titles.

    Caution when using these titles:
    • Account Manager (do you see your stakeholders as accounts or as partners?)
    • Customer Relationship Manager (do you see your stakeholders as customers or as partners?)
    • People Partner (differentiate your role from HR)

    Determine the expectations for your BRM role(s)

    Below are standard expectations from BRM job descriptions. Establish whether there are changes required for your organization.

    Act as a Relationship Manager
    • Build strong, collaborative relationships with business clients
    • Build strong, collaborative relationships with IT service owners
    • Track client satisfaction with services provided
    • Continuously improve, based on feedback from clients
    Communicate With Business Stakeholders
    • Ensure that effective communication occurs related to service delivery and project delivery (e.g. planned downtime, changes, open tickets)
    • Manage expectations of multiple business stakeholders
    • Provide a clear point of contact within IT for each business stakeholder
    • Act as a bridge between IT and the business
    Service Delivery

    Service delivery breaks out into three activities: service status, changes, and service desk tickets

    • Understand at a high level the services and technologies in use
    • Work with clients to plan and make sure they understand the relevance and impact of IT changes to their operations
    • Define, agree to, and report on key service metrics
    • Act as an escalation point for major issues with any aspect of service delivery
    • Work with service owners to develop and monitor service improvement plans
    Project/Product Delivery
    • Ensure that the project teams provide regular reports regarding project status, issues, and changes
    • Work with project managers and clients to ensure project requirements are well understood and documented and approved by all stakeholders
    • Ensure that the project teams provide key project metrics on a regular basis to all relevant stakeholders

    Determine role expectations (slide 2 of 3)

    Knowledge of the Business

    Understand the main business activities for each department:

    • Understand which IT services are required to complete each business activity
    • Understand business processes and associated business activities for each user group within a department
    Advocate for Your Business Clients
    • Act as an advocate for the client – be invested in client success
    • Understand the strategies and plans of the clients and help develop an IT strategic plan/roadmap that maps to business strategies
    • Help the business understand project governance processes
    • Help clients to develop proposals and advance them through the project intake and assessment process
    Influence Business and IT Stakeholders
    • Influence business and IT stakeholders at multiple levels of the organization to help clients achieve their business objectives
    • Leverage existing relationships to convince decision makers to move forward with business and IT initiatives that will benefit the department and the organization as a whole
    • Understand and solve issues and challenges such as differing agendas, political considerations, and resistance to change
    Knowledge of the Market
    • Understand the industry – trends, competition, future direction
    • Leverage what others are doing to bring innovative ideas to the organization
    • Understand what end customers expect with regards to IT services and bring this intelligence to business leaders and decision makers

    Determine role expectations (slide 3 of 3)

    Value Creator
    • Understand how services currently offered by IT can be put to best use and create value for the business
    • Work collaboratively with clients to define and prioritize technology initiatives (new or enhanced services) that will bring the most business benefit
    • Lead initiatives that help the business achieve or exceed business goals and objectives
    • Lead initiatives that create business value (increased revenue, lower costs, increased efficiency) for the organization
    Innovator
    • Lead initiatives that result in new and better ways of doing business
    • Identify opportunities for using IT in new and innovative ways to bring value to the business and drive the business forward
    • Leverage knowledge of the business, knowledge of the industry, and knowledge of leading-edge technological solutions to transform the way the business operates and provides services to its customers

    3.3 Establish BRM expectations

    Input: BRM goals

    Output: BRM expectations

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Review the BRM expectations on the previous slides.
    2. Customize them – are they the appropriate set of expectations needed for your organization? What needs to be edited in or out?
    3. Add relevant expectations – what are the things that need to be done in the BRM practice at your organization?
    4. Leverage the workbook to brainstorm BRM expectations. Make sure you update them in the BRM Role Expectation Spreadsheet.

    Download the BRM Workbook

    Download the Executive Buy-In and Communication Template

    Various roles and levels within your organization may have a part of the BRM pie

    Where the BRM sits will impact what they are able to get done.

    The BRM role is a strategic one, but other roles in the organization have a part to play in impacting IT-partner relationship.

    Some roles may have a more strategic focus, while others may have a more tactical or operational focus.

    3.4 Identify roles with BRM responsibilities

    Input: BRM goals

    Output: BRM-aligned roles

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Various roles can play a part in the BRM practice, managing business relationships. Which ones make sense in your organization, given the BRM goals?
    2. Identify the roles and capture in the BRM Role Expectation Spreadsheet. Use the Role Expectation Alignment tab, row 1.


    Download the Role Expectations Worksheet

    Determine the focus for each role that may manage business relationships

    Icon of a telescope. STRATEGIC Sets Direction: Focus of the activities is at the holistic, enterprise business level “relating to the identification of long-term or overall aims and interests and the means of achieving them” e.g. builds overarching relationships to enable and support the organization’s strategy; has strategic conversations
    Icon of a house in a location marker. TACTICAL Figures Out the How: Focuses on the tactics required to achieve the strategic focus “skillful in devising means to ends” e.g. builds relationships specific to tactics (projects, products, etc.)
    Icon of a gear cog with a checkmark. OPERATIONAL Executes on the Direction: Day-to-day operations; how things get done “relating to the routine functioning and activities of a business or organization” e.g. builds and leverages relationships to accomplish specific goals (within a project or product)

    3.5 Align BRM capabilities to roles

    Input: Current-state model, Business value matrix, Objectives and goals

    Output: BRM-aligned roles

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Review each group of role expectations – Act as a Relationship Manager, Communicate with Business Stakeholders, etc. For each group, determine the focus each role can apply to it – strategic, tactical, or operational. Refer to the previous slide for examples.
    2. Capture on the spreadsheet:
      • S – This role is required to have a strategic view of the capabilities. They are accountable and set direction for this aspect of relationship management.
      • T – Indicate if the role is required to have a tactical view of the capabilities. This would include whether the role is required to figure out how the capabilities will be done; for example, is the role responsible for carrying out service management or are they just involved to ensure that that set of expectations are being performed?
      • O – Indicate if the role will have an operational view – are they the ones responsible for doing the work?
      • Note: In some organizations, a role may have more than one of these.
    3. The spreadsheet will highlight the cells in green if the role plays more of the strategic role, yellow for tactical, and brown for operational. This provides an overall visual of each role’s part in relationship management.
    4. (Optional) Review each detailed expectation within the group. Evaluate whether specific roles will have a different focus on the unique role expectations.

    Leverage the Role Expectations Worksheet

    Sample role expectation alignment

    Sample of a role expectation alignment table with expectation names and descriptions on the left and a matrix of which roles should have a Strategic (S), Tactical (T), or Operational (O) view of the capabilities.

    IMPLEMENT

    Assess

    1.1 Define BRM

    1.2 Analyze Satisfaction

    1.3 Assess SWOT

    Situate

    2.1 Create Vision

    2.2 Create the BRM Mission

    2.3 Establish Goals

    Plan

    3.1 Establish Guiding Principles

    3.2 Determine Where BRM Fits

    3.3 Establish BRM Expectations

    3.4 Identify Roles With BRM Responsibilities

    3.5 Align Capabilities

    Implement

    4.1 Brainstorm Sources of Business Value

    4.2 Identify Key Influencers

    4.3 Categorize the Stakeholders

    4.4 Create the Prioritization Map

    4.5 Create Your Engagement Plan

    Reassess & Embed

    5.1 Create Metrics

    5.2 Prioritize Your Projects

    5.3 Create a Portfolio Investment Map

    5.4 Establish Your Annual Plan

    5.5 Build Your Transformation Roadmap

    5.6 Create Your Communication Plan

    Speak the same language as your partners: Business Value

    Business value represents the desired outcome from achieving business priorities.

    Value is not only about revenue or reduced expenses. Use this internal-external and capability-financial business value matrix to more holistically consider what is valuable to stakeholders.

    Improved Capabilities
    Enhance Services
    Products and services that enable business capabilities and improve an organization’s ability to perform its internal operations.
    Increase Customer Satisfaction
    Products and services that enable and improve the interaction with customers or produce practical market information and insights.
    Inward Outward
    Save Money
    Products and services that reduce overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not put in place.
    Make money
    (Return on Investment)
    Products and services that are specifically related to the impact on an organization’s ability to create a return on investment.
    Financial Benefits

    Business Value Matrix Axes:

    Financial Benefits vs. Improved Capabilities
    • Improved capabilities refers to the enhancement of business capabilities and skill sets.
    • Financial Benefits refers to the degree in which the value source can be measured through monetary metrics and is often highly tangible.
    Inward vs. Outward Orientation
    • Inward refers to value sources that have an internal impact an organization’s effectiveness and efficiency in performing its operations.
    • Outward refers to value sources that come from interactions with external factors, such as the market or your customers.

    4.1 Activity: Brainstorm sources of business value

    Input: Product and service knowledge, Business process knowledge

    Output: Understanding of different sources of business value

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Identify your key stakeholders. These individuals are the critical business strategic partners in the organization’s governing bodies.
    2. Brainstorm the different types of business value that the BRM practice can produce.
    3. Is the item more focused on improving capabilities or generating financial benefits?
    4. Is the item focused on the customers you serve or the IT team?
    5. Enter your value item into a cell on the Business Value Matrix based on where it falls on these axes.
    6. Start to think about metrics you can use to measure how effective the product or service is at generating the value source.
    Simplified version of the Business Value Matrix on the previous slide.

    Use the BRM Workbook to capture sources of business value

    Brainstorm the different sources of business value (continued)

    See appendix for more information on value drivers:
    Example:
    Enhance Services
    • Dashboards/IT Situational Awareness
    • Improve measurement of services for data-driven analytics that can improve services
    • Collaborate to support Enterprise Architecture
    • Approval for and support of new applications per customer demand
    • Provide consultation for IT issues
    Axis arrow with 'Improved Capabilities'.
    Axis arrow with 'Financial Benefits'.
    Reach Customers
    • Provide technology roadmaps for IT services and devices
    • Improved "PR" presence: websites, service catalog, etc.
    • Enhance customer experience
    • Faster Time-to-market delivering innovative technologies and current services
    Axis arrow with 'Inward'.Axis arrow with 'Outward'.
    Reduce Costs
    • Achieve better pricing through enterprise agreements for IT services that are duplicated across several orgs
    • Prioritization/ development of roadmap
    • Portfolio management / reduce duplication of services
    • Evolve resourcing strategies to integrate teams (e.g. do more with less)
    Return on Investment
    • Customer -focused dashboards
    • Encourage use of centralized services through external collaboration capabilities that fit multiple use cases
    • Devise strategies for measured/supported migration from older IT systems/software

    Implications of ineffective stakeholder management

    A stakeholder is any group or individual who is impacted by (or impacts) your objectives.

    Challenges with stakeholder management can result from a self-focused point of view. Avoid these challenges by taking on the other’s perspectives – what’s in it for them.

    The key objectives of stakeholder management are to improve outcomes, increase confidence, and enhance trust in IT.

    • Obtain commitment of executive management for IT-related objectives.
    • Enhance alignment between IT and the business.
    • Improve understanding of business requirements.
    • Improve implementation of technology to support business processes.
    • Enhance transparency of IT costs, risks, and benefits.

    Challenges

    • Stakeholders are missed or new stakeholders are identified too late.
    • IT has a tendency to only look for direct stakeholders. Indirect and hidden stakeholders are not considered.
    • Stakeholders may have conflicting priorities, different visions, and different needs. Keeping every stakeholder happy is impossible.
    • IT has a lack of business understanding and uses jargon and technical language that is not understood by stakeholders.

    Implications

    • Unanticipated stakeholders and negative changes in stakeholder sentiment can derail initiatives.
    • Direct stakeholders are identified, but unidentified indirect or hidden stakeholders cause a major impact to the initiative.
    • The CIO attempts to trade off competing agendas and ends up caught in the middle and pleasing no one.
    • There is a failure in understanding and communications, leading stakeholders to become disenchanted with IT.

    Cheat Sheet: Identify stakeholders

    Ask stakeholders “who else should I be talking to?” to discover additional stakeholders and ensure you don’t miss anyone.

    List the people who are identified through the following questions: Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.
    • Who will be adversely affected by potential environmental and social impacts in areas of influence that are affected by what you are doing?
    • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
    • Will other stakeholders emerge as the phases are started and completed?
    • Who is sponsoring the initiative?
    • Who benefits from the initiative?
    • Who loses from the initiative?
    • Who can make approvals?
    • Who controls resources?
    • Who has specialist skills?
    • Who implements the changes?
    • Who are the owners, governors, customers, and suppliers to impacted capabilities or functions?

    Executives

    Peers

    Direct reports

    Partners

    Customers

    Stock image of a world.

    Subcontractors

    Suppliers

    Contractors

    Lobby groups

    Regulatory agencies

    Establish your stakeholder network “map”

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    Your stakeholder map defines the influence landscape your BRM team operates in. It is every bit as important as the teams who enhance, support, and operate your products directly.

    Notes on the network map

    • Pay special attention to influencers who have many arrows; they are called “connectors,” and due to their diverse reach of influence, should themselves be treated as significant stakeholders.
    • Don’t forget to consider the through-lines from one influencer through intermediate stakeholders or influencers to the final stakeholder – a single influencer may have additional influence via multiple, possibly indirect paths to a single stakeholder.

    Legend for the example stakeholder network map below. 'Black arrows indicate the direction of professional influence'. 'Dashed green arrows indicate bidirectional, informal influence relationships'

    Example stakeholder network map visualizing relationships between different stakeholders.

    4.2 Visualize interrelationships among stakeholders to identify key influencers

    Input: List of stakeholders

    Output: Relationships among stakeholders and influencers

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. List direct stakeholders for your area. Ensure it includes stakeholders across the organization (both IT and business units).
    2. Determine the stakeholders of your stakeholders. Consider adding each of them to the stakeholder list: assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    3. Create a stakeholder network map to visualize relationships.
      • (Optional) Use black arrows to indicate the direction of professional influence.
      • (Optional) Use dashed green arrows to indicate bidirectional, informal influence relationships.
    4. Capture the list or diagram of your stakeholders in your workbook.

    Use the BRM Workbook to capture stakeholders

    Categorize your stakeholders with a stakeholder prioritization map

    A stakeholder prioritization map help teams categorize their stakeholders by their level or influence and ownership.

    There are four areas in the map and the stakeholders within each area should be treated differently.

    • Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical and a lack of support can cause significant impediment to the objectives.
    • Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
    • Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
    • Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

    Stakeholder prioritization map with axes 'Influence' and 'Ownership/Interest' splitting the map into four quadrants: 'Spectators Low/Low', 'Noisemakers Low/High', 'Mediators High/Low', and 'Players High/High'.

    4.3 Group your stakeholders into categories

    Input: Stakeholder Map

    Output: Categorization of stakeholders and influencers

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Identify your stakeholder’s interest in and influence on your BRM program.
    2. Map your results to the quadrant in your workbook to determine each stakeholder’s category.

    Stakeholder prioritization map with example 'Stakeholders' placed in or across the four quadrants.

    Level of Influence

    • Power: Ability of a stakeholder to effect change.
    • Urgency: Degree of immediacy demanded.
    • Legitimacy: Perceived validity of stakeholder’s claim.
    • Volume: How loud their “voice” is or could become.
    • Contribution: What they have that is of value to you.

    Level of Interest

    How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

    Use the BRM Workbook to map your stakeholders

    Define strategies for engaging stakeholders by type

    Each group of stakeholders draws attention and resources away from critical tasks.

    By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of the Mediators and Players are met.

    Type Quadrant Actions
    Players High influence; high interest Actively Engage
    Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
    Mediators High influence; low interest Keep Satisfied
    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence; high interest Keep Informed
    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
    Spectators Low influence; low interest Monitor
    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Apply a third dimension for stakeholder prioritization: support.

    Support, in addition to interest and influence, is used to prioritize which stakeholders are should receive the focus of your attention. This table indicates how stakeholders are ranked:

    Table with 'Stakeholder Categories' and their 'Level of Support' for prioritizing. Support levels are 'Supporter', 'Evangelist', 'Neutral', and 'Blocker'.

    Support can be determined by rating the following question: how likely is it that your stakeholder would recommend IT at your organization/your group? Our four categories of support:

    • Blocker – beware of the blocker. These stakeholders do not support your cause and have the necessary drive to impede the achievement of your objectives.
    • Semi-Supporter – while these stakeholders are committed to your objectives, they are somewhat apathetic to advocate on your behalf. They will support you so long as it does not require much effort from them to do so.
    • Neutral – neutrals do not have much commitment to your objectives and are not willing to expend much energy to either support or detract from them.
    • Supporter – these stakeholders are committed to your initiative and are willing to whole-heartedly provide you with support.

    4.4 Update your stakeholder quadrant to include the three dimensions

    Input: Stakeholder Map

    Output: Categorization of stakeholders and influencers

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Identify the level of support of each stakeholder by answering the following question: how likely is it that your stakeholder would support your initiative/endeavor?
    2. Map your results to the model in your workbook to determine each stakeholder’s category.
    Stakeholder prioritization map with example 'Persons' placed in or across the four quadrants. with The third dimension, 'Level of Support', is color-coded.

    Use the BRM Workbook to map your stakeholders

    Leverage your map to think about how to engage with your stakeholders

    Not all stakeholders are equal, nor can they all be treated the same. Your stakeholder quadrant highlights areas where you may need to engage differently.

    Blockers

    Pay attention to your “blockers,” especially those that appear in the high influence and high interest part of the quadrant. Consider how your engagement with them varies from supporters in this quadrant. Consider what is valuable to these stakeholders and focus your conversations on “what’s in this for them.”

    Neutral & Evangelists

    Stakeholders that are neutral or evangelists do not require as much attention as blockers and supporters, but they still can’t be ignored – especially those who are players (high influence and engagement). Focus on what’s in it for them to move them to become supporters.

    Supporters

    Do not neglect supporters – continue to engage with them to ensure that they remain supporters. Focus on the supporters that are influential and impacted, rather than the “spectators.”

    4.5 Create your engagement plan

    Input: Stakeholder Map/list of stakeholders

    Output: Categorization of stakeholders and influencers

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Leverage the BRM Stakeholder Engagement Plan spreadsheet. List your key stakeholders.
    2. Consider: how do you show value at your current maturity level so that you can gain trust and your relationship can mature? Establish where your relationship lacks maturity, and consider whether you need to engage with them on a more strategic, tactical, or even operational manner.
      • At lower levels of maturity (Table Stakes), focus on service delivery, project delivery, and communication.
      • At mid-level maturity (Influencer/Advocate), focus on business pain points and a deeper knowledge of the business.
      • At higher maturity levels (Value Creator/Innovator), focus on creating value by leading innovative initiatives that drive the business forward.
    3. Review the stakeholder quadrant. Update the frequency of your communication accordingly.
    4. Capture the agenda for your engagements with them.

    Download and use the BRM Stakeholder Engagement Plan

    Your agenda should vary with the maturity of your relationship

    Agenda
    Stakeholder Information Type Meeting Frequency Lower Maturity Mid-Level Maturity Higher Maturity
    VP Strategic Quarterly
    • Summary of current and upcoming projects and initiatives
    • Business pain points for the department
    • Proposed solutions to address business pain points
    • Innovative solutions to improve business processes and drive value for the department and the organization
    Director Strategic, Tactical Monthly
    • Summary of recent and upcoming changes
    • Summary of current and upcoming projects and initiatives
    • Business pain points for the department
    • Proposed business process improvements
    • Current and upcoming project proposals to address business pain points
    • Innovative solutions to help the department achieve its business goals and objectives
    Manager Tactical Monthly
    • Summary of service desk tickets
    • Summary of recent and upcoming changes
    • Summary of current and upcoming projects and initiatives
    • Business pain points for the team
    • Proposed business activity improvements
    • Current and upcoming projects to address business pain points
    • Innovative solutions to help business users perform their daily business activities more effectively and efficiently

    Lower Maturity – Focus on service delivery, project delivery, and communication

    Mid-Level Maturity – Focus on business pain points and a deeper knowledge of the business

    Higher Maturity – Focus on creating value by leading innovative initiatives that drive the business forward

    Stakeholder – Include both IT and business stakeholders at appropriate levels

    Agenda – Manage stakeholders expectations, and clarify how your agenda will progress as the partnership matures

    REASSESS & EMBED

    Assess

    1.1 Define BRM

    1.2 Analyze Satisfaction

    1.3 Assess SWOT

    Situate

    2.1 Create Vision

    2.2 Create the BRM Mission

    2.3 Establish Goals

    Plan

    3.1 Establish Guiding Principles

    3.2 Determine Where BRM Fits

    3.3 Establish BRM Expectations

    3.4 Identify Roles With BRM Responsibilities

    3.5 Align Capabilities

    Implement

    4.1 Brainstorm Sources of Business Value

    4.2 Identify Key Influencers

    4.3 Categorize the Stakeholders

    4.4 Create the Prioritization Map

    4.5 Create Your Engagement Plan

    Reassess & Embed

    5.1 Create Metrics

    5.2 Prioritize Your Projects

    5.3 Create a Portfolio Investment Map

    5.4 Establish Your Annual Plan

    5.5 Build Your Transformation Roadmap

    5.6 Create Your Communication Plan

    Measure your BRM practice success

    • Metrics are powerful because they drive behavior.
    • Metrics are also dangerous because they often lead to unintended negative outcomes.
    • Metrics should be chosen carefully to avoid getting “what you asked for” instead of “what you intended.”

    Stock image of multiple business people running off the end of a pointed finger like lemmings.

    Questions to ask Are your metrics achievable?
    1. What are the leading indicators of BRM effectively supporting the business’ strategic direction?
    2. How are success metrics aligned with the objectives of other functional groups?

    S pecific

    M easurable

    A chievable

    R ealistic

    T ime-bound

    Embedding the BRM practice within your organization must be grounded in achievable outcomes.

    Ensure that the metrics your practice is measured against reflect realistic and tangible business expectations. Overpromising the impact the practice will have can lead to long-term implementation challenges.

    Determine whether your business is satisfied with IT

    Measuring tape.

    1

    Survey your stakeholders to measure improvements in customer satisfaction.

    Leverage the CIO Business Vision on a regular interval – most find that annual assessments drive success.

    Evaluate whether the addition or increased maturity of your BRM practice has improved satisfaction with IT.

    Business satisfaction survey

    • Audience: Business leaders
    • Frequency: Annual
    • Metrics:
      • Overall Satisfaction score
      • Overall Value score
      • Relationship Satisfaction:
        • Understand needs
        • Meet needs
        • Communication
    Two small tables showing example 'Value' and 'Satisfaction' scores.
    Table with a breakdown of the example 'Satisfaction' score, with individual scores for 'Needs', 'Execution', and 'Communication'.

    Check if you’ve met the BRM goals you set out to achieve

    Measuring tape.

    2

    Measure BRM success against the goals for the practice.

    Evaluate whether the BRM practice has helped IT to meet the goals that you’ve established.

    For each of your goals, create metrics to establish how you will know if you’ve been successful. This might be how many or what type of interactions you have with your stakeholders, and/or it could be new connections with internal or external partners.

    Ensure you have established metrics to measure success at your goals.

    Dart board with five darts, each representing a goal, 'Demand Shaping', 'Value Realization', 'Servicing', 'Exploring', and 'Other Goal(s)'.

    5.1 Create metrics

    Input: Goals, The attributes which can align to goal success

    Output: Measurements of success

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Start with a consideration of your goals and objectives.
    2. Identify key aspects that can support confirming if the goal was successful.
    3. For each aspect, develop a method to measure success with a specific measurement.
    4. When creating the KPI consider:
      • How you know if you are achieving your objective (performance)?
      • How frequently will you be measuring this?
      • Are you looking for an increase, decrease, or maintenance of the metric?
    Table with columns 'BRM Goals', 'Measurement', 'KPI', and 'Frequency'.

    Use the BRM Workbook

    Don’t wait all year to find out if you’re on track

    Leverage the below questions to quickly poll your business partners on a more frequent basis.

    Partner instructions:

    Please indicate how much you agree with each of the following statements. Use a scale of 1-5, where 1 is low agreement and 5 indicates strong agreement:

    Demand Shaping: My BRM is at the table and seeks to understand my business. They help me understand IT and helps IT prioritize my needs.

    Exploring: My BRM surfaces new opportunities based on their understanding of my pain points and growth needs. They engage resources with a focus on the value to be delivered.

    Servicing: The BRM obtains an understanding of the services and service levels that are required, clarifies them, and communicates costs and risks.

    Value Harvesting: Focus on value is evident in discussions – the BRM supports IT in ensuring value realization is achieved and tracks value during and beyond deployment.

    Embedding the BRM practice also includes acknowledging the BRM’s part in balancing the IT portfolio

    IT needs to juggle “keeping the lights on” initiatives with those required to add value to the organization.

    Partner with the appropriate resources (Project Management Office, Product Owners, System Owners, and/or others as appropriate within your organization) to ensure that all initiatives focus on value.

    Info-Tech Insight

    Not every organization will balance their portfolio in the same way. Some organizations have higher risk tolerance and so their higher priority goals may require that they accept more risk to potentially reap more returns.

    Stock image of a man juggling business symbols.

    80% of organizations feel their portfolios are dominated by low-value initiatives that do not deliver value to the business. (Source: Stage-Gate International and Product Development Institute, March/April 2009)

    All new requests are not the same; establish a process for intake and manage expectations and IT’s capacity to deliver value.

    Ensure you communicate your process to support new ideas with your stakeholders. They’ll be clear on the steps to bring new initiatives into IT and will understand and be engaged in the process to demonstrate value.

    Flowchart for an example intake process.

    For support creating your intake process, go to Optimize Project Intake, Approval and Prioritization Sample of Info-Tech's Optimize Project Intake, Approval and Prioritization.

    Use value as your criteria to evaluate initiatives

    Work with project managers to ensure that all projects are executed in a way that meets business expectations.

    Sample of Info-Tech’s Project Value Scorecard Development Tool.

    Download Info-Tech’s Project Value Scorecard Development Tool.

    Enter risk/compliance criteria under operational alignment: projects must be aligned with the operational goals of the business and IT.

    Business value matrix.

    Enter these criteria under strategic alignment: projects must be aligned with the strategic goals of the business, customer, and IT.
    Enter financial criteria under financial: projects must realize monetary benefits, in increased revenue or decreased costs, while posing as little risk of cost overrun as possible.
    And don’t forget about feasibility: practical considerations for projects must be taken into account in selecting projects.

    5.2 Prioritize your investments/ projects (optional activity)

    Input: Value criteria

    Output: Prioritized project listing

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Review and edit (if necessary) the criteria on tab 2 the Project Value Scorecard Development Tool.
      Screenshot from tab 2 of Info-Tech’s Project Value Scorecard Development Tool.
    2. Score initiatives and investments on tab 3 using your criteria.
      Screenshot from tab 3 of Info-Tech’s Project Value Scorecard Development Tool.
    Download Info-Tech’s Project Value Scorecard Development Tool.

    Visualize where investments add value through an initiative portfolio map

    An initiative portfolio map is a graphic visualization of strategic initiatives overlaid on a business capability map.

    Leverage the initiative portfolio map to communicate the value of what IT is working on to your stakeholders.

    Info-Tech Insight

    Projects will often impact one or more capabilities. As such, your portfolio map will help you identify cross-dependencies when scaling up or scaling down initiatives.

    Example initiative portfolio map


    Example initiative portfolio map with initiatives in categories like 'Marketing Strategy' and 'Brand Mgmt.'. Certain groups of initiatives have labels detailing when they achieve collectively.

    5.3 Create a portfolio investment map (optional activity)

    Input: Business capability map

    Output: Portfolio investment map

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Build a capability map, outlining the value streams that support your organization’s goals and the high-level capabilities (level 1) that support the value stream (and goals).
      For more support in establishing the capability map, see Document Your Business Architecture.
      Example table for outlining 'Value Streams' and 'Level 1 Capabilities' through 'Goals'.
    2. Identify high-value capabilities for the organization.
    3. What are the projects and initiatives that will address the critical capabilities? Add these under the high-value capabilities.
    4. This process will help you demonstrate how projects align to business goals. Enter your capabilities and projects in Info-Tech’s Initiative Portfolio Map Template.
    Download Info-Tech’s Initiative Portfolio Map Template.

    Establish your annual BRM plan

    To support the BRM capability at your organization, you’ll want to communicate your plan. This will include:
    • Business Feedback and Engagement
      • Engaging with your partners includes meeting with them on a regular basis. Establish this frequency and capture it in your plan. This engagement must include an understanding of their goals and challenges.
      • As Bill Gates said, “We all need people who will give us feedback. That’s how we improve” (Inc.com, 2013). There are various points in the year which will provide you with the opportunity to understand your business partners’ views of IT or the BRM role. List the opportunities to reflect on this feedback in your plan.
    • Business-IT Alignment
      • Bring together the views and perspectives of IT and the business.
      • List the activities that will be required to reflect business goals in IT. These include IT goals, budget, and planning.
    • BRM Improvement
      • The practices put in place to support the BRM practice need to continuously evolve to support a maturing organization. The feedback from stakeholders throughout the organization will provide input into this. Ensure there are activities and time put aside to evaluate the improvements required.
    Stock image of someone discovering a calendar in a jungle with a magnifying glass.

    5.4 Establish your year-in-the-life plan

    Input: Engagement plan, BRM goals

    Output: Annual BRM plan

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Start with your business planning activities – what will you as a BRM be doing as your business establishes their plans and strategies? These could include:
      • Listening and feedback sessions
      • Third-party explorations
    2. Then look at your activities required to integrate within IT – what activities are required to align business directives within your IT groups? Examples can include:
      • Business strategy review
      • Capability map creation
      • Input into the Business-aligned IT strategy
      • IT budget input
    3. What activities are required to continuously improve the BRM role? This may consist of:
      • Feedback discussions with business partners
      • Roadshow with colleagues to communicate and refine the practice
    4. Map these on your annual calendar that can be shared with your colleagues.
    Capture in the BRM Workbook

    Communicate using the Executive Buy-In and Communication Template

    Sample of a slide titled 'BRM Annual Cycle'.

    Sample BRM annual cycle

    Sample BRM annual cycle with row headers 'Business Feedback and Engagement', 'Business-IT Alignment', and 'BRM Improvement' mapped across a Q1 to Q4 timeline with individual tasks in each category.

    5.5 Build your transformation roadmap

    Input: SWOT analysis

    Output: Transformation roadmap

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. Brainstorm and discuss the key enablers that are needed to help promote and ease your BRM program.
    2. Brainstorm and discuss the key blockers (or risks) that may interrupt or derail your BRM program.
    3. Brainstorm mitigation activities for each blocker.
    4. Enablers and mitigation activities can be listed on your transformation roadmap.

    Example:

    Enablers

    • High business engagement and buy-in
    • Supportive BRM leadership
    • Organizational acceptance for change
    • Development process awareness by development teams
    • Collaborative culture
    • Existing tools can be customized for BRM

    Blockers

    • Pockets of management resistance
    • Significant time is required to implement BRM and train resources
    • Geographically distributed resources
    • Difficulty injecting customers in demos

    Mitigation

    • BRM workshop training with all teams and stakeholders to level set expectations
    • Limit the scope for pilot project to allow time to learn
    • Temporarily collocate all resources and acquire virtual communication technology

    Capture in the BRM Workbook

    5.5 Build your transformation roadmap (cont’d)

    1. Roadmap Elements:
      • List the artifacts, changes, or actions needed to implement the new BRM program.
      • For each item, identify how long it will take to implement or change by moving it into the appropriate swim lane. Use timing that makes sense for your organization: Quick Wins, Short Term, and Long Term; Now, Next, and Later; or Q1, Q2, Q3, and Q4.

    Example transformation roadmap with BRM programs arranged in columns 'Now', 'Next (3-6 months)', 'Later (6+ months)', and 'Deferred'.

    Communicate the BRM changes to set your practice up for success

    Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff.

    The change message should:

    • Explain why the change is needed.
    • Summarize what will stay the same.
    • Highlight what will be left behind.
    • Emphasize what is being changed.
    • Explain how change will be implemented.
    • Address how change will affect various roles in the organization.
    • Discuss the staff’s role in making the change successful.
    Five elements of communicating change
    Diagram titled 'COMMUNICATING THE CHANGE' surrounded by useful questions: 'What is the change?', 'What will the role be for each department and individual?', 'Why are we doing it?', 'How long will it take us to do it?', and 'How are we going to go about it?'.
    (Source: The Qualities of Leadership: Leading Change)

    Apply the following communication principles to make your BRM changes relevant to stakeholders

    “We tend to use a lot of jargon in our discussions, and that is a sure fire way to turn people away. We realized the message wasn’t getting out because the audience wasn’t speaking the same language. You have to take it down to the next level and help them understand where the needs are.” (Jeremy Clement, Director of Finance, College of Charleston, Info-Tech Interview, 2018)

    Be Relevant

    • Talk about what matters to the stakeholder. Think: “what’s in it for them?
    • Tailor the details of the message to each stakeholder’s specific concerns.
    • Often we think in processes but stakeholders only care about results: talk in terms of results.

    Be Clear

    • Don’t use jargon.
    • Choice of language is important: “Do you think this is a good idea? I think we could really benefit from your insights and experience here.” Or do you mean: “I think we should do this. I need you to do this to make it happen.”

    Be Concise

    • Keep communication short and to the point so key messages are not lost in the noise.
    • There is a risk of diluting your key message if you include too many other details.

    Be Consistent

    • The core message must be consistent regardless of audience, channel, or medium. A lack of consistency can be interpreted as an attempt at deception. This can hurt credibility and trust.
    • Test your communication with your team or colleagues to obtain feedback before delivering to a broader audience.

    5.6 Create a communications plan tailored to each of your stakeholders

    Input: Prioritized list of stakeholders

    Output: Communication Plan

    Materials: Whiteboard/flip charts (physical or electronic)

    Participants: Team

    1. List stakeholders in order of importance in the first column.
    2. Identify the frequency with which you will communicate to each group.
    3. Determine the scope of the communication:
      • What key information needs to be included in the message to ensure they are informed and on board?
      • Which medium(s) will you use to communicate to that specific group?
    4. Develop a concrete timeline that will be followed to ensure that support is maintained from the key stakeholders.

    Audience

    All BRM Staff

    Purpose

    • Introduce and explain operating model
    • Communicate structural changes

    Communication Type

    • Team Meeting

    Communicator

    CIO

    Timing

    • Sept 1 – Introduce new structure
    • Sept 15 – TBD
    • Sept 29 – TBD

    Related Blueprints

    Business Value
    Service Catalog
    Intake Management
    Sample of Info-Tech's 'Document Your Business Architecture' blueprint.
    Sample of Info-Tech's 'Design and Build a User-Facing Service Catalog' blueprint.
    Sample of Info-Tech's 'Manage Stakeholder Relations' blueprint.
    Sample of Info-Tech's 'Document Business Goals and Capabilities for Your IT Strategy' blueprint.
    Sample of Info-Tech's 'Fix Your IT Culture' blueprint.

    Selected Bibliography

    “Apple Mission and Vision Analysis.” Mission Statement Academy, 23 May 2019. Accessed 5 November 2020.

    Barnes, Aaron. “Business Relationship Manager and Plan Build Run.” BRM Institute, 8 April 2014.

    Barnes, Aaron. “Starting a BRM Team - Business Relationship Management Institute.” BRM Institute, 5 June 2013. Web.

    BRM Institute. “Business Partner Maturity Model.” Member Templates and Examples, Online Campus, n.d. Accessed 3 December 2021.

    BRM Institute. “BRM Assessment Templates and Examples.” Member Templates and Examples, Online Campus, n.d. Accessed 24 November 2021.

    Brusnahan, Jim, et al. “A Perfect Union: BRM and Agile Development and Delivery.” BRM Institute, 8 December 2020. Web.

    Business Relationship Management: The BRMP Guide to the BRM Body of Knowledge. Second printing ed., BRM Institute, 2014.

    Chapman, Chuck. “Building a Culture of Trust - Remote Leadership Institute.” Remote Leadership Institute, 10 August 2021. Accessed 27 January 2022.

    “Coca Cola Mission and Vision Analysis.” Mission Statement Academy, 4 August 2019. Accessed 5 November 2020.

    Colville, Alan. “Shared Vision.” UX Magazine, 31 October 2011. Web.

    Cooper, Robert, G. “Effective Gating: Make product innovation more productive by using gates with teeth.” Stage-Gate International and Product Development Institute, March/April 2009. Web.

    Heller, Martha. “How CIOs Can Make Business Relationship Management (BRM) Work.” CIO, 1 November 2016. Accessed 27 January 2022.

    “How Many Business Relationship Managers Should You Have.” BRM Institute, 20 March 2013. Web.

    Hull, Patrick. “Answer 4 Questions to Get a Great Mission Statement.” Forbes, 10 January 2013. Web.

    Kasperkevic, Jana. “Bill Gates: Good Feedback Is the Key to Improvement.” Inc.com, 17 May 2013. Web.

    Merlyn, Vaughan. “Relationships That Matter to the BRM.” BRM Institute, 19 October 2016. Web.

    “Modernizing IT’s Business Relationship Manager Role.” The Hackett Group, 22 November 2019. Web.

    Monroe, Aaron. “BRMs in a SAFe World...That Is, a Scaled Agile Framework Model.” BRM Institute, 5 January 2021. Web.

    Selected Bibliography

    “Operational, adj." OED Online, Oxford University Press, December 2021. Accessed 29 January 2022.

    Sinek, Simon. “Transcript of ‘How Great Leaders Inspire Action.’” TEDxPuget Sound, September 2009. Accessed 7 November 2020.

    “Strategic, Adj. and n.” OED Online, Oxford University Press, December 2016. Accessed 27 January 2022.

    “Tactical, Adj.” OED Online, Oxford University Press, September 2018. Accessed 27 January 2022.

    “The Qualities of Leadership: Leading Change.” Cornelius & Associates, 23 September 2013. Web.

    “Twice the Business Value in Half the Time: When Agile Methods Meet the Business Relationship Management Role.” BRM Institute, 10 April 2015. Web.

    “Value Streams.” Scaled Agile Framework, 30 June 2020. Web.

    Ward, John. “Delivering Value from Information Systems and Technology Investments: Learning from Success.” Information Systems Research Centre, August 2006. Web.

    Appendix

    • Business Value Drivers
    • Service Blueprint
    • Stakeholder Communications
    • Job Descriptions

    Understand business value drivers for ROI and cost

    Make Money

    This value driver is specifically related to the impact a product or service has on your organization’s ability to show value for the investments. This is usually linked to the value for money for an organization.

    Return on Investment can be derived from:

    • Sustaining or increasing funding.
    • Enabling data monetization.
    • Improving the revenue generation of an existing service.
    • Preventing the loss of a funding stream.

    Be aware of the difference among your products and services that enable a revenue source and those which facilitate the flow of funding.

    Save Money

    This value driver relates to the impact of a product or service on cost and budgetary constraints.

    Reduce costs value can be derived from:

    • Reducing the cost to provide an existing product or service.
    • Replacing a costly product or service with a less costly alternative.
    • Bundling and reusing products or services to reduce overhead.
    • Expanding the use of shared services to generate more value for the cost of existing investment.
    • Reducing costs through improved effectiveness and reduction of waste.

    Budgetary pressures tied to critical strategic priorities may defer or delay implementation of initiatives and revision of existing products and services.

    Understand Business Value Drivers that Enhance Your Services

    Operations

    Some products and services are in place to facilitate and support the structure of the organization. These vary depending on what is important to your organization, but should be assessed in relation to the organizational culture and structure you have identified.

    • Adds or improves effectiveness for a particular service or the process and technology enabling its success.

    Risk and Compliance

    A product or service may be required in order to meet a regulatory requirement. In these cases, you need to be aware of the organizational risk of NOT implementing or maintaining a service in relation to those risks.

    In this case, the product or service is required in order to:

    • Prevent fines.
    • Allow the organization to operate within a specific jurisdiction.
    • Remediate audit gaps.
    • Provide information required to validate compliance.

    Internal Information

    Understanding internal operations is also critical for many organizations. Data captured through your operations provides critical insights that support efficiency, productivity, and many other strategic goals.

    Internal information value can be derived by:

    • Identifying areas of improvement in the development of core offerings.
    • Monitoring and tracking employee behavior and productivity.
    • Monitoring resource levels.
    • Monitoring inventory levels.

    Collaboration and Knowledge Transfer

    Communication is integral and products and services can be the link that ties your organization together.

    In this case, the value generated from products and services can be to:

    • Align different departments and multiple locations.
    • Enable collaboration.
    • Capture trade secrets and facilitate organizational learning.

    Understand Business Value Drivers that Connect the Business to Your Customers

    Policy

    Products and services can also be assessed in relation to whether they enable and support the required policies of the organization. Policies identify and reinforce required processes, organizational culture, and core values.

    Policy value can be derived from:

    • The service or initiative will produce outcomes in line with our core organizational values.
    • It will enable or improve adherence and/or compliance to policies within the organization.

    Customer Relations

    Products and services are often designed to facilitate goals of customer relations; specifically, improve satisfaction, retention, loyalty, etc. This value type is most closely linked to brand management and how a product or service can help execute brand strategy. Customers, in this sense, can also include any stakeholders who consume core offerings.

    Customer satisfaction value can be derived from:

    • Improving the customer experience.
    • Resolving a customer issue or identified pain point.
    • Providing a competitive advantage for your customers.
    • Helping to retain customers or prevent them from leaving.

    Market Information

    Understanding demand and market trends is a core driver for all organizations. Data provided through understanding the ways, times, and reasons that consumers use your services is a key driver for growth and stability.

    Market information value can be achieved when an app:

    • Addresses strategic opportunities or threats identified through analyzing trends.
    • Prevents failures due to lack of capacity to meet demand.
    • Connects resources to external sources to enable learning and growth within the organization.

    Market Share

    Market share represents the percentage of a market or market segment that your business controls. In essence, market share can be viewed as the potential for more or new revenue sources.

    Assess the impact on market share. Does the product or service:

    • Increase your market share?
    • Open access to a new market?
    • Help you maintain your market share?

    Service Blueprint

    Service design involves an examination of the people, process and technology involved in delivering a service to your customers.

    Service blueprinting provides a visual of how these are connected together. It enables you to identify and collaborate on improvements to an existing service.

    The main components of a service blueprint are:

    Customer actions – this anchors the service in the experiences of the customer

    Front-stage – this shows the parts of the service that are visible to the customer

    Back-stage – this is the behind-the-scenes actions necessary to deliver the experience to the customer

    Support processes – this is what’s necessary to deliver the back-stage (and front-stage/customer experience), but is not aligned from a timing perspective (e.g. it doesn’t matter if the fridge is stocked when the order is put in, as long as the supplies are available for the chef to use)

    Example service blueprint with the main components listed above as row headers.

    Physical Evidence and Time are blueprint components can be added in to provide additional context & support

    Example service blueprint with the main components plus added components 'Physical Evidence' and 'Time'.

    Stakeholder Communications

    Personalize
    • “What’s in it for me” & Persona development – understanding what the concerns are from the community that you will want to communicate about
    • Get to know the cultures of each persona to identify how they communicate. For the faculty, Teams might not be the answer, but faculty meetings might be, or sending messages via email. Each persona group may have unique/different needs
    • Meet them “where they are”: Be prepared to provide 5-minute updates (with “what’s in it for me” and personas in mind) at department meetings in cases where other communications (Teams etc.) aren’t reaching the community
    • Review the business vision diagnostic report to understand what’s important to each community group and what their concerns are with IT. Definitely review the comments that users have written.
    Show Proof
    • Share success stories tailored to users needs – e.g. if they have a concern with security, and IT implemented a new secure system to better meet their needs, then telling them about the success is helpful – shows that you’re listening and have responded to meet their concerns. Demonstrates how interacting with IT has led to positive results. People can more easily relate to stories

    Reference
    • Consider establishing a repository (private/unlisted YouTube channel, Teams, etc.) so that the community can search to view the tip/trick they need
    • Short videos are great to provide a snippet of the information you want to share
    Responses
    • Engage in 2-way communications – it’s about the messages IT wants to convey AND the messages you want them to convey to you. This helps to ensure that your messages aren’t just heard but are understood/resonate.
    • Let people know how they should communicate with IT – whether it’s engaging through Teams, via email to a particular address, or through in person sessions
    Test & Learn
    • Be prepared to experiment with the content and mediums, and use analytics to assess the results. For example if videos are posted on a site like SharePoint that already has analytics functionality, you can capture the number of views to determine how much they are viewed
    Multiple Mediums
    • Use a combination of one-on-one interviews/meetings and focus groups to obtain feedback. You may want to start with some of the respondents who provided comments on surveys/diagnostics

    BRM Job Descriptions

    Download the Job Descriptions:

    Cyber Resilience Report 2018

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    "The cyber threat landscape today is highly complex and rapidly changing. Cyber security incidents can have several impacts on organizations and society, both on a physical and non-physical level. Through the use of a computer, criminals can indeed cause IT outages, supply chain disruptions and other physical security incidents"

    -- excerpt from the foreword of the BCI Cyber resilience report 2018 by David Thorp, Executive Director, BCI

    There are a number of things you can do to protect yourself. And they range, as usual, from the fairly simple to the more elaborate and esoteric. Most companies can, with some common sense, if not close the door on most of these issues, at least prepare themselves to limit the consequences.

    Register to read more …

    2020 Applications Priorities Report

    • Buy Link or Shortcode: {j2store}159|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Although IT may have time to look at trends, it does not have the capacity to analyze the trends and turn them into initiatives.
    • IT does not have time to parse trends for initiatives that are relevant to them.
    • The business complains that if IT does not pursue trends the organization will get left behind by cutting-edge competitors. At the same time, when IT pursues trends, the business feels that IT is unable to deal with the basic issues.

    Our Advice

    Critical Insight

    • Take advantage of a trend by first understanding why it is happening and how it is actionable. Build momentum now. Breaking a trend into bite-sized initiatives and building them into your IT foundations enables the organization to maintain pace with competitors and make the technological leap.
    • The concepts of shadow IT and governance are critical. As it becomes easier for the business to purchase its own applications, it will be essential for IT to embrace this form of user empowerment. With a diminished focus on vendor selection, IT will drive the most value by directing its energy toward data and integration governance.

    Impact and Result

    • Determine how to explore, adopt, and optimize the technology and practice initiatives in this report by understanding which core objective(s) each initiative serves:
      • Optimize the effectiveness of the IT organization.
      • Boost the productivity of the enterprise.
      • Enable business growth through technology.

    2020 Applications Priorities Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief for a summary of the priorities and themes that an IT organization should focus on this year.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read the 2020 Applications Priorities Report

    Use Info-Tech's 2020 Applications Priorities Report to learn about the five initiatives that IT should prioritize for the coming year.

    • 2020 Applications Priorities Report Storyboard
    [infographic]

    Staff the Service Desk to Meet Demand

    • Buy Link or Shortcode: {j2store}490|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $1,900 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • With increasing complexity of support and demand on service desks, staff are often left feeling overwhelmed and struggling to keep up with ticket volume, resulting in long resolution times and frustrated end users.
    • However, it’s not as simple as hiring more staff to keep up with ticket volume. IT managers must have the data to support their case for increasing resources or even maintaining their current resources in an environment where many executives are looking to reduce headcount.
    • Without changing resources to match demand, IT managers will need to determine how to maximize the use of their resources to deliver better service.

    Our Advice

    Critical Insight

    • IT managers are stuck with the difficult task of determining the right number of service desk resources to meet demand to executives who perceive the service desk to be already effective.
    • Service desk managers often don’t have accurate historical data and metrics to justify their headcount, or don’t know where to start to find the data they need.
    • They often then fall prey to the common misperception that there is an industry standard ratio of the ideal number of service desk analysts to users. IT leaders who rely on staffing ratios or industry benchmarks fail to take into account the complexity of their own organization and may make inaccurate resourcing decisions.

    Impact and Result

    • There’s no magic, one-size-fits-all ratio to tell you how many service desk staff you need based on your user base alone. There are many factors that come into play, including the complexity of your environment, user profiles, ticket volume and trends, and maturity and efficiency of your processes.
    • If you don’t have historical data to help inform resourcing needs, start tracking ticket volume trends now so that you can forecast future needs.
    • If your data suggests you don’t need more staff, look to other ways to maximize your time and resources to deliver more efficient service.

    Staff the Service Desk to Meet Demand Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize service desk staffing, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine environment and operating model

    Define your business and IT environment, service desk operating model, and existing challenges to inform objectives.

    • Service Desk Staffing Stakeholder Presentation

    2. Determine staffing needs

    Understand why service desk staffing estimates should be based on your unique workload, then complete the Staffing Calculator to estimate your needs.

    • Service Desk Staffing Calculator

    3. Interpret data to plan approach

    Review workload over time to analyze trends and better inform your overall resourcing needs, then plan your next steps to optimize staffing.

    [infographic]

    It wasn't me

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk

    You heard the message before, and yet....  and yet it does not sink in.

    In july 2019 already, according to retruster:

    • The average financial cost of a data breach is $3.86m (IBM)
    • Phishing accounts for 90% of data breaches
    • 15% of people successfully phished will be targeted at least one more time within the year
    • BEC scams accounted for over $12 billion in losses (FBI)
    • Phishing attempts have grown 65% in the last year
    • Around 1.5m new phishing sites are created each month (Webroot)
    • 76% of businesses reported being a victim of a phishing attack in the last year
    • 30% of phishing messages get opened by targeted users (Verizon)

    This is ... this means we, as risk professionals may be delivering our messsage the wrong way. So, I really enjoyed my colleague Nick Felix (who got it from Alison Francis) sending me the URL of this video: Enjoy, but mostly: learn, because we want our children to enjoy the fruits of our work.

    Register to read more …

    Endpoint Management Selection Guide

    • Buy Link or Shortcode: {j2store}65|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    Endpoint management solutions are becoming an essential solution: Deploying the right devices and applications to the right user and the need for zero-touch provisioning are indispensable parts of a holistic strategy for improving customer experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

    Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering a concrete business value.

    Our Advice

    Critical Insight

    Investigate vendors’ roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements, without any unnecessary investment in features that are not currently useful for you. Make sure you don’t purchase capabilities that you will never use.

    Impact and Result

    • Determine what you require from an endpoint management solution.
    • Review the market space and product offerings, and compare capabilities of key players.
    • Create a use case and use top-level requirements to determine use cases and shortlist vendors.
    • Conduct a formal process for interviewing vendors using Info-Tech’s templates to select the best platform for your requirements.

    Endpoint Management Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Endpoint Management Selection Guide Storyboard – A structured guide to walk you through the endpoint management market.

    This storyboard will help you understand endpoint management solution core capabilities and prepare you to select an appropriate tool.

    • Endpoint Management Selection Guide Storyboard

    2. UEM Requirements Workbook – A template to help you build your first draft of requirements for UEM selection.

    Use this spreadsheet to brainstorm use cases and features to satisfy your requirements. This document will be help you score solutions and narrow down the field to a list of candidates who can meet your requirements.

    • UEM Requirements Workbook
    [infographic]

    Further reading

    Endpoint Management Selection Guide

    Streamline your organizational approach to selecting a right-sized endpoint management platform.

    Endpoint Management Selection Guide

    Streamline your organizational approach toward the selection of a right-sized endpoint management platform.

    EXECUTIVE BRIEF

    Analyst Perspective

    Revolutionize your endpoint management with a proper tool selection approach

    The endpoint management market has an ever-expanding and highly competitive landscape. The market has undergone tremendous evolution in past years, from device management to application deployments and security management. The COVID-19 pandemic forced organizations to service employees and end users remotely while making sure corporate data is safe and user satisfaction doesn't get negatively affected. In the meantime, vendors were forced to leverage technology enhancements to satisfy such requirements.

    That being said, endpoint management solutions have become more complex, with many options to manage operating systems and run applications for relevant user groups. With the work-from-anywhere model, customer support is even more important than before, as a remote workforce may face more issues than before, or enterprises may want to ensure more compliance with policies.

    Moreover, the market has become more complex, with lots of added capabilities. Some features may not be beneficial to corporations, and with a poor market validation, businesses may end up paying for some capabilities that are not useful.

    In this blueprint, we help you quickly define your requirements for endpoint management and narrow down a list to find the solutions that fulfill your use cases.

    An image of Mahmoud Ramin, PhD

    Mahmoud Ramin, PhD
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Endpoint management solutions are becoming increasingly essential – deploying the right devices and applications to the right users and zero-touch provisioning are indispensable parts of a holistic strategy for improving customers' experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

    Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering concrete business value.

    Common Obstacles

    Despite the importance of selecting the right endpoint management platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner. There are many options available, which can cause business and IT leaders to feel lost.

    The endpoint management market is evolving quickly, making the selection process tedious. On top of that, IT has a hard time defining their needs and aligning solution features with their requirements.

    Info-Tech's Approach

    Determine what you require from an endpoint management solution.

    Review the market space and product offerings, and compare the capabilities of key players.

    Create a use case – use top-level requirements to determine use cases and short-list vendors.

    Conduct a formal process for interviewing vendors, using Info-Tech's templates to select the best platform for your requirements.

    Info-Tech Insight

    Investigate vendors' roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements without any unnecessary investment in features that are not currently useful for you. Make sure you don't purchase capabilities that you will never use.

    What are endpoint management platforms?

    Our definition: Endpoint management solutions are platforms that enable IT with appropriate provisioning, security, monitoring, and updating endpoints to ensure that they are in good health. Typical examples of endpoints are laptops, computers, wearable devices, tablets, smart phones, servers, and the Internet of Things (IoT).

    First, understand differences between mobile management solutions

    • Endpoint management solutions monitor and control the status of endpoints. They help IT manage and control their environment and provide top-notch customer service.
    • These solutions ensure a seamless and efficient problem management, software updates and remediations in a secure environment.
    • Endpoint management solutions have evolved very quickly to satisfy IT and user needs:
    • Mobile Device Management (MDM) helps with controlling features of a device.
    • Enterprise Mobile Management (EMM) controls everything in a device.
    • Unified Endpoint Management (UEM) manages all endpoints.

    Endpoint management includes:

    • Device management
    • Device configuration
    • Device monitoring
    • Device security

    Info-Tech Insight

    As endpoint management encompasses a broad range of solution categories including MDM, EMM, and UEM, look for your real requirements. Don't pay for something that you won't end up using.

    As UEM covers all of MDM and EMM capabilities, we overview market trends of UEM in this blueprint to give you an overall view of market in this space.

    Your challenge: Endpoint management has evolved significantly over the past few years, which makes software selection overwhelming

    An mage showing endpoint management visualzed as positions on an iceberg. at the top is UEM, at the midpoint above the waterline is Enterprise Mobile Management, and below the water is Mobile Device Management.

    Additional challenges occur in securing endpoints

    A rise in the number of attacks on cloud services creates a need to leverage endpoint management solutions

    MarketsandMarkets predicted that global cloud infrastructure services would increase from US$73 billion in 2019 to US$166.6 billion in 2024 (2019).

    A study by the Ponemon Institute showed that 68% of respondents believe that security attacks increased over the past 12 months (2020).

    The study reveals that over half of IT security professionals who participated in the survey believe that organizations are not very efficient in securing their endpoints, mainly because they're not efficient in detecting attacks.

    IT professionals would like to link endpoint management and security platforms to unify visibility and control, to determine potential risks to endpoints, and to manage them in a single solution.

    Businesses will continue to be compromised by the vulnerabilities of cloud services, which pose a challenge to organizations trying to maintain control of their data.

    Trends in endpoint management have been undergoing a tremendous change

    In 2020, about 5.2 million users subscribed to mobile services, and smartphones accounted for 65% of connections. This will increase to 80% by 2025.
    Source: Fortune Business Insights, 2021

    Info-Tech's methodology for selecting a right-sized endpoint management platform

    1. Understand Core Features and Build Your Use Case

    2. Discover the Endpoint Management Market Space and Select the Right Vendor

    Phase Steps

    1. Define endpoint management platforms
    2. Explore endpoint management trends
    3. Classify table stakes & differentiating capabilities
    4. Streamline the requirements elicitation process for a new endpoint management platform
    1. Discover key players across the vendor landscape
    2. Engage the shortlist and select finalists
    3. Prepare for implementation

    Phase Outcomes

    1. Consensus on scope of endpoint management and key endpoint management platform capabilities
    2. Top-level use cases and requirements
    1. Overview of shortlisted vendors
    2. Prioritized list of UEM features

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2

    Call #1: Understand what an endpoint management platform is and learn how it evolved. Discuss core capabilities and key trends.
    Call #2: Build a use case and define features to fulfill the use case.

    Call #3: Define your core endpoint management platform requirements.
    Call #4: Evaluate the endpoint management platform vendor landscape and shortlist viable options.
    Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The endpoint management purchase process should be broken into segments:

    1. Endpoint management vendor shortlisting with this buyer's guide
    2. Structured approach to selection
    3. Contract review

    Info-Tech's approach

    The Info-Tech difference:
    Analyze needs

    Evaluate solutions

    Determine where you need to improve the tools and processes used to support the company.

    Determine the best fit for your needs by scoring against features.

    Assess existing solution

    Features

    Determine if your solution can be upgraded or easily updated to meet your needs.

    Determine which features will be key to your success

    Create a business case for change

    Use Cases

    A two-part business case will focus on a need to change and use cases and requirements to bring stakeholders onboard.

    Create use cases to ensure your needs are met as you evaluate features

    Improve existing

    High-Level Requirements

    Work with Info-Tech's analysts to determine next steps to improve your process and make better use of the features you have available.

    Use the high-level requirements to determine use cases and shortlist vendors

    Complementary research:

    Create a quick business case and requirements document to align stakeholders to your vision with Info-Tech's Rapid Application Selection Framework.
    See what your peers are saying about these vendors at SoftwareReviews.com.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Phase 1

    Understand core features and build your business case

    Phase 1

    Phase 2

    Define endpoint management platforms

    Explore endpoint management trends

    Classify table stakes & differentiating capabilities

    Streamline the requirements elicitation process for a new endpoint management platform

    Discover key players across the vendor landscape

    Engage the shortlist and select finalist

    Prepare for implementation

    This phase will walk you through the following activity:

    Define use cases and core features for meeting business and technical goals

    This phase involves the following participants:

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    Mobile Device Management

    Enterprise Mobile Management

    MDM applies security over corporate-owned devices.

    What is MDM and what can you do with it?

    1. MDM helps manage and control corporate owned devices.
    2. You can enforce company policies, track, monitor, and lock device remotely by an MDM.
    3. MDM helps with remote wiping of the device when it is lost or stolen.
    4. You can avoid unsecure Wi-Fi connections via MDM.

    EMM solutions solve the restrictions arose with BYOD (Bring Your Own Device) and COPE (Corporate Owned, Personally Enabled) provisioning models.

    • IT needs to secure corporate-owned data without compromising personal and private data. MDM cannot fulfill this requirement. This led to the development of EMM solutions.
    • EMM tools allow you to manage multiple device platforms through MDM protocols. These tools enforce security settings, allow you to push apps to managed devices, and monitor patch compliance through reporting.

    MDM solutions function at the level of corporate devices. Something else was needed to enable personal device management.

    Major components of EMM solutions

    Mobile Application Management (MAM)

    Allows organizations to control individual applications and their associated data. It restricts malicious apps and enables in-depth application management, configuration, and removal.

    Containerization

    Enables separation of work-related data from private data. It provides encrypted containers on personal devices to separate the data, providing security on personal devices while maintaining users' personal data.

    Mobile Content Management (MCM)

    Helps remote distribution, control, management, and access to corporate data.

    Mobile Security Management (MSM)

    Provides application and data security on devices. It enables application analysis and auditing. IT can use MSM to provide strong passwords to applications, restrict unwanted applications, and protect devices from unsecure websites by blacklisting them.

    Mobile Expense Management (MEM)

    Enables mobile data communication expenses auditing. It can also set data limits and restrict network connections on devices.

    Identity Management

    Sets role-based access to corporate data. It also controls how different roles can use data, improving application and data security. Multifactor authentication can be enforced through the identity management featured of an EMM solution.

    Unified endpoint management: Control all endpoints in a single pane of glass

    IT admins used to provide customer service such as installation, upgrades, patches, and account administration via desktop support. IT support is not on physical assistance over end users' desktops anymore.

    The rise of BYOD enhanced the need to be able to control sensitive data outside corporate network connection on all endpoints, which was beyond the capability of MDM and EMM solutions.

    • It's now almost impossible for IT to be everywhere to support customers.
    • This created a need to conduct tasks simultaneously from one single place.
    • UEM enables IT to run, manage, and control endpoints from one place, while ensuring that device health and security remain uncompromised.
    • UEM combines features of MDM and EMM while extending EMM's capabilities to all endpoints, including computers, laptops, tablets, phones, printers, wearables, and IoT.

    Info-Tech Insight

    Organizations once needed to worry about company connectivity assets such as computers and laptops. To manage them, traditional client management tools like Microsoft Configuration Manager would be enough.

    With the increase in the work-from-anywhere model, it is very hard to control, manage, and monitor devices that are not connected to a VPN. UEM solutions enable IT to tackle this challenge and have full visibility into and management of any device.

    UEM platforms help with saving costs and increasing efficiency

    UEM helps corporates save on their investments as it consolidates use-case management in a single console. Businesses don't need to invest in different device and application management solutions.

    From the employee perspective, UEM enables them to work on their own devices while enforcing security on their personal data.

    • Security and privacy are very important criteria for organizations. With the rapid growth of the work-from-anywhere model, corporate security is a huge concern for companies.
    • Working from home has forced companies to invest a lot in data security, which has led to high UEM demand. UEM solutions streamline security management by consolidating device management in a single platform.
    • With the fourth-generation industrial revolution, we're experiencing a significant rise in the use of IoT devices. UEM solutions are very critical for managing, configuring, and securing these devices.
    • There will be a huge increase in cyber threats due to automation, IoT, and cloud services. The pandemic has sped up the adoption of such services, forcing businesses to rethink their enterprise mobility strategies. They are now more cautious about security risks and remediations. Businesses need UEM to simplify device management on multiple endpoints.
    • With UEM, IT environment management gets more granular, while giving IT better visibility on devices and applications.

    UEM streamlines mundane admin tasks and simplifies user issues.

    Even with a COPE or COBO provisioning model, without any IT intervention, users can decide on when to install relevant updates. It also may lead to shadow IT.

    Endpoint management, and UEM more specifically, enables IT to enforce administration over user devices, whether they are corporate or personally owned. This is enabled without interfering with private/personal data.

    Where it's going: The future state of UEM

    Despite the fast evolution of the UEM market, many organizations do not move as fast as technological capabilities. Although over half of all organizations have at least one UEM solution, they may not have a good strategy or policies to maximize the value of technology (Tech Orchard, 2022). As opposed to such organizations, there are others that use UEM to transform their endpoint management strategy and move service management to the next level. That integration between endpoint management and service management is a developing trend (Ivanti, 2021).

    • SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. Further, the pandemic saw 47% of organizations significantly increase their use of BYOD (Cybersecurity Insiders, 2021).
    • Over 2022, 78% of people worked remotely for at least some amount of time during the week (Tech Orchard, 2022).
    • 84% of organizations believe that cybersecurity threat alarms are becoming very overwhelming, and almost half of companies believe that the best way to tackle this is through consolidating platforms so that everything will be visible and manageable through a single pane of glass (Cybersecurity Insiders, 2022).
    • The UEM market was worth $3.39 billion in 2020. It is expected to reach $53.65 billion by 2030, with an annual growth rate of 31.7% (Datamation, 2022). This demonstrates how dependent IT is becoming on endpoint management solutions.

    An image of a donut chart showing the current state of UEM Strategy.

    Only 27% of organizations have "fully deployed" UEM "with easy management across all endpoints"
    Source: IT Pro Today, 2018.

    Endpoint Management Key Trends

    • Commoditization of endpoint management features. Although their focus is the same, some UEM solutions have unique features.
    • New endpoint management paradigms have emerged. Endpoint management has evolved from client management tools (CMT) and MDM into UEM, also known as "modern management" (Ivanti, 2022).
    • One pane of glass for the entire end-user experience. Endpoint management vendors are integrating their solution into their ITSM, ITOM, digital workspace, and security products.
    • AI-powered insights. UEM tools collect data on endpoints and user behavior. Vendors are using their data to differentiate themselves: Products offer threat reports, automated compliance workflows, and user experience insights. The UEM market is ultimately working toward autonomous endpoint management (Microsoft, 2022).
    • Web apps and cloud storage are the new normal. Less data is stored locally. Fewer apps need to be patched on the device. Apps can be accessed on different devices more easily. However, data can more easily be accessed on BYOD and on new operating systems like Chrome OS.
    • Lighter device provisioning tools. Instead of managing thick images, UEM tools use lighter provisioning packages. Once set up, Autopilot and UEM device enrollment should take less time to manage than thick images.
    • UEM controls built around SaaS. Web apps and the cloud allow access from any device, even unmanaged BYOD. UEM tools allow IT to apply the right level of control for the situation – mobile application management, mobile content management, or mobile device management.
    • Work-from-anywhere and 5G result in more devices outside of your firewalls. Cloud-based management tools are not limited by your VPN connection and can scale up more easily than traditional, on-prem tools.

    Understand endpoint management table stakes features

    Determine high-level use cases to help you narrow down to specific features

    Support the organization's operating systems:
    Many UEM vendors support the most dominant operating systems, Windows and Mac; however, they are usually stronger in one particular OS than the other. For instance, Intune supports both Windows and Mac, although there are some drawbacks with MacOS management by Intune. Conversely, Jamf is mainly for MacOS and iOS management. Enterprises look to satisfy their end users' needs. The more UEM vendors support different systems, the more likely enterprises will pick them. Although, as mentioned, in some instances, enterprises may need to select more than one option, depending on their requirements.

    Support BYOD and remote environments:
    With the impact of the pandemic on work model, 60-70% of workforce would like to have more flexibility for working remotely (Ivanti, 2022). BYOD is becoming the default, and SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. As BYOD can boost productivity (Samsung Insights, 2016), you may be interested in how your prospective UEM solution will enable this capability with remote wipe (corporate wipe capability vs. wiping the whole device), data and device tracking, and user activity auditing.

    Understand endpoint management table stakes features

    Determine high-level use cases to help you narrow down to specific features

    Integration with the enterprise's IT products:
    To get everything in a single platform and to generate better metrics and dashboards, vendors provide integrations with ticketing and monitoring solutions. Many large vendors have strong integrations with multiple ITSM and ITAM platforms to streamline incident management, request management, asset management, and patch management.

    Support security and compliance policies:
    With the significant boost in work-from-anywhere, companies would like to enable endpoint security more than ever. This includes device threat detection, malware detection, anti-phishing, and more. All UEMs provide these, although the big difference between them is how well they enable security and compliance, and how flexible they are when it comes to giving conditional access to certain data.

    Provide a fully automated vs manual deployment:
    Employees want to get their devices faster, IT wants to deploy devices faster, and businesses want to enable employees faster to get them onboard sooner. UEMs have the capability to provide automated and manual deployment. However, the choice of solution depends on enterprise's infrastructure and policies. Full automation of deployment is very applicable for corporate devices, while it may not be a good option for personally owned devices. Define your user groups and provisioning models, and make sure your candidate vendors satisfy requirements.

    Plan a proper UEM selection according to your requirements

    1. Identify IT governance, policy, and process maturity
      Tools cannot compensate for your bad processes. You should improve deploying and provisioning processes before rolling out a UEM. Automation of a bad process only wraps the process in a nicer package – it does not fix the problem.
      Refer to InfoTech's Modernize and Transform Your End-User Computing Strategy for more information on improving endpoint management procedures.
    2. Consider supported operating systems, cloud services, and network infrastructure in your organization
      Most UEMs support all dominant operating systems, but some solutions have stronger capability for managing a certain OS over the other.
    3. Define enterprise security requirements
      Investigate security levels, policies, and requirements to align with the security features you're expecting in a UEM.
    4. Selection and implementation of a UEM depends on use case. Select a vendor that supports your use cases
      Identify use cases specific to your industry.
      For example, UEM use cases in Healthcare:
      • Secure EMR
      • Enforce HIPAA compliance
      • Secure communications
      • Enable shared device deployment

    Activity: Define use cases and core features for meeting business and technical goals

    1-2 hours

    1. Brainstorm with your colleagues to discuss your challenges with endpoint management.
    2. Identify how these challenges are impacting your ability to meet your goals for managing and controlling endpoints.
    3. Define high-level goals you wish to achieve in the first year and in the longer term.
    4. Identify the use cases that will support your overall goals.
    5. Document use cases in the UEM Requirements Workbook.

    Input

    • List of challenges and goals

    Output

    • Use cases to be used for determining requirements

    Materials

    • Whiteboard/flip charts
    • Laptop to record output

    Participants

    • CIO
    • IT manager
    • Infrastructure & Applications directors

    Download the UEM Requirements Workbook

    Phase 2

    Discover the endpoint management market space and select the right vendor

    Phase 1

    Phase 2

    Define endpoint management platforms

    Explore endpoint management trends

    Classify table stakes & differentiating capabilities

    Streamline the requirements elicitation process for a new endpoint management platform

    Discover key players across the vendor landscape

    Engage the shortlist and select finalist

    Prepare for implementation

    This phase will walk you through the following activity:
    Define top-level features for meeting business and technical goals
    This phase involves the following participants:

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    • Project managers

    Elicit and prioritize granular requirements for your endpoint management platform

    Understanding business needs through requirements gathering is the key to defining everything about what is
    being purchased. However, it is an area where people often make critical mistakes.

    Risks of poorly scoped requirements

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of confusing and inconsistent detail in the requirements.
    • Drill down all the way to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are "obvious."

    Best practices

    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Review Info-Tech's blueprint Improve Requirements Gathering to improve your requirements gathering process.

    Consider the perspective of each stakeholder to ensure functionality needs are met

    Best of breed vs. "good enough" is an important discussion and will feed your success

    Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

    • Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where "good enough" is an acceptable state.
    • Consider the implications of implementation and all use cases of:
      • Buying an all-in-one solution.
      • Integration of multiple best-of-breed solutions.
      • Customizing features that were not built into a solution.
    • Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional endpoint management solutions.

    Pros and Cons

    An image showing the pros and cons of building vs buying

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews
    A screenshot of softwareReviews Data Quadrant analyis.. A screenshot of softwareReviews Emotonal Fotprint analyis
    • evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.
    • Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
    • The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.
    • Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology.
    With the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    Get to Know the Key Players in the Endpoint Management Landscape

    The following slides provide a top-level overview of the popular players you will encounter in the endpoint management shortlisting process in alphabetical order.

    A screenshot showing a series of logos for the companies addressed later in this blueprint. It includes: Ciso; Meraki; Citrix; IBM MaaS360; Ivanti; Jamf|Pro; ManageEngine Endpoint Central; Microsoft Endpoint Manager, and VMWARE.

    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF, and NPS scores are pulled from live data as of January 2023.

    Secure business units and enhance connection by simplifying the digital workplace

    A good option for enterprises that want a single-pane-of-glass UEM that is easy to use, with a modern-looking dashboard, high threat-management capability, and high-quality customer support.

    CISCO Meraki

    Est. 1984 | CA, USA | NASDAQ: CSCO

    8.8

    9.1

    +92

    91%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    This is a Screenshot of CISCO Meraki's dashboard.

    Screenshot of CISCO Meraki's dashboard. Source: Cisco

    Strengths:

    Areas to improve:

    • Cisco Meraki offers granular control over what users can and cannot use.
    • The system is user friendly and intuitive, with a variety of features.
    • The anti-malware capability enhances security.
    • Users are very satisfied with being able to control everything in a single platform.
    • System configuration is easy.
    • Vendor relationship is very high with a rate of 96%.
    • System setup is easy, and users don't need much experience for initial configuration of devices.
    • Users are also mostly satisfied with the platform design.
    • Monitoring within the tool is easy.
    • According to SoftwareReviews' survey report, the primary reason for leaving Cisco Meraki and switching over to another vendor is functionality.
    • Regardless of the top-notch offerings and high-quality features, the product is relatively expensive. The quality and price factors make the solution a better fit for large enterprises. However, SoftwareReviews' scorecard for Cisco Meraki shows that small organizations are the most satisfied compared to the medium and large enterprises, with a net promoter score of 81%.

    Transform work experience and support every endpoint with a unified view to ensure users are productive

    A tool that enables you to access corporate resources on personal devices. It is adaptable to your budget. SoftwareReviews reports that 75% of organizations have received a discount at initial purchase or renewal, which makes it a good candidate if looking for a negotiable option.

    Citrix Endpoint Management

    Est. 1989 | TX, USA | Private

    7.9

    8.0

    8.0

    83%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Citrix Endpoint Management's dashboard.

    Screenshot of Citrix Endpoint Management's dashboard. Source: Citrix

    Strengths:

    Areas to improve:

    • Citrix Endpoint Management is a cloud-centric, easy-to-use UEM with an upgradable interface.
    • The solution simplifies endpoint management and provides real-time visibility and notifications.
    • Citrix allows deployments on different operating systems to meet organizations' infrastructure requirements.
    • The vendor offers different licenses and pricing models, allowing businesses of different sizes to use the tool based on their budgets and requirements.
    • Some users believe that integration with external applications should be improved.
    • Deployment is not very intuitive, making implementation process challenging.
    • User may experience some lagging while opening applications on Citrix. Application is even a bit slower when using a mobile device.

    Scale remote users, enable BYOD, and drive a zero-trust strategy with IBM's modern UEM solution

    A perfect option to boost cybersecurity. Remote administration and installation are made very easy and intuitive on the platform. It is very user friendly, making implementation straightforward. It comes with four licensing options: Essential, Deluxe, Premier, and Enterprise. Check IBM's website for information on pricing and offerings.

    IBM MaaS360

    Est. 1911 | NY, USA | NYSE: IBM

    7.7

    8.4

    +86

    76%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of IBM MaaS360's dashboard.

    Screenshot of IBM MaaS360's dashboard. Source: IBM

    Strengths:

    Areas to improve:

    • IBM MaaS360 is easy to install and implement.
    • It has different pricing models to fit enterprises' needs.
    • MaaS360 is compatible with different operating systems.
    • Security management is one of the strongest features, making the tool perfect for organizations that want to improve cybersecurity.
    • Vendor support is very effective, and users find knowledge articles very helpful.
    • It has a very intuitive dashboard.
    • The tool can control organizational data, allowing you to apply BYOD policy.
    • AI Advisor with Watson provides AI-driven reporting and insights.
    • Working with iOS may not be as intuitive as other operating systems.
    • Adding or removing users in a user group is not very straightforward.
    • Some capabilities are limited to particular Android or iOS devices.
    • Deploying application packages may be a bit difficult.
    • Hardware deployment may need some manual work and is not fully automated.

    Get complete device visibility from asset discovery to lifecycle management and remediation

    A powerful tool for patch management with a great user interface. You can automate patching and improve cybersecurity, while having complete visibility into devices. According to SoftwareReviews, 100% of survey participants plan to renew their contract with Ivanti.

    Ivanti Neurons

    Est. 1985 | CA, USA | Private

    8.0

    8.0

    +81

    83%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Ivanti Neurons UEM's dashboard.

    Screenshot of Ivanti Neurons UEM's dashboard. Source: Ivanti

    Strengths:

    Areas to improve:

    • The tool is intuitive and user friendly.
    • It's a powerful security management platform, supporting multiple operating systems.
    • Ivanti Neurons is very strong in patch management and inventory management. It helps a seamless application deployment.
    • Users can install their applications via Ivanti's portal.
    • The user interface is very powerful and easy to use.
    • AI-augmented process management automates protocols, streamlining device management and application updates.
    • Vendor is very efficient in training and provides free webinars.
    • Data integration is very easy. According to SoftwareReviews, it had a satisfaction score for ease of data integration of 86%, which makes Ivanti the top solution for this capability.
    • Data analytics is powerful but complicated.
    • Setup is easy for some teams but not as easy for others, which may cause delays for implementation.
    • Software monitoring is not as good as other competitors.

    Improve your end-user productivity and transform enterprise Apple devices

    An Apple-focused UEM with a great interface. Jamf can manage and control macOS and iOS, and it is one of the best options for Apple products, according to users' sentiments. However, it may not be a one-stop solution if you want to manage non-Apple products as well. In this case, you can use Jamf in addition to another UEM. Jamf has some integrations with Microsoft, but it may not be sufficient if you want to fully manage Windows endpoints.

    Jamf PRO

    Est. 2002 | MN, USA | NASDAQ: JAMF

    8.8

    8.7

    +87

    95%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Jamf PRO's dashboard.

    Screenshot of Jamf PRO's dashboard. Source: Jamf

    Strengths:

    Areas to improve:

    • Jamf Pro is a unique product with an easy implementation that enables IT with minimum admin intervention.
    • It can create smart groups (based on MDM profile and user group) to automatically assign users to their pertinent apps and updates.
    • It's a very user-friendly tool, conducting device management in fewer steps than other competitors.
    • Reports are totally customizable and dynamic.
    • Notifications are easy to navigate and monitor.
    • Self-service feature enables end users to download their predefined categories of applications in the App Store.
    • It can apply single sign-on integrations to streamline user access to applications.
    • Businesses can personalize the tool with corporate logos.
    • Vendor does great for customer service when problems arise.
    • It is a costly tool relative to other competitors, pushing prospects to consider other products.
    • The learning process may be long and not easy, especially if admins do not script, or it's their first time using a UEM.

    Apply automation of traditional desktop management, software deployment, endpoint security, and patch management

    A strong choice for patch management, software deployment, asset management, and security management. There is a free version of the tool available to try get an understanding of the platform before purchasing a higher tier of the product.

    ManageEngine Endpoint Central

    Est. 1996 | India | Private

    8.3

    8.3

    +81

    88%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of ME Endpoint Central's dashboard.

    Screenshot of ME Endpoint Central's dashboard. Source: ManageEngine

    Strengths:

    Areas to improve:

    • It supports several operating systems including Windows, Mac, Linux, Android, and iOS.
    • Endpoint Central provides end-to-end monitoring, asset management, and security in a single platform.
    • Setup is simple and intuitive, and it's easy to learn and configure.
    • The reporting feature is very useful and gives you clear visibility into dashboard.
    • Combined with ME Service Desk Plus, we can call Endpoint Central an all-in-one solution.
    • The tool provides a real-time report on devices and tracks their health status.
    • It has multiple integrations with third-party solutions.
    • Tool does not automate updates, making application updates time-consuming.
    • Sometimes, patches and software deployments fail, and the tool doesn't provide any information on the reason for the failure.
    • There is no single point of contact/account manager for the clients when they have trouble with the tool.
    • Remote connection to Android devices can sometimes get a little tedious.

    Get device management and security in a single platform with a combination of Microsoft Intune and Configuration Manager

    A solution that combines Intune and ConfigMgr's capabilities into a single endpoint management suite for enrolling, managing, monitoring, and securing endpoints. It's a very cost-effective solution for enterprises in the Microsoft ecosystem, but it also supports other operating systems.

    Microsoft Endpoint Manager

    Est. 1975 | NM, USA | NASDAQ: MSFT

    8.0

    8.5

    +83

    85%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of MS Endpoint Manager's dashboard.

    Screenshot of MS Endpoint Manager's dashboard. Source: Microsoft

    Strengths:

    Areas to improve:

    • Licensing for the enterprises that use Windows as their primary operating system is more efficient and cost effective.
    • Endpoint Manager is very customizable, with the ability to assign personas to device groups.
    • Besides Windows, it manages other operating systems, such as Linux, Android, and iOS.
    • It creates endpoint security and compliance policies for BitLocker that streamlines data protection and security. It also provides SSO.
    • It provides very strong documentation and knowledgebase.
    • User interface is not as good as competitors. It's a bit clunky and complex to use.
    • The process of changing configurations on devices can be time consuming.
    • Sometimes there are service outages such as Autopilot failure, which push IT to deploy manually.
    • Location tracking is not very accurate.

    Simplify and consolidate endpoint management into a single solution and secure all devices with real-time, "over-the-air" modern management across all use cases

    A strong tool for managing and controlling mobile devices. It can access all profiles through Google and Apple, and it integrates with various IT management solutions.

    VMware Workspace ONE

    Est. 1998 | CA, USA | NYSE: VMW

    7.5

    7.4

    +71

    75%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Workspace ONE's dashboard.

    Screenshot of Workspace ONE's dashboard. Source: VMware

    Strengths:

    Areas to improve:

    • Workspace ONE provides lots of information about devices.
    • It provides a large list of integrations.
    • The solution supports various operating systems.
    • The platform has many out-of-the-box features and helps with security management, asset management, and application management.
    • The vendor has a community forum which users find helpful for resolving issues or asking questions about the solution.
    • It is very simple to use and provides SSO capability.
    • Implementation is relatively easy and straightforward.
    • Customization may be tricky and require expertise.
    • The solution can be more user friendly with a better UI.
    • Because of intensive processing, updates to applications take a long time.
    • The tool may sometimes be very sensitive and lock devices.
    • Analytics and reporting may need improvement.

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements
    2. Checking out SoftwareReviews
    3. Shortlisting your vendors
    4. Conducting demos and detailed proposal reviews
    5. Selecting and contracting with a finalist!

    Activity: Define high-level features for meeting business and technical goals

    Input

    • List of endpoint management use cases
    • List of prioritized features

    Output

    • Vendor evaluation
    • Final list of candidate vendors

    Materials

    • Whiteboard/flip charts
    • Laptop
    • UEM Requirements Workbook

    Participants

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    • Project managers

    Activity: Define top-level features for meeting business and technical goals

    As there are many solutions in the market that share capabilities, it is imperative to closely evaluate how well they fulfill your endpoint management requirements.
    Use the UEM Requirements Workbook to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    1. Refer to the output of the previous activity, the identified use cases in the spreadsheet.
    2. List the features you want in an endpoint solution for your devices that will fulfill these use cases. Record those features in the second column ("Detailed Feature").
    3. Prioritize each feature (must have, should have, nice to have, not required).
    4. Send this list to candidate vendors.
    5. When you finish your investigation, review the spreadsheet to compare the various offerings and pros and cons of each solution.

    Info-Tech Insight

    The output of this activity can be used for a detailed evaluation of UEM vendors. The next steps will be vendor briefing and having further discussion on technical capabilities and conducting demos of solutions. Info-Tech's blueprint, The Rapid Application Selection Framework, takes you to these next steps.

    This is a screenshot showing the high value use cases table from The Rapid Application Selection Framework.

    Download the UEM Requirements Workbook

    Leverage Info-Tech's research to plan and execute your endpoint management selection and implementation

    Use Info-Tech Research Group's blueprints for selection and implementation processes to guide your own planning.

    • Assess
    • Prepare
    • Govern & Course Correct

    This is a screenshot of the title pages from INfo-tech's Governance and management of enterprise Software Implementaton; and The Rapid Applicaton Selection Framework.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity because communication can break down more easily. This can be mitigated by:

    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.

    • Role Clarity: Having a clear definition of what everyone's role is.

    Implementation with a partner typically results in higher satisfaction

    Align your implementation plans with both the complexity of the solution and internal skill levels

    Be clear and realistic in your requirements to the vendor about the level of involvement you need to be successful.

    Primary reasons to use a vendor:

    • Lack of skilled resources: For solutions with little configuration change happening after the initial installation, the ramp-up time for an individual to build skills for a single event is not practical.
    • Complexity of solution: Multiple integrations, configurations, modules, and even acquisitions that haven't been fully integrated in the solution you choose can make it difficult to complete the installation and rollout on time and on budget. Troubleshooting becomes even more complex if multiple vendors are involved.
    • Data migration: Decide what information will be valuable to transfer to the new solution and which will not benefit your organization. Data structure and residency can both be factors in the complexity of this exercise.

    This is an image of a bar graph showing the Satisfaction Net Promotor Score by Implementation type and Organization Size.

    Source: SoftwareReviews, January 2020 to January 2023, N= 20,024 unique reviews

    To ensure your SOW is mutually beneficial, download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable.

    Consider running a proof of concept if concerns are expressed about the feasibility of the chosen solution

    Proofs of concept (PoCs) can be time consuming, so make good choices on where to spend the effort

    Create a PoC charter that will enable a quick evaluation of the defined use cases and functions. These key dimensions should form the PoC.

    1. Objective – Giving an overview of the planned PoC will help to focus and clarify the rest of this section. What must the PoC achieve? Objectives should be specific, measurable, attainable, relevant, and time bound. Outline and track key performance indicators.
    2. Key Success Factors – These are conditions that will positively impact the PoC's success.
    3. Scope – High-level statement of scope. More specifically, state what is in scope and what is out of scope.
    4. Project Team – Identify the team's structure, e.g. sponsors, subject matter experts.
    5. Resource Estimation – Identify what resources (time, materials, space, tools, expertise, etc.) will be needed to build and socialize your prototype. How will they be secured?

    An image of two screenshots from Info-Tech Research Group showing documentaton used to generate effective proof of concepts.

    To create a full proof of concept plan, download the Proof of Concept Template and see the instructions in Phase 3 of the blueprint Exploit Disruptive Infrastructure Technology.

    Selecting a right-sized endpoint management platform

    This selection guide allows organizations to execute a structured methodology for picking a UEM platform that aligns with their needs. This includes:

    • Identifying and prioritizing key business and technology drivers for an endpoint management selection business case.
    • Defining key use cases and requirements for a right-sized UEM platform.
    • Reviewing a comprehensive market scan of key players in the UEM marketspace.

    This formal UEM selection initiative will map out requirements and identify technology capabilities to fill the gap for better endpoint management. It also allows a formal roll-out of a UEM platform that is highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information

    workshops@infotech.com
    1-888-670-8889

    Summary of Accomplishment

    Knowledge Gained

    • What endpoint management is
    • Historical origins and evolution of endpoint management platforms
    • Current trends and future state of endpoint management platforms

    Processes Optimized

    • Identifying use cases
    • Gathering requirements
    • Reviewing market key players and their capabilities
    • Selecting a UEM tool that fulfills your requirements

    UEM Solutions Analyzed

    • CISCO Meraki
    • Citrix Endpoint Management
    • IBM MaaS360
    • Ivanti Neurons UEM
    • Jamf Pro
    • ManageEngine Endpoint Central
    • Microsoft Endpoint Manager
    • VMware Workspace ONE

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Best Unified Endpoint Management (UEM) Software | SoftwareReviews

    Compare and evaluate Unified Endpoint Management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best Unified Endpoint Management software for your organization.

    The Rapid Application Selection Framework

    This blueprint walks you through a process for a fast and efficient selection of your prospective application. You will be enabled to use a data-driven approach to select the right application vendor for your needs, shatter stakeholder expectations with truly rapid application selections, boost collaboration and crush the broken telephone with concise and effective stakeholder meetings, and lock in hard savings.

    Bibliography

    "BYOD Security Report." Cybersecurity Insiders, 2021. Accessed January 2023.
    "Cloud Infrastructure Services Market." MarketsAnd Markets, 2019. Accessed December 2022.
    Evans, Alma. "Mastering Mobility Management: MDM Vs. EMM Vs. UEM." Hexnode, 2019. Accessed November 2022.
    "Evercore-ISI Quarterly Enterprise Technology Spending Survey." Evercore-ISI, 2022. Accessed January 2023.
    "5G Service Revenue to Reach $315 Billion Globally in 2023." Jupiter Research, 2022. Accessed January 2023.
    Hein, Daniel. "5 Common Unified Endpoint Management Use Cases You Need to Know." Solutions Review, 2020. Accessed January 2023.
    "Mobile Device Management Market Size, Share & COVID-19 Impact Analysis." Fortune Business Insights, 2021. Accessed December 2022.
    Ot, Anina. "The Unified Endpoint Management (UEM) Market." Datamation, 14 Apr. 2022. Accessed Jan. 2023.
    Poje, Phil. "CEO Corner: 4 Trends in Unified Endpoint Management for 2023." Tech Orchard, 2022. Accessed January 2023.
    "The Future of UEM November 2021 Webinar." Ivanti, 2021. Accessed January 2023.
    "The Third Annual Study on the State of Endpoint Security Risk." Ponemon Institute, 2020. Accessed December 2022.
    "The Ultimate Guide to Unified Endpoint Management (UEM)." MobileIron. Accessed January 2023.
    "Trends in Unified Endpoint Management." It Pro Today, 2018. Accessed January 2023.
    Turek, Melanie. "Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research." Samsung Insights, 3 Aug. 2016.
    "2023 State of Security Report." Cybersecurity Insiders, 2022. Accessed January 2023.
    Violino, Bob. "Enterprise Mobility 2022: UEM Adds User Experience, AI, Automation." Computerworld, 2022. Accessed January 2023.
    Violino, Bob. "How to Choose the Right UEM Platform." Computerworld, 2021. Accessed January 2023.
    Violino, Bob. "UEM Vendor Comparison Chart 2022." Computerworld, 2022. Accessed January 2023.
    Wallent, Michael. "5 Endpoint Management Predictions for 2023." Microsoft, 2022. Accessed January 2023.
    "What Is the Difference Between MDM, EMM, and UEM?" 42Gears, 2017. Accessed November 2022.

    Create an Agile-Friendly Project Gating and Governance Approach

    • Buy Link or Shortcode: {j2store}162|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $33,499 Average $ Saved
    • member rating average days saved: 57 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Organizations often apply gating and governance to IT projects to ensure resources are being used efficiently and effectively.
    • Agile project teams often complain that traditional project gating and governance interfere with their ability to delivery because traditional gating and governance were designed for Waterfall delivery methods.

    Our Advice

    Critical Insight

    Imposing a traditional gating and governance approach on an Agile project can eliminate the advantages that Agile delivery methods offer. Make sure to rework your traditional project gating and governance approach to be Agile friendly.

    Impact and Result

    • Create a project gating and governance approach that is Agile friendly and helps your organization realize the most benefit from its Agile transformation.
    • Oversee your Agile projects with confidence by adjusting the level of support and oversight they receive based on their Agilometer score.
    • Define a revised set of project gating artifacts that support Agile delivery methods.
    • Adopt a “trust but verify” approach to Agile project gating that will reduce risk and help ensure value delivery.

    Create an Agile-Friendly Project Gating and Governance Approach Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create an Agile-Friendly Project Gating and Governance Approach Deck – A step-by-step guide to creating an Agile-friendly project gating and governance approach that will support Agile delivery methods in your organization.

    This deck is a guide to creating your own Agile-friendly project gating and governance approach using Info-Tech’s Agile Gating Framework.

    • Create an Agile-Friendly Project Gating and Governance Approach – Phases 1-3

    2. Your Gates 3 and 3A Checklists – The Gates 3 and 3A Checklists are used to determine when a project is ready to enter and exit the Risk Reduction & Value Confirmation phase.

    Modify Info-Tech’s Gates 3 and 3A Checklists to meet your organization’s needs, and then use them to determine when Agile projects are ready to enter and exit the RRVC phase.

    • Gates 3 and 3A Checklists

    3. Your Agilometer – The Agilometer is used to determine a project’s readiness to use an Agile delivery method.

    Modify Info-Tech’s Agilometer to meet your organization’s needs, and then use it to determine the level of support and oversight the project will need.

    • Agilometer

    4. Your Agile Project Status Report – An Agile Status Report will be used to monitor project progress.

    Modify Info-Tech’s Agile Project Status Report to meet your organization’s needs, and then use it to monitor in-flight Agile projects.

    • Agile Project Status Report

    5. Project Burndown Chart – A tool to let you monitor project burndown over time.

    Use Info-Tech’s Project Burndown Chart to monitor the progress of your in-flight Agile projects.

    • Project Burndown Chart

    6. Traditional to Agile Gating Artifact Mapping – A tool to help you rework your project gating artifacts to be Agile-friendly.

    Use Info-Tech’s Traditional to Agile Gating Artifact Mapping tool to modify your gating artifacts for Agile projects.

    • Traditional to Agile Gating Artifact Mapping
    [infographic]

    Further reading

    Create an Agile-Friendly Project Gating and Governance Approach

    Use Info-Tech’s Agile Gating Framework as a guide to gating your Agile projects using a “trust but verify” approach.

    Table of Contents

    Analyst Perspective

    Executive Summary

    Phase 1: Establish Your Gating and Governance Purpose

    Phase 2: Understand and Adapt Info-Tech’s Agile Gating Framework

    Phase 3: Complete Your Agile Gating Framework

    Where Do I Go Next?

    Bibliography

    Facilitator Slides

    Analyst Perspective

    Make your gating and governance process Agile friendly by following a “trust but verify” approach

    Most project gating and governance approaches are designed for traditional (Waterfall) delivery methods. However, Agile delivery methods call for a different way of working that doesn’t align well with these approaches.

    Applying traditional project gating and governance to Agile projects is like trying to fit a square peg in a round hole. Not only will it make Agile project delivery less efficient, but in the extreme, it can lead to outright project failure and even derail your organization’s Agile transformation.

    If you want Agile to successfully take root in your organization, be prepared to rethink your current gating and governance practices. This document presents a framework that you can use to rework your approach to provide both effective oversight and support for your Agile projects.

    Photo of Alex Ciraco, Principal Research Director, Application Delivery and Management, Info-Tech Research Group. Alex Ciraco
    Principal Research Director,
    Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • Many government organizations are adopting Agile project delivery methods because they have proven to be more effective than traditional delivery approaches at responding to today’s fast pace of change.
    • Government organizations have an obligation to govern projects to ensure effective use of public resources, regardless of the delivery method being used.
    Common Obstacles
    • Most government gating and governance frameworks were designed around traditional (often called “Waterfall”) delivery methods.
    • Agile and Waterfall work in completely different ways, so imposing traditional gating and governance frameworks on Agile projects will stifle progress and can even lead to project failure.
    • Government organizations must adjust their gating and governance frameworks to accommodate Agile delivery methods.
    Info-Tech’s Approach
    • Begin by understanding the fundamental purpose of project gating and governance.
    • Next, understand the major differences between Agile and Waterfall delivery methods.
    • Then, armed with this knowledge, use Info-Tech’s Agile Gating Framework to redefine your gating and governance approach to be Agile friendly.
    Info-Tech Insight

    Imposing a traditional governance approach on an Agile project can eliminate the advantages that Agile delivery methods offer. Make sure to rework your project gating and governance approach to be Agile friendly.

    Info-Tech’s methodology for Creating an Agile-Friendly Project Gating and Governance Approach

    1. Establish Your Gating and Governance Purpose 2. Understand and Adapt Info-Tech’s Agile Gating Framework 3. Complete your Agile Gating Framework
    Phase Steps

    1.1 Understand How We Gate and Govern Projects

    1.2 Compare Traditional to Agile Delivery

    1.3 Realize What Traditional Gating Looks Like and Why

    2.1 Understand How Agile Manages Risk and Ensures Value Delivery

    2.2 Introducing Info-Tech’s Agile Gating Framework

    2.3 Create Your Agilometer

    2.4 Create an Agile-Friendly Project Status Report

    2.5 Select Your Agile Health Check Tool

    3.1 Map Your Traditional Gating Artifacts to Agile Delivery

    3.2 Determine Your Now, Next, Later Roadmap for Implementation

    Phase Outcomes
    1. Your gating/governance purpose statement
    2. A fundamental understanding of the difference between traditional and Agile delivery methods.
    1. An understanding of Info-Tech’s Agile Gating Framework
    2. Your Gates 3 and 3A checklists
    3. Your Agilometer tool
    4. Your Agile project status report template
    5. Your Agile health check tool
    1. Artifact map for your Agile gating framework
    2. Roadmap for Agile gating implementation

    Key Deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals, including:

    Agilometer Tool

    Create your customized Agilometer tool to determine project support and oversight needs.
    Sample of the 'Agilometer Tool' deliverable.

    Gates 3 and 3A Checklists

    Create your customized checklists for projects at Gates 3 and 3A.
    Sample of the 'Gates 3 and 3A Checklists' deliverable.

    Agile-Friendly Project Status Report

    Create your Agile-friendly project status report to monitor progress.
    Sample of the 'Agile-Friendly Project Status Report' deliverable.

    Artifact Mapping Tool

    Map your traditional gating artifacts to their Agile replacements.
    Sample of the 'Artifact Mapping Tool' deliverable.

    Create an Agile-Friendly Project Gating and Governance Approach

    Phase 1

    Establish your gating and governance purpose

    Phase 1

    1.1 Understand How We Gate and Govern Projects

    1.2 Compare Traditional to Agile Delivery

    1.3 Realize What Traditional Gating Looks Like And Why

    Phase 2

    2.1 Understand How Agile Manages Risk and Ensures Value Delivery

    2.2 Introducing Info-Tech’s Agile Gating Framework

    2.3 Create Your Agilometer

    2.4 Create Your Agile-Friendly Project Status Report

    2.5 Select Your Agile Health Check Tool

    Phase 3

    3.1 Map Your Traditional Gating Artifacts to Agile Delivery

    3.2 Determine Your Now, Next, Later Roadmap for Implementation

    This phase will walk you through the following activities:

    • Understand why gating and governance are so important to your organization.
    • Compare and contrast traditional to Agile delivery.
    • Identify what form traditional gating takes in your organization.

    This phase involves the following participants:

    • PMO/Gating Body
    • Delivery Managers
    • Delivery Teams
    • Other Interested Parties

    Agile gating–related facts and figures

    73% of organizations created their project gating framework before adopting or considering Agile delivery practices. (Athens Journal of Technology and Engineering)

    71% of survey respondents felt an Agile-friendly gating approach improves both productivity and product quality. (Athens Journal of Technology and Engineering)

    Moving to an Agile-friendly gating approach has many benefits:
    • Faster response to change
    • Improved productivity
    • Higher team morale
    • Better product quality
    • Faster releases
    (Journal of Product Innovation Management)

    Traditional gating approaches can undermine an Agile project

    • Most existing gating and governance frameworks (often referred to as phase-gate) impose requirements on projects that are anti-patterns to an Agile delivery approach
    • For example, any gating approach that requires a project to deliver a detailed requirements document before coding can begin will make it difficult or impossible for the project to use an Agile delivery method.
    • The same can be said for other common phase-gate requirements including:
      • Imposing a formal (and onerous) change control process on project requirements.
      • Requiring a detailed design document and/or detailed user acceptance test plan at the beginning of the project.
      • Asking the project to produce a detailed project plan.
    (DZone)
    Don’t make the mistake of asking an Agile project to follow a traditional phase-gate approach to project delivery!

    Before reworking your gating approach, you need to consider two important questions

    Answering these questions will help guide your new gating process to both be Agile friendly and meet your organization’s needs

    1. What is the fundamental purpose of gating? By examining the fundamental purpose of gating, you will be better able to adjust your approach to achieve the desired outcomes in an Agile context.
    2. How does Agile delivery differ from traditional? By understanding how Agile delivery differs from traditional, you will be better able to adjust your gating approach to support Agile delivery methods.

    Stock image of speech bubbles hanging on string with a question mark and lightbulb drawn on them.

    Design and Build an Effective Contract Lifecycle Management Process

    • Buy Link or Shortcode: {j2store}214|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $5,039 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Your vendor contracts are unorganized and held in various cabinets and network shares. There is no consolidated list or view of all the agreements, and some are misplaced or lost as coworkers leave.
    • The contract process takes a long time to complete. Coworkers are unsure who should be reviewing and approving them.
    • You are concerned that you are not getting favorable terms with your vendors and not complying with your agreement commitments.
    • You are unsure what risks your organization could be exposed to in your IT vendor contacts. These could be financial, legal, or security risks and/or compliance requirements.

    Our Advice

    Critical Insight

    • Focus on what’s best for you. There are two phases to CLM. All stages within those phases are important, but choose to improve the phase that can be most beneficial to your organization in the short term. However, be sure to include reviewing risk and monitoring compliance.
    • Educate yourself. Understand the stages of CLM and how each step can rely on the previous one, like a stepping-stone model to success.
    • Consider the overall picture. Contract lifecycle management is the sum of many processes designed to manage contracts end to end while reducing corporate risk, improving financial savings, and managing agreement obligations. It can take time to get CLM organized and working efficiently, but then it will show its ROI and continuously improve.

    Impact and Result

    • Understand how to identify and mitigate risk to save the organization time and money.
    • Gain the knowledge required to implement a CLM that will be beneficial to all business units.
    • Achieve measurable savings in contract time processing, financial risk avoidance, and dollar savings.
    • Effectively review, store, manage, comply with, and renew agreements with a collaborative process

    Design and Build an Effective Contract Lifecycle Management Process Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a contract management system will save money and time and mitigate contract risk, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Master the operational framework of contract lifecycle management.

    Understand how the basic operational framework of CLM will ensure cost savings, improved collaboration, and constant CLM improvement.

    • Design and Build an Effective Contract Lifecycle Management Process – Phase 1: Master the Operational Framework of CLM
    • Existing CLM Process Worksheet
    • Contract Manager

    2. Understand the ten stages of contract lifecycle management.

    Understand the two phases of CLM and the ten stages that make up the entire process.

    • Design and Build an Effective Contract Lifecycle Management Process – Phase 2: Understand the Ten Stages of CLM
    • CLM Maturity Assessment Tool
    • CLM RASCI Diagram
    [infographic]

    Workshop: Design and Build an Effective Contract Lifecycle Management Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Your CLM Process and Learn the Basics

    The Purpose

    Identify current CLM processes.

    Learn the CLM operational framework.

    Key Benefits Achieved

    Documented overview of current processes and stakeholders.

    Activities

    1.1 Review and capture your current process.

    1.2 Identify current stakeholders.

    1.3 Learn the operational framework of CLM.

    1.4 Identify current process gaps.

    Outputs

    Existing CLM Process Worksheet

    2 Learn More and Plan

    The Purpose

    Dive into the two phases of CLM and the ten stages of a robust system.

    Key Benefits Achieved

    A deep understanding of the required components/stages of a CLM system.

    Activities

    2.1 Understand the two phases of CLM.

    2.2 Learn the ten stages of CLM.

    2.3 Assess your CLM maturity state.

    2.4 Identify and assign stakeholders.

    Outputs

    CLM Maturity Assessment

    CLM RASCI Diagram

    Further reading

    Design and Build an Effective Contract Lifecycle Management Process

    Mitigate risk and drive value through robust best practices for contract lifecycle management.

    Our understanding of the problem

    This Research Is Designed For:

    • The CIO who depends on numerous key vendors for services
    • The CIO or Project Manager who wants to maximize the value delivered by vendors
    • The Director or Manager of an existing IT procurement or vendor management team
    • The Contracts Manager or Legal Counsel whose IT department holds responsibility for contracts, negotiation, and administration

    This Research Will Help You:

    • Implement and streamline the contract management process, policies, and procedures
    • Baseline and benchmark existing contract processes
    • Understand the importance and value of contract lifecycle management (CLM)
    • Minimize risk, save time, and maximize savings with vendor contracts

    This Research Will Also Assist

    • IT Service Managers
    • IT Procurement
    • Contract teams
    • Finance and Legal departments
    • Senior IT leadership

    This Research Will Help Them

    • Understand the required components of a CLM
    • Establish the current CLM maturity level
    • Implement a new CLM process
    • Improve on an existing or disparate process

    ANALYST PERSPECTIVE

    "Contract lifecycle management (CLM) is a vital process for small and enterprise organizations alike. Research shows that all organizations can benefit from a contract management process, whether they have as few as 25 contracts or especially if they have contracts numbering in the hundreds.

    A CLM system will:

    • Save valuable time in the entire cycle of contract/agreement processes.
    • Save the organization money, both hard and soft dollars.
    • Mitigate risk to the organization.
    • Avoid loss of revenue.

    If you’re not managing your contracts, you aren’t capitalizing on your investment with your vendors and are potentially exposing your organization to contract and monetary risk."

    - Ted Walker
    Principal Research Advisor, Vendor Management Practice
    Info-Tech Research Group

    Executive Summary

    Situation

    • Most organizations have vendor overload and even worse, no defined process to manage the associated contracts and agreements. To manage contracts, some vendor management offices (VMOs) use a shared network drive to store the contracts and a spreadsheet to catalog and manage them. Yet other less-mature VMOs may just rely on a file cabinet in Procurement and a reminder in someone’s calendar about renewals. These disparate processes likely cost your organization time spent finding, managing, and renewing contracts, not to mention potential increases in vendor costs and risk and the inability to track contract obligations.

    Complication

    • Contract lifecycle management (CLM) is not an IT buzzword, and it’s rarely on the top-ten list of CIO concerns in most annual surveys. Until a VMO gets to a level of maturity that can fully develop a CLM and afford the time and costs of doing so, there can be several challenges to developing even the basic processes required to store, manage, and renew IT vendor contracts. As is always an issue in IT, budget is one of the biggest obstacles in implementing a standard CLM process. Until senior leadership realizes that a CLM process can save time, money, and risk, getting mindshare and funding commitment will remain a challenge.

    Resolution

    • Understand the immediate benefits of a CLM process – even a basic CLM implementation can provide significant cost savings to the organization; reduce time spent on creating, negotiating, and renewing contracts; and help identify and mitigate risks within your vendor contracts.
    • Budgets don’t always need to be a barrier to a standard CLM process. However, a robust CLM system can provide significant savings to the organization.

    Info-Tech Insight

    • If you aren’t managing your contracts, you aren’t capitalizing on your investments.
    • Even a basic CLM process with efficient procedures will provide savings and benefits.
    • Not having a CLM process may be costing your organization money, time, and exposure to unmitigated risk.

    What you can gain from this blueprint

    Why Create a CLM

    • Improved contract organization
    • Centralized and manageable storage/archives
    • Improved vendor compliance
    • Risk mitigation
    • Reduced potential loss of revenue

    Knowledge Gained

    • Understanding of the value and importance of a CLM
    • How CLM can impact many departments within the organization
    • Who should be involved in the CLM steps and processes
    • Why a CLM is important to your organization
    • How to save time and money by maximizing IT vendor contracts
    • How basic CLM policies and procedures can be implemented without costly software expenditure

    The Outcome

    • A foundation for a CLM with best-practice processes
    • Reduced exposure to potential risks within vendor contracts
    • Maximized savings with primary vendors
    • Vendor compliance and corporate governance
    • Collaboration, transparency, and integration with business units

    Contract management: A case study

    CASE STUDY
    Industry Finance and Banking
    Source Apttus

    FIS Global

    The Challenge

    FIS’ business groups were isolated across the organization and used different agreements, making contract creation a long, difficult, and manual process.

    • Customers frustrated by slow and complicated contracting process
    • Manual contract creation and approval processes
    • Sensitive contract data that lacked secure storage
    • Multiple agreements managed across divisions
    • Lack of central repository for past contracts
    • Inconsistent and inaccessible

    The Solution: Automating and Streamlining the Contract Management Process

    A robust CLM system solved FIS’ various contract management needs while also providing a solution that could expand into full quote-to cash in the future.

    • Contract lifecycle management (CLM)
    • Intelligent workflow approvals (IWA)
    • X-Author for Excel

    Customer Results

    • 75% cycle time reduction
    • $1M saved in admin costs per year
    • 49% increase in sales proposal volume
    • Automation on one standard platform and solution
    • 55% stronger compliance management
    • Easy maintenance for various templates
    • Ability to quickly absorb new contracts and processes via FIS’s ongoing acquisitions

    Track the impact of CLM with these metrics

    Dollars Saved

    Upfront dollars saved

    • Potential dollars saved from avoiding unfavorable terms and conditions
    • Incentives that encourage the vendor to act in the customer’s best interest
    • Secured commitments to provide specified products and services at firm prices
    • Cost savings related to audits, penalties, and back support
    • Savings from discounts found

    Time Saved

    Time saved, which can be done in several areas

    • Defined and automated approval flow process
    • Preapproved contract templates with corporate terms
    • Reduced negotiation times
    • Locate contracts in minutes

    Pitfalls Avoided

    Number of pitfalls found and avoided, such as

    • Auto-renewal
    • Inconsistencies between sections and documents
    • Security and data not being deleted upon termination
    • Improper licensing

    The numbers are compelling

    71%

    of companies can’t locate up to 10% of their contracts.

    Source: TechnologyAdvice, 2019

    9.2%

    of companies’ annual revenue is lost because of poor contract management practices.

    Source: IACCM, 2019

    60%

    still track contracts in shared drives or email folders.

    Source: “State of Contract Management,” SpringCM, 2018

    CLM blueprint objectives

    • To provide a best-practice process for managing IT vendor contract lifecycles through a framework that organizes from the core, analyzes each step in the cycle, has collaboration and governance attached to each step, and integrates with established vendor management practices within your organization.
    • CLM doesn’t have to be an expensive managed database system in the cloud with fancy dashboards. As long as you have a defined process that has the framework steps and is followed by the organization, this will provide basic CLM and save the organization time and money over a short period of time.
    • This blueprint will not delve into the many vendors or providers of CLM solutions and their methodologies. However, we will discuss briefly how to use our framework and contract stages in evaluating a potential solution that you may be considering.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Design and Build an Effective CLM Process – project overview

    1. Master the Operational Framework

    2. Understand the Ten Stages of CLM

    Best-Practice Toolkit

    1.1 Understand the operational framework components.

    1.2 Review your current framework.

    1.3 Create a plan to implement or enhance existing processes.

    2.1 Understand the ten stages of CLM.

    2.2 Review and document your current processes.

    2.3 Review RASCI chart and assign internal ownership.

    2.4 Create an improvement plan.

    2.5 Track changes for measurable ROI.

    Guided Implementations
    • Review existing processes.
    • Understand what CLM is and why the framework is essential.
    • Create an implementation or improvement plan.
    • Review the ten stages of CLM.
    • Complete CLM Maturity Assessment.
    • Create a plan to target improvement.
    • Track progress to measure savings.
    Onsite Workshop

    Module 1: Review and Learn the Basics

    • Review and capture your current processes.
    • Learn the basic operational framework of contract management.

    Module 2 Results:

    • Understand the ten stages of effective CLM.
    • Create an improvement or implementation plan.
    Phase 1 Outcome:
    • A full understanding of what makes a comprehensive contract management system.
    Phase 2 Outcome:
    • A full understanding of your current CLM processes and where to focus your efforts for improvement or implementation.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2
    Activities

    Task – Review and Learn the Basics

    Task – Learn More and Plan

    1.1 Review and capture your current process.

    1.2 Identify current stakeholders.

    1.3 Learn the operational framework of contract lifecycle management.

    1.4 Identify current process gaps.

    2.1 Understand the two phases of CLM.

    2.2 Learn the ten stages of CLM.

    2.3 Assess your CLM maturity.

    2.4 Identify and assign stakeholders.

    2.5 Discuss ROI.

    2.6 Summarize and next steps.

    Deliverables
    1. Internal interviews with business units
    2. Existing CLM Process Worksheet
    1. CLM Maturity Assessment
    2. RASCI Diagram
    3. Improvement Action Plan

    PHASE 1

    Master the Operational Framework of Contract Lifecycle Management

    Design and Build an Effective CLM Process

    Phase 1: Master the Operational Framework of Contract Lifecycle Management

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of
    2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Master the Operational Framework of Contract Lifecycle Management
    Proposed Time to Completion: 1-4 weeks

    Step 1.1: Document your Current CLM Process

    Step 1.2: Read and Understand the Operational Framework

    Step 1.3: Review Solution Options

    Start with an analyst kick-off call:

    • Understand what your current process(es) is for each stage
    • Do a probative review of any current processes
    • Interview stakeholders for input

    Review findings with analyst:

    • Discuss the importance of the framework as the core of your plan
    • Review the gaps in your existing process
    • Understand how to prioritize next steps towards a CLM

    Finalize phase deliverable:

    • Establish ownership of the framework
    • Prioritize improvement areas or map out how your new CLM will look

    Then complete these activities…

    • Document the details of your process for each stage of CLM

    With these tools & templates:

    • Existing CLM Process Worksheet

    Phase 1 Results:

    • A full understanding of what makes a comprehensive contract management system.

    What Is Contract Lifecycle Management?

    • Every contract has a lifecycle, from creation to time and usage to expiration. Organizations using a legacy or manual contract management process usually ask, “What is contract lifecycle management and how will it benefit my business?”
    • Contract lifecycle management (CLM) creates a process that manages each contract or agreement. CLM eases the challenges of managing hundreds or even thousands of important business and IT contracts that affect the day-to-day business and could expose the organization to vendor risk.
    • Managing a few contracts is quite easy, but as the number of contracts grows, managing each step for each contract becomes increasingly difficult. Ultimately, it will get to a point where managing contracts properly becomes very difficult or seemingly impossible.

    That’s where contract lifecycle management (CLM) comes in.

    CLM can save money and improve revenue by:

    • Improving accuracy and decreasing errors through standardized contract templates and approved terms and conditions that will reduce repetitive tasks.
    • Securing contracts and processes through centralized software storage, minimizing risk of lost or misplaced contracts due to changes in physical assets like hard drives, network shares, and file cabinets.
    • Using policies and procedures that standardize, organize, track, and optimize IT contracts, eliminating time spent on creation, approvals, errors, and vendor compliance.
    • Reducing the organization’s exposure to risks and liability.
    • Having contracts renewed on time without penalties and with the most favorable terms for the business.

    The Operational Framework of Contract Lifecycle Management

    Four Components of the Operational Framework

    1. Organization
    2. Analysis
    3. Collaboration and Governance
    4. Integration/Vendor Management
    • By organizing at the core of the process and then analyzing each stage, you will maximize each step of the CLM process and ensure long-term contract management for the organization.
    • Collaboration and governance as overarching policies for the system will provide accountability to stakeholders and business units.
    • Integration and vendor management are encompassing features in a well-developed CLM that add visibility, additional value, and savings to the entire organization.

    Info-Tech Best Practice

    Putting a contract manager in place to manage the CLM project will accelerate the improvements and provide faster returns to the organizations. Reference Info-Tech’s Contract Manager Job Description template as needed.

    The operational framework is key to the success, return on investment (ROI), cost savings, and customer satisfaction of a CLM process.

    This image depicts Info-Tech's Operational Framework.  It consists of a series of five concentric circles, with each circle a different colour.  On the outer circle, is the word Integration.  The next outermost circle has the words Collaboration and Governance.  The next circle has no words, the next circle has the word Analysis, and the very centre circle has the word Organization.

    1. Organization

    • Every enterprise needs to organize its contract documents and data in a central repository so that everyone knows where to find the golden source of contractual truth.
    • This includes:
      • A repository for storing and organizing contract documents.
      • A data dictionary for describing the terms and conditions in a consistent, normalized way.
      • A database for persistent data storage.
      • An object model that tracks changes to the contract and its prevailing terms over time.

    Info-Tech Insight

    Paper is still alive and doing very well at slowing down the many stages of the contract process.

    2. Analysis

    Most organizations analyze their contracts in two ways:

    • First, they use reporting, search, and analytics to reveal risky and toxic terms so that appropriate operational strategies can be implemented to eliminate, mitigate, or transfer the risk.
    • Second, they use process analytics to reveal bottlenecks and points of friction as contracts are created, approved, and negotiated.

    3. Collaboration

    • Throughout the contract lifecycle, teams must collaborate on tasks both pre-execution and post-execution.
    • This includes document collaboration among several different departments across an enterprise.
    • The challenge is to make the collaboration smooth and transparent to avoid costly mistakes.
    • For some contracting tasks, especially in regulated industries, a high degree of control is required.
    • In these scenarios, the organization must implement controlled systems that restrict access to certain types of data and processes backed up with robust audit trails.

    4. Integration

    • For complete visibility into operational responsibilities, relationships, and risk, an organization must integrate its golden contract data with other systems of record.
    • An enterprise contracts platform must therefore provide a rich set of APIs and connectors so that information can be pushed into or pulled from systems for enterprise resource planning (ERP), customer relationship management (CRM), supplier relationship management (SRM), document management, etc.

    This is the ultimate goal of a robust contract management system!

    Member Activity: Document Current CLM Processes

    1.1 Completion Time: 1-5 days

    Goal: Document your existing CLM processes (if any) and who owns them, who manages them, etc.

    Instructions

    Interview internal business unit decision makers, stakeholders, Finance, Legal, CIO, VMO, Sales, and/or Procurement to understand what’s currently in place.

    1. Use the Existing CLM Process Worksheet to capture and document current CLM processes.
    2. Establish what processes, procedures, policies, and workflows, if any, are in place for pre-execution (Phase 1) contract stages.
    3. Do the same for post-execution (Phase 2) stages.
    4. Use this worksheet as reference for assessments and as a benchmark for improvement review six to 12 months later.
    This image contains a screenshot of Info-Tech's Existing CLM Process Discovery Worksheet

    INPUT

    • Internal information from all CLM stakeholders

    OUTPUT

    • A summary of processes and owners currently in place

    Materials

    • Existing CLM processes from interviews

    Participants

    • Finance, Legal, CIO, VMO, Sales, Procurement

    PHASE 2

    Understand the Ten Stages of Contract Lifecycle Management

    Design and Build an Effective CLM Process

    Phase 1: Master the Operational Framework of Contract Lifecycle Management

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of
    2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Understand the Ten Stages of Contract Lifecycle Management

    Proposed Time to Completion: 1-10 weeks

    Step 2.1: Assess CLM Maturity

    Step 2.2: Complete a RASCI Diagram

    Start with an analyst kick-off call:

    • Review the importance of assessing the maturity of your current CLM processes
    • Discuss interview process for internal stakeholders
    • Use data from the Existing CLM Process Worksheet

    Review findings with analyst:

    • Review your maturity results
    • Identify stages that require immediate improvement
    • Prioritize improvement or implementation of process

    Then complete these activities…

    • Work through the maturity assessment process
    • Answer the questions in the assessment tool
    • Review the summary tab to learn where to focus improvement efforts

    Then complete these activities…

    • Using maturity assessment and existing process data, establish ownership for each process stage
    • Fill in the RASCI Chart based on internal review or existing processes

    With these tools & templates:

    • CLM Maturity Assessment Tool

    With these tools & templates:

    • CLM RASCI Diagram

    Phase 2 Results & Insights:

    • A full understanding of your current CLM process and where improvement is required
    • A mapping of stakeholders for each stage of the CLM process

    The Ten Stages of Contract Lifecycle Management

    There are ten key stages of contract lifecycle management.

    The steps are divided into two phases, pre-execution and post-execution.

      Pre-Execution (Phase 1)

    1. Request
    2. Create
    3. Review Risk
    4. Approve
    5. Negotiate
    6. Sign
    7. Post-Execution (Phase 2)

    8. Capture
    9. Manage
    10. Monitor Compliance
    11. Optimize

    Ten Process Stages Within the CLM Framework

    This image contains the CLM framework from earlier in the presentation, with the addition of the following ten steps: 1. Request; 2. Create Contract; 3. Review Risk; 4. Approve; 5. Negotiate; 6. Sign; 7. Capture; 8. Manage; 9. Monitor Compliance; 10. Optimize.

    Stage 1: Request or Initiate

    Contract lifecycle management begins with the contract requesting process, where one party requests for or initiates the contracting process and subsequently uses that information for drafting or authoring the contract document. This is usually the first step in CLM.

    Requests for contracts can come from various sources:

    • Business units within the organization
    • Vendors presenting their contract, including renewal agreements
    • System- or process-generated requests for renewal or extension

    At this stage, you need to validate if a non-disclosure agreement (NDA) is currently in place with the other party or is required before moving forward. At times, adequate NDA components could be included within the contract or agreement to satisfy corporate confidentiality requirements.

    Stage 1: Request or Initiate

    Stage Input

    • Information about what the contract needs to contain, such as critical dates, term length, coverage, milestones, etc.
    • Some organizations require that justification and budget approval be provided at this stage.
    • Request could come from a vendor as a pre-created contract.
    • Best practices recommend that a contract request form or template is used to standardize all required information.

    Stage Output

    • Completed request form, stored or posted with all details required to move forward to risk review and contract creation.
    • Possible audit trails.

    Stage 2: Create Contract

    • At the creation or drafting stage, the document is created, generated, or provided by the vendor. The document will contain all clauses, scope, terms and conditions, and pricing as required.
    • In some cases, a vendor-presented contract that is already prepared will go through an internal review or redlining process by the business unit and/or Legal.
    • Both internal and external review and redlining are included in this stage.
    • Also at this stage, the approvers and signing authorities are identified and added to the contract. In addition, some audit trail features may be added.

    Info-Tech Best Practice

    For a comprehensive list of terms and conditions, see our Software Terms & Conditions Evaluation Tool within Master Contract Review and Negotiation for Software Agreements.

    Stage 2: Create Contract

    Stage Input

    • Contract request form, risk review/assessment.
    • Vendor- or contractor-provided contract/agreement, either soft copy, electronic form, or more frequently, “clickwrap” web-posted document.
    • Could also include a renewal notification from a vendor or from the CLM system or admin.

    Stage Output

    • Completed draft contract or agreement, typically in a Microsoft Word or Adobe PDF format with audit trail or comment tracking.
    • Redlined document for additional revision and or acceptance.
    • Amendment or addendum to existing contract.

    Stage 3: Review Risk 1 of 2

    The importance of risk review can not be understated. The contract or agreement must be reviewed by several stakeholders who can identify risks to the organization within the contract.

    Three important definitions:

    1. Risk is the potential for a negative outcome. A risk is crossing the street while wearing headphones and selecting the next track to play on your smartphone. A negative outcome is getting hit by an oncoming person who, unremarkably, was doing something similar at the same time.
    2. Risk mitigation is about taking the steps necessary to minimize both the likelihood of a risk occurring – look around both before and while crossing the street – and its impact if it does occur – fall if you must, but save the smartphone!
    3. Contract risk is about any number of situations that can cause a contract to fail, from trivially – the supplier delivers needed goods late – to catastrophically – the supplier goes out of business without having delivered your long-delayed orders.

    Stage 3: Review Risk 2 of 2

    • Contracts must be reviewed for business terms and conditions, potential risk situations from a financial or legal perspective, business commitments or obligations, and any operational concerns.
    • Mitigating contract risk requires a good understanding of what contracts are in place, how important they are to the success of the organization, and what data they contain.

    Collectively, this is known as contract visibility.

    • Risk avoidance and mitigation are also a key component in the ROI of a CLM system and should be tracked for analysis.
    • Risk-identifying forms or templates can be used to maintain consistency with corporate standards.

    Stage 3: Review Risk

    Stage Input

    • All details of the proposed contract so that a proper risk analysis can be done as well as appropriate review with stakeholders, including:
      • Finance
      • Legal
      • Procurement
      • Security
      • Line-of-business owner
      • IT stakeholders

    Stage Output

    • A list of identified concerns that could expose the business unit or organization.
    • Recommendations to minimize or eliminate identified risks.

    Stage 4: Approve

    The approval stage can be a short process if policies and procedures are already in place. Most organizations will have defined delegation of authority or approval authority depending on risk, value of the contract, and other corporate considerations.

    • Defined approval levels should be known within the organization and can be applied to the approval workflow, expediting the approval of drafted terms, conditions, changes, and cost/spend within the contract internally.
    • Tracking and flexibility needs to considered in the approval process.
    • Gates need to be in place to ensure that a required approver has approved the contract before it moves to the next approver.
    • Flexibility is needed in some situations for ad hoc approval tasks and should include audit trail as required.
    • Approvers can include business units, Finance, Legal, Security, and C-level leaders

    Stage 4: Approve

    Stage Input

    • Complete draft contract with all terms and conditions (T&Cs) and approval trail.
    • Amendment or addendum to existing contract.

    Stage Output

    • Approved draft contract ready to move to the next step of negotiating with the vendor.
    • Approved amendment or addendum to existing or renewal agreement.

    Stage 5: Negotiate

    • At this stage, there should be an approved draft of the contract that can be presented to the other party or vendor for review.
    • Typically organizations will negotiate their larger deals for terms and conditions with the goal of balancing the contractual allocation of risk with the importance of the vendor or agreement and its value to the business.
    • Several people on either side are typically involved and will discuss legal and commercial terms of the contract. Throughout the process, negotiators may leverage a variety of tools, including playbooks with preferred and fallback positions, clause libraries, document redlines and comparisons, and issue lists.
    • Audit trails or tracking of changes and acceptances is an important part of this stage. Tracking will avoid duplication and lost or missed changes and will speed up the entire process.
    • A final, clean document is created at this point and readied for execution.

    Stage 5: Negotiate

    Stage Input

    • Approved draft contract ready to move to the next step of negotiating with the vendor.
    • Approved amendment or addendum to existing or renewal agreement.

    Stage Output

    • A finalized and approved contract or amendment with agreed-upon terms and conditions ready for signatures.

    Info-Tech Insight

    Saving the different versions of a contract during negotiations will save time, provide reassurance of agreed terms as you move through the process, and provide reference for future negotiations with the vendor.

    Stage 6: Sign or Execute

    • At this stage in the process, all the heavy lifting in a contract’s creation is complete. Now it’s signature time.
    • To finalize the agreement, both parties need to the sign the final document. This can be done by an in-person wet ink signature or by what is becoming more prevalent, digital signature through an e-signature process.
    • Once complete, the final executed documents are exchanged or received electronically and then retained by each party.

    Stage 6: Sign or Execute

    Stage Input

    • A finalized and approved contract or amendment with agreed-upon terms and conditions ready for signatures.

    Stage Output

    • An executed contract or amendment ready to move to the next stage of CLM, capturing in the repository.

    Info-Tech Best Practice

    Process flow provisions should made for potential rejection of the contract by signatories, looping the contract back to the appropriate stage for rework or revision.

    Stage 7: Capture in Database/Repository 1 of 2

    • This is one of the most important stages of a CLM process. Executed agreements need to be stored in a single manageable, searchable, reportable, and centralized repository.
    • All documents should to be captured electronically, reviewed for accuracy, and then posted to the CLM repository.
    • The repository can be in various formats depending on the maturity, robustness, and budget of the CLM program.

    Most repositories are some type of database:

    • An off-the-shelf product
    • A PaaS cloud-based solution
    • A homegrown, internally developed database
    • An add-on module to your ERP system

    Stage 7: Capture in Database/Repository 2 of 2

    Several important features of an electronic repository should be considered:

    • Consistent metadata tagging of clauses, terms, conditions, dates, etc.
    • Centralized summary view of all contracts
    • Controlled access for those who need to review and manage the contracts

    Establishing an effective repository will be key to providing measurable value to the organization and saving large amounts of time for the business unit.

    Info-Tech Insight

    Planning for future needs by investing a little more money into a better, more robust repository could pay bigger dividends to the VMO and organization while providing a higher ROI over time as advanced functionality is deployed.

    Stage 8: Manage

    • Once an agreement is captured in the repository, it needs to be managed from both an operational and a commitment perspective.
    • Through a summary view or master list, contracts need to be operationally managed for end dates and renewals, vendor performance, discounts, and rebates.
    • Managing contracts for commitment and compliance will ensure all contract requirements, rights, service-level agreements (SLAs), and terms are fulfilled. This will eliminate the high costs of missed SLAs, potential breaches, or missed renewals.
    • Managing contracts can be improved by adding metadata to the records that allow for easier search and retrieval of contracts or even proactive notification.
    • The repository management features can and should be available to business stakeholders, or reporting from a CLM admin can also alert stakeholders to renewals, pricing, SLAs, etc.
    • Also important to this stage is reporting. This can be done by an admin or via a self-serve feature for stakeholders, or it could even be automated.

    Stage 9: Monitor Compliance 1 of 2

    • At this stage, the contracts or agreements need to be monitored for the polices within them and the purpose for which they were signed.
    • This is referred to as obligation management and is a key step to providing savings to the organization and mitigating risk.
    • Many contracts contain commitments by each party. These can include but are not limited to SLAs, service uptime targets, user counts, pricing threshold discounts and rebates, renewal notices to vendors, and training requirements.
    • All of these obligations within the contracts should be summarized and monitored to ensure that all commitments are delivered on. Managing obligations will mitigate risks, maximize savings and rebates to the organization, and minimize the potential for a breach within the contract.

    Stage 9: Monitor Compliance 2 of 2

    • Monitoring and measuring vendor commitments and performance will also be a key factor in maximizing the benefits of the contract through vendor accountability.
    • Also included in this stage is renewal and/or disposition of the contract. If renewal is due, it should go back to the business unit for submission to the Stage 1: Request process. If the business unit is not going to renew the contract, the contract must be tagged and archived for future reference.

    Stage 10: Optimize

    • The goal of this stage is to improve the other stages of the process as well as evaluate how each stage is integrating with the core operational framework processes.
    • With more data and improved insight into contractual terms and performance, a business can optimize its portfolio for better value, greater savings, and lower-risk outcomes.
    • For high-performance contract teams, the goal is a continuous feedback loop between the contract portfolio and business performance. If, for example, the data shows that certain negotiation issues consume a large chunk of time but yield no measurable difference in risk or performance, you may tweak the playbook to remedy those issues quickly.

    Additional optimization tactics:

    • Streamlining contract renewals with auto-renew
    • Predefined risk review process or template, continuous review/improvement of negotiation playbook
    • Better automation or flow of approval process
    • Better signature delegation process if required
    • Improving repository search with metadata tagging
    • Automating renewal tracking or notice process
    • Tracking the time a contract spends in each stage

    Establish Your Current CLM Maturity Position

    • Sometimes organizations have a well-defined pre-execution process but have a poor post-signature process.
    • Identifying your current processes or lack thereof will provide you with a starting point in developing a plan for your CLM. It’s possible that most of the stages are there and just need some improvements, or maybe some are missing and need to be implemented.
    • It’s not unusual for organizations to have a manual pre-execution process and an automated backend repository with compliance and renewal notices features.

    Info-Tech Best Practice

    Use the CLM Maturity Assessment Tool to outline where your organization is at each stage of the process.

    Member Activity: Assess Current CLM Maturity

    2.1 Completion Time 1-2 days

    Goal: Identify and measure your existing CLM processes, if any, and provide a maturity value to each stage. The resulting scores will provide a maturity assessment of your CLM.

    Instructions

    1. Use the Existing CLM Process Worksheet to document current CLM processes.
    2. Using the CLM worksheet info, answer the questions in the CLM Maturity Assessment Tool.
    3. Review the results and scores on Tab 3 to see where you need to focus your initial improvements.
    4. Save the initial assessment for future reference and reassess in six to 12 months to measure progress.

    This image contains a screenshot from Info-Tech's CLM Maturity Assessment Tool.

    INPUT

    • Internal information from all CLM stakeholders

    OUTPUT

    • A summary of processes and owners currently in place in the organization

    Materials

    • Existing CLM processes from interviews

    Participants

    • Finance, Legal, CIO, VMO, Sales, Procurement

    Member Activity: Complete RASCI Chart

    2.2 Completion Time 2-6 hours

    Goal: Identify who in your organization is primarily accountable and involved in each stage of the CLM process.

    Instructions

    Engage internal business unit decision makers, stakeholders, Finance, Legal, CIO, VMO, Sales, and Procurement as required to validate who should be involved in each stage.

    1. Using the information collected from internal reviews, assign a level in the CLM RASCI Diagram to each team member.
    2. Use the resulting RASCI diagram to guide you through developing or improving your CLM stages.

    This image contains a screenshot from Info-Tech's CLM RASCI Diagram.

    INPUT

    • Internal interview information

    OUTPUT

    • Understanding of who is involved in each CLM stage

    Materials

    • Interview data
    • RASCI Diagram

    Participants

    • Finance, Legal, CIO, VMO, Sales, Procurement

    Applying CLM Framework and Stages to Your Organization

    • Understand what CLM process you currently do or do not have in place.
    • Review implementation options: automated, semi-automated, and manual solutions.
    • If you are improving an existing process, focus on one phase at a time, perfect it, and then move to the other phase. This can also be driven by budget and time.
    • Create a plan to start with and then move to automating or semi-automating the stages.
    • Building onto or enhancing an existing system or processes can be a cost-effective method to produce near-term measurable savings
    • Focus on one phase at a time, then move on to the other phase.
    • While reviewing implementation of or improvements to CLM stages, be sure to track or calculate the potential time and cost savings and risk mitigation. This will help in any required business case for a CLM.

    CLM: An ROI Discussion 1 of 2

    • ROI can be easier to quantify and measure in larger organizations with larger CLM, but ROI metrics can be obtained regardless of the company or CLM size.
    • Organizations recognize their ROI through gains in efficiency across the entire business as well as within individual departments involved in the contracting process. They also do so by reducing the risk associated with decentralized and insecure storage of and access to their contracts, failure to comply with terms of their contracts, and missing deadlines associated with contracts.

    Just a few of the factors to consider within your own organization include:

    • The number of people inside and outside your company that touch your contracts.
    • The number of hours spent weekly, monthly, and annually managing contracts.
    • Potential efficiencies gained in better managing those contracts.
    • The total number of contracts that exist at any given time.
    • The average value and total value of those contract types.
    • The potential risk of being in breach of any of those contracts.
    • The number of places contracts are stored.
    • The level of security that exists to prevent unauthorized access.
    • The potential impact of unauthorized access to your sensitive contract data.

    CLM: An ROI Discussion 2 of 2

    Decision-Maker Apprehensions

    Decision-maker concerns arise from a common misunderstanding – that is, a fundamental failure to appreciate the true source of contract management value. This misunderstanding goes back many years to the time when analysts first started to take an interest in contract management and its automation. Their limited experience (primarily in retail and manufacturing sectors) led them to think of contract management as essentially an administrative function, primarily focused on procurement of goods. In such environments, the purpose of automation is focused on internal efficiency, augmented by the possibility of savings from reduced errors (e.g. failing to spot a renewal or expiry date) or compliance (ensuring use of standard terms).

    Today’s CLM systems and processes can provide ROI in several areas in the business.

    Info-Tech Insight

    Research on ROI of CLM software shows significant hard cost savings to an organization. For example, a $10 million company with 300 contracts valued at $3 million could realize savings of $83,400 and avoid up to $460,000 in lost revenues. (Derived from: ACCDocket, 2018)

    Additional Considerations 1 of 2

    Who should own and/or manage the CLM process within an organization? Legal, VMO, business unit, Sales?

    This is an often-discussed question. Research suggests that there is no definitive answer, as there are several variables.

    Organizations needs to review what makes the best business sense for them based on several considerations and then decide where CLM belongs.

    • Business unit budgets and time management
    • Available Administration personnel and time
    • IT resources
    • Security and access concerns
    • Best fit based on organizational structure

    35% of law professionals feel contract management is a legal responsibility, while 45% feel it’s a business responsibility and a final 20% are unsure where it belongs. (Source: “10 Eye-Popping Contract Management Statistics,” Apttus, 2018)

    Additional Considerations 2 of 2

    What type of CLM software or platform should we use?

    This too is a difficult question to answer definitively. Again, there are several variables to consider. As well, several solutions are available, and this is not a one-size-fits-all scenario.

    As with who should own the CLM process, organizations must review the various CLM software solutions available that will meet their current and future needs and then ask, “What do we need the system to do?”

    • Do you build a “homegrown” solution?
    • Should it be an add-on module to the current ERP or CRM system?
    • Is on-premises more suitable?
    • Is an adequate off-the-shelf (OTS) solution available?
    • What about the many cloud offerings?
    • Is there a basic system to start with that can expand as you grow?

    Info-Tech Insight

    When considering what type of solution to choose, prioritize what needs to been done or improved. Sometimes solutions can be deployed in phases as an “add-on” type modules.

    Summary of Accomplishment

    Knowledge Gained

    • Documented current CLM process
    • Core operational framework to build a CLM process on
    • Understanding of best practices required for a sustainable CLM

    Processes Optimized

    • Internal RASCI process identified
    • Existing internal stage improvements
    • Internal review process for risk mitigation

    Deliverables Completed

    • Existing CLM Processes Worksheet
    • CLM Maturity Assessment
    • CLM RASCI Chart
    • CLM improvement plan

    Project Step Summary

    Client Project: CLM Assessment and Improvement Plan

    1. Set your goals – what do you want to achieve in your CLM project?
    2. Assess your organization’s current CLM position in relation to CLM best practices and stages.
    3. Map your organization’s RASCI structure for CLM.
    4. Identify opportunities for stage improvements or target all low stage assessments.
    5. Prioritize improvement processes.
    6. Track ROI metrics.
    7. Develop a CLM implementation or improvement plan.

    Info-Tech Insight

    This project can fit your organization’s schedule:

    • Do-it-yourself with your team.
    • Remote delivery (Info-Tech Guided Implementation).

    CLM Blueprint Summary and Conclusion

    • Contract management is a vital component of a responsible VMO that will benefit all business units in an organization, save time and money, and reduce risk exposure.
    • A basic well-deployed and well-managed CLM will provide ROI in the short term.
    • Setting an improvement plan with concise improvements and potential cost savings based on process improvements will help your business case for CLM get approval and leadership buy-in.
    • Educating and aligning all business units and stakeholders to any changes to CLM processes will ensure that cost savings and ROI are achieved.
    • When evaluating a CLM software solution, use the operational framework and the ten process stages in this blueprint as a reference guide for CLM vendor functionality and selection.

    Related Info-Tech Research

    Master Contract Review and Negotiation

    Optimize spend with significant cost savings and negotiate from a position of strength.

    Manage Your Vendors Before They Manage You

    Maximize the value of vendor relationships.

    Bibliography

    Burla, Daniel. “The Must Know Of Transition to Dynamics 365 on Premise.” Sherweb, 14 April 2017. Web.

    Anand, Vishal, “Strategic Considerations in Implementing an End-to-End Contract Lifecycle Management Solution.” DWF Mindcrest, 20 Aug. 2016. Web.

    Alspaugh, Zach. “10 Eye-Popping Contract Management Statistics from the General Counsel’s Technology Report.” Apttus, 23 Nov. 2018. Web.

    Bishop, Randy. “Contract Management is not just a cost center.” ContractSafe, 9 Sept. 2019. Web.

    Bryce, Ian. “Contract Management KPIs - Measuring What Matters.” Gatekeeper, 2 May 2019. Web.

    Busch, Jason. “Contract Lifecycle Management 101.” Determine. 4 Jan. 2018. Web.

    “Contract Management Software Buyer's Guide.” TechnologyAdvice, 5 Aug. 2019. Web.

    Dunne, Michael. “Analysts Predict that 2019 will be a Big Year for Contract Lifecycle Management.” Apttus, 19 Nov. 2018. Web.

    “FIS Case Study.” Apttus, n.d. Web.

    Gutwein, Katie. “3 Takeaways from the 2018 State of Contract Management Report.” SpringCM, 2018. Web.

    “IACCM 2019 Benchmark Report.” IAACM, 4 Sept. 2019. Web.

    Linsley, Rod. “How Proverbial Wisdom Can Help Improve Contract Risk Mitigation.” Gatekeeper, 2 Aug. 2019. Web.

    Mars, Scott. “Contract Management Data Extraction.” Exari, 20 June 2017. Web.

    Rodriquez, Elizabeth. “Global Contract Life-Cycle Management Market Statistics and Trends 2019.” Business Tech Hub, 17 June 2017. Web.

    “State of Contract Management Report.” SpringCM, 2018. Web.

    Teninbaum, Gabriel, and Arthur Raguette. “Realizing ROI from Contract Management Technology.” ACCDocket.com, 29 Jan. 2018. Web.

    Wagner, Thomas. “Strategic Report on Contract Life cycle Management Software Market with Top Key Players- IBM Emptoris, Icertis, SAP, Apttus, CLM Matrix, Oracle, Infor, Newgen Software, Zycus, Symfact, Contract Logix, Coupa Software.” Market Research, 21 June 2019. Web.

    “What is Your Contract Lifecycle Management (CLM) Persona?” Spend Matters, 19 Oct. 2017. Web.

    Customer Relationship Management Platform Selection Guide

    • Buy Link or Shortcode: {j2store}529|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $14,719 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Customer relationship management (CRM) suites are an indispensable part of a holistic strategy for managing end-to-end customer interactions.
    • After defining an approach to CRM, selection and implementation of the right CRM suite is a critical step in delivering concrete business value for marketing, sales, and customer service.
    • Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for CRM platforms that don't deliver on the promise of the CRM strategy.

    Our Advice

    Critical Insight

    • IT needs to be a trusted partner in CRM selection and implementation, but the business also needs to own the requirements and be involved from the beginning.
    • CRM requirements dictate the components of the target CRM architecture, such as deployment model, feature focus, and customization level. Savvy application directors recognize the points in the project where the CRM architecture model necessitates deviations from a "canned" roll-out plan.
    • CRM selection is a multi-step process that involves mapping target capabilities for marketing, sales, and customer service, assigning requirements across functional categories, determining the architecture model to prioritize criteria, and developing a comprehensive RFP that can be scored in a weighted fashion.
    • Companies that succeed with CRM implementation create a detailed roadmap that outlines milestones for configuration, security, points of implementation, data migration, training, and ongoing application maintenance.

    Impact and Result

    • A CRM platform that effectively meets the needs of marketing, sales, and customer service and delivers value.
    • Reduced costs during CRM selection.
    • Reduced implementation costs and time frame.
    • Faster time to results after implementation.

    Customer Relationship Management Platform Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Customer Relationship Management Platform Selection Guide – Speed up the process to build your business case and select your CRM solution.

    This blueprint will help you build a business case for selecting the right CRM platform, defining key requirements, and conducting a thorough analysis and scan of the ever-evolving CRM market space.

    • Customer Relationship Management Platform Selection Guide — Phases 1-3

    2. CRM Business Case Template – Document the key drivers for selecting a new CRM platform.

    Having a sound business case is essential for succeeding with a CRM. This template will allow you to document key drivers and impact, in line with the CRM Platform Selection Guide blueprint.

    • CRM Business Case Template

    3. CRM Request for Proposal Template

    Create your own request for proposal (RFP) for your customer relationship management (CRM) solution procurement process by customizing the RFP template created by Info-Tech.

    • CRM Request for Proposal Template

    4. CRM Suite Evaluation and RFP Scoring Tool

    The CRM market has many strong contenders and differentiation may be difficult. Instead of relying solely on reputation, organizations can use this RFP tool to record and objectively compare vendors according to their specific requirements.

    • CRM Suite Evaluation and RFP Scoring Tool

    5. CRM Vendor Demo Script

    Use this template to support your business's evaluation of vendors and their solutions. Provide vendors with scenarios that prompt them to display not only their solution's capabilities, but also how the tool will support your organization's particular needs.

    • CRM Vendor Demo Script

    6. CRM Use Case Fit Assessment Tool

    Use this tool to help build a CRM strategy for the organization based on the specific use case that matches your organizational needs.

    • CRM Use-Case Fit Assessment Tool
    [infographic]

    Further reading

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution.

    Table of Contents

    1. Analyst Perspective
    2. Executive Summary
    3. Blueprint Overview
    4. Executive Brief
    5. Phase 1: Understand CRM Functionality
    6. Phase 2: Build the Business Case and Elicit CRM requirements
    7. Phase 3: Discover the CRM Marketspace and Prepare for Implementation
    8. Conclusion

    Analyst Perspective

    A strong CRM platform is paramount to succeeding with customer engagement.

    Modern CRM platforms are the workhorses that provide functional capabilities and data curation for customer experience management. The market for CRM platforms has seen an explosion of growth over the last five years, as organizations look to mature their ability to deliver strong capabilities across marketing, sales, and customer service.

    IT needs to be a trusted partner in CRM selection and implementation, but the business also needs to own the requirements and be involved from the get-go.

    CRM selection must be a multistep process that involves defining target capabilities for marketing, sales, and customer service, prioritizing requirements across functional categories, determining the architecture model for the CRM environment, and developing a comprehensive RFP that can be scored in a weighted fashion.

    To succeed with CRM implementation, create a detailed roadmap that outlines milestones for configuration, security, points of implementation, data migration, training, and ongoing application maintenance.

    Photo of Ben Dickie, Research Lead, Customer Experience Strategy, Info-Tech Research Group. Ben Dickie
    Research Lead, Customer Experience Strategy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Customer Relationship Management (CRM) suites are an indispensable part of a holistic strategy for managing end-to-end customer interactions. Selecting the right platform that aligns with your requirements is a significant undertaking.

    After defining an approach to CRM, selection and implementation of the right CRM suite is a critical step in delivering concrete business value for marketing, sales, and customer service.
    Common Obstacles

    Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    The CRM market is rapidly evolving and changing, making it tricky to stay on top of the space.

    IT often finds itself in the unenviable position of taking the fall for CRM platforms that don’t deliver on the promise of the CRM strategy.
    Info-Tech’s Approach

    CRM platform selection must be driven by your overall customer experience management strategy: link your CRM selection to your organization’s CXM framework.

    Determine if you need a CRM platform that skews toward marketing, sales, or customer service; leverage use cases to help guide selection.

    Ensure strong points of integration between CRM and other software such as MMS. A CRM should not live in isolation; it must provide a 360-degree view.

    Info-Tech Insight

    IT must work in lockstep with its counterparts in marketing, sales, and customer service to define a unified vision for the CRM platform.

    Info-Tech’s methodology for selecting the right CRM platform

    1. Understand CRM Features 2. Build the Business Case & Elicit CRM Requirements 3. Discover the CRM Market Space & Prepare for Implementation
    Phase Steps
    1. Define CRM platforms
    2. Classify table stakes & differentiating capabilities
    3. Explore CRM trends
    1. Build the business case
    2. Streamline requirements elicitation for CRM
    3. Construct the RFP
    1. Discover key players in the CRM landscape
    2. Engage the shortlist & select finalist
    3. Prepare for implementation
    Phase Outcomes
    • Consensus on scope of CRM and key CRM capabilities
    • CRM selection business case
    • Top-level use cases and requirements
    • Completed CRM RFP
    • CRM market analysis
    • Shortlisted vendor
    • Implementation considerations

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The CRM purchase process should be broken into segments:

    1. CRM vendor shortlisting with this buyer’s guide
    2. Structured approach to selection
    3. Contract review

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Call #1: Understand what a CRM platform is and the “art of the possible” for sales, marketing, and customer service. Call #2: Build the business case to select a CRM.

    Call #3: Define your key CRM requirements.

    Call #4: Build procurement items such as an RFP.
    Call #5: Evaluate the CRM solution landscape and shortlist viable options.

    Call #6: Review implementation considerations.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    INFO~TECH RESEARCH GROUP

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution.

    EXECUTIVE BRIEF

    Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
    © 1997-2022 Info-Tech Research Group Inc.

    What exactly is a CRM platform?

    Our Definition: A customer relationship management (CRM) platform (or suite) is a core enterprise application that provides a broad feature set for supporting customer interaction processes, typically across marketing, sales and customer service. These suites supplant more basic applications for customer interaction management (such as the contact management module of an enterprise resource planning (ERP) platform or office productivity suite).

    A customer relationship management suite provides many key capabilities, including but not limited to:

    • Account management
    • Order history tracking
    • Pipeline management
    • Case management
    • Campaign management
    • Reports and analytics
    • Customer journey execution

    A CRM suite provides a host of native capabilities, but many organizations elect to tightly integrate their CRM solution with other parts of their customer experience ecosystem to provide a 360-degree view of their customers.

    Stock image of a finger touching a screen showing a stock chart.

    Info-Tech Insight

    CRM feature sets are rapidly evolving. Focus on the social component of sales, marketing, and service management features, as well as collaboration, to get the best fit for your requirements. Moreover, consider investing in best-of-breed social media management platforms (SMMPs) and internal collaboration tools to ensure sufficient functionality.

    Build a cohesive CRM selection approach that aligns business goals with CRM capabilities.

    Info-Tech Insight

    Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored customer experiences.

    Customer expectations are on the rise: meet them!

    A CRM platform is a crucial system for enabling good customer experiences.

    CUSTOMER EXPERIENCE IS EVOLVING

    1. Thoughtfulness is in
        Connect with customers on a personal level
    2. Service over products
        The experience is more important than the product
    3. Culture is now number one
        Culture is the most overlooked piece of customer experience strategy
    4. Engineering and service finally join forces
        Companies are combining their technology and service efforts to create strong feedback loops
    5. The B2B world is inefficiently served
        B2B needs to step up with more tools and a greater emphasis placed on customer experience

    (Source: Forbes, 2019)

    Identifying organizational objectives of high priority will assist in breaking down business needs and CRM objectives. This exercise will better align the CRM systems with the overall corporate strategy and achieve buy-in from key stakeholders.

    A strong CRM platform supports a range of organizational objectives for customer engagement.

    Increase Revenue Enable lead scoring Deploy sales collateral management tools Improve average cost per lead via a marketing automation tool
    Enhance Market Share Enhance targeting effectiveness with a CRM Increase social media presence via an SMMP Architect customer intelligence analysis
    Improve Customer Satisfaction Reduce time-to-resolution via better routing Increase accessibility to customer service with live chat Improve first contact resolution with customer KB
    Increase Customer Retention Use a loyalty management application Improve channel options for existing customers Use customer analytics to drive targeted offers
    Create Customer-Centric Culture Ensure strong training and user adoption programs Use CRM to provide 360-degree view of all customer interactions Incorporate the voice of the customer into product development

    Succeeding with CRM selection and implementation has a positive effect on driving revenues and decreasing costs

    There are three buckets of metrics and KPIs where CRM will drive improvements

    The metrics of a smooth CRM selection and implementation process include:

    • Better alignment of CRM functionality to business needs.
    • Better functionality coverage of the selected platform.
    • Decreased licensing costs via better vendor negotiation.
    • Improved end-user satisfaction with the deployed solution.
    • Fewer errors and rework during implementation.
    • Reduced total implementation costs.
    • Reduced total implementation time.

    A successful CRM deployment drives revenue

    • Increased customer acquisition due to enhanced accuracy of segmentation and targeting, superior lead qualification, and pipeline management.
    • Increased customer satisfaction and retention due to targeted campaigns (e.g. customer-specific deals), quicker service incident resolution, and longitudinal relationship management.
    • Increased revenue per customer due to comprehensive lifecycle management tools, social engagement, and targeted upselling of related products and services (enabled by better reporting/analytics).

    A successful CRM deployment decreases cost

    • Deduplication of effort across business domains as marketing, sales, and service now have a common repository of customer information and interaction tools.
    • Increased sales and service agent efficiency due to their focus on selling and resolution, rather than administrative tasks and overhead.
    • Reduced cost-to-sell and cost-to-serve due to automation of activities that were manually intensive.
    • Reduced cost of accurate data due to embedded reporting and analytics functionality.

    CRM platforms sit at the core of a well-rounded customer engagement ecosystem

    At the center is 'Customer Relationship Management Platform' surrounded by 'Web Experience Management Platform', 'E-Commerce & Point-of-Sale Solutions', 'Social Media Management Platform', 'Customer Intelligence Platform', 'Customer Service Management Tools', and 'Marketing Management Suite'.

    Customer Experience Management (CXM) Portfolio

    Customer relationship management platforms are increasingly expansive in functional scope and foundational to an organization’s customer engagement strategy. Indeed, CRMs form the centerpiece for a comprehensive CXM system, alongside tools such as customer intelligence platforms and adjacent point solutions for sales, marketing, and customer service.

    Review Info-Tech’s CXM blueprint below to build a complete, end-to-end customer interaction solution portfolio that encompasses CRM alongside other critical components. The CXM blueprint also allows you to develop strategic requirements for CRM based on customer personas and external market analysis.

    Build a Strong Technology Foundation for Customer Experience Management

    Sample of the 'Build a Strong Technology Foundation for Customer Experience Management' blueprint. Design an end-to-end technology strategy to drive sales revenue, enhance marketing effectiveness, and create compelling experiences for your customers.

    View the blueprint

    Considering a CRM switch? Switching software vendors drives high satisfaction

    Eighty percent of organizations are more satisfied after changing their software vendor.

    • Most organizations see not only a positive change in satisfaction with their new vendor, but also a substantial change in satisfaction.
    • What matters is making sure your organization is well-positioned to make a switch.
    • When it comes to switching software vendors, the grass really can be greener on the other side.

    Over half of organizations are 60%+ more satisfied after changing their vendor.

    (Source: Info-Tech Research Group, "Switching Software Vendors Overwhelmingly Drives Increased Satisfaction", 2020.)

    IT is critical to the success of your CRM selection and rollout

    Today’s shared digital landscape of the CIO and CMO

    Info-Tech Insight

    Technology is the key enabler of building strong customer experiences: IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    CIO

    IT Operations

    Service Delivery and Management

    IT Support

    IT Systems and Application

    IT Strategy and Governance

    Cybersecurity
    Collaboration and Partnership

    Digital Strategy = Transformation
    Business Goals | Innovation | Leadership | Rationalization

    Customer Experience
    Architecture | Design | Omnichannel Delivery | Management

    Insight (Market Facing)
    Analytics | Business Intelligence | Machine Learning | AI

    Marketing Integration + Operating Model
    Apps | Channels | Experiences | Data | Command Center

    Master Data
    Customer | Audience | Industry | Digital Marketing Assets
    CMO

    PEO Media

    Brand Management

    Campaign Management

    Marketing Tech

    Marketing Ops

    Privacy, Trust, and Regulatory Requirements

    (Source: ZDNet, 2020)

    CRM by the numbers

    1/3

    Statistical analysis of CRM projects indicates failures vary from 18% to 69%. Taking an average of those analyst reports, about one-third of CRM projects are considered a failure. (Source: CIO Magazine, 2017)

    92%

    92% of organizations report that CRM use is important for accomplishing revenue objectives. (Source: Hall, 2020)

    40%

    In 2019, 40% of executives name customer experience the top priority for their digital transformation. (Source: CRM Magazine, 2019)

    Case Study

    Align strategy and technology to meet consumer demand.
    INDUSTRY
    Entertainment
    SOURCE
    Forbes, 2017
    Challenge

    Beginning as a mail-out service, Netflix offered subscribers a catalog of videos to select from and have mailed to them directly. Customers no longer had to go to a retail store to rent a video. However, the lack of immediacy of direct mail as the distribution channel resulted in slow adoption.

    Blockbuster was the industry leader in video retail but was lagging in its response to industry, consumer, and technology trends around customer experience.

    Solution

    In response to the increasing presence of tech-savvy consumers on the internet, Netflix invested in developing its online platform as its primary distribution channel. The benefit of doing so was two-fold: passive brand advertising (by being present on the internet) and meeting customer demands for immediacy and convenience. Netflix also recognized the rising demand for personalized service and created an unprecedented, tailored customer experience.

    Results

    Netflix’s disruptive innovation is built on the foundation of great customer experience management. Netflix is now a $28-billion company, which is tenfold what Blockbuster was worth.

    Netflix used disruptive technologies to innovatively build a customer experience that put it ahead of the long-time video rental industry leader, Blockbuster.

    CRM Buyer’s Guide

    Phase 1

    Understand CRM Features

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Set a level of understanding of CRM technology.
    • Define which CRM features are table stakes (standard) and which are differentiating.
    • Identify the “Art of the Possible” in a modern CRM from a sales, marketing, and service lens.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Understand CRM table stakes features

    Organizations can expect nearly all CRM vendors to provide the following functionality.

    Lead Management Pipeline Management Contact Management Campaign Management Customer Service Management
    • Tracks and captures a lead’s information, automatically building a profile. Leads are then qualified through contact scoring models. Assigning leads to sales is typically automated.
    • Enables oversight over future sales. Includes revenue forecasting based on past/present trends, tracking sales velocity, and identifying ineffective sales processes.
    • Tracks and stores customer data, including demography, account and billing history, social media, and contact information. Typically, records and fields can be customized.
    • Provides integrated omnichannel campaign functionality and data analysis of customer intelligence. Data insights can be used to drive new and effective marketing campaigns.
    • Provides integrated omnichannel customer experiences to provide convenient service. Includes case and ticket management, automated escalation rules, and third-party integrations.

    Identify differentiating CRM features

    While not always “must-have” functionality, these features may be the final dealbreaker when deciding between two CRM vendors.

    Image of clustered screens with various network and business icons surounding them.
    • Workflow Automation
      Automate repetitive tasks by creating workflows that trigger actions or send follow-up reminders for next steps.
    • Advanced Analytics and Reporting
      Provides customized dashboard visualizations, detailed reporting, AI-driven virtual assistants, data extraction & analysis, and ML forecasting.
    • Customizations and Open APIs
      Broad range of available customizations (e.g. for dashboards and fields), alongside ease of integration (e.g. via plugins or APIs).
    • Document Management
      Out-of-the-box centralized content repository for storing, uploading, and sharing documents.
    • Mobile Support
      Ability to support mobile devices, OSes, and platforms with a native application or HTML-based web-access.
    • Project and Task Management
      Native project and task management functionality, enhancing cross-team organization and communication.
    • Configure, Price, Quote (CPQ)
      Create and send quotes or proposals to prospective and current customers.

    Features aren’t everything – be wary of common CRM selection pitfalls

    You can have all the right features, but systemic problems will lead to poor CRM implementation. Dig out these root causes first to ensure a successful CRM selection.

    50% of organizations believe the quality of their CRM data is “very poor” or “neutral.”

    Without addressing data governance issues, CRMs will only be as good as your data.

    Source: (Validity 2020)
    27% of organizations report that bad data costs them 10% or more in lost revenue annually.
    42% rate the trust that users have in their data as “high” or “very high.”
    54% believe that sales forecasts are accurate or very accurate.
    69% attribute poor CRM governance to missing or incomplete data, followed by duplicate data, incorrect data, and expired data. Other data issues include siloed data or disparate systems.
    73% believe that they do not have a 360-degree view of their customers.

    Ensure you understand the “art of the possible” in the CRM landscape

    Knowing what is possible will help funnel which features are most suitable for your organization – having all the bells and whistles does not always equal strong ROI.

    Holistically examine the potential of any CRM solution through three main lenses: Stock image of a person working with dashboards.

    Sales

    Identify sales opportunities through recording customers’ interactions, generating leads, nurturing contacts, and forecasting revenues.
    Stock image of people experiencing digital ideas.

    Marketing

    Analyze customer interactions to identify upsell and cross-sell opportunities, drive customer loyalty, and use customer data for targeted campaigns.
    Stock image of a customer service representative.

    Customer Service

    Improve and optimize customer engagement and retention, leveraging customer data to provide round-the-clock omnichannel experiences.

    Art of the possible: Sales

    Stock image of a person working with dashboards.

    TRACK PROSPECT INTERACTIONS

    Want to engage with a prospect but don’t know what to lead with? CRM solutions can track and analyze many of the interactions a prospect has with your organization, including with fellow staff, their clickthrough rate on marketing material, and what services they are downloading on your website. This information can then auto-generate tasks to begin lead generation.

    COORDINATE LEAD SCORING

    Information captured from a prospect is generated into contact cards; missing data (such as name and company) can be auto-captured by the CRM via crawling sites such as LinkedIn. The CRM then centralizes and scores (according to inputted business rules) a lead’s potential, ensuring sales teams coordinate and keep a track of the lead’s journey without wrongful interference.

    AI-DRIVEN REVENUE FORECASTING

    Generate accurate forecasting reports using AI-driven “virtual assistants” within the CRM platform. These assistants are personal data scientists, quickly noting discrepancies, opportunities, and what-if scenarios – tasks that might take weeks to do manually. This pulled data is then auto-forecasted, with the ability to flexibly adjust to real-time data.

    Art of the possible: Marketing

    Stock image of people experiencing digital ideas.

    DRIVE LOYALTY

    Data captured and analyzed in the CRM from customer interactions builds profiles and a deeper understanding of customers’ interests. With this data, marketing teams can deliver personalized promotions and customer service to enhance loyalty – from sending a discount on a product the customer was browsing on the website, to providing notifications about delivery statuses.

    AUTOMATE WORKFLOWS

    Building customer profiles, learning spending habits, and charting a customer’s journey for upselling or cross-selling can be automated through workflows, saving hours of manual work. These workflows can immediately respond to customer enquiries or deliver offers to the customer’s preferred channel based on their prior usage.

    TARGETED CAMPAIGNING

    Information attained through a CRM platform directly informs any marketing strategy: identifying customer segments, spending habits, building a better product based on customer feedback, and identifying high-spending customers. With any new product or offering, it is straightforward for marketing teams to understand where to target their next campaign for highest impact.

    Art of the possible: Customer service

    Stock image of a customer service representative.

    OMNICHANNEL SUPPORT

    Rapidly changing demographics and modes of communications require an evolution toward omnichannel engagement. Many customers now expect to communicate with contact centers not just by voice, but via social media. Agents need customer information synced across each channel they use, meeting the customer’s needs where they are.

    INTELLIGENT SELF-SERVICE PORTALS

    Customers want their issues resolved as quickly as possible. Machine-learning self-service options deliver personalized customer experiences, which also reduce both agent call volume and support costs for the organization.

    LEVERAGING ANALYTICS

    The future of customer service is tied up with analytics. This not only entails AI-driven capabilities that fetch the agent relevant information, skills-based routing, and using biometric data (e.g. speech) for security. It also feeds operations leaders’ need for easy access to real insights about how their customers and agents are doing.

    Best-of-Breed Point Solutions

    Full CRM Suite

    Blue smiley face. Benefits
    • Features may be more advanced for specific functional areas and a higher degree of customization may be possible.
    • If a potential delay in real-time customer data transfer is acceptable, best-of-breeds provide a similar level of functionality to suites for a lower price.
    • Best-of-breeds allow value to be realized faster than suites, as they are easier and faster to implement and configure.
    • Rip and replace is easier, and vendor updates are relatively quick to market.
    Benefits
    • Everyone in the organization works from the same set of customer data.
    • There is a “lowest common denominator” for agent learning as consistent user interfaces lower learning curves and increase efficiency in usage.
    • There is a broader range of functionality using modules.
    • Integration between functional areas will be strong and the organization will be in a better position to enable version upgrades without risking invalidation of an integration point between separate systems.
    Green smiley face.
    Purple frowny face. Challenges
    • Best-of-breeds typically cover less breadth of functionality than suites.
    • There is a lack of uniformity in user experience across best-of-breeds.
    • Data integrity risks are higher.
    • Variable infrastructure may be implemented due to multiple disparate systems, which adds to architecture complexity and increased maintenance.
    • There is potential for redundant functionality across multiple best-of-breeds.
    Challenges
    • Suites exhibit significantly higher costs compared to point solutions.
    • Suite module functionality may not have the same depth as point solutions.
    • Due to high configuration availability and larger-scale implementation requirements, the time to deploy is longer than point solutions.
    Orange frowny face.
    Info-Tech Insight

    Even if a suite is missing a potential module, the proliferation of app extensions, integrations, and services could provide a solution. Salesforce’s AppExchange, for instance, offers a plethora of options to extend its CRM solution – from telephony integration, to gamification.

    CRM Buyer’s Guide

    Phase 2

    Build the Business Case & Elicit CRM Requirements

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Identify goals, objectives, challenges, and costs to inform the business case for a new CRM platform.
    • Elicit and prioritize key requirements for your platform.
    • Port the requirements into Info-Tech’s CRM RFP Template.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Right-size the CRM selection team to ensure you get the right information but are still able to move ahead quickly

    Full-Time Resourcing: At least one of these five team members must be allocated to the selection initiative as a full-time resource.

    A silhouetted figure.

    IT Leader

    A silhouetted figure.

    Technical Lead

    A silhouetted figure.

    Business Analyst/
    Project Manager

    A silhouetted figure.

    Business Lead

    A silhouetted figure.

    Process Expert(s)

    This team member is an IT director or CIO who will provide sponsorship and oversight from the IT perspective. This team member will focus on application security, integration, and enterprise architecture. This team member elicits business needs and translates them into technology requirements. This team member will provide sponsorship from the business needs perspective. Typically, a CMO or SVP of sales. These team members are the sales, marketing, and service process owners who will help steer the CRM requirements and direction.

    Info-Tech Insight

    It is critical for the selection team to determine who has decision rights. Organizational culture will play the largest role in dictating which team member holds the final say for selection decisions. For more information on stakeholder management and involvement, see this guide.

    Be prepared to define what issues you are trying to address and why a new CRM is the right approach

    Identify the current state and review the background of what you’ve done leading up to this point, goals you’ve been asked to meet, and challenges in solving known problems to help to set the stage for why your proposed solution is needed. If your process improvements have taken you as far as you can go without improved workflows or data, specify where the gaps are.
    Arrows with icons related to the text on the right merging into one arrow. Alignment

    Alignment to strategic goals is always important, but that is especially true with CRM because customer relationship management platforms are at the intersection of your organization and your customers. What are the strategic marketing, sales and customer service goals that you want to realize (in whole or in part) by improving your CRM ecosystem?

    Impact to your business

    Identify areas where your customers may be impacted by poor experiences due to inadequate or aging technology. What’s the impact on customer retention? On revenue?

    Impact to your organization

    Define how internal stakeholders within the organization are impacted by a sub-optimal CRM experience – what are their frustrations and pain points? How do issues with your current CRM environment prevent teams in sales, marketing, or service from doing their jobs?

    Impact to your department

    Describe the challenges within IT of using disparate systems, workarounds, poor data and reporting, lack of automation, etc., and the effect these challenges have on IT’s goals.

    Align the CRM strategy with the corporate strategy

    Corporate Strategy Unified Strategy CRM Strategy
    Spectrum spanning all columns.
    Your corporate strategy:
    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and business aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.
    • The CRM strategy and the rationale for deploying a new CRM can be and should be linked, with metrics, to the corporate strategy and ultimate business objectives (such as improving customer acquisition, entering new segments, or improving customer lifetime value).
    Your CRM strategy:
    • Communicates the organization’s budget and spending on CRM.
    • Identifies IT initiatives that will support the business and key CRM objectives.
    • Outlines staffing and resourcing for CRM initiatives.
    CRM projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with CRM capabilities. Effective alignment between sales, marketing, customer service, operations, IT, and the business should happen daily. Alignment doesn’t just need to occur at the executive level, but also at each level of the organization.

    2.1 Create your list of goals and milestones for CRM

    1-3 hours

    Input: Corporate strategy, Target key performance indicators, End-user satisfaction results (if applicable)

    Output: Prioritized list of goals with milestones that can be met with a new or improved CRM solution

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales or service SMEs

    1. Review strategic goals to identify alignment to your CRM selection project. For example, digital transformation may be enhanced or enabled with a CRM solution that supports better outreach to key customer segments through improved campaign management.
    2. Next, brainstorm tactical goals with your colleagues.
    3. Identify specific goals the organization has set for the business that may be supported by improved customer prospecting, customer service, or analytics functionality through a better CRM solution.
    4. Identify specific goals your organization will be able to make possible with a new or improved CRM solution.
    5. Prioritize this list and lead with the most important goal that can be reached at the one-year, six-month, and three-month milestones.
    6. Document in the goals section of your business case.

    Download the CRM Business Case Template and record the outputs of this exercise in the strategic business goals, business drivers, and technical drivers slides.

    Identify what challenges exist with the current environment

    Ensure you are identifying issues at a high level, so as not to drown in detail, but still paint the right picture. Identify technical issues that are impacting customer experience or business goals. Typical complaints for CRM solutions that are old or have been outgrown include:

    1.

    Lack of a flexible, configurable customer data model that supports complex relationships between accounts and contacts.

    2.

    Lack of a flexible, configurable customer data model that supports complex relationships between accounts and contacts.

    3.

    Lack of meaningful reports and useable dashboards, or difficulty in surfacing them.

    4.

    Poor change enablement resulting in business interruptions.

    5.

    Inability to effectively automate routine sales, marketing, or service tasks at scale via a workflow tool.

    6.

    Lack of proper service management features, such as service knowledge management.

    7.

    Inability to ingest customer data at scale (for example, no ability to automatically log e-mails or calls).

    8.

    Major technical deficiencies and outages – the incumbent CRM platform goes down, causing business disruption.

    9.

    The platform itself doesn’t exist in the current state – everything is done in Microsoft Excel!

    Separate business issues from technical issues, but highlight where they’re connected and where technical issues are causing business issues or preventing business goals from being reached.

    Before switching vendors, evaluate your existing CRM to see if it’s being underutilized or could use an upgrade

    The cost of switching vendors can be challenging, but it will depend entirely on the quality of data and whether it makes sense to keep it.
    • Achieving success when switching vendors first requires reflection. We need to ask why we are dissatisfied with our incumbent software.
    • If the product is old and inflexible, the answer may be obvious, but don’t be afraid to include your incumbent in your evaluation if your issues might be solved with an upgrade.
    • Look at your use-case requirements to see where you want to take the CRM solution and compare them to your incumbent’s roadmap. If they don’t match, switching vendors may be the only solution. If your roadmaps align, see if you’re fully leveraging the solution or will be able to start working through process improvements.
    Pie graph with a 20% slice. Pie graph with a 25% slice.

    20%

    Small/Medium Enterprises

    25%

    Large Enterprises
    only occasionally or rarely/never use their software (Source: Software Reviews, 2020; N = 45,027)
    Fully leveraging your current software now will have two benefits:
    1. It may turn out that poor leveraging of your incumbent software was the problem all along; switching vendors won’t solve the problem by itself. As the data to the right shows, a fifth of small/medium enterprises and a quarter of large enterprises do not fully leverage their incumbent software.
    2. If you still decide to switch, you’ll be in a good negotiating position. If vendors can see you are engaged and fully leveraging your software, they will be less complacent during negotiations to win you over.
    Info-Tech Insight

    Switching vendors won’t improve poor internal processes. To be fully successful and meet the goals of the business case, new software implementations must be accompanied by process review and improvement.

    2.2 Create your list of challenges as they relate to your goals and their impacts

    1-2 hours

    Input: Goals lists, Target key performance indicators, End-user satisfaction results (if applicable)

    Output: Prioritized list of challenges preventing or hindering customer experiences

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Brainstorm with your colleagues to discuss your challenges with CRM today from an application and process lens.
    2. Identify how these challenges are impacting your ability to meet the goals and identify any that are creating customer-facing issues.
    3. Group together like areas and arrange in order of most impactful. Identify which of these issues will be most relevant to the business case for a new CRM platform.
    4. Document in the current-state section of your business case.
    5. Discuss and determine if the incumbent solution can meet your needs or if you’ll need to replace it with a different product.

    Download the CRM Business Case Template and document the outputs of this exercise in the current-state section of your business case.

    Determine costs of the solution

    Ensure the business case includes both internal and external costs related to the new CRM platform, allocating costs of project managers to improve accuracy of overall costs and level of success.

    CRM solutions include application costs and costs to design processes, install, and configure. These start-up costs can be a significant factor in whether the initial purchase is feasible.

    CRM Vendor Costs

    • Application licensing
    • Implementation and configuration
    • Professional services
    • Maintenance and support
    • Training
    • 3rd Party add-ons
    • Data transformation
    • Integration
    When thinking about vendor costs, also consider the matching internal cost associated with the vendor activity (e.g. data cleansing, internal support).

    Internal Costs

    • Project management
    • Business readiness
    • Change management
    • Resourcing (user groups, design/consulting, testing)
    • Training
    • Auditors (if regulatory requirements need vetting)
    Project management is a critical success factor at all stages of an enterprise application initiative from planning to post-implementation. Ensuring that costs for such critical areas are accurately represented will contribute to success.

    Download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable to define requirements for installation and configuration.

    Bring in the right resources to guarantee success. Work with the PMO or project manager to get help with creating the SOW.

    60% of IT projects are NOT finished “mostly or always” on time (Wellingtone, 2018).

    55% of IT personnel feel that the business objectives of their software projects are clear to them (Geneca, 2017).

    Document costs and expected benefits of the new CRM

    The business case should account for the timing of both expenditures and benefits. It is naïve to expect straight-line benefit realization or a big-bang cash outflow related to the solution implementation. Proper recognition and articulation of ramp-up time will make your business case more convincing.

    Make sure your timelines are realistic for benefits realization, as these will be your project milestones and your metrics for success.

    Example:
    Q1-Q2 Q3-Q6 Q6 Onwards

    Benefits at 25%

    At the early stages of an implementation, users are still learning the new system and go-live issues are being addressed. Most of the projected process improvements are likely to be low, zero, or even negative.

    Benefits at 75%

    Gradually, as processes become more familiar, an organization can expect to move closer to realizing the forecasted benefits or at least be in a position to recognize a positive trend toward their realization.

    Benefits at 100%

    In an ideal world, all projected benefits are realized at 100% or higher. This can be considered the stage where processes have been mastered, the system is operating smoothly, and change has been broadly adopted. In reality, benefits are often overestimated.

    Costs at 50%

    As with benefits, some costs may not kick in until later in the process or when the application is fully operational. In the early phases of implementation, factor in the cost of overlapping technology where you’ll need to run redundant systems and transition any data.

    Costs at 100%

    Costs are realized quicker than benefits as implementation activities are actioned, licensing and maintenance costs are introduced, and resourcing is deployed to support vendor activities internally. Costs that were not live in the early stages are an operational reality at this stage.

    Costs at 100%+

    Costs can be expected to remain relatively static past a certain point, if estimates accurately represented all costs. In many instances, costs can exceed original estimates in the business case, where costs were either underestimated, understated, or missed.

    2.3 Document your costs and expected benefits

    1-2 hours

    Input: Quotes with payment schedule, Budget

    Output: Estimated payment schedule and cost breakdown

    Materials: Spreadsheet or whiteboard, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Estimate costs for the CRM solution. If you’re working with a vendor, provide the initial requirements to quote; otherwise, estimate as closely as you’re able.
    2. Calculate the five-year total cost for the solution to ensure the long-term budget is calculated.
    3. Break down costs for licenses, implementation, training, internal support, and hardware or hosting fees.
    4. Determine a reasonable breakdown of costs for the first year.
    5. Identify where residual costs of the old system may factor in if there are remaining contract obligations during the technology transition.
    6. Create a list of benefits expected to be realized within the same timeline.

    Sample of the table on the previous slide.

    Download the CRM Business Case Template and document the outputs of this exercise in the current-state section of your business case.

    Identify risks and dependencies to mitigate barriers to success as you look to roll out a CRM suite

    A risk assessment will be helpful to better understand what risks need to be mitigated to make the project a success and what risks are pending should the solution not be approved or be delayed.

    Risk Criteria Relevant Questions
    Timeline Uncertainty
    • How much risk is associated with the timeline of the CRM project?
    • Is this timeline realistic and can you reach some value in the first year?
    Success of Similar Projects
    • Have we undertaken previous projects that are similar?
    • Were those successful?
    • Did we note any future steps for improvement?
    Certainty of Forecasts
    • Where have the numbers originated?
    • How comfortable are the sponsors with the revenue and cost forecasts?
    Chance of Cost Overruns
    • How likely is the project to have cost overruns?
    • How much process and design work needs to be done prior to implementation?
    Resource Availability
    • Is this a priority project?
    • How likely are resourcing issues from a technical and business perspective?
    • Do we have the right resources?
    Change During Delivery
    • How volatile is the area in which the project is being implemented?
    • Are changes in the environment likely?
    • How complex are planned integrations?

    2.4 Identify risks to the success of the solution rollout and mitigation plan

    1-2 hours

    Input: List of goals and challenges, Target key performance indicators

    Output: Prioritized list of challenges preventing or hindering improvements for the IT teams

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Brainstorm with your colleagues to discuss potential roadblocks and risks that could impact the success of the CRM project.
    2. Identify how these risks could impact your project.
    3. Document the ones that are most likely to occur and derail the project.
    4. Discuss potential solutions to mitigate risks.

    Download the CRM Business Case Template and document the outputs of this exercise in the risk and dependency section of your business case. If the risk assessment needs to be more complex, complete the Risk Indicator Analysis in Info-Tech’s Business Case Workbook.

    Start requirements gathering by identifying your most important use cases across sales, marketing, and service

    Add to your business case by identifying which top-level use cases will meet your goals.

    Examples of target use cases for a CRM project include:

    • Enhance sales acquisition capabilities (i.e. via pipeline management)
    • Enhance customer upsell and cross-sell capabilities
    • Improve customer segmentation and targeting capabilities for multi-channel marketing campaigns
    • Strengthen customer care capabilities to improve customer satisfaction and retention (i.e. via improved case management and service knowledge management)
    • Create actionable insights via enhanced reporting and analytics

    Info-Tech Insight

    Lead with the most important benefit and consider the timeline. Can you reach that goal and report success to your stakeholders within the first year? As you look toward that one-year goal, you can consider secondary benefits, some of which may be opportunities to bring early value in the solution.

    Benefits of a successful deployment of use cases will include:
    • Improved customer satisfaction
    • Improved operational efficiencies
    • Reduced customer turnover
    • Increased platform uptime
    • License or regulatory compliance
    • Positioned for growth

    Typically, we see business benefits in this order of importance. Lead with the outcome that is most important to your stakeholders.

    • Net income increases
    • Revenue generators
    • Cost reductions
    • Improved customer service

    Consider perspectives of each stakeholder to ensure functionality needs are met and high satisfaction results

    Best of breed vs. “good enough” is an important discussion and will feed your success.

    Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

    • Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where “good enough” is an acceptable state.
    • Consider the implications to implementation and all use cases of buying an all-in-one solution, integration of multiple best-of-breed solutions, or customizing features that were not built into a solution.
    • Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional CRM solutions.

    Pros and Cons

    Build vs. Buy

    Multi-Source Best of Breed

    Flexibility
    vs.
    architectural complexity

    Vendor Add-Ons & Integrations

    Lower support costs
    vs.
    configuration

    Multi-source Custom

    Flexibility
    vs.
    high skills requirements

    Single Source

    Lower support costs
    vs.
    configuration

    2.5 Define use cases and high-level features for meeting business and technical goals

    1-2 hours

    Input: List of goals and challenges

    Output: Use cases to be used for determining requirements

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Identify the key customer engagement use cases that will support your overall goals as defined in the previous section.
    2. The following slide has examples of use case domains that will be enhanced from a CRM platform.
    3. Define high-level goals you wish to achieve in the first year and longer term. If you have more specific KPIs to add, and it is a requirement for your organization’s documentation, add them to this section.
    4. Take note of where processes will need to be improved to benefit from these use-case solutions – the tools are only as good as the process behind them.

    Download the CRM Business Case Template and document the outputs from this exercise in the current-state section of your business case.

    Understand the dominant use-case scenarios across organizations to narrow the list of potential CRM solutions

    Sales
    Enablement

    • Generate leads through multiple channels.
    • Rapidly sort, score, and prioritize leads based on multiple criteria.
    • Create in-depth sales forecasts segmented by multiple criteria (territory, representative, etc.).

    Marketing
    Management

    • Manage marketing campaigns across multiple channels (web, social, email, etc.).
    • Aggregate and analyze customer data to generate market intelligence.
    • Build and deploy customer-facing portals.

    Customer Service
    Management

    • Generate tickets, and triage customer service requests through multiple channels.
    • Track customer service interactions with cases.
    • There is a need to integrate customer records with contact center infrastructure.
    Info-Tech Insight

    Use your understanding of the CRM use case to accelerate the vendor shortlisting process. Since the CRM use case has a direct impact on the prioritization of a platform’s features and capabilities, you can rapidly eliminate vendors from contention or designate superfluous modules as out-of-scope.

    2.5.1 Use Info-Tech’s CRM Use-Case Fit Assessment Tool to align your CRM requirements to the vendor use cases

    30 min

    Input: Understanding of business objectives for CRM project, Use-Case Fit Assessment Tool

    Output: Use-case suitability

    Materials: Use-Case Fit Assessment Tool

    Participants: Core project team, Project managers

    1. Use the Use-Case Fit Assessment Tool to understand how your unique business requirements map into which CRM use case.
    2. This tool will assess your answers and determine your relative fit against the use-case scenarios.
    3. Fit will be assessed as “Weak,” “Moderate,” or “Strong.”
      1. Consider the common pitfalls, which were mentioned earlier, that can cause IT projects to fail. Plan and take clear steps to avoid or mitigate these concerns.
      2. Note: These use-case scenarios are not mutually exclusive, meaning your organization can align with one or more scenarios based on your answers. If your organization shows close alignment to multiple scenarios, consider focusing on finding a more robust solution and concentrate your review on vendors that performed strongly in those scenarios or meet the critical requirements for each.

    Download the CRM Use-Case Fit Assessment Tool

    Once you’ve identified the top-level use cases a CRM must support, elicit, and prioritize granular platform requirements.

    Understanding business needs through requirements gathering is the key to defining everything about what is being purchased, yet it is an area where people often make critical mistakes.

    Info-Tech Insight

    To avoid creating makeshift solutions, an organization needs to gather requirements with the desired future state in mind.

    Risks of poorly scoped requirements

    • Fail to be comprehensive and miss certain areas of scope
    • Focus on how the solution should work instead of what it must accomplish
    • Have multiple levels of detail within the requirements, which are inconsistent and confusing
    • Drill all the way down into system-level detail
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow
    • Omit constraints or preferences that buyers think are “obvious”

    Best practices

    • Get a clear understanding of what the system needs to do and what it is expected to produce
    • Test against the principle of MECE – requirements should be “mutually exclusive and collectively exhaustive”
    • Explicitly state the obvious and assume nothing
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors

    Prioritize requirements to assist with vendor selection: focus on priority requirements linked to differentiated capabilities

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure efforts are targeted toward the proper requirements and to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.


    Pyramid of the MoSCoW Model.
    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    The MoSCoW Model of Prioritization

    Requirements must be implemented for the solution to be considered successful.

    Requirements that are high priority should be included in the solution if possible.

    Requirements are desirable but not necessary and could be included if resources are available.

    Requirements won’t be in the next release, but will be considered for the future releases.

    Base your prioritization on the right set of criteria

    Effective Prioritization Criteria

    Criteria

    Description

    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy Compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business Value Significance Give a higher priority to high-value requirements.
    Business Risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of Success Especially in “proof of concept” projects, it is recommended that requirements have good odds.
    Implementation Complexity Give a higher priority to low implementation difficulty requirements.
    Alignment With Strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    2.6 Identify requirements to support your use cases

    1-2 hours

    Input: List of goals and challenges

    Output: Use cases to be used for determining requirements

    Materials: Whiteboard/flip charts, Vendor Evaluation Workbook

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Work with the team to identify which features will be most important to support your use cases. Keep in mind there will be some features that will require more effort to implement fully. Add that into your project plan.
    2. Use the features lists on the following slides as a guide to get started on requirements.
    3. Prioritize your requirements list into mandatory features and nice-to-have features (or use the MoSCoW model from the previous slides). This will help you to eliminate vendors who don’t meet bare minimums and to score remaining vendors.
    4. Use this same list to guide your vendor demos.

    Our Improve Requirements Gathering blueprint provides a deep dive into the process of eliciting, analyzing, and validating requirements if you need to go deeper into effective techniques.

    CRM features

    Table stakes vs. differentiating

    What is a table stakes/standard feature?

    • Certain features are standard for all CRM tools, but that doesn’t mean they are all equal.
    • The existence of features doesn’t guarantee their quality or functionality to the standards you need. Never assume that “Yes” in a features list means you don’t need to ask for a demo.
    • If Table Stakes are all you need from your CRM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price to value for your needs.

    What is a differentiating/additional feature?

    • Differentiating features take two forms:
      • Some CRM platforms offer differentiating features that are vertical specific.
      • Other CRM platforms offer differentiating features that are considered cutting edge. These cutting-edge features may become table stakes over time.

    Table stakes features for CRM

    Account Management Flexible account database that stores customer information, account history, and billing information. Additional functionality includes: contact deduplication, advanced field management, document linking, and embedded maps.
    Interaction Logging and Order History Ability to view all interactions that have occurred between sales teams and the customer, including purchase order history.
    Basic Pipeline Management View of all opportunities organized by their current stage in the sales process.
    Basic Case Management The ability to create and manage cases (for customer service or order fulfilment) and associate them with designated accounts or contacts.
    Basic Campaign Management Basic multi-channel campaign management (i.e. ability to execute outbound email campaigns). Budget tracking and campaign dashboards.
    Reports and Analytics In-depth reports on CRM data with dashboards and analytics for a variety of audiences.
    Mobile Support Mobile access across multiple devices (tablets, smartphones and/or wearables) with access to CRM data and dashboards.

    Additional features for CRM

    Customer Information Management Customizable records with detailed demographic information and the ability to created nested accounts (accounts with associated sub-accounts or contact records).
    Advanced Case Management Ability to track detailed interactions with members or constituents through a case view.
    Employee Collaboration Capabilities for employee-to-employee collaboration, team selling, and activity streams.
    Customer Collaboration Capabilities for outbound customer collaboration (i.e. the ability to create customer portals).
    Lead Generation Capabilities for generating qualified leads from multiple channels.
    Lead Nurturing/Lead Scoring The ability to evaluate lead warmth using multiple customer-defined criteria.
    Pipeline and Deal Management Managing deals through cases, providing quotes, and tracking client deliverables.

    Additional features for CRM (Continued)

    Marketing Campaign Management Managing outbound marketing campaigns via multiple channels (email, phone, social, mobile).
    Customer Intelligence Tools for in-depth customer insight generation and segmentation, predictive analytics, and contextual analytics.
    Multi-Channel Support Capabilities for supporting customer interactions across multiple channels (email, phone, social, mobile, IoT, etc.).
    Customer Service Workflow Management Capabilities for customer service resolution, including ticketing and service management.
    Knowledge Management Tools for capturing and sharing CRM-related knowledge, especially for customer service.
    Customer Journey Mapping Visual workflow builder with automated trigger points and business rules engine.
    Document Management The ability to curate assets and attachments and add them to account or contact records.
    Configure, Price, Quote The ability to create sales quotes/proposals from predefined price lists and rules.

    2.7 Put it all together – port your requirements into a robust RFP template that you can take to market!

    1-2 hours
    1. Once you’ve captured and prioritized your requirements – and received sign-off on them from key stakeholders – it’s time to bake them into a procurement vehicle of your choice.
    2. For complex enterprise systems like a CRM platform, Info-Tech recommends that this should take the form of a structured RFP document.
    3. Use our CRM RFP Template and associated CRM RFP Scoring Tool to jump-start the process.
    4. The next step will be conducting a market scan to identify contenders, and issuing the RFP to a shortlist of viable vendors for further evaluation.

    Need additional guidance on running an effective RFP process? Our Drive Successful Sourcing Outcomes with a Robust RFP Process has everything you need to ace the creation, administration and assessment of RFPs!

    Samples of the CRM Request for Proposal Template and CRM Suite Evaluation and RFP Scoring Tool.

    Download the CRM Request for Proposal Template

    Download the CRM Suite Evaluation and RFP Scoring Tool

    Identify whether vertical-specific CRM platforms are a best fit

    In mature vendor landscapes (like CRM) vendors begin to differentiate themselves by offering vertical-specific platforms, modules, or feature sets. These feature sets accelerate the implantation, decrease the platform’s learning curve, and drive user adoption. The three use cases below cover the most common industry-specific offerings:

    Public Sector

    • Constituent management and communication.
    • Constituent portal deployment for self-service.
    • Segment constituents based on geography, needs and preferences.

    Education

    • Top-level view into the student journey from prospect to enrolment.
    • Track student interactions with services across the institution.
    • Unify communications across different departments.

    Financial Services

    • Determine customer proclivity for new services.
    • Develop self-service banking portals.
    • Track longitudinal customer relationships from first account to retirement management.
    Info-Tech Insight

    Vertical-specific solutions require less legwork to do upfront but could cost you more in the long run. Interoperability and vendor viability must be carefully examined. Smaller players targeting niche industries often have limited integration ecosystems and less funding to keep pace with feature innovation.

    Rein-in ballooning scope for CRM selection projects

    Stretching the CRM beyond its core capabilities is a short-term solution to a long-term problem. Educate stakeholders about the limits of CRM technology.

    Common pitfalls for CRM selection

    • Tangential capabilities may require separate solutions. It is common for stakeholders to list features such as “content management” as part of the new CRM platform. While content management goes hand in hand with the CRM’s ability to manage customer interactions, document management is best handled by a standalone platform.

    Keeping stakeholders engaged and in line

    • Ballooning scope leads to stakeholder dissatisfaction. Appeasing stakeholders by over-customizing the platform will lead to integration and headaches down the road.
    • Make sure stakeholders feel heard. Do not turn down ideas in the midst of an elicitation session. Once the requirements-gathering sessions are completed, the project team has the opportunity to mark requirements as “out of scope” and communicate the reasoning behind the decision.
    • Educate stakeholders on the core functionality of CRM. Many stakeholders do not know the best-fit use cases for CRM platforms. Help end users understand what CRM is good at and where additional technologies will be needed.
    Stock image of a man leaping with a balloon.

    CRM Buyer’s Guide

    Phase 3

    Discover the CRM Market Space & Prepare for Implementation

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the CRM vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for CRM.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Consolidating the Vendor Shortlist Up-Front Reduces Downstream Effort

    Put the “short” back in shortlist!

    • Radically reduce effort by narrowing the field of potential vendors earlier in the selection process. Too many organizations don’t funnel their vendor shortlist until nearing the end of the selection process. The result is wasted time and effort evaluating options that are patently not a good fit.
    • Leverage external data (such as SoftwareReviews) and expert opinion to consolidate your shortlist into a smaller number of viable vendors before the investigative interview stage and eliminate time spent evaluating dozens of RFP responses.
    • Having fewer RFP responses to evaluate means you will have more time to do greater due diligence.
    Stock image of river rapids.

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:
    1. Reviewing your requirements
    2. Checking out SoftwareReviews
    3. Shortlisting your vendors
    4. Conducting demos and detailed proposal reviews
    5. Selecting and contracting with a finalist!
    Image of a person presenting a dashboard of the steps on the left.

    Get to know the key players in the CRM landscape

    The proceeding slides provide a top-level overview of the popular players you will encounter in the CRM shortlisting process.

    Logos of the key players in the CRM landscape (Salesforce, Microsoft, Oracle, HubSpot, etc).

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    Sample of SoftwareReviews' Data Quadrant Report. Title page of SoftwareReviews' Data Quadrant Report. The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Sample of SoftwareReviews' Emotional Footprint. Title page of SoftwareReviews' Emotional Footprint. The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    Icon of a person.


    Fact-based reviews of business software from IT professionals.

    Icon of a magnifying glass over a chart.


    Top-tier data quality backed by a rigorous quality assurance process.

    CLICK HERE to ACCESS

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Icon of a tablet.


    Product and category reports with state-of-the-art data visualization.

    Icon of a phone.


    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insights of our expert analysts, our members receive unparalleled support in their buying journey.

    Logo for Salesforce.
    Est. 1999 | CA, USA | NYSE: CRM

    bio

    Link for their Twitter account. Link for their LinkedIn profile. Link for their website.
    Sales Cloud Enterprise allows you to be more efficient, more productive, more everything than ever before as it allows you to close more deals, accelerate productivity, get more leads, and make more insightful decisions.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:
    • Breadth of features
    • Quality of features
    • Sales management functionality
    Areas to Improve:
    • Cost of service
    • Ease of implementation
    • Telephony and contact center management
    Logo gif for SoftwareReviews.
    8.0
    COMPOSITE SCORE
    8.3
    CX SCORE
    +77
    EMOTIONAL FOOTPRINT
    83%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 600
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Salesforce screen. Vendor Pulse rating. How often do we hear about Salesforce from our members for CRM? 'Very Frequently'.
    History of Salesforce in a vertical timeline.
    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for Salesforce.

    “Salesforce is the pre-eminent vendor in the CRM marketplace and is a force to be reckoned with in terms of the breadth and depth of its capabilities. The company was an early disruptor in the category, placing a strong emphasis from the get-go on a SaaS delivery model and strong end-user experience. This allowed them to rapidly gain market share at the expense of more complacent enterprise application vendors. A series of savvy acquisitions over the years has allowed Salesforce to augment their core Sales and Service Clouds with a wide variety of other solutions, from e-commerce to marketing automation to CPQ. Salesforce is a great fit for any organization looking to partner with a market leader with excellent functional breadth, strong interoperability, and a compelling technology and partner ecosystem. All of this comes at a price, however – Salesforce prices at a premium, and our members routinely opine that Salesforce’s commercial teams are overly aggressive – sometimes pushing solutions without a clear link to underpinning business requirements.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Sales Cloud Essentials Sales Cloud Professional Sales Cloud Enterprise Sales Cloud Ultimate
    • Starts at $25*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $75*
    • Per user/mo
    • Mid-market target
    • Starts at $150*
    • Per user/mo
    • Enterprise target
    • Starts at $300*
    • Per user/mo
    • Strong upmarket feature additions
    Logo for Microsoft.


    Est. 1975 | WA, USA | NYSE: MSFT

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Dynamics 365 Sales is an adaptive selling solution that helps your sales team navigate the realities of modern selling. At the center of the solution is an adaptive, intelligent system – prebuilt and ready to go – that actively monitors myriad signals and distills them into actionable insights.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Business value created
    • Analytics and reporting
    • Lead management

    Areas to Improve:

    • Quote, contract, and proposals
    • Vendor support
    Logo gif for SoftwareReviews.
    8.1
    COMPOSITE SCORE
    8.3
    CX SCORE
    +84
    EMOTIONAL FOOTPRINT
    82%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 198
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Microsoft screen.Vendor Pulse rating. How often do we hear about Microsoft Dynamics from our Members? 'Very Frequently'.

    History of Microsoft in a vertical timeline.

    *Pricing correct as of June 2022. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for Microsoft.
    “”

    “Microsoft Dynamics 365 is a strong and compelling player in the CRM arena. While Microsoft is no stranger to the CRM space, their offerings here have seen steady and marked improvement over the last five years. Good functional breadth paired with a modern user interface and best-in-class Microsoft stack compatibility ensures that we consistently see them on our members’ shortlists, particularly when our members are looking to roll out CRM capabilities alongside other components of the Dynamics ecosystem (such as Finance, Operations, and HR). Today, Microsoft segments the offering into discrete modules for sales, service, marketing, commerce, and CDP. While Microsoft Dynamics 365 is a strong option, it’s occasionally mired by concerns that the pace of innovation and investment lags Salesforce (its nearest competitor). Additionally, the marketing module of the product is softer than some of its competitors, and Microsoft themselves points organizations with complex marketing requirements to a strategic partnership that they have with Adobe.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    D365 Sales Professional D365 Sales Enterprise D365 Sales Premium
    • Starts at $65*
    • Per user/mo
    • Midmarket focus
    • Starts at $95*
    • Per user/mo
    • Enterprise focus
    • Starts at $135*
    • Per user/mo
    • Enterprise focus with customer intelligence
    Logo for Oracle.


    Est. 1977 | CA, USA | NYSE: ORCL

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Oracle Engagement Cloud (CX Sales) provides a set of capabilities to help sales leaders transition smoothly from sales planning and execution through customer onboarding, account management, and support services.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Quality of features
    • Activity and workflow management
    • Analytics and reporting

    Areas to Improve:

    • Marketing management
    • Product strategy & rate of improvement
    Logo gif for SoftwareReviews.
    7.8
    COMPOSITE SCORE
    7.9
    CX SCORE
    +77
    EMOTIONAL FOOTPRINT
    78%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 140
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of an Oracle screen.Vendor Pulse rating. How often do we hear about Oracle from our members for CRM? 'Frequently'.

    History of Oracle in a vertical timeline.

    Logo for Oracle.

    “Oracle is long-term juggernaut of the enterprise applications space. Their CRM portfolio is diverse – rather than a single stack, there are multiple Oracle solutions (many made by acquisition) that support CRM capabilities – everything from Siebel to JD Edwards to NetSuite to Oracle CX applications. The latter constitute Oracle’s most modern stab at CRM and are where the bulk of feature innovation and product development is occurring within their portfolio. While historically seen as lagging behind other competitors like Salesforce and Microsoft, Oracle has made excellent strides in improving their user experience (via their Redwoods design paradigm) and building new functional capabilities within their CRM products. Indeed, SoftwareReviews shows Oracle performing well in our most recent peer-driven reports. Nonetheless, we most commonly see Oracle as a pricier ecosystem play that’s often subordinate to a heavy Oracle footprint for ERP. Many of our members also express displeasure with Oracle as a vendor and highlight their heavy-handed “threat of audit” approach. ”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Oracle CX Sales - Pricing Opaque:

    “Request a Demo”

    Logo for SAP.


    Est. 1972 | Germany | NYSE: SAP

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    SAP is the third-largest independent software manufacturer in the world, with a presence in over 120 countries. Having been in the industry for over 40 years, SAP is perhaps best known for its ERP application, SAP ERP.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Ease of data integration

    Areas to Improve:

    • Lead management
    • Marketing management
    • Collaboration
    • Usability & intuitiveness
    • Analytics & reporting
    Logo gif for SoftwareReviews.
    7.4
    COMPOSITE SCORE
    7.8
    CX SCORE
    +74
    EMOTIONAL FOOTPRINT
    75%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 108
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a SAP screen.Vendor Pulse rating. How often do we hear about SAP from our members for CRM? 'Occasionally'.

    History of SAP in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for SAP.

    “SAP is another mainstay of the enterprise applications market. While they have a sound breadth of capabilities in the CRM and customer experience space, SAP consistently underperforms in many of our relevant peer-driven SoftwareReviews reports for CRM and adjacent areas. CRM seems decidedly a secondary focus for SAP, behind their more compelling play in the enterprise resource planning (ERP) space. Indeed, most instances where we see SAP in our clients’ shortlists, it’s as an ecosystem play within a broader SAP strategy. If you’re blue on the ERP side, looking to SAP’s capabilities on the CRM front makes logical sense and can help contain costs. If you’re approaching a CRM selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests you’ll be better served by a vendor that places a higher degree of primacy on the CRM aspect of their portfolio.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    SAP CRM - Pricing Opaque:

    “Request a Demo”

    Logo for pipedrive.


    Est. 2010 | NY, USA | Private

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Pipedrive brings together the tools and data, the platform focuses sales professionals on fundamentals to advance deals through their pipelines. Pipedrive's goal is to make sales success inevitable - for salespeople and teams.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Sales Management
    • Account & Contact Management
    • Lead Management
    • Usability & Intuitiveness
    • Ease of Implementation

    Areas to Improve:

    • Customer Service Management
    • Marketing Management
    • Product Strategy & Rate of Improvement
    Logo gif for SoftwareReviews.
    8.3
    COMPOSITE SCORE
    8.4
    CX SCORE
    +85
    EMOTIONAL FOOTPRINT
    85%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 262
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Pipedrive screen.Vendor Pulse rating. How often do we hear about Pipedrive from our members for CRM? 'Occasionally'.

    History of Pipedrive in a vertical timeline.

    *Pricing correct as of June 2022. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for Pipedrive.

    “A relatively new offering, Pipedrive has seen explosive growth over the last five years. They’re a vendor that has gone from near-obscurity to popping up frequently on our members’ shortlists. Pipedrive’s secret sauce has been a relentless focus on high-velocity sales enablement. Their focus on pipeline management, lead assessment and routing, and a good single pane of glass for sales reps has driven significant traction for the vendor when sales enablement is the driving rationale behind rolling out a new CRM platform. Bang for your buck is also strong with Pipedrive, with the vendor having a value-driven licensing and implementation model.

    Pipedrive is not without some shortcomings. It’s laser-focus on sales enablement is at the expense of deep capabilities for marketing and service management, and its profile lends itself better to SMBs and lower midmarket than it does large organizations looking for enterprise-grade CRM.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Essential Advanced Professional Enterprise
    • Starts at $12.50*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $24.90*
    • Per user/mo
    • Small/mid-sized businesses
    • Starts at $49.90*
    • Per user/mo
    • Lower mid-market focus
    • Starts at $99*
    • Per user/mo
    • Enterprise focus
    Logo for SugarCRM.


    Est. 2004 | CA, USA | Private

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Produces Sugar, a SaaS-based customer relationship management application. SugarCRM is backed by Accel-KKR.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Ease of customization
    • Product strategy and rate of improvement
    • Ease of IT administration

    Areas to Improve:

    • Marketing management
    • Analytics and reporting
    Logo gif for SoftwareReviews.
    8.4
    COMPOSITE SCORE
    8.8
    CX SCORE
    +92
    EMOTIONAL FOOTPRINT
    84%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 97
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a SugarCRM screen.Vendor Pulse rating. How often do we hear about SugarCRM from our members for CRM? 'Frequently'.
    History of SugarCRM in a vertical timeline.
    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.
    Logo for SugarCRM.

    “SugarCRM offers reliable baseline capabilities at a lower price point than other large CRM vendors. While SugarCRM does not offer all the bells and whistles that an Enterprise Salesforce plan might, SugarCRM is known for providing excellent vendor support. If your organization is only after standard features, SugarCRM will be a good vendor to shortlist.

    However, ensure you have the time and labor power to effectively implement and train on SugarCRM’s solutions. SugarCRM does not score highly for user-friendly experiences, with complaints centering on outdated and unintuitive interfaces. Setting up customized modules takes time to navigate, and SugarCRM does not provide a wide range of native integrations with other applications. To effectively determine whether SugarCRM does offer a feasible solution, it is recommended that organizations know exactly what kinds of integrations and modules they need.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Sugar Professional Sugar Serve Sugar Sell Sugar Enterprise Sugar Market
    • Starts at $52*
    • Per user/mo
    • Min. 3 users
    • Small businesses
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • Focused on customer service
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • Focused on sales automation
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • On-premises, mid-sized businesses
    • Starts at $1000*
    • Priced per month
    • Min. 10k contacts
    • Large enterprise
    Logo for .


    Est. 2006 | MA, USA | HUBS (NYSE)

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Develops software for inbound customer service, marketing, and sales. Software includes CRM, SMM, lead gen, SEO, and web analytics.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Breadth of features
    • Product strategy and rate of improvement
    • Ease of customization

    Areas to Improve:

    • Ease of data integration
    • Customer service management
    • Telephony and call center management
    Logo gif for SoftwareReviews.
    8.3
    COMPOSITE SCORE
    8.4
    CX SCORE
    +84
    EMOTIONAL FOOTPRINT
    86%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 97
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a HubSpot screen.Vendor Pulse rating. How often do we hear about HubSpot from our members for CRM? 'Frequently'.

    History of HubSpot in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts
    See pricing on vendor’s website for latest information.
    Logo for HubSpot.

    “ HubSpot is best suited for small to mid-sized organizations that need a range of CRM tools to enable growth across sales, marketing campaigns, and customer service. Indeed, HubSpot offers a content management solution that offers a central storage location for all customer and marketing data. Moreover, HubSpot offers plenty of freemium tools for users to familiarize themselves with the software before buying. However, though HubSpot is geared toward growing businesses, smaller organizations may not see high ROI until they begin to scale. The “Starter” and “Professional” plans’ pricing is often cited by small organizations as a barrier to commitment, and the freemium tools are not a sustainable solution. If organizations can take advantage of discount behaviors from HubSpot (e.g. a startup discount), HubSpot will be a viable long-term solution. ”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Starter Professional Enterprise
    • Starts at $50*
    • Per month
    • Min. 2 users
    • Small businesses
    • Starts at $500*
    • Per month
    • Min. 5 users
    • Small/mid-sized businesses
    • Starts at $1200*
    • Billed yearly
    • Min. 10 users
    • Mid-sized/small enterprise
    Logo for Zoho.


    Est. 1996 | India | Private

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Zoho Corporation offers a cloud software suite, providing a full operating system for CRM, alongside apps for finance, productivity, HR, legal, and more.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Business value created
    • Breadth of features
    • Collaboration capabilities

    Areas to Improve:

    • Usability and intuitiveness
    Logo gif for SoftwareReviews.
    8.7
    COMPOSITE SCORE
    8.9
    CX SCORE
    +92
    EMOTIONAL FOOTPRINT
    85%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 152
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Zoho screen.Vendor Pulse rating. How often do we hear about Zoho from our members for CRM? 'Occasionally'.

    History of Zoho in a vertical timeline.

    *
    See pricing on vendor’s website for latest information.
    Logo for Zoho.

    “Zoho has a long list of software solutions for businesses to run end to end. As one of Zoho’s earliest software releases, though, ZohoCRM remains a flagship product. ZohoCRM’s pricing is incredibly competitive for mid/large enterprises, offering high business value for its robust feature sets. For those organizations that already utilize Zoho solutions (such as its productivity suite), ZohoCRM will be a natural extension.

    However, small/mid-sized businesses may wonder how much ROI they can get from ZohoCRM, when much of the functionality expected from a CRM (such as workflow automation) cannot be found until one jumps to the “Enterprise” plan. Given the “Enterprise” plan’s pricing is on par with other CRM vendors, there may not be much in a smaller organization’s eyes that truly distinguishes ZohoCRM unless they are already invested Zoho users.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Standard Professional Enterprise Ultimate
    • Starts at $20*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $35*
    • Per user/mo
    • Small/mid-sized businesses
    • Adds inventory management
    • Starts at $50*
    • Per user/mo
    • Mid-sized/small enterprise
    • Adds Zia AI
    • Starts at $65*
    • Per user/mo
    • Enterprise
    • Bundles Zoho Analytics
    Logo for Zendesk.


    Est. 2009 | CA, USA | ZEN (NYSE)

    bio

    Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Software developer for customer service. Founded in Copenhagen but moved to San Francisco after $6 million Series B funding from Charles River Ventures and Benchmark Capital.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Quality of features
    • Breadth of features
    • Vendor support

    Areas to Improve:

    • Business value created
    • Ease of customization
    • Usability and intuitiveness
    Logo gif for SoftwareReviews.
    7.8
    COMPOSITE SCORE
    7.9
    CX SCORE
    +80
    EMOTIONAL FOOTPRINT
    72%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 50
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Zendesk screen.Vendor Pulse rating. How often do we hear about Zendesk from our members for CRM? 'Rarely'.

    History of Zendesk in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts
    See pricing on vendor’s website for latest information.
    Logo for Zendesk.

    “Zendesk’s initial growth was grounded in word-of-mouth advertising, owing to the popularity of its help desk solution’s design and functionality. Zendesk Sell has followed suit, receiving strong feedback for the breadth and quality of its features. Organizations that have already reaped the benefits of Zendesk’s customer service suite will find Zendesk Sell a straightforward fit for their sales teams.

    However, it is important to note that Zendesk Sell is predominantly focused on sales. Other key components of a CRM, such as marketing, are less fleshed out. Organizations should ensure they verify what requirements they have for a CRM before choosing Zendesk Sell – if sales process requirements (such as forecasting, call analytics, and so on) are but one part of what the organization needs, Zendesk Sell may not offer the highest ROI for the pricing offered.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Sell Team Sell Professional Sell Enterprise
    • Starts at $19*
    • Per user/mo
    • Max. 3 users
    • Small businesses
    • Basic functionality
    • Starts at $49*
    • Per user/mo
    • Small/mid-sized businesses
    • Advanced analytics
    • Starts at $99*
    • Per user/mo
    • Mid-sized/small enterprise
    • Task automation

    Speak with category experts to dive deeper into the vendor landscape

    Icon of a person.
    Fact-based reviews of business software from IT professionals.
    Icon of a magnifying glass over a chart.
    Top-tier data quality backed by a rigorous quality assurance process.
    CLICK HERE to ACCESS

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Icon of a tablet.
    Product and category reports with state-of-the-art data visualization.
    Icon of a phone.
    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insights of our expert analysts, our members receive unparalleled support in their buying journey.

    Conduct a day of rapid-fire vendor demos

    Zoom in on high-value use cases and answers to targeted questions

    Make sure the solution will work for your business

    Give each vendor 90 to 120 minutes to give a rapid-fire presentation. We suggest the following structure:

    • 30 minutes: company introduction and vision
    • 60 minutes: walk-through of two or three high-value demo scenarios
    • 30 minutes: targeted Q&A from the business stakeholders and procurement team
    To ensure a consistent evaluation, vendors should be asked analogous questions, and a tabulation of answers should be conducted.
    How to challenge the vendors in the investigative interview
    • Change the visualization/presentation.
    • Change the underlying data.
    • Add additional data sets to the artifacts.
    • Collaboration capabilities.
    • Perform an investigation in terms of finding BI objects and identifying previous changes, and examine the audit trail.
    Rapid-fire vendor investigative interview

    Invite vendors to come onsite (or join you via video conference) to demonstrate the product and to answer questions. Use a highly targeted demo script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

    Graphic of an alarm clock.
    To kick-start scripting your demo scenarios, leverage our CRM Demo Script Template.

    A vendor scoring model provides a clear anchor point for your evaluation of CRM vendors based on a variety of inputs

    A vendor scoring model is a systematic method for effectively assessing competing vendors. A weighted-average scoring model is an approach that strikes a strong balance between rigor and evaluation speed.

    Info-Tech Insight

    Even the best scoring model will still involve some “art” rather than science – scoring categories such as vendor viability always entails a degree of subjective interpretation.

    How do I build a scoring model?

    • Start by shortlisting the key criteria you will use to evaluate your vendors. Functional capabilities should always be a critical category, but you’ll also want to look at criteria such as affordability, architectural fit, and vendor viability.
    • Depending on the complexity of the project, you may break down some criteria into sub-categories to assist with evaluation (for example, breaking down functional capabilities into constituent use cases so you can score each one).
    • Once you’ve developed the key criteria for your project, the next step is weighting each criterion. Your weightings should reflect the priorities for the project at hand. For example, some projects may put more emphasis on affordability, others on vendor partnership.
    • Using the information collected in the subsequent phases of this blueprint, score each criterion from 1-100, then multiply by the weighting factor. Add up the weighted scores to arrive at the aggregate evaluation score for each vendor on your shortlist.

    What are some of the best practices?

    • While the criteria for each project may vary, it’s helpful to have an inventory of repeatable criteria that can be used across application selection projects. The next slide contains an example that you can add or subtract from.
    • Don’t go overboard on the number of criteria: five to 10 weighted criteria should be the norm for most projects. The more criteria (and sub-criteria) you must score against, the longer it will take to conduct your evaluation. Always remember, link the level of rigor to the size and complexity of your project! It’s possible to create a convoluted scoring model that takes significant time to fill out but yields little additional value.
    • Creation of the scoring model should be a consensus-driven activity among IT, procurement, and the key business stakeholders – it should not be built in isolation. Everyone should agree on the fundamental criteria and weights that are employed.
    • Consider using not just the outputs of investigative interviews and RFP responses to score vendors, but also third-party review services like SoftwareReviews.

    Define how you’ll score CRM proposals and demos

    Define key CRM selection criteria for your organization – this should be informed by the following goals, use cases, and requirements covered in the blueprint.

    Criteria

    Description

    Functional CapabilitiesHow well does the vendor align with the top-priority functional requirements identified in your accelerated needs assessment? What is the vendor’s functional breadth and depth?
    AffordabilityHow affordable is this vendor? Consider a three-to-five-year total cost of ownership (TCO) that encompasses not just licensing costs, but also implementation, integration, training, and ongoing support costs.
    Architectural FitHow well does this vendor align with our direction from an enterprise architecture perspective? How interoperable is the solution with existing applications in our technology stack? Does the solution meet our deployment model preferences?
    ExtensibilityHow easy is it to augment the base solution with native or third-party add-ons as our business needs may evolve?
    ScalabilityHow easy is it to expand the solution to support increased user, data, and/or customer volumes? Are there any capacity constraints of the solution?
    Vendor ViabilityHow viable is this vendor? Are they an established player with a proven track record, or a new and untested entrant to the market? What is the financial health of the vendor? How committed are they to the particular solution category?
    Vendor VisionDoes the vendor have a cogent and realistic product roadmap? Are they making sensible investments that align with your organization’s internal direction?
    Emotional FootprintHow well does the vendor’s organizational culture and team dynamics align to yours?
    Third-Party Assessments and/or ReferencesHow well-received is the vendor by unbiased, third-party sources like SoftwareReviews? For larger projects, how well does the vendor perform in reference checks (and how closely do those references mirror your own situation)?

    Decision Point: Select the Finalist

    After reviewing all vendor responses to your RFP, conducting vendor demos, and running a pilot project (if applicable), the time has arrived to select your finalist.

    All core selection team members should hold a session to score each shortlisted vendor against the criteria enumerated on the previous slide – based on an in-depth review of proposals, the demo sessions, and any pilots or technical assessments.

    The vendor that scores the highest in aggregate is your finalist.

    Congratulations – you are now ready to proceed to final negotiation and inking a contract. This blueprint provides a detailed approach on the mechanics of a major vendor negotiation.

    Leverage Info-Tech’s research to plan and execute your CRM implementation

    Use Info-Tech Research Group’s three phase implementation process to guide your own planning.
    The three phases of software implementation: 'Assess', 'Prepare', 'Govern & Course Correct'. Sample of the 'Governance and Management of Enterprise Software Implementation' blueprint.

    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Visit this link

    Prepare for implementation: establish a clear resourcing plan

    Organizations rarely have sufficient internal staffing to resource a CRM project on their own. Consider the options for closing the gap in internal resource availability.

    The most common project resourcing structures for enterprise projects are:
    Your own staff +
    1. Management consultant
    2. Vendor consultant
    3. System integrator
    Info-Tech Insight

    When contemplating a resourcing structure, consider:

    • Availability of in-house implementation competencies and resources.
    • Timeline and constraints.
    • Integration environment complexity.

    Consider the following:

    Internal vs. External Roles and Responsibilities

    Clearly delineate between internal and external team responsibilities and accountabilities, and communicate this to your technology partner up front.

    Internal vs. External Accountabilities

    Accountability is different than responsibility. Your vendor or SI partner may be responsible for completing certain tasks, but be careful not to outsource accountability for the implementation – ultimately, the internal team will be accountable.

    Partner Implementation Methodologies

    Often vendors and/or SIs will have their own preferred implementation methodology. Consider the use of your partner's implementation methodology; however, you know what will work for your organization.

    Establish team composition

    1 – 2 hours

    Input: Skills assessment, Stakeholder analysis, Vendor partner selection

    Output: Team composition

    Materials: Sticky notes, Whiteboard, Markers

    Participants: Project team

    Use Info-Tech’s Governance and Management of Enterprise Software Implementation to establish your team composition. Within that blueprint:

    1. Assess the skills necessary for an implementation. Inventory the competencies required for the implementation project team. Map your internal resources to each competency as applicable.
    2. Select your internal implementation team. Determine who needs to be involved closely with the implementation. Key stakeholders should also be considered as members of your implementation team.
    3. Identify the number of external consultants/support required for implementation. Consider your in-house skills, timeline considerations, integration environment complexity, and cost constraints as you make your team composition plan. Be sure to dedicate an internal resource to managing the vendor and partner relationships.
    4. Document the roles and responsibilities, accountabilities, and other expectations of your team as they relate to each step of the implementation.

    Governance and Management of Enterprise Software Implementation

    Sample of the 'Governance and Management of Enterprise Software Implementation' blueprint.Follow our iterative methodology with a task list focused on the business must-have functionality to achieve rapid execution and to allow staff to return to their daily work sooner.

    Visit this link

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:
    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship-building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:
    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:
    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role clarity: Having a clear definition of what everyone’s role is.

    Plan for your implementation of CRM based on deployment model

    Place your CRM application into your IT landscape by configuring and adjusting the tool based on your specific deployment method.

    Icon of a housing development.
    On-Premises

    1. Identify custom features and configuration items
    2. Train developers and IT staff on new software investment
    3. Install software
    4. Configure software
    5. Test installation and configuration
    6. Test functionality

    Icon of a cloud upload.
    SaaS-based

    1. Train developers and IT staff on new software investment
    2. Set up connectivity
    3. Identify VPN or internal solution
    4. Check firewalls
    5. Validate bandwidth regulations

    Integration is a top IT challenge and critical to the success of the CRM suite

    CRM suites are most effective when they are integrated with ERP and MarTech solutions.

    Data interchange between the CRM solution and other data sources is necessary

    Formulate a comprehensive map of the systems, hardware, and software with which the CRM solution must be able to integrate. Customer data needs to constantly be synchronized: without this, you lose out on one of the primary benefits of CRM. These connections must be bidirectional for maximum value (i.e. marketing data to the CRM, customer data to MMS).
    Specialized projects that include an intricate prospect or customer list and complex rules may need to be built by IT The more custom fields you have in your CRM suite and point solutions, the more schema mapping you will have to do. Include this information in the RFP to receive guidance from vendors on the ease with which integration can be achieved.

    Pay attention to legacy apps and databases

    If you have legacy CRM, POS, or customer contact software, more custom code will be required. Many vendors claim that custom integration can be performed for most systems, but custom comes at a cost. Don’t just ask if they can integrate; ask how long it will take and for references from organizations which have been successful in this.
    When assessing the current application portfolio that supports CRM, the tendency will be to focus on the applications under the CRM umbrella, relating mostly to marketing, sales, and customer service. Be sure to include systems that act as inputs to, or benefit due to outputs from, the CRM or similar applications.

    CRM data flow

    Example of a CRM data flow.

    Be sure to include enterprise applications that are not included in the CRM application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

    Sample CRM integration map

    Sample of a CRM integration map.

    Scenario: Failure to address CRM data integration will cost you in the long run

    A company spent $15 million implementing a new CRM system in the cloud and decided NOT to spend an additional $1.5 million to do a proper cloud DI tool procurement. The mounting costs followed.

    Cost Element – Custom Data Integration

    $

    2 FTEs for double entry of sales order data $ 100,000/year
    One-time migration of product data to CRM $ 240,000 otc
    Product data maintenance $ 60,000/year
    Customer data synchronization interface build $ 60,000 otc
    Customer data interface maintenance $ 10,000/year
    Data quality issues $ 100,000/year
    New SaaS integration built in year 3 $ 300,000 otc
    New SaaS integration maintenance $ 150,000/year

    Cost Element – Data Integration Tool

    $

    DI strategy and platform implementation $1,500,000 otc
    DI tool maintenance $ 15,000/year
    New SaaS integration point in year 3 $ 300,000 otc
    Thumbs down color coded red to the adjacent chart. Custom integration is costing this organization $300,000/year for one SaaS solution.
    Thumbs up color coded blue to the adjacent chart.

    The proposed integration solution would have paid for itself in 3-4 years and saved exponential costs in the long run.

    Proactively address data quality in the CRM during implementation

    Data quality is a make-or-break issue in a CRM platform; garbage in is garbage out.
    • CRM suites are one of the leading offenders for generating poor-quality data. As such, it’s important to have a plan in place for structuring your data architecture in such a way the poor data quality is minimized from the get-go.
    • Having a plan for data quality should precede data migration efforts; some types of poor data quality can be mitigated prior to migration.
    • There are five main types of poor-quality data found in CRM platforms.
      • Duplicate data: Duplicate records can be a major issue. Leverage dedicated deduplication tools to eliminate them.
      • Stale data: Out-of-date customer information can reduce the usefulness of the platform. Use automated social listening tools to help keep data fresh.
      • Incomplete data: Records with missing info limit platform value. Specify data validation parameters to mandate that all fields are filled in.
      • Invalid and conflicting data: These can create cascading errors. Establishing conflict resolution rules in ETL tools for data integration can lessen issues.
    Info-Tech Insight

    If you have a complex POI environment, appoint data stewards for each major domain and procure a deduplication tool. As the complexity of CRM system-to-system integrations increases, so will the chance that data quality errors will crop up – for example, bidirectional POI with other sources of customer information dramatically increase the chances of conflicting/duplicate data.

    Profile data, eliminate dead weight, and enforce standards to protect data

    Identify and eliminate dead weight

    Poor data can originate in the firm’s CRM system. Custom queries, stored procedures, or profiling tools can be used to assess the key problem areas.

    Loose rules in the CRM system may lead to records of no significant value in the database. Those rules need to be fixed, but if changes are made before the data is fixed, users could encounter database or application errors, which will reduce user confidence in the system.

    • Conduct a data flow analysis: map the path that data takes through the organization.
    • Use a mass cleanup to identify and destroy dead weight data. Merge duplicates either manually or with the aid of software tools. Delete incomplete data, taking care to reassign related data.
    • COTS packages typically allow power users to merge records without creating orphaned records in related tables, but custom-built applications typically require IT expertise.

    Create and enforce standards and policies

    Now that the data has been cleaned, it’s important to protect the system from relapsing.

    Work with business users to find out what types of data require validation and which fields should have changes audited. Whenever possible, implement drop-down lists to standardize values and make programming changes to ensure that truncation ceases.

    • Truncated data is usually caused by mismatches in data structures during either one-time data loads or ongoing data integrations.
    • Don’t go overboard on assigning required fields; users will just put key data in note fields.
    • Discourage the use of unstructured note fields: the data is effectively lost except if it gets subpoenaed.
    Info-Tech Insight

    Data quality concerns proliferate with the customization level of your platform. The more extensive the custom integration points and module/database extensions that you have made, the more you will need to have a plan in place for managing data quality from a reactive and proactive standpoint.

    Create a formal communication process throughout the CRM implementation

    Establish a comprehensive communication process around the CRM enterprise roll-out to ensure that end users stay informed.

    The CRM kick-off meeting(s) should encompass: 'The high-level application overview', 'Target business-user requirements', 'Target quality of service (QoS) metrics', 'Other IT department needs', 'Tangible business benefits of application', 'Special consideration needs'. The overall objective for interdepartmental CRM kick-off meetings is to confirm that all parties agree on certain key points and understand platform rationale and functionality.

    The kick-off process will significantly improve internal communications by inviting all affected internal IT groups, including business units, to work together to address significant issues before the application process is formally activated.

    Department groups or designated trainers should take the lead and implement a process for:

    • Scheduling CRM platform roll-out/kick-off meetings.
    • Soliciting preliminary input from the attending groups to develop further training plans.
    • Establishing communication paths and the key communication agents from each department who are responsible for keeping lines open moving forward.

    Ensure requirements are met with robust user acceptance testing

    User acceptance testing (UAT) is a test procedure that helps to ensure end-user requirements are met. Test cases can reveal bugs before the suite is implemented.

    Five Secrets of UAT Success

    Bracket with colors corresponding the adjacent list items.

    1

    Create the plan With the information collected from requirements gathering, create the plan. Make sure this information is added to the main project plan documentation.

    2

    Set the agenda The time allotted will vary depending on the functionality being tested. Ensure that the test schedule allows for the resolution of issues and discussion.

    3

    Determine who will participate Work with the relevant stakeholders to identify the people who can best contribute to system testing. Look for experienced power users who have been involved in earlier decision making about the system.

    4

    Highlight acceptance criteria Together with the UAT group, pinpoint the criteria to determine system acceptability. Refer back to requirements specified in use cases in the initial requirements-gathering stages of the project.

    5

    Collect end user feedback Weaknesses in resolution workflow design, technical architecture, and existing customer service processes can be highlighted and improved on with ongoing surveys and targeted interviews.

    Calculate post-deployment metrics to assess measurable value of the project

    Track the post-deployment results from the project and compare the metrics to the current state and target state.

    CRM Selection and Implementation Metrics
    Description Formula Current or Estimated Target Post-Deployment
    End-User Satisfaction # of Satisfied Users
    # of End Users
    70% 90% 85%
    Percentage Over/Under Estimated Budget Amount Spent - 100%
    Budget
    5% 0% 2%
    Percentage Over/Under Estimated Timeline Project Length - 100%
    Estimated Timeline
    10% -5% -10%

    CRM Strategy Metrics
    Description Formula Current or Estimated Target Post-Deployment
    Number of Leads Generated (per month) # of Leads Generated 150 200 250
    Average Time to Resolution (in minutes) Time Spent on Resolution
    # of Resolutions
    30 minutes 10 minutes 15 minutes
    Cost per Interaction by Campaign Total Campaign Spending
    # of Customer Interactions
    $17.00 $12.00 $12.00

    Select the Right CRM Platform

    CRM technology is critical to facilitate an organization’s relationships with customers, service users, employees, and suppliers. Having a structured approach to building a business case, defining key requirements, and engaging with the right shortlist of vendors to pick the best finalist is crucial.

    This selection guide allows organizations to execute a structured methodology for picking a CRM that aligns with their needs. This includes:
    • Alignment and prioritization of key business and technology drivers for a CRM selection business case.
    • Identification of key use cases and requirements for CRM.
    • Construction of a robust CRM RFP.
    • A strong market scan of key players.
    • A survey of crucial implementation considerations.
    This formal CRM selection initiative will drive business-IT alignment, identify sales and marketing automation priorities, and allow for the rollout of a platform that’s highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Insight summary

    Stakeholder satisfaction is critical to your success

    Choosing a solution for a single use case and then expanding it to cover other purposes can be a way to quickly gain approvals and then make effective use of dollars spent. However, this can also be a nightmare if the product is not fit for purpose and requires significant customization effort for future use cases. Identify use cases early, engage stakeholders to define success, and recognize where you need to find balance between a single off-the-shelf CRM platform and adjacent MarTech or sales enablement systems.

    Build a business case

    An effective business case isn’t a single-purpose document for obtaining funding. It can also be used to drive your approach to product selection, requirements gathering, and ultimately evaluating stakeholder and user satisfaction.

    Use your business case to define use cases and milestones as well as success.

    Balance process with technology

    A new solution with old processes will result in incremental increased value. Evaluate existing processes and identify opportunities to improve and remove workarounds. Then define requirements.

    You may find that the tools you have would be adequate with an upgrade and tool optimization. If not, this exercise will prepare you to select the right solution for your current and future needs.

    Drive toward early value

    Lead with the most important benefit and consider the timeline. Most stakeholders will lose interest if they don’t realize benefits within the fist year. Can you reach your goal and report success within that timeline?

    Identify secondary, incremental customer engagement improvements that can be made as you work toward the overall goal to be achieved at the one-year milestone.

    Related Info-Tech Research

    Stock image of an office worker. Build a Strong Technology Foundation for Customer Experience Management
    • Any CRM project needs to be guided by the broader strategy around customer engagement. This blueprint explores how to create a strong technology enablement approach for CXM using voice of the customer analysis.
    Stock image of a target with arrows. Improve Requirements Gathering
    • 70% of projects that fail do so because of poor requirements. If you need to double-click on best practices for eliciting, analyzing, and validating requirements as you build up your CRM picklist and RFP, this blueprint will equip you with the knowledge and tools you need to hit the ground running.
    Stock image of a pen on paper. Drive Successful Sourcing Outcomes with a Robust RFP Process
    • Managing a complex RFP process for an enterprise application like a CRM platform can be a challenging undertaking. This blueprint zooms into how to build, run, administer, and evaluate RFP responses effectively.

    Bibliography

    “Doomed From the Start? Why a Majority of Business and IT Teams Anticipate Their Software Development Projects Will Fail.” Geneca, 25 Jan. 2017. Web.

    Hall, Kerrie. “The State of CRM Data Management 2020.” Validity. 27 April 2020. Web.

    Hinchcliffe, Dion. “The Evolving Role of the CIO and CMO in Customer Experience.” ZDNet, 22 Jan. 2020. Web.

    Klie, L. “CRM Still Faces Challenges, Most Speakers Agree: CRM Systems Have Been Around for Decades, but Interoperability and Data Siloes Still Have to Be Overcome.” CRM Magazine, vol. 23, no. 5, 2019, pp. 13-14.

    Markman, Jon. "Netflix Knows What You Want... Before You Do." Forbes. 9 Jun. 2017. Web.

    Morgan, Blake. “50 Stats That Prove The Value Of Customer Experience.” Forbes, 24 Sept. 2019. Web.

    Taber, David. “What to Do When Your CRM Project Fails.” CIO Magazine, 18 Sept. 2017. Web.

    “The State of Project Management Annual Survey 2018.” Wellingtone, 2018. Web.

    “The History of Microsoft Dynamics.” Eswelt. 2021. Accessed 8 June 2022.

    “Unlock the Mysteries of Your Customer Relationships.” Harvard Business Review. 1 July 2014. Accessed 30 Mar. 2016.

    Gain Real Insights with a Social Analytics Program

    • Buy Link or Shortcode: {j2store}561|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Social media is wildly popular with consumers and as a result, many businesses are starting to develop a presence on social media services like Facebook and Twitter. However, many businesses still struggle with understanding how to leverage consumer insights from these services to drive business decisions. They’re intimidated by the sheer volume of social data, and aren’t sure what to do about it.
    • Companies that do have an analytics program are often operating it on an ad-hoc basis rather than making an effort to integrate social insights with existing sourcing of consumer data. In doing this, they’re failing to make holistic decisions and missing out on valuable consumer and competitive insights.

    Our Advice

    Critical Insight

    • Social analytics are indispensable in gaining real-time insights across marketing, sales, and customer service. SMBs can use social analytics to gain valuable consumer insights at a significantly lower expense than traditional forms of market research.
    • The greatest value from social analytics comes when organizations marry social data sources with other forms of customer information, such as point-of-sale data, customer surveys, focus groups, and psychographic profiles.
    • Social analytics must be integrated with your broader BI program for maximum effect. Consider creating a Customer Insights Center of Excellence (CICOE) to serve as a one-stop shop for both traditional and social customer analytics.
    • IT has an invaluable role to play in helping to govern and manage the analytics program. A best-of-breed Social Media Management Platform is the key enabling technology for conducting analytics, and IT must assist with selection, implementation and operation of this solution.
    • Internal social analytics is an emerging field that allows you to gauge the sentiment of your employees, while turbocharging ideation and feedback processes. Social networking analysis is particularly valuable for internal analysis.

    Impact and Result

    • Understand the value of a social analytics program and the various departmental use cases – how social analytics improves decision making and boosts critical KPIs like revenue attainment and customer satisfaction.
    • Determine the different social metrics (such as sentiment and frequency analysis) your business should be tracking and how to turn metrics into deep consumer insights.
    • Follow a step-by-step guide for successfully executing a social analytics program across your organization.
    • Roll out an internal analytics program to gauge the sentiment of your employees, improve engagement, and understand informal influencer networks.

    Gain Real Insights with a Social Analytics Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine the organization’s use cases

    Decide which functional areas in the organization will benefit the most from using social data, and create use cases accordingly.

    • Storyboard: Gain Real Insights with a Social Analytics Program

    2. Define and interpret metrics

    Identify and evaluate key social analytics metrics and understand the importance of combining multiple metrics to get the most out of the analytics program.

    • Social Analytics Maturity Assessment

    3. Execute the social analytics program

    Leverage a cross-departmental Social Media Steering Committee and evaluate SMMPs and other social analytics tools.

    • Social Analytics Specialist
    • Social Analytics Business Plan

    4. Leverage internal social analytics

    Identify specific uses of internal social analytics: crowd-sourcing ideation, harvesting employee feedback, and rewarding internal brand advocates.

    [infographic]

    Implement Hardware Asset Management

    • Buy Link or Shortcode: {j2store}312|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $29,447 Average $ Saved
    • member rating average days saved: 25 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Executives are often aware of the benefits asset management offers, but many organizations lack a defined program to manage their hardware.
    • Efforts to implement hardware asset management (HAM) are stalled because organizations feel overwhelmed navigating the process or under use the data, failing to deliver value.

    Our Advice

    Critical Insight

    • Organizations often implement an asset management program as a one-off project and let it stagnate.
    • Organizations often fail to dedicate adequate resources to the HAM process, leading to unfinished processes and inconsistent standards.
    • Hardware asset management programs yield a large amount of useful data. Unfortunately, this data is often underutilized. Departments within IT become data siloes, preventing effective use of the data.

    Impact and Result

    • As the IT environment continues to change, it is important to establish consistency in the standards around IT asset management.
    • A current state assessment of your HAM program will shed light on the steps needed to safeguard your processes.
    • Define the assets that will need to be managed to inform the scope of the ITAM program before defining processes.
    • Build and involve an ITAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Implement Hardware Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should Implement Hardware Asset Management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay foundations

    Build the foundations for the program to succeed.

    • Implement Hardware Asset Management – Phase 1: Lay Foundations
    • HAM Standard Operating Procedures
    • HAM Maturity Assessment Tool
    • IT Asset Manager
    • IT Asset Administrator

    2. Procure & receive

    Define processes for requesting, procuring, receiving, and deploying hardware.

    • Implement Hardware Asset Management – Phase 2: Procure and Receive
    • HAM Process Workflows (Visio)
    • HAM Process Workflows (PDF)
    • Non-Standard Hardware Request Form
    • Purchasing Policy

    3. Maintain & dispose

    Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.

    • Implement Hardware Asset Management – Phase 3: Maintain and Dispose
    • Asset Security Policy
    • Hardware Asset Disposition Policy

    4. Plan implementation

    Plan the hardware budget, then build a communication plan and roadmap to implement the project.

    • Implement Hardware Asset Management – Phase 4: Plan Implementation 
    • HAM Budgeting Tool
    • HAM Communication Plan
    • HAM Implementation Roadmap
    [infographic]

    Workshop: Implement Hardware Asset Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Foundations

    The Purpose

    Build the foundations for the program to succeed.

    Key Benefits Achieved

    Evaluation of current challenges and maturity level

    Defined scope for HAM program

    Defined roles and responsibilities

    Identified metrics and reporting requirements

    Activities

    1.1 Outline hardware asset management challenges.

    1.2 Conduct HAM maturity assessment.

    1.3 Classify hardware assets to define scope of the program.

    1.4 Define responsibilities.

    1.5 Use a RACI chart to determine roles.

    1.6 Identify HAM metrics and reporting requirements.

    Outputs

    HAM Maturity Assessment

    Classified hardware assets

    Job description templates

    RACI Chart

    2 Procure & Receive

    The Purpose

    Define processes for requesting, procuring, receiving, and deploying hardware.

    Key Benefits Achieved

    Defined standard and non-standard requests for hardware

    Documented procurement, receiving, and deployment processes

    Standardized asset tagging method

    Activities

    2.1 Identify IT asset procurement challenges.

    2.2 Define standard hardware requests.

    2.3 Document standard hardware request procedure.

    2.4 Build a non-standard hardware request form.

    2.5 Make lease vs. buy decisions for hardware assets.

    2.6 Document procurement workflow.

    2.7 Select appropriate asset tagging method.

    2.8 Design workflow for receiving and inventorying equipment.

    2.9 Document the deployment workflow(s).

    Outputs

    Non-standard hardware request form

    Procurement workflow

    Receiving and tagging workflow

    Deployment workflow

    3 Maintain & Dispose

    The Purpose

    Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.

    Key Benefits Achieved

    Policies and processes for hardware maintenance and asset security

    Documented workflows for hardware disposal and recovery/redeployment

    Activities

    3.1 Build a MAC policy, request form, and workflow.

    3.2 Design process and policies for hardware maintenance, warranty, and support documentation handling.

    3.3 Revise or create an asset security policy.

    3.4 Identify challenges with IT asset recovery and disposal and design hardware asset recovery and disposal workflows.

    Outputs

    User move workflow

    Asset security policy

    Asset disposition policy, recovery and disposal workflows

    4 Plan Implementation

    The Purpose

    Select tools, plan the hardware budget, then build a communication plan and roadmap to implement the project.

    Key Benefits Achieved

    Shortlist of ITAM tools

    Hardware asset budget plan

    Communication plan and HAM implementation roadmap

    Activities

    4.1 Generate a shortlist of ITAM tools that will meet requirements.

    4.2 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget.

    4.3 Build HAM policies.

    4.4 Develop a communication plan.

    4.5 Develop a HAM implementation roadmap.

    Outputs

    HAM budget

    Additional HAM policies

    HAM communication plan

    HAM roadmap tool

    Further reading

    Implement Hardware Asset Management

    Build IT services value on the foundation of a proactive asset management program.

    ANALYST PERSPECTIVE

    IT asset data impacts the entire organization. It’s time to harness that potential.

    "Asset management is like exercise: everyone is aware of the benefits, but many struggle to get started because the process seems daunting. Others fail to recognize the integrative potential that asset management offers once an effective program has been implemented.

    A proper hardware asset management (HAM) program will allow your organization to cut spending, eliminate wasteful hardware, and improve your organizational security. More data will lead to better business decision-making across the organization.

    As your program matures and your data gathering and utility improves, other areas of your organization will experience similar improvements. The true value of asset management comes from improved IT services built upon the foundation of a proactive asset management program." - Sandi Conrad, Practice Lead, Infrastructure & Operations Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • Asset Managers and Service Delivery Managers tasked with developing an asset management program who need a quick start.
    • CIOs and CFOs who want to reduce or improve budgeting of hardware lifecycle costs.
    • Information Security Officers who need to mitigate the risk of sensitive data loss due to insecure assets.

    This Research Will Help You:

    • Develop a hardware asset management (HAM) standard operating procedure (SOP) that documents:
      • Process roles and responsibilities.
      • Data classification scheme.
      • Procurement standards, processes, and workflows for hardware assets.
      • Hardware deployment policies, processes, and workflows.
      • Processes and workflows for hardware asset security and disposal.
    • Identify requirements for an IT asset management (ITAM) solution to help generate a shortlist.
    • Develop a hardware asset management implementation roadmap.
    • Draft a communication plan for the initiative.

    Executive summary

    Situation

    • Executives are aware of the numerous benefits asset management offers, but many organizations lack a defined ITAM program and especially a HAM program.
    • Efforts to implement HAM are stalled because organizations cannot establish and maintain defined processes and policies.

    Complication

    • Organizations often implement an asset management program as a one- off project and let it stagnate, but asset management needs to be a dynamic, continually involving process to succeed.
    • Organizations often fail to dedicate adequate resources to the HAM process, leading to unfinished processes and inconsistent standards.
    • Hardware asset management programs yield a large amount of useful data. Unfortunately, this data is often underused. Departments within IT become data siloes, preventing effective use of the data.

    Resolution

    • As the IT environment continues to change, it is important to establish consistency in the standards around IT asset management.
    • A current state assessment of your HAM program will shed light on the steps needed to safeguard your processes.
    • Define the assets that will need to be managed to inform the scope of the ITAM program before defining processes.
    • Build and involve an ITAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.
    • Pace yourself; a staged implementation will make your ITAM program a success.

    Info-Tech Insight

    1. HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.
    2. ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.
    3. Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.

    Implement HAM to reduce and manage costs, gain efficiencies, and ensure regulatory compliance

    Save & Manage Money

    • Companies with effective HAM practices achieve cost savings through redeployment, reduction of lost or stolen equipment, power management, and on-time lease returns.
    • The right HAM system will enable more accurate planning and budgeting by business units.

    Improve Contract Management

    • Real-time asset tracking to vendor terms and conditions allows for more effective negotiation.

    Inform Technology Refresh

    • HAM provides accurate information on hardware capacity and compatibility to inform upgrade and capacity planning

    Gain Service Efficiencies

    • Integrating the hardware lifecycle with the service desk will enable efficiencies through Install/Moves/Adds/Changes (IMAC) processes, for larger organizations.

    Meet Regulatory Requirements

    • You can’t secure organizational assets if you don’t know where they are! Meet governance and privacy laws by knowing asset location and that data is secure.

    Prevent Risk

    • Ensure data is properly destroyed through disposal processes, track lost and stolen hardware, and monitor hardware to quickly identify and isolate vulnerabilities.

    HAM is more than just inventory; 92% of organizations say that it helps them provide better customer support

    Hardware asset management (HAM) provides a framework for managing equipment throughout its entire lifecycle. HAM is more than just keeping an inventory; it focuses on knowing where the product is, what costs are associated with it, and how to ensure auditable disposition according to best options and local environmental laws.

    Implementing a HAM practice enables integration of data and enhancement of many other IT services such as financial reporting, service management, green IT, and data and asset security.

    Cost savings and efficiency gains will vary based on the organization’s starting state and what measures are implemented, but most organizations who implement HAM benefit from it. As organizations increase in size, they will find the greatest gains operationally by becoming more efficient at handling assets and identifying costs associated with them.

    A 2015 survey by HDI of 342 technical support professionals found that 92% say that HAM has helped their teams provide better support to customers on hardware-related issues. Seventy-seven percent have improved customer satisfaction through managing hardware assets. (HDI, 2015)

    HAM delivers cost savings beyond only the procurementstage

    HAM cost savings aren’t necessarily realized through the procurement process or reduced purchase price of assets, but rather through the cost of managing the assets.

    HAM delivers cost savings in several ways:

    • Use a discovery tool to identify assets that may be retired, redeployed, or reused to cut or reallocate their costs.
    • Enforce power management policies to reduce energy consumption as well as costs associated with wasted energy.
    • Enforce policies to lock down unauthorized devices and ensure that confidential information isn’t lost (and you don’t have to waste money recovering lost data).
    • Know the location of all your assets and which are connected to the network to ensure patches are up to date and avoid costly security risks and unplanned downtime.
    • Scan assets to identify and remediate vulnerabilities that can cause expensive security attacks.
    • Improve vendor and contract management to identify areas of hardware savings.

    The ROI for HAM is significant and measurable

    Benefit Calculation Sample Annual Savings

    Reduced help desk support

    • The length of support calls should be reduced by making it easier for technicians to identify PC configuration.
    # of hardware-related support tickets per year * cost per ticket * % reduction in average call length 2,000 * $40 * 20% = $16,000

    Greater inventory efficiency

    • An ITAM solution can automate and accelerate inventory preparation and tasks.
    Hours required to complete inventory * staff required * hourly pay rate for staff * number of times a year inventory required 8 hours * 5 staff * $33 per hour * 2 times a year = $2,640

    Improved employee productivity

    • Organizations can monitor and detect unapproved programs that result in lost productivity.
    # of employees * percentage of employees who encounter productivity loss through unauthorized software * number of hours per year spent using unauthorized software * average hourly pay rate 500 employees * 10% * 156 hours * $18 = $140,400

    Improved security

    • Improved asset tracking and stronger policy enforcement will reduce lost and stolen devices and data.
    # of devices lost or stolen last year * average replacement value of device + # of devices stolen * value of data lost from device (50 * $1,000) + (50 * $5,000) = $300,000
    Total Savings: $459,040
    1. Weigh the return against the annual cost of investing in an ITAM solution to calculate the ROI.
    2. Don’t forget about the intangible benefits that are more difficult to quantify but still significant, such as increased visibility into hardware, more accurate IT planning and budgeting, improved service delivery, and streamlined operations.

    Avoid these common barriers to ITAM success

    Organizations that struggle to implement ITAM successfully usually fall victim to these barriers:

    Organizational resistance to change

    Senior-level sponsorship, engagement, and communication is necessary to achieve the desired outcomes of ITAM; without it, ITAM implementations stall and fail or lack the necessary resources to deliver the value.

    Lack of dedicated resources

    ITAM often becomes an added responsibility for resources who already have other full-time responsibilities, which can quickly cause the program to lose focus. Increase the chance of success through dedicated resources.

    Focus on tool over process

    Many organizations buy a tool thinking it will do most of the work for them, but without supporting processes to define ITAM, the data within the tool can become unreliable.

    Choosing a tool or process that doesn’t scale

    Some organizations are able to track assets through manual discovery, but as their network and user base grows, this quickly becomes impossible. Choose a tool and build processes that will support the organization as it grows.

    Using data only to respond to an audit without understanding root causes

    Often, organizations implement ITAM only to the extent necessary to achieve compliance for audits, but without investigating the underlying causes of non-compliance and thus not solving the real problems.

    To help you make quick progress, Info-Tech Research Group parses hardware asset management into essential processes

    Focus on hardware asset lifecycle management essentials:

    IT Asset Procurement:

    • Define procurement standards for new hardware along with related warranties and support options.
    • Develop processes and workflows for purchasing and work out financial implications to inform budgeting later.

    IT Asset Intake and Deployment:

    • Define policies, processes, and workflows for hardware and receiving, inventory, and tracking practices.
    • Develop processes and workflows for managing imaging, change and moves, and large-scale rollouts.

    IT Asset Security and Maintenance:

    • Develop processes, policies, and workflows for asset tracking and security.
    • Maintain contracts and agreements.

    IT Asset Disposal or Recovery:

    • Manage the employee termination and equipment recovery cycle.
    • Securely wipe and dispose of assets that have reached retirement stage.

    The image is a circular graphic, with Implement HAM written in the middle. Around the centre circle are four phrases: Recover or Dispose; Plan & Procure; Receive & Deploy; Secure & Maintain. Around that circle are six words: Retire; Plan; Request; Procure; Receive; Manage.

    Follow Info-Tech’s methodology to build a plan to implement hardware asset management

    Phase 1: Assess & Plan Phase 2: Procure & Receive Phase 3: Maintain & Dispose Phase 4: Plan Budget & Build Roadmap
    1.1 Assess current state & plan scope 2.1 Request & procure 3.1 Manage & maintain 4.1 Plan budget
    1.2 Build team & define metrics 2.2 Receive & deploy 3.2 Redeploy or dispose 4.2 Communicate & build roadmap
    Deliverables
    Standard Operating Procedure (SOP)
    HAM Maturity Assessment Procurement workflow User move workflow HAM Budgeting Tool
    Classified hardware assets Non-standard hardware request form Asset security policy HAM Communication Plan
    RACI Chart Receiving & tagging workflow Asset disposition policy HAM Roadmap Tool
    Job Descriptions Deployment workflow Asset recovery & disposal workflows Additional HAM policies

    Asset management is a key piece of Info-Tech's COBIT- inspired IT Management and Governance Framework

    The image shows a graphic which is a large grid, showing Info-Tech's research, sorted into categories.

    Cisco IT reduced costs by upwards of $50 million through implementing ITAM

    CASE STUDY

    Industry IT

    Source Cisco Systems, Inc.

    Cisco Systems, Inc.

    Cisco Systems, Inc. is the largest networking company in the world. Headquartered in San Jose, California, the company employees over 70,000 people.

    Asset Management

    As is typical with technology companies, Cisco boasted a proactive work environment that encouraged individualism amongst employees. Unfortunately, this high degree of freedom combined with the rapid mobilization of PCs and other devices created numerous headaches for asset tracking. At its peak, spending on hardware alone exceeded $100 million per year.

    Results

    Through a comprehensive ITAM implementation, the new asset management program at Cisco has been a resounding success. While employees did have to adjust to new rules, the process as a whole has been streamlined and user-satisfaction levels have risen. Centralized purchasing and a smaller number of hardware platforms have allowed Cisco to cut its hardware spend in half, according to Mark Edmondson, manager of IT services expenses for Cisco Finance.

    This case study continues in phase 1

    The image shows four bars, from bottom to top: 1. Asset Gathering; 2. Asset Distribution; 3. Asset Protection; 4. Asset Data. On the right, there is an arrow pointing upwards labelled ITAM Program Maturity.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    HAM Standard Operating Procedures (SOP)

    HAM Maturity Assessment

    Non-Standard Hardware Request Form

    HAM Visio Process Workflows

    HAM Policy Templates

    HAM Budgeting Tool

    HAM Communication Plan

    HAM Implementation Roadmap Tool

    Measured value for Guided Implementations (GIs)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value
    Phase 1: Lay Foundations
    • Time, value, and resources saved by using Info-Tech’s tools and templates to assess current state and maturity, plan scope of HAM program, and define roles and metrics.
    • For example, 2 FTEs * 14 days * $80,000/year = $8,615
    Phase 2: Procure & Receive
    • Time, value, and resources saved by using Info-Tech’s tools and templates to build processes for hardware request, procurement, receiving, and deployment.
    • For example, 2 FTEs * 14 days * $80,000/year = $8,615
    Phase 3: Maintain & Dispose
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to build processes and policies for managing and maintaining hardware and disposing or redeploying of equipment.
    • For example, 2 FTE * 14 days * $80,000/year = $8,615
    Phase 4: Plan Implementation
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to select tools, plan the hardware budget, and build a roadmap.
    • For example, 2 FTE * 14 days * $80,000/year = $8,615
    Total savings $25,845

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation overview

    1. Lay Foundations 2. Procure & Receive 3. Maintain & Dispose 4. Budget & Implementation
    Best-Practice Toolkit

    1.1 Assess current state & plan scope

    1.2 Build team & define metrics

    2.1 Request & procure

    2.2 Receive & deploy

    3.1 Manage & maintain

    3.2 Redeploy or dispose

    4.1 Plan budget

    4.2 Communicate & build roadmap

    Guided Implementation
    • Assess current state.
    • Define scope of HAM program.
    • Define roles and metrics.
    • Define standard and non-standard hardware.
    • Build procurement process.
    • Determine asset tagging method and build equipment receiving and deployment processing.
    • Define processes for managing and maintaining equipment.
    • Define policies for maintaining asset security.
    • Build process for redeploying or disposing of assets.
    • Discuss best practices for effectively managing a hardware budget.
    • Build communications plan and roadmap.
    Results & Outcomes
    • Evaluation of current maturity level of HAM
    • Defined scope for the HAM program including list of hardware to track as assets
    • Defined roles and responsibilities
    • Defined and documented KPIs and metrics to meet HAM reporting requirements
    • Defined standard and non- standard requests and processes
    • Defined and documented procurement workflow and purchasing policy
    • Asset tagging method and process
    • Documented equipment receiving and deployment processes
    • MAC policies and workflows
    • Policies and processes for hardware maintenance and asset security
    • Documented workflows for hardware disposal and recovery/redeployment
    • Shortlist of ITAM tools
    • Hardware asset budget plan
    • Communication plan and HAM implementation roadmap

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.comfor more information.

    Phases: Teams, Scope & Hardware Procurement Hardware Procurement and Receiving Hardware Maintenance & Disposal Budgets, Roadmap & Communications
    Duration* 1 day 1 day 1 day 1 day
    * Activities across phases may overlap to ensure a timely completion of the engagement
    Projected Activities
    • Outline hardware asset management goals
    • Review HAM maturity and anticipated milestones
    • Define scope and classify hardware assets
    • Define roles and responsibilities
    • Define metrics and reporting requirements
    • Define standard and non-standard hardware requests
    • Review and document procurement workflow
    • Discuss appropriate asset tagging method
    • Design and document workflow for receiving and inventorying equipment
    • Review/create policy for hardware procurement and receiving
    • Identify data sources and methodology for inventory and data collection
    • Define install/moves/adds/changes (MAC) policy
    • Build workflows to document user MAC processes and design request form
    • Design process and policies for hardware maintenance, warranty, and support documentation handling
    • Design hardware asset recovery and disposal workflows
    • Define budgeting process and review Info-Tech’s HAM Budgeting Tool
    • Develop a communication plan
    • Develop a HAM implementation plan
    Projected Deliverables
    • Standard operating procedures for hardware
    • Visio diagrams for all workflows
    • Workshop summary with milestones and task list
    • Budget template
    • Policy draft

    Phase 1

    Lay Foundations

    Implement Hardware Asset Management

    A centralized procurement process helped cut Cisco’s hardware spend in half

    CASE STUDY

    Industry IT

    Source Cisco Systems, Inc.

    Challenge

    Cisco Systems’ hardware spend was out of control. Peaking at $100 million per year, the technology giant needed to standardize procurement processes in its highly individualized work environment.

    Users had a variety of demands related to hardware and network availability. As a result, data was spread out amongst multiple databases and was managed by different teams.

    Solution

    The IT team at Cisco set out to solve their hardware-spend problem using a phased project approach.

    The first major step was to identify and use the data available within various departments and databases. The heavily siloed nature of these databases was a major roadblock for the asset management program.

    This information had to be centralized, then consolidated and correlated into a meaningful format.

    Results

    The centralized tracking system allowed a single point of contact (POC) for the entire lifecycle of a PC. This also created a centralized source of information about all the PC assets at the company.

    This reduced the number of PCs that were unaccounted for, reducing the chance that Cisco IT would overspend based on its hardware needs.

    There were still a few limitations to address following the first step in the project, which will be described in more detail further on in this blueprint.

    This case study continues in phase 2

    Step 1.1: Assess current state and plan scope

    Phase 1: Assess & Plan

    1.1 Assess current state & plan scope

    1.2 Build team & define metrics

    This step will walk you through the following activities:

    1.1.1 Complete MGD (optional)

    1.1.2 Outline hardware asset management challenges

    1.1.3 Conduct HAM maturity assessment

    1.1.4 Classify hardware assets to define scope of the program

    This step involves the following participants:

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security (optional)
    • Operations (optional)

    Step Outcomes

    • Understand key challenges related to hardware asset management within your organization to inform program development.
    • Evaluate current maturity level of hardware asset management components and overall program to determine starting point.
    • Define scope for the ITAM program including list of hardware to track as assets.

    Complete the Management & Governance Diagnostic (MGD) to weigh the effectiveness of ITAM against other services

    1.1.1 Optional Diagnostic

    The MGD helps you get the data you need to confirm the importance of improving the effectiveness of your asset management program.

    The MGD allows you to understand the landscape of all IT processes, including asset management. Evaluate all team members’ perceptions of each process’ importance and effectiveness.

    Use the results to understand the urgency to change asset management and its relevant impact on the organization.

    Establish process owners and hold team members accountable for process improvement initiatives to ensure successful implementation and realize the benefits from more effective processes.

    To book a diagnostic, or get a copy of our questions to inform your own survey, visit Info-Tech’s Benchmarking Tools, contact your account manager, or call toll-free 1-888-670-8889 (US) or 1-844-618-3192 (CAN).

    Sketch out challenges related to hardware asset management to shape the direction of the project

    Common HAM Challenges

    Processes and Policies:

    • Existing asset management practices are labor intensive and time consuming
    • Manual spreadsheets are used, making collaboration and automation difficult
    • Lack of HAM policies and standard operating procedures
    • Asset management data is not centralized
    • Lack of clarity on roles and responsibilities for ITAM functions
    • End users don’t understand the value of asset management

    Tracking:

    • Assets move across multiple locations and are difficult to track
    • Hardware asset data comes from multiple sources, creating fragmented datasets
    • No location data is available for hardware
    • No data on ownership of assets

    Security and Risk:

    • No insight into which assets contain sensitive data
    • There is no information on risks by asset type
    • Rogue systems need to be identified as part of risk management best practices
    • No data exists for assets that contain critical/sensitive data

    Procurement:

    • No centralized procurement department
    • Multiple quotes from vendors are not currently part of the procurement process
    • A lack of formal process can create issues surrounding employee onboarding such as long lead times
    • Not all procurement standards are currently defined
    • Rogue purchases create financial risk

    Receiving:

    • No formal process exists, resulting in no assigned receiving location and no assigned receiving role
    • No automatic asset tracking system exists

    Disposal:

    • No insight into where disposed assets go
    • Formal refresh and disposal system is needed

    Contracts:

    • No central repository exists for contracts
    • No insight into contract lifecycle, hindering negotiation effectiveness and pricing optimization

    Outline hardware asset management challenges

    1.1.1 Brainstorm HAM challenges

    Participants

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security
    • Operations (optional)

    A. As a group, outline the hardware asset management challenges facing the organization.

    Use the previous slide to help you get started. You can use the following headings as a guide or think of your own:

    • Processes and Policies
    • Tracking
    • Procurement
    • Receiving
    • Security and Risk
    • Disposal
    • Contracts

    B. If you get stuck, use the Hardware Asset Management Maturity Assessment Tool to get a quick view of your challenges and maturity targets and kick-start the conversation.

    To be effective with hardware asset management, understand the drivers and potential impact to the organization

    Drivers of effective HAM Results of effective HAM
    Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. Improved access to accurate data on contracts, licensing, warranties, installed hardware and software for new contracts, renewals, and audit requests.
    Increased need to meet compliance requires a formal approach to tracking and managing assets, regardless of device type. Encryption, hardware tracking and discovery, software application controls, and change notifications all contribute to better asset controls and data security.
    Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. Reduction of hardware spend by as much as 5% of the total budget through data for better forecasting and planning.
    Assets with sensitive data are not properly secured, go missing, or are not safely disposed of when retired. Document and enforce security policies for end users and IT staff to ensure sensitive data is properly secured, preventing costs much larger than the cost of only the device.

    Each level of HAM maturity comes with its own unique challenges

    Maturity People & Policies Processes Technology
    Chaos
    • No dedicated staff
    • No policies published
    • Procedures not documented or standardized
    • Hardware not safely secured or tagged
    • Hardware purchasing decisions not based on data
    • Minimal tracking tools in place
    Reactive
    • Semi-focused HAM manager
    • No policies published
    • Reliance on suppliers to provide reports for hardware purchases
    • Hardware standards are enforced
    • Discovery tools and spreadsheets used to manage hardware
    Controlled
    • Full-time HAM manager
    • End-user policies published
    • HAM manager involved in budgeting and planning sessions
    • Inventory tracking is in place
    • Hardware is secured and tagged
    • Discovery and inventory tools used to manage hardware
    • Compliance reports run as needed
    Proactive
    • Extended HAM team, including Help Desk, HR, Purchasing
    • Corporate hardware use policies in place and enforced
    • HAM process integrated with help desk and HR processes
    • More complex reporting and integrated financial information and contracts with asset data
    • Hardware requests are automated where possible
    • Product usage reports and alerts in place to harvest and reuse licenses
    • Compliance and usage reports used to negotiate software contracts
    Optimized
    • HAM manager trained and certified
    • Working with HR, Legal, Finance, and IT to enforce policies
    • Quarterly meetings with ITAM team to review policies, procedures, upcoming contracts, and rollouts; data is reviewed before any financial decisions made
    • Full transparency into hardware lifecycle
    • Aligned with business objectives
    • Detailed savings reports provided to executive team annually
    • Automated policy enforcement and process workflows

    Conduct a hardware maturity assessment to understand your starting point and challenges

    1.1.3 Complete HAM Maturity Assessment Tool

    Complete the Hardware Asset Management Maturity Assessment Tool to understand your organization’s overall maturity level in HAM, as well as the starting maturity level aligned with each step of the blueprint, in order to identify areas of strength and weakness to plan the project. Use this to track progress on the project.

    An effective asset management project has four essential components, with varying levels of management required

    The hardware present in your organization can be classified into four categories of ascending strategic complexity: commodity, inventory, asset, and configuration.

    Commodity items are devices that are low-cost, low-risk items, where tracking is difficult and of low value.

    Inventory is tracked primarily to identify location and original expense, which may be depreciated by Finance. Typically there will not be data on these devices and they’ll be replaced as they lose functionality.

    Assets will need the full lifecycle managed. They are identified by cost and risk. Often there is data on these devices and they are typically replaced proactively before they become unstable.

    Configuration items will generally be tracked in a configuration management database (CMDB) for the purpose of enabling the support teams to make decisions involving dependencies, configurations, and impact analysis. Some data will be duplicated between systems, but should be synchronized to improve accuracy between systems.

    See Harness Configuration Management Superpowers to learn more about building a CMDB.

    Classify your hardware assets to determine the scope and strategy of the program

    Asset: A unique device or configuration of devices that enables a user to perform productive work tasks and has a defined location and ownership attributes.

    • Hardware asset management involves tracking and managing physical components from procurement through to retirement. It provides the base for software asset management and is an important process that can lead to improved lifecycle management, service request fulfillment, security, and cost savings through harvesting and redeployment.
    • When choosing your strategy, focus on those devices that are high cost and high risk/function such as desktops, laptops, servers, and mobile devices.

    ASSET - Items of high importance and may contain data, such as PCs, mobile devices, and servers.

    INVENTORY - Items that require significant financial investment but no tracking beyond its existence, such as a projector.

    COMMODITY - Items that are often in use but are of relatively low cost, such as keyboards or mice.

    Classify your hardware assets to define the scope of the program

    1.1.4 Define the assets to be tracked within your organization

    Participants

    • Participants
    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security (optional)
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 1 – Overview & Scope

    1. Determine value/risk threshold at which items should be tracked (e.g. over $1,000 and holding data).
    2. Divide a whiteboard or flip chart into three columns: commodity, asset, and inventory.
    3. Divide participants into groups by functional role to brainstorm devices in use within the organization. Write them down on sticky notes.
    4. Place the sticky notes in the column that best describes the role of the product in your organization.

    Align the scope of the program with business requirements

    CASE STUDY

    Industry Public Administration

    Source Client Case Study

    Situation

    A state government designed a process to track hardware worth more than $1,000. Initially, most assets consisted of end-user computing devices.

    The manual tracking process, which relied on a series of Excel documents, worked well enough to track the lifecycle of desktop and laptop assets.

    However, two changes upended the organization’s program: the cost of end-user computing devices dropped dramatically and the demand for network services led to the proliferation of expensive equipment all over the state.

    Complication

    The existing program was no longer robust enough to meet business requirements. Networking equipment was not only more expensive than end-user computing devices, but also more critical to IT services.

    What was needed was a streamlined process for procuring high-cost, high-utility equipment, tracking their location, and managing their lifecycle costs without compromising services.

    Resolution

    The organization decided to formalize, document, and automate hardware asset management processes to meet the new challenges and focus efforts on high-cost, high-utility end-user computing devices only.

    Step 1.2: Build team and define metrics

    Phase 1: Assess & Plan

    1.1 Assess current state & plan scope

    1.2 Build team and define metrics

    This step will walk you through the following activities:

    1.2.1 Define responsibilities for Asset Manager and Asset Administrator

    1.2.2 Use a RACI chart to determine roles within HAM team

    1.2.3 Further clarify HAM responsibilities for each role

    1.2.4 Identify HAM reporting requirements

    This step involves the following participants:

    • CIO/CFO
    • IT Director
    • IT Managers
    • Asset Manager
    • Asset Coordinators
    • ITAM Team
    • Service Desk
    • End-User Device Support Team

    Step Outcomes:

    • Defined responsibilities for Asset Manager and Asset Administrator
    • Documented RACI chart assigning responsibility and accountability for core HAM processes
    • Documented responsibilities for ITAM/HAM team
    • Defined and documented KPIs and metrics to meet HAM reporting requirements

    Form an asset management team to lead the project

    Asset management is an organizational change. To gain buy-in for the new processes and workflows that will be put in place, a dedicated, passionate team needs to jump-start the project.

    Delegate the following roles to team members and grow your team accordingly.

    Asset Manager

    • Responsible for setting policy and governance of process and data accuracy
    • Support budget process
    • Support asset tracking processes in the field
    • Train employees in asset tracking processes

    Asset Administrator

    • The front-lines of asset management
    • Communicates with and supports asset process implementation teams
    • Updates and contributes information to asset databases
    Service Desk, IT Operations, Applications
    • Responsible for advising asset team of changes to the IT environment, which may impact pricing or ability to locate devices
    • Works with Asset Coordinator/Manager to set standards for lifecycle stages
    • The ITAM team should visit and consult with each component of the business as well as IT.
    • Engage with leaders in each department to determine what their pain points are.
    • The needs of each department are different and their responses will assist the ITAM team when designing goals for asset management.
    • Consultations within each department also communicates the change early, which will help with the transition to the new ITAM program.

    Info-Tech Insight

    Ensure that there is diversity within the ITAM team. Assets for many organizations are diverse and the composition of your team should reflect that. Have multiple departments and experience levels represented to ensure a balanced view of the current situation.

    Define the responsibilities for core ITAM/HAM roles of Asset Manager and Asset Administrator

    1.2.1 Use Info-Tech’s job description templates to define roles

    The role of the IT Asset Manager is to oversee the daily and long-term strategic management of software and technology- related hardware within the organization. This includes:

    • Planning, monitoring, and recording software licenses and/or hardware assets to ensure compliance with vendor contracts.
    • Forming procurement strategies to optimize technology spend across the organization.
    • Developing and implementing procedures for tracking company assets to oversee quality control throughout their lifecycles.

    The role of the IT Asset Administrator is to actively manage hardware and software assets within the organization. This includes:

    • Updating and maintaining accurate asset records.
    • Planning, monitoring, and recording software licenses and/or hardware assets to ensure compliance with vendor contracts.
    • Administrative duties within procurement and inventory management.
    • Maintaining records and databases regarding warranties, service agreements, and lifecycle management.
    • Product standardization and tracking.

    Use Info-Tech’s job description templates to assist in defining the responsibilities for these roles.

    Organize your HAM team based on where they fit within the strategic, tactical, and operational components

    Typically the asset manager will answer to either the CFO or CIO. Occasionally they answer to a vendor manager executive. The hierarchy may vary based on experience and how strategic a role the asset manager will play.

    The image shows a flowchart for organizing the HAM team, structured by three components: Strategic (at the top); Tactical (in the middle); and Operational (at the bottom). The chart shows how the job roles flow together within the hierarchy.

    Determine the roles and responsibilities of the team who will support your HAM program

    1.2.2 Complete a RACI

    A RACI chart will identify who should be responsible, accountable, consulted, and informed for each key activity during the consolidation.

    Participants

    • Project Sponsor
    • IT Director, CIO
    • Project Manager
    • IT Managers and Asset Manager(s)
    • ITAM Team

    Document

    Document in the Standard Operating Procedure.

    Instructions:

    1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key initiative steps for the consolidation project along the left side (use this list as a starting point).
    2. For each initiative, identify each team member’s role. Are they:
      • Responsible? The one responsible for getting the job done.
      • Accountable? Only one person can be accountable for each task.
      • Consulted? Involved through input of knowledge and information.
      • Informed? Receive information about process execution and quality.
    3. As you proceed through the initiative, continue to add tasks and assign responsibility to this RACI chart.

    A sample RACI chart is provided on the next slide

    Start with a RACI chart to determine the responsibilities

    1.2.2 Complete a RACI chart for your organization

    HAM Tasks CIO CFO HAM Manager HAM Administrator Service Desk (T1,T2, T3) IT Operations Security Procurement HR Business Unit Leaders Compliance /Legal Project Manager
    Policies and governance A I R I I C I C C I I
    Strategy A R R R R
    Data entry and quality management C I A I C C I I C C
    Risk management and asset security A R C C R C C
    Process compliance auditing A R I I I I I
    Awareness, education, and training I A I I C
    Printer contracts C A C C C R C C
    Hardware contract management A I R R I I R R I I
    Workflow review and revisions I A C C C C
    Budgeting A R C I C
    Asset acquisition A R C C C C I C C
    Asset receiving (inspection/acceptance) I A R R I
    Asset deployment A R R I I
    Asset recovery/harvesting A R R I I
    Asset disposal C A R R I I
    Asset inventory (input/validate/maintain) I I A/R R R R I I I

    Further clarify HAM responsibilities for each role

    1.2.3 Define roles and responsibilities for the HAM team

    Participants

    • Participants IT Asset Managers and Coordinators
    • ITAM Team
    • IT Managers and IT Director

    Document

    1. Discuss and finalize positions to be established within the ITAM/HAM office as well as additional roles that will be involved in HAM.
    2. Review the sample responsibilities below and revise or create responsibilities for each key position within the HAM team.
    3. Document in the HAM Standard Operating Procedures.
    Role Responsibility
    IT Manager
    • Responsible for writing policies regarding asset management and approving final documents
    • Build and revise budget, tracking actual spend vs. budget, seeking final approvals from the business
    • Process definition, communication, reporting and ensuring people are following process
    • Awareness campaign for new policy and process
    Asset Managers
    • Approval of purchases up to $10,000
    • Inventory and contract management including contract review and recommendations based on business and IT requirements
    • Liaison between business and IT regarding software and hardware
    • Monitor and improve workflows and asset related processes
    • Monitor controls, audit and recommend policies and procedures as needed
    • Validate, manage and analyze data as related to asset management
    • Provide reports as needed for decision making and reporting on risk, process effectiveness and other purposes as required
    • Asset acquisition and disposal
    Service Desk
    Desktop team
    Security
    Infrastructure teams

    Determine criteria for success: establish metrics to quantify and demonstrate the results and value of the HAM function

    HAM metrics fall in the following categories:

    HAM Metrics

    • Quantity e.g. inventory levels and need
    • Cost e.g. value of assets, budget for hardware
    • Compliance e.g. contracts, policies
    • Quality e.g. accuracy of data
    • Duration e.g. time to procure or deploy hardware

    Follow a process for establishing metrics:

    1. Identify and obtain consensus on the organization’s ITAM objectives, prioritized if possible.
    2. For each ITAM objective, select two or three metrics in the applicable categories (not all categories will apply to all objectives); be sure to select metrics that are achievable with reasonable effort.
    3. Establish a baseline measurement for each metric.
    4. Establish a method and accountability for ongoing measurement and analysis/reporting.
    5. Establish accountability for taking action on reported results.
    6. As ITAM expands and matures, change or expand the metrics as appropriate.

    Define KPIs and associated metrics

    • Identify the critical success factors (CSFs) for your hardware asset management program based on strategic goals.
    • For each success factor, identify the key performance indicators (KPIs) to measure success and specific metrics that will be tracked and reported on.
    • Sample metrics are below:
    CSF KPI Metrics
    Improve accuracy of IT budget and forecasting
    • Asset costs and value
    • Average cost of workstation
    • Total asset spending
    • Total value of assets
    • Budget vs. spend
    Identify discrepancies in IT environment
    • Unauthorized or failing assets
    • Number of unauthorized assets
    • Assets identified as cause of service failure
    Avoid over purchasing equipment
    • Number of unused and underused computers
    • Number of unaccounted-for computers
    • Money saved from harvesting equipment instead of purchasing new
    Make more-effective purchasing decisions
    • Predicted replacement time and cost of assets
    • Deprecation rate of assets
    • Average cost of maintaining an asset
    • Number of workstations in repair
    Improve accuracy of data
    • Accuracy of asset data
    • Accuracy rate of inventory data
    • Percentage improvement in accuracy of audit of assets
    Improved service delivery
    • Time to deploy new hardware
    • Mean time to purchase new hardware
    • Mean time to deploy new hardware

    Identify hardware asset reporting requirements and the data you need to collect to meet them

    1.2.4 Identify asset reporting requirements

    Participants

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 13: Reporting

    1. Discuss the goals and objectives of implementing or improving hardware asset management, based on challenges identified in Step 1.2.
    2. From the goals, identify the critical success factors for the HAM program
    3. For each CSF, identify one to three key performance indicators to evaluate achievement of the success factor.
    4. For each KPI, identify one to three metrics that can be tracked and reported on to measure success. Ensure that the metrics are tangible and measurable and will be useful for decision making or to take action.
    5. Determine who needs this information and the frequency of reporting.
    6. If you have existing ITAM data, record the baseline metric.
    CSF KPI Metrics Stakeholder/frequency

    Phase 1 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Lay Foundations

    Proposed Time to Completion: 4 weeks

    Step 1.1: Assess current state and plan scope

    Start with an analyst kick-off call:

    • Review challenges.
    • Assess current HAM maturity level.
    • Define scope of HAM program.

    Then complete these activities…

    • Complete MGD (optional).
    • Outline hardware asset management challenges.
    • Conduct HAM maturity assessment.
    • Classify hardware assets to define scope of the program.

    With these tools & templates:

    HAM Maturity Assessment

    Standard Operating Procedures

    Step 1.2: Build team and define metrics

    Review findings with analyst:

    • Define roles and responsibilities.
    • Assess reporting requirements.
    • Document metrics to track.

    Then complete these activities…

    • Define responsibilities for Asset Manager and Asset Administrator.
    • Use a RACI chart to determine roles within HAM team.
    • Document responsibilities for HAM roles.
    • Identify HAM reporting requirements.

    With these tools & templates:

    RACI Chart

    Asset Manager and Asset Administrator Job Descriptions

    Standard Operating Procedures

    Phase 1 Results & Insights:

    For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.4 Classify hardware assets to define scope of the program

    Determine value/risk threshold at which assets should be tracked, then divide a whiteboard into four quadrants representing four categories of assets. Participants write assets down on sticky notes and place them in the appropriate quadrant to classify assets.

    1.2.2 Build a RACI chart to determine responsibilities

    Identify all roles within the organization that will play a part in hardware asset management, then document all core HAM processes and tasks. For each task, assign each role to be responsible, accountable, consulted, or informed.

    Phase 2

    Procure and Receive

    Implement Hardware Asset Management

    Step 2.1: Request and Procure Hardware

    Phase 2: Procure & Receive

    2.1 Request & Procure

    2.2 Receive & Deploy

    This step will walk you through the following activities:

    2.1.1 Identify IT asset procurement challenges

    2.1.2 Define standard hardware requests

    2.1.3 Document standard hardware request procedure

    2.1.4 Build a non-standard hardware request form

    2.1.5 Make lease vs. buy decisions for hardware assets

    2.1.6 Document procurement workflow

    2.1.7 Build a purchasing policy

    This step involves the following participants:

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Step Outcomes:

    • Definition of standard hardware requests for roles, including core vs. optional assets
    • End-user request process for standard hardware
    • Non-standard hardware request form
    • Lease vs. buy decisions for major hardware assets
    • Defined and documented procurement workflow
    • Documented purchasing policy

    California saved $40 million per year using a green procurement strategy

    CASE STUDY

    Industry Government

    Source Itassetmanagement.net

    Challenge

    Signed July 27, 2004, Executive order S-20-04, the “Green Building Initiative,” placed strict regulations on energy consumption, greenhouse gas emissions, and raw material usage and waste.

    In compliance with S-20-04, the State of California needed to adopt a new procurement strategy. Its IT department was one of the worst offenders given the intensive energy usage by the variety of assets managed under the IT umbrella.

    Solution

    A green IT initiative was enacted, which involved an extensive hardware refresh based on a combination of agent-less discovery data and market data (device age, expiry dates, power consumption, etc.).

    A hardware refresh of almost a quarter-million PCs, 9,500 servers, and 100 email systems was rolled out as a result.

    Other changes, including improved software license compliance and data center consolidation, were also enacted.

    Results

    Because of the scale of this hardware refresh, the small changes meant big savings.

    A reduction in power consumption equated to savings of over $40 million per year in electricity costs. Additionally, annual carbon emissions were trimmed by 200,000 tons.

    Improve your hardware asset procurement process to…

    Asset Procurement

    • Standardization
    • Aligned procurement processes
    • SLAs
    • TCO reduction
    • Use of centralized/ single POC

    Standardize processes: Using standard products throughout the enterprise lowers support costs by reducing the variety of parts that must be stocked for onsite repairs or for provisioning and supporting equipment.

    Align procurement processes: Procurement processes must be aligned with customers’ business requirements, which can have unique needs.

    Define SLAs: Providing accurate and timely performance metrics for all service activities allows infrastructure management based on fact rather than supposition.

    Reduce TCO: Management recognizes service infrastructure activities as actual cost drivers.

    Implement a single POC: A consolidated service desk is used where the contact understands both standards (products, processes, and practices) and the user’s business and technical environment.

    Identify procurement challenges to identify process improvement needs

    2.1.1 Identify IT asset procurement challenges

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    1. As a group, brainstorm existing challenges related to IT hardware requests and procurement.
    2. If you get stuck, consider the common challenges listed below.
    3. Use the results of the discussion to focus on which problems can be resolved and integrated into your organization as operational standards.

    Document hardware standards to speed time to procure and improve communications to users regarding options

    The first step in your procurement workflow will be to determine what is in scope for a standard request, and how non-standard requests will be handled. Questions that should be answered by this procedure include:

    • What constitutes a non-standard request?
    • Who is responsible for evaluating each type of request? Will there be one individual or will each division in IT elect a representative to handle requests specific to their scope of work?
    • What additional security measures need to be taken?
    • Are there exceptions made for specific departments or high-ranking individuals?

    If your end-user device strategy requires an overhaul, schedule time with an Info-Tech analyst to review our blueprint Build an End-User Computing Strategy.

    Once you’ve answered questions like these, you can outline your hardware standards as in the example below:

    Use Case Mobile Standard Mac Standard Mobile Power User
    Asset Lenovo ThinkPad T570 iMac Pro Lenovo ThinkPad P71
    Operating system Windows 10 Pro Mac OSX Windows 10 Pro, 64 bit
    Display 15.6" 21.5" 17.3”

    Memory

    32GB 8GB 64GB
    Processor Intel i7 – 7600U Processor 2.3GHz Xeon E3 v6 Processor
    Drive 500GB 1TB 1TB
    Warranty 3 year 1 year + 2 extended 3 year

    Info-Tech Insight

    Approach hardware standards from a continual improvement frame of mind. Asset management is a dynamic process. Hardware standards will need to adapt over time to match the needs of the business. Plan assessments at routine intervals to ensure your current hardware standards align with business needs.

    Document specifications to meet environmental, security, and manageability requirements

    Determine environmental requirements and constraints.

    Power management

    Compare equipment for power consumption and ability to remotely power down machines when not in use.

    Heat and noise

    Test equipment run to see how hot the device gets, where the heat is expelled, and how much noise is generated. This may be particularly important for users who are working in close quarters.

    Carbon footprint

    Ask what the manufacturer is doing to reduce post-consumer waste and eliminate hazardous materials and chemicals from their products.

    Ensure security requirements can be met.

    • Determine if network/wireless cards meet security requirements and if USB ports can be turned off to prevent removal of data.
    • Understand the level of security needed for mobile devices including encryption, remote shut down or wipe of hard drives, recovery software, or GPS tracking.
    • Decide if fingerprint scanners with password managers would be appropriate to enable tighter security and reduce the forgotten-password support calls.

    Review features available to enhance manageability.

    • Discuss manageability goals with your IT team to see if any can be solved with added features, for example:
      • Remote control for troubleshooting and remote management of data security settings.
      • Asset management software or tags for bar coding, radio frequency identification (RFID), or GPS, which could be used in combination with strong asset management practices to inventory, track, and manage equipment.

    If choosing refurbished equipment, avoid headaches by asking the right questions and choosing the right vendor

    • Is the equipment functional and for how long is it expected to last?
    • How long will the vendor stand behind the product and what support can be expected?
      • This is typically two to five years, but will vary from vendor to vendor.
      • Will they repair or replace machines? Many will just replace the machine.
    • How big is the inventory supply?
      • What kind of inventory does the vendor keep and for how long can you expect the vendor to keep it?
      • How does the vendor source the equipment and do they have large quantities of the same make and model for easier imaging and support?
    • How complete is the refurbishment process?
      • Do they test all components, replace as appropriate, and securely wipe or replace hard drives?
      • Are they authorized to reload MS Windows OEM?
    • Is the product Open Box or used?
      • Open Box is a new product returned back to the vendor. Even if it is not used, the product cannot be resold as a new product. Open Box comes with a manufacturer’s warranty and the latest operating system.
      • If used, how old is the product?

    "If you are looking for a product for two or three years, you can get it for less than half the price of new. I bought refurbished equipment for my call center for years and never had a problem". – Glen Collins, President, Applied Sales Group

    Info-Tech Insight

    Price differences are minimal between large and small vendors when dealing with refurbished machines. The decision to purchase should be based on ability to provide and service equipment.

    Define standard hardware requests, including core and optional assets

    2.1.2 Identify standards for hardware procurement by role

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document in the Standard Operating Procedures, Section 7: Procurement.

    1. Divide a whiteboard into columns representing all major areas of the business.
    2. List the approximate number of end users present at each tier and record these totals on the board.
    3. Distribute sticky notes. Use two different sizes: large sizes represent critically important hardware and small sizes represent optional hardware.
    4. Define core hardware assets for each division as well as optional hardware assets.
    5. Focus on the small sticky notes to determine if these optional purchases are necessary.
    6. Finalize the group decision to determine the standard hardware procurement for each role in the organization. Record results in a table similar to the example below:
    Department Core Hardware Assets Optional Hardware Assets
    IT PC, tablet, monitor Second monitor
    Sales PC, monitor Laptop
    HR PC, monitor Laptop
    Marketing PC (iMac) Tablet, laptop

    Document procedures for users to make standard hardware requests

    2.1.3 Document standard hardware request procedure

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document in the Standard Operating Procedures, Section 6: End-User Request Process.

    Discuss and document the end-user request process:

    1. In which cases can users request a primary device?
    2. In which cases can users request a secondary (optional device)?
    3. What justification is needed to approve of a secondary device?
      1. E.g. The request for a secondary device should be via email to the IS Projects and Procurements Officer. This email should outline the business case for why multiple devices are required.
    4. Will a service catalog be available and integrated with an ITAM solution for users to make standard requests? If so, can users also configure their options?
    5. Document the process in the standard operating procedure. Example:

    End-User Request Process

    • Hardware and software will be purchased through the user-facing catalog.
    • Peripherals will be ordered as needed.
    • End-user devices will be routed to business managers for approval prior to fulfillment by IT.
    • Requests for secondary devices must be accompanied by a business case.
    • Equipment replacements due to age will be managed through IT replacement processes.

    Improve the process for ordering non-standard hardware by formalizing the request process, including business needs

    2.1.4 Build a non-standard hardware request form

    • Although the goal should be to standardize as much as possible, this isn’t always possible. Ensure users who are requesting non-standard hardware have a streamlined process to follow that satisfies the justifications for increased costs to deliver.
    • Use Info-Tech’s template to build a non-standard hardware request form that may be used by departments/users requesting non-standard hardware in order to collect all necessary information for the request to be evaluated, approved, and sent to procurement.
    • Ensure that the requestor provides detailed information around the equipment requested and the reason standard equipment does not suffice and includes all required approvals.
    • Include instructions for completing and submitting the form as well as expected turnaround time for the approval process.

    Info-Tech Insight

    Include non-standard requests in continual improvement assessment. If a large portion of requests are for non-standard equipment, it’s possible the hardware doesn’t meet the recommended requirements for specialized software in use with many of your business users. Determine if new standards need to be set for all users or just “power users.”

    Identify the information you need to collect to ensure a smooth purchasing process

    Categories Peripherals Desktops/Laptops Servers
    Financial
    • Operational expenses
    • Ordered for inventory with the exceptions of monitors that will be ordered as needed
    • Equipment will be purchased through IT budget
    • Capital expenses
    • Ordered as needed…
    • Inventory kept for…
    • End-user devices will be purchased through departmental budgets
    • Capital expenses
    • Ordered as needed to meet capacity or stability requirements
    • Devices will be purchased through IT budgets
    Request authorization
    • Any user can request
    • Users who are traveling can purchase and expense peripherals as needed, with manager approvals
    • Tier 3 technicians
    Required approvals
    • Manager approvals required for monitors
    • Infrastructure and applications manager up to [$]
    • CIO over [$]
    Warranty requirements
    • None
    • Three years
    • Will be approved with project plan
    Inventory requirements
    • Minimum inventory at each location of 5 of each: mice, keyboards, cables
    • Docking stations will be ordered as needed
    • Laptops (standard): 5
    • Laptops (ultra light): 1
    • Desktops: 5
    • Inventory kept in stock as per DR plan
    Tracking requirements
    • None
    • Added to ITAM database, CMDB
    • Asset tag to be added to all equipment
    • Added to ITAM database, CMDB

    Info-Tech Best Practice

    Take into account the possibility of encountering taxation issues based on where the equipment is being delivered as well as taxes imposed or incurred in the location from which the asset was shipped or sent. This may impact purchasing decisions and shipping instructions.

    Develop a procurement plan to get everyone in the business on the same page

    • Without an efficient and structured process around how IT purchases are budgeted and authorized, maverick spending and dark procurement can result, limiting IT’s control and visibility into purchases.
    • The challenge many IT departments face is that there is a disconnect between meeting the needs of the business and bringing in equipment according to existing policies and procedures.
    • The asset manager should demonstrate how they can bridge the gaps and improve tracking mechanisms at the same time.

    Improve procurement decisions:

    • Demonstrate how technology is a value-add.
    • Make a clear case for the budget by using the same language as the rest of the business.
    • Quantify the output of technology investments in tangible business terms to justify the cost.
    • Include the refresh cycle in the procurement plan to ensure mission- critical systems will include support and appropriate warranty.
    • Plan technology needs for the future and ensure IT technology will continue to meet changing needs.
    • Synchronize redundant organizational procurement chains in order to lower cost.

    Document the following in your procurement procedure:

    • Process for purchase requests
    • Roles and responsibilities, including requestors and approvers
    • Hardware assets to purchase and why they are needed
    • Timelines for purchase
    • Process for vendors

    Info-Tech Insight

    IT procurement teams are often heavily siloed from ITAM teams. The procurement team is typically found in the finance department. One way to bridge the gap is to implement routine, reliable reporting between departments.

    Determine if it makes sense to lease or buy your equipment; weigh the pros and cons of leasing hardware

    Pros

    • Keeps operational costs low in the short term by containing immediate cost.
    • Easy, predictable payments makes it easier to budget for equipment over long term.
    • Get the equipment you need to start doing business right away if you’re just starting out.
    • After the leasing term is up, you can continue the lease and update your hardware to the latest version.
    • Typical leases last 2 or 3 years, meaning your hardware can get upgrades when it needs it and your business is in a better position to keep up with technology.
    • Leasing directly from the vendor provides operational flexibility.
    • Focus on the business and let the vendor focus on equipment service and updates as you don’t have to pay for maintenance.
    • Costs structured as OPEX.

    Cons

    • In the long term, leasing is almost always more expensive than buying because there’s no equity in leased equipment and there may be additional fees and interest.
    • Commitment to payment through the entire lease period even if you’re not using the equipment anymore.
    • Early termination fees if you need to get out of the lease.
    • No option to sell equipment once you’re finished with it to make money back.
    • Maintenance is up to leasing company’s specifications.
    • Product availability may be limited.

    Recommended for:

    • Companies just starting out
    • Business owners with limited capital or budget
    • Organizations with equipment that needs to be upgraded relatively often

    Weigh the pros and cons of purchasing hardware

    Pros

    • Complete control over assets.
    • More flexible and straightforward procurement process.
    • Tax incentives: May be able to fully deduct the cost of some newly purchased assets or write off depreciation for computers and peripherals on taxes.
    • Preferable if your equipment will not be obsolete in the next two or three years.
    • You can resell the asset once you don’t need it anymore to recover some of the cost.
    • Customization and management of equipment is easier when not bound by terms of leasing agreement.
    • No waiting on vendor when maintenance is needed; no permission needed to make changes.

    Cons

    • High initial cost of investment with CAPEX expense model.
    • More paperwork.
    • You (as opposed to vendor) are responsible for equipment disposal in accordance with environmental regulations.
    • You are responsible for keeping up with upgrades, updates, and patches.
    • You risk ending up with out-of-date or obsolete equipment.
    • Hardware may break after terms of warranty are up.

    Recommended for:

    • Established businesses
    • Organizations needing equipment with long-term lifecycles

    Make a lease vs. buy decision for equipment purchases

    2.1.4 Decide whether to purchase or lease

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document policy decisions in the Standard Operating Procedures – Section 7: Procurement

    1. Identify hardware equipment that requires a purchase vs. lease decision.
    2. Discuss with Finance whether it makes sense to purchase or lease each major asset, considering the following:
    • Costs of equipment through each method
    • Tax deductions
    • Potential resale value
    • Potential revenue from using the equipment
    • How quickly the equipment will be outdated or require refresh
    • Size of equipment
    • Maintenance and support requirements
    • Overall costs
  • The leasing vs. buying decision should take considerable thought and evaluation to make the decision that best fits your organizational needs and situation.
  • Determine appropriate warranty and service-level agreements for your organization

    Determine acceptable response time, and weigh the cost of warranty against the value of service.

    • Standard warranties vary by manufacturer, but are typically one or three years.
    • Next-day, onsite service may be part of the standard offering or may be available as an uplift.
    • Four-hour, same-day service can also be added for high availability needs.
    • Extended warranties can be purchased beyond three years, although not many organizations take advantage of this offering.
    • Other organizations lower or remove the warranty and have reported savings of as much as $150 per machine.

    Speak to your partner to see how they can help the process of distributing machines.

    • Internal components change frequently with laptops and desktops. If purchasing product over time rather than buying in bulk, ensure the model will be available for a reasonable term to reduce imaging and support challenges.
    • Determine which services are important to your organization and request these services as part of the initial quote. If sending out a formal RFQ or RFP, document required services and use as the basis for negotiating SLAs.
    • Document details of SLA, including expectations of services for manufacturer, vendor, and internal team.
    • If partner will be providing services, request they stock an appropriate number of hot spares for frequently replaced parts.
    • If self-certifying, review resource capabilities, understand skill and certification requirements; for example, A+ certification may be a pre-requisite.
    • Understand DOA policy and negotiate a “lemon policy,” meaning if product dies within 15 or 30 days it can be classified as DOA. Seek clarity on return processes.

    Consider negotiation strategies, including how and when to engage with different partners during acquisition

    Direct Model

    • Dell’s primary sales model is direct either through a sales associate or through its e-commerce site. Promotions are regularly listed on the website, or if customization is required, desktops and laptops have some flexibility in configuration. Discounts can be negotiated with a sales rep on quantity purchases, but the discount level changes based on the model and configuration.
    • Other tier-one manufacturers typically sell direct only from their e-commerce sites, providing promotions based on stock they wish to move, and providing some configuration flexibility. They rely heavily on the channel for the majority of their business.

    Channel Model

    • Most tier one manufacturers have processes in place to manage a smaller number of partners rather than billing and shipping out to individual customers. Deviating from this process and dealing direct with end customers can create order processing issues.
    • Resellers have the ability to negotiate discounts based on quantities. Discounts will vary based on model, timing (quarter or year end), and quantity commitment.
    • Negotiations on large quantities should involve a manufacturer rep as well as the reseller to clearly designate roles and services, ensure processes are in place to fulfill your needs, and agree on pricing scheme. This will prevent misunderstandings and bring clarity to any commitments.
    • Often the channel partners are authorized to provide repair services under warranty for the manufacturer.
    • Dell also uses the channel model for distribution where customers demand additional services.

    Expect discounts to reflect quantity and method of purchase

    Transaction-based purchases will receive the smallest discounting.

    • Understand requirements to find the most appropriate make and model of equipment.
    • Prepare a forecast of expected purchases for the year and discuss discounting.
    • Typically initial discounts will be 3-5% off suggested retail price.
    • Once a history is in place, and the vendor is receiving regular orders, it may extend deeper discounts.

    Bulk purchases will receive more aggressive discounting of 5-15% off suggested retail price, depending on quantities.

    • Examine shipping options and costs to take advantage of bulk deliveries; in some cases vendors may waive shipping fees as an extension of the discounting.
    • If choosing end-of-line product, ensure appropriate quantity of a single model is available to efficiently roll out equipment.
    • Various pricing models can be used to obtain best price.

    Larger quantities rolled out over time will require commitments to the manufacturer to obtain deepest discounts.

    • Discuss all required services as part of negotiation to ensure there are no surprise charges.
    • Several pricing models can be used to obtain the best price.
      • Suggested retail price minus as much as 20%.
      • Cost plus 3% up to 10% or more.
      • Fixed price based on negotiating equipment availability with budget requirements.

    If sending out to bid, determine requirements and scoring criteria

    It’s nearly impossible to find two manufacturers with the exact same specifications, so comparisons between vendors is more art than science.

    New or upgraded components will be introduced into configurations when it makes the most sense in a production cycle. This creates a challenge in comparing products, especially in an RFP. The best way to handle this is to:

    • Define and document minimum technology requirements.
    • Define and document service needs.
    • Compare vendors to see if they’ve met the criteria or not; if yes, compare prices.
    • If the vendors have included additional offerings, see if they make sense for your organization. If they do, include that in the scoring. If not, exclude and score based on price.
    • Recognize that the complexity of the purchase will dictate the complexity of scoring.

    "The hardware is the least important part of the equation. What is important is the warranty, delivery, imaging, asset tagging, and if they cannot deliver all these aspects the hardware doesn’t matter." – Doug Stevens, Assistant Manager Contract Services, Toronto District School Board

    Document and analyze the hardware procurement workflow to streamline process

    The procurement process should balance the need to negotiate appropriate pricing with the need to quickly approve and fulfill requests. The process should include steps to follow for approving, ordering, and tracking equipment until it is ready for receipt.

    Within the process, it is particularly important to decide if this is where equipment is added into the database or if it will happen upon receipt.

    A poorly designed procurement workflow:

    • Includes many bottlenecks, stopping and starting points.
    • May impact project and service requests and requires unrealistic lead times.
    • May lead to lost productivity for users and lost credibility for the IT department.

    A well-designed hardware procurement workflow:

    • Provides reasonable lead times for project managers and service or hardware request fulfillment.
    • Provides predictability for technical resources to plan deployments.
    • Reduces bureaucracy and workload for following up on missing shipments.
    • Enables improved documentation of assets to start lifecycle management.

    Info-Tech Insight

    Where the Hardware Asset Manager is unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand. Projects, replacements, and new-user requests cannot be delayed in a service-focused IT organization due to bureaucratic processes.

    Document and analyze your procurement workflow to identify opportunities for improvement and communicate process

    Determine if you need one workflow for all equipment or multiples for small vs. large purchases.

    Occasionally large rollouts require significant changes from lower dollar purchases.

    Watch for:

    • Back and forth communications
    • Delays in approvals
    • Inability to get ETAs from vendors
    • Too many requests for quotes for small purchases
    • Entry into asset database

    This sample can be found in the HAM Process Workflows.

    The image shows a workflow, titled Procurement-Equipment-Small Quantity. On the left, the chart is separated into categories: IT Procurment; Tier 2 or Tier 3; IT Director; CIO.

    Design the process workflow for hardware procurement

    2.1.6 Illustrate procurement workflow with a tabletop exercise

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 7: Procurement

    1. In a group, distribute sticky notes or cue cards.
    2. Designate a space on the table/whiteboard to plot the workflow.
    3. Determine which individuals are responsible for handling non-standard requests. Establish any exceptions that may apply to your defined hardware standard.
    4. Gather input from Finance on what the threshold will be for hardware purchases that will require further approval.
    5. Map the procurement process for a standard hardware purchase.
    6. If applicable, map the procurement process for a non-standard request separately.
    7. Evaluate the workflow to identify any areas of inefficiency and make any changes necessary to improve the process.
    8. Be sure to discuss and include:
      • All necessary approvals
      • Time required for standard equipment process
      • Time required for non-standard equipment process
      • How information will be transferred to ITAM database

    Document and share an organizational purchasing policy

    2.1.7 Build a purchasing policy

    A purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    The policy will ensure that all purchasing processes are consistent and in alignment with company strategy. The purchasing policy is key to ensuring that corporate purchases are effective and the best value for money is obtained.

    Implement a purchasing policy to prevent or reduce:

    • Costly corporate conflict of interest cases.
    • Unauthorized purchases of non-standard, difficult to support equipment.
    • Unauthorized purchases resulting in non-traceable equipment.
    • Budget overruns due to decentralized, equipment acquisition.

    Download Info-Tech’s Purchasing Policytemplate to build your own purchasing policy.

    Step 2.2: Receive and Deploy Hardware

    Phase 2: Procure & Receive

    2.1 Request & Procure

    2.2 Receive & Deploy

    This step will walk you through the following activities:

    2.2.1 Select appropriate asset tagging method

    2.2.2 Design workflow for receiving and inventorying equipment

    2.2.3 Document the deployment workflow(s)

    This step involves the following participants:

    • Asset Manager
    • Purchasing
    • Receiver (optional)
    • Service Desk Manager
    • Operations (optional)

    Step Outcomes:

    • Understanding of the pros and cons of various asset tagging methods
    • Defined asset tagging method, process, and location by equipment type
    • Identified equipment acceptance, testing, and return procedures
    • Documented equipment receiving and inventorying workflow
    • Documented deployment workflows for desktop hardware and large-scale deployments

    Cisco implemented automation to improve its inventory and deployment system

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Although Cisco Systems had implemented a centralized procurement location for all PCs used in the company, inventory tracking had yet to be addressed.

    Inventory tracking was still a manual process. Given the volume of PCs that are purchased each year, this is an incredibly labor-intensive process.

    Sharing information with management and end users also required the generation of reports – another manual task.

    Solution

    The team at Cisco recognized that automation was the key component holding back the success of the inventory management program.

    Rolling out an automated process across multiple offices and groups, both nationally and internationally, was deemed too difficult to accomplish in the short amount of time needed, so Cisco elected to outsource its PC management needs to an experienced vendor.

    Results

    As a result of the PC management vendor’s industry experience, the implementation of automated tracking and management functions drastically improved the inventory management situation at Cisco.

    The vendor helped determine an ideal leasing set life of 30 months for PCs, while also managing installations, maintenance, and returns.

    Even though automation helped improve inventory and deployment practices, Cisco still needed to address another key facet of asset management: security.

    This case study continues in phase 3.

    An effective equipment intake process is critical to ensure product is correct, documented, and secured

    Examine your current process for receiving assets. Typical problems include:

    Receiving inventory at multiple locations can lead to inconsistent processes. This can make invoice reconciliation challenging and result in untracked or lost equipment and delays in deployment.

    Equipment not received and secured quickly. Idle equipment tends to go missing if left unsupervised for too long. Missed opportunities to manage returns where equipment is incorrect or defective.

    Disconnect between procurement and receiving where ETAs are unknown or incorrect. This can create an issue where no one is prepared for equipment arrival and is especially problematic on large orders.

    How do you solve these problems? Create a standardized workflow that outlines clear steps for asset receiving.

    A workflow will help to answer questions such as:

    • How do you deal with damaged shipments? Incorrect shipments?
    • Did you reach an agreement with the vendor to replace damaged/incorrect shipments within a certain timeframe?
    • When does the product get tagged and entered into the system as received?
    • What information needs to get captured on the asset tag?

    Standardize the process for receiving your hardware assets

    The first step in effective hardware asset intake is establishing proper procedures for receiving and handling of assets.

    Process: Start with information from the procurement process to determine what steps need to follow to receive into appropriate systems and what processes will enable tagging to happen as soon as possible.

    People: Ensure anyone who may impact this process is aware of the importance of documenting before deployment. Having everyone who may be handling equipment on board is key to success.

    Security: Equipment will be secured at the loading dock or reception. It will need to be secured as inventory and be secured if delivering directly to the bench for imaging. Ensure all receiving activities are done before equipment is deployed.

    Tools: A centralized ERP system may already provide a place to receive and reconcile with purchasing and invoicing, but there may still be a need to receive directly into the ITAM and/or CMDB database rather than importing directly from the ERP system.

    Tagging: A variety of methods can be used to tag equipment to assist with inventory. Consider the overall lifecycle management when determining which tagging methods are best.

    Info-Tech Insight

    Decentralized receiving doesn’t have to mean multiple processes. Take advantage of enterprise solutions that will centralize the data and ensure everyone follows the same processes unless there is an uncompromising and compelling logistical reason to deviate.

    Evaluate the pros and cons of different asset tagging methods

    Method Cost Strengths Weaknesses Recommendation
    RFID with barcoding – asset tag with both a barcode and RFID solution $$$$
    • Secure, fast, and robust
    • Track assets in real time
    • Quick and efficient
    • Most expensive option, requiring purchase of barcode scanner with RFID reader and software)
    • Does not work as well in an environment with less control over assets
    • Requires management of asset database
    • Best in a controlled environment with mature processes and requirement for secure assets
    RFID only – small chip with significant data capacity $$$
    • Track assets from remote locations
    • RFID can be read through boxes so you don’t have to unpack equipment
    • Scan multiple RFID-tagged hardware simultaneously
    • Large data capacity on small chip
    • Expensive, requiring purchase of RFID reading equipment and software
    • Ideal if your environment is spread over multiple locations
    Barcoding only – adding tags with unique barcodes $$
    • Reasonable security
    • Report inventory directly to database
    • Relatively low cost
    • Only read one at a time
    • Need to purchase barcode scanners and software
    • Can be labor intensive to deploy with manual scanning of individual assets
    • Less secure
    • Can’t hold as much data
    • Not as secure as barcodes with RFID but works for environments that are more widely distributed and less controlled

    Evaluate the pros and cons of different asset tagging methods

    Method Cost Strengths Weaknesses Recommendation
    QR codes – two-dimensional codes that can store text, binary, image, or URL data $$
    • Easily scannable from many angles
    • Save and print on labels
    • Can be read by barcode scanning apps or mobile phones
    • Can encode more data than barcodes
    • QR codes need to be large enough to be usable, which can be difficult with smaller IT assets
    • Scanning on mobile devices takes longer than scanning barcodes
    • Ideal if you need to include additional data and information in labels and want workers to use smartphones to scan labels
    Manual tags – tag each asset with your own internal labels and naming system $
    • Most affordable
    • Manual
    • Tags are not durable
    • Labor intensive and time consuming
    • Leaves room for error, misunderstanding, and process variances between locations
    • As this is the most time consuming and resource intensive with a low payoff, it is ideal for low maturity organizations looking for a low-cost option for tagging assets
    Asset serial numbers – tag assets using their serial number $
    • Less expensive
    • Unique serial numbers identified by vendor
    • Serial numbers have to be added to database manually, which is labor intensive and leaves room for error
    • Serial numbers can rub off over time
    • Hard to track down already existing assets
    • Doesn’t help track location of assets after deployment
    • Potential for duplicates
    • Inconsistent formats of serial numbers by manufacturers makes this method prone to error and not ideal for asset management

    Select the appropriate method for tagging and tracking your hardware assets

    2.2.1 Select asset tagging method

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 8

    1. Define your asset tagging method. For most organizations, asset tracking is done via barcoding or QR codes, either by using one method or a combination of the two. Other methods, including RFID, may be applicable based on cost or tracking complexity. Overall, barcodes embedded with RFID are the most robust and efficient method for asset tagging, but also the most expensive. Choose the best method for your organization, taking into account affordability, labor-intensiveness, data complexity needs, and ease of deployment.
    2. Define the process for tagging assets, including how soon they should receive the tag, whose responsibility it is, and whether the tag type varies depending on the asset type.
    3. Define the location of asset tags according to equipment type. Example:
    Asset Type Asset Tag Location
    PC desktop Right upper front corner
    Laptop Right corner closest to user when laptop is closed
    Server Right upper front corner
    Printer Right upper front corner
    Modems Top side, right corner

    Inspect and test equipment before accepting it into inventory to ensure it’s working according to specifications

    Upon receipt of procured hardware, validate the equipment before accepting it into inventory.

    1. Receive - Upon taking possession of the equipment, stage them for inspection before placing them into inventory or deploying for immediate use.
    2. Inspect - The inspection process should involve at minimum examining the products that have been delivered to determine conformance to purchase specifications.
    3. Test -Depending on the type and cost of hardware, some assets may benefit from additional testing to determine if they perform at a satisfactory level before being accepted.
    4. Accept - If the products conform to the requirements of the purchase order, acknowledge receipt so the supplier may be paid. Most shipments are automatically considered as accepted and approved for payment within a specific timeframe.

    Assign responsibility and accountability for inspection and acceptance of equipment, verifying the following:

    • The products conform to purchase order requirements.
    • The quantity ordered is the same as the quantity delivered.
    • There is no damage to equipment.
    • Delivery documentation is acceptable.
    • Products are operable and perform according to specifications.
    • If required, document an acceptance testing process as a separate procedure.

    Build the RMA procedure into the receiving process to handle receipt of defective equipment

    The return merchandise authorization (RMA) process should be a standard part of the receiving process to handle the return of defective materials to the vendor for either repair or replacement.

    If there is a standard process in place for all returns in the organization, you can follow the same process for returning hardware equipment:

    • Call the vendor to receive a unique RMA number that will be attached to the equipment to be returned, then follow manufacturer specifications for returning equipment within allowable timelines according to the contract where applicable.
    • Establish a lemon policy with vendors, allowing for full returns up to 30 days after equipment is deployed if the product proves defective after initial acceptance.

    Info-Tech Insight

    Make sure you’re well aware of the stipulations in your contract or purchase order. Sometimes acceptance is assumed after 60 days or less, and oftentimes the clock starts as soon as the equipment is shipped out rather than when it is received.

    Info-Tech Best Practice

    Keep in mind that the serial number on the received assed may not be the asset that ultimately ends up on the user’s desk if the RMA process is initiated. Record the serial number after the RMA process or add a correction process to the workflow to ensure the asset is properly accounted for.

    Determine what equipment should be stocked for quick deployment where demand is high or speed is crucial

    The most important feature of your receiving and inventory process should be categorization. A well-designed inventory system should reflect not only the type of asset, but also the usage level.

    A common technique employed by asset managers is to categorize your assets using an ABC analysis. Assets are classified as either A, B, or C items. The ratings are based on the following criteria:

    A

    A items have the highest usage. Typically, 10-20% of total assets in your inventory account for upwards of 70-80% of the total asset requests.

    A items should be tightly controlled with secure storage areas and policies. Avoiding stock depletion is a top priority.

    B

    B items are assets that have a moderate usage level, with around 30% of total assets accounting for 15-25% of total requests.

    B items must be monitored; B items can transition to A or C items, especially during cycles of heavier business activity.

    C

    C items are assets that have the lowest usage, with upwards of 50% of your total inventory accounting for just 5% of total asset requests.

    C items are reordered the least frequently, and present a low demand and high risk for excessive inventory (especially if they have a short lifecycle). Many organizations look to move towards an on-demand policy to mitigate risk.

    Info-Tech Insight

    Get your vendor to keep stock of your assets. If large quantities of a certain asset are required but you lack the space to securely store them onsite, ask your vendor to keep stock for you and release as you issue purchase orders. This speeds up delivery and delays warranty activation until the item is shipped. This does require an adherence to equipment standards and understanding of demand to be effective.

    Define the process for receiving equipment into inventory

    Define the following in your receiving process:

    • When will equipment be opened once delivered?
    • Who will open and validate equipment upon receipt?
    • How will discrepancies be resolved?
    • When will equipment be tagged and identified in the tracking tool?
    • When will equipment be locked in secure storage?
    • Where will equipment go if it needs to be immediately deployed?

    The image shows a workflow chart titled Receiving and Tagging. The process is split into two sections, labelled on the left as: Desktop Support Team and Procurement.

    Design the workflow for receiving and inventorying equipment

    2.2.2 Illustrate receiving workflow with a tabletop exercise

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 8: Receiving and Equipment Inventory

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Use the sample workflow from this step as a guide if starting from scratch.
    4. Engage the team in refining the process workflow.
    5. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the SOP.

    Improve device deployment by documenting software personas for each role

    • Improve the deployment process for new users by having a comprehensive list of software used by common roles within the organization. With large variations in roles, it may be impossible to build a complete list, but as you start to see patterns in requirements, you may find less distinct personas than anticipated.
    • Consider a survey to business units to determine what they need if this will solve some immediate problems. If this portion of the project will be deferred, use the data uncovered in the discovery process to identify which software is used by which roles.
    • Replacement equipment can have the software footprint created by what was actually utilized by the user, not necessarily what software was installed on the previous device.

    The image shows 4 bubbles, representing software usage. The ARC-GIS bubble is the largest, Auto CAD the second largest, and MS Office and Adobe CS equal in size.

    A software usage snapshot for an urban planner/engineer.

    • Once software needs are determined, use this information to review the appropriate device for each persona.
      • Ensure hardware is appropriate for the type of work the user does and supports required software.
      • If it is more appropriate for a user to have a tablet, ensure the software they use can be used on any device.
    • Review deployment methods to determine if there is any opportunity to improve the imaging or software deployment process with better tools or methodologies.
    • Document the device’s location if it will be static, or if the user may be more mobile, add location information for their primary location.
    • Think about the best place to document – if this information can be stored in Active Directory and imported to the ITAM database, you can update once and use in multiple applications. But this process is built into your add/move/change workflows.

    Maintain a lean library to simplify image management

    Simplify, simplify, simplify. Use a minimal number of desktop images and automate as much as you can.

    • Embrace minimalism. When it comes to managing your desktop image library, your ultimate goal should be to minimize the manual effort involved in provisioning new desktops.
    • Less is more. Try to maintain as few standard desktop images as possible and consider a thin gold image, which can be patched and updated on a regular basis. A thin image with efficient application deployment will improve the provisioning process.
    • Standardize and repeat. System provisioning should be a repeatable process. This means it is ripe for standardization and automation. Look at balancing the imaging process with software provisioning, using group policy and deployment tools to reduce time to provision and deliver equipment.
    • Outsource where appropriate. Imaging is one of the most employed services, where the image is built in-house and deployed by the hardware vendor. As a minimum, quarterly updates should still be provided to integrate the latest patches into the operating system.

    Document the process workflow for hardware deployment

    Define the process for deploying hardware to users.

    Include the following in your workflow:

    • How will equipment be configured and imaged before deployment?
    • Which images will be used for specific roles?
    • Which assets are assigned to specific roles?
    • How will the device status be changed in the ITAM tool once deployed?

    The image shows a workflow chart titled Hardware Deployment. It is divided into two categories, listed on the left: Desktop Support Team and Procurement.

    Large-scale deployments should be run as projects, benefitting from economies of scale in each step

    Large-scale desktop deployments or data center upgrades will likely be managed as projects.

    These projects should include project plans, including resources, timelines, and detailed procedures.

    Define the process for large-scale deployment if it will differ from the regular deployment process.

    The image is a graphic of a flowchart titled Deployment-Equipment-Large Quantity Rollout. It is divided into three categories, listed on the left: IT Procurement; Desktop Rollout Team; Asset Manager.

    Document the deployment workflow(s)

    2.2.3 Document deployment workflows for desktop and large-scale deployment

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 9: Deployment

    Document each step in the system deployment process with notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Outline each step in the process of desktop deployment. Be as granular as possible. On each card, describe the step as well as the individual responsible for it.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If yes, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    4. Document separately the process for large-scale deployment if required.

    Look for opportunities to improve the request and deployment process with better communication and tools

    The biggest challenge in deploying equipment is meeting expectations of the business, and without cooperation from multiple departments, this becomes significantly more difficult.

    • Work with the procurement and the services team to ensure inventory is accessible, and regularly validate that inventory levels in the ITAM database are accurate.
    • Work with the HR department to predict (where possible) anticipated new hires. Plan for inventory ebbs and flows to match the hiring timelines where there are large variations.
    • If service catalogs will be made available for communicating options and SLAs for equipment purchases, work with the service catalog administrators to automate inventory checks and notifications. Work with the end-user device managers to set standards and reduce equipment variations to a manageable amount.
    • Where deployments are part of equipment refresh, ensure data is up to date for the services team to plan the project rollouts and know which software should be redeployed with the devices.
    • Infrastructure and security teams may have specific hardware assets relating to networking, data centers, and security, which may bypass the end-user device workflows but need to be tagged and entered into inventory early in the process. Work with these teams to have their equipment follow the same receiving and inventory processes. Deployment will vary based on equipment type and location.

    Automate hardware deployment where users are dispersed and deployment volume is high

    Self-serve kiosks (vending machines) can provide cost reductions in delivery of up to 25%. Organizations that have a high distribution rate are seeing reductions in cost of peripherals averaging 30-35% and a few extreme cases of closer to 85%.

    Benefits of using vending machines:

    • Secure equipment until deployed.
    • Equipment can be either purchased by credit card or linked to employee ID cards, enabling secure transactions and reporting.
    • Access rights can be controlled in real time, preventing terminated employees from accessing equipment or managing how many devices can be deployed to each user.
    • Vending machines can be managed through a cellular or wireless network.
    • Technology partners can be tasked with monitoring and refilling vending machines.
    • Employees are able to access technology wherever a vending machine can be located rather than needing to travel to the help desk.
    • Equipment loans and new employee packages can be managed through vending machines.

    Phase 2 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Request, Procure, Receive, and Deploy

    Proposed Time to Completion: 4 weeks

    Step 2.1: Request & Procure

    Start with an analyst kick-off call:

    • Define standard and non-standard hardware.
    • Weigh the pros and cons of leasing vs. buying.
    • Build the procurement process.

    Then complete these activities…

    • Define standard hardware requests.
    • Document standard hardware request procedure.
    • Document procurement workflow.
    • Build a purchasing policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Non-Standard Hardware Request Form
    • Hardware Procurement Workflow
    • Purchasing Policy

    Step 2.2: Receive & Deploy

    Review findings with analyst:

    • Determine appropriate asset tagging method.
    • Define equipment receiving process.
    • Define equipment deployment process.

    Then complete these activities…

    • Select appropriate asset tagging method.
    • Design workflow for receiving and inventorying equipment.
    • Document the deployment workflow(s).

    With these tools & templates:

    • Standard Operating Procedures
    • Equipment Receiving & Tagging Workflow
    • Deployment Workflow

    Phase 2 Insight: Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.2 Define standard hardware requests

    Divide whiteboard into columns representing core business areas. Define core hardware assets for end users in each division along with optional hardware assets. Discuss optional assets to narrow and define standard equipment requests.

    2.2.1 Select appropriate method for tagging and tracking assets

    Discuss the various asset tagging methods and choose the tagging method that is most appropriate for your organization. Define the process for tagging assets and document the standard asset tag location according to equipment type.

    Phase 3

    Maintain and Dispose

    Implement Hardware Asset Management

    Cisco overcame organizational resistance to change to improve asset security

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Cisco Systems had created a dynamic work environment that prized individuality. This environment created high employee satisfaction, but it also created a great deal of risk surrounding device security.

    Cisco lacked an asset security policy; there were no standards for employees to follow. This created a surplus of not only hardware, but software to support the variety of needs amongst various teams at Cisco.

    Solution

    The ITAM team at Cisco recognized that their largest problem was the lack of standardization with respect to PCs. Variance in cost, lifecycle, and software needs/compatibility were primary issues.

    Cisco introduced a PC leasing program with the help of a PC asset management vendor to correct these issues. The primary goal was to increase on-time returns of PCs. A set life of 30 months was defined by the vendor.

    Results

    Cisco engaged employees to help contribute to improving its asset management protocols, and the approach worked.

    On-time returns increased from 60% to 80%. Costs were reduced due to active tracking and disposal of any owned assets still present.

    A reduction in hardware and software platforms has cut costs and increased security thanks to improved tracking capabilities.

    This case study continues in phase 4

    Step 3.1: Manage, Maintain, and Secure Hardware Assets

    Phase 3: Maintain & Dispose

    3.1 Manage & Maintain

    3.2 Dispose or Redeploy

    This step will walk you through the following activities:

    3.1.1 Build a MAC policy and request form

    3.1.2 Build workflows to document user MAC processes

    3.1.3 Design process and policies for hardware maintenance, warranty, and support documentation handling

    3.1.4 Revise or create an asset security policy

    This step involves the following participants:

    • Asset Manager
    • Service Desk Manager
    • Operations (optional)
    • Security Department

    Step Outcomes

    • Understanding of inventory management process best practices
    • Templates for move/add/change request policy and form
    • Documented process workflows for the user move/add/change process
    • Process and policies for hardware maintenance, warranty, and support documentation handling
    • Defined policies for maintaining asset security

    Determine methods for performing inventory audits on equipment

    Auto-discovery

    • Auto-discovery tools will be crucial to the process of understanding what equipment is connected to the network and in use.
    • The core functionality of discovery tools is to scan the environment and collect configuration data from all connected assets, but most tools can also be used to collect usage data, network monitoring, and software asset management data including software distribution, compliance, and license information.
    • These tools may not connect to peripheral devices such as monitors and external drives, will not scan devices that are turned off or disconnected from the network, may not inventory remote users, and will rarely provide location information. This often results in a need to complete physical audits as well.

    Info-Tech Insight

    One of the most common mistakes we see when it comes to asset management is to assume that the discovery tool will discovery most or all of your inventory and do all the work. It is better to assume only 80-90% coverage by the discovery tool and build ownership records to uncover the unreportable assets that are not tied into the network.

    Physical audit

    • The physical audit can be greatly improved with barcode, RFID, or QR codes, allowing items to be scanned, records opened, then updated.
    • If not everything is tagged or entered into the ITAM database, then searching closets, cabinets, and desk drawers may be required to tag and enter those devices into the database.
    • Provide the inventory team with exact instructions on what needs to be collected, verified, and recorded. Depending on the experience and thoroughness of the team, spot checks early in the process may alleviate quality issues often discovered at the end of the inventory cycle.

    Determine requirements for performing inventory audits on equipment

    Conduct an annual hardware audit to ensure hardware is still assigned to the person and location identified in your ITAM system, and assess its condition.

    Perform a quarterly review of hardware stock levels in order to ensure all equipment is relevant and usable. The table below is an example of how to organize this information.

    Item Target Stock Levels Estimated $ Value
    Desktop computers
    Standard issue laptops
    Mice
    Keyboards
    Network cables
    Phones

    Info-Tech Insight

    Don’t forget about your remotely deployed assets. Think about how you plan to inventory remotely deployed equipment. Some tools will allow data collection through an agent that will talk to the server over the internet, and some will completely ignore those assets or provide a way to manually collect the data and email back to the asset manager. Mobile device management tools may also help with this inventory process. Determine what is most appropriate based on the volume of remote workers and devices.

    Build an inventory management process to maintain an accurate view of owned hardware assets

    • Your inventory should capture which assets are on hand, where they are located, and who owns them, at minimum. Maintaining an accurate, up-to-date view of owned hardware assets allows you to see at any time the actual state of the components that make up your infrastructure across the enterprise.
    • Automated inventory practices save time and effort from doing physical inventories and also reduce the interruption to business users while improving accuracy of data.
    • If you are just starting out, define the process for conducting an inventory of deployed assets, and then define the process for regular upkeep and audit of inventory data.

    Inventory Methods

    • Electronic – captures networked asset information only and can be deployed over the network with no deskside service interaction.
    • Physical – captures environmental detail and must be performed manually by a service technician with possible disruption to users.
    • Full inventory – both physical and electronic inventory of assets.

    Internal asset information to collect electronically

    • Hardware configuration
    • Installed software
    • Operating system
    • System BIOS
    • Network configuration
    • Network drive mappings
    • Printer setups
    • System variables

    External asset information that cannot be detected electronically

    • Assigned user
    • Associated assets
    • Asset/user location
    • Usage of asset
    • Asset tag number

    IMAC (Install, Move, Add, Change) services will form the bulk of asset management work while assets are deployed

    IMAC services are usually performed at a user’s deskside by a services technician and can include:

    • Installing new desktops or peripherals
    • Installing or modifying software
    • Physically moving an end user’s equipment
    • Upgrading or adding components to a desktop

    Specific activities may include:

    Changes

    • Add new user IDs
    • Manage IDs
    • Network changes
    • Run auto-discovery scan

    Moves

    • Perform new location site survey
    • Coordinate with facilities
    • Disconnect old equipment
    • Move to new location
    • Reconnect at new location
    • Test installed asset
    • Obtain customer acceptance
    • Close request

    Installs and Adds

    • Perform site survey
    • Perform final configuration
    • Coordinate with Facilities
    • Asset tagging
    • Transfer data from old desktop
    • Wipe old desktop hard drive
    • Test installed asset
    • Initiate auto-discovery scan
    • Obtain customer acceptance
    • Close request

    A strong IMAC request process will lessen the burden on IT asset managers

    • When assets are actively in use, Asset Managers must also participate in the IMAC (Install-Move-Add-Change) process and ensure that any changes to asset characteristics or locations are updated and tracked in the asset management tool and that the value and usefulness of the asset is monitored.
    • The IMAC process should not only be reactive in response to requests, but proactive to plan for moves and relocations during any organizational change events.

    Recommendations:

    Automate. Wherever possible, use tools to automate the IMAC process.

    E-forms, help desk, ticketing, or change management software can automate the request workflow by allowing the requestor to submit a request ticket that can then be automatically assigned to a designated team member according to the established chain of command. As work is completed, the ticket can be updated, and the requestor will be able to check the status of the work at any time.

    Communicate the length of any downtime associated with execution of the IMAC request to lessen the frustration and impatience among users.

    Involve HR. When it comes to adding or removing user accounts, HR can be a valuable resource. As most new employees should be hired through HR, work with them to improve the onboarding process with enough advanced notice to set up accounts and equipment. Role changes with access rights and software modifications can benefit from improved communications. Review the termination process as well, to secure data and equipment.

    Build a MAC request policy and form for end users

    A consistent Move, Add, Change (MAC) request process is essential for lessening the burden on the IT department. MAC requests are used to address any number of tasks, including:

    • Relocation of PCs and/or peripherals.
    • New account setup.
    • Hardware or software upgrades.
    • Equipment swaps or replacements.
    • User account/access changes.
    • Document generation.
    • User acceptance testing.
    • Vendor coordination.

    Create a request form.

    If you are not using help desk or other ticketing software, create a request template that must be submitted for each MAC. The request should include:

    • The name and department of the requester.
    • The date of the request.
    • Severity of the request. For example, severity can be graded on a score of high, medium, or low where high represents a mission-critical change that could compromise business continuity if not addressed immediately, and low represents a more cosmetic change that will not negatively affect operations. The severity of the request can be determined by the service-level agreement (SLA) associated with the service.
    • Date the request must be completed by. Or at least, what would be the ideal date for completion. This will vary greatly depending on the severity of the request. For example, deleting the access of a terminated employee would be very time sensitive.
    • Item or service to be moved, added, or changed. Include location, serial number, or other designated identifier where possible.
    • If the item or service is to be moved, indicated where it is being moved.
    • It is a good idea to include a comments section where the requester can add any additional questions or details.

    Use Info-Tech’s templates to build your MAC policy and request form

    3.1.1 Build a MAC policy and request form

    Desktop Move/Add/Change Policy

    This desktop move/add/change policy should be put in place to mitigate the risk associated with unauthorized changes, minimize disruption to the business, IT department, and end users, and maintain consistent expectations.

    Move, Add, Change Request Form

    Help end users navigate the move/add/change process. Use the Move/Add/Change Request Form to increase efficiency and organization for MAC requests.

    Document the process for user equipment moves

    Include the following in your process documentation:

    • How and when will any changes to user or location information be made in the ITAM tool?
    • Will any changes in AD automatically update in the ITAM tool?
    • How should requests for equipment moves or changes be made?
    • How will resources be scheduled?

    The image shows a flowchart titled SErvice Request - User Moves. The chart of processes is split into three categories, listed on the left side of the chart: User Manager; IT Coordinator; and Tier 2 & Facilities.

    Build workflows to document user MAC processes

    3.1.2 Build MAC process workflows

    Participants

    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 10: Equipment Install, Adds, Moves, and Changes

    Document each step in the system deployment process using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Outline each step in the process of desktop deployment. Be as granular as possible. On each card, describe the step as well as the individual responsible for each step.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    4. Document separately the process for large-scale deployment if required.

    Define a policy to ensure effective maintenance of hardware assets

    Effective maintenance and support of assets provides longer life, higher employee productivity, and increased user satisfaction.

    • Your asset management documentation and database should store equipment maintenance contract information so that it can be consulted whenever hardware service is required.
    • Record who to contact as well as how, warranty information, and any SLAs that are associated with the maintenance agreement.
    • Record all maintenance that hardware equipment receives, which will be valuable for evaluating asset and supplier performance.
    • In most cases, the Service Desk should be the central point of contact for maintenance calls to all suppliers.

    Sample equipment maintenance policy terms:

    • Maintenance and support arrangements are required for all standard and non-standard hardware.
    • All onsite hardware should be covered by onsite warranty agreements with appropriate response times to meet business continuity needs.
    • Defective items under warranty should be repaired in a timely fashion.
    • Service, maintenance, and support shall be managed through the help desk ticketing system.

    Design process and policies for hardware maintenance, warranty, and support documentation handling

    3.1.3 Design process for hardware maintenance

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 10

    1. Discuss and document the policy for hardware maintenance, warranty, and support.
    2. Key outcomes should include:
    • Who signs off on policies?
    • What is the timeline for documentation review?
    • Where are warranty and maintenance documents stored?
    • How will equipment be assessed for condition during audits?
    • How often will deployed equipment be reimaged?
    • How will equipment repair needs be requested?
    • How will repairs for equipment outside warranty be handled?
  • Document in the Standard Operating Procedure.
  • Use your HAM program to improve security and meet regulatory requirements

    ITAM complements and strengthens security tools and processes, improving the company’s ability to protect its data and systems and reduce operational risk.

    It’s estimated that businesses worldwide lose more than $221 billion per year as a result of security breaches. HAM is one important factor in securing data, equipment investment, and meeting certain regulatory requirements.

    How does HAM help keep your organization secure?

    • Educating users on best practices for securing their devices, and providing physical security such as cable locks and tracking mechanisms.
    • Best practices for reporting lost or stolen equipment for quickly removing access and remotely wiping devices.
    • Accurate location and disposal records will enable accurate reporting for HIPAA and PCI DSS audits where movement of media or hardware containing data is a requirement. Best practices for disposal will include properly wiping drives, recording information, and ensuring equipment is disposed of according to environmental regulations.
    • Secure access to data through end-user mobile devices. Use accurate records and MDM tools to securely track, remove access, and wipe mobile devices if compromised.
    • Encrypt devices that may be difficult to track such as USB drives or secure ports to prevent data from being copied to external drives.
    • Managed hardware allows software to be managed and patched on a regular basis.

    Best Practices

    1. Educate end users about traveling with equipment. Phones and laptops are regularly stolen from cars; tablets and phones are left on planes. Encourage users to consider how they store equipment on the way home from work.
    2. Cable locks used at unsecured offsite or onsite work areas should be supplied to employees.
    3. Equipment stored in IT must be secured at all times.

    Implement mobile device management (MDM) solutions

    Organizations with a formal mobile management strategy have fewer problems with their mobile devices.

    Develop a secure MDM to:

    • Provide connection and device support when the device is fully subsidized by the organization to increase device control.
    • Have loaner devices for when traveling to limit device theft or data loss.
    • Personal devices not managed by MDM should be limited to internet access on a guest network.
    • Limit personal device access to only internet access or a limited zone for data access and a subset of applications.
    • Advanced MDM platforms provide additional capabilities including containerization.

    The benefits of a deployed MDM solution:

    • Central management of a variety of devices and platforms is the most important advantage of MDM. Administrators can gain visibility into device status and health, set policies to groups of users, and control who has access to what.
    • Security features such as enforcing passcodes and remote wipe are also essential, given the increased risk of mobile devices.
      • Remote wipe should be able to wipe either the whole device or just selected areas.
    • Separation of personal data is becoming increasingly important as BYOD becomes the norm. This is a feature that vendors are approaching radically differently.
    • Device lock: Be able to lock the device itself, its container, or its SIM. Even if the SIM is replaced, the device should still remain locked. Consider remote locking a device if retrieval is possible.

    Mobile device management is constantly evolving to incorporate new features and expand to new control areas. This is a high-growth area that warrants constant up-to-date knowledge on the latest developments.

    What can be packed into an MDM can vary and be customized in many forms for what your organization needs.

    Secure endpoint devices to protect the data you cannot control

    Endpoint Encryption

    Endpoints Average None
    Desktop 73% 4%
    Laptops 65% 9%
    Smartphones 27% 28%
    Netbooks 26% 48%
    Tablets 16% 59%
    Grand average 41%

    Benefits from endpoint encryption:

    • Reduced risk associated with mobile workers.
    • Enabled sharing of data in secured workspace.
    • Enhanced end-user accountability.
    • Reduced number of data breach incidents.
    • Reduced number of regulatory violations.

    Ways to reduce endpoint encryption costs:

    • Use multiple vendors (multiple platforms): 33%
    • Use a single vendor (one platform): 40%
    • Use a single management console: 22%
    • Outsource to managed service provider: 26%
    • Permit user self-recovery: 26%

    Remote Wiping

    • If all else fails, a device can always be erased of all its data, protecting sensitive data that may have been on it.
    • Selective wipe takes it a step further by erasing only sensitive data.

    Selective wipe is not perfect.

    It is nearly impossible to keep the types of data separate, even with a sandbox approach. Selective wipe will miss some corporate data, and even a full remote wipe can only catch some of users’ increasingly widely distributed data.

    Selective wipe can erase:

    • Corporate profiles, email, and network settings.
    • Data within a corporate container or other sandbox.
    • Apps deployed across the enterprise.

    Know when to perform a remote wipe.

    Not every violation of policy warrants a wipe. Playing Candy Crush during work hours probably does not warrant a wipe, but jail breaking or removing a master data management client can open up security holes that do warrant a wipe.

    Design an effective asset security policy to protect the business

    Data security is not simply restricted to compromised software. In fact, 70% of all data breaches in the healthcare industry since 2010 are due to device theft or loss, not hacking. (California Data Breach Report – October, 2014) ITAM is not just about tracking a device, it is also about tracking the data on the device.

    Organizations often struggle with the following with respect to IT asset security:

    • IT hardware asset removal control.
    • Personal IT hardware assets (BYOD).
    • Data removal from IT hardware assets.
    • Inventory control with respect to leased hardware and software.
    • Unused software.
    • Repetitive versions of software.
    • Unauthorized software.

    Your security policy should seek to protect IT hardware and software that:

    • Have value to the business.
    • Require ongoing maintenance and support.
    • Create potential risk in terms of financial loss, data loss, or exposure.

    These assets should be documented and controlled in order to meet security requirements.

    The asset security policy should encompass the following:

    • Involved parties.
    • Hardware removal policy/documentation procedure.
    • End-user asset security responsibilities.
    • Theft/loss reporting procedure.
    • BYOD standards, procedures, and documentation requirements.
    • Data removal.
    • Software usage.
    • Software installation.

    Info-Tech Insight

    Hardware can be pricey; data is priceless. The cost of losing a device is minimal compared to the cost of losing data contained on a device.

    Revise or create an asset security policy

    3.1.4 Develop IT asset security policy

    Participants

    • CIO or IT Director
    • Asset Manager
    • Service Desk Manager
    • Security
    • Operations (optional)

    Document

    Document in the Asset Security Policy.

    1. Identify asset security challenges within your organization. Record them in a table like the one below.
    Challenge Current Security Risk Target Policy
    Hardware removal Secure access and storage, data loss Designated and secure storage area
    BYOD No BYOD policy in place N/A → phasing out BYOD as an option
    Hardware data removal Secure data disposal Data disposal, disposal vendor
    Unused software Lack of support/patching makes software vulnerable Discovery and retirement of unused software
    Unauthorized software Harder to track, less secure Stricter stance on pirated software
    1. Brainstorm the reasons for why these challenges exist.
    2. Identify target policy details that pertain to each challenge. Record the outcomes in section(s) 5.1, 5.2, or 5.3 of the Asset Security Policy.

    Poor asset security and data protection had costly consequences for UK Ministry of Justice

    CASE STUDY

    Industry Legal

    Source ICO

    Challenge

    The Ministry of Justice (MoJ) in the UK had a security problem: hard drives that contained sensitive prisoner data were unencrypted and largely unprotected for theft.

    These hard drives contained information related to health, history of drug use, and past links to organized crime.

    After two separate incidents of hard drive theft that resulted in data breaches, the Information Commissioner’s Office (ICO), stepped in.

    Solution

    It was determined that after the first hard drive theft in October 2011, replacement hard drives with encryption software were provisioned to prisons managed by the MoJ.

    Unfortunately, the IT security personnel employed by the MoJ were unaware that the encryption software required manual activation.

    When the second hard drive theft occurred, the digital encryption could not act as a backup to poor physical security (the hard drive was not secured in a locker as per protocol).

    Results

    The perpetrators were never found and the stolen hard drives were never recovered.

    As a result of the two data breaches, the MoJ had to implement costly security upgrades to its data protection system.

    The ICO fined the MoJ £180,000 for its repeated security breaches. This costly fine could have been avoided if more diligence was present in the MoJ’s asset management program.

    Step 3.2: Dispose or Redeploy Assets

    3.1 Manage & Maintain

    3.2 Dispose or Redeploy

    This step will walk you through the following activities:

    3.2.1 Identify challenges with IT asset recovery and disposal

    3.2.2 Design hardware asset recovery and disposal workflows

    3.2.3 Build a hardware asset disposition policy

    This step involves the following participants:

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Step Outcomes:

    • Defined process to determine when to redeploy vs. dispose of hardware assets
    • Process for recovering and redeploying hardware equipment
    • Process for safely disposing of assets that cannot be redeployed
    • Comprehensive asset disposition policy

    Balance the effort to roll out new equipment against the cost to maintain equipment when building your lifecycle strategy

    The image shows two line graphs. The graph on the left is titled: Desktop Refresh Rate by Company Size (based on Revenue). The graph on the right is titled: Laptop Refresh Rate by Company Size (based on Revenue). Each graph has four lines, defined by a legend in the centre of the image: yellow is small ($25mm); dark blue is Mid ($25-500MM); light blue is large ( data-verified=$500MM); and orange is Overall.">

    (Info-Tech Research Group; N=96)

    Determining the optimal length of time to continue to use equipment will depend on use case and equipment type

    Budget profiles Refresh methods

    Stretched

    Average equipment age: 7+ years

    To save money, some organizations will take a cascading approach, using the most powerful machines for engineers or scientists to ensure processing power, video requirements and drives will meet the needs of their applications and storage needs; then passing systems down to departments who will require standard-use machines. The oldest and least powerful machines are either used as terminals or disposed.

    Generous

    Average equipment age: 3 years

    Organizations that do not want to risk user dissatisfaction or potential compatibility or reliability issues will take a more aggressive replacement approach. These organizations often have less people assigned to end-user device maintenance and will not repair equipment outside of warranty. There is little variation in processing power among devices, with major differences determined by mobility and operating system.

    Cautious

    Average equipment age: 4 to 5 years

    Organizations that fit between the other two profiles will look to stretch the budget beyond warranty years, but will keep a close eye on maintenance requirements. Repairs needed outside of warranty will require an eye to costs, efforts, and subsequent administrative work of loaning equipment to keep the end user productive while waiting on service.

    Recommendations to keep users happy and equipment in prime form is to check condition at the 2-3 year mark, reimage at least once to improve performance, and have backup machines, if equipment starts to become problematic.

    Build a process to determine when and how to redeploy or dispose of hardware assets at end of use

    • When equipment is no longer needed for the function or individual to whom it was assigned, the Hardware Asset Manager needs to use data to ensure the right decision is made as to what to do with the asset.
    • End of use involves evaluating options for either continuing to use the equipment in another capacity or by another individual or determining that the asset has no remaining value to the organization in any capacity and it is time to retire it.
    • If the asset is retired, it may still have capacity for continued use outside of the organization or it may be disposed.

    Redeployment

    • Deliver the asset to a new user if it is no longer needed by the original user but still has value and usability.
    • Redeployment saves money and prevents unnecessary purchases.
    • Common when employees leave the company or a merge or acquisition changes the asset pool.

    VS.

    Disposal

    • When an asset is no longer of use to the organization, it may be disposed of.
    • Need to consider potential financial and public relations considerations if disposal is not done according to environmental legislation.
    • Need to ensure proper documentation and data removal is built into disposition policy.

    Use persistent documentation and communication to improve hardware disposal and recovery

    Warning! Poor hardware disposal and recovery practices can be caused by the following:

    1. Your IT team is too busy and stretched thin. Data disposal is one of many services your IT team is likely to have to deal with, but this service requires undivided attention. By standardizing hardware refreshes, you can instill more predictability with your hardware life cycles and better manage disposal.
    2. Poor inventory management. Outdated data and poor tracking practices can result in lost assets during the disposal phase. It only takes a single lost asset to cause a disastrous data breach in your supply chain.
    3. Obliviousness to disposal regulations. Electronic disposal and electronically stored data are governed by strict regulation.

    How do you improve your hardware disposal and recovery process?

    • A specific, controlled process needs to be in place to wipe all equipment and verify that it’s been wiped properly. Otherwise, companies will continue to spend money to protect data while equipment is in use, but overlook the dangerous implications of careless IT asset disposal. Create a detailed documentation process to track your assets every step of the way to ensure that data and applications are properly disposed of. Detailed documentation can also help bolster sustainability reporting for organizations wishing to track such data.
    • Better communication should be required. Most decommissioning or refresh processes use multiple partners for manufacturing, warehousing, data destruction, product resale, and logistics. Setting up and vetting these networks can take years, and even then, managing them can be like playing a game of telephone; transparency is key.

    Address three core challenges of asset disposal and recovery

    Asset Disposal

    Data Security

    Sixty-five percent of organizations cite data security as their top concern. Many data breaches are a result of hardware theft or poor data destruction practices.

    Choosing a reputable IT disposal company or data removal software is crucial to ensuring data security with asset disposal.

    Environmental

    Electronics contain harmful heavy metals such as mercury, arsenic, and cadmium.

    Disposal of e-waste is heavily regulated, and improper disposal can result in hefty fines and bad publicity for organizations.

    Residual value

    Many obsolete IT assets are simply confined to storage at their end of life.

    This often imposes additional costs with maintenance or storage fees and leaves a lot of value on the table through assets that could be sold or re-purposed within the organization.

    Identify challenges with IT asset recovery and disposal with a triple bottom line scorecard

    3.2.1 Identify challenges with IT asset recovery and disposal

    Participants

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)
    1. Divide the whiteboard into three boxes: Social, Economic, and Environmental.
    2. Divide each box into columns like the one shown below:
    Economic
    Challenge Objectives Targets Initiatives
    No data capture during disposal Develop reporting standards 80% disposed assets recorded Work with Finance to develop reporting procedure
    Idle assets Find resale market/dispose of idle assets 50% of idle assets disposed of within the year Locate resale vendor and disposal service
    1. Ask participants to list challenges associated with each area.
    2. Once challenges facing recovery and disposal have been exhausted from the group, assign a significance of 1-5 (1 being the lowest and 5 being the highest) to each challenge.
    3. Discuss the most significant challenges and how they might be addressed through the next steps of building recovery & disposal processes.

    Build a process for recovery and redeployment of hardware

    • Having hardware standards in place makes redeploying easier by creating a larger pool of possible users for a standardized asset.
    • Most redeployment activities will be carried out by the Help Desk as a service request ticket, so it is important to have clear communication and guidelines with the Help Desk as to which tasks need to be carried out as part of the request.

    Ensure the following are addressed:

    • Where will equipment be stored before being redeployed?
    • Will shipping be required and are shipping costs factored into analysis?
    • Ensure equipment is cleaned before it is redeployed.
    • Do repairs and reconfigurations need to be made?
    • How will software be removed and licenses harvested and reported to Software Asset Manager?
    • How will data be securely wiped and protected?

    The image shows a work process in flowchart format titled Equipment Recovery. The chart is divided into two sections, listed on the left: Business Manager/HR and Desktop Support Team.

    Define the process for safely disposing of assets that cannot be redeployed

    Asset Disposal Checklist

    1. Review the data stored on the device.
    2. Determine if there has been any sensitive or confidential information stored.
    3. Remove all sensitive/confidential information.
    4. Determine if software licenses are transferable.
    5. Remove any non- transferable software prior to reassignment.
    6. Update the department’s inventory record to indicate new individual assigned custody.
    7. In the event of a transfer to another department, remove data and licensed software.
    8. If sensitive data has been stored, physically destroy the storage device.
    • Define the process for retiring and disposing of equipment that has reached replacement age or no longer meets minimum conditions or standards.
    • Clearly define the steps that need to be taken both before and after the involvement of an ITAD partner.

    The image shows a flowchart titled Equipment Disposal. It is divided into two sections, labelled on the left as: Desktop Support Team and Asset Manager.

    Design hardware asset recovery and disposal workflows

    3.2.2 Design hardware asset recovery and disposal policies and workflows

    Participants

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Sections 11 and 12

    Document each step in the recovery and disposal process in two separate workflows using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Keeping in mind current challenges around hardware asset recovery and disposal, design the target state for both the asset recovery and disposal processes.
    2. Outline each step of the process and be as granular as possible.
    3. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    4. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    5. Review the checklists on the previous slides to ensure all critical tasks are accounted for in your process workflows.

    Add equipment disposition to asset lifecycle decisions to meet environmental regulations and mitigate risk

    Although traditionally an afterthought in asset management, IT asset disposition (ITAD) needs to be front and center. Increase focus on data security and concern surrounding environmental sustainability and develop an awareness of the cost efficiencies possible through best-practices disposition.

    Optimized ITAD solutions:

    1. Protect sensitive or valuable data
    2. Support sustainability
    3. Focus on asset value recovery

    Info-Tech Insight

    A well-thought-out asset management program mitigates risk and is typically less costly than dealing with a large-scale data loss incident or an inappropriate disposal suit. Also, it protects your company’s reputation – which is difficult to put a price on.

    Partner with an ITAD vendor to support your disposition strategy

    Maximizing returns on assets requires knowledge and skills in asset valuation, upgrading to optimize market return, supply chain management, and packaging and shipping. It’s unlikely that the return will be adequate to justify that level of investment, so partnering with a full-service ITAD vendor is a no-brainer.

    • An ITAD vendor knows the repurpose and resale space better than your organization. They know the industry and have access to more potential buyers.
    • ITAD vendors can help your organization navigate costly environmental regulations for improper disposal of IT assets.

    Disposal doesn’t mean your equipment has to go to waste.

    Additionally, your ITAD vendor can assist with a large donation of hardware to a charitable organization or a school.

    Donating equipment to schools or non-profits may provide charitable receipts that can be used as taxable benefits.

    Before donating:

    • Ensure equipment is needed and useful to the organization.
    • Be prepared for an appraisal requirement. Receipts can only be issued for fair market value.
    • Prevent compromised data by thoroughly wiping or completely replacing drives.
    • Ensure official transfer of ownership to prevent liability if improper disposal practices follow.

    Info-Tech Insight

    Government assistance grants may be available to help keep your organization’s hardware up to date, thereby providing incentives to upgrade equipment while older equipment still has a useful life.

    Protect the organization by sufficiently researching potential ITAD partners

    Research ITAD vendors as diligently as you would primary hardware vendors.

    Failure to thoroughly investigate a vendor could result in a massive data breach, fines for disposal standards violations, or a poor resale price for your disposed assets. Evaluate vendors using questions such as the following:

    • Are you a full-service vendor or are you connected to a wholesaler?
    • Who are your collectors and processors?
    • How do you handle data wiping? If you erase the data, how many passes do you perform?
    • What do you do with the e-waste? How much is reused? How much is recycled?
    • Do you have errors and omissions insurance in case data is compromised?
    • How much will it cost to recycle or dispose of worthless equipment?
    • How much will I receive for assets that still have useful life?

    ITAD vendors that focus on recycling will bundle assets to ship to an e-waste plant – leaving money on the table.

    ITAD vendors with a focus on reuse will individually package salable assets for resale – which will yield top dollars.

    Info-Tech Insight

    To judge the success of a HAM overhaul, you need to establish a baseline with which to compare final results. Be sure to take HAM “snapshots” before ITAD partnering so it’s easy to illustrate the savings later.

    Work with ITAD partner or equipment supplier to determine most cost-effective method and appropriate time for disposal

    2-4 Two-to-four year hardware refresh cycle

    • Consider selling equipment to an ITAD partner who specializes in sales of refurbished equipment.
    • Consider donating equipment to schools or non-profits, possibly using an ITAD partner who specializes in refurbishing equipment and managing the donation process.

    5-7 Five-to-seven year hardware refresh cycle

    • At this stage equipment may still have a viable life, but would not be appropriate for school or non-profit donations, due to a potentially shorter lifespan. Consider selling equipment to an ITAD partner who has customers interested in older, refurbished equipment.

    7+ Seven or more years hardware refresh cycle

    • If keeping computers until they reach end of life, harvest parts for replacement on existing machines and budget for disposal fees.
    • Ask new computer supplier about disposal services or seek out ITAD partner who will disassemble and dispose of equipment in an environmentally responsible manner.

    Info-Tech Insight

    • In all cases, ensure hard drives are cleansed of data with no option for data recovery. Many ITAD partners will provide a drive erasure at DoD levels as part of their disposal service.
    • Many ITAD partners will provide analysts to help determine the most advantageous time to refresh.

    Ensure data security and compliance by engaging in reliable data wiping before disposition

    Failure to properly dispose of data can not only result in costly data breaches, but also fines and other regulatory repercussions. Choosing an ITAD vendor or a vendor that specializes in data erasure is crucial. Depending on your needs, there are a variety of data wiping methods available.

    Certified data erasure is the only method that leaves the asset’s hard drive intact for resale or donation. Three swipes is the bare minimum, but seven is recommended for more sensitive data (and required by the US Department of Defense). Data erasure applications may be destructive or non-destructive – both methods overwrite data to make it irretrievable.

    Physical destruction must be done thoroughly, and rigorous testing must be done to verify data irretrievability. Methods such as hand drilling are proven to be unreliable.

    Degaussing uses high-powered magnets to erase hard drives and makes them unusable. This is the most expensive option; degaussing devices can be purchased or rented.

    Info-Tech Best Practice

    Data wiping can be done onsite or can be contracted to an ITAD partner. Using an ITAD partner can ensure greater security at a more affordable price.

    Make data security a primary driver of asset disposition practices

    It is estimated that 10-15% of data loss cases result from insecure asset disposal. Protect yourself by following some simple disposition rules.

    1. Reconcile your data onsite
    • Verify that bills of landing and inventory records match before assets leave. Otherwise, you must take the receiver’s word on shipment contents.
  • Wipe data at least once onsite
    • Do at least one in-house data wipe before the assets leave the site for greater data security.
  • Transport promptly after data wiping
    • Prompt shipment will minimize involvement with the assets, and therefore, cost. Also, the chance of missing assets will drop dramatically.
  • Avoid third-party transport services
    • Reputable ITAD companies maintain strict chain of custody control over assets. Using a third party introduces unnecessary risk.
  • Keep detailed disposition records
    • Records will protect you in the event of an audit, a data loss incident, or an environmental degradation claim. They could save you millions.
  • Wipe all data-carrying items
    • Don’t forget cell phones, fax machines, USB drives, scanners, and printers – they can carry sensitive information that can put the organization at risk.
  • Only partner with insured ITAD vendors
    • You are never completely out of danger with regards to liability, but partnering with an insured vendor is potent risk mitigation.
  • Work these rules into your disposition policy to mitigate data loss risk.

    Support your HAM efforts with a comprehensive disposition policy

    3.2.3 Build a Hardware Asset Disposition Policy

    Implementation of a HAM program is a waste of time if you aren’t going to maintain it. Maintenance requires the implementation of detailed policies, training, and an ongoing commitment to proper management.

    Use Info-Tech’s Hardware Asset Disposition Policy to:

    1. Establish and define clear standards, procedures, and restrictions surrounding disposition.
    2. Ensure continual compliance with applicable data security and environmental legislation.
    3. Assign specific responsibilities to individuals or groups to ensure ongoing adherence to policy standards and that costs or benefits are in line with expectations.

    Phase 3 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Maintain & Dispose

    Proposed Time to Completion: 4 weeks

    Start with an analyst kick-off call:

    • Discuss inventory management best practices.
    • Build process for moves, adds, and changes.
    • Build process for hardware maintenance.
    • Define policies for maintaining asset security.

    Then complete these activities…

    • Build a MAC policy and request form.
    • Build workflows to document user MAC processes.
    • Design processes and policies for hardware maintenance, warranty, and support documentation handling.
    • Build an asset security policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Asset Security Policy

    Step 3.2: Dispose or Redeploy Assets

    Review findings with analyst:

    • Discuss when to dispose vs. redeploy assets.
    • Build process for redeploying vs. disposing of assets.
    • Review ITAD vendors.

    Then complete these activities…

    • Identify challenges with IT asset recovery and disposal.
    • Design hardware asset recovery and disposal workflows.
    • Build a hardware asset disposition policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Asset Recovery Workflow
    • Asset Disposal Workflow
    • Hardware Asset Disposition Policy

    Phase 3 Insight: Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.4 Revise or create an asset security policy

    Discuss asset security challenges within the organization; brainstorm reasons the challenges exist and process changes to address them. Document a new asset security policy.

    3.2.2 Design hardware asset recovery and disposal workflows

    Document each step in the hardware asset recovery and disposal process, including all decision points. Examine challenges and amend the workflow to address them.

    Phase 4

    Plan Budget Process and Build Roadmap

    Implement Hardware Asset Management

    Cisco deployed an enterprise-wide re-education program to implement asset management

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Even though Cisco Systems had designed a comprehensive asset management program, implementing it across the enterprise was another story.

    An effective solution, complete with a process that could be adopted by everyone within the organization, would require extensive internal promotion of cost savings, efficiencies, and other benefits to the enterprise and end users.

    Cisco’s asset management problem was as much a cultural challenge as it was a process challenge.

    Solution

    The ITAM team at Cisco began discussions with departments that had been tracking and managing their own assets.

    These sessions were used as an educational tool, but also as opportunities to gather internal best practices to deploy across the enterprise.

    Eventually, Cisco introduced weekly meetings with global representation to encourage company-wide communication and collaboration.

    Results

    By establishing a process for managing PC assets, we have cut our hardware costs in half.” – Mark Edmonson, Manager – IT Services Expenses

    Cisco reports that although change was difficult to adopt, end-user satisfaction has never been higher. The centralized asset management approach has resulted in better contract negotiations through better data access.

    A reduced number of hardware and software platforms has streamlined tracking and support, and will only drive down costs as time goes on.

    Step 4.1: Plan Hardware Asset Budget

    Phase 4: Plan Budget & Build Roadmap

    4.1 Plan Budget

    4.2 Communicate & Build Roadmap

    This step will walk you through the following activities:

    4.1 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    This step involves the following participants:

    • IT Director
    • Asset Manager
    • Finance Department

    Step Outcomes

    • Know where to find data to budget for hardware needs accurately
    • Learn how to manage a hardware budget
    • Plan hardware asset budget with a budgeting tool

    Gain control of the budget to increase the success of HAM

    A sophisticated hardware asset management program will be able to uncover hidden costs, identify targets for downsizing, save money through redistributing equipment, and improve forecasting of equipment to help control IT spending.

    While some asset managers may not have experience managing budgets, there are several advantages to ITAM owning the hardware budget:

    • Be more involved in negotiating pricing with suppliers.
    • Build better relationships with stakeholders across the business.
    • Forecast requirements more accurately.
    • Inform benchmarks for hardware performance.
    • Gain more responsibility and have a greater influence on purchasing decisions.
    • Directly impact the reduction in IT spend.
    • Manage the asset database more easily and have a greater understanding of hardware needs.
    • Build a continuous rolling refresh.

    Use ITAM data to forecast hardware needs accurately and realistically

    Your IT budget should be realistic, accounting for business needs, routine maintenance, hardware replacement costs, unexpected equipment failures, and associated support and warranty costs. Know where to find the data you need and who to work with to forecast hardware needs as accurately as possible.

    What type of data should I take into account?

    Plan for:

    • New hardware purchases required
      • Planned refreshes based on equipment lifecycle
      • Inventory for break and fix
      • Standard equipment for new hires
      • Non-standard equipment required
      • Hardware for planned projects
      • Implementation and setup costs
      • Routine hardware implementation
      • Large hardware implementation for projects
      • Support and warranty costs

    Take into account:

    • Standard refresh cycle for each hardware asset
    • Amount of inventory to keep on hand
    • Length of time from procurement to inventory
    • Current equipment costs and equipment price increases
    • Equipment depreciation rates and resale profits

    Where do I find the information I need to budget accurately?

    • Work with HR to forecast equipment needs for new hires.
    • Work with the Infrastructure Manager to forecast devices and equipment needed for approved and planned projects.
    • Use the asset management database to forecast hardware refresh and replacement needs based on age and lifecycle.
    • Work with business stakeholders to ensure all new equipment needs are accounted for in the budget.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    4.1.1 Build HAM budget

    This tool is designed to assist in developing and justifying the budget for hardware assets for the upcoming year. The tool will allow you to budget for projects requiring hardware asset purchases as well as equipment requiring refresh and to adjust the budget as needed to accommodate both projects and refreshes. Follow the instructions on each tab to complete the tool.

    The hardware budget should serve as a planning and communications tool for the organization

    The most successful relationships have a common vocabulary. Thus, it is important to translate “tech speak” into everyday language and business goals and initiatives as you plan your budget.

    One of the biggest barriers that infrastructure and operations team face with regards to equipment budgeting is the lack of understanding of IT infrastructure and how it impacts the rest of the organization. The biggest challenge is to help the rest of the organization overcome this barrier.

    There are several things you can do to overcome this barrier:

    • Avoid using technical terms or jargon. Terms many would consider common knowledge, such as “WLAN,” are foreign to many.
    • Don’t assume the business knows how the technology you’re referring to will impact their day-to-day work. You will need to demonstrate it to them.
    • Help the audience understand the business impact of not implementing each initiative. What does this mean for them?
    • Discuss the options on the table in terms of the business value that the hardware can enable. Review how deferring refresh projects can impact user-facing applications, systems, and business unit operations.
    • Present options. If you can’t implement everything on the project list, present what you can do at different levels of funding.

    Info-Tech Insight

    Err on the side of inviting more discussion. Your budgeting process relies on business decision makers and receiving actionable feedback requires an ongoing exchange of information.

    Help users understand the importance of regular infrastructure refreshes

    Getting business users to support regular investments in maintenance relies on understanding and trust. Present the facts in plain language. Provide options, and clearly state the impact of each option.

    Example: Your storage environment is nearing capacity.

    Don’t:

    Explain the project exclusively in technical terms or slang.

    We’re exploring deduping technology as well as cheap solid state, SATA, and tape storage to address capacity.”

    Do:

    • Explain impact in terms that the business can understand.

    Deduplication technology can reduce our storage needs by up to 50%, allowing us to defer a new storage purchase.”

    • Be ready to present project alternatives and impacts.

    Without implementing deduplication technology, we will need to purchase additional storage by the end of the year at an estimated cost of $25,000.”

    • Connect the project to business initiatives and strategic priorities.

    This is a cost-effective technique to increase storage capacity to manage annual average data growth at around 20% per year.

    Step 4.2: Build Communication Plan and Roadmap

    Phase 4: Plan Budget & Build Roadmap

    4.1 Plan Budget

    4.2 Communicate & Build Roadmap

    This step will walk you through the following activities:

    4.2 Develop a HAM implementation roadmap

    This step involves the following participants:

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Step Outcomes

    • Documented end-user hardware asset management policies
    • Communications plan to achieve support from end users and other business units
    • HAM implementation roadmap

    Educate end users through ITAM training to increase program success

    As part of your communication plan and overall HAM implementation, training should be provided to end users within the organization.

    All facets of the business, from management to new hires, should be provided with ITAM training to help them understand their role in the project’s success.

    ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly. Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.

    Management may have priorities that appear to clash with new processes. Engage management by making them aware of the benefits and importance of ITAM. Include the benefits and consequences of not implementing ITAM in your education approach. Encourage them to support efforts by reinforcing your messages to end users.

    New hires should have ITAM training bundled into their onboarding process. Fresh minds are easier to train and the ITAM program will be seen as an organizational standard, not merely a change.

    Policy documents can help summarize end users’ obligations and clarify processes. Consider an IT Resources Acceptable UsePolicy.

    "The lowest user is the most important user in your asset management program. New employees are your most important resource. The life cycle of the assets will go much smoother if new employees are brought on board." – Tyrell Hall, ITAM Program Coordinator

    Info-Tech Insight

    During training, you should present the material through the lens of “what’s in it for me?” Otherwise, you risk alienating end users through implementing organizational change viewed as low value.

    Include policy design and enforcement in your communication plan

    • Hardware asset management policies should define the actions to be taken to protect and preserve technology assets from failure, loss, destruction, theft, or damage.
    • Implementing asset management policies enforces the notion that the organization takes its IT assets and the management of them seriously, and will help ensure the benefits of ITAM are achieved.
    • Designing, approving, documenting, and adopting one set of standard ITAM policies for each department to follow will ensure the processes are enforced equally across the organization.
    • Good ITAM policies answer the “what, how, and why” of IT asset management, provide the means for ITAM governance, and provide a basis for strategy and decision making.

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.

    Use Info-Tech’s policy templates to build HAM policies

    4.2.1 Build HAM policies

    Use these HAM policy templates to get started:

    Information Technology Standards Policy

    This policy establishes standards and guidelines for a company’s information technology environment to ensure the confidentiality, integrity, and availability of company computing resources.

    Desktop Move/Add/Change Policy

    This desktop move/add/change policy is put in place for users to request to change their desktop computing environments. This policy applies configuration changes within a company.

    Purchasing Policy

    The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    Hardware Asset Disposition Policy

    This policy assists in creating guidelines around disposition in the last stage of the asset lifecycle.

    Additional policy templates

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but modify and adapt them to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation from the committees and departments to whom it will pertain.

    Create a communication plan to achieve end-user support and adherence to policies

    Communication is crucial to the integration and overall implementation of your ITAM program. An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Use the variety of components as part of your communication plan in order to reach the organization.

    1. Advertise successes.
    • Regularly demonstrate the value of the ITAM program with descriptive statistics focused on key financial benefits.
    • Share data with the appropriate personnel; promote success to obtain further support from senior management.
  • Report and share asset data.
    • Sharing detailed asset-related reports frequently gives decision makers useful data to aid in their strategy.
    • These reports can help your organization prepare for audits, adjust asset budgeting, and detect unauthorized assets.
  • Communicate the value of ITAM.
    • Educate management and end users about how they fit into the bigger picture.
    • Individuals need to know that their behaviors can adversely affect data quality and, ultimately, lead to better decision making.
  • Develop a communication plan to convey the right messages

    4.2.2 Develop a communication plan to convey the right messages

    Participants

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Document

    Document in the HAM Communication Plan

    1. Identify the groups that will be affected by the HAM program as those who will require communication.
    2. For each group requiring a communication plan, identify the following:
    • Benefits of HAM for that group of individuals (e.g. better data, security).
    • The impact the change will have on them (e.g. change in the way a certain process will work).
    • Communication method (i.e. how you will communicate).
    • Timeframe (i.e. when and how often you will communicate the changes).
  • Complete this information in a table like the one below and document in the Communication Plan.
  • Group Benefits Impact Method Timeline
    Service Desk Improve end-user device support Follow new processes Email campaign 3 months
    Executives Mitigate risks, better security, more data for reporting Review and sign off on policies
    End Users Smoother request process Adhere to device security and use policies
    Infrastructure Faster access to data and one source of truth Modified processes for centralized procurement and inventory

    Implement ITAM in a phased, constructive approach

    • One of the most difficult decisions to make when implementing ITAM is: “where do we start?”
    • The pyramid to the right mirrors Maslow’s hierarchy of needs. The base is the absolute bare minimum that should be in place, and each level builds upon the previous one.
    • As you track up the pyramid, your ITAM program will become more and more mature.

    Now that your asset lifecycle environment has been constructed in full, it’s time to study it. Gather data about your assets and use the results to create reports and new solutions to continually improve the business.

    • Asset Data
    • Asset Protection: safely protect and dispose of assets once they are mass distributed throughout your organization.
    • Asset Distribution: determine standards for asset provisioning and asset inventory strategy.
    • Asset Gathering: define what assets you will procure, distribute, and track. Classifying your assets by tier will allow you to make decisions as you progress up the pyramid.

    ↑ ITAM Program Maturity

    Integrate your HAM program into the organization to assist its implementation

    The HAM program cannot perform on its own – it must be integrated with other functional areas of the organization in order to maintain its stability and support.

    • Effective IT asset management is supported by a comprehensive set of processes as part of its implementation.
    • For example, integration with the purchasing/procurement team is required to gather hardware and software purchase data to control asset costs and mitigate software license compliance risk.
    • Integration with Finance is required to support internal cost allocations and charge backs.

    To integrate your ITAM program into your organization effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” in order to demonstrate success to the business early and gain buy-in from your team. Long-term goals should be designed that will be supported by the outcomes of the short-term gains of your ITAM program.

    Short-term goal Long-term goal
    Identify inventory classification and tool (hardware first) Hardware contract data integration (warranty, maintenance, lease)
    Create basic ITAM policies and processes Continual improvement through policy impact review and revision
    Implement ITAM auto-discovery tools Software compliance reports, internal audits

    Info-Tech Insight

    Installing an ITAM tool does not mean you have an effective asset management program. A complete solution needs to be built around your tool, but the strength of ITAM comes from processes embedded in the organization that are shaped and supported by your ITAM data.

    Develop an IT hardware asset management implementation roadmap

    4.2.3 Develop a HAM implementation roadmap

    Participants

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Document

    Document in the IT Hardware Asset Management Implementation Roadmap

    1. Identify up to five streams to work on initiatives for the hardware asset management project.
    2. Fill out key tasks and objectives for each process. Assign responsibility for each task.
    3. Select a start date and end date for each task. See tab 1 of the tool for instructions on which letters to input for each stage of the process.
    4. Once your list is complete, open tab 3 of the tool to see your completed sunshine diagram.
    5. Keep this diagram visible for your team and use it as a guide to task completion as you work towards your future-state value stream.

    Focus on continual improvement to sustain your ITAM program

    Periodically review the ITAM program in order to achieve defined goals, objectives, and benefits.

    Act → Plan → Do → Check

    Once ITAM is in place in your organization, a focus on continual improvement creates the following benefits:

    • Remain in sync with the business: your asset management program reflects the current and desired future states of your organization at the time of its creation. But the needs of the business change. As mentioned previously, asset management is a dynamic process, so in order for your program to keep pace, a focus on continual improvement is needed.
      • For example, imagine if your organization had designed your ITAM program before cloud-based solutions were an option. What if your asset classification scheme did not include personal devices or tablets or your asset security policy lacked a section on BYOD?
    • Create funding for new projects through ITAM continual improvement: one of the goals is to save money through more efficient use of your assets by “sweating” out underused hardware and software.
      • It may be tempting to simply present the results to Finance as savings, but instead, describe the results as “available funds for other projects.” Otherwise, Finance may view the savings as a nod to restrict IT’s budget and allocate funds elsewhere. Make it clear that any saved funds are still required, albeit in a different capacity.

    Info-Tech Best Practice

    Look for new uses for ITAM data. Ask management what their goals are for the next 12-18 months. Analyze the data you are gathering and determine how your ITAM data can assist with achieving these goals.

    Phase 4 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Step 4.1: Plan Budget

    Start with an analyst kick-off call:

    • Know where to find data to budget for hardware needs accurately.
    • Learn how to manage a hardware budget.

    Then complete these activities…

    • Plan hardware asset budget.

    With these tools & templates:

    HAM Budgeting Tool

    Step 4.2: Communicate & Roadmap

    Review findings with analyst:

    • Develop policies for end users.
    • Build communications plan.
    • Build an implementation roadmap.

    Then complete these activities…

    • Build HAM policies.
    • Develop a communication plan.
    • Develop a HAM implementation roadmap.

    With these tools & templates:

    HAM policy templates

    HAM Communication Plan

    HAM Implementation Roadmap

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1.1 Build a hardware asset budget

    Review upcoming hardware refresh needs and projects requiring hardware purchases. Use this data to forecast and budget equipment for the upcoming year.

    4.2.2 Develop a communication plan

    Identify groups that will be affected by the new HAM program and for each group, document a communications plan.

    Insight breakdown

    Overarching Insights

    HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.

    ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.

    Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.

    Phase 1 Insight

    For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.

    Phase 2 Insight

    Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.

    Phase 3 Insight

    Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.

    Phase 4 Insight

    Deploying a fancy ITAM tool will not make hardware asset management implementation easier. Implementation is a project that requires you focus on people and process first – the technology comes after.

    Related Info-Tech research

    Implement Software Asset Management

    Build an End-User Computing Strategy

    Find the Value – and Remain Valuable – With Cloud Asset Management

    Consolidate IT Asset Management

    Harness Configuration Management Superpowers

    IT Asset Management Market Overview

    Bibliography

    Chalkley, Martin. “Should ITAM Own Budget?” The ITAM Review. 19 May 2011. Web.

    “CHAMP: Certified Hardware Asset Management Professional Manual.” International Association of Information Technology Asset Managers, Inc. 2008. Web.

    Foxen, David. “The Importance of Effective HAM (Hardware Asset Management).” The ITAM Review. 19 Feb. 2015. Web.

    Foxen, David. “Quick Guide to Hardware Asset Tagging.” The ITAM Review. 5 Sep. 2014. Web.

    Galecki, Daniel. “ITAM Lifecycle and Savings Opportunities – Mapping out the Journey.” International Association of IT Asset Managers, Inc. 16 Nov. 2014. Web.

    “How Cisco IT Reduced Costs Through PC Asset Management.” Cisco IT Case Study. 2007. Web.

    Irwin, Sherry. “ITAM Metrics.” The ITAM Review. 14 Dec. 2009. Web.

    “IT Asset and Software Management.” ECP Media LLC, 2006. Web.

    Rains, Jenny. “IT Hardware Asset Management.” HDI Research Brief. May 2015. Web.

    Riley, Nathan. “IT Asset Management and Tagging Hardware: Best Practices.” Samanage Blog. 5 March 2015. Web.

    “The IAITAM Practitioner Survey Results for 2016 – Lean Toward Ongoing Value.” International Association of IT Asset Managers, Inc. 24 May 2016. Web.

    Unify a Mixed Methodology Portfolio

    • Buy Link or Shortcode: {j2store}441|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As portfolio manager, you oversee a portfolio made up of projects using different types of planning and execution methodologies – from traditional Waterfall, to Agile, to hybrid approaches and beyond. The discontinuity between reporting metrics and funding models makes a holistic and perpetually actionable view of the portfolio elusive.
    • Agile’s influence is growing within the organization’s project ecosystem. Even projects that don’t formally use Agile methods often adopt agile tendencies, such as mitigating risk with shorter, more iterative development cycles and increasing collaboration with stakeholders. While this has introduced efficiencies at the project level, it has not translated into business agility, with decision makers still largely playing a passive role in terms of steering the portfolio.
    • Senior management still expects traditional commitments and deadlines, not “sprints” and “velocity.” The reluctance of many Agile purists to adhere to traditional timeline, budget, and scope commitments is not making Agile a particularly popular conversation topic among the organization’s decision-making layer.
    • As portfolio manager, it’s your job to unify these two increasingly fragmented worlds into a unified portfolio.

    Our Advice

    Critical Insight

    • As Agile’s influence grows and project methodologies morph and proliferate, a more engaged executive layer is required than what we see in a traditional portfolio approach. Portfolio owners have to decide what gets worked on at a regular cadence.
    • What’s the difference? In the old paradigm, nobody stopped the portfolio owners from approving too much. Decisions were based on what should be done, rather than what could get done in a given period, with the resources available.
    • The engaged portfolio succeeds by making sure that the right people work on the right things as much as possible. The portfolio owner plays a key, ongoing role in identifying the work that needs to be done, and the portfolio managers optimize the usage of resources.

    Impact and Result

    • Establish universal control points. While the manager of a mixed methodology portfolio doesn’t need to enforce a standardized project methodology, she or he does need to establish universal control points for both intake and reporting at the portfolio level. Use this research to help you define a sustainable process that will work for all types of projects.
    • Scale the approvals process. For a mixed methodology portfolio to work, the organization needs to reconcile different models for approving and starting projects. This blueprint will help you define a right-sized intake process and decision-making paradigm for sprints and project phases alike.
    • Foster ongoing executive engagement. Mixed methodology success is contingent on regular and ongoing executive engagement. Use the tools and templates associated with this blueprint to help get buy-in and commitment upfront, and then to build out portfolio reports and dashboard that will help keep the executive layer informed and engaged long term.

    Unify a Mixed Methodology Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should consider an Engaged Agile Portfolio approach, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Get portfolio commitments

    Assess the current state of the portfolio and ensure that portfolio owners and other stakeholders are onboard before you move forward to develop and implement new portfolio processes.

    • Unify a Mixed Methodology Portfolio – Phase 1
    • Mixed Methodology Portfolio Analyzer
    • Mixed Methodology Portfolio Strategy Template
    • Mixed Methodology Portfolio Stakeholder Survey Tool

    2. Define your portfolio processes

    Wireframe standardized portfolio processes for all project methodologies to follow.

    • Unify a Mixed Methodology Portfolio – Phase 2
    • Agile Portfolio Sprint Prioritization Tool
    • Project Methodology Assessment Tool

    3. Implement your processes

    Pilot your new portfolio processes and decision-making paradigm. Then, execute a change impact analysis to inform your communications strategy and implementation plan.

    • Unify a Mixed Methodology Portfolio – Phase 3
    • Process Pilot Plan Template
    • Intake and Prioritization Impact Analysis Tool
    • Resource Management Impact Analysis Tool
    [infographic]

    Workshop: Unify a Mixed Methodology Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Current State of the Portfolio

    The Purpose

    Determine the current state of your project execution and portfolio oversight practices.

    Align different types of projects within a unified portfolio.

    Define the best roles and engagement strategies for individual stakeholders as you transition to an Engaged Agile Portfolio.

    Key Benefits Achieved

    A current state understanding of project and portfolio management challenges.

    Bolster the business case for developing an Engaged Agile Portfolio.

    Increase stakeholder and team buy-in.

    Activities

    1.1 Calculate the size of your portfolio in human resource hours.

    1.2 Estimate your project sizes and current project methodology mix.

    1.3 Document the current known status of your in-flight projects.

    1.4 Perform a project execution portfolio oversight survey.

    Outputs

    Your portfolio’s project capacity in resource hours.

    Better understanding of project demand and portfolio mix.

    Current state visibility.

    An objective assessment of current areas of strengths and weaknesses.

    2 Define Your Portfolio Processes

    The Purpose

    Objectively and transparently approve, reject, and prioritize projects.

    Prioritize work to start and stop on a sprint-by-sprint basis.

    Maintain a high frequency of accurate reporting.

    Assess and report the realization of project benefits.

    Key Benefits Achieved

    Improve timeliness and accuracy of project portfolio reporting.

    Make better, faster decisions about when to start and stop work on different projects.

    Increase stakeholder satisfaction.

    Activities

    2.1 Develop a portfolio intake workflow.

    2.2 Develop a prioritization scorecard and process.

    2.3 Establish a process to estimate sprint demand and resource supply.

    2.4 Develop a process to estimate sprint value and necessity.

    Outputs

    An intake workflow.

    A prioritization scorecard and process.

    A process to estimate sprint demand and resource supply.

    A process to estimate sprint value and necessity.

    3 Implement Your Processes

    The Purpose

    Analyze the potential change impacts of your new portfolio processes and how they will be felt across the organization.

    Develop an implementation plan to ensure strategy buy-in.

    Key Benefits Achieved

    A strategic and well-planned approach to process implementation.

    Activities

    3.1 Analyze change impacts of new portfolio processes.

    3.2 Prepare a communications plan based upon change impacts.

    3.3 Develop an implementation plan.

    3.4 Present new portfolio processes to portfolio owners.

    Outputs

    A change impact analysis.

    A communications plan.

    An implementation plan.

    Portfolio strategy buy-in.

    Modernize Enterprise Storage

    • Buy Link or Shortcode: {j2store}538|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Current storage solutions are nearing end of life, performance or capacity limits.
    • Data continues to grow at an exponential rate, and management complexity is growing even faster. Some kinds of data, like unstructured data, are leading factors in the exponential growth of data.
    • Emerging storage technologies and storage software/automation are disrupting the market and redefining the role of disk arrays, including how storage aligns with people and process.
    • Storage infrastructure budgets are not satisfying the exponential growth of data.

    Our Advice

    Critical Insight

    • Start with the data, not storage. Answer what is being stored and why before investigating the where and how of storage solutions.
    • Governance and archiving are not IT projects. These can have tremendous benefits for managing data growth but must involve the larger business.
    • More capacity is not a long-term solution. Data is growing faster than decreasing storage costs. Data and capacity mitigation strategies will help in more effective and efficient infrastructure utilization and cost reduction.

    Impact and Result

    • It’s about the data. Start with what is being supported and why. Decide on what and how data is stored before you decide on where. Let the needs of your workloads and governance requirements of your business drive your storage infrastructure decisions and the technologies you adopt.
    • Identify current and future capacity needs for current and future data drivers. Evaluating the ability of current infrastructure to meet these needs will help you discover necessary additions to meet these requirements.
    • Identify governance requirements and constraints that exist across the organization and are specific to workloads. Technology has to conform to these requirements and constraints, not the other way around.
    • Align people and process with technology changes. To effectively utilize the changes in storage, appropriate changes must be made to existing people and process.

    Modernize Enterprise Storage Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize enterprise storage, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the case for storage modernization

    Develop the business case for modernizing storage and assess your existing infrastructure for meeting data needs.

    • Modernize Enterprise Storage – Phase 1: Build the Case for Storage Modernization
    • Modernize Enterprise Storage Workbook

    2. Develop your storage technology needs and goals

    Review data governance, explore emerging storage technologies, and identify current and future storage needs.

    • Modernize Enterprise Storage – Phase 2: Develop Your Storage Technology Needs and Goals
    • Evaluate Hyperconverged Infrastructure for Your Infrastructure Roadmap
    • Evaluate Software-Defined Storage Solutions for Your Infrastructure Roadmap
    • Evaluate All Flash in Primary Storage for Your Infrastructure Roadmap
    • Infrastructure Roadmap Technology Assessment Tool

    3. Develop and communicate the roadmap, TCO, and RFP

    Communicate the roadmap with people, process, and technology initiatives, develop an RFP, and conduct a TCO.

    • Modernize Enterprise Storage – Phase 3: Develop and Communicate the Roadmap and RFP
    • Modernize Enterprise Storage Communications Report
    [infographic]

    Workshop: Modernize Enterprise Storage

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Business Case and Assess Current State

    The Purpose

    Identify a business case and need for storage modernization by assessing current and future storage needs.

    Key Benefits Achieved

    A clear understanding of the business expectations and needs of storage infrastructure.

    Activities

    1.1 Identify current storage pain points.

    1.2 Discuss storage modernization drivers.

    1.3 Identify data growth drivers.

    1.4 Determine relative growth burden.

    Outputs

    Alignment of storage modernization with organizational pain points

    Desired outcomes of storage modernization

    An understanding of growth impact across drivers

    An understanding of capacity and expansion needs

    2 Review Governance and Emerging Technologies

    The Purpose

    Review existing data governance.

    Explore emerging technologies and trends in the storage space.

    Key Benefits Achieved

    Review data governance objectives that must be met.

    Identify a shortlist of storage technologies and trends that may be of interest.

    Activities

    2.1 Shortlist interest in storage technologies.

    2.2 Prioritize shortlist of storage technologies.

    2.3 Identify solutions that meet data and governance needs.

    Outputs

    A starting point for research into new and emerging storage technologies

    Expressed interest in adopting storage technologies

    A list of storage solutions needed to deliver on future data and governance needs

    3 Identify Storage Needs and Develop Initiatives

    The Purpose

    Identify the people, process, and technology initiatives required to adopt new storage technologies.

    Key Benefits Achieved

    Align your organizational people and process with new and disruptive technologies to best take advantage of what these new technologies have to offer.

    Activities

    3.1 Complete future storage structure planning tool.

    3.2 Identify storage modernization technology initiatives.

    3.3 Identify storage modernization people initiatives.

    3.4 Identify storage modernization process initiatives.

    Outputs

    A understanding of the future state of your storage infrastructure

    Technology initiatives needed to adopt storage structure

    People initiatives needed to adopt storage structure

    Process initiatives needed to adopt storage structure

    4 Build a Roadmap and RFP, Calculate TCO

    The Purpose

    Develop an executive communications report.

    Conduct a TCO analysis comparing on-premises and cloud storage solutions.

    Key Benefits Achieved

    Communicate storage modernization goals and plans to stakeholders.

    Activities

    4.1 Prioritize storage modernization initiatives.

    4.2 Complete project timeline and build roadmap.

    4.3 Compare TCO of on-premises and cloud storage solutions.

    Outputs

    Alignment of people, process, and technology with storage adoption

    Communicate storage modernization goals and plans to stakeholders and executives

    Compare cost of on-premises and cloud storage alternatives

    Optimize the Mentoring Program to Build a High-Performing Learning Organization

    • Buy Link or Shortcode: {j2store}596|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Employee Development
    • Parent Category Link: /train-and-develop
    • Many organizations have introduced mentoring programs without clearly defining and communicating the purpose and goals around having a program; they simply jumped on the mentoring bandwagon.
    • As a result, these programs have little impact. They don’t add value for mentors, mentees, or the organization.
    • It can be difficult to design a program that is well-suited to your organization, will be adopted by employees, and will drive the results you are looking for.
    • In particular, it is difficult to successfully match mentors and mentees so both derive maximum value from the endeavor.

    Our Advice

    Critical Insight

    • As workforce composition shifts, there is a need for mentoring programs to move beyond the traditional senior–junior format option; organizational culture and goals will dictate the best approach.
    • An organization’s mentoring program doesn’t need to be restricted to one format; individual preferences and goals should also factor in. Be open to choosing format on a case-by-case basis.
    • Be sure to gain upper management buy-in and support early to ensure mentoring becomes a valued part of your organization.
    • Ensure that goal setting, communication, ongoing support for participants, and evaluation all play a role in your mentoring program.

    Impact and Result

    • Mentoring can have a significant positive impact on mentor, mentee, and organization.
    • Mentees gain guidance and advice on their career path and skill development. Mentors often experience re-engagement with their job and the satisfaction of helping another person.
    • Mentoring participants benefit from obtaining different perspectives of both the business and work-related problems. Participation in a mentoring program has been linked to greater access to promotions, pay raises, and increased job satisfaction.
    • Mentoring can have a number of positive outcomes for the organization, including breaking down silos, transferring institutional knowledge, accelerating leadership skills, fostering open communication and dialogue, and resolving conflict.

    Optimize the Mentoring Program to Build a High-Performing Learning Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Align the mentoring program with the organizational culture and goals

    Build a best-fit program that creates a learning culture.

    • Storyboard: Optimize the Mentoring Program to Build a High Performing Learning Organization

    2. Assess the organizational culture and current mentoring program

    Align mentoring practices with culture to improve the appropriateness and effectiveness of the program.

    • Mentoring Program Diagnostic

    3. Align mentoring practices with culture to improve the appropriateness and effectiveness of the program.

    Track project progress and have all program details defined in a central location.

    • Mentoring Project Plan Template
    • Peer Mentoring Guidelines
    • Mentoring Program Guidelines

    4. Gather feedback from the mentoring program participants

    Evaluate the success of the program.

    • Mentoring Project Feedback Surveys Template

    5. Get mentoring agreements in place

    Improve your mentoring capabilities.

    • Mentee Preparation Checklist
    • Mentoring Agreement Template
    [infographic]

    Create a Holistic IT Dashboard

    • Buy Link or Shortcode: {j2store}117|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $8,049 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • IT leaders do not have a single holistic view of how their 45 IT processes are operating.
    • Expecting any single individual to understand the details of all 45 IT processes is unrealistic.
    • Problems in performance only become evident when the process has already failed.

    Our Advice

    Critical Insight

    • Mature your IT department by measuring what matters.
    • Don’t measure things just because you can; change what you measure as your organization matures.

    Impact and Result

    • Use Info-Tech’s IT Metrics Library to review typical KPIs for each of the 45 process areas and select those that apply to your organization.
    • Configure your IT Management Dashboard to record your selected KPIs and start to measure performance.
    • Set up the cadence for review of the KPIs and develop action plans to improve low-performing indicators.

    Create a Holistic IT Dashboard Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to develop your KPI program that leads to improved performance.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Choose the KPIs

    Identify the KPIs that matter to your organization’s goals.

    • Create a Holistic IT Dashboard – Phase 1: Choose the KPIs
    • IT Metrics Library

    2. Build the Dashboard

    Use the IT Management Dashboard on the Info-Tech website to display your chosen KPIs.

    • Create a Holistic IT Dashboard – Phase 2: Build the Dashboard

    3. Create the Action Plan

    Use the review of your KPIs to build an action plan to drive performance.

    • Create a Holistic IT Dashboard – Phase 3: Build the Action Plan
    [infographic]

    Workshop: Create a Holistic IT Dashboard

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify What to Measure (Offsite)

    The Purpose

    Determine the KPIs that matter to your organization.

    Key Benefits Achieved

    Identify organizational goals

    Identify IT goals and their organizational goal alignment

    Identify business pain points

    Activities

    1.1 Identify organizational goals.

    1.2 Identify IT goals and organizational alignment.

    1.3 Identify business pain points.

    Outputs

    List of goals and pain points to create KPIs for

    2 Configure the Dashboard Tool (Onsite)

    The Purpose

    Learn how to configure and use the IT Management Dashboard.

    Key Benefits Achieved

    Configured IT dashboard

    Initial IT scorecard report

    Activities

    2.1 Review metrics and KPI best practices.

    2.2 Use the IT Metrics Library.

    2.3 Select the KPIs for your organization.

    2.4 Use the IT Management Dashboard.

    Outputs

    Definition of KPIs to be used, data sources, and ownership

    Configured IT dashboard

    3 Review and Develop the Action Plan

    The Purpose

    Learn how to review and plan actions based on the KPIs.

    Key Benefits Achieved

    Lead KPI review to actions to improve performance

    Activities

    3.1 Create the scorecard report.

    3.2 Interpret the results of the dashboard.

    3.3 Use the IT Metrics Library to review suggested actions.

    Outputs

    Initial IT scorecard report

    Action plan with initial actions

    4 Improve Your KPIs (Onsite)

    The Purpose

    Use your KPIs to drive performance.

    Key Benefits Achieved

    Improve your metrics program to drive effectiveness

    Activities

    4.1 Develop your action plan.

    4.2 Execute the plan and tracking progress.

    4.3 Develop new KPIs as your practice matures.

    Outputs

    Understanding of how to develop new KPIs using the IT Metrics Library

    5 Next Steps and Wrap-Up (Offsite)

    The Purpose

    Ensure all documentation and plans are complete.

    Key Benefits Achieved

    Documented next steps

    Activities

    5.1 Complete IT Metrics Library documentation.

    5.2 Document decisions and next steps.

    Outputs

    IT Metrics Library

    Action plan

    Further reading

    Create a Holistic IT Dashboard

    Mature your IT department by measuring what matters.

    Executive Brief

    Analyst Perspective

    Measurement alone provides only minimal improvements

    It’s difficult for CIOs and other top-level leaders of IT to know if everything within their mandate is being managed effectively. Gaining visibility into what’s happening on the front lines without micromanaging is a challenge most top leaders face.

    Understanding Info-Tech’s Management and Governance Framework of processes that need to be managed and being able to measure what’s important to their organization's success can give leaders the ability to focus on their key responsibilities of ensuring service effectiveness, enabling increased productivity, and creating the ability for their teams to innovate.

    Even if you know what to measure, the measurement alone will lead to minimal improvements. Having the right methods in place to systematically collect, review, and act on those measurements is the differentiator to driving up the maturity of your IT organization.

    The tools in this blueprint can help you identify what to measure, how to review it, and how to create effective plans to improve performance.

    Tony Denford

    Research Director, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • IT leaders do not have a single holistic view of how their IT processes are operating.
    • Expecting any single individual to understand the details of all IT processes is unrealistic.
    • Problems in performance only become evident when the process has already failed.

    Common Obstacles

    • Business changes quickly, and what should be measured changes as a result.
    • Most measures are trailing indicators showing past performance.
    • Measuring alone does not result in improved performance.
    • There are thousands of operational metrics that could be measured, but what are the right ones for an overall dashboard?

    Info-Tech's Approach

    • Use Info-Tech’s IT Metrics Library to review typical KPIs for each of the process areas and select those that apply to your organization.
    • Configure your IT Management Dashboard to record your selected KPIs and start to measure performance.
    • Set up the cadence for review of the KPIs and develop action plans to improve low-performing indicators.

    Info-Tech Insight

    Mature your IT department by aligning your measures with your organizational goals. Acting early when your KPIs deviate from the goals leads to improved performance.

    Your challenge

    This research is designed to help organizations quickly choose holistic measures, review the results, and devise action plans.

    • The sheer number of possible metrics can be overwhelming. Choose metrics from our IT Metrics Library or choose your own, but always ensure they are in alignment with your organizational goals.
    • Ensure your dashboard is balanced across all 45 process areas that a modern CIO is responsible for.
    • Finding leading indicators to allow your team to be proactive can be difficult if your team is focused on the day-to-day operational tasks.
    • It can be time consuming to figure out what to do if an indicator is underperforming.

    Build your dashboard quickly using the toolset in this research and move to improvement actions as soon as possible.

    The image is a bar graph, titled KPI-based improvements. On the X-axis are four categories, each with one bar for Before KPIs and another for After KPIs. The categories are: Productivity; Fire Incidents; Request Response Time; and Savings.

    Productivity increased by 30%

    Fire/smoke incidents decreased by 25% (high priority)

    Average work request response time reduced by 64%

    Savings of $1.6 million in the first year

    (CFI, 2013)

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • What should be measured can change over time as your organization matures and the business environment changes. Understanding what creates business value for your organization is critical.
    • Organizations almost always focus on past result metrics. While this is important, it will not indicate when you need to adjust something until it has already failed.
    • It’s not just about measuring. You also need to review the measures often and act on the biggest risks to your organization to drive performance.

    Don’t get overwhelmed by the number of things you can measure. It can take some trial and error to find the measures that best indicate the health of the process.

    The importance of frequent review

    35% - Only 35% of governing bodies review data at each meeting. (Committee of University Chairs, 2008)

    Common obstacles

    Analysis paralysis

    Poor data can lead to incorrect conclusions, limit analysis, and undermine confidence in the value of your dashboard.

    Achieving perfect data is extremely time consuming and may not add much value. It can also be an excuse to avoid getting started with metrics and analytics.

    Data quality is a struggle for many organizations. Consider how much uncertainty you can tolerate in your analysis and what would be required to improve your data quality to an acceptable level. Consider cost, technological resources, people resources, and time required.

    Info-Tech Insight

    Analytics are only as good as the data that informs it. Aim for just enough data quality to make informed decisions without getting into analysis paralysis.

    Common obstacles

    The problem of surrogation

    Tying KPIs and metrics to performance often leads to undesired behavior. An example of this is the now infamous Wells Fargo cross-selling scandal, in which 3.5 million credit card and savings accounts were opened without customers’ consent when the company incented sales staff to meet cross-selling targets.

    Although this is an extreme example, it’s an all-too-common phenomenon.

    A focus on the speed of closure of tickets often leads to shortcuts and lower-quality solutions.

    Tying customer value to the measures can align the team on understanding the objective rather than focusing on the measure itself, and the team will no longer be able to ignore the impact of their actions.

    Surrogation is a phenomenon in which a measure of a behavior replaces the intent of the measure itself. People focus on achieving the measure instead of the behavior the measure was intended to drive.

    Info-Tech’s thought model

    The Threefold Role of the IT Executive Core CIO Objectives
    IT Organization - Manager A - Optimize the Effectiveness of the IT Organization
    Enterprise - Partner B - Boost the Productivity of the Enterprise
    Market - Innovator C - Enable Business Growth Through Technology

    Low-Maturity Metrics Program

    Trailing indicators measure the outcomes of the activities of your organization. Hopefully, the initiatives and activities are aligned with the organizational goals.

    High-Maturity Metrics Program

    The core CIO objectives align with the organizational goals, and teams define leading indicators that show progress toward those goals. KPIs are reviewed often and adjustments are made to improve performance based on the leading indicators. The results are improved outcomes, greater transparency, and increased predictability.

    The image is a horizontal graphic with multiple text boxes. The first (on the left) is a box that reads Organizational Goals, second a second box nested within it that reads Core CIO Objectives. There is an arrow pointing from this box to the right. The arrow connects to a text box that reads Define leading indicators that show progress toward objectives. To the right of that, there is a title Initiatives & activities, with two boxes beneath it: Processes and Projects. Below this middle section, there is an arrow pointing left, with the text: Adjust behaviours. After this, there is an arrow pointing right, to a box with the title Outcomes, and the image of an unlabelled bar graph.

    Info-Tech’s approach

    Adopt an iterative approach to develop the right KPIs for your dashboard

    Periodically: As appropriate, review the effectiveness of the KPIs and adjust as needed.

    Frequently: At least once per month, but the more frequent, the more agility your organization will have.

    The image shows a series of steps in a process, each connected by an arrow. The process is iterative, so the steps circle back on themselves, and repeat. The process begins with IT Metrics Library, then Choose or build KPIs, then Build Dashboard, then Review KPIs and Create action plan. Review KPIs and Create action plan are steps that the graphic indicates should be repeated, so the arrows are arranged in a circle around these two items. Following that, there is an additional step: Are KPIs and action plans leading to improved results? After this step, we return to the Choose or build KPIs step.

    The Info-Tech difference:

    1. Quickly identify the KPIs that matter to your organization using the IT Metrics Library.
    2. Build a presentable dashboard using the IT Management Dashboard available on the Info-Tech website.
    3. When indicators show underperformance, quickly get them back on track using the suggested research in the IT Metrics Library.
    4. If your organization’s needs are different, define your own custom metrics using the same format as the IT Metrics Library.
    5. Use the action plan tool to keep track of progress

    Info-Tech’s methodology for creating a holistic IT dashboard

    1. Choose the KPIs 2. Build the Dashboard 3. Create the Action Plan
    Phase Steps
    1. Review available KPIs
    2. Select KPIs for your organization
    3. Identify data sources and owners
    1. Understand how to use the IT Management Dashboard
    2. Build and review the KPIs
    1. Prioritize low-performing indicators
    2. Review suggested actions
    3. Develop your action plan
    Phase Outcomes A defined and documented list of the KPIs that will be used to monitor each of the practice areas in your IT mandate A configured dashboard covering all the practice areas and the ability to report performance in a consistent and visible way An action plan for addressing low-performing indicators

    Insight summary

    Mature your IT department by aligning your measures with your organizational goals. Acting early when your KPIs deviate from the goals leads to improved performance.

    Don’t just measure things because you can. Change what you measure as your organization becomes more mature.

    Select what matters to your organization

    Measure things that will resolve pain points or drive you toward your goals.

    Look for indicators that show the health of the practice, not just the results.

    Review KPIs often

    Ease of use will determine the success of your metrics program, so keep it simple to create and review the indicators.

    Take action to improve performance

    If indicators are showing suboptimal performance, develop an action plan to drive the indicator in the right direction.

    Act early and often.

    Measure what your customers value

    Ensure you understand what’s valued and measure whether the value is being produced. Let front-line managers focus on tactical measures and understand how they are linked to value.

    Look for predictive measures

    Determine what action will lead to the desired result and measure if the action is being performed. It’s better to predict outcomes than react to them.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Metrics Library

    Customize the KPIs for your organization using the IT Metrics Library

    IT Metrics Library Action Plan

    Keep track of the actions that are generated from your KPI review

    Key deliverable:

    IT Management Dashboard and Scorecard

    The IT Overall Scorecard gives a holistic view of the performance of each IT function

    Blueprint benefits

    IT Benefits

    • An IT dashboard can help IT departments understand how well they are performing against key indicators.
    • It can allow IT teams to demonstrate to their business partners the areas they are focusing on.
    • Regular review and action planning based on the results will lead to improved performance, efficiency, and effectiveness.
    • Create alignment of IT teams by focusing on common areas of performance.

    Business Benefits

    • Ensure alignment and transparency between the business and IT.
    • Understand the value that IT brings to the operation and strategic initiatives of your organization.
    • Understand the contribution of the IT team to achieving business outcomes.
    • Focus IT on the areas that are important to you by requesting new measures as business needs change.

    Measure the value of this blueprint

    Utilize the existing IT Metrics Library and IT Dashboard tools to quickly kick off your KPI program

    • Developing the metrics your organization should track can be very time consuming. Save approximately 120 hours of effort by choosing from the IT Metrics Library.
    • The need for a simple method to display your KPIs means either developing your own tool or buying one off the shelf. Use the IT Management Dashboard to quickly get your KPI program up and running. Using these tools will save approximately 480 hours.
    • The true value of this initiative comes from using the KPIs to drive performance.

    Keeping track of the number of actions identified and completed is a low overhead measure. Tracking time or money saved is higher overhead but also higher value.

    The image is a screen capture of the document titled Establish Baseline Metrics. It shows a table with the headings: Metric, Current, Goal.

    The image is a chart titled KPI benefits. It includes a legend indicating that blue bars are for Actions identified, purple bars are for Actions completed, and the yellow line is for Time/money saved. The graph shows Q1-Q4, indicating an increase in all areas across the quarters.

    Executive Brief Case Study

    Using data-driven decision making to drive stability and increase value

    Industry: Government Services

    Source: Info-Tech analyst experience

    Challenge

    A newly formed application support team with service desk responsibilities was becoming burned out due to the sheer volume of work landing on their desks. The team was very reactive and was providing poor service due to multiple conflicting priorities.

    To make matters worse, there was a plan to add a major new application to the team’s portfolio.

    Solution

    The team began to measure the types of work they were busy doing and then assessed the value of each type of work.

    The team then problem solved how they could reduce or eliminate their low-value workload.

    This led to tracking how many problems were being resolved and improved capabilities to problem solve effectively.

    Results

    Upon initial data collection, the team was performing 100% reactive workload. Eighteen months later slightly more than 80% of workload was proactive high-value activities.

    The team not only was able to absorb the additional workload of the new application but also identified efficiencies in their interactions with other teams that led to a 100% success rate in the change process and a 92% decrease in resource needs for major incidents.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostic and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 - Choose the KPIs

    Call #1: Scope dashboard and reporting needs.

    Call #2: Learn how to use the IT Metrics Library to select your metrics.

    Phase 2 – Build the Dashboard

    Call #3: Set up the dashboard.

    Call #4: Capture data and produce the report.

    Phase 3 – Create the Action Plan

    Call #5: Review the data and use the metrics library to determine actions.

    Call #6: Improve the KPIs you measure.

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 and 8 calls over the course of 2 to 3 months.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Identify What to Measure Configure the Dashboard Tool Review and Develop the Action Plan Improve Your KPIs Compile Workshop Output
    Activities

    1.1 Identify organizational goals.

    1.2 Identify IT goals and organizational alignment.

    1.3 Identify business pain points.

    2.1 Determine metrics and KPI best practices.

    2.2 Learn how to use the IT Metrics Library.

    2.3 Select the KPIs for your organization.

    2.4 Configure the IT Management Dashboard.

    3.1 Create the scorecard report.

    3.2 Interpret the results of the dashboard.

    3.3 Use the IT Metrics Library to review suggested actions.

    4.1 Develop your action plan.

    4.2 Execute the plan and track progress.

    4.3 Develop new KPIs as your practice matures.

    5.1 Complete the IT Metrics Library documentation.

    5.2 Document decisions and next steps.

    Outcomes 1. List of goals and pain points that KPIs will measure

    1. Definition of KPIs to be used, data sources, and ownership

    2. Configured IT dashboard

    1. Initial IT scorecard report

    2. Action plan with initial actions

    1. Understanding of how to develop new KPIs using the IT Metrics Library

    1. IT Metrics Library documentation

    2. Action plan

    Phase 1

    Choose the KPIs

    Phase 1

    1.1 Review Available KPIs

    1.2 Select KPIs for Your Org.

    1.3 Identify Data Sources and Owners

    Phase 2

    2.1 Understand the IT Management Dashboard

    2.2 Build and Review the KPIs

    Phase 3

    3.1 Prioritize Low-Performing Indicators

    3.2 Review Suggested Actions

    3.3 Develop the Action Plan

    This phase will walk you through the following activities:

    Reviewing and selecting the KPIs suggested in the IT Metrics Library.

    Identifying the data source for the selected KPI and the owner responsible for data collection.

    This phase involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Step 1.1

    Review Available KPIs

    Activities

    1.1.1 Download the IT Metrics Library and review the KPIs for each practice area.

    Choose the KPIs

    Step 1.1 – Review Available KPIs

    Step 1.2 – Select KPIs for Your Org.

    Step 1.3 – Identify Data Sources and owners

    This step will walk you through the following activities:

    Downloading the IT Metrics Library

    Understanding the content of the tool

    Reviewing the intended goals for each practice area

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    Downloaded tool ready to select the KPIs for your organization

    Using the IT Metrics Library

    Match the suggested KPIs to the Management and Governance Framework

    The “Practice” and “Process” columns relate to each of the boxes on the Info-Tech Management and Governance Framework. This ensures you are measuring each area that needs to be managed by a typical IT department.

    The image shows a table on the left, and on the right, the Info-Tech Management and Governance Structure. Sections from the Practice and Process columns of the table have arrows emerging from them, pointing to matching sections in the framework.

    Using the IT Metrics Library

    Content for each entry

    KPI - The key performance indicator to review

    CSF - What needs to happen to achieve success for each goal

    Goal - The goal your organization is trying to achieve

    Owner - Who will be accountable to collect and report the data

    Data Source (typical) - Where you plan to get the data that will be used to calculate the KPI

    Baseline/Target - The baseline and target for the KPI

    Rank - Criticality of this goal to the organization's success

    Action - Suggested action if KPI is underperforming

    Blueprint - Available research to address typical underperformance of the KPI

    Practice/Process - Which practice and process the KPI represents

    1.1.1 Download the IT Metrics Library

    Input

    • IT Metrics Library

    Output

    • Ideas for which KPIs would be useful to track for each of the practice areas

    Materials

    • Whiteboard/flip charts

    Participants

    • IT senior leadership
    • Process area owners
    • Metrics program owners and administrators

    4 hours

    1. Click the link below to download the IT Metrics Library spreadsheet.
    2. Open the file and select the “Data Entry” tab.
    3. The sheet has suggested KPIs for each of the 9 practice areas and 45 processes listed in the Info-Tech Management and Governance Framework. You can identify this grouping in the “Practice” and “Process” columns.
    4. For each practice area, review the suggested KPIs and their associated goals and discuss as a team which of the KPIs would be useful to track in your organization.

    Download the IT Metrics Library

    Step 1.2

    Select KPIs for Your Organization

    Activities

    1.2.1 Select the KPIs that will drive your organization forward

    1.2.2 Remove unwanted KPIs from the IT Metrics Library

    Choose the KPIs

    Step 1.1 – Review Available KPIs

    Step 1.2 – Select KPIs for Your Org.

    Step 1.3 – Identify Data Sources and Owners

    This step will walk you through the following activities:

    • Selecting the KPIs for your organization and removing unwanted KPIs from IT Metrics Library

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    A shortlist of selected KPIs

    1.2.1 Select the KPIs that will drive your organization forward

    Input

    • IT Metrics Library

    Output

    • KPIs would be useful to track for each of the practice areas

    Materials

    • IT Metrics Library

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    4 hours

    1. Review the suggested KPIs for each practice area and review the goal.
    2. Some suggested KPIs are similar, so make sure the goal is appropriate for your organization.
    3. Pick up to three KPIs per practice.

    1.2.2 Remove unwanted KPIs

    Input

    • IT Metrics Library

    Output

    • KPIs would be useful to track for each of the practice areas

    Materials

    • IT Metrics Library

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    0.5 hours

    1. To remove unwanted KPIs from the IT Metric Library Tool, select the unwanted row, right-click on the row, and delete it.
    2. The result should be up to three KPIs per practice area left on the spreadsheet.

    Step 1.3

    Identify data sources and owners

    Activities

    1.3.1 Document the data source

    1.3.2 Document the owner

    1.3.3 Document baseline and target

    Choose the KPIs

    Step 1.1 – Review Available KPIs

    Step 1.2 – Select KPIs for Your Org.

    Step 1.3 – Identify Data Sources and Owners

    This step will walk you through the following activities:

    Documenting for each KPI where you plan to get the data, who is accountable to collect and report the data, what the current baseline is (if available), and what the target is

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    A list of KPIs for your organization with appropriate attributes documented

    1.3 Identify data sources, owners, baseline, and target

    Input

    • IT Metrics Library

    Output

    • Completed IT Metrics Library

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators

    2 hours

    1. For each selected KPI, complete the owner, data source, baseline, and target if the information is available.
    2. If the information is not available, document the owner and assign them to complete the other columns.

    Phase 2

    Build the Dashboard

    Phase 1

    1.1 Review Available KPIs

    1.2 Select KPIs for Your Org.

    1.3 Identify Data Sources and Owners

    Phase 2

    2.1 Understand the IT Management Dashboard

    2.2 Build and Review the KPIs

    Phase 3

    3.1 Prioritize Low-Performing Indicators

    3.2 Review Suggested Actions

    3.3 Develop the Action Plan

    This phase will walk you through the following activities:

    Understanding the IT Management Dashboard

    Configuring the IT Management Dashboard and entering initial measures

    Produce thing IT Scorecard from the IT Management Dashboard

    Interpreting the results

    This phase involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Step 2.1

    Understand the IT Management Dashboard

    Activities

    2.1.1 Logging into the IT Management Dashboard

    2.1.2 Understanding the “Overall Scorecard” tab

    2.1.3 Understanding the “My Metrics” tab

    Build the Dashboard

    Step 2.1 – Understand the IT Management Dashboard

    Step 2.2 – Build and review the KPIs

    This step will walk you through the following activities:

    Accessing the IT Management Dashboard

    Basic functionality of the tool

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    Understanding of how to administer the IT Management Dashboard

    2.1.1 Logging into the IT Management Dashboard

    Input

    • Info-Tech membership

    Output

    • Access to the IT Management Dashboard

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    0.5 hours

    1. Using your web browser, access your membership at infotech.com.
    2. Log into your Info-Tech membership account.
    3. Select the “My IT Dashboard” option from the menu (circled in red).
    4. If you cannot gain access to the tool, contact your membership rep.

    The image is a screen capture of the Info-Tech website, with the Login button at the top right of the window circled in red.

    2.1.2 Understanding the “Overall Scorecard” tab

    0.5 hours

    1. Once you select “My IT Dashboard,” you will be in the “Overall Scorecard” tab view.
    2. Scrolling down reveals the data entry form for each of the nine practice areas in the Info-Tech Management and Governance Framework, with each section color-coded for easy identification.
    3. Each of the section headers, KPI names, data sources, and data values can be updated to fit the needs of your organization.
    4. This view is designed to show a holistic view of all areas in IT that are being managed.

    2.1.3 Understanding the “My Metrics” tab

    0.5 hours

    1. On the “My Metrics” tab you can access individual scorecards for each of the nine practice areas.
    2. Below the “My Metrics” tab is each of the nine practice areas for you to select from. Each shows a different subset of KPIs specific to the practice.
    3. The functionality of this view is the same as the overall scorecard. Each title, KPI, description, and actuals are editable to fit your organization’s needs.
    4. This blueprint does not go into detail on this tab, but it is available to be used by practice area leaders in the same way as the overall scorecard.

    Step 2.2

    Build and review the KPIs

    Activities

    2.2.1 Entering the KPI descriptions

    2.2.2 Entering the KPI actuals

    2.2.3 Producing the IT Overall Scorecard

    Build the Dashboard

    Step 2.1 – Understand the IT Management Dashboard

    Step 2.2 – Build and review the KPIs

    This step will walk you through the following activities:

    Entering the KPI descriptions

    Entering the actuals for each KPI

    Producing the IT Overall Scorecard

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    An overall scorecard indicating the selected KPI performance

    2.2.1 Entering the KPI descriptions

    Input

    • Access to the IT Management Dashboard
    • IT Metrics Library with your organization’s KPIs selected

    Output

    • KPI descriptions entered into tool

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    1 hour

    1. Navigate to the IT Management Dashboard as described in section 2.1.1 and scroll down to the practice area you wish to complete.
    2. If needed, modify the section name to match your organization’s needs.
    3. Select “Add another score.”

    2.2.1 Entering the KPI descriptions

    1 hour

    1. Select if your metric is a custom metric or a standard metric available from one of the Info-Tech diagnostic tools.
    2. Enter the metric name you selected from the IT Metrics Library.
    3. Select the value type.
    4. Select the “Add Metric” button.
    5. The descriptions only need to be entered when they change.

    Example of a custom metric

    The image is a screen capture of the Add New Metric function. The metric type selected is Custom metric, and the metric name is Employee Engagement. There is a green Add Metric button, which is circled in red.

    Example of a standard metric

    The image is a screen capture of the Add New Metric function. The metric type selected is Standard Metric. The green Add Metric button at the bottom is circled in red.

    2.2.2 Entering the KPI actuals

    Input

    • Actual data from each data source identified

    Output

    • Actuals recorded in tool

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    1 hour

    1. Select the period you wish to create a scorecard for by selecting “Add New Period” or choosing one from the drop-down list.
    2. For each KPI on your dashboard, collect the data from the data source and enter the actuals.
    3. Select the check mark (circled) to save the data for the period.

    The image is a screen capture of the My Overall Scorecard Metrics section, with a button at the bottom that reads Add New Period circled in red

    The image has the text People and Resources at the top. It shows data for the KPI, and there is a check mark circled in red.

    2.2.3 Producing the IT Overall Scorecard

    Input

    • Completed IT Overall Scorecard data collection

    Output

    • IT Overall Scorecard

    Materials

    • Web browser

    Participants

    • Metrics program owners and administrators

    0.5 hours

    1. Select the period you wish to create a scorecard for by selecting from the drop-down list.
    2. Click the “Download as PDF” button to produce the scorecard.
    3. Once the PDF is produced it is ready for review or distribution.

    Phase 3

    Create the Action Plan

    Phase 1

    1.1 Review Available KPIs

    1.2 Select KPIs for Your Org.

    1.3 Identify Data Sources and Owners

    Phase 2

    2.1 Understand the IT Management Dashboard

    2.2 Build and Review the KPIs

    Phase 3

    3.1 Prioritize Low-Performing Indicators

    3.2 Review Suggested Actions

    3.3 Develop the Action Plan

    This phase will walk you through the following activities:

    Prioritizing low-performing indicators

    Using the IT Metrics Library to review suggested actions

    Developing your team’s action plan to improve performance

    This phase involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Step 3.1

    Prioritize low-performing indicators

    Activities

    3.1.1 Determine criteria for prioritization

    3.1.2 Identify low-performing indicators

    3.1.3 Prioritize low-performing indicators

    Create the action plan

    Step 3.1 – Prioritize low-performing indicators

    Step 3.2 – Review suggested actions

    Step 3.3 – Develop the action plan

    This step will walk you through the following activities:

    Determining the criteria for prioritization of low-performing indicators

    Identifying low-performing indicators

    Prioritizing the low-performing indicators

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    A prioritized list of low-performing indicators that need remediation

    3.1.1 Determine criteria for prioritization

    Often when metrics programs are established, there are multiple KPIs that are not performing at the desired level. It’s easy to expect the team to fix all the low-performing indicators, but often teams are stretched and have conflicting priorities.

    Therefore it’s important to spend some time to prioritize which of your indicators are most critical to the success of your business.

    Also consider, if one area is performing well and others have multiple poor indicators, how do you give the right support to optimize the results?

    Lastly, is it better to score slightly lower on multiple measures or perfect on most but failing badly on one or two?

    3.1.1 Determine criteria for prioritization

    Input

    • Business goals and objectives
    • IT goals and objectives
    • IT organizational structure

    Output

    • Documented scorecard remediation prioritization criteria

    Materials

    • Whiteboard or flip charts

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    1 hour

    1. Identify any KPIs that are critical and cannot fail without high impact to your organization.
    2. Identify any KPIs that cannot fail for an extended period and document the time period.
    3. Rank the KPIs from most critical to least critical in the IT Metrics Library.
    4. Look at the owner accountable for the performance of each KPI. If there are any large groups, reassess the ownership or rank.
    5. Periodically review the criteria to see if they’re aligned with meeting current business goals.

    3.1.2 Identify low-performing indicators

    Input

    • Overall scorecard
    • Overall scorecard (previous period)
    • IT Metrics Library

    Output

    • List of low-performing indicators that need remediation
    • Planned actions to improve performance

    Materials

    • Whiteboard or flip charts

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    1 hour

    1. Review the overall scorecard for the current period. List any KPIs that are not meeting the target for the current month in the “Action Plan” tab of the IT Metrics Library.
    2. Compare current month to previous month. List any KPIs that are moving away from the long-term target documented in the tool IT Metrics Library.
    3. Revise the target in the IT Metrics Library as business needs change.

    3.1.3 Prioritize low-performing indicators

    Input

    • IT Metrics Library

    Output

    • Prioritized list of planned actions for low-performing indicators

    Materials

    • IT Metrics Library

    Participants

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    1 hour

    1. Look through the list of new and outstanding planned actions in the “Action Plan” tab of the IT Metrics Library, review progress, and prioritize outstanding items.
    2. Compare the list that needs remediation with the rank in the data entry tab.
    3. Adjust the priority of the outstanding and new actions to reflect the business needs.

    Step 3.2

    Review suggested actions

    Activities

    3.2.1 Review suggested actions in the IT Metrics Library

    Create the Action Plan

    Step 3.1 – Prioritize low-performing indicators

    Step 3.2 – Review suggested actions

    Step 3.3 – Develop the action plan

    This step will walk you through the following activities:

    Reviewing the suggested actions in the IT Metrics Library

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    An idea of possible suggested actions

    Take Action

    Knowing where you are underperforming is only half the battle. You need to act!

    • So far you have identified which indicators will tell you whether or not your team is performing and which indicators are most critical to your business success.
    • Knowing is the first step, but things will not improve without some kind of action.
    • Sometimes the action needed to course-correct is small and simple, but sometimes it is complicated and may take a long time.
    • Utilize the diverse ideas of your team to find solutions to underperforming indicators.
    • If you don’t have a viable simple solution, leverage the IT Metrics Library, which suggests high-level action needed to improve each indicator. If you need additional information, use your Info-Tech membership to review the recommended research.

    3.2.1 Review suggested actions in the IT Metrics Library

    Input

    • IT Metrics Library

    Output

    • Suggested actions

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each of your low-performing indicators, review the suggested action and related research in the IT Metrics Library.

    Step 3.3

    Develop the action plan

    Activities

    3.3.1 Document planned actions

    3.3.2 Assign ownership of actions

    3.3.3 Determine timeline of actions

    3.3.4 Review past action status

    Create the action plan

    Step 3.1 – Prioritize low- performing indicators

    Step 3.2 – Review suggested actions

    Step 3.3 – Develop the action plan

    This step will walk you through the following activities:

    Using the action plan tool to document the expected actions for low-performing indicators

    Assigning an owner and expected due date for the action

    Reviewing past action status for accountability

    This step involves the following participants:

    • Senior IT leadership
    • Process area owners
    • Metrics program owners and administrators

    Outcomes of this step

    An action plan to invoke improved performance

    3.3.1 Document planned actions

    Input

    • IT Metrics Library

    Output

    • Planned actions

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    1 hour

    1. Decide on the action you plan to take to bring the indicator in line with expected performance and document the planned action in the “Action Plan” tab of the IT Metrics Library.

    Info-Tech Insight

    For larger initiatives try to break the task down to what is likely manageable before the next review. Seeing progress can motivate continued action.

    3.3.2 Assign ownership of actions

    Input

    • IT Metrics Library

    Output

    • Identified owners for each action

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each unassigned task, assign clear ownership for completion of the task.
    2. The task owner should be the person accountable for the task.

    Info-Tech Insight

    Assigning clear ownership can promote accountability for progress.

    3.3.3 Determine timeline of actions

    Input

    • IT Metrics Library

    Output

    • Expected timeline for each action

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each task, agree on an estimated target date for completion.

    Info-Tech Insight

    If the target completion date is too far in the future, break the task into manageable chunks.

    3.3.4 Review past action status

    Input

    • IT Metrics Library

    Output

    • Complete action plan for increased performance

    Materials

    • IT Metrics Library

    Participants

    • Process area owners
    • Metrics program owners and administrators
    • Task owners

    0.5 hours

    1. For each task, review the progress since last review.
    2. If desired progress is not being made, adjust your plan based on your organizational constraints.

    Info-Tech Insight

    Seek to understand the reasons that tasks are not being completed and problem solve for creative solutions to improve performance.

    Measure the value of your KPI program

    KPIs only produce value if they lead to action

    • Tracking the performance of key indicators is the first step, but value only comes from taking action based on this information.
    • Keep track of the number of action items that come out of your KPI review and how many are completed.
    • If possible, keep track of the time or money saved through completing the action items.

    Keeping track of the number of actions identified and completed is a low overhead measure.

    Tracking time or money saved is higher overhead but also higher value.

    The image is a chart titled KPI benefits. It includes a legend indicating that blue bars are for Actions identified, purple bars are for Actions completed, and the yellow line is for Time/money saved. The graph shows Q1-Q4, indicating an increase in all areas across the quarters.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    1. Identifying actions needed to remediate poor-performing KPIs
    2. Associating time and/or money savings as a result of actions taken
    Metric Current Goal
    Number of actions identified per month as a result of KPI review 0 TBD
    $ saved through actions taken due to KPI review 0 TBD
    Time saved through actions taken due to KPI review 0 TBD

    Summary of Accomplishment

    Problem Solved

    Through this project we have identified typical key performance indicators that are important to your organization’s effective management of IT.

    You’ve populated the IT Management Dashboard as a simple method to display the results of your selected KPIs.

    You’ve also established a regular review process for your KPIs and have a method to track the actions that are needed to improve performance as a result of the KPI review. This should allow you to hold individuals accountable for improvement efforts.

    You can also measure the effectiveness of your KPI program by tracking how many actions are identified as a result of the review. Ideally you can also track the money and time savings.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech Workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Select the KPIs for your organization

    Examine the benefits of the KPIs suggested in the IT Metrics Library and help selecting those that will drive performance for your maturity level.

    Build an action plan

    Discuss options for identifying and executing actions that result from your KPI review. Determine how to set up the discipline needed to make the most of your KPI review program.

    Research Contributors and Experts

    Valence Howden

    Principal Research Director, CIO – Service Management Info-Tech Research Group

    • Valence has extensive experience in helping organizations be successful through optimizing how they govern themselves, how they design and execute strategies, and how they drive service excellence in all work.

    Tracy-Lynn Reid

    Practice Lead, CIO – People & Leadership Info-Tech Research Group

    • Tracy-Lynn covers key topics related to People & Leadership within an information technology context.

    Fred Chagnon

    Practice Lead, Infrastructure & Operations Info-Tech Research Group

    • Fred brings extensive practical experience in all aspects of enterprise IT Infrastructure, including IP networks, server hardware, operating systems, storage, databases, middleware, virtualization and security.

    Aaron Shum

    Practice Lead, Security, Risk & Compliance Info-Tech Research Group

    • With 20+ years of experience across IT, InfoSec, and Data Privacy, Aaron currently specializes in helping organizations implement comprehensive information security and cybersecurity programs as well as comply with data privacy regulations.

    Cole Cioran

    Practice Lead, Applications and Agile Development Info-Tech Research Group

    • Over the past twenty-five years, Cole has developed software; designed data, infrastructure, and software solutions; defined systems and enterprise architectures; delivered enterprise-wide programs; and managed software development, infrastructure, and business systems analysis practices.

    Barry Cousins

    Practice Lead, Applications – Project and Portfolio Mgmt. Info-Tech Research Group

    • Barry specializes in Project Portfolio Management, Help/Service Desk, and Telephony/Unified Communications. He brings an extensive background in technology, IT management, and business leadership.

    Jack Hakimian

    Vice President, Applications Info-Tech Research Group

    • Jack has close to 25 years of Technology and Management Consulting experience. He has served multi-billion-dollar organizations in multiple industries, including Financial Services and Telecommunications. Jack also served several large public sector institutions.

    Vivek Mehta

    Research Director, CIO Info-Tech Research Group

    • Vivek publishes on topics related to digital transformation and innovation. He is the author of research on Design a Customer-Centric Digital Operating Model and Create Your Digital Strategy as well as numerous keynotes and articles on digital transformation.

    Carlos Sanchez

    Practice Lead, Enterprise Applications Info-Tech Research Group

    • Carlos has a breadth of knowledge in enterprise applications strategy, planning, and execution.

    Andy Neill

    Practice Lead, Enterprise Architecture, Data & BI Info-Tech Research Group

    • Andy has extensive experience in managing technical teams, information architecture, data modeling, and enterprise data strategy.

    Michael Fahey

    Executive Counselor Info-Tech Research Group

    • As an Executive Counselor, Mike applies his decades of business experience and leadership, along with Info-Tech Research Group’s resources, to assist CIOs in delivering outstanding business results.

    Related Info-Tech Research

    Develop Meaningful Service Metrics to Ensure Business and User Satisfaction

    • Reinforce service orientation in your IT organization by ensuring your IT metrics generate value-driven resource behavior.

    Use Applications Metrics That Matter

    • It all starts with quality and customer satisfaction.

    Take Control of Infrastructure Metrics

    • Master the metrics maze to help make decisions, manage costs, and plan for change.

    Bibliography

    Bach, Nancy. “How Often Should You Measure Your Organization's KPIs?” EON, 26 June 2018. Accessed Jan. 2020.

    “The Benefits of Tracking KPIs – Both Individually and for a Team.” Hoopla, 30 Jan. 2017. Accessed Jan. 2020.

    Chepul, Tiffany. “Top 22 KPI Examples for Technology Companies.” Rhythm Systems, Jan. 2020. Accessed Jan. 2020.

    Cooper, Larry. “CSF's, KPI's, Metrics, Outcomes and Benefits” itSM Solutions. 5 Feb. 2010. Accessed Jan 2020.

    “CUC Report on the implementation of Key Performance Indicators: case study experience.” Committee of University Chairs, June 2008. Accessed Jan 2020.

    Harris, Michael, and Bill Tayler. “Don’t Let Metrics Undermine Your Business.” HBR, Sep.–Oct 2019. Accessed Jan. 2020.

    Hatari, Tim. “The Importance of a Strong KPI Dashboard.” TMD Coaching. 27 Dec. 2018. Accessed Jan. 2020.

    Roy, Mayu, and Marian Carter. “The Right KPIs, Metrics for High-performing, Cost-saving Space Management.” CFI, 2013. Accessed Jan 2020.

    Schrage, Michael, and David Kiron. “Leading With Next-Generation Key Performance Indicators.” MIT Sloan Management Review, 26 June 2018. Accessed Jan. 2020.

    Setijono, Djoko, and Jens J. Dahlgaard. “Customer value as a key performance indicator (KPI) and a key improvement indicator (KII)” Emerald Insight, 5 June 2007. Accessed Jan 2020.

    Skinner, Ted. “Balanced Scorecard KPI Examples: Comprehensive List of 183 KPI Examples for a Balanced Scorecard KPI Dashboard (Updated for 2020).” Rhythm Systems, Jan. 2020. Accessed Jan 2020.

    Wishart, Jessica. “5 Reasons Why You Need The Right KPIs in 2020” Rhythm Systems, 1 Feb. 2020. Accessed Jan. 2020.

    Implement Risk-Based Vulnerability Management

    • Buy Link or Shortcode: {j2store}296|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $122,947 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
    • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

    Our Advice

    Critical Insight

    • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
    • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
    • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

    Impact and Result

    • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
    • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
    • The risk-based approach will allow you prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
    • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
    • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    Implement Risk-Based Vulnerability Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

    • Vulnerability Management SOP Template

    2. Triage vulnerabilities and assign priorities

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

    • Vulnerability Tracking Tool
    • Vulnerability Management Risk Assessment Tool
    • Vulnerability Management Workflow (Visio)
    • Vulnerability Management Workflow (PDF)

    3. Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    4. Measure and formalize

    Evolve the program continually by developing metrics and formalizing a policy.

    • Vulnerability Management Policy Template
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template

    Infographic

    Workshop: Implement Risk-Based Vulnerability Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Vulnerability Sources

    The Purpose

    Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

    Key Benefits Achieved

    Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

    Activities

    1.1 Define the scope & boundary of your organization’s security program.

    1.2 Assign responsibility for vulnerability identification and remediation.

    1.3 Develop a monitoring and review process of third-party vulnerability sources.

    1.4 Review incident management and vulnerability management

    Outputs

    Defined scope and boundaries of the IT security program

    Roles and responsibilities defined for member groups

    Process for review of third-party vulnerability sources

    Alignment of vulnerability management program with existing incident management processes

    2 Triage and Prioritize

    The Purpose

    We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.

    Key Benefits Achieved

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Activities

    2.1 Evaluate your identified vulnerabilities.

    2.2 Determine high-level business criticality.

    2.3 Determine your high-level data classifications.

    2.4 Document your defense-in-depth controls.

    2.5 Build a classification scheme to consistently assess impact.

    2.6 Build a classification scheme to consistently assess likelihood.

    Outputs

    Adjusted workflow to reflect your current processes

    List of business operations and their criticality and impact to the business

    Adjusted workflow to reflect your current processes

    List of defense-in-depth controls

    Vulnerability Management Risk Assessment tool formatted to your organization

    Vulnerability Management Risk Assessment tool formatted to your organization

    3 Remediate Vulnerabilities

    The Purpose

    Identifying potential remediation options.

    Developing criteria for each option in regard to when to use and when to avoid.

    Establishing exception procedure for testing and remediation.

    Documenting the implementation of remediation and verification.

    Key Benefits Achieved

    Identifying and selecting the remediation option to be used

    Determining what to do when a patch or update is not available

    Scheduling and executing the remediation activity

    Planning continuous improvement

    Activities

    3.1 Develop risk and remediation action.

    Outputs

    List of remediation options sorted into “when to use” and “when to avoid” lists

    4 Measure and Formalize

    The Purpose

    You will determine what ought to be measured to track the success of your vulnerability management program.

    If you lack a scanning tool this phase will help you determine tool selection.

    Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    Key Benefits Achieved

    Outline of metrics that you can then configure your vulnerability scanning tool to report on.

    Development of an inaugural policy covering vulnerability management.

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Activities

    4.1 Measure your program with metrics, KPIs, and CSFs.

    4.2 Update the vulnerability management policy.

    4.3 Create an RFP for vulnerability scanning tools.

    4.4 Create an RFP for penetration tests.

    Outputs

    List of relevant metrics to track, and the KPIs, CSFs, and business goals for.

    Completed Vulnerability Management Policy

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Further reading

    Implement Risk-Based Vulnerability Management

    Get off the patching merry-go-round and start mitigating risk!

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    6 Common Obstacles

    8 Risk-based approach to vulnerability management

    16 Step 1.1: Vulnerability management defined

    24 Step 1.2: Defining scope and roles

    34 Step 1.3: Cloud considerations for vulnerability management

    33 Step 1.4: Vulnerability detection

    46 Step 2.1: Triage vulnerabilities

    51 Step 2.2: Determine high-level business criticality

    56 Step 2.3: Consider current security posture

    61 Step 2.4: Risk assessment of vulnerabilities

    71 Step 3.1: Assessing remediation options

    Table of Contents

    80 Step 3.2: Scheduling and executing remediation

    85 Step 3.3: Continuous improvement

    89 Step 4.1: Metrics, KPIs, and CSFs

    94 Step 4.2: Vulnerability management policy

    97 Step 4.3: Select & implement a scanning tool

    107 Step 4.4: Penetration testing

    118 Summary of accomplishment

    119 Additional Support

    120 Bibliography

    Analyst Perspective

    Vulnerabilities will always be present. Know the unknowns!

    In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

    The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

    A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

    Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

    Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group.Jimmy Tom
    Research Advisor – Security, Privacy, Risk, and Compliance
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

    Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

    Common Obstacles

    Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

    Some systems deemed vulnerable simply cannot be patched or easily replaced.

    Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

    Info-Tech’s Approach

    Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

    Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

    Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

    Info-Tech Insight

    Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

    Common obstacles

    These barriers make vulnerability management difficult to address for many organizations:
    • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
    • Many organizations feel that a “patch everything” approach is the most effective path.
    • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
    • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
    CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
    (Source: NIST National Vulnerability Database Dashboard)

    Leverage risk to sort, triage, and prioritize vulnerabilities

    Reduce your risk surface to avoid cost to your business; everything else is table stakes.

    Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

    Identify vulnerability sources

    An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

    Triage and prioritize

    Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

    Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

    Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    Measure and formalize

    Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

    Tactical Insight 1

    All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

    Tactical Insight 2

    Reduce the risk surface down below the risk threshold.

    The industry has shifted to a risk-based approach

    Traditional vulnerability management is no longer viable.

    “For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

    “Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

    “Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

    “A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

    Why a take risk-based approach?

    Vulnerabilities, by the numbers

    60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

    74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

    Info-Tech Insight

    Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

    The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

    Vulnerability Management

    A risk-based approach

    Reduce the risk surface to avoid cost to your business, everything else is table stakes

    Logo for Info-Tech.
    Logo for #iTRG.

    1

    Identify

    4

    Address

    Mitigate the risk surface by reducing the time across the phases ›Mitigate the risk by implementing:
    • patch systems & apps
    • compensating controls
    • systems and apps hardening
    • systems segregation
    Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

    Objective: reduce risk surface by reducing time to address

    Your organization's risk tolerance threshold

    Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)Vulnerability information feeds:
    • scanning tool
    • external threat intel
    • internal threat intel

    2

    Analyze

    Assign actual risk (impact x urgency) to the organization based on current security posture

    Triage based on risk ›

    Your organization's risk tolerance threshold

    Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

    3

    Assess

    Plan risk mitigation strategy ›Consider:
    • risk tolerance
    • compensating controls
    • business impact

    Info-Tech’s vulnerability management methodology

    Focus on developing the most efficient processes.

    Vulnerability management isn’t “old school.”

    The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

    Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

    Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

    Equation to find 'Vulnerability Priority'.

    When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

    Info-Tech Insight

    Vulnerability management is not only patch management. Patching is only one aspect.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Vulnerability Management SOP

    The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

    Sample of the key deliverable, Vulnerability Management SOP.
    Vulnerability Management Policy

    Template for your vulnerability management policy.

    Sample of the Vulnerability Management Policy blueprint.Vulnerability Tracking Tool

    This tool offers a template to track vulnerabilities and how they are remedied.

    Sample of the Vulnerability Tracking Tool blueprint.
    Vulnerability Scanning RFP Template

    Request for proposal template for the selection of a vulnerability scanning tool.

    Sample of the Vulnerability Scanning RFP Template blueprint.Vulnerability Risk Assessment Tool

    Methodology to assess vulnerability risk by determining impact and likelihood.

    Sample of the Vulnerability Risk Assessment Tool blueprint.

    Blueprint benefits

    IT Benefits

    • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
    • A risk-based approach that aligns with what’s important to the business.
    • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
    • Identification of “where to start” in terms of vulnerability management.
    • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
    • Knowledge of what to do when patching is simply not possible or feasible.

    Business Benefits

    • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
    • A consistent program that the business can plan around and predict when interruptions will occur.
    • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

    Info-Tech’s process can save significant financial resources

    PhaseMeasured Value
    Phase 1: Identify vulnerability sources
      Define the process, scope, roles, vulnerability sources, and current state
      • Consultant at $100 an hour for 16 hours = $1,600
    Phase 2: Triage vulnerabilities and assign urgencies
      Establish triaging and vulnerability evaluation process
      • Consultant at $100 an hour for 16 hours = $1,600
      Determine high-level business criticality and data classifications
      • Consultant at $100 an hour for 40 hours = $4,000
      Assign urgencies to vulnerabilities
      • Consultant at $100 an hour for 8 hours = $800
    Phase 3: Remediate vulnerabilities
      Prepare documentation for the vulnerability process
      • Consultant at $100 an hour for 8 hours = $800
      Establish defense-in-depth modelling
      • Consultant at $100 an hour for 24 hours = $2,400
      Identify remediation options and establish criteria for use
      • Consultant at $100 an hour for 40 hours = $4,000
      Formalize backup and testing procedures, including exceptions
      • Consultant at $100 an hour for 8 hours = $800
      Remediate vulnerabilities and verify
      • Consultant at $100 an hour for 24 hours = $2,400
    Phase 4: Continually improve the vulnerability management process
      Establish a metrics program for vulnerability management
      • Consultant at $100 an hour for 16 hours = $1,600
      Update vulnerability management policy
      • Consultant at $100 an hour for 8 hours = $800
      Develop a vulnerability scanning tool RFP
      • Consultant at $100 an hour for 40 hours = $4,000
      Develop a penetration test RFP
      • Consultant at $100 an hour for 40 hours = $4,000
    Potential financial savings from using Info-Tech resourcesPhase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Discuss current state and vulnerability sources.

    Call #3: Identify triage methods and business criticality.

    Call #4:Review current defense-in-depth and discuss risk assessment.

    Call #5: Discuss remediation options and scheduling.

    Call #6: Review release and change management and continuous improvement.

    Call #7: Identify metrics, KPIs, and CSFs.

    Call #8: Review vulnerability management policy.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1Day 2Day 3Day 4Day 5
    Activities
    Identify vulnerability sources

    1.1 What is vulnerability management?

    1.2 Define scope and roles

    1.3 Cloud considerations for vulnerability management

    1.4 Vulnerability detection

    Triage and prioritize

    2.1 Triage vulnerabilities

    2.2 Determine high-level business criticality

    2.3 Consider current security posture

    2.4 Risk assessment of vulnerabilities

    Remediate vulnerabilities

    3.1 Assess remediation options

    3.2 Schedule and execute remediation

    3.3 Drive continuous improvement

    Measure and formalize

    4.1 Metrics, KPIs & CSFs

    4.2 Vulnerability Management Policy

    4.3 Select & implement a scanning tool

    4.4 Penetration testing

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. Scope and boundary definition of vulnerability management program
    2. Responsibility assignment for vulnerability identification and remediation
    3. Monitoring and review process of third-party vulnerability sources
    4. Incident management and vulnerability convergence
    1. Methodology for evaluating identified vulnerabilities
    2. Identification of high-level business criticality
    3. Defined high-level data classifications
    4. Documented defense-in-depth controls
    5. Risk assessment criteria for impact and likelihood
    1. Documented risk assessment methodology and remediation options
    1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
    2. Initial draft of vulnerability management policy
    3. Scanning tool selection criteria
    4. Introduction to penetration testing
    1. Completed vulnerability management standard operating procedure
    2. Defined vulnerability management risk assessment criteria
    3. Vulnerability management policy draft

    Implement Risk-Based Vulnerability Management

    Phase 1

    Identify Vulnerability Sources

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

    This phase involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Step 1.1

    Vulnerability Management Defined

    Activities

    None for this section

    This step will walk you through the following activities:

    Establish a common understanding of vulnerability management and its place in the IT organization.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Foundational knowledge of vulnerability management in your organization.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    What is vulnerability management?

    It’s more than just patching.

    • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
    • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
    • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

    “Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

    Effective vulnerability management

    It’s not easy, but it’s much harder without a process in place.
    • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
    • Patching isn’t the only solution, but it’s the one that often draws focus.
    • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
    • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
    • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
    • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

    You’re not just doing this for yourself. It’s also for your auditors.

    Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

    Vulnerability management revolves around your asset security services

    Diagram with 'Asset Security Services' at the center. On either side are 'Network Security Services' and 'Identity Security Services', all three of which flow up into 'Security Analytics | Security Incident Response', and all four share a symbiotic flow with 'Management' below and contribute to 'Mega Trend Mapping' above. Management is supported by 'Governance'.Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.

    Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

    Vulnerability management works in tandem with SecOps and ITOps

    Vulnerability Management Process Inputs/Outputs:
    'Vulnerability Management (Process and Tool)' outputs are 'Incident Management', 'Release Management', 'Change Management', 'IT Asset Management', 'Application Security Testing', 'Threat Intelligence', and 'Security Risk Management'; inputs are 'Vulnerability Disclosure', 'Threat Intelligence', and 'Security Risk Management'.

    Arrows denote direction of information feed

    Vulnerability management serves as the input into a number of processes for remediation, including:
    • Incident management, to deal with issues
    • Release management, for patch management
    • Change management, for change control
    • IT asset management, to track version information, e.g. for patching
    • Application security testing, for the verification of vulnerabilities

    A two-way data flow exists between vulnerability management and:

    • Security risk management, for the overall risk posture of the organization
    • Threat intelligence, as vulnerability management reveals only one of several threat vectors

    For additional information please refer to Info-Tech’s research for each area:

    • Vulnerability management can leverage your existing processes to gain an operational element for the program.
    • As you strive to mature each of the processes on their own, vulnerability management will benefit accordingly.
    • Review our research for each of these areas and speak to one of our analysts if you wish to improve any of the listed processes.

    Info-Tech’s Information Security Program Framework

    Vulnerability management is a component of the Infrastructure Security section of Security Management

    Information Security Framework with Level 1 and Level 2 capabilities in two main sections, 'Management' and 'Governance'. Level 2 capabilities are grouped within Level 1 capabilities.For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.

    Info-Tech Insight

    Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

    Case Study

    Logo for Cimpress.
    INDUSTRY: Manufacturing
    SOURCE: Cimpress, 2016

    One organization is seeing immediate benefits by formalizing its vulnerability management program.

    Challenge

    Cimpress was dealing with many challenges in regards to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.

    Solution

    The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.

    Results

    Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.

    Step 1.2

    Defining the scope and roles

    Activities
    • 1.2.1 Define the scope and boundary of your organization’s security program
    • 1.2.2 Assign responsibility for vulnerability identification and remediation

    This step will walk you through the following activities:

    Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Determine the scope of your security program

    This will help you adjust the depth and breadth of your vulnerability management program.
    • Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee.
    • Scope can be defined along four aspects:
      • Data Scope – What data elements in your organization does your security program cover? How is data classified?
      • Physical Scope – What physical scope, such as geographies, does the security program cover?
      • Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations?
      • IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?
    Stock image of figures standing in connected circles.

    1.2.1 Define the scope and boundary of your organization’s security program

    60 minutes

    Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

    Output: Defined scope and boundaries of the IT security program

    Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

    Participants: Business stakeholders, IT leaders, Security team members

    1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
    2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
    3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

    The goal is to identify what your vulnerability management program is responsible for and document it.

    Consider the following:

    How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

    Download the Vulnerability Management SOP Template

    Assets are part of the scope definition

    An inventory of IT assets is necessary if there is to be effective vulnerability management.

    • Organizations need an up-to-date and comprehensive asset inventory for vulnerability management. This is due to multiple reasons:
      • When vulnerabilities are announced, they will need to be compared to an inventory to determine if the organization has any relevant systems or versions.
      • It indicates where all IT assets can be found both physically and logically.
      • Asset inventories typically have owners assigned to the assets and systems whose responsibility it is to carry out remediations for vulnerabilities.
    • Furthermore, asset inventories can provide insight into where data can be found within the organization. This is extremely useful within a formal data classification program, which plays a large factor in vulnerability management.
    If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.

    Info-Tech Insight

    Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.

    Assign responsibility for vulnerability identification and remediation

    Determine who is critical to effectively detecting and managing vulnerabilities.
    • Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability.
    • Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems.
      • Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion?
    • The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.
    Stock image of many connected profile photos in a cloud network.

    1.2.2 Assign responsibility for vulnerability identification and remediation

    60 minutes

    Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

    Output: Defined set of roles and responsibilities for member groups

    Materials: Vulnerability Management SOP Template

    Participants: CIO, CISO, IT Management representatives for each area of IT

    1. Display the table of responsibilities that need to be assigned.
    2. List all the positions within the IT security team.
    3. Map these to the positions that require IT security team members.
    4. List all positions that are part of the IT team.
    5. Map these to the positions that require IT team members.

    If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

    Download the Vulnerability Management SOP TemplateSample of the Roles and Responsibilities table from the Vulnerability Management SOP Template.

    Step 1.3

    Cloud considerations for vulnerability management

    Activities

    None for this section.

    This step will walk you through the following activities:

    Review cloud considerations for vulnerability management

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Cloud considerations

    Cloud will change your approach to vulnerability management.
    • There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed.
    • Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations.
    • With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased.
    • Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments.
    • In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.
    Table outlining who has control, between the 'Organization' and the 'Vendor', of different cloud capabilities in different cloud strategies.

    For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

    Cloud environment scanning

    Cloud scanning is becoming a more common necessity but still requires special consideration.

    An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

    Private Cloud
    If your organization owns a private cloud, these environments can be tested normally.
    Public Cloud
    Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.

    In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner.

    Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.

    Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
    • There is a general trend for PaaS and IaaS vendors to allow testing if given due notice.
    • Your contract with the cloud vendor or the vendor’s terms and conditions will outline the permissibility of customer vulnerability scanning. In some cases, a cloud vendor will deny the ability to do vulnerability scanning if they already provide a solution as part of their service.
    • Always ensure that the vendor is aware of your vulnerability scanning activity so that false positives aren’t triggering their security measures as possible denial-of-service (DoS) attacks.
    Software-as-a-Service (SaaS) Environments
    • SaaS offers very limited visibility to the services behind the software that the customer sees. You therefore cannot test for patch levels or vulnerabilities.
    • SaaS customers must rely exclusively on the provider for the regular scanning and remediation of vulnerabilities in the back-end technologies supporting the SaaS application.
    • You can only test the connection points to SaaS environments. This involves trying to figure out what you can see, e.g. looking for encrypted traffic.

    Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.

    Step 1.4

    Vulnerability detection

    Activities
    • 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
    • 1.4.2 Incident management and vulnerability management

    This step will walk you through the following activities:

    Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

    Determine how incident management and vulnerability management interoperate.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Vulnerability detection

    Vulnerabilities can be identified through numerous mediums.

    Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

    Vulnerability Assessment and Scanning Tools
    • Computer programs that function to identify and assess security vulnerabilities and weaknesses within computers, computer systems, applications, or networks.
    • Using a known vulnerability database, the tool scans targeted hosts or systems to identify flaws and generate reports and recommendations based on the results.
    • There are four main types of tools under this category: network and operating system vulnerability scanners, application scanning and testing tools, web application scanners, and exploitation tools.
    Penetration Tests
    • The act of identifying vulnerabilities on computers, computer systems, applications, or networks followed by testing of the vulnerability to validate the findings.
    • Penetration tests are considered a service that is offered by third-parties in which a variety of products, tools, and methods are used to exploit systems and gain access to data.
    Open Source Monitoring
    • New vulnerabilities are detected daily with each vulnerability’s information being uploaded to an information-sharing platform to enable other organizations to be able to identify the same vulnerability on their systems.
    • Open source platforms are used to alert and distribute information on newly discovered vulnerabilities to security professionals.
    Security Incidents
    • Any time an incident response plan is called into action to mitigate an incident, there should be formal communication with the vulnerability management team.
    • Any IT incident an organization experiences should provide a feed for analysis into your vulnerability management program.

    Automate with a vulnerability scanning tool

    Vulnerabilities are too numerous for manual scanning and detection.
    • Vulnerability management is not only the awareness of the existence of vulnerabilities but that they are actively present in your environment.
    • A vulnerability scanner will usually report dozens, if not hundreds, of vulnerabilities on a regular and recurring basis. Typical IT environments have several dozen, if not hundreds, of servers. We haven’t even considered the amount of network equipment or the hundreds of user workstations in an environment.
    • This tool will give you information of the presence of a vulnerability in your environment and the host on which the vulnerability exists. This includes information on the version of software that contains a vulnerability and whether you are running that version. The tool will also report on the criticality of the vulnerability based on industry criticality ratings.
    • The tools are continually updated by the vendor with the latest definition updates for the latest vulnerabilities out there. This ensures you are always scanning for the greatest number of potential vulnerabilities.
    Automation requires oversight.
    1. Vulnerability scanners bring great automation to the task of scanning and detecting vulnerabilities in high numbers.
    2. Vulnerability scanners, however, do not have your level of intelligence. Any compensating controls, network segregation, or other risk mitigation features that you have in place will not be known by the tool.
    3. Determining the risk and urgency of a vulnerability within the context of your specific environment will still require internal review by you or your SecOps team.

    For guidance on tool selection

    Refer to section 4.3 Selecting and Implement a Scanning Tool in this blueprint.

    Vulnerability scanning tool considerations

    Select a vulnerability scanning tool with the features you need to be effective.
    • Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting.
    • In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered.
    • A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities.
    • A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.
    Stock photo of a smartphone scanning a barcode.

    For guidance on tool vendors

    Visit SoftwareReviews for information on vulnerability management tools and vendors.

    Vulnerability scanning tool best practices

    How often should scans be performed?

    One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

    The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

    ANALYST PERSPECTIVE: Organizations should look for continuous scanning

    Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

    Continuous Scanning Methods

    Continuous agent scanning

    Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.

    On-demand scanning

    Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.

    Cloud-based scanning

    Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.

    Vulnerability scanning tool best practices

    Where to perform a scan.

    What should be scannedHow to point a scanner
    The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
    Mobile Devices

    You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs.

    Several ways to scan mobile devices:

    • Intercept the device when it remotes into your network using a VPN. You catch the device with a remote scan. This can only be done if a VPN is required.
    • An agent-based approach can be used for mobile devices. Locally installed software gives the information needed to evaluate the security posture of a device. Discernibly, concerns around device processing, memory, and network bandwidth come into play. Ease of installation becomes key for agents.
    Virtualization
    • In a virtual environment, you will have servers being dynamically spun up. Ensure your tool is able to scan these new servers automatically.
    • Often, vulnerability scanning tool providers will restrict scanning to preapproved scanners. Look for tools that are preapproved by the VM vendors.
    Cloud Environments
    • You can set your tool to scan a given cloud environment. The main concern here is who owns the cloud. If it is a private cloud, there is little concern.
    • If it is a third-party cloud (AWS, Azure, etc.) you need to confirm with the cloud service provider that scanning of your cloud environment can occur.
    • There is a trend to allow more scanning of cloud environments.
    • You need to tell the scanner an IP address, a group of IP addresses, an asset group, or a combination of those.
    • You can categorize by functional classifications – internet-facing servers, workstations, network devices, etc., or by organizational structure – Finance, HR, Legal, etc.
    • If you have a strong change management system, you can better hone when and where to perform a scan based on actual changes.
    • You can set the number of concurrent outbound TCP connections that are being made. For example, set the tool so it sends out to 10 ports at a time, rather than pinging at 64k ports on a machine, which would flood the NIC.
    • Side Note: Flooding a host with pings from a scanning tool can be done to find out DoS thresholds on a machine. There are no bandwidth concerns for a network DoS, however, because the packets are so small.

    Vulnerability scanning tool best practices

    Communication and measurement

    Pre-Scan Communication With Users

    • It is always important to inform owners and users of systems that a scan will be happening.
    • Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
    • Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.
    Vulnerability Scanning Tool Tracking Metrics
    • Vulnerability score by operating system, application, or organization division.
      • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
    • Most vulnerable applications and application version.
      • This provides insight into how outdated applications are creating risk exposure for an organization.
      • This will also provide metrics on the effectiveness of your patching program.
    • Number of assets scanned within the last number of days.
      • This provides visibility into how often your assets are being scanned and thus protected.
    • Number of unowned devices or unapproved applications.
      • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Proactively identify new vulnerabilities as they are announced.

    By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

    Common sources:
    • Vendor websites and mailing lists
      • Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included.
      • There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually.
    • Third-party websites
      • A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors.
      • However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching.
    • Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds
      • These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts.
    • Vulnerability databases
      • These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).
    Stock photo of a student checking a bulletin board.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Third-party sources for vulnerabilities

    • Open Source Vulnerability Database (OSVDB)
      • An open-source database that is run independently of any vendors.
    • Common Vulnerabilities and Exposures (CVE)
      • Free, international dictionary of publicly known information security vulnerabilities and exposures.
    • National Vulnerability Database (NVD)
      • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
      • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
      • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
    • Open Web Application Security Project (OWASP)
      • OWASP is another free project helping to expose vulnerabilities within software.
    • US-CERT National Cyber Alert System (US-CERT Alerts)
      • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
      • Cybersecurity Tips – Provide advice about common security issues for the general public.
      • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
    • US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
      • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
    • Open Vulnerability Assessment Language (OVAL)
      • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

    1.4.1 Develop a monitoring and review process for third-party vulnerability sources

    60 minutes

    Input: Third-party resources list

    Output: Process for review of third-party vulnerability sources

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

    1. Identify what third-party resources are useful and relevant.
    2. Shortlist your third-party sources.
    3. Identify what is the best way to receive information from a third party.
    4. Document the method to receive or check information from the third-party source.
    5. Identify who is responsible for maintaining third-party vulnerability information sources
    6. Capture this information in the Vulnerability Management SOP Template.
    Download the Vulnerability Management SOP TemplateSample of the Third Party Vulnerability Monitoring tables from the Vulnerability Management SOP Template.

    Incidents and vulnerability management

    Incidents can also be a sources of vulnerabilities.

    When any incident occurs, for example:

    • A security incident, such as malware detected on a machine
    • An IT incident, such as an application becomes unresponsive
    • A crisis occurs, like a worker accident

    There can be underlying vulnerabilities that need to be processed.

    Three Types of IT Incidents exist:
    1. Information Security Incident
    2. IT Incident and/or Problem
    3. Crisis

    Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
    If you are missing an incident response plan, take a look at Info-Tech’s Related Resources.

    Info-Tech Related Resources:
    If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.

    If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.

    1.4.2 Incident management and vulnerability management

    60 minutes

    Input: Existing incident response processes, Existing crisis communications plans

    Output: Alignment of vulnerability management program with existing incident management processes

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    1. Inventory what incident response plans the organization has. These include:
      1. Information Security Incident Response Plan
      2. IT Incident Plan
      3. Problem Management Plan
      4. Crisis Management Plan
    2. Identify what part of those plans contains the post-response recap or final analysis.
    3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

    Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

    Download the Vulnerability Management SOP Template

    Implement Risk-Based Vulnerability Management

    Phase 2

    Triage & prioritize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Step 2.1

    Triage vulnerabilities

    Activities
    • 2.1.1 Evaluate your identified vulnerabilities

    This step will walk you through the following activities:

    Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Triaging vulnerabilities

    Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

    When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

    • The intrinsic qualities of the vulnerability
    • The business criticality of the affected asset
    • The sensitivity of the data stored on the affected asset

    Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

    Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

    Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

    Info-Tech Insight

    This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

    Triage your vulnerabilities, filter out the noise

    Triaging enables your vulnerability management program to focus on what it should focus on.

    Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear.

    Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications.
    Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory.

    There are two major use cases for this process:
    1. For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory.
    2. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.
    The Info-Tech methodology for initial triaging of vulnerabilities:
    Flowchart of the Info-Tech methodology for initial triaging of vulnerabilities, beginning with 'Vulnerability has been identified' and ending with either 'Vulnerability has been triaged' or 'No action needed'.

    Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

    After eliminating the noise, evaluate your vulnerabilities to determine urgency

    Consider the intrinsic risk to the organization.

    Is there an associated, verified exploit?
    • For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
    • Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
    • Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.
    Is there a CVSS base score of 7.0 or higher?
    • Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
    • CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
    • Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.
    Is there potential for significant lateral movement?
    • Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
    • Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

    2.1.1 Evaluate your identified vulnerabilities

    60 minutes

    Input: Visio workflow of Info-Tech’s vulnerability management process

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

    The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

    1. Review the evaluation process in the Vulnerability Management Workflow library.
    2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
    3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

    Download the Vulnerability Management SOP Template

    Step 2.2

    Determine high-level business criticality

    Activities
    • 2.2.1 Determine high-level business criticality
    • 2.2.2 Determine your high-level data classifications

    This step will walk you through the following activities:

    Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Understanding business criticality is key to determining vulnerability urgency

    Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

    Use the questions below to help assess which operations are critical for the business to continue functioning.

    For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.

    Questions to askDescription
    Is there a hard-dollar impact from downtime?This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it impacts sales, and therefore, revenue.
    Is there an impact on goodwill/ customer trust?If downtime means delays in service delivery or otherwise impacts goodwill, there is an intangible impact on revenue that may make the associated systems mission critical.
    Is regulatory compliance a factor?Depending on the circumstances of the vulnerabilities, it can be a violation of regulatory compliance and would cause significant fines.
    Is there a health or safety risk?Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure that individuals’ health and safety are maintained. An exploited vulnerability that prevents these operations can directly impact the lives of these individuals.
    Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.

    Analyst Perspective

    When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term.

    Consider instead what the impact is over the first 24 or 48 hours of downtime.

    2.2.1 Determine high-level business criticality

    120 minutes; less time if a Disaster recovery plan business impact analysis exists

    Input: List of business operations, Insight into business operations impacts to the business

    Output: List of business operations and their criticality and impact to the business

    Materials: Vulnerability Management SOP Template

    Participants: Participants from the business, IT Security Manager, CISO, CIO

    1. List your core business operations at a high level.
    2. Use a High, Medium, or Low ranking to prioritize the business operations based on mission-critical criteria and the impact of the vulnerability.
    3. When using the process flow, consider if the vulnerability directly affects any of these business operations and move through the process flow based on the corresponding High, Medium, or Low ranking.
    Example prioritization of business operations for a manufacturing company:Questions to ask:
    1. Is there a hard-dollar impact from downtime?
    2. Is there impact on goodwill or customer trust?
    3. Is regulatory compliance a factor?
    4. Is there a health or safety risk?

    Download the Vulnerability Management SOP Template

    Determine vulnerability urgency by its data classification

    Consider how to classify your data based on if the Confidentiality, Integrity, or Availability (CIA) is compromised.

    To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if it were to be exploited by a vulnerability. Review the table below for an explanation for each objective.
    Confidentiality

    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    Integrity

    Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.

    Availability

    Ensuring timely and reliable access to and use of information.

    Each piece of data should be ranked as High, medium, or low across confidentiality, integrity, and availability based on adverse effect.Arrow pointing right.Low — Limited adverse effect

    Moderate — Serious adverse effect

    High — Severe or catastrophic adverse effect

    If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.

    How to determine data classification when CIA differs:

    The overall ranking of the data will be impacted by the highest objective’s ranking.

    For example, if confidentiality and availability are low, but integrity is high, the overall impact is high.

    This process was developed in part by Federal Information Processing Standards Publication 199.

    2.2.2 Determine your high-level data classifications

    120 minutes, less time if data classification already exists

    Input: Knowledge of data use and sensitivity

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, CISO, CIO

    If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:

    1. List common assets or applications that are prone to vulnerabilities.
    2. Consider the data that is on these devices and provide a high (severe or catastrophic adverse effect), medium (serious adverse effect), or low (limited adverse effect) ranking based on confidentiality, availability, and integrity.
      1. Use the table on the previous slide to assist in providing the ranking.
      2. Remember that it is the highest ranking that dictates the overall ranking of the data.
    3. Document which data belongs in each of the categories to provide contextual evidence.

    Download the Vulnerability Management SOP Template

    This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.

    Step 2.3

    Consider current security posture

    Activities
    • 2.3.1 Document your defense-in-depth controls

    This step will walk you through the following activities:

    Your defense-in-depth controls are the existing layers of security technology that protects your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Understanding and documentation of your current defense-in-depth controls.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Review your current security posture

    What you have today matters.
    • In most cases, your vulnerability scanning tool alone will not have the context of your security posture in the results of its scans. This can skew the true urgency of detected vulnerabilities in your environment.
    • What you have in place today is what comprises your organization’s overall security posture. This bears high relevance to the determination of the risk that a vulnerability poses to your environment.
    • Elements such as enterprise architecture and defense in depth mechanisms should be factored into determining the risk of a vulnerability and what kind of immediacy is warranted to address it.
    • Details of your current security posture will also contribute to the assessment and selection of remediation options.
    Stock image of toy soldiers split into two colours, facing eachother down.

    Enterprise architecture considerations

    What does your network look like?
    • Most organizations have a network topology that has been put in place with operational needs in mind. These includes specific vLANs or subnets, broadcast domains, or other methods of traffic segregation.
    • The firewall and network ACLs (access control lists) will manage traffic and the routes that data packets follow to traverse a network.
    • Organizations may physically separate data network types, for example, a network for IT services and one for operational technology (OT)(OT is often known as ICS (industrial control systems) or SCADA (supervisory control and data acquisition)) or other types of production technology.
    • The deployment of distribution and access switches across an enterprise can also be a factor, where a flatter network will have fewer network devices within the topology.
    • In a directory services environment such as Windows Active Directory, servers and applications can be segregated by domains and trust relationships, organizational units, and security groups.
    What’s the relevance to vulnerability management?

    For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question.

    Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit.

    This may potentially “buy time” for SecOps to address and remediate the vulnerability.

    Defense-in-depth

    Defense-in-depth provides extra layers of protection to the organization.

    • Defense-in-depth refers to the coordination of security controls to add layers of security to the organization.
      • This means that even if attackers are able to get past one control or layer, they are hindered by additional security.
    • Defense-in-depth is distinct from the previous section on enterprise architecture as these are security controls put in place with the purpose of being lines of defense within your security posture.
    • This can be extremely useful in managing vulnerabilities; thus, it is important to establish the existing defense-in-depth controls. By establishing the base model for your defense-in-depth, it will allow you to leverage these controls to manage vulnerabilities.
    • Controls are typically distributed across endpoints, network infrastructure, servers, and physical security.

    Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.

    Examples of defense-in-depth controls can consist of any of the following:
    • Antivirus software
    • Authentication security
    • Multi-factor authentication
    • Firewalls
    • Demilitarized zones (DMZ)
    • Sandboxing
    • Network zoning
    • Application whitelisting
    • Access control lists
    • Intrusion detection & prevention systems
    • Airgapping
    • User security awareness training

    2.3.1 Document your defense-in-depth controls

    2 hours, less time if a security services catalog exists

    Input: List of technologies within your environment, List of IT security controls that are in place

    Output: List of defense-in-depth controls

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO

    1. Document the existing defense-in-depth controls within your system.
    2. Review the initial list that has been provided and see if these are controls that currently exist.
    3. Indicate any other controls that are being used by the organization. This may already exist if you have a security services catalog.
    4. Indicate who the owners of the different controls are.
    5. Track the information in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Sample table of security controls within a Defense-in-depth model with column headers 'Defense-in-depth control', 'Description', 'Workflow', and 'Control Owner'.

    Step 2.4

    Risk assessment of vulnerabilities

    Activities
    • 2.4.1 Build a classification scheme to consistently assess impact
    • 2.4.2 Build a classification scheme to consistently assess likelihood

    This step will walk you through the following activities:

    Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.

    This step involves the following participants:

    • IT Security Manager
    • IT Operations Management
    • CISO
    • CIO

    Outcomes of this step

    A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that is reported by your scanning tool.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Vulnerabilities and risk

    Vulnerabilities must be addressed to mitigate risk to the business.
    • Vulnerabilities are a concern because they are potential threats to the business. Vulnerabilities that are not addressed can turn from potential threats into actual threats; it is only a matter of time and opportunity.
    • Your organization will already be familiar with risk management, as every decision carries a business risk component. There may even be a senior manager assigned as corporate risk officer to manage organizational risk.
    • The organization likely has a risk tolerance level that defines the organization’s risk appetite. This may be measured in dollars, non-productivity time, or other units of inefficiency.
    • The risk of a vulnerability can be calculated using impact and likelihood. Impact is the effect that the vulnerability will have if it is exploited by a malicious actor. Likelihood is the degree to which a vulnerability exploit can possibly occur.
    Stock image of a cartoon character in a tie hanging on the needle of a 'RISK' meter as it sits at 'LOW'.

    Info-Tech Insight

    Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.

    A risk-based approach to vulnerability management

    CVSS scores are just the starting point!

    Vulnerabilities are constant.
    • There will always be vulnerabilities in the environment, many of which won’t be reported as they are currently unknown.
    • Don’t focus on trying to resolve all vulnerabilities in your environment. You are neither resourced for it nor can the business tolerate the downtime needed to remediate every single vulnerability.
      • The constant follow of new vulnerabilities will quickly render your efforts useless and it will become a game of “whack-a-mole.”
    • Being able to prioritize which vulnerabilities require appropriate levels of response is crucial to ensuring that an organization stays ahead of the continual flow.
    • Your vulnerability scanning tool will report the severity of a vulnerability, often using an industry Common Vulnerability Scoring System (CVSS) system ranging from 0 to 10. It will then scan your environment for the presence of the vulnerability and report accordingly.
      • Your vulnerability scanning tool will not be aware of any mitigation components in your environment, such as compensating controls, network segregation, server/application hardening, or any other measures that can reduce the risk. That is why determining actual risk is a crucial step.

    Stock image of a whack-a-mole game.

    Info-Tech Insight

    Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.

    Prioritize remediation by levels of risk

    Address critical and high risk with high immediacy.

    • Addressing the critical and high-risk vulnerabilities with urgency will ensure that you are addressing a more manageable number of vulnerabilities.
    • An optimized vulnerability management process will address the medium and low risk vulnerabilities within the regular cycle.
    • This may be very similar to what you do today in an ad hoc fashion:
      • Zero-day vulnerabilities tend to warrant a stop in operations and are dealt with immediately (or as soon as a vendor has a fix).
      • The standard remediation process (patching/updating, change of configuration, etc.) happens within a regular controlled time cycle.
    • Formalizing this process will ensure that appropriate attention is given to vulnerabilities that warrant it and that the remaining vulnerabilities are dealt with as a regular, recurring activity.

    Mitigate the risk surface by reducing the time across the phases

    Chart titled 'Mitigate the risk surface by reducing the time across the phases' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. A note on the line reads 'Objective: Reduce risk surface by reducing time to address'. The area between the line and your organization's risk tolerance is labelled 'Risk Surface, to be addressed with high priority'. A bracket around Risk levels 'High' and 'Critical' reads 'Priority focus zone (risk surface)'. Risk lines within levels 'Low' and 'Medium' read 'Follow standard vulnerability management cycles'.

    Risk matrix

    Risk = Impact x Likelihood
    • Info-Tech’s Vulnerability Management Risk Assessment Tool provides a method of calculating the risk of a vulnerability. The risk rating is assigned using the impact of the risk and the likelihood or probability that the event may occur.
    • The tool puts the vulnerability into your organization’s context: How many people will be affected? What service types are vulnerable and how does that impact the business? Is there an anticipated update from the vendor of the system being affected?
    • Urgency of remediation should be based on the business consequences if the vulnerability were to be exploited, relative to the business’ risk tolerance.

    Info-Tech Insight

    Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.

    A risk matrix is useful in calculating a risk rating for vulnerabilities. Risk matrix with axes 'Impact' and 'Time' and individual vulnerabilities mapped onto it via their risk rating. The example 'Organizational Risk Tolerance Threshold' line runs diagonally through the 'Medium' squares.

    2.4.1 Build a classification scheme to consistently assess impact

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Impact. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', 'Network vulnerability', and 'Vendor patch release'.

    2.4.2 Build a classification scheme to consistently assess likelihood

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability that your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Likelihood. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', and 'Network vulnerability'.

    Prioritize based on risk

    Select the best remediation option to minimize risk.

    Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.

    • Remediation options will be identified for the higher urgency vulnerabilities.
    • Options will be assessed for whether they are appropriate.
    • They will be further tested to determine if they can be used adequately prior to full implementation.
    • Based on the assessments, the remediation will be implemented or another option will be considered.
    Prioritization
    1. Assignment of risk
    2. Identification of remediation options
    3. Assessment of options
    4. Implementation

    Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.

    Implement Risk-Based Vulnerability Management

    Phase 3

    Remediate vulnerabilities

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • Identifying potential remediation options.
    • Developing criteria for each option with regards to when to use and when to avoid.
    • Establishing exception procedure for testing and remediation.
    • Documenting the implementation of remediations and verification.

    This phase involves the following participants:

    • CISO, or equivalent
    • Security Manager/Analyst
    • Network, Administrator, System, Database Manager
    • Other members of the vulnerability management team
    • Risk managers for the risk-related steps

    Determining how to remediate

    Patching is only one option.

    This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
    • Identifying and selecting the remediation option to be used.
    • Determining what to do when a patch or update is not available.
    • Scheduling and executing the remediation activity.
    • Continuous improvement.

    Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.

    It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.

    Step 3.1

    Assessing remediation options

    Activities
    • 3.1.1 Develop risk and remediation action

    This step will walk you through the following activities:

    With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    List of remediation options and criteria on when to consider each.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Identify remediation options

    There are four options when it comes to vulnerability remediation.

    Patches and Updates

    Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.

    Configuration Changes

    Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.

    Remediation

    Compensating Controls

    By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.

    Risk Acceptance

    Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.

    Patches and updates

    Patches are often the easiest and most common method of remediation.

    Patches are usually the most desirable remediation solution when it comes to vulnerability management. They are typically provided by the vendor of the vulnerable application or system and are meant to eliminate the existing vulnerability.

    When to use

    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching for the affected systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.

    When to avoid

    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches, which is often the case for critical systems.
    When to consider other remediation options
    • For critical systems, it can be difficult to implement a patch as they often require the system to be rebooted or go through some downtime. There must be consideration towards whether there is a change window approaching if a patch is to be implemented on a business-critical system.
      • If there is no opportunity to implement the patch, or no approaching change window, it is wise to leverage another remediation option.
    • When patches are not currently available from the vendor or they are in production, other remediation options are needed.
    • Other remediation options can be used in tandem with the patch. For example, if a patch is being deferred until the change window, it would be wise to use alternate remediation options to close the vulnerability.

    Compensating controls

    Compensating controls can decrease the risk of vulnerabilities that cannot be (immediately) remediated.

    • Compensating controls are measures put in place when direct remediation measures are impractical or non-existent.
    • Similar to the payment card industry’s PCI DSS 1.0 provision of compensating controls, these are meant to meet the intent or rigor of the original requirement; unlike PCI DSS, these measures are to mitigate risk rather than meet compliance.
    • The compensating control should be viewed as only a temporary measure for dealing with a vulnerability, although circumstances may dictate a degree of permanence in the application of the compensating control.
    • Examples where compensating controls may be needed are:
      • The software vendor is developing an update or patch to address a vulnerability.
      • Through your testing process, a patch will adversely affect the performance or operation of the target system and be detrimental to the business.
      • A critical application will only run on a legacy operating system, the latter of which is no longer supported by the vendor.
      • A legacy application is no longer being supported but is critical to your operations. A replacement, if one exists, will take time to implement.
    Examples of compensating controls
    • Segregating a vulnerable server or application on the network, physically or logically.
    • Hardening the operating system or application.
    • Restricting user logins to the system or application.
    • Implementing access controls on the network route to the system.
    • Instituting application whitelisting.

    Configuration changes

    Configuration changes involve making changes directly to the application or system in which there is a vulnerability. This can vary from disabling or removing the vulnerable element or, in the case of applications built in-house, changing the coding of the application itself. These are commonly used in network vulnerabilities such as open ports.

    When to use

    • A patch is not available.
    • The vulnerable element can be significantly changed, or even disabled, without significantly disrupting the business.
    • The application is built in-house, as the vulnerability must be closed internally.
    • There is adequate testing to ensure that the configuration change does not affect the business.
    • A configuration change in your network or system can affect numerous endpoints or systems, reducing endpoint patching or use of defense-in-depth controls.

    When to avoid

    • When a suitable patch is available.
    • When the vulnerability is on a business-critical element with no nearby change window or it cannot be disabled.
    • When there is no opportunity in which to perform testing to ensure that there are no unintended consequences.
    When to consider other remediation options
    • Configuration changes require careful documentation as changes are occurring to the system and applications. If there is a need to perform a back-out process and return to the original configuration, this can be extremely difficult without clear documentation of what occurred.
    • If business systems are too critical or important to the regular business function to perform any changes, it is necessary to consider other options.

    Info-Tech Insight

    Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.

    Case Study

    Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.

    INDUSTRY: All
    SOURCE: Public Domain
    Challenge

    Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014.

    This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it.

    This was rated a 10/10 by CVSS – the highest possible score.

    Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.

    Solution

    Organizations had to react quickly and multiple remediation options were identified:

    • Configuration changes – Companies were recommended to use other shells instead of the Bash shell.
    • Defense-in-depth controls – Using HTTP server logs, it could be possible to identify if the vulnerability had been exploited.
    • Patches – Many vendors released patches to close this vulnerability including Debian, Ubuntu, and Red Hat.
    Results

    Companies began to protect themselves against these vulnerabilities.

    While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim.

    However, even today, many still have the Shellshock vulnerability and exploits continue to occur.

    Accept the risk and do nothing

    By choosing not to remediate vulnerabilities, you must accept the associated risk. This should be your very last option.

    Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, it can take away resources from other security initiatives as opposed to low-priority vulnerabilities that are extremely unlikely to be exploited.

    Common criteria for vulnerabilities that are not remediated:
    • Affected systems are of extremely low criticality.
    • Affected systems are deemed too critical to take offline to perform adequate remediation.
    • Low urgency is assigned to those vulnerabilities.
    • Cost and time required for the remediation are too high.
    • No adequate solutions exist – the vendor has not released a patch, there are weak defense-in-depth controls, and it is not possible to perform a configuration change.

    Risk acceptance is not uncommon…

    • With an ever-increasing number of vulnerabilities, organizations are struggling to keep up and often, intentionally or unintentionally, accept the risk associated.
    • In the end, non-remediation means full acceptance of the risk and any consequences.

    Enterprise risk management
    Arrow pointing up.
    Risk acceptance of vulnerabilities

    While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.

    Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.

    Risk considerations

    When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.

    Don’t accept the risk because it seems easy. Consider the financial impact of leaving vulnerabilities open.

    With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:

    Cost not to mitigate = W * T * R

    Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.

    As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:

    “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits:

    1,000 computers * 8 hours * $70/hour = $560,000”

    Info-Tech Insight

    Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.

    3.1.1 Develop risk and remediation action

    90 minutes

    Input: List of remediation options

    Output: List of remediation options sorted into “when to use” and “when to avoid” lists

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO

    It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.

    1. List each remediation option on a flip chart and create two headings: “When to use” and “When to avoid.”
    2. Each person will list “when to use” criteria on a green sticky note and “when to avoid” criteria on a red one for each option; these will be placed on the appropriate flip chart.
    3. Discuss as a group which criteria are appropriate and which should be removed.
    4. Move on to the next remediation option when completed.
      • Ensure to include when there are remediation options that will be connected. For example, the risk may be accepted until the next available change window, or a defense-in-depth control is used before a patch can be fully installed.
    5. Once the criteria has been established, document this in the Vulnerability Management SOP Template.
    When to use:
    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching, especially for critical systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.
    When to avoid:
    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it has caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches.
    (Example from the Vulnerability Management SOP Template for Patches.)

    Download the Vulnerability Management SOP Template

    Step 3.2

    Scheduling and executing remediation

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although there are no specific activities for this section, it will walk you through your existing processes configuration and change management to ensure that you are leveraging those activities in your vulnerability remediation actions.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Gained understanding of how IT operations processes configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Implementing the remediation

    Vulnerability management converges with your IT operations functions.
    • Once a remediation strategy has been formulated, you can leverage your release and change management processes to orchestrate the testing, version tracking, scheduling, approval, and implementation activities.
    • Each of these processes should exist in your environment in some form. Leveraging these will engage the IT operations team to carry out their tasks in the remediation process.
    • There can be a partial or full handoff to these processes, however, the owner of the vulnerability management program is responsible for verifying the application of the remediation measure and that the overall risk has been reduced.
    • Although full blueprints exist that cover each of these processes in great detail, the following slides provide an overview of each of these IT operations processes and how they intersect with vulnerability management.
    Stock image of a person on a laptop overlaid by an icon with gears indicating settings.

    Release Management

    Control the quality of deployments and releases of software updates.

    • The release management process exists to ensure that new software releases (such as patches and updates) are properly tested and documented with version control prior to their implementation into the production environment.
    • The process should map out the logistics of the deployment process to ensure that it is consistent and controlled.
    • Testing is an important part of release management and the urgency of a vulnerability remediation operation can expedite this process to ensure minimal delays. Once testing has been completed successfully, the update is then “promoted” to production-ready status and submitted into the change management process.
    • Often a separate release team may not exist, however, release management still occurs.

    For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.

    Info-Tech Insight

    Many organizations don’t have a separate release team. Rather, whomever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process.

    For guidance on the change management process review our Optimize Change Management blueprint.

    Change Management

    Leverage change control, interruption management, approval, and scheduling.
    • Change management likely exists in some shape or form in your organization. There is usually someone or a committee, such as a change advisory board (CAB), that gives approval for a change.
    • Leveraging the change management process will ensure that your vulnerability remediation has undergone the proper review and approval before implementation. There will usually be business sign-off as part of a change management approval process.
    • Communication will also be integrated in the change management process, so the change manager will ensure that appropriate, timely communications are sent to the proper key stakeholders.
    • The change management process will link to release management and configuration management processes if they exist.

    For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)

    Post-implementation activities

    Vulnerability remediation isn’t a “set it and forget it” activity.
    • Once vulnerability remediation has occurred, it is imperative that the results are reported back to the vulnerability management program manager. This ensures that the loop is closed and the tracking of the remediation activity is done properly.
      • Organizations that are subject to audit by external entities will understand the importance of such documentation.
    • The results of post-implementation review from the change management process will be of great interest, particularly if there was any deviation from the planned activities.
    • Although change execution will usually undergo some form of testing during the maintenance window, there is always the possibility that something has broken as a result of the software update. Be quick to respond to these types of incidents!
      • One example of an issue that is near impossible to test during a maintenance window is one that manifests only when the system or software comes under load. This is what makes for busy Monday mornings after a weekend change window.
    A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.

    Info-Tech Insight

    After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.

    Step 3.3

    Continuous improvement

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although this section has no activities, it will review the process by which you may continually improve vulnerability management.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    An understanding of the importance of ongoing improvements to the vulnerability management program.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Drive continuous improvement

    • Also known as “Continual Improvement” within the ITIL best practice framework.
    • Your vulnerability management program will not be perfect on first launch. In fact, due to the ever-changing nature of vulnerabilities and the technology designed to detect and combat vulnerabilities, the processes within your vulnerability management program will need to be tweaked from time to time.
    • Continuous improvement is a sustained, proactive approach to process improvement. The practice allows for all process participants to observe and suggest incremental improvements that can help improve the overall process.
    • In many cases, continuous improvement can be triggered by changes in the environment. This makes perfect sense for vulnerability management process improvement as a change in the environment will require vulnerability scanning to ensure that such changes have not introduced new vulnerabilities into the environment, increasing your risk surface.
    • One key method to tracking continuous improvement is through the effective use of metrics, covered in Section 4.1 of this blueprint.
    “The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)

    Continuous Improvement

    Continuously re-evaluate the vulnerability management process.

    As your systems and assets change, your vulnerability management program may need updates in two ways.

    When new assets and systems are introduced:

    • When new systems and assets are introduced, it is important for organizations to recognize how these can affect vulnerability management.
    • It will be necessary to identify the business criticality of the new assets and systems and the sensitivity of the data that can be found on them.
    • Without doing so, these will be considered rogue systems or assets – there is no clear process for assigning urgencies.
    • This will only cause problems as actions may be taken that are not aligned with the organization’s risk management framework.

    Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help.

    Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.

    When defense-in-depth capabilities are modified:

    • As you build an effective security program, more controls will be added that can be used to protect the organization.
    • These should be documented and evaluated based on ability to mitigate against vulnerabilities.
    • The defense-in-depth model that was previously established should be updated to include the new capabilities that can be used.
    • Defense-in-depth models are continually evolving as the security landscape evolves, and organizations must be ready for this.

    To assist in building a defense-in-depth model, review Build an Information Security Strategy.

    Implement Risk-Based Vulnerability Management

    Phase 4

    Measure and formalize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • You will determine what ought to be measured to track the success of your vulnerability management program.
    • If you lack a scanning tool this phase will help you determine tool selection.
    • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • Procurement representatives
    • CISO
    • CIO

    Step 4.1

    Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Activities
    • 4.1.1 Measure your program with metrics, KPIs, and CSFs

    This step will walk you through the following activities:

    After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    Outline of metrics you can configure your vulnerability scanning tool to report on.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    You can’t manage what you can’t measure

    Metrics provides visibility.

    • Management consultant Peter Drucker introduced the concept of metrics tied to key performance indicators (KPIs), and the concept holds true: without metrics, you lack the visibility to manage or improve a process.
    • Metrics aren’t just a collection of statistics, they have to be meaningful, they have to tell the story, and most importantly, they have to answer the “so what?” question. What is the significance of a metric – do they illustrate a trend or an anomaly? What actions should be carried out when a metric hits a certain threshold?
    • It would be prudent to track several metrics that can be combined to tell the full story. For example, tracking the number of critical vulnerabilities alone does not give a sense of the overall risk to the organization, nor does it offer any information on how quickly they have been remediated or what amount of effort was invested.
    Stock image of measuring tape.

    Metrics, KPIs, and CSFs

    Tracking the right information and making the information relevant.
    • There is often confusion between raw metrics, key performance indicators, and critical success factors.
    • Raw metrics are what is trackable from your systems and processes as a set of measurements without any context. Raw metrics in themselves are useful in telling the story of “what are we doing?”
    • KPIs are the specific metric or combination of metrics that help you track or gauge performance. KPIs tell the story of “how are we doing?” or “how well are we doing?”
    • CSFs are the specific KPIs that track the activities that are absolutely critical to accomplish for the business or business unit to be successful.
    The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.

    If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:

    • The raw metrics are your heart rate, step count, hours of sleep, caloric intake, etc.
    • KPIs are the individual goals that you have set: maintain a heart rate within the appropriate range for your age/activity level, achieve a step count goal per day, get x hours of sleep per night, consume a calorie range of y per day, etc.
    • CSFs are your overall goal: increase your cardiovascular capacity, lose weight, feel more energetic, etc.

    Your security systems can be similarly measured and tracked – transfer this skill!

    Tracking relevant information

    Tell the story in the numbers.

    Below are a number of suggested metrics to track, and why.

    Business Goal

    Critical Success Factor

    Key Performance Indicator

    Metric to track

    Minimize overall risk exposureReduction of overall risk due to vulnerabilitiesDecrease in vulnerabilitiesTrack the number of vulnerabilities year after year.
    Appropriate allocation of time and resourcesProper prioritization of vulnerability mitigation activitiesDecrease of critical and high vulnerabilitiesTrack the number of high-urgency vulnerabilities.
    Consistent timely remediation of threats to the businessMinimize risk when vulnerabilities are detectedRemediate vulnerabilities more quicklyMean time to detect: track the average time between the identification to remediation.
    Track effectiveness of scanning toolMinimize the ratio, indicating that the tool sees everythingRatio between known assets and what the scanner tracksScanner coverage compared to known assets in the organization.
    Having effective tools to track and addressAccuracy of the scanning toolDifference or ratio between reported vulnerabilities and verified onesNumber of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality.
    Reduction of exceptions to ensure minimal exposureVisibility into persistent vulnerabilities and risk mitigation measuresNumber of exceptions grantedNumber of vulnerabilities in which little or no remediation action was taken.

    4.1.1 Measure your program with metrics, KPIs, and CSFs

    60 minutes

    Input: List of metrics current being measured by the vulnerability management tool

    Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT operations management, CISO

    Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.

    1. Determine the high-level vulnerability management goals for the organization.
    2. Even with a formal process in place, the organization should be considering ways it can improve.
    3. Determine metrics that can help quantify those goals and how they can be measured.
    4. Metrics should always be easy to measure. If it’s a complex process to find the information required, it means that it is not a metric that should be used.
    5. Document your list of metrics in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Step 4.2

    Vulnerability Management Policy

    Activities
    • 4.2.1 Update the vulnerability management program policy

    This step will walk you through the following activities:

    If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.

    This step involves the following participants:

    • IT Security Manager
    • CISO
    • CIO
    • Human resources representative

    Outcomes of this step

    An inaugural policy covering vulnerability management

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability Management Program Policy

    Policies provide governance and enforcement of processes.
    • Policies offer formal guidance on the “rules” of a program, describing its purpose, scope, detailed program description, and consequences of non-compliance. Often they will have a employee sign-off acknowledging understanding.
    • In many organizations, policies are endorsed by senior executives, which gives the policy its “teeth” across the company. The human resources department will always have input due to the implications of the non-compliance aspect.
    • Policies are written to ensure an outcome of consistent expected behavior and are often written to protect the company from liability.
    • Policies should be easy to understand and unambiguous, reflect the current state, and be enforceable. Enforceability can come in the form of audit, technology, or any other means of determining compliance and enforcing behavior.
    Stock image of a judge's gavel.

    4.2.1 Update the vulnerability management policy

    60 minutes

    Input: Vulnerability Management SOP, HR guidance on policy creation and approval

    Output: Completed Vulnerability Management Policy

    Materials: Vulnerability Management SOP, Vulnerability Management Policy Template

    Participants: IT Security Manager, IT operations management, CISO, Human resources representative

    After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process will be around the specific actions that need to be taken around vulnerability management.

    This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
    1. Review Info-Tech’s Vulnerability Management Policy and customize it to your organization’s specifications.
    2. Use your Vulnerability Management SOP as a resource when specifying some of the details within the policy.
    Sample of Info-Tech's Vulnerability Management Policy Template

    Download the Vulnerability Management Policy Template

    Step 4.3

    Select and implement a scanning tool

    Activities
    • 4.3.1 Create an RFP for vulnerability scanning tools

    This step will walk you through the following activities:

    If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability management and penetration testing

    Similar in nature, yet provide different security functions.

    Vulnerability Scanning Tools

    Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.

    Exploitation Tools

    These tools will look to exploit a detected vulnerability to validate it.

    Penetration Tests

    A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)

    ‹————— What’s the difference again? —————›
    Vulnerability scanning tools are just one type of tool.When you add an exploitation tool to the mix, you move down the spectrum.Penetration tests will use scanning tools, exploitation tools, and people.

    What is the value of each?

    • For vulnerability scans, the person performing the scan provides the value – value comes from the organization itself.
    • For exploitation tools on their own, the value comes from the tool itself being used in a safe environment.
    • For penetration tests, the tester is providing the value. They are the value add.

    What’s the implication for me?

    Info-Tech Recommends:
    • A combination of vulnerability scanning and penetration testing. This will improve your security posture through systematic risk reduction and improve your security program through the testing of prevention, detection, and response capabilities with unique recommendations being generated.
    • Start with as much vulnerability scanning as possible to identify gaps to fix and then move onto a penetration test to do a more robust and validated assessment.
    • For penetration tests, start with a transparent box test first, then move to an opaque box. Ideally, this is done with different third parties.

    Vulnerability scanning software

    All organizations can benefit from having one.

    Scanning tools will benefit areas beyond just vulnerability management

    • Network security: It improves the accuracy and granularity of your network security technologies such as WAFs, NGFWs, IDPS, and SIEM.
    • Asset management: Vulnerability scanning can identify new or unknown assets and provide current status information on assets.
    • System management: Information from a vulnerability scan supports baselining activities and determination of high-value and high-risk assets.

    Vulnerability Detection Use Case

    Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.

    Compliance Use Case

    Others will use scanners just for compliance, auditing, or larger GRC reasons.

    Asset Discovery Use Case

    Many organizations will use scanners to perform active host and application identification.

    Scanning Tool Market Trends

    Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.

    Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:

    • Core Impact is an exploitation tool with vulnerability scanning aspects.
    • Metasploit is an exploitation tool with some new vulnerability scanning aspects.
    • Nessus is mainly a vulnerability scanning tool but has some exploitation aspects.

    Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.

    Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.

    Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.

    Vulnerability scanning market

    There are several technology types or functional differentiators that divide the market up.

    Vulnerability Exploitation Tools

    • These will actually test defences and better emulate real life than just scanning. These tools include packet manipulation tools (such as hping) and password cracking tools (such as John the Ripper or Cain and Abel).
    • These tools will provide much more granular information on your network, operations systems, and applications.
    • The main limitation of these tools is how to use them. If you do not have development or test environments that mimic your real production environments to run the exploit tools, these tools may not be appropriate. It may work if you can find some downtime on production systems, but only in very specific and careful instances.
    • Lower maturity security programs usually just do network and application vulnerability scanning. Higher maturity programs will also use penetration testing, application testing, and vulnerability exploitation tools.
    • Network vulnerability scanning tools should always be used. Once you identify any servers or ports running web applications, then you run a web application vulnerability scanner.
    • Exploitation tools and application testing tools are used in more specific use cases that are often related to more-demanding security programs.

    Scanning Tool Market Trends

    • These are considered baseline tools and are near commoditization.
    • Vulnerability scanning tools are not granular enough to detect application-level vulnerabilities (thus the need for application scanners and testing tools) and they don’t validate the exploitability of the vulnerability (thus the need for exploit tools).

    Web Application Scanning Tools

    These tools perform dynamic application security testing (DAST) and static application security testing (SAST).

    Application Scanning and Testing Tools

    • These perform a detailed scan against an application to detect any problematic or malicious code and try to break the application using known vulnerabilities.
    • These tools will identify if something is vulnerable to an exploit but won’t actually run the exploit.
    • These tools are evaluated based on their ability to detect application-specific issues and validate them.

    Vulnerability scanning tool features

    Evaluate vulnerability scanning tools on specific features or functions that are the best differentiators.

    Differentiator

    Description

    Deployment OptionsDo you want a traditional on-premises, cloud-based, or managed service?
    Vulnerability Database CoverageScanners use a library of known vulnerabilities to test for. Evaluate based on the amount of exploits/vulnerabilities the tool can scan for.
    Scanning MethodEvaluate if you want agent-based, authenticated active, unauthenticated active, passive, or some combination of those scanning methods.
    IntegrationWhat is the breadth of other security and non-security technologies the tool can integrate with?
    RemediationHow detailed are the recommended remediation actions? The more granular, the better.

    Differentiator

    Description

    PrioritizationDoes the tool evaluate vulnerabilities based on commonly accepted methods or through a custom-designed prioritization methodology?
    Platform SupportWhat is the breadth of environment, application, and device support in the tool? Consider your need for virtual support, cloud support, device support, and application-specific support. Also consider how often new scanning modules are supported (e.g. how quickly Windows 10 was supported).
    PricingAs with many security controls that have been around for a long time and are commonly used, pricing becomes a main consideration, especially when there are so many open-source options available.

    Common areas people mistake as tool differentiators:

    • Accuracy – Scanning tools are evaluated more on efficiency than effectiveness. Evaluate on the ability to detect, remediate, and manage vulnerabilities rather than real vulnerability detection and the number of false positives. To reduce false positives, you need to use exploitation tools.
    • Performance – Scanning tools have such a small footprint in an environment and the actual scanning itself is such a small impact that evaluation on performance doesn’t matter.

    For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.

    Vulnerability scanning deployment options

    Understand the different deployment options to identify which is best for your security program.

    Option

    Description

    Pros

    Cons

    Use Cases

    On-PremisesEither an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning.
    • Small resource need, so limited network impact.
    • Strong internal scanning.
    • Easier integration with other technologies.
    • Network footprint and resource usage.
    • Maintenance and support costs.
    • Most common deployment option.
    • Appropriate if you have cloud concerns or strong internal network scanning, or if you require strong integration with other systems.
    CloudEither hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.”
    • Small network footprint.
    • On-demand scanning as needed.
    • Optimal external scanning capabilities.
    • Can only do edge-related scanning unless authenticated or agent based.
    • No internal network scanning with passive or unauthenticated active scanning methods.
    • Very limited network resources.
    • Compliance obligations that dictate external vulnerability scanning.
    ManagedA third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere.
    • Expert management of environment scanning, optimizing tool usage.
    • Most scanning work time is report customization and tuning and remediation efforts; thus, managed doesn’t provide sizable resource alleviation.
    • Third party has and owns the vulnerability information.
    • Limited staff resources or expertise to maintain and manage scanner.

    Vulnerability scanning methods

    Understand the different scanning methods to identify which tool best supports your needs.

    Method

    Description

    Pros

    Cons

    Use Cases

    Agent-Based ScanningLocally installed software gives the information needed to evaluate the security posture of a device.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Device processing, memory, and network bandwidth impact.
    • Asset without an agent is not scanned.
    • Need for continuous scanning.
    • Organization has strong asset management
    Authenticated Active ScanningTool uses authenticated credentials to log in to a device or application to perform scanning.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Best accuracy for vulnerability detection across a network.
    • Aggregation and centralization of authenticated credentials creates a major risk.
    • All use cases.
    Unauthenticated Active ScanningScanning of devices without any authentication.
    • Emulates realistic scan by an attacker.
    • Provides limited scope of scanning.
    • Some compliance use cases.
    • Perform after either agent or authenticated scanning.
    Passive ScanningScanning of network traffic.
    • Lowest resource impact.
    • Not enough information can be provided for true prioritization and remediation.
    • Augmenting scanning technique to agent or authenticated scanning.

    IP Management and IPv6

    IP management and the ability to manage IPv6 is a new area for scanning tool evaluation.

    Scanning on IPv4

    Scanning tools create databases of systems and devices with IP addresses.
    Info-Tech Recommends:

    • It is easier to do discovery by directing the scanner at a set IP address or range of IP addresses; thus, it’s useful to organize your database by IPs.
    • Do discovery by phases: Start with internet-facing systems. Your perimeter usually is well-defined by IP addresses and system owners and is most open to attack.
    • Stipulate a list of your known IP addresses through the DHCP registration and perform a scan on that.
    • Depending on your IP address space, another option is to scan your entire IP address space.

    Current Problem With IP Addresses

    IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties.

    Even if it is your range, chances are you don't do static IP ranges today.

    Info-Tech Recommends:

    • Agent-based scanning or MAC address-based scanning
    • Use your DHCP for scanning

    Scanning on IPv6

    First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.

    If you are moving to IPv6, Info-Tech recommends the following:

    • Because you cannot point a scanner at an IPv6 IP range, any scanning tool needs to have a strategy around how to handle IPv6 and properly scan based on IP ranges.
    • You need to know IPv4 to IPv6 translations.
    • Evaluate vulnerability scanning tools on whether any IPv6 features are on par with IPv4 features.

    If you are already on IPv6, Info-Tech recommends the following:

    • If you are on an IPv6 native network, it is nearly impossible to scan the network. You have to always scan your known addresses from your DHCP.

    4.3.1 Create an RFP for vulnerability scanning tools

    2 hours

    Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your scanning tool RFP, based on people, process, and technology requirements.
    2. Consider items such as the desired capabilities and the scope of the scanning.
    3. Conduct interviews with relevant stakeholders to determine the exact requirements needed.
    4. Use Info-Tech’s Vulnerability Scanning Tool RFP Template. It lists many requirements but can be customized to your organization’s specific needs.

    Download the Vulnerability Scanning Tool RFP Template

    4.3.1 Create an RFP for vulnerability scanning tools (continued)

    Things to Consider:
    • Ensure there is adequate resource dedication to support and maintenance for vulnerability scanning.
    • Consider if you will benefit from an RFP. If there is a more appropriate option for your need and your organization, consider that instead.
    • If you don’t know the product you want, then perform an RFI.
    • In the RFP, you need to express your driving needs for the tool so the vendor can best understand your use case.
    • Identify who should participate in the RFP creation and evaluation. Make sure they have time available and it does not conflict with other items.
    • Determine if you want to send it to a select few or if you want to send it to a lot of vendors.
    • Determine a response date so you can know who is soliciting your business.
    • You need to have a process to handle questions from vendors.
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Vulnerability Scanning Tool RFP Template

    Step 4.4

    Penetration testing

    Activities
    • 4.1.1 Create an RFP for penetration tests

    This step will walk you through the following activities:

    We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.

    We provide a request for proposal (RFP) template that we can review if this is an area of interest.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Penetration testing

    Penetration tests are critical parts of any strong security program.

    Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.

    Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability.

    The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.

    Reasons to Test:

    • Assess current security control effectiveness
    • Develop an action plan of items
    • Build a business case for a better security program
    • Increased security budget through vulnerability validation
    • Third-party, unbiased validation
    • Adhere to compliance or regulatory requirements
    • Raise security awareness
    • Demonstrate how an attacker can escalate privileges
    • Effective way to test incident response

    Regulatory Considerations:

    • There is a lot of regulatory wording saying that organizations can’t get a system that is managed, integrated, and supported by one vendor and then have it tested by the same vendor.
    • There is the need for separate third-party testing.
    • Penetration testing is required for PCI, cloud providers, and federal entities.

    How and where is the value being generated?

    Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.

    “A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)

    Start by considering the spectrum of penetration tests

    Network Penetration Tests

    Conventional testing of network defences.

    Testing vectors include:

    • Perimeter infrastructure
    • Wireless, WEP/WPA cracking
    • Cloud penetration testing
    • Telephony systems or VoIP
    Types of tests:
    • Denial-of-service testing
    • Out-of-band attacks
    • War dialing
    • Wireless network testing/war driving
    • Spoofing
    • Trojan attacks
    • Brute force attacks
    • Watering hole attacks
    • Honeypots
    • Cloud-penetration testing
    Application Penetration Tests

    Core business functions are now being provided through web applications, either to external customers or to internal end users.

    Types: Web apps, non-web apps, mobile apps

    Application penetration and security testing encompasses:

    • Code review – analyzing the application code for sensitive information of vulnerabilities in the code.
    • Authorization testing – testing systems responsible for user session management to see if unauthorized access can be permitted.
    • Authentication process for user testing.
    • Functionality testing – test the application functionality itself.
    • Website pen testing – active analysis of weaknesses or vulnerabilities.
    • Encryption testing – testing things like randomness or key strength.
    • User-session integrity testing.
    Human-Centric Testing
    • Penetration testing is developing a people aspect as opposed to just being technology focused.
    • End users and their susceptibility to social engineering attacks (spear phishing, phone calls, physical site testing, etc.) is now a common area to test.
    • Social engineering penetration testing is not only about identifying your human vulnerabilities, but also about proactively training your end users. As well as discovering and fixing potential vulnerabilities, social engineering penetration testing will help to raise security awareness within an organization.

    Info-Tech Insight

    Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.

    Penetration testing types

    Evaluate four variables to determine which type of penetration test is most appropriate for your organization.

    Evaluate these dimensions to determine relevant penetration testing.

    Network, Application, or Human

    Evaluate your need to perform different types of penetration testing.

    Some level of network and application testing is most likely appropriate.

    The more common decision point is to consider to what degree your organization requires human-centric penetration testing.

    External or Internal

    External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.)

    Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.

    Transparent, Semi-Transparent, or Opaque Box

    Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability.
    Use cases: emulating a real-life attack; testing detection and response capabilities; limited network segmentation.

    Transparent Box: Tester is provided full disclosure of information. The tester will have access to everything they need: building floor plans, data flow designs, network topology, etc. This represents what a credentialed and knowledgeable insider would do.
    Use cases: full assessment of security controls; testing of attacker traversal capabilities.

    Aggressiveness of the Test

    Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.

    Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.

    Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.

    Penetration testing scope

    Establish the scope of your penetration test before engaging vendors.

    Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.

    Organizations need to define boundaries, objectives, and key success factors.

    For scope:
    • If you go too narrow, the realism of the test suffers.
    • If you go too broad, it is more costly and there’s a possible increase in false positives.
    • Balance scope vs. budget.
    Boundaries to scope before a test:
    • IP addresses
    • URLs
    • Applications
    • Who is in scope for social engineering
    • Physical access from roof to dumpsters defined
    • Scope prioritized for high-value assets
    Objectives and key success factors to scope:
    • When is the test complete? Is it at the point of validated exploitation?
    • Are you looking for as many holes as possible, or are you looking for how many ways each hole can be exploited?

    What would be out of scope?

    • Are there systems, IP addresses, or other things you want out of scope? These are things you don’t explicitly want any penetration tester to touch.
    • Are there third-party connections to your environment that you don’t want to be tested? These are instances such as cloud providers, supply chain connections, and various services.
    • Are there things that would be awkward to test? For example, determine if you include high-level people in a social engineering test. Do you conduct social engineering for the CEO? If you get their credentials, it could be an awkward moment.

    Ways to break up a penetration test:

    • Location – This is the most common way to break up a penetration test.
    • Division – Self-contained business units are often done as separate tests so you can see how each unit does.
    • IT systems – For example, you put certain security controls in a firewall and want to test its effectiveness.
    • Applications – For example, you are launching a new website or a new portal and you want to test it.

    Penetration testing appropriateness

    Determine your penetration testing appropriateness.

    Usual instances to conduct a penetration test:
    • Setting up a new physical office. Penetration testing will not only test security capabilities but also resource availability and map out network flows.
    • New infrastructure hardware implemented. All new infrastructure needs to be tested.
    • Changes or upgrades to existing infrastructure. Need for testing varies depending on the size of the change.
    • New application deployment. Need to test before being pushed to production environments.
    • Changes or upgrades to existing applications. When fundamental functional changes occur, perform testing:
      • Before upgrades or patching
      • After upgrades or patching
    • Periodic testing. It is a best practice to periodically test your security control effectiveness. Consider at least an annual test.

    Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.

    Assess your threats to determine your appropriate test type:

    Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.

    • Are external attackers concerning to you? Are you distressed about how an attacker can use brute force to enter your network? If so, focus on ingress points, such as FWs, routers, and DMZ.
    • Is social engineering a concern for you (i.e. phone-based or email-based)? Then you are concerned about a credentialed hacker.
    • Is it an insider threat, a disgruntled employee, etc.? This also includes an internal system that is under command and control (C&C).

    ANALYST PERSPECTIVE: Do a test only after you take a first pass.
    If you have not done some level of vulnerability assessment on your own (performing a scan, checking third-party sources, etc.) don’t waste your money on a penetration test. Only perform a penetration test after you have done a first pass and identified and remediated all the low-hanging fruit.

    4.4.1 Create an RFP for penetration tests

    2 hours

    Input: List of criteria and scope for the penetration test, Systems and application information if white box

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Penetration Test RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your penetration test RFP based on people, process, and technology requirements.
      • Consider items such as your technology environment and the scope of the penetration tests.
    2. Conduct an interview with relevant stakeholders to determine the exact requirements needed.
    3. Use Info-Tech’s Penetration Test RFP Template, which lists many requirements but can be customized to your organization’s specific needs.

    Download the Penetration Test RFP Template

    4.4.1 Create an RFP for penetration tests (continued)

    Steps of a penetration test:
    1. Determine scope
    2. Gather targeted intelligence
    3. Review exploit attempts, such as access and escalation
    4. Test the collection of sensitive data
    5. Run reporting
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Penetration Test RFP Template

    Penetration testing considerations – service providers

    Consider what type of penetration testing service provider is best for your organization

    Professional Service Providers

    Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.

    Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.

    Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.

    Integrators

    Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.

    Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.

    Info-Tech Recommends:

    • Always be conscientious of who is conducting the testing and what else they offer. Even if you get another party to test rather than your technology provider, they will try to obtain you as a client. Remember that for larger technology vendors, security testing is a small revenue stream for them and it’s a way to find technology clients. They may offer penetration testing for free to obtain other business.
    • Most of the penetration testers were systems administrators (for network testing) or application developers (for application testing) at some point before becoming penetration testers. Remember this when evaluating providers and evaluating remediation recommendations.
    • Evaluate what kind of open-source tools, commercial tools, and proprietary tools are being used. In general, you don’t want to rely on an open-source scanner. For open source, they will have more outdated vulnerability databases, system identification can also be limited compared to commercial, and reporting is often lacking.
    • Above all else, ensure your testers are legally capable, experienced, and abide by non-disclosure agreements.

    Penetration testing best practices – communications

    Communication With Service Provider

    • During testing there should be designated points of contact between the service provider and the client.
    • There needs to be secure channels for communication of information between the tester and the client both during the test and for any results.
    • Results should always be explained to the client by the tester, regardless of the content or audience.
    • There should be a formal debrief with the results report.
    Immediate reporting of issues
    • Before any testing commences, immediate reporting conditions need to be defined. These are instances when you would want immediate notification of something occurring.
    • Stipulate certain systems or data types that if broken into or compromised, you would want to be notified right away.
    • Example:
      • If you are conducting social engineering, require notification for all account credentials that are compromised. Once credentials are compromised, it destroys all accountability for those credentials and the actions associated with those credentials by any user.
      • Require immediate reporting of specific high-critical systems that are compromised or if access is even found.
      • Require immediate reporting when regulated data is discovered or compromised in any way.

    Communication With Internal Staff

    Do you tell your internal staff that this is happening?

    This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.

    Pros to notifying:
    • This tests the organization’s security monitoring, incident detection, and response capabilities.
    • Letting the team know they are going to see some activity will make sure they don’t get too worried about it.
    • There may be systems you can’t jeopardize but still need to test so notification beforehand is essential (e.g. you wouldn’t allow ERP testing with notification).
    Cons:
    • It does not give you a real-life example of how you respond if something happens.
    • Potential element of disrespect to IT people.

    Penetration testing best practices – results and remediation

    What to expect from penetration test results report:

    A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.

    Expect four major sections:
    • Introduction. An overview of the penetration test methodology including rating methodology of vulnerabilities.
    • Executive Summary. A management-level description of the test, often including a summary of any recommendations.
    • Technical Review. An overview of each item that was looked at and touched. This area breaks down what was done, how it was done, what was found, and any related remediation recommendations. Expect graphs and visuals in this section.
    • Detailed Findings. An in-depth breakdown of all testing methods used and results. Each vulnerability will be explained regarding how it was detected, what the risk is, and what the remediation recommendation is.
    Two areas that will vary by service provider:

    Prioritization

    • Most providers will boast their unique prioritization methodology.
    • A high, medium, and low rating scale based on some combination of variables (e.g. ease of exploitation, breadth of hole, information accessed resulting in further exploitation).
    • The prioritization won’t take into account asset value or criticality.
    • Keep in mind the penetration test is not an input into ultimate vulnerability prioritization, but it can help determine your urgency.

    Remediation

    • Remediation recommendations will vary across providers.
    • Generally, fairly generic recommendations are provided (e.g. remove your old telnet and input up-to-date SSH).
    • Most of the time, it is along the lines of “we found a hole; close the hole.”

    Summary of Accomplishment

    Problem Solved

    At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.

    Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.

    The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.

    With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.

    Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Jimmy Tom.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Sample of the Implement Vulnerability Management storyboard.
    Review of the Implement Vulnerability Management storyboard
    Sample of the Vulnerability Mitigation SOP template.
    Build your vulnerability management SOP

    Contributors

    Contributors from 2016 version of this project:

    • Morey Haber, Vice President of Technology, BeyondTrust
    • Richard Barretto, Manager, Information Privacy and Security, Cimpress
    • Joel Shapiro, Vice President Sales, Digital Boundary Group

    Contributors from current version of this project:

    • 2 anonymous contributors from the manufacturing sector
    • 1 anonymous contributor from a US government agency
    • 2 anonymous contributors from the financial sector
    • 1 anonymous contributor from the medical technology industry
    • 2 anonymous contributors from higher education
    • 1 anonymous contributor from a Canadian government agency
    • 7 anonymous others; information gathered from advisory calls

    Bibliography

    Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.

    Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.

    Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.

    “CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.

    Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.

    Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.

    Lefkowitz, Josh. ““Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.

    Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.

    “National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.

    “OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.

    “OVAL.” OVAL. Accessed 21 Oct. 2020.

    Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.

    Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.

    “Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.

    Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.

    “The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.

    “Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.

    Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.

    “Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.

    “What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.

    White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.

    Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov 2020.

    Make Prudent Decisions When Increasing Your Salesforce Footprint

    • Buy Link or Shortcode: {j2store}134|cart{/j2store}
    • member rating overall impact (scale of 10): 8.9/10 Overall Impact
    • member rating average dollars saved: $55,224 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Too often, organizations fail to achieve economy of scale. They neglect to negotiate price holds, do not negotiate deeper discounts as volume increases, or do not realize there are already existing contracts within the organization.
    • Understand what to negotiate. Organizations do not know what can and cannot be negotiated, which means value gets left on the table.
    • Integrations with other applications must be addressed from the outset. Many users buy the platform only to realize later on that the functionality they wanted does not exist and may be an extra expense with customization.

    Our Advice

    Critical Insight

    • Buying power dissipates when you sign the contract. Get the right product for the right number of users for the right term and get it right the first time.
    • Getting the best price does not assure a great total cost of ownership or ROI. There are many components as part of the purchasing process that if unaccounted for can lead to dramatic and unbudgeted spend.
    • Avoid buyer’s remorse through due diligence before signing the deal. If you need to customize the software or extend it with a third-party add-in, identify your costs and timelines upfront. Plan for successful adoption.

    Impact and Result

    • Centralize purchasing instead of enabling small deals to maximize discount levels by creating a process to derive a cost-effective methodology when subscribing to Sales Cloud, Service Cloud, and Force.com.
    • Educate your organization on Salesforce’s licensing methods and contract types, enabling informed purchasing decisions. Critical components of every agreement that need to be negotiated are a renewal escalation cap, term protection, and license metrics to document what comes with each. Re-bundling protection is also critical in case a product is no longer desired.
    • Proactively addressing integrations and business requirements will enable project success and enable the regular upgrades the come with a multi-tenant cloud services SaaS solution.

    Make Prudent Decisions When Increasing Your Salesforce Footprint Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your Salesforce licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish software requirements

    Begin your journey by understanding whether Salesforce is the right CRM. Also proactively approach Salesforce licensing by understanding which information to gather and assessing the current state and gaps.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 1: Establish Software Requirements
    • Salesforce Licensing Purchase Reference Guide
    • RASCI Chart

    2. Evaluate licensing options

    Review current products and licensing models to determine which licensing models will most appropriately fit the organization's environment.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 2: Evaluate Licensing Options
    • Salesforce TCO Calculator
    • Salesforce Discount Calculator

    3. Evaluate agreement options

    Review Salesforce’s contract types and assess which best fits the organization’s licensing needs.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 3: Evaluate Agreement Options
    • Salesforce Terms and Conditions Evaluation Tool

    4. Purchase and manage licenses

    Conduct negotiations, purchase licensing, finalize a licensing management strategy, and enhance your CRM with a Salesforce partner.

    • Make Prudent Decisions When Increasing Your Salesforce Footprint – Phase 4: Purchase and Manage Licenses
    • Controlled Vendor Communications Letter
    • Vendor Communication Management Plan
    [infographic]

    Workshop: Make Prudent Decisions When Increasing Your Salesforce Footprint

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Software Requirements

    The Purpose

    Assess current state and align goals; review business feedback.

    Interview key stakeholders to define business objectives and drivers.

    Key Benefits Achieved

    Have a baseline for whether Salesforce is the right solution.

    Understand Salesforce as a solution.

    Examine all CRM options.

    Activities

    1.1 Perform requirements gathering to review Salesforce as a potential solution.

    1.2 Gather your documentation before buying or renewing.

    1.3 Confirm or create your Salesforce licensing team.

    1.4 Meet with stakeholders to discuss the licensing options and budget allocation.

    Outputs

    Copy of your Salesforce Master Subscription Agreement

    RASCI Chart

    Salesforce Licensing Purchase Reference Guide

    2 Evaluate Licensing Options

    The Purpose

    Review product editions and licensing options.

    Review add-ons and licensing rules.

    Key Benefits Achieved

    Understand how licensing works.

    Discuss licensing rules and their application to your current environment.

    Determine the product and license mix that is best for your requirements.

    Activities

    2.1 Determine the editions, licenses, and add-ons for your Salesforce CRM solution.

    2.2 Calculate total cost of ownership.

    2.3 Use the Salesforce Discount Calculator to ensure you are getting the discount you deserve.

    2.4 Meet with stakeholders to discuss the licensing options and budget allocation.

    Outputs

    Salesforce CRM Solution

    Salesforce TCO Calculator

    Salesforce Discount Calculator

    Salesforce Licensing Purchase Reference Guide

    3 Evaluate Agreement Options

    The Purpose

    Review terms and conditions of Salesforce contracts.

    Review vendors.

    Key Benefits Achieved

    Determine if MSA or term agreement is best.

    Learn what specific terms to negotiate.

    Activities

    3.1 Perform a T&Cs review and identify key “deal breakers.”

    3.2 Decide on an agreement that nets the maximum benefit.

    Outputs

    Salesforce T&Cs Evaluation Tool

    Salesforce Licensing Purchase Reference Guide

    4 Purchase and Manage Licenses

    The Purpose

    Finalize the contract.

    Discuss negotiation points.

    Discuss license management and future roadmap.

    Discuss Salesforce partner and implementation strategy.

    Key Benefits Achieved

    Discuss negotiation strategies.

    Learn about licensing management best practices.

    Review Salesforce partner options.

    Create an implementation plan.

    Activities

    4.1 Know the what, when, and who to negotiate.

    4.2 Control the flow of communication.

    4.3 Assign the right people to manage the environment.

    4.4 Discuss Salesforce partner options.

    4.5 Discuss implementation strategy.

    4.6 Meet with stakeholders to discuss licensing options and budget allocation.

    Outputs

    Salesforce Negotiation Strategy

    Vendor Communication Management Plan

    RASCI Chart

    Info-Tech’s Core CRM Project Plan

    Salesforce Licensing Purchase Reference Guide

    Streamline Application Maintenance

    • Buy Link or Shortcode: {j2store}402|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: 20 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Maintenance
    • Parent Category Link: /maintenance
    • Application maintenance teams are accountable for the various requests and incidents coming from a variety business and technical sources. The sheer volume and variety of requests create unmanageable backlogs.
    • The increasing complexity and reliance on technology within the business has set unrealistic expectations on maintenance teams. Stakeholders expect teams to accommodate maintenance without impact on project schedules.

    Our Advice

    Critical Insight

    • Improving maintenance’s focus and attention may mean doing less but more valuable work. Teams need to be realistic about what can be committed and be prepared to justify why certain requests have to be pushed down the backlog (e.g. lack of business value, high risks).
    • Maintenance must be treated like any other development activity. The same intake and prioritization practices and quality standards must be upheld, and best practices followed.

    Impact and Result

    • Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns, and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
    • Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance requests in order to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
    • Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

    Streamline Application Maintenance Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to understand the common struggles found in application maintenance, their root causes, and the Info-Tech methodology to overcoming these hurdles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your maintenance priorities

    Understand the stakeholder priorities driving changes in your application maintenance practice.

    • Streamline Application Maintenance – Phase 1: Assess the Current Maintenance Landscape
    • Application Maintenance Operating Model Template
    • Application Maintenance Resource Capacity Assessment
    • Application Maintenance Maturity Assessment

    2. Instill maintenance governance

    Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.

    • Streamline Application Maintenance – Phase 2: Develop a Maintenance Release Schedule

    3. Enhance triaging and prioritization practices

    Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities

    4. Streamline maintenance delivery

    Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.

    • Streamline Application Maintenance – Phase 4: Streamline Maintenance Delivery
    • Application Maintenance Business Case Presentation Document
    [infographic]

    Workshop: Streamline Application Maintenance

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Maintenance Priorities

    The Purpose

    Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.

    Understand any current issues that are affecting your maintenance practice.

    Key Benefits Achieved

    Awareness of business and IT priorities.

    An understanding of the maturity of your maintenance practices and identification of issues to alleviate.

    Activities

    1.1 Define priorities for enhanced maintenance practices.

    1.2 Conduct a current state assessment of your application maintenance practices.

    Outputs

    List of business and technical priorities

    List of the root-cause issues, constraints, and opportunities of current maintenance practice

    2 Instill Maintenance Governance

    The Purpose

    Define the processes, roles, and points of communication across all maintenance activities.

    Key Benefits Achieved

    An in-depth understanding of all maintenance activities and what they require to function effectively.

    Activities

    2.1 Modify your maintenance process.

    2.2 Define your maintenance roles and responsibilities.

    Outputs

    Application maintenance process flow

    List of metrics to gauge success

    Maintenance roles and responsibilities

    Maintenance communication flow

    3 Enhance Triaging and Prioritization Practices

    The Purpose

    Understand in greater detail the process and people involved in receiving and triaging a request.

    Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.

    Understand backlog management and release planning tactics to accommodate maintenance.

    Key Benefits Achieved

    An understanding of the stakeholders needed to assess and approve requests.

    The criteria used to build a tailored prioritization scheme.

    Tactics for efficient use of resources and ideal timing of the delivery of changes.

    A process that ensures maintenance teams are always working on tasks that are valuable to the business.

    Activities

    3.1 Review your maintenance intake process.

    3.2 Define a request prioritization scheme.

    3.3 Create a set of practices to manage your backlog and release plans.

    Outputs

    Understanding of the maintenance request intake process

    Approach to assess the impact, urgency, and severity of requests for prioritization

    List of backlog management grooming and release planning practices

    4 Streamline Maintenance Delivery

    The Purpose

    Understand how to apply development best practices and quality standards to application maintenance.

    Learn the methods for monitoring and visualizing maintenance work.

    Key Benefits Achieved

    An understanding of quality standards and the scenarios for where they apply.

    The tactics to monitor and visualize maintenance work.

    Streamlined maintenance delivery process with best practices.

    Activities

    4.1 Define approach to monitor maintenance work.

    4.2 Define application quality attributes.

    4.3 Discuss best practices to enhance maintenance development and deployment.

    Outputs

    Taskboard structure and rules

    Definition of application quality attributes with user scenarios

    List of best practices to streamline maintenance development and deployment

    5 Finalize Your Maintenance Practice

    The Purpose

    Create a target state built from appropriate metrics and attainable goals.

    Consider the required items and steps for the implementation of your optimization initiatives.

    Key Benefits Achieved

    A realistic target state for your optimized application maintenance practice.

    A well-defined and structured roadmap for the implementation of your optimization initiatives.

    Activities

    5.1 Refine your target state maintenance practices.

    5.2 Develop a roadmap to achieve your target state.

    Outputs

    Finalized application maintenance process document

    Roadmap of initiatives to achieve your target state

    Master the Public Cloud IaaS Acquisition Models

    • Buy Link or Shortcode: {j2store}228|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $3,820 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:

    • Upfront or monthly payments
    • Commitment discounts
    • Support options
    • Migration planning and support

    Our Advice

    Critical Insight

    IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.

    Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.

    • Are vendor reps being straight forward?
    • What are the licensing requirements?
    • What discounts or incentives can I negotiate?
    • How much do I have to commit to and for how long?

    Impact and Result

    This project will provide several benefits for both IT and the business. It includes:

    • Best IaaS platform to support current and future procurement requirements.
    • Right-sized cloud commitment tailored to the organization’s budget.
    • Predictable and controllable spend model.
    • Flexible and reliable IT infrastructure that supports the lines of business.
    • Reduced financial and legal risk.

    Master the Public Cloud IaaS Acquisition Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to learn how the public cloud IaaS procurement models compare. Review Info-Tech’s methodology and understand the top three platforms, features, and benefits to support and inform the IaaS vendor choice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Educate

    Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.

    • Master the Public Cloud IaaS Acquisition Models – Phase 1: Educate
    • Public Cloud Procurement Checklist
    • Microsoft Public Cloud Licensing Guide

    2. Evaluate

    Review and understand the features, downsides, and differences between the big three players.

    • Master the Public Cloud IaaS Acquisition Models – Phase 2: Evaluate
    • Public Cloud Procurement Comparison Summary

    3. Execute

    Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives, migration costs, review, and execute the agreement.

    • Master the Public Cloud IaaS Acquisition Models – Phase 3: Execute
    • Public Cloud Acquisition Executive Summary Template

    Infographic

    The Rapid Application Selection Framework

    • Buy Link or Shortcode: {j2store}608|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $37,512 Average $ Saved
    • member rating average days saved: 22 Average Days Saved
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Selection takes forever. Traditional software selection drags on for years, sometimes in perpetuity.
    • IT is viewed as a bottleneck and the business has taken control of software selection.
    • “Gut feel” decisions rule the day. Intuition, not hard data, guides selection, leading to poor outcomes.
    • Negotiations are a losing battle. Money is left on the table by inexperienced negotiators.
    • Overall: Poor selection processes lead to wasted time, wasted effort, and applications that continually disappoint.

    Our Advice

    Critical Insight

    • Adopt a formal methodology to accelerate and improve software selection results.
    • Improve business satisfaction by including the right stakeholders and delivering new applications on a truly timely basis.
    • Kill the “sacred cow” requirements that only exist because “it’s how we’ve always done it.”
    • Forget about “RFP” overload and hone in on the features that matter to your organization.
    • Skip the guesswork and validate decisions with real data.
    • Take control of vendor “dog and pony shows” with single-day, high-value, low-effort, rapid-fire investigative interviews.
    • Master vendor negotiations and never leave money on the table.

    Impact and Result

    Improving software selection is a critical project that will deliver huge value.

    • Hit a home run with your business stakeholders: use a data-driven approach to select the right application vendor for their needs – fast.
    • Shatter stakeholder expectations with truly rapid application selections.
    • Boost collaboration and crush the broken telephone with concise and effective stakeholder meetings.
    • Lock in hard savings and do not pay list price by using data-driven tactics.

    The Rapid Application Selection Framework Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The Rapid Application Selection Framework

    • The Rapid Application Selection Framework Deck

    2. The Guide to Software Selection: A Business Stakeholder Manual

    • The Guide to Software Selection: A Business Stakeholder Manual

    3. The Software Selection Workbook

    • The Software Selection Workbook

    4. The Vendor Evaluation Workbook

    • The Vendor Evaluation Workbook
    [infographic]

    AI Governance

    • Buy Link or Shortcode: {j2store}206|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $389 Average $ Saved
    • member rating average days saved: 3 Average Days Saved
    • Parent Category Name: Business Intelligence Strategy
    • Parent Category Link: /business-intelligence-strategy
    • The use of AI and machine learning (ML) has gained momentum as organizations evaluate the potential applications of AI to enhance the customer experience, improve operational efficiencies, and automate business processes.
    • Growing applications of AI have reinforced concerns about ethical, fair, and responsible use of the technology that assists or replaces human decision making.

    Our Advice

    Critical Insight

    • Implementing AI systems requires careful management of the AI lifecycle, governing data, and machine learning model to prevent unintentional outcomes not only to an organization’s brand reputation but, more importantly, to workers, individuals, and society.
    • When adopting AI, it is important to have a strong ethical and risk management framework surrounding its use.

    Impact and Result

    • AI governance enables management, monitoring, and control of all AI activities within an organization.

    AI Governance Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. AI Governance Deck – A framework for building responsible, ethical, fair, and transparent AI.

    Create the foundation that enables management, monitoring, and control of all AI activities within the organization. The AI governance framework will allow you to define an AI risk management approach and defines methodology for managing and monitoring the AI/ML models in production.

    • AI Governance Storyboard
    [infographic]

    Further reading

    AI Governance

    A Framework for Building Responsible, Ethical, Fair, and Transparent AI

    Are you ready for AI?

    Business leaders must manage the associated risks as they scale their use of AI

    In recent years, following technological breakthroughs and advances in development of machine learning (ML) models and management of large volumes of data, organizations are scaling their use of artificial intelligence (AI) technologies.

    The use of AI and ML has gained momentum as organizations evaluate the potential applications of AI to enhance the customer experience, improve operational efficiencies, and automate business processes.

    Growing applications of AI have reinforced concerns about ethical, fair, and responsible use of the technology that assists or replaces human decision-making.

    Implementing AI systems requires careful management of the AI lifecycle, governing data, and machine learning model to prevent unintentional outcomes not only to an organization’s brand reputation but also, more importantly, to workers, individuals, and society. When adopting AI, it is important to have strong ethical and risk management frameworks surrounding its use.

    “Responsible AI is the practice of designing, building and deploying AI in a manner that empowers people and businesses, and fairly impacts customers and society – allowing companies to engender trust and scale AI with confidence.” (World Economic Forum)

    Regulations and risk assessment tools

    Governments around the world are developing AI assessment methodologies and legislation for AI. Here are a couple of examples:

    • Responsible use of artificial intelligence (AI) guiding principles (Canada):
      1. understand and measure the impact of using AI by developing and sharing tools and approaches
      2. be transparent about how and when we are using AI, starting with a clear user need and public benefit
      3. provide meaningful explanations about AI decision-making, while also offering opportunities to review results and challenge these decisions
      4. be as open as we can by sharing source code, training data, and other relevant information, all while protecting personal information, system integration, and national security and defense
      5. provide sufficient training so that government employees developing and using AI solutions have the responsible design, function, and implementation skills needed to make AI-based public services better
    • The Algorithmic Impact Assessment tool (Canada) is used to determine the impact level of an automated decision-system. It defines 48 risk and 33 mitigation questions. Assessment scores consider factors such as systems design, algorithm, decision type, impact, and data.
    • The National AI Initiative Act of 2020 (DIVISION E, SEC. 5001) (US) became law on January 1, 2021. This is a program across the entire Federal government to accelerate AI research and application.
    • Bill C-27, Artificial Intelligence and Data Act (AIDA) (Canada), when passed, would be the first law in Canada regulating the use of artificial intelligence systems.
    • The EU Artificial Intelligence Act (EU) assigns applications of AI to three risk categories: applications and systems that create an unacceptable risk, such as government-run social scoring; high-risk applications, such as a CV-scanning tool that ranks job applicants; and lastly, applications not explicitly listed as high-risk.
    • The FEAT Principles Assessment Methodology was created by the Monetary Authority of Singapore (MAS) in collaboration with other 27 industry partners for financial institutions to promote fairness, ethics, accountability, and transparency (FEAT) in the use of artificial intelligence and data analytics (AIDA).

    AI policies around the world

    Map of AI policies around the world, marked by circles of varying color and size. The legend on the right indicates '# of AI Policies (2019-2021)' by color.
    Source of data: OECD.AI (2021), powered by EC/OECD (2021), database of national AI policies, accessed on 7/09/2022, https://oecd.ai.

    The need for AI governance

    “To adopt AI, organizations will need to review and enhance their processes and governance frameworks to address new and evolving risks.” (Canadian RegTech Association, Safeguarding AI Use Through Human-Centric Design, 2020)

    To ensure responsible, transparent, and ethical AI systems, organizations will need to review existing risk control frameworks and update them to include AI risk management and impact assessment frameworks and processes.

    As ML and AI technologies are constantly evolving, the AI governance and AI risk management frameworks will need to evolve to ensure the appropriate safeguards and controls are in place.

    This applies not only to the machine learning models and AI system custom built by the organization’s data science and AI team, but it also includes AI-powered vendor tools and technologies. The vendors should be able to explain how AI is used in their products, how the model was trained, and what data was used to train the model.

    AI governance enables management, monitoring, and control of all AI activities within an organization.

    Stock image of a chip o a circuitboard labelled 'AI'.

    Key concepts

    Info-Tech Research Group defines the key terms used in this document as follows:

    Machine learning systems learn from experience and without explicit instructions. They learn patterns from data, then analyze and make predictions based on past behavior and the patterns learned.

    Artificial intelligence is a combination of technologies and can include machine learning. AI systems perform tasks that mimic human intelligence, such as learning from experience and problem solving. Most importantly, AI makes its own decisions without human intervention.

    We use the definition of data ethics by Open Data Institute: “Data ethics is a branch of ethics that considers the impact of data practices on people, society and the environment. The purpose of data ethics is to guide the values and conduct of data practitioners in data collection, sharing and use.”

    Algorithmic or machine bias is systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others. Algorithmic bias is not a technical problem. It’s a social and political problem, and in the context of implementing AI for business benefits, it’s a business problem.

    Download the blueprint Mitigate Machine Bias blueprint for detailed discussion on bias, fairness, and transparency in AI systems

    Key concepts – explainable, transparent and trustworthy

    Responsible AI is the practice of designing, building and deploying AI in a manner that empowers people and businesses and fairly impacts customers and society – allowing companies to engender trust and scale AI with confidence” (CIFAR).

    The AI system is considered trustworthy when people understand how the technology works and when we can assess that it’s safe and reliable. We must be able to trust the output of the system and understand how the system was designed, what data was used to train it, and how it was implemented.

    Explainable AI, sometimes abbreviated as XAI, refers to the ability to explain how an AI model makes predictions, its anticipated impact, and its potential biases.

    Transparency means communicating with and empowering users by sharing information internally and with external stakeholders, including beneficiaries and people impacted by the AI-powered product or service.

    68% [of Canadians] are concerned they don’t understand the technology well enough to know the risks.

    77% say they are concerned about the risks AI poses to society (TD, 2019)

    AI Governance Framework

    Monitoring
    Monitoring compliance and risk of AI/ML systems/models in production

    Tools & Technologies
    Tools and technologies to support AI governance framework implementation

    Model Governance
    Ensures accountability and traceability for AI/ML models

    AI Governance Framework with the surrounding 7 headlines and an adjective between each pair: 'Accountable', 'Trustworthy', 'Responsible', 'Ethical', 'Fair', 'Explainable', 'Transparent'. Organization
    Structure, roles, and responsibilities of the AI governance organization

    Operating Model
    How AI governance operates and works with other organizational structures to deliver value

    Risk and Compliance
    Alignment with corporate risk management and ensuring compliance with regulations and assessment frameworks

    Policies/Procedures/ Standards
    Policies and procedures to support implementation of AI governance

    Take Action on Service Desk Customer Feedback

    • Buy Link or Shortcode: {j2store}494|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $27,500 Average $ Saved
    • member rating average days saved: 110 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • IT leaders lack information to help inform and prioritize where improvements are most needed.
    • The service desk relies only on traditional metrics such as time to respond or percentage of SLAs met, but no measures of customer satisfaction with the service they receive.
    • There are signs of dissatisfied users, but no mechanism in place to formally capture those perceptions in order to address them.
    • Even if transactional (ticket) surveys are in use, often nothing is done with the data collected or there is a low response rate, and no broader satisfaction survey is in place.

    Our Advice

    Critical Insight

    • If customer satisfaction is not being measured, it’s often because service desk leaders don’t know how to design customer satisfaction surveys, don’t have a mechanism in place to collect feedback, or lack the resources to take accountability for a customer feedback program.
    • If customer satisfaction surveys are in place, it can be difficult to get full value out of them if there is a low response rate due to poor survey design or administration, or if leadership doesn’t understand the value of / know how to analyze the data.
    • It can actually be worse to ask your customers for feedback and do nothing with it than not asking for feedback at all. Customers may end up more dissatisfied if they take the time to provide value then see nothing done with it.

    Impact and Result

    • Understand how to ask the right questions to avoid survey fatigue.
    • Design and implement two complementary satisfaction surveys: a transactional survey to capture satisfaction with individual ticket experiences and inform immediate improvements, and a relationship survey to capture broader satisfaction among the entire user base and inform longer-term improvements.
    • Build a plan and assign accountability for customer feedback management, including analyzing feedback, prioritizing customer satisfaction insights and using them to improve performance, and communicating the results back to your users and stakeholders.

    Take Action on Service Desk Customer Feedback Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take Action on Service Desk Customer Feedback Deck – A step-by-step document that walks you through how to measure customer satisfaction, design and implement transactional and relationship surveys, and analyze and act on user feedback.

    Whether you have no Service Desk customer feedback program in place or you need to improve your existing process for gathering and responding to feedback, this deck will help you design your surveys and act on their results to improve CSAT scores.

    • Take Action on Service Desk Customer Feedback Storyboard

    2. Transactional Service Desk Survey Template – A template to design a ticket satisfaction survey.

    This template provides a sample transactional (ticket) satisfaction survey. If your ITSM tool or other survey mechanism allows you to design or write your own survey, use this template as a starting point.

    • Transactional Service Desk Survey Template

    3. Sample Size Calculator – A tool to calculate the sample size needed for your survey.

    Use the Sample Size Calculator to calculate your ideal sample size for your relationship surveys.

  • Desired confidence level
  • Acceptable margin of error
  • Company population size
  • Ideal sample size
    • Sample Size Calculator

    4. End-User Satisfaction Survey Review Workflows – Visio templates to map your review process for both transactional and relationship surveys

    This template will help you map out the step-by-step process to review collected feedback from your end-user satisfaction surveys, analyze the data, and act on it.

    • End-User Satisfaction Survey Review Workflows

    Infographic

    Further reading

    Take Action on Service Desk Customer Feedback

    Drive up CSAT scores by asking the right questions and effectively responding to user feedback.

    EXECUTIVE BRIEF

    Analyst Perspective

    Collecting feedback is only half the equation.

    The image contains a picture of Natalie Sansone.

    Natalie Sansone, PhD


    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Often when we ask service desk leaders where they need to improve and if they’re measuring customer satisfaction, they either aren’t measuring it at all, or their ticket surveys are turned on but they get very few responses (or only positive responses). They fail to see the value of collecting feedback when this is their experience with it.

    Feedback is important because traditional service desk metrics can only tell us so much. We often see what’s called the “watermelon effect”: metrics appear “green”, but under the surface they’re “red” because customers are in fact dissatisfied for reasons unmeasured by standard internal IT metrics. Customer satisfaction should always be the goal of service delivery, and directly measuring satisfaction in addition to traditional metrics will help you get a clearer picture of your strengths and weaknesses, and where to prioritize improvements.

    It’s not as simple as asking customers if they were satisfied with their ticket, however. There are two steps necessary for success. The first is collecting feedback, which should be done purposefully, with clear goals in mind in order to maximize the response rate and value of responses received. The second – and most critical – is acting on that feedback. Use it to inform improvements and communicate those improvements. Doing so will not only make your service desk better, increasing satisfaction through better service delivery, but also will make your customers feel heard and valued, which alone increases satisfaction.

    The image contains a picture of Emily Sugerman.

    Emily Sugerman, PhD


    Research Analyst, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • The service desk relies only on traditional metrics such as time to respond, or percentage of SLAs met, but not on measures of customer satisfaction with the service they receive.
    • There are signs of dissatisfied users (e.g. shadow IT, users avoid the service desk, go only to their favorite technician) but no mechanism in place to formally capture those perceptions.
    • Transactional ticket surveys were turned on when the ITSM tool was implemented, but either nobody responds to them, or nobody does anything with the data received.
    • IT leaders lack information to help inform and prioritize where improvements are most needed.
    • Service desk leaders don’t know how to design survey questions to ask their users for feedback and/or they don’t have a mechanism in place to survey users.
    • If customer satisfaction surveys are in place, nothing is done with the results because service desk leaders either don’t understand the value of analyzing the data or don’t know how to analyze the data.
    • Executives only want a single satisfaction number to track and don’t understand the value of collecting more detailed feedback.
    • IT lacks the resources to take accountability for the feedback program, or existing resources don’t have time to do anything with the feedback they receive.
    • Understand how to ask the right questions to avoid survey fatigue (where users get overwhelmed and stop responding).
    • Design and implement a transactional survey to capture satisfaction with individual ticket experiences and use the results to inform immediate improvements.
    • Design and implement a relationship survey to capture broader satisfaction among the entire user base and use the results to inform longer-term improvements.
    • Build a plan and assign accountability for analyzing feedback, using it to prioritize and make actionable improvements to address feedback, and communicating the results back to your users and stakeholders.

    Info-Tech Insight

    Asking your customers for feedback then doing nothing with it is worse than not asking for feedback at all. Your customers may end up more dissatisfied than they were before, if their opinion is sought out and then ignored. It’s valuable to collect feedback, but the true value for both IT and its customers comes from acting on that feedback and communicating those actions back to your users.

    Traditional service desk metrics can be misleading

    The watermelon effect

    When a service desk appears to hit all its targets according to the metrics it tracks, but service delivery is poor and customer satisfaction is low, this is known as the “watermelon effect”. Service metrics appear green on the outside, but under the surface (unmeasured), they’re red because customers are dissatisfied.

    Traditional SLAs and service desk metrics (such as time to respond, average resolution time, percentage of SLAs met) can help you understand service desk performance internally to prioritize your work and identify process improvements. However, they don’t tell you how customers perceive the service or how satisfied they are.

    Providing good service to your customers should be your end goal. Failing to measure, monitor, and act on customer feedback means you don’t have the whole picture of how your service desk is performing and whether or where improvements are needed to maximize satisfaction.

    There is a shift in ITSM to focus more on customer experience metrics over traditional ones

    The Service Desk Institute (SDI) suggests that customer satisfaction is the most important indicator of service desk success, and that traditional metrics around SLA targets – currently the most common way to measure service desk performance – may become less valuable or even obsolete in the future as customer experience-focused targets become more popular. (Service Desk Institute, 2021)

    SDI conducted a Customer Experience survey of service desk professionals from a range of organizations, both public and private, from January to March 2018. The majority of respondents said that customer experience is more important than other metrics such as speed of service or adherence to SLAs, and that customer satisfaction is more valuable than traditional metrics. (SDI, 2018).

    The image contains a screenshot of two pie graphs. The graph on the left is labelled: which of these is most important to your service desk? Customer experience is first with 54%. The graph on the right is labelled: Which measures do you find more value in? Customer satisfaction is first with 65%.

    However, many service desk leaders aren’t effectively measuring customer feedback

    Not only is it important to measure customer experience and satisfaction levels, but it’s equally important to act on that data and feed it into a service improvement program. However, many IT leaders are neglecting either one or both of those components.

    Obstacles to collecting feedback

    Obstacles to acting on collected feedback

    • Don’t understand the value of measuring customer feedback.
    • Don’t have a good mechanism in place to collect feedback.
    • Don’t think that users would respond to a survey (either generally unresponsive or already inundated with surveys).
    • Worried that results would be negative or misleading.
    • Don’t know what questions to ask or how to design a survey.
    • Don’t understand the importance of analyzing and acting on feedback collected.
    • Don’t know how to analyze survey data.
    • Lack of resources to take accountability over customer feedback (including analyzing data, monitoring trends, communicating results).
    • Executives or stakeholders only want a satisfaction score.

    A strong customer feedback program brings many benefits to IT and the business

    Insight into customer experience

    Gather insight into both the overall customer relationship with the service desk and individual transactions to get a holistic picture of the customer experience.

    Data to inform decisions

    Collect data to inform decisions about where to spend limited resources or time on improvement, rather than guessing or wasting effort on the wrong thing.

    Identification of areas for improvement

    Better understand your strengths and weaknesses from the customer’s point of view to help you identify gaps and priorities for improvement.

    Customers feel valued

    Make customers feel heard and valued; this will improve your relationship and their satisfaction.

    Ability to monitor trends over time

    Use the same annual relationship survey to be able to monitor trends and progress in making improvements by comparing data year over year.

    Foresight to prevent problems from occurring

    Understand where potential problems may occur so you can address and prevent them, or who is at risk of becoming a detractor so you can repair the relationship.

    IT staff coaching and engagement opportunities

    Turn negative survey feedback into coaching and improvement opportunities and use positive feedback to boost morale and engagement.

    Take Action on Service Desk Customer Feedback

    The image contains a screenshot of a Thought Model titled: Take Action on Service Desk Customer Feedback.

    Info-Tech’s methodology for measuring and acting on service desk customer feedback

    Phase

    1. Understand how to measure customer satisfaction

    2. Design and implement transactional surveys

    3. Design and implement relationship surveys

    4. Analyze and act on feedback

    Phase outcomes

    Understand the main types of customer satisfaction surveys, principles for survey design, and best practices for surveying your users.

    Learn why and how to design a simple survey to assess satisfaction with individual service desk transactions (tickets) and a methodology for survey delivery that will improve response rates.

    Understand why and how to design a survey to assess overall satisfaction with the service desk across your organization, or use Info-Tech’s diagnostic.

    Measure and analyze the results of both surveys and build a plan to act on both positive and negative feedback and communicate the results with the organization.

    Insight Summary

    Key Insight:

    Asking your customers for feedback then doing nothing with it is worse than not asking for feedback at all. Your customers may end up more dissatisfied than they were before if they’re asked for their opinion then see nothing done with it. It’s valuable to collect feedback, but the true value for both IT and its customers comes from acting on that feedback and communicating those actions back to your users.

    Additional insights:

    Insight 1

    Take the time to define the goals of your transactional survey program before launching it – it’s not as simple as just deploying the default survey of your ITSM tool out of the box. The objectives of the survey – including whether you want to keep a pulse on average satisfaction or immediately act on any negative experiences – will influence a range of key decisions about the survey configuration.

    Insight 2

    While transactional surveys provide useful indicators of customer satisfaction with specific tickets and interactions, they tend to have low response rates and can leave out many users who may rarely or never contact the service desk, but still have helpful feedback. Include a relationship survey in your customer feedback program to capture a more holistic picture of what your overall user base thinks about the service desk and where you most need to improve.

    Insight 3

    Satisfaction scores provide valuable data about how your customers feel, but don’t tell you why they feel that way. Don’t neglect the qualitative data you can gather from open-ended comments and questions in both types of satisfaction surveys. Take the time to read through these responses and categorize them in at least a basic way to gain deeper insight and determine where to prioritize your efforts.

    Understand how to measure customer satisfaction

    Phase 1

    Understand the main types of customer satisfaction surveys, principles for survey design, and best practices for surveying your users.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    Three methods of surveying your customers

    Transactional

    Relationship

    One-off

    Also known as

    Ticket surveys, incident follow-up surveys, on-going surveys

    Annual, semi-annual, periodic, comprehensive, relational

    One-time, single, targeted

    Definition

    • Survey that is tied to a specific customer interaction with the service desk (i.e. a ticket).
    • Assesses how satisfied customers are with how the ticket was handled and resolved.
    • Sent immediately after ticket is closed.
    • Short – usually 1 to 3 questions.
    • Survey that is sent periodically (i.e. semi-annually or annually) to the entire customer base to measure overall relationship with the service desk.
    • Assesses customer satisfaction with their overall service experience over a longer time period.
    • Longer – around 15-20 questions.
    • One-time survey sent at a specific, targeted point in time to either all customers or a subset.
    • Often event-driven or project-related.
    • Assesses satisfaction at one time point, or about a specific change that was implemented, or to inform a specific initiative that will be implemented.

    Pros and cons of the three methods

    Transactional

    Relationship

    One-off

    Pros

    • Immediate feedback
    • Actionable insights to immediately improve service or experience
    • Feeds into team coaching
    • Multiple touchpoints allow for trending and monitoring
    • Comprehensive insight from broad user base to improve overall satisfaction
    • Reach users who don’t contact the service desk often or respond to ticket surveys
    • Identify unhappy customers and reasons for dissatisfaction
    • Monitor broader trends over time
    • Targeted insights to measure the impact of a specific change or perception at a specific point of time

    Cons

    • Customer may become frustrated being asked to fill out too many surveys
    • Can lead to survey fatigue and low response rates
    • Tend to only see responses for very positive or negative experiences
    • High volume of data to analyze
    • Feedback is at a high-level
    • Covers the entire customer journey, not a specific interaction
    • Users may not remember past interactions accurately
    • A lot of detailed data to analyze and more difficult to turn into immediate action
    • Not as valuable without multiple surveys to see trends or change

    Which survey method should you choose?

    Only relying on one type of survey will leave gaps in your understanding of customer satisfaction. Include both transactional and relationship surveys to provide a holistic picture of customer satisfaction with the service desk.

    If you can only start with one type, choose the type that best aligns with your goals and priorities:

    If your priority is to identify larger improvement initiatives the service desk can take to improve overall customer satisfaction and trust in the service desk:

    If your priority is to provide customers with the opportunity to let you know when transactions do not go well so you can take immediate action to make improvements:

    Start with a relationship survey

    Start with a transactional survey

    The image contains a screenshot of a bar graph on SDI's 2018 Customer Experience in ITSM report.

    Info-Tech Insight

    One-off surveys can be useful to assess whether a specific change has impacted satisfaction, or to inform a planned change/initiative. However, as they aren’t typically part of an on-going customer feedback program, the focus of this research will be on transactional and relationship surveys.

    3 common customer satisfaction measures

    The three most utilized measures of customer satisfaction include CSAT, CES, and NPS.

    CSAT CES NPS
    Name Customer Satisfaction Customer Effort Score Net Promoter score
    What it measures Customer happiness Customer effort Customer loyalty
    Description Measures satisfaction with a company overall, or a specific offering or interaction Measures how much effort a customer feels they need to put forth in order to accomplish what they wanted Single question that asks consumers how likely they are to recommend your product, service, or company to other people
    Survey question How satisfied are/were you with [company/service/interaction/product]? How easy was it to [solve your problem/interact with company/handle my issue]? Or: The [company] made it easy for me to handle my issue How likely are you to recommend [company/service/product] to a friend?
    Scale 5, 7, or 10 pt scale, or using images/emojis 5, 7, or 10 pt scale 10-pt scale from highly unlikely to highly likely
    Scoring Result is usually expressed as a percentage of satisfaction Result usually expressed as an average Responses are divided into 3 groups where 0-6 are detractors, 7-8 are passives, 9-10 are promoters
    Pros
    • Well-suited for specific transactions
    • Simple and able to compare scores
    • Simple number, easy to analyze
    • Effort tends to predict future behavior
    • Actionable data
    • Simple to run and analyze
    • Widely used and can compare to other organizations
    • Allows for targeting customer segments
    Cons
    • Need high response rate to have representative numberEasy to ask the wrong questions
    • Not as useful without qualitative questions
    • Only measures a small aspect of the interaction
    • Only useful for transactions
    • Not useful for improvement without qualitative follow-up questions
    • Not as applicable to a service desk as it measures brand loyalty

    When to use each satisfaction measure

    The image contains a screenshot of a diagram that demonstrates which measure to use based off of what you would like to access, and which surveys it aligns with.

    How to choose which measure(s) to incorporate in your surveys

    The best measures are the ones that align with your specific goals for collecting feedback.

    • Most companies will use multiple satisfaction measures. For example, NPS can be tracked to monitor the overall customer sentiment, and CSAT used for more targeted feedback.
    • For internal-facing IT departments, CSAT is the most popular of the three methods, and NPS may not be as useful.
    • Choose your measure and survey types based on what you are trying to achieve and what kind of information you need to make improvements.
    • Remember that one measure alone isn’t going to give you actionable feedback; you’ll need to follow up with additional measures (especially for NPS and CES).
    • For CSAT surveys, customize the satisfaction measures in as many ways as you need to target the questions toward the areas you’re most interested in.
    • Don’t stick to just these three measures or types of surveys – there are other ways to collect feedback. Experiment to find what works for you.
    • If you’re designing your own survey, keep in mind the principles on the next slide.

    Info-Tech Insight

    While we focus mainly on traditional survey-based approaches to measuring customer satisfaction in this blueprint, there’s no need to limit yourselves to surveys as your only method. Consider multiple techniques to capture a wider audience, including:

    • Customer journey mapping
    • Focus groups with stakeholders
    • Lunch and learns or workshop sessions
    • Interviews – phone, chat, in-person
    • Kiosks

    Principles for survey design

    As you design your satisfaction survey – whether transactional or relational – follow these guidelines to ensure the survey delivers value and gets responses.

    1. Focus on your goal
    2. Don’t include unnecessary questions that won’t give you actionable information; it will only waste respondents’ time.

    3. Be brief
    4. Keep each question as short as possible and limit the total number of survey questions to avoid survey fatigue.

    5. Include open-ended questions
    6. Most of your measures will be close-ended, but include at least one comment box to allow for qualitative feedback.

    7. Keep questions clear and concise
    8. Ensure that question wording is clear and specific so that all respondents interpret it the same way.

    9. Avoid biased or leading questions
    10. You won’t get accurate results if your question leads respondents into thinking or answering a certain way.

    11. Avoid double-barreled questions
    12. Don’t ask about two different things in the same question – it will confuse respondents and make your data hard to interpret.

    13. Don’t restrict responses
    14. Response options should include all possible opinions (including “don’t know”) to avoid frustrating respondents.

    15. Make the survey easy to complete
    16. Pre-populate information where possible (e.g. name, department) and ensure the survey is responsive on mobile devices.

    17. Keep questions optional
    18. If every question is mandatory, respondents may leave the survey altogether if they can’t or don’t want to answer one question.

    19. Test your survey
    20. Test your survey with your target audience before launching, and incorporate feedback - they may catch issues you didn’t notice.

    Prevent survey fatigue to increase response rates

    If it takes too much time or effort to complete your survey – whether transactional or relational – your respondents won’t bother. Balance your need to collect relevant data with users’ needs for a simple and worthwhile task in order to get the most value out of your surveys.

    There are two types of survey fatigue:

    1. Survey response fatigue
    2. Occurs when users are overwhelmed by too many requests for feedback and stop responding.

    3. Survey taking fatigue
    4. Occurs when the survey is too long or irrelevant to users, so they grow tired and abandon the survey.

    Fight survey fatigue:

    • Make it as easy as possible to answer your survey:
      • Keep the survey as short as possible.
      • For transactional surveys, allow respondents to answer directly from email without having to click a separate link if possible.
      • Don’t make all questions mandatory or users may abandon it if they get to a difficult or unapplicable question.
      • Test the survey experience across devices for mobile users.
    • Communicate the survey’s value so users will be more likely to donate their time.
    • Act on feedback: follow up on both positive and negative responses so users see the value in responding.
    • Consider attaching an incentive to responding (e.g. name entered in a monthly draw).

    Design and implement transactional surveys

    Phase 2

    Learn why and how to design a simple survey to assess satisfaction with individual service desk transactions (tickets) and a methodology for survey delivery that will improve response rates.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    Use transactional surveys to collect immediate and actionable feedback

    Recall the definition of a transactional survey:

    • Survey that is tied to a specific customer interaction with the service desk (i.e. a ticket).
    • Assesses how satisfied customers are with how the ticket was handled and resolved.
    • Sent immediately after ticket is closed.
    • Short – usually 1 to 3 questions.

    Info-Tech Insight

    While feedback on transactional surveys is specific to a single transaction, even one negative experience can impact the overall perception of the service desk. Pair your transactional surveys with an annual relationship survey to capture broader sentiment toward the service desk.

    Transactional surveys serve several purposes:

    • Gives end users a mechanism to provide feedback when they want to.
    • Provides continual insight into customer satisfaction throughout the year to monitor for trends or issues in between broader surveys.
    • Provides IT leaders with actionable insights into areas for improvement in their processes, knowledge and skills, or customer service.
    • Gives the service desk the opportunity to address any negative experiences or perceptions with customers, to repair the relationship.
    • Feeds into individual or team coaching for service desk staff.

    Make key decisions ahead of launching your transactional surveys

    If you want to get the most of your surveys, you need to do more than just click a button to enable out-of-the-box surveys through your ITSM tool. Make these decisions ahead of time:

    Decision Considerations For more guidance, see
    What are the goals of your survey? Are you hoping to get an accurate pulse of customer sentiment (if so, you may want to randomly send surveys) or give customers the ability to provide feedback any time they have some (if so, send a survey after every ticket)? Slide 25
    How many questions will you ask? Keep the survey as short as possible – ideally only one mandatory question. Slide 26
    What questions will you ask? Do you want a measure of NPS, CES, or CSAT? Do you want to measure overall satisfaction with the interaction or something more specific about the interaction? Slide 27
    What will be the response options/scale? Keep it simple and think about how you will use the data after. Slide 28
    How often will you send the survey? Will it be sent after every ticket, every third ticket, or randomly to a select percentage of tickets, etc.? Slide 29
    What conditions would apply? For example, is there a subset of users who you never want to receive a survey or who you always want to receive a survey? Slide 30
    What mechanism/tool will you use to send the survey? Will your ITSM tool allow you to make all the configurations you need, or will you need to use a separate survey tool? If so, can it integrate to your ITSM solution? Slide 30

    Key decisions, continued

    Decision Considerations For more guidance, see
    What will trigger the survey? Typically, marking the ticket as either ‘resolved’ or ‘closed’ will trigger the survey. Slide 31
    How long after the ticket is closed will you send the survey? You’ll want to leave enough time for the user to respond if the ticket wasn’t resolved properly before completing a survey, but not so much time that they don’t remember the ticket. Slide 31
    Will the survey be sent in a separate email or as part of the ticket resolution email? A separate email might feel like too many emails for the user, but a link within the ticket closure email may be less noticeable. Slide 32
    Will the survey be embedded in email or accessed through a link? If the survey can be embedded into the email, users will be more likely to respond. Slide 32
    How long will the survey link remain active, and will you send any reminders? Leave enough time for the user to respond if they are busy or away, but not so much time that the data would be irrelevant. Balance the need to remind busy end users with the possibility of overwhelming them with survey fatigue. Slide 32
    What other text will be in the main body of the survey email and/or thank you page? Keep messaging short and straightforward and remind users of the benefit to them. Slide 33
    Where will completed surveys be sent/who will have access? Will the technician assigned to the ticket have access or only the manager? What email address/DL will surveys be sent to? Slide 33

    Define the goals of your transactional survey program

    Every survey should have a goal in mind to ensure only relevant and useful data is collected.

    • Your survey program must be backed by clear and actionable goals that will inform all decisions about the survey.
    • Survey questions should be structured around that goal, with every question serving a distinct purpose.
    • If you don’t have a clear plan for how you will action the data from a particular question, exclude it.
    • Don’t run a survey just for the sake of it; wait until you have a clear plan. If customers respond and then see nothing is done with the data, they will learn to avoid your surveys.

    Your survey objectives will also determine how often to send the survey:

    If your objective is:

    Keep a continual pulse on average customer satisfaction

    Gain the opportunity to act on negative feedback for any poor experience

    Then:

    Send survey randomly

    Send survey after every ticket

    Rationale:

    Sending a survey less often will help avoid survey fatigue and increase the chances of users responding whether they have good, bad, or neutral feedback

    Always having a survey available means users can provide feedback every time they want to, including for any poor experience – giving you the chance to act on it.

    Info-Tech Insight

    Service Managers often get caught up in running a transactional survey program because they think it’s standard practice, or they need to report a satisfaction metric. If that’s your only objective, you will fail to derive value from the data and will only turn customers away from responding.

    Design survey content and length

    As you design your survey, keep in mind the following principles:

    1. Keep it short. Your customers won’t bother responding if they see a survey with multiple questions or long questions that require a lot of reading, effort, or time.
    2. Make it simple. This not only makes it easier for your customers to complete, but easier for you to track and monitor.
    3. Tie your survey to your goals. Remember that every question should have a clear and actionable purpose.
    4. Don’t measure anything you can’t control. If you won’t be able to make changes based on the feedback, there’s no value asking about it.
    5. Include an (optional) open-ended question. This will allow customers to provide more detailed feedback or suggestions.

    Q: How many questions should the survey contain?

    A: Ideally, your survey will have only one mandatory question that captures overall satisfaction with the interaction.

    This question can be followed up with an optional open-ended question prompting the respondent for more details. This will provide a lot more context to the overall rating.

    If there are additional questions you need to ask based on your goals, clearly make these questions optional so they don’t deter respondents from completing the survey. For example, they can appear only after the respondent has submitted their overall satisfaction response (i.e. on a separate, thank you page).

    Additional (optional) measures may include:

    • Customer effort score (how easy or difficult was it to get your issue resolved?)
    • Customer service skills of the service desk
    • Technical skills/knowledge of the agents
    • Speed or response or resolution

    Design question wording

    Tips for writing survey questions:

    • Be clear and concise
    • Keep questions as short as possible
    • Cut out any unnecessary words or phrasing
    • Avoid biasing, or leading respondents to select a certain answer
    • Don’t attempt to measure multiple constructs in a single question.

    Sample question wording:

    How satisfied are you with this support experience?

    How would you rate your support experience?

    Please rate your overall satisfaction with the way your issue was handled.

    Instead of this….

    Ask this….

    “We strive to provide excellent service with every interaction. Please rate how satisfied you are with this interaction.”

    “How satisfied were you with this interaction?”

    “How satisfied were you with the customer service skills, knowledge, and responsiveness of the technicians?”

    Choose only one to ask about.

    “How much do you agree that the service you received was excellent?”

    “Please rate the service you received.”

    “On a scale of 1-10, thinking about your most recent experience, how satisfied would you say that you were overall with the way that your ticket was resolved?”

    “How satisfied were you with your ticket resolution?”

    Choose response options

    Once you’ve written your survey question, you need to design the response options for the question. Put careful thought into balancing ease of responding for the user with what will give you the actionable data you need to meet your goals. Keep the following in mind:

    When planning your response options, remember to keep the survey as easy to respond to as possible – this means allowing a one-click response and a scale that’s intuitive and simple to interpret.

    Think about how you will use the responses and interpret the data. If you choose a 10-point scale, for example, what would you classify as a negative vs positive response? Would a 5-point scale suffice to get the same data?

    Again, use your goals to inform your response options. If you need a satisfaction metric, you may need a numerical scale. If your goal is just to capture negative responses, you may only need two response options: good vs bad.

    Common response options:

    • Numerical scale (e.g. very dissatisfied to very satisfied on a 5-point scale)
    • Star rating (E.g. rate the experience out of 5 stars)
    • Smiley face scale
    • 2 response options: Good vs Bad (or Satisfied vs Dissatisfied)

    Investigate the capabilities of your ITSM tool. It may only allow one built-in response option style. But if you have the choice, choose the simplest option that aligns with your goals.

    Decide how often to send surveys

    There are two common choices for when to send ticket satisfaction surveys:

    After random tickets

    After every ticket

    Pros

    • May increase response rate by avoiding survey fatigue.
    • May be more likely to capture a range of responses that more accurately reflect sentiment (versus only negative).
    • Gives you the opportunity to receive feedback whenever users have it.
    • If your goal is to act on negative feedback whenever it arises, that’s only possible if you send a survey after every ticket.

    Cons

    • Overrepresents frequent service desk users and underrepresents infrequent users.
    • Users who have feedback to give may not get the chance to give it/service desk can’t act on it.
    • Customers who frequently contact the service desk will be overwhelmed by surveys and may stop responding.
    • Customers may only reply if they have very negative or positive feedback.

    SDI’s 2018 Customer Experience in ITSM survey of service desk professionals found:

    Almost two-thirds (65%) send surveys after every ticket.

    One-third (33%) send surveys after randomly selected tickets are closed.

    Info-Tech Recommendation:

    Send a survey after every ticket so that anyone who has feedback gets the opportunity to provide it – and you always get the chance to act on negative feedback. But, limit how often any one customer receives a ticket to avoid over-surveying them – restrict to anywhere between one survey a week to one per month per customer.

    Plan detailed survey logistics

    Decision #1

    Decision #2

    What tool will you use to deliver the survey?

    What (if any) conditions apply to your survey?

    Considerations

    • How much configuration does your ITSM tool allow? Will it allow you to configure the survey according to your decisions? Many ITSM tools, especially mid-market, do not allow you to change the response options or how often the survey is sent.
    • How does the survey look and act on mobile devices? If a customer receives the survey on their phone, they need to be able to easily respond from there or they won’t bother at all.
    • If you wish to use a different survey tool, does it integrate with your ITSM solution? Would agents have to manually send the survey? If so, how would they choose who to send the survey to, and when?

    Considerations

    Is there a subset of users who you never want to receive a survey (e.g. a specific department, location, role, or title)?

    Is there a subset of users who you always want to receive a survey, no matter how often they contact the service desk (e.g. VIP users, a department that scored low on the annual satisfaction survey, etc.)?

    Are there certain times of the year that you don’t want surveys to go out (e.g. fiscal year end, holidays)?

    Are there times of the day that you don’t want surveys to be sent (e.g. only during business hours; not at the end of the day)?

    Recommendations

    The built-in functionality of your ITSM tool’s surveys will be easiest to send and track; use it if possible. However, if your tool’s survey module is limited and won’t give you the value you need, consider a third-party solution or survey tool that integrates with your ITSM solution and won’t require significant manual effort to send or review the surveys.

    Recommendations

    If your survey module allows you to apply conditions, think about whether any are necessary to apply to either maximize your response rate (e.g. don’t send a survey on a holiday), avoid annoying certain users, or seek extra feedback from dissatisfied users.

    Plan detailed survey logistics

    Decision #2

    Decision #1

    What will trigger the survey?

    When will the survey be sent?

    Considerations

    • Usually a change of ticket status triggers the survey, but you may have the option to send it after the ticket is marked ‘resolved’ or ‘closed’. The risk of sending the survey after the ticket is ‘resolved’ is the issue may not actually be resolved yet, but waiting until it’s ‘closed’ means the user may be less likely to respond as more time has passed.
    • Some tools allow for a survey to be sent after every agent reply.
    • Some have the option to manually generate a survey, which may be useful in some cases; those cases would need to be well defined.

    Considerations

    • Once you’ve decided the trigger for the survey, decide how much time should pass after that trigger before the survey is sent.
    • The amount of time you choose will be highly dependent on the trigger you choose. For example, if you want the ‘resolved’ status to send a survey, you may want to wait 24h to send the survey in case the user responds that their issue hasn’t been properly resolved.
    • If you choose ‘closed’ as your trigger, you may want the survey to be sent immediately, as waiting any longer could further reduce the response rate.
    • Your average resolution time may also impact the survey wait time.

    Recommendations

    Only send the survey once you’re sure the issue has actually been resolved; you could further upset the customer if you ask them how happy they are with the resolution if resolution wasn’t achieved. This means sending the survey once the user confirms resolution (which closes ticket) or the agent closes the ticket.

    Recommendations

    If you are sending the survey upon ticket status moving to ‘resolved’, wait at least 24 hours before sending the survey in case the user responds that their issue wasn’t actually resolved. However, if you are sending the survey after the ticket has been verified resolved and closed, you can send the survey immediately while the experience is still fresh in their memory.

    Plan detailed survey logistics

    Decision #1

    Decision #2

    How will the survey appear in email?

    How long will the survey remain active?

    Considerations

    • If the survey link is included within the ticket resolution email, it’s one less email to fatigue users, but users may not notice there is a survey in the email.
    • If the survey link is included in its own separate email, it will be more noticeable to users, but could risk overwhelming users with too many emails.
    • Can users view the entire survey in the email and respond directly within the email, or do they need to click on a link and respond to the survey elsewhere?

    Considerations

    • Leaving the survey open at least a week will give users who are out of office or busy more time to respond.
    • However, if users respond to the survey too long after their ticket was resolved, they may not remember the interaction well enough to give any meaningful response.
    • Will you send any reminders to users to complete the survey? It may improve response rate, or may lead to survey fatigue from reaching out too often.

    Recommendations

    Send the survey separately from the ticket resolution email or users will never notice it. However, if possible, have the entire survey embedded within the email so users can click to respond directly from their email without having to open a separate link. Reduce effort, to make users more likely to respond.

    Recommendations

    Leave enough time for the user to respond if they are busy or away, but not so much time that the data will be irrelevant. Balance the need to remind busy end users, with the possibility of overwhelming them with survey fatigue. About a week is typical.

    Plan detailed survey logistics

    Decision #1

    Decision #2

    What will the body of the email/messaging say?

    Where will completed surveys be sent?

    Considerations

    • Communicate the value of responding to the survey.
    • Remember, the survey should be as short and concise as possible. A lengthy body of text before the actual survey can deter respondents.
    • Depending on your survey configuration, you may have a ‘thank you’ page that appears after respondents complete the survey. Think about what messaging you can save for that page and what needs to be up front.
    • Ensure there is a clear reference to which ticket the survey is referencing (with the subject of the ticket, not just ticket number).

    Considerations

    • Depending on the complexity of your ITSM tool, you may designate email addresses to receive completed surveys, or configure entire dashboards to display results.
    • Decide who needs to receive all completed surveys in order to take action.
    • Decide whether the agent who resolved the ticket will have access to the full survey response. Note that if they see negative feedback, it may affect morale.
    • Are there any other stakeholders who should receive the immediate completed surveys, or can they view summary reports and dashboards of the results?

    Recommendations

    Most users won’t read a long message, especially if they see it multiple times, so keep the email short and simple. Tell users you value their feedback, indicate which interaction you’re asking about, and say how long the survey should take. Thank them after they submit and tell them you will act on their feedback.

    Recommendations

    Survey results should be sent to the Service Manager, Customer Experience Lead, or whoever is the person responsible for managing the survey feedback. They can choose how to share feedback with specific agents and the service desk team.

    Response rates for transactional surveys are typically low…

    Most IT organizations see transactional survey response rates of less than 20%.

    The image contains a screenshot of a SDI survey taken to demonstrate customer satisfaction respond rate.

    Source: SDI, 2018

    SDI’s 2018 Customer Experience in ITSM survey of service desk professionals found that 69% of respondents had survey response rates of 20% or less. However, they did not distinguish between transactional and relationship surveys.

    Reasons for low response rates:

    • Users tend to only respond if they had a very positive or very negative experience worth writing about, but don’t typically respond for interactions that go as expected or were average.
    • Survey is too long or complicated.
    • Users receive too many requests for feedback.
    • Too much time has passed since the ticket was submitted/resolved and the user doesn’t remember the interaction.
    • Users think their responses disappear into a black hole or aren’t acted upon so they don’t see the value in taking the time to respond. Or, they don’t trust the confidentiality of their responses.

    “In my experience, single digits are a sign of a problem. And a downward trend in response rate is also a sign of a problem. World-class survey response rates for brands with highly engaged customers can be as high as 60%. But I’ve never seen it that high for internal support teams. In my experience, if you get a response rate of 15-20% from your internal customers then you’re doing okay. That’s not to say you should be content with the status quo, you should always be looking for ways to increase it.”

    – David O’Reardon, Founder & CEO of Silversix

    … but there are steps you can take to maximize your response rate

    It is still difficult to achieve high response rates to transactional surveys, but you can at least increase your response rate with these strategies:

    1. Reduce frequency
    2. Don’t over-survey any one user or they will start to ignore the surveys.

    3. Send immediately
    4. Ask for feedback soon after the ticket was resolved so it’s fresh in the user’s memory.

    5. Make it short and simple
    6. Keep the survey short, concise, and simple to respond to.

    7. Make it easy to complete
    8. Minimize effort involved as much as possible. Allow users to respond directly from email and from any device.

    9. Change email messaging
    10. Experiment with your subject line or email messaging to draw more attention.

    11. Respond to feedback
    12. Respond to customers who provide feedback – especially negative – so they know you’re listening.

    13. Act on feedback
    14. Demonstrate that you are acting on feedback so users see the value in responding.

    Use Info-Tech’s survey template as a starting point

    Once you’ve worked through all the decisions in this step, you’re ready to configure your transactional survey in your ITSM solution or survey tool.

    As a starting point, you can leverage Info-Tech’s Transactional Service Desk Survey Templatee to design your templates and wording.

    Make adjustments to match your decisions or your configuration limitations as needed.

    Refer to the key decisions tables on slides 24 and 25 to ensure you’ve made all the configurations necessary as you set up your survey.

    The image contains a screenshot of Info-Tech's survey templates.

    Design and implement relationship surveys

    Phase 3

    Understand why and how to design a survey to assess overall satisfaction with the service desk across your organization, or use Info-Tech’s diagnostic.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    How can we evaluate overall Service Desk service quality?

    Evaluating service quality in any industry is challenging for both those seeking feedback and those consuming the service: “service quality is more difficult for the consumer to evaluate than goods quality.”

    You are in the position of trying to measure something intangible: customer perception, which “result[s] from a comparison of consumer expectations with actual service performance,” which includes both the service outcome and also “the process of service delivery”

    (Source: Parasuraman et al, 1985, 42).

    Your mission is to design a relationship survey that is:

    • Comprehensive but not too long.
    • Easy to understand but complex enough to capture enough detail.
    • Able to capture satisfaction with both the outcome and the experience of receiving the service.

    Use relationship surveys to measure overall service desk service quality

    Recall the definition of a relationship survey:

    • Survey that is sent periodically (i.e. semi-annually or annually) to the entire customer base to measure the overall relationship with the service desk.
    • Shows you where your customer experience is doing well and where it needs improving.
    • Asks customers to rate you based on their overall experience rather than on a specific product or interaction.
    • Longer and more comprehensive than transactional surveys, covering multiple dimensions/ topics.

    Relationship surveys serve several purposes:

    • Gives end users an opportunity to provide overall feedback on a wider range of experiences with IT.
    • Gives IT the opportunity to respond to feedback and show users their voices are heard.
    • Provides insight into year-over-year trends and customer satisfaction.
    • Provides IT leaders the opportunity to segment the results by demographic (e.g. by department, location, or seniority) and target improvements where needed most.
    • Feeds into strategic planning and annual reports on user experience and satisfaction

    Info-Tech Insight

    Annual relationship surveys provide great value in the form of year-over-year internal benchmarking data, which you can use to track improvements and validate the impact of your service improvement efforts.

    Understand the gaps that decrease service quality

    The Service Quality Model (Parasuraman, Zeithaml and Berry, 1985) shows how perceived service quality is negatively impacted by the gap between expectations for quality service and the perceptions of actual service delivery:

    Gap 1: Consumer expectation – Management perception gap:

    Are there differences between your assumptions about what users want from a service and what those users expect?

    Gap 2: Management perception – Service quality specification gap:

    Do you have challenges translating user expectations for service into standardized processes and guidelines that can meet those expectations?

    Gap 3: Service quality specifications – Service delivery gap:

    Do staff members struggle to carry out the service quality processes when delivering service?

    Gap 4: Service delivery – External communications gap:

    Have users been led to expect more than you can deliver? Alternatively, are users unaware of how the organization ensures quality service, and therefore unable to appreciate the quality of service they receive?

    Gap 5: Expected service – Perceived service gap:

    Is there a discrepancy between users’ expectations and their perception of the service they received (regardless of any user misunderstanding)?

    The image contains a screenshot of the Service Quality Model to demonstrate the consumer and consumers.

    Your survey questions about service and support should provide insight into where these gaps exist in your organization

    Make key decisions ahead of launch

    Decision/step Considerations
    Align the relationship survey with your goals Align what is motivating you to launch the survey at this time and the outcomes it is intended to feed into.
    Identify what you’re measuring Clarify the purpose of the questions. Are you measuring feedback on your service desk, specifically? On all of IT? Are you trying to capture user effort? User satisfaction? These decisions will affect how you word your questions.
    Determine a framework for your survey Reporting on results and tracking year-over-year changes will be easier if you design a basic framework that your survey questions fall into. Consider drawing on an existing service quality framework to match best practices in other industries.
    Cover logistical details Designing a relationship survey requires attention to many details that may initially be overlooked: the survey’s length and timing, who it should be sent to and how, what demographic info you need to collect to slice and dice the results, and if it will be possible to conduct the survey anonymously.
    Design question wording It is important to keep questions clear and concise and to avoid overly lengthy surveys.
    Select answer scales The answer scales you select will depend on how you have worded the questions. There is a wide range of answer scales available to you; decide which ones will produce the most meaningful data.
    Test the survey Testing the survey before widely distributing it is key. When collecting feedback, conduct at least a few in person observations of someone taking the survey to get their unvarnished first impressions.
    Monitor and maximize your response rate Ensure success by staying on top of the survey during the period it is open.

    Align the relationship survey with your goals

    What is motivating you to launch the survey at this time?

    Is there a renewed focus on customer service satisfaction? If so, this survey will track the initiative’s success, so its questions must align with the sponsors’ expectations.

    Are you surveying customer satisfaction in order to comply with legislation, or directives to measure customer service quality?

    What objectives/outcomes will this survey feed into?

    What do you need to report on to your stakeholders? Have they communicated any expectations regarding the data they expect to see?

    Does the CIO want the annual survey to measure end-user satisfaction with all of IT?

    • Or do you only want to measure satisfaction with one set of processes (e.g. Service Desk)?
    • Are you seeking feedback on a project (e.g. implementation of new ERP)?
    • Are you seeking feedback on the application portfolio?

    In 1993 the U.S. president issued an Executive Order requiring executive agencies to “survey customers to determine the kind and quality of services they want and their level of satisfaction with existing services” and “post service standards and measure results against them.” (Clinton, 1993)

    Identify what you’re measuring

    Examples of Measures

    Clarify the purpose of the questions

    Each question should measure something specific you want to track and be phrased accordingly.

    Are you measuring feedback on the service desk?

    Service desk professionalism

    Are you measuring user satisfaction?

    Service desk timeliness

    Your customers’ happiness with aspects of IT’s service offerings and customer service

    Trust in agents’ knowledge

    Users’ preferred ticket intake channel (e.g. portal vs phone)

    Satisfaction with self-serve features

    Are you measuring user effort?

    Are you measuring feedback on IT overall?

    Satisfaction with IT’s ability to enable the business

    How much effort your customer needs to put forth to accomplish what they wanted/how much friction your service causes or alleviates

    Satisfaction with company-issued devices

    Satisfaction with network/Wi-Fi

    Satisfaction with applications

    Info-Tech Insight

    As you compose survey questions, decide whether they are intended to capture user satisfaction or effort: this will influence how the question is worded. Include a mix of both.

    Determine a framework for your survey

    If your relationship survey covers satisfaction with service support, ensure the questions cover the major aspects of service quality. You may wish to align your questions on support with existing frameworks: for example, the SERVQUAL service quality measurement instrument identifies 5 dimensions of service quality: Reliability, Assurance, Tangibles, Empathy, and Responsiveness (see below). As you design the survey, consider if the questions relate to these five dimensions. If you have overlooked any of the dimensions, consider if you need to revise or add questions.

    Service dimension

    Definition

    Sample questions

    Reliability

    “Ability to perform the promised service dependably and accurately”1

    • How satisfied are you with the effectiveness of Service Desk’s ability to resolve reported issues?

    Assurance

    “Knowledge and courtesy of employees and their ability to convey trust and confidence”2

    • How satisfied are you with the technical knowledge of the Service Desk staff?
    • When you have an IT issue, how likely are you to contact Service Desk by phone?

    Tangibles

    “Appearance of physical facilities, equipment, personnel, and communication materials”3

    • How satisfied are you that employees in your department have all the necessary technology to ensure optimal job performance?
    • How satisfied are you with IT’s ability to communicate to you regarding the information you need to perform your job effectively?

    Empathy

    “Caring, individualized attention the firm provides its customers”4

    • How satisfied are you that IT staff interact with end users in a respectful and professional manner?

    Responsiveness

    “Willingness to help customers and provide prompt service”5

    • How satisfied are you with the timeliness of Service Desk’s resolution to reported issues?
    1-5. Arlen, Chris,2022. Paraphrasing Zeithaml, Parasuraman, and Berry, 1990.

    Cover logistical details of the survey

    Identify who you will send it to

    Will you survey your entire user base or a specific subsection? For example, a higher education institution may choose to survey students separately from staff and faculty. If you are gathering data on customer satisfaction with a specific implementation, only survey the affected stakeholders.

    Determine timing

    Avoid sending out the survey during known periods of time pressure or absence (e.g. financial year-end, summer vacation).

    Decide upon its length

    Consider what survey length your users can tolerate. Configure the survey to show the respondents’ progression or their percentage complete.

    Clearly introduce the survey

    The survey should begin with an introduction that thanks users for completing the survey, indicates its length and anonymity status, and conveys how the data will be used, along with who the participants should contact with any questions about the survey.

    Decide upon incentives

    Will you incentivize participation (e.g. by entering the participants in a draw or rewarding highest-participating department)?

    Collect demographic information

    Ensure your data can be “sliced and diced” to give you more granular insights into the results. Ask respondents for information such as department, location, seniority, and tenure to help with your trend analysis later.

    Clarify if anonymous

    Users may be more comfortable participating if they can do so anonymously (Quantisoft, n.d.). If you promise anonymity, ensure your survey software/ partner can support this claim. Note the difference between anonymity (identity of participant is not collected) and confidentiality (identifying data is collected but removed from the reported results).

    Decide how to deliver the survey

    Will you be distributing the survey yourself through your own licensed software (e.g. through Microsoft Forms if you are an MS shop)? Or, will you be partnering with a third-party provider? Is the survey optimized for mobile? Some find up to 1/3 of participants use mobile devices for their surveys (O’Reardon, 2018).

    Use the Sample Size Calculator to determine your ideal sample size

    Use Info-Tech’s Sample Size Calculator to calculate the number of people you need to complete your survey to have statistically representative results.

    The image contains a screenshot of the Sample Size Calculator.

    In the example above, the service desk supports 1000 total users (and sent the survey to each one). To be 95% confident that the survey results fall within 5% of the true value (if every user responded), they would need 278 respondents to complete their survey. In other words, to have a sample that is representative of the whole population, they would need 278 completed surveys.

    Explanation of terms:

    Confidence Level: A measure of how reliable your survey is. It represents the probability that your sample accurately reflects the true population (e.g. your entire user base). The industry standard is typically 95%. This means that 95 times out of 100, the true data value that you would get if you surveyed the entire population would fall within the margin of error.

    Margin of Error: A measure of how accurate the data is, also known as the confidence interval. It represents the degree of error around the data point, or the range of values above and below the actual results from a survey. A typical margin of error is 5%. This means that if your survey sample had a score of 70%, the true value if you sampled the entire population would be between 65% and 75%. To narrow the margin of error, you would need a bigger sample size.

    Population Size: The total set of people you want to study with your survey. For example, the total number of users you support.

    Sample Size: The number of people who participate in your survey (i.e. complete the survey) out of the total population.

    Info-Tech’s End-User Satisfaction Diagnostics

    If you choose to leverage a third-party partner, an Info-Tech satisfaction survey may already be part of your membership. There are two options, depending on your needs:

    I need to measure and report customer satisfaction with all of IT:

    • IT’s ability to enable the organization to meet its existing goals, innovate, adapt to business needs, and provide the necessary technology.
    • IT’s ability to provide training, respond to feedback, and behave professionally.
    • Satisfaction with IT services and applications.

    Both products measure end-user satisfaction

    One is more general to IT

    One is more specific to service desk

    I need to measure and report more granularly on Service Desk customer satisfaction:

    • Efficacy and timeliness of resolutions
    • Technical and communication skills
    • Ease of contacting the service desk
    • Effectiveness of portal/ website
    • Ability to collect and apply user feedback

    Choose Info-Tech's End User Satisfaction Survey

    Choose Info-Tech’s Service Desk Satisfaction Survey

    Design question wording

    Write accessible questions:

    Instead of this….

    Ask this….

    48% of US adults meet or exceed PIACC literacy level 3 and thus able to deal with texts that are “often dense or lengthy.”

    52% of US adults meet level 2 or lower.

    Keep questions clear and concise. Avoid overly lengthy surveys.

    Source: Highlights of the 2017 U.S. PIAAC Results Web Report
    1. How satisfied are you with the response times of the service desk?
    2. How satisfied are you with the timeliness of the service desk?

    Users will have difficulty perceiving the difference between these two questions.

    1. How satisfied are you with the time we take to acknowledge receipt of your ticket?
    2. How satisfied are you with the time we take to completely resolve your ticket?

    Tips for writing survey questions:

    “How satisfied are you with the customer service skills, knowledge, and responsiveness of the technicians?”

    This question measures too many things and the data will not be useful.

    Choose only one to ask about.

    • Cut out any unnecessary words or phrasing. Highlight/bold key words or phrases.
    • Avoid biasing or leading respondents to select a certain answer.
    • Don’t attempt to measure multiple constructs in a single question.

    “On a scale of 1-10, thinking about the past year, how satisfied would you say that you were overall with the way that your tickets were resolved?”

    This question is too wordy.

    “How satisfied were you with your ticket resolution?”

    Choose answer scales that best fit your questions and reporting needs

    Likert scale

    Respondents select from a range of statements the position with which they most agree:

    E.g. How satisfied are you with how long it generally takes to resolve your issue completely?

    E.g. Very dissatisfied/Somewhat dissatisfied/ Neutral/ Somewhat satisfied/ Very satisfied/ NA

    Frequency scale

    How often does the respondent have to do something, or how often do they encounter something?

    E.g. How frequently do you need to re-open tickets that have been closed without being satisfactorily resolved?

    E.g. Never/ Rarely/ Sometimes/ Often/ Always/ NA

    Numeric scale

    By asking users to rate their satisfaction on a numeric scale (e.g., 1-5, 1-10), you can facilitate reporting on averages:

    E.g. How satisfied are you with IS’s ability to provide services to allow the organization to meet its goals?

    E.g. 1 – Not at all Satisfied to 10 – Fully Satisfied / NA

    Forced ranking

    Learn more about your users’ priorities by asking them to rank answers from most to least important, or selecting their top choices (Sauro, 2018):

    E.g. From the following list, drag and drop the 3 aspects of our service that are most important to you into the box on the right.

    Info-Tech Insight

    Always include an optional open-ended question, which allows customers to provide more feedback or suggestions.

    Test the survey before launching

    Review your questions for repetition and ask for feedback on your survey draft to discover if readers interpret the questions differently than you intended.

    Test the survey with different stakeholder groups:

    • IT staff: To discover overlooked topics.
    • Representatives of your end-user population: To discover whether they understand the intention of the questions.
    • Executives: To validate whether you are capturing the data they are interested in reporting on.

    Testing methodology:

    • Ask your test subjects to take the survey in your presence so you can monitor their experience as they take it.
    • Ask them to narrate their experience as they take the survey.
    • Watch for:
      • The time it takes to complete the survey.
      • Moments when they struggle or are uncertain with the survey’s wording.
      • Questions they find repetitive or pointless.

    Info-Tech Insight

    In the survey testing phase, try to capture at least a few real-time responses to the survey. If you collect survey feedback only once the test is over, you may miss some key insights into the user experience of navigating the survey.

    “Follow the golden rule: think of your audience and what they may or may not know. Think about what kinds of outside pressures they may bring to the work you’re giving them. What time constraints do they have?”

    – Sally Colwell, Project Officer, Government of Canada Pension Centre

    Monitor and maximize your response rate

    Ensure success by staying on top of the survey during the period it is open.

    • When will your users complete the survey? You know your own organization’s culture best, but SurveyMonkey found that weekday survey responses peaked at mid-morning and mid-afternoon (Wronski). Ensure you send the communication at a time it will not be overlooked. For example, some studies found Mondays to have higher response rates; however, the data is not consistent (Amaresan, 2021). Send the survey at a time you believe your users are least likely to be inundated with other notifications.
    • Have a trusted leader send out the first communication informing the end-user base of the survey. Ensure the recipient understands your motivation and how their responses will be used to benefit them (O’Reardon, 2016). Remind them that participating in the survey benefits them: since IT is taking actions based on their feedback, it’s their chance to improve their employee experience of the IT services and tools they use to do their job.
    • In the introductory communication, test different email subject lines and email body content to learn which versions increase respondents’ rates of opening the survey link, and “keep it short and clear” (O’Reardon, 2016).
    • If your users tend to mistrust emailed links due to security training, tell them how to confirm the legitimacy of the survey.

    “[Send] one reminder to those who haven’t completed the survey after a few days. Don’t use the word ‘reminder’ because that’ll go straight in the bin, better to say something like, ‘Another chance to provide your feedback’”

    – David O’Reardon, Founder & CEO of Silversix

    Analyze and act on feedback

    Phase 4

    Measure and analyze the results of both surveys and build a plan to act on both positive and negative feedback and communicate the results with the organization.

    Phase 1:

    Phase 2:

    Phase 3:

    Phase 4:

    Understand how to measure customer satisfaction

    Design and implement transactional surveys

    Design and implement relationship surveys

    Analyze and act on feedback

    Leverage the service recovery paradox to improve customer satisfaction

    The image contains a screenshot of a graph to demonstrate the service recovery paradox.

    A service failure or a poor experience isn’t what determines customer satisfaction – it’s how you respond to the issue and take steps to fix it that really matters.

    This means one poor experience with the service desk doesn’t necessarily lead to an unhappy user; if you quickly and effectively respond to negative feedback to repair the relationship, the customer may be even happier afterwards because you demonstrated that you value them.

    “Every complaint becomes an opportunity to turn a bad IT customer experience into a great one.”

    – David O’Reardon, Founder & CEO of Silversix

    Collecting feedback is only the first step in the customer feedback loop

    Closing the feedback loop is one of the most important yet forgotten steps in the process.

    1. Collect Feedback
    • Send transactional surveys after every ticket is resolved.
    • Send a broader annual relationship survey to all users.
  • Analyze Feedback
    • Calculate satisfaction scores.
    • Read open-ended comments.
    • Analyze for trends, categories, common issues and priorities.
  • Act on Feedback
    • Respond to users who provided feedback.
    • Make improvements based on feedback.
  • Communicate Results
    • Communicate feedback results and improvements made to respondents and to service desk staff.
    • Summarize results and actions to key stakeholders and business leaders.

    Act on feedback to get the true value of your satisfaction program

    • SDI (2018) survey data shows that the majority of service desk professionals are using their customer satisfaction data to feed into service improvements. However, 30% still aren’t doing anything with the feedback they collect.
    • Collecting feedback is only one half of a good customer feedback program. Acting on that feedback is critical to the success of the program.
    • Using feedback to make improvements not only benefits the service desk but shows users the value of responding and will increase future response rates.
    The image contains a screenshot of a bar graph that demonstrates SDI: What do service desk professionals do with customer satisfaction data?

    “Your IT service desk’s CSAT survey should be the means of improving your service (and the employee experience), and something that encourages people to provide even more feedback, not just the means for understanding how well it’s doing”

    – Joe the IT Guy, SysAid

    Assign responsibility for acting on feedback

    If collecting and analyzing customer feedback is something that happens off the side of your desk, it either won’t get done or won’t get done well.

    • Formalize the customer satisfaction program. It’s not a one-time task, but an ongoing initiative that requires significant time and dedication.
    • Be clear on who is accountable for the program and who is responsible for all the tasks involved for both transactional and relationship survey data collection, analysis, and communication.

    Assign accountability for the customer feedback program to one person (i.e. Service Desk Manager, Service Manager, Infrastructure & Operations Lead, IT Director), who may take on or assign responsibilities such as:

    • Designing surveys, including survey questions and response options.
    • Configuring survey(s) in ITSM or survey tool.
    • Sending relationship surveys and subsequent reminders to the organization.
    • Communicating results of both surveys to internal staff, business leaders, and end users.
    • Analyzing results.
    • Feeding results into improvement plans, coaching, and training.
    • Creating reports and dashboards to monitor scores and trends.

    Info-Tech Insight

    While feedback can feed into internal coaching and training, the goal should never be to place blame or use metrics to punish agents with poor results. The focus should always be on improving the experience for end users.

    Determine how and how often to analyze feedback data

    • Analyze and report scores from both transactional and relationship surveys to get a more holistic picture of satisfaction across the organization.
    • Determine how you will calculate and present satisfaction ratings/scores, both overall and for individual questions. See tips on the right for calculating and presenting NPS and CSAT scores.
    • A single satisfaction score doesn’t tell the full story; calculate satisfaction scores at multiple levels to determine where improvements are most needed.
      • For example, satisfaction by service desk tier, team or location, by business department or location, by customer group, etc.
    • Analyze survey data regularly to ensure you communicate and act on feedback promptly and avoid further alienating dissatisfied users. Transactional survey feedback should be reviewed at least weekly, but ideally in real time, as resources allow.

    Calculating NPS Scores

    Categorize respondents into 3 groups:

    • 9-10 = Promoters, 7-8 = Neutral, 1-6 = Detractors

    Calculate overall NPS score:

    • % Promoters - % Detractors

    Calculating CSAT Scores

    • CSAT is usually presented as a percentage representing the average score.
    • To calculate, take the total of all scores, divide by the maximum possible score, then multiply by 100. For example, a satisfaction rating of 80% means on average, users gave a rating of 4/5 or 8/10.
    • Note that some organizations present CSAT as the percentage of “satisfied” users, with satisfied being defined as either “yes” on a two-point scale or a score of 4 or 5 on a 5-point scale. Be clear how you are defining your satisfaction rating.

    Don’t neglect qualitative feedback

    While it may be more difficult and time-consuming to analyze, the reward is also greater in terms of value derived from the data.

    Why analyze qualitative data

    How to analyze qualitative data

    • Quantitative data (i.e. numerical satisfaction scores) tells you how many people are satisfied vs dissatisfied, but it doesn’t tell you why they feel that way.
    • If you limit your data analysis to only reporting numerical scores, you will miss out on key insights that can be derived from open-ended feedback.
    • Qualitative data from open-ended survey questions provides:
      • Explanations for the numbers
      • More detailed insight into why respondents feel a certain way
      • More honest and open feedback
      • Insight into areas you may not have thought to ask about
      • New ideas and recommendations

    Methods range in sophistication; choose a technique depending on your tools available and goals of your program.

    1. Manual 2. Semi-automated 3. AI & Analysis Tools
    • Read all comments.
    • Sort into positive vs negative groups.
    • Add tags to categorize comments (e.g. by theme, keyword, service).
    • Look for trends and priorities, differences across groups.
    • Run a script to search for specific keywords.
    • Use a word cloud generator to visualize the most commonly mentioned words (e.g. laptop, email).
    • Due to limitations, manual analysis will still be necessary.
    • Use a feedback analysis/text analysis tool to mine feedback.
    • Software will present reports and data visualizations of common themes.
    • AI-powered tools can automatically detect sentiment or emotion in comments or run a topic analysis.

    Define a process to respond to both negative and positive feedback

    Successful customer satisfaction programs respond effectively to both positive and negative outcomes. Late or lack of responses to negative comments may increase customer frustration, while not responding at all to the positive comments may give the perception of indifference.

    1. Define what qualifies as a positive vs negative score
    2. E.g. Scores of 1 to 2 out of 5 are negative, scores of 4 to 5 out of 5 are positive.

    3. Define process to respond to negative feedback
    • Negative responses should go directly to the Service Desk Manager or whoever is accountable for feedback.
    • Set an SLO for when the user will be contacted. It should be within 24h but ideally much sooner.
    • Investigate the issue to understand exactly what happened and get to the root cause.
    • Identify remediation steps to ensure the issue does not occur again.
    • Communicate to the customer the action you have taken to improve.
  • Define process to respond to positive feedback
    • Positive responses should also be reviewed by the person accountable for feedback, but the timeline to respond may be longer.
    • Show respondents that you value their time by thanking them for responding. Showing appreciate helps to build a long-term relationship with the user.
    • Share positive results with the team to improve morale, and as a coaching/training mechanism.
    • Consider how to use positive feedback as an incentive or reward.

    Build a plan to communicate results to various stakeholders

    Regular communication about your feedback results and action plan tied to those results is critical to the success of your feedback program. Build your communication plan around these questions:

    1. Who should receive communication?

    Each audience will require different messaging, so start by identifying who those audiences are. At a minimum, you should communicate to your end users who provided feedback, your service desk/IT team, and business leaders or stakeholders.

    2. What information do they need?

    End users: Thank them for providing feedback. Demonstrate what you will do with that feedback.

    IT team: Share results and what you need them to do differently as a result.

    Business leaders: Share results, highlight successes, share action plan for improvement.

    3. Who is responsible for communication?

    Typically, this will be the person who is accountable for the customer feedback program, but you may have different people responsible for communicating to different audiences.

    4. When will you communicate?

    Frequency of communication will depend on the survey type – relationship or transactional – as well as the audience, with internal communication being much more frequent than end-user communication.

    5. How will you communicate?

    Again, cater your approach to the audience and choose a method that will resonate with them. End users may view an email, an update on the portal, a video, or update in a company meeting; your internal IT team can view results on a dashboard and have regular meetings.

    Communication to your users impacts both response rates and satisfaction

    Based on the Customer Communication Cycle by David O’Reardon, 2018
    1. Ask users to provide feedback through transactional and relationship surveys.
    2. Thank them for completing the survey – show that you value their time, regardless of the type of feedback they submitted.
    3. Be transparent and summarize the results of the survey(s). Make it easy to digest with simple satisfaction scores and a summary of the main insights or priorities revealed.
    4. Before asking for feedback, explain how you will use feedback to improve the service. After collecting feedback, share your plan for making improvements based on what the data told you.
    5. After you’ve made changes, communicate again to share the results with respondents. Make it clear that their feedback had a direct result on the service they receive. Communicating this before running another survey will also increase the likelihood of respondents providing feedback again.

    Info-Tech Insight

    Focus your communications to users around them, not you. Demonstrate that you need feedback to improve their experience, not just for you to collect data.

    Translate feedback into actionable improvements

    Taking action on feedback is arguably the most important step of the whole customer feedback program.

    Prioritize improvements

    Prioritize improvements based on low scores and most commonly received feedback, then build into an action plan.

    Take immediate action on negative feedback

    Investigate the issue, diagnose the root cause, and repair both the relationship and issue – just like you would an incident.

    Apply lessons learned from positive feedback

    Don’t neglect actions you can take from positive feedback – identify how you can expand upon or leverage the things you’re doing well.

    Use feedback in coaching and training

    Share positive experiences with the team as lessons learned, and use negative feedback as an input to coaching and training.

    Make the change stick

    After making a change, train and communicate it to your team to ensure the change sticks and any negative experiences don’t happen again.

    “Without converting feedback into actions, surveys can become just a pointless exercise in number watching.”

    – David O’Reardon, Founder & CEO of Silversix

    Info-Tech Insight

    Outline exactly what you plan to do to address customer feedback in an action plan, and regularly review that action plan to select and prioritize initiatives and monitor progress.

    For more guidance on tracking and prioritizing ongoing improvement initiatives, see the blueprints Optimize the Service Desk with a Shift Left Strategy and Build a Continual Improvement Plan for the Service Desk.

    Leverage Info-Tech resources to guide your improvement efforts

    Map your identified improvements to the relevant resource that can help:

    Improve service desk processes:

    Improve end-user self-service options:

    Assess and optimize service desk staffing:

    Improve ease of contacting the service desk:

    Standardize the Service Desk Optimize the Service Desk With a Shift-Left Strategy Staff the Service Desk to Meet Demand Improve Service Desk Ticket Intake

    Improve service desk processes:

    Improve end-user self-service options:

    Assess and optimize service desk staffing:

    Improve ease of contacting the service desk::

    Improve Incident and Problem Management Improve Incident and Problem Management Deliver a Customer Service Training Program to Your IT Department Modernize and Transform Your End-User Computing Strategy

    Map process for acting on relationship survey feedback

    Use Info-Tech’s Relationship Satisfaction Survey Review Process workflow as a template to define your own process.

    The image contains a screenshot of the Relationship Satisfaction Survey Review Process.

    Map process for acting on transactional survey feedback

    Use Info-Tech’s Transactional Satisfaction Survey Review Process workflow as a template to define your own process.

    The image contains a screenshot of the Transactional Satisfaction Survey Review Process.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes, including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

    Optimize the Service Desk With a Shift-Left Strategy

    This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

    Build a Continual Improvement Plan

    This project will help you build a continual improvement plan for the service desk to review key processes and services and manage the progress of improvement initiatives.

    Deliver a Customer Service Training Program to Your IT Department

    This project will help you deliver a targeted customer service training program to your IT team to enhance their customer service skills when dealing with end users, improve overall service delivery and increase customer satisfaction.

    Sources Cited

    Amaresan, Swetha. “The best time to send a survey, according to 5 studies.” Hubspot. 15 Jun 2021. Accessed October 2022.
    Arlen, Chris. “The 5 Service Dimensions All Customers Care About.” Service Performance Inc. n.d. Accessed October 2022.
    Clinton, William Jefferson. “Setting Customer Service Standards.” (1993). Federal Register, 58(176).
    “Understanding Confidentiality and Anonymity.” The Evergreen State College. 2022. Accessed October 2022.
    "Highlights of the 2017 U.S. PIAAC Results Web Report" (NCES 2020-777). U.S. Department of Education. Institute of Education Sciences, National Center for Education Statistics.
    Joe the IT Guy. “Are IT Support’s Customer Satisfaction Surveys Their Own Worst Enemy?” Joe the IT Guy. 29 August 2018. Accessed October 2022.
    O’Reardon, David. “10 Ways to Get the Most out of your ITSM Ticket Surveys.” LinkedIn. 2 July 2019. Accessed October 2022.
    O'Reardon, David. "13 Ways to increase the response rate of your Service Desk surveys".LinkedIn. 8 June 2016. Accessed October 2022.
    O’Reardon, David. “IT Customer Feedback Management – A Why & How Q&A with an Expert.” LinkedIn. 13 March 2018. Accessed October 2022.
    Parasuraman, A., Zeithaml, V. A., & Berry, L. L. (1985). "A Conceptual Model of Service Quality and Its Implications for Future Research." Journal of Marketing, 49(4), 41–50.
    Quantisoft. "How to Increase IT Help Desk Customer Satisfaction and IT Help Desk Performance.“ Quantisoft. n.d. Accessed November 2022.
    Rumberg, Jeff. “Metric of the Month: Customer Effort.” HDI. 26 Mar 2020. Accessed September 2022.
    Sauro, Jeff. “15 Common Rating Scales Explained.” MeasuringU. 15 August 2018. Accessed October 2022.
    SDI. “Customer Experience in ITSM.” SDI. 2018. Accessed October 2022.
    SDI. “CX: Delivering Happiness – The Series, Part 1.” SDI. 12 January 2021. Accessed October 2022.
    Wronski, Laura. “Who responds to online surveys at each hour of the day?” SurveyMonkey. n.d. Accessed October 2022.

    Research contributors

    Sally Colwell

    Project Officer

    Government of Canada Pension Centre