Build a Strategy for Big Data Platforms

  • Buy Link or Shortcode: {j2store}203|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Big Data
  • Parent Category Link: /big-data
  • The immaturity of the big data market means that organizations lack examples and best practices to follow, and they are often left trailblazing their own paths.
  • Experienced and knowledgeable big data professionals are limited and without creative resourcing; IT might struggle to fill big data positions.
  • The term NoSQL has become a catch-all phrase for big data technologies; however, the technologies falling under the umbrella of NoSQL are disparate and often misunderstood. Organizations are at risk of adopting incorrect technologies if they don’t take the time to learn the jargon.

Our Advice

Critical Insight

  • NoSQL plays a key role in the emergence of the big data market, but it has not made relational databases outdated. Successful big data strategies can be conducted using SQL, NoSQL, or a combination of the two.
  • Assign a Data Architect to oversee your initiative. Hire or dedicate someone who has the ability to develop both a short-term and long-term vision and that has hands-on experience with data management, mining and modeling. You will still need someone (like a database administrator) who understands the database, the schemas, and the structure.
  • Understand your data before you attempt to use it. Take a master data management approach to ensure there are rules and standards for managing your enterprise’s data, and take extra caution when integrating external sources.

Impact and Result

  • Assess whether SQL, NoSQL, or a combination of both technologies will provide you with the appropriate capabilities to achieve your business objectives and gain value from your data.
  • Form a Big Data Team to bring together IT and the business in order to leave a successful initiative.
  • Conduct ongoing training with your personnel to ensure up-to-date skills and end-user understanding.
  • Frequently scan the big data market space to identify new technologies and opportunities to help optimize your big data strategy.

Build a Strategy for Big Data Platforms Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Develop a big data strategy

Know where to start and where to focus attention in the implementation of a big data strategy.

  • Storyboard: Build a Strategy for Big Data Platforms

2. Assess the appropriateness of big data technologies

Decide the most correct tools to use in order to solve enterprise data management problems.

  • Big Data Diagnostic Tool

3. Determine the TCO of a scale out implementation

Compare the TCO of a SQL (scale up) with a NoSQL (scale out) deployment to determine whether NoSQL will save costs.

  • Scale Up vs. Scale Out TCO Tool
[infographic]

Considerations for a Move to Virtual Desktops

  • Buy Link or Shortcode: {j2store}69|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: End-User Computing Strategy
  • Parent Category Link: /end-user-computing-strategy
  • Hybrid work environments, remote from anywhere and any device, and the security concerns that go hand-in-hand with these strategies have accelerated the move to VDI and DaaS.
  • IT departments can encounter many obstacles to VDI and DaaS, many of which will be determined by your business model and other factors, including complicated shared infrastructure, inadequate training or insufficient staff, and security and compliance concerns.
  • If you do not consider how your end user will be impacted, you will run into multiple issues that affect end-user satisfaction, productivity, and adoption.
  • How will you manage and navigate the right solution for your organization?

Our Advice

Critical Insight

  • In the world of VDI and DaaS, if you do not get buy-in from the end user, the rate of adoption and the overall success of the implementation will prove difficult to measure. It will be impossible to calculate ROI even as you feel the impact of your TCO.

Impact and Result

  • The dimensions of end-user experience can be broken down into four distinct categories that will impact not only the end user but also the business: performance, availability, functionality, and security.
  • Picturing your landscape in this framework will help clearly define your considerations when deciding on whether a VDI or DaaS solution is right for your business.

Considerations for a Move to Virtual Desktops Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Considerations for a Move to Virtual Desktops Storyboard – A guide to the strategic, technical, and support implications that should be considered in support of a move to VDI or DaaS.

By defining your goals, framing solutions based on end-user workloads, and understanding the pros and cons of various solutions, you can visualize what success looks like for your VDI/DaaS deployment. This includes defining your KPIs by end-user experience, knowing the decision gates for a successful deployment, and defining your hypothesis for value to make your decision more accurate and gain C-suite buy-in.

  • Considerations for a Move to Virtual Desktops Storyboard
[infographic]

Further reading

What strategic, technical, and support implications should be considered in support of a move to VDI or DaaS?

Executive Summary

Insight

End-user experience is your #1 consideration

Virtual desktop infrastructure (VDI)/desktop as a service (DaaS) users expect their user experience to be at least equal to that provided by a physical PC, and they do not care about the underlying infrastructure. If the experience is less, then IT has failed in the considerations for VDI/ DaaS. In this research we analyze the data that the IT industry tracks but doesn't use or sometimes even look at regarding user experience (UX).

Identify the gaps in your IT resources that are critical to success

Understanding the strengths and weaknesses in your in-house technical skills and business requirements will assist you in making the right decision when it comes to VDI or DaaS solutions. In the case of DaaS this will include a managed service provider for small to medium-sized IT teams. Many IT teams lack a seasoned IT project manager who can identify gaps, risks, and weaknesses in the organization's preparedness. Redeploy your IT staff to new roles that impact management and monitoring of UX.

IT should think about VDI and DaaS solutions

Ultimately, IT needs to reduce its complexity, increase user satisfaction, reduce management and storage costs, and maintain a secure and effective environment for both the end user and the business. They must also ensure productivity standards throughout the considerations, strategically, tactically, and in support of a move to a VDI or DaaS solution.

Executive Summary

Your Challenge

With the evolution of VDI over the last 15-plus years, there has been a proliferation of solutions, such as Citrix desktop services, VMware Horizon, and in-house hypervisor solutions (e.g. ESX hosts). There has also been a great deal of growth and competition of DaaS and SaaS solutions in the cloud space. Hybrid work environments, remote from anywhere and any device, and the security concerns that go hand-in-hand with these strategies have certainly accelerated the move to VDI and DaaS.

How will you manage and navigate the right solution for your organization?

Common Obstacles

IT departments can encounter many obstacles to VDI and DaaS, many of which will be determined by your business model and other factors, such as:

  • Complicated shared infrastructure such as federated multitenant partners and legacy app servers.
  • Inadequate in-house training or insufficient staff to execute migration or manage post-migration activates such as governance and retention policies.
  • Security, compliance, legal, and data classification concerns. Some security tools cannot be deployed in the cloud, limiting you to an on-premises solution.
Info-Tech’s Approach

By defining your end goals, framing solutions based on end-user workloads, and understanding the pros and cons of what solution(s) will meet your needs, you can visualize what success looks like.

  1. Define your KPIs by end-user experience.
  2. Knowing what the decision gates are for a successful VDI/DaaS deployment will prove out your selection process.
  3. Define your hypothesis for value. How you determine value will make your decision more accurate and gain C-suite buy-in.

Info-Tech Insight

Every IT organization needs to be asking what success looks like. If you do not consider how your end user will be impacted, whether they are doing something as simple as holding a team meeting with voice and video or working with highly technical workloads on a virtual environment, you will run into multiple issues that affect end-user satisfaction, productivity, and adoption. Understand the tension metrics that may conflict with meeting business objectives and KPIs.

Voice of the customer

Client-Driven Insight

Different industries have different requirements and issues, so they look at solutions differently.

Info-Tech Insight

If end-user experience is at the forefront of business requirements, then any solution that fits the business KPIs can be successful.

Client Pain Point

Description Indicators

Flexible work environmentWhat VDI solution can support a work-from-anywhere scenario? Possible solutions: Azure Virtual Desktop, IGEL client, Citrix virtual apps, and desktop services.
Security concerns Corporate resources need to be secure. Working with untrusted endpoints or unsecured locations. Using VPN-type solution.
End-user experience What performance metrics should be used to evaluate UX? Are there issues around where the endpoint is located? What kind of link do they have to the virtual desktop? What solutions are there?
Optimization of routing What routings need to take place to achieve reduced latency and improved experience?
Multifactor authenticationSecurity features such as a multilayered MFA and corporate data protection.
Business continuity What are the options when dealing with cloud outages, meeting SLAs, and building resilience?
Optimizing app performance and response times Define users based on a multiuser environment. Engineers and designers require more CPU resources, which negatively impacts on other users. Optimize CPU to avoid this situation. MS Teams and video streaming apps are not performing in an optimized manner.
Optimization of cloud costs Scalability and usage schedule. Minimize cloud costs with tools to handle workloads and usage.
Third-party access outsourcingContractors and third parties accessing business resources need to control data and source code along with developer tools in a centrally managed SaaS.

The enterprise end-user compute landscape is changing

Starting on the left are three computer types 'Windows on a PC', 'Mac', and 'VDI on a Thick Client'. In the next part, the first two are combined into 'BYOD', and the tree begins at 'Win11'. Branches from Win11 are: 'DIY' which branches to 'Autopilot & Endpoint Manager (Intune)'; 'Outsource' which branches to 'Device as a Service' which brances to 'Dell', 'Lenovo', and 'HP'; and another branch from 'Outsource', 'Azure Desktop', Which snakes us around to the top of the diagram at 'VDI'. VDI branches to 'VDI on a thin client' and 'VDI on a Browser', then they both branch into 'DIY' which branches to 'Citrix', 'VMware', and 'Azure', and 'Outsource' which branches to 'Desktop as a Service Vendor'.

Surveys are telling us a story

Questions you should be asking before you create your RFP
  • What are the use cases and types of workloads?
  • What is the quality of the network connection and bandwidth for the user base?
  • What are the application requirements?
  • What type of end points does the user have and what is the configuration?
  • Where are the data storage containers, how are they accessed, and are there proximity constraints?
  • What is the business security and identity policy requirements?
  • What are the functional and nonfunctional requirements?
  • Will the virtual desktops be persistent or non-persistent?

How would you rate the user experience on your VDI/DaaS solution?


(Source: Hysolate, 2020)

  • 18% of CISOs say htue employees are happy with their company's VDI/DaaS solution
  • 82% say their employees are neutral or unhappy with their company's VDI/DaaS solution

Info-Tech Insight

Asking critical use-case questions should give you a clear picture of the end-user experience outcome.

End-user KPI metrics are difficult to gather

Security is always quoted as a primary justification for VDI/DaaS, while UX is far down the list of KPIs. WHY?

IT engineers use network and performance metrics to manage end-user complaints of “slowness,” which in reality is not what the user is experiencing.

IT needs to invest in more meaningful metrics to manage end-user pain:

  • Logon duration
  • App load time
  • App response time
  • Session response time
  • Graphic quality and responsiveness and latency
  • Application availability and performance
Bar chart of justifications used for business investment in VDI/DaaS. The most used justification is 'IT Efficiency' at 38%, and highlighted in the 2nd last place is 'Employee Experience' at 11%.
(Source: Enterprise Strategy Group, 2020)

Dimensions of user experience

The dimensions of end-user experience can be broken down into four distinct categories that will impact not only the end user but also the business.

Picturing your landscape in this framework will help clearly define your considerations when deciding on whether a VDI or DaaS solution is right for your business. We will investigate how these scenarios impact the end user, what that means, and how that can guide the questions that you are asking as you move to an RFP.

Info-Tech Insight

In the world of VDI and DaaS, if you do not get buy-in from the end user, the rate of adoption and the overall success of the implementation will prove difficult to measure. It will be impossible to calculate ROI even as you feel the impact of your TCO.

Three arrows pointing right with labels in sequence 'Dimensions', 'Operational Metrics', and 'Technical Capabilities/ Controls'

Cycle diagram with many tiers, titled 'USER EXPERIENCE'. The first tier from the center has four items cycling clockwise 'Availability', 'Functionality', 'Security', and 'Performance'. The second tier is associated to the first tier: under Availability is 'Maintenance', 'Uptime', and 'Degradation'; under Functionality is 'Graphics Quality', 'User Friction', and 'Usability'; under Security is 'Endpoint Monitoring', 'Plane Control', and 'Identity'; under Performance is 'Response Time', 'Reliability', and 'Latency'. Around the edge on the third tier are many different related terms.

KPIs and metrics

  • Understand the types of end-user activities that are most likely to be reported as being slow.
  • You need to know what storage, CPU, memory, and network resources are being used when the user performs those activities. In other words, what is the OS doing behind the scenes and what hardware is it using?
  • Once you have determined which resources are being used by the various activities you will have to monitor the UX metrics to see which OS, network, storage, or server configuration issue is causing the performance issue that the user is reporting.

What IT measures

Most business KPI objectives concentrate on business goals, whether it be cost containment, security, simplification, ease of management, or centralization of apps and data, but rarely is there a KPI for end-user experience.

You can’t fix what you can’t see. Putting a cost benefit to end-user satisfaction may come in the form of productivity.

This may be a central reason why VDI has not been widely adopted as an architecture since it came to the marketplace more than 15 years ago.

Samples of different KPIs and metrics.

VDI processes to monitor

Monitoring end-user metrics will mitigate the tension between business KPIs and end-user satisfaction

Metric

Description

End-User
Experience

PERFORMANCELogon durationOnce the user puts in their password, how long does it take to get to their desktop? What is the measurement and how do you measure?
App load timeWhen an app is launched by the user there should be immediate indication that it is loading.
App response timeWhen the user performs a task, there should be no wait time, or hourglass icon, waiting for the app to catch up to the user input. (There is no succinct way to measure this.)
Session response timeHow does the user’s OS respond to I/O? The user should not experience any latency issues when doing a drag and drop, clicking on a menu item, or doing a search.
AVAILABILITYSLAsWhen something goes wrong in the VDI/DaaS environment, how quickly can the user expect to get back to their tasks?
Geographic locationWhen all other considerations are configured correctly, the user experience may be impacted by their location. So, for example, a user working out of Mexico and logging into a VDI may experience latency based on location compared to a user in California, for example, where the resources are stored, managed, and monitored.
Application availabilityMuch like app load time and response time, the only factor affecting the user experience is the back-end load on the app itself, for example a CAD or heavy resource app not properly resourced.
FUNCTIONALITYConfiguration of user desktopDegradation in functionality is caused by improper allocation of CPU, RAM, and GPU for the tasks at hand, creating a bad UX and end-user satisfaction score.
Graphics quality and responsivenessThe user should have the same experience as if on their own physical machine. A video experience should not have any lag in it, for example. MS Teams should not have latency or sound quality issues.
Predictive analysisContinuous performance and availability monitoring.
END USERBrowser real user monitoring (RUM)A real-time view into how the web application is performing from the point of view of a real end user.
Customer satisfaction scoreSurvey-based metrics on customer satisfaction.

“If employees are the competitive edge and key differentiator for a business, I&O has a duty of care to ensure that the employees’ digital experience enables and does not impede the value of that asset.” (John Annand, Principal Director, Info-Tech Research Group)

The case for VDI today

Is security and data sovereignty the only reason?

Technical capability
AVAILABILITYVDI is a better fit than DaaS in organizations that have limited or unreliable internet connectivity.
FUNCTIONALITYApplication flexibility: Resource-intensive applications may require specific virtual desktop configurations, for example in-house GIS apps, CAD, and gaming software requiring specific GPU configurations.
SECURITYData protection is often stated as a need to maintain an on-premises VDI solution, ensuring sensitive and highly privileged data does not travel across the internet.
AVAILABILITYWhile some cloud providers will allow you to bring your OS licensing along with a cloud migration, many subscriptions already include OS licensing, and you may be paying additional licensing costs.
SECURITYVDI makes sense if security and control are primary business KPIs, the IT resources are experienced virtual infrastructure engineers and administrators, and funding is not a hindrance.
PERFORMANCEWhen processing power is a functional requirement, such as CPU, GPU, and storage capacity, VDI offers performance benefits over a standard PC, reducing the need to deploy high-powered PCs to end users.

“Though the desktops are moving to the cloud, accountability is not.” (Gary Bea, Director of Consulting Services and Technical Operations, Goliath Technologies)

The case for DaaS

Any device anywhere: key benefits of DaaS

Technical capabilityChallenges
AVAILABILITYDelivers a consistent user experience regardless of location or device.

Info-Tech Insight

The total cost of the solution will be higher than you anticipate, and management is complex. Additionally, your ability to set your conditions and controls is limited.

Info-Tech Insight

Depending on your technical abilities and experience with cloud services, you will likely benefit from professional third-party services, technical services, and consulting, which can be critical when deciding if DaaS can fit into your current IT architecture, processes, and security posture.

SECURITYEnhances security posture by eliminating your client VPN and keeping sensitive data off the endpoint device.
FUNCTIONALITYOnboard and offboard users quickly and securely.
FUNCTIONALITYProvides centralize workspace management.
FUNCTIONALITYScale up or down on demand with a consumption- and subscription-based contract.
FUNCTIONALITYSignificantly reduce operational overhead compared to managing a traditional VDI deployment.

Technical capability comparison

Table comparing technical capabilities using a scale of circle quarters: zero quarters being 'Poor' and 4 quarters being 'Good'. There are six columns in the body, three of which are under 'VDI': 'Thin Client', 'Thick Client', and 'Web Client', and the other three are 'Desktop as a service', 'Device as a service', and 'Win11 w/ Autopilot & Intune'. Rows are split into four categories: In 'Performance' are 'Reliability', 'Response Time', and 'Latency'; in 'Availability' are 'Uptime' and 'Degradation'; in 'Functionality' are 'Usability', 'Graphics Quality', and 'User Friction'; in 'Security' are 'Endpoint Mgt.', 'Control Plane', and 'Identity'.

X as an endpoint client

From an end-user experience perspective, what makes sense in terms of usage and cost?

Thin Client
  • ✓ Easy provisioning and simple to use and manage
  • ✓ Easy to secure and update
  • ✓ Less vulnerable to data loss
  • ✓ Easily scaled
  • ✓ Requires less power
  • ✓ Cheaper than PCs
  • x compared to a PC
  • x Not powerful enough to manage loads such as CAD
  • x Infrastructure and network must be robust and up to date to avoid possible network latency
  • Examples: Terminals, Dell Wyse 5070, Lenovo M625, IGEL, HP Thin Client, repurposed PCs, Chromebook
Desktop as a Service
  • ✓ Flexibility: work from anywhere, on any device, collaboratively
  • ✓ Resource scalability not reliant on on-premises server hardware
  • ✓ Easy to configure, install, and maintain
  • ✓ Reliable and easy to provision
  • ✓ Centralized sensitive data cloud security
  • x Requires high-speed internet, especially for remote users
  • x Learning curve can cause user friction
  • x Workload configuration use cases
  • Examples: Citrix, VM Horizon, AWS WorkSpaces, WVD, BYOD
Thick Client
  • ✓ Completely flexible, for use with on-premises or cloud infrastructure
  • ✓ Able to work offline
  • ✓ Multimedia or bandwidth-intensive resource processing
  • ✓ Higher server capacity due to less resource load on servers
  • x Higher maintenance and updates attention
  • x Patching, security, and data migration friction
  • x More security vulnerability
  • x Less cost effective
  • Examples: Windows, MacOS desktops, laptops, smartphones, tablets
Device as a Service
  • ✓ Device supply chain flow fulfillment, services, and recovery
  • ✓ Able to update to new equipment more frequently
  • ✓ Scale up and down as needed
  • ✓ Better device backup, asset tracking , security, and EOL disposal
  • x Challenging risk management, regulatory obligations, and liabilities
  • x Change in helpdesk and business workflows
  • x Vendor may limit selection
  • Examples: PCs, smartphones, mobile computing devices, Lenovo, HP, Microsoft, Dell, Macs, iPads, iPhones
Web Client
  • ✓ Can be accessed from any computer; only requires username and password
  • ✓ Client works with a URL, so browser-based
  • ✓ Updates are easier than on a Windows client
  • x Security risk and information leakage
  • x Dependent on internet access
  • x Unable to work on high-impact resource apps (e.g. CAD, graphics)
  • x Limited user base, less technical operations
  • Examples: Chrome, Edge, HTML5

Security: on-premises versus cloud

Security decisions based on risk tolerance

  • What is your risk tolerance? When deciding between VDI and DaaS, the first consideration is whether the business is better served with an on-premises or a cloud solution.
  • Low risk tolerance: Considerer data sovereignty, complex compliance requirements, and data classification. For example, at the Pentagon, DoD requires heavy compliance with security and data sovereignty. DaaS cloud providers may be in a better position to respond to threats and attacks in a timely manner.
  • Low risk tolerance: If the business mandates security tools that cannot be deployed in cloud solutions, VDI is a better solution.
  • Low risk tolerance: Smaller businesses that don’t have resources with the expertise and skill set to handle security are better served in cloud. Security operations centers (SOCs) are more likely to present in large corporations.
  • Low risk tolerance: When patching requires customization, for example in legacy applications, the ability to test patches is impacted, which may cause possible complications or failures.
  • High risk tolerance: For cloud-based solutions, patching is taken out of the IT team’s hands, and testing is done against the complete cloud solution.

Info-Tech Insight

What is the better security posture and control plane? Clarify your stakeholders’ objectives, then see if VDI is an adequate solution.

Security needs for VDI and DaaS

  • IDENTITY AND ACCESS MANAGEMENT — MFA, authorization, provisioning, SSO, identity federation, data owners, workflows, role-based access control (RBAC), user lifecycle management
  • ENCRYPTION — TLS 1.3, and 256-bit, endpoint encryption, file encryption, AES, PKI, BitLocker
  • DATA LOSS PREVENTION — Centralized policy management, sensitive data detection, HIPAA, GDPR
  • ANTIVIRUS & PATCH MANAGEMENT — Group policy management, AV exclusions, anti-ransomware, keylogger mitigation
  • DDoS protection — HTTP, UDP flood mitigation, content delivery network, always-on services
  • ENDPOINT DETECTION & RESPONSE — Detect and react to advanced active attacks on endpoints

Activity

Define the virtual infrastructure solution for your end users

  1. Define and build your value hypothesis/proposition
    1. What is the business case? Who is championing the investment?
    2. Identify the project management team and stakeholders.
    3. Set goals to be achieved based on value.
    4. Identify KPIs and metrics to measure success.
  2. Identify use cases and personas
    1. Identify possible user friction (e.g. emotional, cognitive, interaction).
    2. Understand current infrastructure shortcomings/capabilities (e.g. network, security posture/tolerance, staffing needs, qualified technicians, end-user devices).
  3. Articulate use cases into functional and nonfunctional requirements
    1. Separate must haves and nice to haves.
    2. Categorize requirements into identifiable functionality capabilities.
    3. Review your outputs and identify “gotchas” using the MECE (mutually exclusive, collectively exhaustive) principle.

Related Info-Tech Research

Stock image of a dashboard.Modernize and Transform Your End-User Computing Strategy

Phase 3.2 of this research set covers virtual desktop infrastructure.

Stock image of a world surrounded by clouds.Implement Desktop Virtualization and Transition to Everything as a Service

Follow Info-Tech’s process for implementing the right desktop virtualization solution to create a project plan that will help ensure that you not only choose the right solution but also implement it effectively.

Stock image of a finger pushing a button.Cloud Strategy Workbook

Use this tool to assess cloud services (desktop-as-a-service).

Stock image of a world surrounded by clouds.Desktop Virtualization TCO Calculator

This tool is designed to help you understand what desktop virtualization looks like from a cost perspective.

Bibliography

Anderson, Joseph. “Five Ways VDI Will Grow in 2022 Thanks to Hybrid Work.” StratoDesk, 28 Feb. 2022. Web.

Bowker, Mark. “Are Desktops Doomed? Trends in Digital Workspaces, VDI, and DaaS.” ESG, May 2020. Web.

“The CISO's Dilemma: How Chief Information Security Officers Are Balancing Enterprise Endpoint Security and Worker Productivity in Response to COVID-19.” Hysolate, Oct. 2020. Web.

King, Val. “Why the End-User Experience Is Not Good for Your Remote Workforce .” Whitehat Virtual Technologies, 2 Dec. 2021. Web.

Perry, Yifat. “VDI vs DaaS: 5 Key Differences and 6 Leading Solutions.” NetApp, 26 Aug. 2020. Web.

Rigg, Christian. “Best virtual desktop services 2022.” TechRadar, 20 Jan. 2022 . Web.

Seget, Vladan. “Key metrics to consider when assessing the performance of your VDI/DaaS environment.” vladan.fr, 19 April 2021. Web.

Spruijt, Ruben. “Why Should You Care About VDI and Desktop-as-a-Service?” Nutanix, 28 Jan. 2020. Web.

Stowers, Joshua. “The Best Desktop as a Service (DaaS) Providers 2022.” business.com, 21 Dec. 2021. Web.

“Virtual Desktop Infrastructure(VDI) Market 2022.” MarketWatch, 5 Jan. 2022. Web. Press release.

Zamir, Tal. “VDI Security Best Practices: Busting the Myths.” Hysolate, 29 Nov. 2021. Web.

Zychowicz, Paul. “Why do virtual desktop deployments fail?” Turbonomic Blog, 16 Dec. 2016. Web.

Develop an IT Infrastructure Services Playbook

  • Buy Link or Shortcode: {j2store}451|cart{/j2store}
  • member rating overall impact (scale of 10): 10.0/10 Overall Impact
  • member rating average dollars saved: 2 Average Days Saved
  • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • Parent Category Name: Operations Management
  • Parent Category Link: /i-and-o-process-management
  • Infrastructure and operations teams are managing deployments on- and off-premises, and across multiple infrastructure services providers.
  • Though automation tools speed up the delivery process, documentation is always pushed off so the team can meet urgent deadlines.
  • Without documented delivery processes, wait times are longer, controls are adequate but ad hoc, builds are non-standard, and errors are more likely to be introduced in production.

Our Advice

Critical Insight

  • Prioritize in-demand services to add to the playbook. Pilot a few services to get value from the project quickly.
  • Do not get lost in automation or tooling. You do not need a complex tool or back-end automation to get value from this project.
  • Learn, then iterate. With a few completed service processes, it is much easier to identify opportunities for service automation.

Impact and Result

  • Prioritize in-demand services for documentation and standardization.
  • Build service workflows and document service requirements in the services playbook.
  • Create a costing model and track costs to deliver defined services.
  • Leverage data on costs and service requirements to improve service delivery.

Develop an IT Infrastructure Services Playbook Research & Tools

Start here – read the Executive Brief

Read this Executive Brief to find out why you should create an infrastructure services playbook, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Define and prioritize infrastructure services

Produce a prioritized list of high-demand infrastructure services.

  • Develop an IT Infrastructure Services Playbook – Phase 1: Define and Prioritize Infrastructure Services
  • Infrastructure Services Playbook

2. Build workflows and an infrastructure services playbook

Design workflows and create the first draft of the infrastructure services playbook.

  • Develop an IT Infrastructure Services Playbook – Phase 2: Build Workflows and an Infrastructure Services Playbook
  • Infrastructure Service Workflows (Visio)
  • Infrastructure Service Workflows (PDF)

3. Identify costs and mature service delivery capabilities

Build a service rate sheet to track costs and develop better service capabilities.

  • Develop an IT Infrastructure Services Playbook – Phase 3: Identify Costs and Mature Service Delivery Capabilities
  • Service Rate Sheet
  • Infrastructure Service Catalog Mind Map Example
[infographic]

Workshop: Develop an IT Infrastructure Services Playbook

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Define and Prioritize Infrastructure Services

The Purpose

Define and prioritize infrastructure services.

Key Benefits Achieved

Identify candidate services for the Playbook.

Activities

1.1 Define the services you own.

1.2 Prioritize infrastructure services.

Outputs

Affinity map of infrastructure services

Service pain points and root causes

A list of high-demand infrastructure services

2 Build the Infrastructure Services Playbook

The Purpose

Build workflows and an infrastructure services playbook.

Key Benefits Achieved

Produce a draft infrastructure services playbook.

Activities

2.1 Design workflow for service delivery.

2.2 Add steps and requirements to the Services Playbook.

Outputs

Documented service workflows

Infrastructure Services Playbook

3 Identify Costs and Mature Service Delivery Capabilities

The Purpose

Identify costs and mature service delivery capabilities.

Key Benefits Achieved

Build an infrastructure service rate sheet.

Define next steps for infrastructure service capabilities.

Activities

3.1 Optimize infrastructure cost estimates.

3.2 Mature your I&O organization into a service broker.

Outputs

Service Rate Sheet

Master list of infrastructure services

Action plan for Playbook implementation

Further reading

Develop an IT Infrastructure Services Playbook

Automation, SDI, and DevOps – build a cheat sheet to manage a changing Infrastructure & Operations environment.

Table of contents

Analyst Perspective

Executive Summary

Project Overview

Summary and Conclusion

ANALYST PERSPECTIVE

Technology is changing how infrastructure services are delivered.

"Managing a hybrid infrastructure environment is challenge enough. Add to this the pressure on IT Operations to deliver services faster and more continuously – it’s a recipe for boondoggle deployments, overcommitted staff, end-user frustration, and operational gridlock.

It’s not every service you provide that causes problems, so prioritize a few in-demand, painful services. Build and maintain durable, flexible processes that enable your team to provide consistent, repeatable services at a standard cost. Identify opportunities to improve service delivery.

You’ll save the business time and money and your own team significant grief." (Andrew Sharp, Research Manager, Infrastructure & Operations, Info-Tech Research Group)

Your infrastructure and operations team is a service provider; standardize, document, and communicate service capabilities

This Research is Designed For:

  • CTOs and Infrastructure Managers
  • Service Level Managers
  • ITSM Managers and Process Owners

This Research Will Help You:

  • Inventory services that IT Infrastructure & Operations (I&O) provides to the business (servers, storage, and network).
  • Standardize services and track costs.
  • Articulate the value of these services to business owners.
  • Develop a catalog of infrastructure services.

This Research Will Also Assist:

  • CIOs
  • Application Development Managers
  • Security Managers
  • Auditors

This Research Will Help Them:

  • Understand the complexities of technical service delivery.
  • Make better strategic IT infrastructure decisions.

Executive summary

Situation

  • Infrastructure and operations teams are managing deployments on- and off-premises and across multiple infrastructure service providers.
  • Though automation tools speed up the delivery process, documentation is always pushed off so the team can meet urgent deadlines.

Complication

  • Cloud providers have set the bar high for ease of access to stable infrastructure services.
  • Without documented delivery processes, wait times are longer, controls are adequate but ad hoc, builds are non-standard, and errors are more likely to be introduced in production.

Resolution

  • Prioritize in-demand services for documentation and standardization.
  • Build service workflows and document service requirements in the services playbook.
  • Create a costing model and track costs to deliver defined services.
  • Leverage data on costs and service requirements to improve service delivery.

Info-Tech Insight

  1. Keep it simple. Work through a few in-demand services to get early value from the project.
  2. Don’t get lost in automation or tooling. You don’t need a complex tool or back-end automation to get value from standardized services.
  3. Do then iterate. With a few completed service processes, it’s much easier to identify opportunities for service automation.

Create an infrastructure services playbook to improve efficiency, support DevOps, and streamline service delivery

Begin building an infrastructure services playbook by defining the services you provide. This will also help your team support changes to service delivery (e.g. more use of cloud services and the shift to DevOps).

In this blueprint, the first step will be to document infrastructure services to:

  1. Clarify infrastructure capabilities and achievable service levels.

    Document infrastructure services to clarify achievable service levels with given resources and what you will need to meet service-level requirement gaps. Establishing your ability to meet customer demands is the first step toward becoming a broker of internal or external services.
  2. Standardize infrastructure service delivery.

    Sometimes, it’s extremely important to do the exact same thing every time (e.g. server hardening). Sometimes, your team needs room to deviate from the script. Create a playbook that allows you to standardize service delivery as needed.
  3. Make good strategic infrastructure decisions.

    Knowledge is power. Defined services and capabilities will help you make important strategic infrastructure decisions around capacity planning and when outsourcing is appropriate.

Review and optimize infrastructure service delivery as you shift to more cloud-based services

If you can’t standardize and streamline how you support cloud services, you risk AppDev and business leaders circumventing the I&O team.

Logo for 'vmware'.

Example:

Create a new server resource in a virtual environment vs. public cloud

In a virtualized environment, provisioning processes can still be relatively siloed.

In a software-defined environment, many steps require knowledge across the infrastructure stack. Better documentation will help your team deliver services outside their area of specialty.

Logo for 'Microsoft Azure'.
  • Identify CPU requirements for a virtual machine (VM)
  • Calculate VM memory requirements
  • Configure the floppy drive for a VM
  • Configure IDE devices for a VM
  • Configure SCSI adapters for a VM
  • Configure network adapters for a VM
  • Configure VM priority for host CPU resources
  • Server is live

  • Complete SDI code development & review, version control, build status, etc.
  • Identify software and specifications for the instance you want to use
  • Review configuration, storage, and security settings
  • Secure the instance with an existing key pair or create a new key pair
  • Update documentation – public IP address, physical & logical connections, data flows, etc.
  • Launch and connect to instance
  • Server is live

Strengthen DevOps with an infrastructure playbook

The purpose behind DevOps is to reduce friction and deliver faster, more continuous, more automated services through the use of cross-functional teams.

DevOps: bridging Applications Development and Infrastructure & Operations by embracing a culture, practices, and tools born out of Lean and Agile methodologies.

  • Create a common language across functions.
  • Ensure that all service steps are documented.
  • Move towards more standard deployments.
  • Increase transparency within the IT department.
  • Cultivate trust across teams.
  • Build the foundation for automated services.
A colorful visualization of the DevOps cycle. On the Development side is 'Feedback', Plan', 'Build', 'Integrate', then over to the Operations side is 'Deploy', and 'Operate', then back to Dev with 'Feedback', starting the cycle over again.

"The bar has been raised for delivering technology products and services – what was good enough in previous decades is not good enough now." (Kim, Humble, Debois, Willis (2016))

Leverage an infrastructure services playbook to improve service delivery, one step at a time

Crawl

  • Prioritize infrastructure services that are good candidates for standardization.
  • Document the steps and requirements to deliver the service.
  • Use the playbook and workflows internally as you gather requirements and deliver on requests.
  • Track costs internally.

Walk

  • Provide infrastructure clients with the playbook and allow them to make requests against it.
  • Update and maintain existing documentation.
  • Automate, where possible.
  • Showback costs to the business.

Run

  • Provide infrastructure customers with scripts to provision infrastructure resources.
  • Audit requests before fulfilling them.
  • Chargeback costs, as needed.
A turtle smiles happily on four legs, simply content to be alive. Another turtle moves quickly on two legs, seemingly in a runner's trance, eyes closed, oblivious to the fact that another turtle has beaten him to finish line.

Focus on in-demand infrastructure services — PHASE 1

Standardize in-demand, repeatable services first.

Demand for infrastructure services is usually driven by external requests or operational requirements. Prioritize services based on criticality, durability, frequency, availability, and urgency requirements.

Scheduling Delays
  • Dealing with a slew of capital projects driven by a major funding initiative, the IT team of a major US transit system is struggling to execute on basic operational tasks.

  • Action:
  • A brainstorming and prioritization exercise identifies web server deployment as their most in-demand service.
  • Identifying breakdowns in web server deployment helps free up resources for other tasks and addresses a serious pain point.
Think outside the box
  • On a new project for a sporting goods client, the IT department for a marketing firm deploys and supports a “locker” kiosk that users engage with for a chance to win a gift.

  • Action:
  • As the campaign proves successful, the I&O Manager creates a playbook to guide kiosk support and deployment in the future, including required skills, timelines, success metrics, and costs.
Keep it standard, keep it safe
  • An IT audit at a higher education institution finds that no standard process for server hardening has been defined or documented by the infrastructure team.

  • Action:
  • Improving IT security is a strategic priority for the department.
  • The infrastructure team decides to standardize and document processes, guidelines, and configurations for hardening OS, SCCM, SaltStack, scripting, and patching.

Leverage service workflows to populate the playbook — PHASE 2

Infrastructure as Code is breaking down traditional infrastructure silos and support models.

  1. Document the workflow to deliver the service. Identify pain points and target broken processes first.
    Provision –› Configure –› Run –› Quiesce –› Destroy
  2. Define logical expected results and metrics for problematic steps in the process. Identify challenges and possible improvements to each problematic step.
    Building and deploying toolsets is taking a long time
    Start
    • Create a baseline offering for common requests.
    • Make clear that non-standard requests will take time to fulfil.
    Stop
    • Move to just one web server.
    Continue
    • Use weekly drop-ins to communicate the change.
  3. Document skills and roles, approvers, and pre-requirements to fill out the documentation, as needed. Use the documented process to guide internal process and align with external expectations.

Cross-silo knowledge is needed: In a software-defined environment, building and launching a new server requires knowledge across the stack.

  • Complete SDI code development & review, version control, build status, etc.
  • Identify software and specifications for the instance you want to use
  • Review configuration, storage, and security settings
  • Secure the instance with an existing key pair, or create a new key pair
  • Update documentation – public IP address, physical & logical connections, data flows, etc.
  • Launch and connect to the instance
  • Server is live

Take a progressive approach to cost tracking — PHASE 3

Infrastructure & Operations are bound by two metrics:

  1. Are systems up?
  2. Is technology delivered as efficiently as possible?

Because tracking cost is integral to efficiency, cost and budget management, by proxy, is one of the most important Infrastructure & Operations metrics.

Cost management is not a numbers game. It is an indicator of how well infrastructure is managed.

Track costs in a practical way that delivers value to your organization:

  1. Build and leverage an internal rate sheet to help estimate cost to serve.
  2. Showback rate sheet to help managers and architects make better infrastructure decisions.
  3. Chargeback costs to defined cost centers.

Project overview

Use Info-Tech’s methodology to get value faster from your infrastructure services playbook.

Phases

Phase 1: Define and prioritize infrastructure services Phase 2: Build the infrastructure services playbook Phase 3: Identify costs and mature service delivery capabilities

Steps

1.1 Define the services you own 2.1 Design workflows for service delivery 3.1 Estimate infrastructure service costs
1.2 Prioritize infrastructure services 2.2 Add steps and requirements to the services playbook 3.2 Mature your I&O organization into a service broker

Tools & Templates

Infrastructure Services Playbook Infrastructure Service Workflows Service Rate Sheet

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

A small monochrome icon of a wrench and screwdriver creating an X.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

A small monochrome icon depicting a person in front of a blank slide.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation Overview

Your Trusted Advisor is just a call away.

Scoping
(Call 1)

Scope requirements, objectives, and stakeholders. Review the playbook toolset and methodology, and establish fit-for-need.

Identify Services
(Call 2)

Brainstorm common infrastructure services your group provides. Consolidate the list and identify priority services.

Create Service Workflows
(Calls 3-4)

Build Visio workflows for 2-3 priority services.

Populate the Playbook
(Calls 4-5)

Add data to the playbook based on infrastructure service workflows

Create a Rate Sheet for Costs
(Call 6)

Build a rate sheet that allows you to calculate costs for additional

Your Guided Implementation will pair you with an advisor from our analyst team for the duration of your infrastructure services project.

Workshop Overview

Module 1
(Day 1)
Module 1
(Day 1)
Module 1
(Day 1)
Offsite deliverables wrap-up (Day 5)
Activities
Define and Prioritize Infrastructure Services

1.1 Assess current maturity of services and standardization processes.

1.2 Identify, group, and break out important infrastructure services.

1.3 Define service delivery pain points and perform root-cause analysis.

1.4 Prioritize services based on demand criteria.

Build the Infrastructure Services Playbook

2.1 Determine criteria for standard versus custom services.

2.2 Document standard workflows for better alignment and consistent delivery.

2.3 Build a flowchart for the identified high-demand service(s).

2.4 Outline information as it relates to the service lifecycle in the Playbook template.

Identify Costs and Mature Service Delivery Capabilities

4.1 Gather information for the rate sheet.

4.2 Choose an allocation method for overhead costs.

4.3 Select the right approach in the crawl, walk, run model for your organization.

4.4 Discuss the promotion plan and target revision dates for playbook and rate sheet.

Deliverables
  1. High-demand infrastructure services list
  1. Right-sized criteria for standardization
  2. Service workflows
  3. Infrastructure Services Playbook
  1. Service Rate Sheet
  2. Deployment plan

Develop an IT Infrastructure Services Playbook

PHASE 1

Define and Prioritize Infrastructure Services

Step 1.1: Define the services you own

PHASE 1

Define and prioritize infrastructure services

1.1

Define the services you own

1.2

Prioritize infrastructure services

This step will walk you through the following activities:

  • Define “infrastructure service”
  • Brainstorm service offerings
  • Consolidate services with affinity map

This step involves the following participants:

  • Infrastructure Manager
  • I&O SMEs

Results & Insights

  • Results: Consolidated list of end-to-end services
  • Insights: Avoid analysis paralysis by brainstorming without restrictions. It is more effective to cut down in Step 1.2 rather than risk neglecting important services for the playbook.

Consider a range of infrastructure services

Your infrastructure team is a service provider to the applications team – and sometimes other users as well.

Service Requests
  • A developer requests a new web server.
  • The marketing department asks for a database to support a six-month digital marketing campaign.
Projects
  • A new service is promoted to production.
Operations
  • Firewall rules are updated to support server, network, or security posture changes.
  • Standard practices are followed and maintained to harden a range of different operating systems.
  • Engineers follow a standard process to integrate new tools and entitlements into Active Directory.
  • Patches and firmware updates are applied to core infrastructure components as needed.
Problems
  • A database batch job often breaks on overnight batch jobs and requires manual intervention to check and restart.
A visualization of the word 'Infrastructure Services' being orbited by 'Service Requests', 'Projects', 'Operations', and 'Problems'.

IT infrastructure & operations teams deliver services that fulfil requests, support projects, resolve problems, and operate systems.

Enterprise Application Selection and Implementation

  • Buy Link or Shortcode: {j2store}29|cart{/j2store}
  • Related Products: {j2store}29|crosssells{/j2store}
  • member rating overall impact (scale of 10): 9.0/10
  • member rating average dollars saved: $37,356
  • member rating average days saved: 34
  • Parent Category Name: Applications
  • Parent Category Link: /applications

The challenge

  • Large scale implementations are prone to failure. This is probably also true in your company. Typically large endeavors like this overrun the budget, are late to deliver, or are abandoned altogether. It would be best if you manage your risks when starting such a new project.

Our advice

Insight

  • Large-scale software implementations continue to fail at very high rates. A recent report by McKinsey & Company estimates that 66% go over budget, 33% over time, and 17% delivered less value than expected. Most companies will survive a botched implementation, but 17% threatened the existence of the company involved.
  • With all the knowledge sharing that we have today with oodles of data at our disposal, we should expect IT-providers to have clear, standardized frameworks to handle these implementations. But projects that overrun by more than 200% still occur more often than you may think.
  • When you solicit a systems integrator (SI), you want to equip yourself to manage the SI and not be utterly dependent on their methodology.

Impact and results 

  • You can assume proper accountability for the implementation and avoid over-reliance on the systems integrator.
  • Leverage the collective knowledge and advice of additional IT professionals
  • Review the pitfalls and lessons learned from failed integrations.
  • Manage risk at every stage.
  • Perform a self-assessment at various stages of the integration path.

The roadmap

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

Executive Summary

Determine the rations for your implementation

See if a custom-of-the-shelf process optimization makes sense.

  • Storyboard: Govern and Manage an Enterprise Software Implementation (ppt)

Prepare

Determine the right (level of) governance for your implementation.

  • Large Software Implementation Maturity Assessment Tool (xls)
  • Project Success Measurement Tool (xls)
  • Risk Mitigation Plan Template (xls)

Plan and analyze

Prepare for the overall implementation journey and gather your requirements. Then conduct a stage-gate assessment of this phase.

  • Project Phases Entry and Exit Criteria Checklist Tool (xls)
  • Project Lessons Learned Document (doc)

Design, build and deploy

Conduct a stage-gate assessment after every step below.

  • Make exact designs of the software implementation and ensure that all stakeholders and the integrator completely understand.
  • Build the solution according to the requirements and designs.
  • Thoroughly test and evaluate that the implementation meets your business expectations. 
  • Then deploy

Initiate your roadmap

Review your dispositions to ensure they align with your goals. 

  • Build an Application Rationalization Framework – Phase 4: Initiate Your Roadmap (ppt)
  • Disposition Prioritization Tool (xls)

Maintain an Organized Portfolio

  • Buy Link or Shortcode: {j2store}432|cart{/j2store}
  • member rating overall impact (scale of 10): 9.0/10 Overall Impact
  • member rating average dollars saved: $3,059 Average $ Saved
  • member rating average days saved: 10 Average Days Saved
  • Parent Category Name: Portfolio Management
  • Parent Category Link: /portfolio-management
  • All too often, the portfolio of programs and projects looks more like a random heap than a strategically organized and balanced collection of investments that will drive the business forward.
  • Portfolio managers know that with the right kind of information and the right level of process maturity they can get better results through the portfolio; however, organizations often assume (falsely) that the required level of maturity is out of reach from their current state and perpetually delay improvements.

Our Advice

Critical Insight

  • The information needed to define clear and usable criteria for organizing the portfolio of programs and projects already exists. Portfolio managers only need to identify the sources of that information and institute processes for regularly reviewing that information in order to define those criteria.
  • Once a portfolio manager has a clear idea of the goals and constraints that shape what ought to be included (or removed) from the portfolio and once these have been translated into clear and usable portfolio criteria, basic portfolio management processes can be instituted to ensure that these criteria are used consistently throughout the various stages of the project lifecycle.
  • Portfolio management frameworks and processes do not need to be built from scratch. Well-known frameworks – such as the one outlined in COBIT 5 APO05 – can be instituted in a way that will allow even low-maturity organizations to start organizing their portfolio.
  • Organizations do not need to grow into portfolio management frameworks to get the benefits of an organized portfolio; instead, they can grow within such frameworks.

Impact and Result

  • An organized portfolio will ensure that the projects and programs included in it are strategically aligned and can actually be executed within the finite constraints of budgetary and human resource capacity.
  • Portfolio managers are better empowered to make decisions about which projects should be included in the portfolio (and when) and are better empowered to make the very tough decisions about which projects should be removed from the portfolio (i.e. cancelled).
  • Building and maturing a portfolio management framework will more fully integrate the PMO into the broader IT management and governance frameworks, making it a more integral part of strategic decisions and a better business partner in the long run.

Maintain an Organized Portfolio Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should maintain an organized portfolio of programs and projects, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Assess the current state of the portfolio and PPM processes

Analyze the current mix of programs and projects in your portfolio and assess the maturity of your current PPM processes.

  • Maintain an Organized Portfolio – Phase 1: Assess the Current State of the Portfolio and PPM Processes
  • Project Portfolio Organizer
  • COBIT APO05 (Manage Portfolio) Alignment Workbook

2. Enhance portfolio organization through improved PPM criteria and processes

Enhance and optimize your portfolio management processes to ensure portfolio criteria are clearly defined and consistently applied across the project lifecycle when making decisions about which projects to include or remove from the portfolio.

  • Maintain an Organized Portfolio – Phase 2: Enhance Portfolio Organization Through Improved PPM Criteria and Processes
  • Portfolio Management Standard Operating Procedures

3. Implement improved portfolio management practices

Implement your portfolio management improvement initiatives to ensure long-term sustainable adoption of new PPM practices.

  • Maintain an Organized Portfolio – Phase 3: Implement Improved Portfolio Management Practices
  • Portfolio Management Improvement Roadmap Tool
[infographic]

Workshop: Maintain an Organized Portfolio

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Assess Portfolio Mix and Portfolio Process Current State

The Purpose

Analyze the current mix of the portfolio to determine how to better organize it according to organizational goals and constraints.

Assess which PPM processes need to be enhanced to better organize the portfolio.

Key Benefits Achieved

An analysis of the existing portfolio of projects (highlighting areas of concern).

An analysis of the maturity of current PPM processes and their ability to support the maintenance of an organized portfolio.

Activities

1.1 Pre-work: Prepare a complete project list.

1.2 Define existing portfolio categories, criteria, and targets.

1.3 Analyze the current portfolio mix.

1.4 Identify areas of concern with current portfolio mix.

1.5 Review the six COBIT sub-processes for portfolio management (APO05.01-06).

1.6 Assess the degree to which these sub-processes have been currently achieved at the organization.

1.7 Assess the degree to which portfolio-supporting IT governance and management processes exist.

1.8 Perform a gap analysis.

Outputs

Analysis of the current portfolio mix

Assessment of COBIT alignment and gap analysis.

2 Define Portfolio Target Mix, Criteria, and Roadmap

The Purpose

Define clear and usable portfolio criteria.

Record/design portfolio management processes that will support the consistent use of portfolio criteria at all stages of the project lifecycle.

Key Benefits Achieved

Clearly defined and usable portfolio criteria.

A portfolio management framework that supports the consistent use of the portfolio criteria across all stages of the project lifecycle.

Activities

2.1 Identify determinants of the portfolio mix, criteria, and constraints.

2.2 Define the target mix, portfolio criteria, and portfolio metrics.

2.3 Identify sources of funding and resourcing.

2.4 Review and record the portfolio criteria based upon the goals and constraints.

2.5 Create a PPM improvement roadmap.

Outputs

Portfolio criteria

Portfolio metrics for intake, monitoring, closure, termination, reprioritization, and benefits tracking

Portfolio Management Improvement Roadmap

3 Design Improved Portfolio Sub-Processes

The Purpose

Ensure that the portfolio criteria are used to guide decision making at each stage of the project lifecycle when making decisions about which projects to include or remove from the portfolio.

Key Benefits Achieved

Processes that support decision making based upon the portfolio criteria.

Processes that ensure the portfolio remains consistently organized according to the portfolio criteria.

Activities

3.1 Ensure that the metrics used for each sub-process are based upon the standard portfolio criteria.

3.2 Establish the roles, accountabilities, and responsibilities for each sub-process needing improvement.

3.3 Outline the workflow for each sub-process needing improvement.

Outputs

A RACI chart for each sub-process

A workflow for each sub-process

4 Change Impact Analysis and Stakeholder Engagement Plan

The Purpose

Ensure that the portfolio management improvement initiatives are sustainably adopted in the long term.

Key Benefits Achieved

Stakeholder engagement.

Sustainable long-term adoption of the improved portfolio management practices.

Activities

4.1 Conduct a change impact analysis.

4.2 Create a stakeholder engagement plan.

Outputs

Change Impact Analysis

Stakeholder Engagement Plan

Completed Portfolio Management SOP

Effectively Manage CxO Relations

  • Buy Link or Shortcode: {j2store}384|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Manage Business Relationships
  • Parent Category Link: /manage-business-relationships

With the exponential pace of technological change, an organization's success will depend largely on how well CIOs can evolve from technology evangelists to strategic business partners. This will require CIOs to effectively broker relationships to improve IT's effectiveness and create business value. A confidential journal can help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

Our Advice

Critical Insight

Highly effective executives have in common the ability to successfully balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demands on your time and unpredictable shifts in the organization’s strategy require a personal game plan to deliver business value. Rather than managing stakeholders one IT project at a time, you need an action plan that is tailored for unique work styles.

Impact and Result

A personal relationship journal will help you:

  • Understand the context in which key stakeholders operate.
  • Identify the best communication approach to engage with different workstyles.
  • Stay committed to fostering relationships through difficult periods.

Effectively Manage CxO Relations Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Effectively Manage CxO Relations Storyboard – A guide to creating a personal action plan to help effectively manage relationships across key stakeholders.

Use this research to create a personal relationship journal in four steps:

  • Effectively Manage CxO Relations Storyboard

2. Personal Relationship Management Journal Template – An exemplar to help you build your personal relationship journal.

Use this exemplar to build a journal that is readily accessible, flexible, and easy to maintain.

  • Personal Relationship Management Journal Template

Infographic

Further reading

Effectively Manage CxO Relations

Make relationship management a daily habit with a personalized action plan.

Analyst Perspective

"Technology does not run an enterprise, relationships do." – Patricia Fripp

As technology becomes increasingly important, an organization's success depends on the evolution of the modern CIO from a technology evangelist to a strategic business leader. The modern CIO will need to leverage their expansive partnerships to demonstrate the value of technology to the business while safeguarding their time and effort on activities that support their strategic priorities. CIOs struggling to transition risk obsolescence with the emergence of new C-suite roles like the Digital Transformation Officer, Chief Digital Officer, Chief Data Officer, and so on.

CIOs will need to flex new social skills to accommodate diverse styles of work and better predict dynamic situations. This means expanding beyond their comfort level to acquire new social skills. Having a clear understanding of one's own work style (preferences, natural tendencies, motivations, and blind spots) is critical to identify effective communication and engagement tactics.

Building trust is an art. Striking a balance between fulfilling your own goals and supporting others will require a carefully curated approach to navigate the myriad of personalities and work styles. A personal relationship journal will help you stay committed through these peaks and troughs to foster productive partnerships and expand your sphere of influence over the long term.

Photo of Joanne Lee
Joanne Lee
Principal, Research Director, CIO Advisory
Info-Tech Research Group

Executive Summary

Your Challenge

In today's unpredictable markets and rapid pace of technological disruptions, CIOs need to create business value by effectively brokering relationships to improve IT's performance. Challenges they face:

  • Operate in silos to run the IT factory.
  • Lack insights into their stakeholders and the context in which they operate.
  • Competing priorities and limited time to spend on fostering relationships.
  • Relationship management programs are narrowly focused on associated change management in IT project delivery.

Common Obstacles

Limited span of influence.

Mistaking formal roles in organizations for influence.

Understanding what key individuals want and, more importantly, what they don't want.

Lack of situational awareness to adapt communication styles to individual preferences and context.

Leveraging different work styles to create a tangible action plan.

Perceiving relationships as "one and done."

Info-Tech's Approach

A personal relationship journal will help you stay committed to fostering productive relationships while building trust to expand your sphere of influence.

  • Identify your key stakeholders.
  • Understand the context in which they operate to define a profile of their mandate, priorities, commitments, and situation.
  • Choose the most effective engagement and communication strategies for different work styles.
  • Create an action plan to monitor and measure your progress.

Info-Tech Insight

Highly effective executives have in common the ability to balance three things: time, personal capabilities, and relationships. Whether you are a new CIO or an experienced leader, the relentless demand on your time and unpredictable shifts in the organization's strategy will require a personal game plan to deliver business value. This will require more than managing stakeholders one IT project at a time: It requires an action plan that fosters relationships over the long term.

Key Concepts

Stakeholder Management
A common term used in project management to describe the successful delivery of any project, program, or activity that is associated with organizational change management. The goal of stakeholder management is intricately tied to the goals of the project or activity with a finite end. Not the focus of this advisory research.

Relationship Management
A broad term used to describe the relationship between two parties (individuals and/or stakeholder groups) that exists to create connection, inclusion, and influence. The goals are typically associated with the individual's personal objectives and the nature of the interaction is seen as ongoing and long-term.

Continuum of Commitment
Info-Tech's framework that illustrates the different levels of commitment in a relationship. It spans from active resistance to those who are committed to actively supporting your personal priorities and objectives. This can be used to baseline where you are today and where you want the relationship to be in the future.

Work Style
A reference to an individual's natural tendencies and expectations that manifest itself in their communication, motivations, and leadership skills. This is not a behavior assessment nor a commentary on different personalities but observable behaviors that can indicate different ways people communicate, interact, and lead.

Glossary
CDxO: Chief Digital Officer
CDO: Chief Data Officer
CxO: C-Suite Executives

The C-suite is getting crowded, and CIOs need to foster relationships to remain relevant

The span of influence and authority for CIOs is diminishing with the emergence of Chief Digital Officers and Chief Data Officers.

63% of CDxOs report directly to the CEO ("Rise of the Chief Digital Officer," CIO.com)

44% of organizations with a dedicated CDxO in place have a clear digital strategy versus 22% of those without a CDxO (KPMG/Harvey Nash CIO Survey)

The "good news": CIOs tend to have a longer tenure than CDxOs.

A diagram that shows the average tenure of C-Suites in years.
Source: "Age and Tenure of C-Suites," Korn Ferry

The "bad news": The c-suite is getting overcrowded with other roles like Chief Data Officer.

A diagram that shows the number of CDOs hired from 2017 to 2021.
Source: "Chief Data Officer Study," PwC, 2022

An image of 7 lies technology executives tell ourselves.

Info-Tech Insight

The digital evolution has created the emergence of new roles like the Chief Digital Officer and Chief Data Officer. They are a response to bridge the skill gap that exists between the business and technology. CIOs need to focus on building effective partnerships to better communicate the business value generated by technology or they risk becoming obsolete.

Create a relationship journal to effectively manage your stakeholders

A diagram of relationship journal

Info-Tech's approach

From managing relationships with friends to key business partners, your success will come from having the right game plan. Productive relationships are more than managing stakeholders to support IT initiatives. You need to effectively influence those who have the potential to champion or derail your strategic priorities. Understanding differences in work styles is fundamental to adapting your communication approach to various personalities and situations.

A diagram that shows from 1.1 to 4.1

A diagram of business archetypes

Summary of Insights

Insight 1: Expand your sphere of influence
It's not just about gaining a volume of acquaintances. Figure out where you want to spend your limited time, energy, and effort to develop a network of professional allies who will support and help you achieve your strategic priorities.

Insight 2: Know thyself first and foremost
Healthy relationships start with understanding your own working style, preferences, and underlying motivations that drive your behavior and ultimately your expectations of others. A win/win scenario emerges when both parties' needs for inclusion, influence, and connection are met or mutually conceded.

Insight 3: Walk a mile in their shoes
If you want to build successful partnerships, you need to understand the context in which your stakeholder operates: their motivations, desires, priorities, commitments, and challenges. This will help you adapt as their needs shift and, moreover, leverage empathy to identify the best tactics for different working styles.

Insight 4: Nurturing relationships is a daily commitment
Building, fostering, and maintaining professional relationships requires a daily commitment to a plan to get through tough times, competing priorities, and conflicts to build trust, respect, and a shared sense of purpose.

Related Info-Tech Research

Supplement your CIO journey with these related blueprints.

Photo of First 100 Days as CIO

First 100 Days as CIO

Photo of Become a Strategic CIO

Become a Strategic CIO

Photo of Improve IT Team Effectiveness

Improve IT Team Effectiveness

Photo of Become a Transformational CIO

Become a Transformational CIO

Executive Brief Case Study

Logo of Multicap Limited

  • Industry: Community Services
  • Source: Scott Lawry, Head of Digital

Conversation From Down Under

What are the hallmarks of a healthy relationship with your key stakeholders?
"In my view, I work with partners like they are an extension of my team, as we rely on each other to achieve mutual success. Partnerships involve a deeper, more intimate relationship, where both parties are invested in the long-term success of the business."

Why is it important to understand your stakeholder's situation?
"It's crucial to remember that every IT project is a business project, and vice versa. As technology leaders, our role is to demystify technology by focusing on its business value. Empathy is a critical trait in this endeavor, as it allows us to see a stakeholder's situation from a business perspective, align better with the business vision and goals, and ultimately connect with people, rather than just technology."

How do you stay committed during tough times?
"I strive to leave emotions at the door and avoid taking a defensive stance. It's important to remain neutral and not personalize the issue. Instead, stay focused on the bigger picture and goals, and try to find a common purpose. To build credibility, it's also essential to fact-check assumptions regularly. By following these principles, I approach situations with a clear mind and better perspective, which ultimately helps achieve success."

Photo of Scott Lawry, Head Of Digital at Multicap Limited

Key Takeaways

In a recent conversation with a business executive about the evolving role of CIOs, she expressed: "It's the worst time to be perceived as a technology evangelist and even worse to be perceived as an average CIO who can't communicate the business value of technology."

This highlights the immense pressure many CIOs face when evolving beyond just managing the IT factory.

The modern CIO is a business leader who can forge relationships and expand their influence to transform IT into a core driver of business value.

Stakeholder Sentiment

Identify key stakeholders and their perception of IT's effectiveness

1.1 Identify Key Stakeholders

A diagram of Identify Key Stakeholders

Identify and prioritize your key stakeholders. Be diligent with stakeholder identification. Use a broad view to identify stakeholders who are known versus those who are "hidden." If stakeholders are missed, then so are opportunities to expand your sphere of influence.

1.2 Understand Stakeholder's Perception of IT

A diagram that shows Info-Tech's Diagnostic Reports and Hospital Authority XYZ

Assess stakeholder sentiments from Info-Tech's diagnostic reports and/or your organization's satisfaction surveys to help identify individuals who may have the greatest influence to support or detract IT's performance and those who are passive observers that can become your greatest allies. Determine where best to focus your limited time amid competing priorities by focusing on the long-term goals that support the organization's vision.

Info-Tech Insight

Understand which individuals can directly or indirectly influence your ability to achieve your priorities. Look inside and out, as you may find influencers beyond the obvious peers or executives in an organization. Influence can result from expansive connections, power of persuasion, and trust to get things done.

Visit Info-Tech's Diagnostic Programs

Activity: Identify and Prioritize Stakeholders

30-60 minutes

1.1 Identify Key Stakeholders

Start with the key stakeholders that are known to you. Take a 360-degree view of both internal and external connections. Leverage external professional & network platforms (e.g. LinkedIn), alumni connections, professional associations, forums, and others that can help flush out hidden stakeholders.

1.2 Prioritize Key Stakeholders

Use stakeholder satisfaction surveys like Info-Tech's Business Vision diagnostic as a starting point to identify those who are your allies and those who have the potential to derail IT's success, your professional brand, and your strategic priorities. Review the results of the diagnostic reports to flush out those who are:

  • Resisters: Vocal about their dissatisfaction with IT's performance and actively sabotage or disrupt
  • Skeptics: Disengaged, passive observers
  • Ambassadors: Aligned but don't proactively support
  • Champions: Actively engaged and will proactively support your success

Consider the following:

  • Influencers may not have formal authority within an organization but have relationships with your stakeholders.
  • Influencers may be hiding in many places, like the coach of your daughter's soccer team who rows with your CEO.
  • Prioritize, i.e. three degrees of separation due to potential diverse reach of influence.

Key Output: Create a tab for your most critical stakeholders.

A diagram that shows profile tabs

Download the Personal Relationship Management Journal Template.

Understand stakeholders' business

Create a stakeholder profile to understand the context in which stakeholders operate.

2.1 Create individual profile for each stakeholder

A diagram that shows different stakeholder questions

Collect and analyze key information to understand the context in which your stakeholders operate. Use the information to derive insights about their mandate, accountabilities, strategic goals, investment priorities, and performance metrics and challenges they may be facing.

Stakeholder profiles can be used to help design the best approach for personal interactions with individuals as their business context changes.

If you are short on time, use this checklist to gather information:

  • Stakeholder's business unit (BU) strategy goals
  • High-level organizational chart
  • BU operational model or capability map
  • Key performance metrics
  • Projects underway and planned
  • Financial budget (if available)
  • Milestone dates for key commitments and events
  • External platforms like LinkedIn, Facebook, Twitter, Slack, Instagram, Meetup, blogs

Info-Tech Insight

Understanding what stakeholders want (and more importantly, what they don't) requires knowing their business and the personal and social circumstances underlying their priorities and behaviors.

Activity: Create a stakeholder profile

30-60 minutes

2.1.0 Understand stakeholder's business context

Create a profile for each of your priority stakeholders to document their business context. Review all the information collected to understand their mandate, core accountability, and business capabilities. The context in which individuals operate is a window into the motivations, pressures, and vested interests that will influence the intersectionality between their expectations and yours.

2.1.1 Document Observable Challenges as Private Notes

Crushing demands and competing priorities can lead to tension and stress as people jockey to safeguard their time. Identify some observable challenges to create greater situational awareness. Possible underlying factors:

  • Sudden shifts/changes in mandate
  • Performance (operations, projects)
  • Finance
  • Resource and talent gaps
  • Politics
  • Personal circumstances
  • Capability gaps/limitations
  • Capacity challenges

A diagram that shows considerations of this activity.

Analyze Stakeholder's Work Style

Adapt communication styles to the situational context in which your stakeholders operate

2.2 Determine the ideal approach for engaging each stakeholder

Each stakeholder has a preferred modality of working which is further influenced by dynamic situations. Some prefer to meet frequently to collaborate on solutions while others prefer to analyze data in solitude before presenting information to substantiate recommendations. However, fostering trust requires:

  1. Understanding your preferred default when engaging others.
  2. Knowing where you need to expand your skills.
  3. Identifying which skills to activate for different professional scenarios.

Adapting your communication style to create productive interactions will require a diverse arsenal of interpersonal skills that you can draw upon as situations shift. The ability to adapt your work style to dial any specific trait up or down will help to increase your powers of persuasion and influence.

"There are only two ways to influence human behavior: you can manipulate it, or you can inspire it." – Simon Sinek

Activity: Identify Engagement Strategies

30 minutes

2.2.0 Establish work styles

Every individual has a preferred style of working. Determine work styles starting with self-awareness:

  • Express myself - How you communicate and interact with others
  • Expression by others - How you want others to communicate and interact with you

Through observation and situational awareness, we can make inferences about people's work style.

  • Observations - Observable traits of other people's work style
  • Situations - Personal and professional circumstances that influence how we communicate and interact with one another

Where appropriate and when opportunities arise, ask individuals directly about their preferred work styles and method for communication. What is their preferred method of communication? During a normal course of interaction vs. for urgent priorities?

2.2.1 Brainstorm possible engagement strategies

Consider the following when brainstorming engagement strategies for different work styles.

A table of involvement, influence, and connection.

Think engagement strategies in different professional scenarios:

  • Meetings - Where and how you connect
  • Communicating - How and what you communicate to create connection
  • Collaborating - What degree of involved in shared activities
  • Persuading - How you influence or direct others to get things done

Expand New Interpersonal Skills

Use the Business Archetypes to brainstorm possible approaches for engaging with different work styles. Additional communication and engagement tactics may need to be considered based on circumstances and changing situations.

A diagram that shows business archetypes and engagement strategies.

Communicate Effectively

Productive communication is a dialogue that requires active listening, tailoring messages to fluid situations, and seeking feedback to adapt.

A diagram of elements that contributes to better align intention and impact

Be Relevant

  • Understand why you need to communicate
  • Determine what you need to convey
  • Tailor your message to what matters to the audience and their context
  • Identify the most appropriate medium based on the situation

Be Consistent and Accurate

  • Say what you mean and mean what you say to avoid duplicity
  • Information should be accurate and complete
  • Communicate truthfully; do not make false promises or hide bad news
  • Don't gossip

Be Clear and Concise

  • Keep it simple and avoid excessive jargon
  • State asks upfront to set intention and transparency
  • Avoid ambiguity and focus on outcomes over details
  • Be brief and to the point or risk losing stakeholder's attention

Be Attentive and Authentic

  • Stay engaged and listen actively
  • Be curious and inquire for clarification or explanation
  • Be flexible to adapt to both verbal and non-verbal cues
  • Be authentic in your approach to sharing yourself
  • Avoid "canned" approaches

A diagram of listen, observe, reflect.


"Good communication is the bridge between confusion and clarity."– Nat Turner (LinkedIn, 2020)

Exemplar: Engaging With Jane

A diagram that shows Exemplar: Engaging With Jane

Exemplar: Engaging With Ali

A diagram that shows Exemplar: Engaging With Ali

Develop an Action Plan

Moving from intent to action requires a plan to ensure you stay committed through the peaks and troughs.

Create Your 120-Day Plan

An action plan example

Key elements of the action plan:

  • Strategic priorities – Your top focus
  • Objective – Your goals
  • 30-60-90-120 Day Topics – Key agenda items
  • Meeting Progress Notes – Key takeaways from meetings
  • Private Notes – Confidential observations

Investing in relationships is a long-term process. You need to accumulate enough trust to trade or establish coalitions to expand your sphere of influence. Even the strongest of professional ties will have their bouts of discord. To remain committed to building the relationship during difficult periods, use an action plan that helps you stay grounded around:

  • Shared purpose
  • Removing emotion from the situation
  • Continuously learning from every interaction

Photo of Angela Diop
"Make intentional actions to set intentionality. Plans are good to keep you grounded and focused especially when relationship go through ups and down and there are changes: to new people and new relationships."
– Angela Diop, Senior Director, Executive Services, Info-Tech & former VP of Information Services with Unity Health Care

Activity: Design a Tailored Action Plan

30-60 minutes

3.1.0 Determine your personal expectations

Establish your personal goals and expectations around what you are seeking from the relationship. Determine the strength of your current connection and identify where you want to move the relationship across the continuum of commitment.

Use insights from your stakeholder's profile to explore their span of influence and degree of interest in supporting your strategic priorities.

3.1.1 Determine what you want from the relationship

Based on your personal goals, identify where you want to move the relationship across the continuum of commitment: What are you hoping to achieve from the relationship? How will this help create a win/win situation for both you and the key stakeholder?

A diagram of Continuum of Commitment.

3.1.2 Identify your metrics for progress

Fostering relationships take time and commitment. Utilizing metrics or personal success criteria for each of your focus areas will help you stay on track and find opportunities to make each engagement valuable instead of being transactional.

A graph that shows influence vs interest.

Make your action plan impactful

Level of Connection

The strength of the relationship will help inform the level of time and effort needed to achieve your goals.

  • Is this a new or existing relationship?
  • How often do you connect with this individual?
  • Are the connections driven by a shared purpose or transactional as needs arise?

Focus on Relational Value

Cultivate your network and relationship with the goal of building emotional connection, understanding, and trust around your shared purpose and organization's vision through regular dialogue. Be mindful of transactional exchanges ("quid pro quo") to be strategic about its use. Treat every interaction as equally important regardless of agenda, duration, or channel of communication.

Plan and Prepare

Everyone's time is valuable, and you need to come prepared with a clear understanding of why you are engaging. Think about the intentionality of the conversation:

  • Gain buy-in
  • Create transparency
  • Specific ask
  • Build trust and respect
  • Provide information to clarify, clear, or contain a situation

Non-Verbal Communication Matters

Communication is built on both overt expressions and subtext. While verbal communication is the most recognizable form, non-lexical components of verbal communication (i.e. paralanguage) can alter stated vs. intended meaning. Engage with the following in mind:

  • Tone, pitch, speed, and hesitation
  • Facial expressions and gestures
  • Choice of channel for engagement

Exemplar: Action Plan for VP, Digital

A diagram that shows Exemplar: Action Plan for VP, Digital

Make Relationship Management a Daily Habit

Management plans are living documents and need to be flexible to adapt to changes in stakeholder context.

Monitor and Adjust to Communicate Strategically

A diagram that shows Principles for Effective Communication and Key Measures

Building trust takes time and commitment. Treat every conversation with your key stakeholders as an investment in building the social capital to expand your span of influence when and where you need it to go. This requires making relationship management a daily habit. Action plans need to be a living document that is your personal journal to document your observations, feelings, and actions. Such a plan enables you to make constant adjustments along the relationship journey.

"Without involvement, there is no commitment. Mark it down, asterisk it, circle it, underline it."– Stephen Convey (LinkedIn, 2016)

Capture some simple metrics

If you can't measure your actions, you can't manage the relationship.

An example of measures: what, why, how - metrics, and intended outcome.

While a personal relationship journal is not a formal performance management tool, identifying some tangible measures will improve the likelihood of aligning your intent with outcomes. Good measures will help you focus your efforts, time, and resources appropriately.

Keep the following in mind:

  1. WHAT are you trying to measure?
    Specific to the situation or scenario
  2. WHY is this important?
    Relevant to your personal goals
  3. HOW will you measure?
    Achievable and quantifiable
  4. WHAT will the results tell you?
    Intended outcome that is directional

Summary of accomplishments

Knowledge Gained

  • Relationship management is critical to a CIO's success
  • A personal relationship journal will help build:
    • Customized approach to engaging stakeholders
    • New communication skills to adapt to different work styles

New Concepts

  • Work style assessment framework and engagement strategies
  • Effective communication strategies
  • Continuum of commitment to establish personal goals

Approach to Creating a Personal Journal

  • Step-by-step approach to create a personal journal
  • Key elements for inclusion in a journal
  • Exemplar and recommendations

Related Info-Tech Research

Photo of Tech Trends and Priorities Research Centre

Tech Trends and Priorities Research Centre

Access Info-Tech's Tech Trend reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the role of IT within it.

Photo of Embed Business Relationship Management in IT

Embed Business Relationship Management in IT

Create a business relationship management (BRM) function in your program to foster a more effective partnership with the business and drive IT's value to the organization.

Photo of Become a Transformational CIO

Become a Transformational CIO

Collaborate with the business to lead transformation and leave behind a legacy of growth.

Appendix: Framework

Content:

  • Adaptation of DiSC profile assessment
  • DiSC Profile Assessment
  • FIRO-B Framework
  • Experience Cube

Info-Tech's Adaption of DiSC Assessment

A diagram of business archetypes

Info-Tech's Business Archetypes was created based on our analysis of the DiSC Profile and Myers-Briggs FIRO-B personality assessment tools that are focused on assessing interpersonal traits to better understand personalities.

The adaptation is due in part to Info-Tech's focus on not designing a personality assessment tool as this is neither the intent nor the expertise of our services. Instead, the primary purpose of this adaptation is to create a simple framework for our members to base their observations of behavioral cues to identify appropriate communication styles to better interact with key stakeholders.

Cautionary note:
Business archetypes are personas and should not be used to label, make assumptions and/or any other biased judgements about individual personalities. Every individual has all elements and aspects of traits across various spectrums. This must always remain at the forefront when utilizing any type of personality assessments or frameworks.

Click here to learn about DiSC Profile
Click here learn about FIRO-B
Click here learn about Experience Cube

DiSC Profile Assessment

A photo of DiSC Profile Assessment

What is DiSC?

DisC® is a personal assessment tool that was originally developed in 1928 by psychologist William Moulton Marston, who designed it to predict job performance. The tool has evolved and is now widely used by thousands of organizations around the world, from large government agencies and Fortune 500 companies to nonprofit and small businesses, to help improve teamwork, communication, and productivity in the workplace. The tool provides a common language people can use to better understand themselves and those they interact with - and use this knowledge to reduce conflict and improve working relationships.

What does DiSC mean?

DiSC is an acronym that stands for the four main personality profiles described in the Everything DiSC model: (D)ominance, (i)nfluence, (S)teadiness, (C)onscientiousness

People with (D) personalities tend to be confident and emphasize accomplishing bottom-line results.
People with (i) personalities tend to be more open and emphasize relationships and influencing or persuading others.
People with (S) personalities tend to be dependable and emphasize cooperation and sincerity.
People with (C) personalities tend to emphasize quality, accuracy, expertise, and competency.

Go to this link to explore the DiSC styles

FIRO-B® – Interpersonal Assessment

A diagram of FIRO framework

What is FIRO workplace relations?

The Fundamental Interpersonal Relations Orientation Behavior (FIRO-B®) tool has been around for forty years. The tool assesses your interpersonal needs and the impact of your behavior in the workplace. The framework reveals how individuals can shape and adapt their individual behaviors, influence others effectively, and build trust among colleagues. It has been an excellent resource for coaching individuals and teams about the underlying drivers behind their interactions with others to effectively build successful working relationships.

What does the FIRO framework measure?

The FIRO framework addresses five key questions that revolve around three interpersonal needs. Fundamentally, the framework focuses on how you want to express yourself toward others and how you want others to behave toward you. This interaction will ultimately result in the universal needs for (a) inclusion, (b) control, and (c) affection. The insights from the results are intended to help individuals adjust their behavior in relationships to get what they need while also building trust with others. This will allow you to better predict and adapt to different situations in the workplace.

How can FIRO influence individual and team performance in the workplace?

FIRO helps people recognize where they may be giving out mixed messages and prompts them to adapt their exhibited behaviors to build trust in their relationships. It also reveals ways of improving relationships by showing individuals how they are seen by others, and how this external view may differ from how they see themselves. Using this lens empowers people to adjust their behavior, enabling them to effectively influence others to achieve high performance.

In team settings, it is a rich source of information to explore motivations, underlying tensions, inconsistent behaviors, and the mixed messages that can lead to mistrust and derailment. It demonstrates how people may approach teamwork differently and explains the potential for inefficiencies and delays in delivery. Through the concept of behavioral flexibility, it helps defuse cultural stereotypes and streamline cross-cultural teams within organizations.

Go to this link to explore FIRO-B for Business

Experience Cube

A diagram of experience cube model.

What is an experience cube?

The Experience Cube model was developed by Gervase Bushe, a professor of Leadership and Organization at the Simon Fraser University's school of Business and a thought leader in the field of organizational behavior. The experience cube is intended as a tool to plan and manage conversations to communicate more effectively in the moment. It does this by promoting self-awareness to better reduce anxiety and adapt to evolving and uncertain situations.

How does the experience cube work?

Using the four elements of the experience cube (Observations, Thoughts, Feelings, and Wants) helps you to separate your experience with the situation from your potential judgements about the situation. This approach removes blame and minimizes defensiveness, facilitating a positive discussion. The goal is to engage in a continuous internal feedback loop that allows you to walk through all four quadrants in the moment to help promote self-awareness. With heightened self-awareness, you may (1) remain curious and ask questions, (2) check-in for understanding and clarification, and (3) build consensus through agreement on shared purpose and next steps.

Observations: Sensory data (information you take in through your senses), primarily what you see and hear. What a video camera would record.

Thoughts: The meaning you add to your observations (i.e. the way you make sense of them, including your beliefs, expectations, assumptions, judgments, values, and principles). We call this the "story you make up."

Feelings: Your emotional or physiological response to the thoughts and observations. Feelings words such as sad, mad, glad, scared, or a description of what is happening in your body.

Wants: Clear description of the outcome you seek. Wants go deeper than a simple request for action. Once you clearly state what you want, there may be different ways to achieve it.

Go to this link to explore more: Experience Cube

Research Contributors and Experts

Photo of Joanne Lee
Joanne Lee
Principal, Research Director, CIO Advisory
Info-Tech Research Group

Joanne is a professional executive with over twenty-five years of experience in digital technology and management consulting spanning healthcare, government, municipal, and commercial sectors across Canada and globally. She has successfully led several large, complex digital and business transformation programs. A consummate strategist, her expertise spans digital and technology strategy, organizational redesign, large complex digital and business transformation, governance, process redesign, and PPM. Prior to joining Info-Tech Research Group, Joanne was a Director with KPMG's CIO Advisory management consulting services and the Digital Health practice lead for Western Canada. She brings a practical and evidence-based approach to complex problems enabled by technology.

Joanne holds a Master's degree in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.



Photo of Gord Harrison
Gord Harrison
Senior Vice President, Research and Advisory
Info-Tech Research Group

Gord Harrison, SVP, Research and Consulting, has been with Info-Tech Research Group since 2002. In that time, Gord leveraged his experience as the company's CIO, VP Research Operations, and SVP Research to bring the consulting and research teams together under his current role, and to further develop Info-Tech's practical, tactical, and value-oriented research product to the benefit of both organizations.

Prior to Info-Tech, Gord was an IT consultant for many years with a focus on business analysis, software development, technical architecture, and project management. His background of educational game software development, and later, insurance industry application development gave him a well-rounded foundation in many IT topics. Gord prides himself on bringing order out of chaos and his customer-first, early value agile philosophy keeps him focused on delivering exceptional experiences to our customers.



Photo of Angela Diop
Angela Diop
Senior Director, Executive Services
Info-Tech Research Group

Angela has over twenty-five years of experience in healthcare, as both a healthcare provider and IT professional. She has spent over fifteen years leading technology departments and implementing, integrating, managing, and optimizing patient-facing and clinical information systems. She believes that a key to a healthcare organization's ability to optimize health information systems and infrastructure is to break the silos that exist in healthcare organizations.

Prior to joining Info-Tech, Angela was the Vice President of Information Services with Unity Health Care. She has demonstrated leadership and success in this area by fostering environments where business and IT collaborate to create systems and governance that are critical to providing patient care and sustaining organizational health.

Angela has a Bachelor of Science in Systems Engineering and Design from the University of Illinois and a Doctorate of Naturopathic Medicine from Bastyr University. She is a Certified CIO with the College of Healthcare Information Management Executives. She is a two-time Health Information Systems Society (HIMSS) Davies winner.



Photo of Edison Barreto
Edison Barreto
Senior Director, Executive Services
Info-Tech Research Group

Edison is a dynamic technology leader with experience growing different enterprises and changing IT through creating fast-paced organizations with cultural, modernization, and digital transformation initiatives. He is well versed in creating IT and business cross-functional leadership teams to align business goals with IT modernization and revenue growth. Over twenty-five years of Gaming, Hospitality, Retail, and F&B experience has given him a unique perspective on guiding and coaching the creation of IT department roadmaps to focus on business needs and execute successful changes.

Edison has broad business sector experience, including:
Hospitality, Gaming, Sports and Entertainment, IT policy and oversight, IT modernization, Cloud first programs, R&D, PCI, GRDP, Regulatory oversight, Mergers acquisitions and divestitures.



Photo of Mike Tweedie
Mike Tweedie
Practice Lead, CIO Strategy
Info-Tech Research Group

Michael Tweedie is the Practice Lead, CIO – IT Strategy at Info-Tech Research Group, specializing in creating and delivering client-driven, project-based, practical research, and advisory. He brings more than twenty-five years of experience in technology and IT services as well as success in large enterprise digital transformations.

Prior to joining Info-Tech, Mike was responsible for technology at ADP Canada. In that role, Mike led several large transformation projects that covered core infrastructure, applications, and services and worked closely with and aligned vendors and partners. The results were seamless and transparent migrations to current services, like public cloud, and a completely revamped end-user landscape that allowed for and supported a fully remote workforce.

Prior to ADP, Mike was the North American Head of Engineering and Service Offerings for a large French IT services firm, with a focus on cloud adoption and complex ERP deployment and management; he managed large, diverse global teams and had responsibilities for end-to-end P&L management.

Mike holds a Bachelor's degree in Architecture from Ryerson University.



Photo of Carlene McCubbin
Carlene McCubbin
Practice Lead, People and Leadership
Info-Tech Research Group

Carlene McCubbin is a Research Lead for the CIO Advisory Practice at Info-Tech Research Group covering key topics in operating models & design, governance, and human capital development.

During her tenure at Info-Tech, Carlene has led the development of Info-Tech's Organization and Leadership practice and worked with multiple clients to leverage the methodologies by creating custom programs to fit each organization's needs.

Before joining Info-Tech, Carlene received her Master of Communications Management from McGill University, where she studied development of internal and external communications, government relations, and change management. Her education honed her abilities in rigorous research, data analysis, writing, and understanding the organization holistically, which has served her well in the business IT world.



Photo of Anubhav Sharma
Anubhav Sharma
Research Director, CIO Strategy
Info-Tech Research Group

Anubhav is a digital strategy and execution professional with extensive experience in leading large-scale transformation mandates for organizations both in North America and globally, including defining digital strategies for leading banks and spearheading a large-scale transformation project for a global logistics pioneer across ten countries. Prior to joining Info-Tech Research Group, he held several industry and consulting positions in Fortune 500 companies driving their business and technology strategies. In 2023, he was recognized as a "Top 50 Digital Innovator in Banking" by industry peers.

Anubhav holds an MBA in Strategy from HEC Paris, a Master's degree in Finance from IIT-Delhi, and a Bachelor's degree in Engineering.



Photo of Kim Osborne-Rodriguez
Kim Osborne-Rodriguez
Research Director, CIO Strategy
Info-Tech Research Group

Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

Kim holds a Bachelor's degree in Mechatronics Engineering from University of Waterloo.



Photo of Amanda Mathieson
Amanda Mathieson
Research Director, People and Leadership
Info-Tech Research Group

Amanda joined Info-Tech Research Group in 2019 and brings twenty years of expertise working in Canada, the US, and globally. Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.

Amanda has a Bachelor of Commerce degree and Master of Arts in Organization and Leadership Development from Fielding Graduate University, as well as a post-graduate diploma in Adult Learning Methodologies from St. Francis Xavier University. She also has certifications in Emotional Intelligence – EQ-i 2.0 & 360, Prosci ADKAR® Change Management, and Myers-Briggs Type Indicator Step I and II.

Bibliography

Bacey, Christopher. "KPMG/Harvey Nash CIO Survey finds most organizations lack enterprise-wide digital strategy." Harvey Nash/KPMG CIO Survey. Accessed Jan. 6, 2023. KPMG News Perspective - KPMG.us.com

Calvert, Wu-Pong Susanna. "The Importance of Rapport. Five tips for creating conversational reciprocity." Psychology Today Magazine. June 30, 2022. Accessed Feb. 10, 2023. psychologytoday.com/blog

Coaches Council. "14 Ways to Build More Meaningful Professional Relationships." Forbes Magazine. September 16, 2020. Accessed Feb. 20, 2023. forbes.com/forbescoachescouncil

Council members. "How to Build Authentic Business Relationships." Forbes Magazine. June 15, 2021. Accessed Jan. 15, 2023. Forbes.com/business council

Deloitte. "Chief Information Officer (CIO) Labs. Transform and advance the role of the CIO." The CIO program. Accessed Feb. 5, 2021.

Dharsarathy, Anusha et al. "The CIO challenge: Modern business needs a new kind of tech leader." McKinsey and Company. January 27, 2020. Accessed Feb 2023. Mckinsey.com

DiSC profile. "What is DiSC?" DiSC Profile Website. Accessed Feb. 5, 2023. discprofile.com

FIRO Assessment. "Better working relationships". Myers Brigg Website. Resource document downloaded Feb. 10, 2023. myersbriggs.com/article

Fripp, Patricia. "Frippicisms." Website. Accessed Feb. 25, 2023. fripp.com

Grossman, Rhys. "The Rise of the Chief Digital Officer." Russell Reynolds Insights, January 1, 2012. Accessed Jan. 5, 2023. Rise of the Chief Digital Officer - russellreynolds.com

Kambil, Ajit. "Influencing stakeholders: Persuade, trade, or compel." Deloitte Article. August 9, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

Kambil, Ajit. "Navigating the C-suite: Managing Stakeholder Relationships." Deloitte Article. March 8, 2017. Accessed Feb. 19, 2023. www2.deloitte.com/insights

Korn Ferry. "Age and tenure in the C-suite." Kornferry.com. Accessed Jan. 6, 2023. Korn Ferry Study Reveals Trends by Title and Industry

Kumthekar, Uday. "Communication Channels in Project". Linkedin.com, 3 March 2020. Accessed April 27, 2023. Linkedin.com/Pulse/Communication Channels

McWilliams, Allison. "Why You Need Effective Relationships at Work." Psychology Today Magazine. May 5, 2022. Accessed Feb. 11, 2023. psychologytoday.com/blog

McKinsey & Company. "Why do most transformations fail? A conversation with Harry Robinson." Transformation Practice. July 2019. Accessed Jan. 10, 2023. Mckinsey.com

Mind Tools Content Team. "Building Good Work Relationships." MindTools Article. Accessed Feb. 11, 2023. mindtools.com/building good work relationships

Pratt, Mary. "Why the CIO-CFO relationship is key to digital success." TechTarget Magazine. November 11, 2021. Accessed Feb. 2023. Techtarget.com

LaMountain, Dennis. "Quote of the Week: No Involvement, No Commitment". Linkedin.com, 3 April 2016. Accessed April 27, 2023. Linkedin.com/pulse/quote-week-involvement

PwC Pulse Survey. "Managing Business Risks". PwC Library. 2022. Accessed Jan. 30, 2023. pwc.com/pulse-survey

Rowell, Darin. "3 Traits of a Strong Professional Relationship." Harvard Business Review. August 8, 2019. Accessed Feb. 20, 2023. hbr.org/2019/Traits of a strong professional relationship

Sinek, Simon. "The Optimism Company from Simon Sinek." Website. Image Source. Accessed, Feb. 21, 2023. simonsinek.com

Sinek, Simon. "There are only two ways to influence human behavior: you can manipulate it or you can inspire it." Twitter. Dec 9, 2022. Accessed Feb. 20, 2023. twitter.com/simonsinek

Whitbourne, Susan Krauss. "10 Ways to Measure the Health of Relationship." Psychology Today Magazine. Aug. 7, 2021. Accessed Jan. 30, 2023. psychologytoday.com/blog

Build a Roadmap for Service Management Agility

  • Buy Link or Shortcode: {j2store}280|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Service Management
  • Parent Category Link: /service-management
  • Business is moving faster than ever and IT is getting more demands at a faster pace.
  • Many IT organizations have traditional structures and approaches that have served them well in the past. However, these frameworks and approaches alone are no longer sufficient for today’s challenges and rapidly changing environment.
  • The inability to adaptively design and deliver services as requirements change has led to diminishing service quality and an increase in shadow IT.

Our Advice

Critical Insight

  • Being Agile is a mindset. It is not meant to be prescriptive, but to encourage you to leverage the best approaches, frameworks, and tools to meet your needs and get the job done now.
  • The goal of service management is to enable and drive value for the business. Service management practices have to be flexible and adaptable enough to manage and deliver the right service value at the right time at the right level of quality.

Impact and Result

  • Understand Agile principles, how they align with service management principles, and what the optimal states for agility look like.
  • Use Info-Tech’s advice and tools to perform an assessment of your organization’s state of agility, identify the gaps, and create a custom roadmap to incorporate agility into your service management practice.
  • Increase business satisfaction. The ultimate outcome of having agility in your service delivery is satisfied customers.

Build a Roadmap for Service Management Agility Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should create a roadmap for service management agility, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Understand the optimal state for agility

Understand the components of agility and what the optimal states are for service management agility.

  • Build a Roadmap for Service Management Agility – Phase 1: Understand the Optimal States for Agility

2. Assess your current state of agility

Determine the current state of agility in the service management practice.

  • Build a Roadmap for Service Management Agility – Phase 2: Assess Your Current State of Agility
  • Service Management Agility Assessment Tool

3. Build the roadmap

Create a roadmap for service management agility and present it to key stakeholders to obtain their support.

  • Build a Roadmap for Service Management Agility – Phase 3: Build the Roadmap for Service Management Agility
  • Service Management Agility Roadmap Template
  • Building Agility Into Our Service Management Practice Stakeholders Presentation Template
[infographic]

Workshop: Build a Roadmap for Service Management Agility

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Define the Optimal States for Agility in Service Management

The Purpose

Understand agility and how it can complement service management.

Understand how the components of culture, structure, processes, and resources enable agility in service management.

Key Benefits Achieved

Clear understanding of Agile principles.

Identifying opportunities for agility.

Understanding of how Agile principles align with service management.

Activities

1.1 Understand agility.

1.2 Understand how Agile methodologies can complement service management through culture, structure, processes, and resources.

Outputs

Summary of Agile principles.

Summary of optimal components in culture, structure, processes, and resources that enable agility.

2 Assess Your Current State of Agility in Service Management

The Purpose

Assess your current organizational agility with respect to culture, structure, processes, and resources.

Identify your agility strengths and weaknesses with the agility score.

Key Benefits Achieved

Understand your organization’s current enablers and constraints for agility.

Have metrics to identify strengths or weaknesses in culture, structure, processes, and resources.

Activities

2.1 Complete an agility assessment.

Outputs

Assessment score of current state of agility.

3 Build the Roadmap for Service Management Agility

The Purpose

Determine the gaps between the current and optimal states for agility.

Create a roadmap for service management agility.

Create a stakeholders presentation.

Key Benefits Achieved

Have a completed custom roadmap that will help build sustainable agility into your service management practice.

Present the roadmap to key stakeholders to communicate your plans and get organizational buy-in.

Activities

3.1 Create a custom roadmap for service management agility.

3.2 Create a stakeholders presentation on service management agility.

Outputs

Completed roadmap for service management agility.

Completed stakeholders presentation on service management agility.

Service Desk

  • Buy Link or Shortcode: {j2store}11|cart{/j2store}
  • Related Products: {j2store}11|crosssells{/j2store}
  • Up-Sell: {j2store}11|upsells{/j2store}
  • member rating overall impact (scale of 10): 9.4/10
  • member rating average dollars saved: $22,900
  • member rating average days saved: 20
  • Parent Category Name: Infra and Operations
  • Parent Category Link: /infra-and-operations
The service desk is typically the first point of contact for clients and staff who need something. Make sure your team is engaged, involved, knowledgeable, and gives excellent customer service.

Identify and Build the Data & Analytics Skills Your Organization Needs

  • Buy Link or Shortcode: {j2store}301|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Data Management
  • Parent Category Link: /data-management

The rapid technological evolution in platforms, processes, and applications is leading to gaps in the skills needed to manage and use data. Some common obstacles that could prevent you from identifying and building the data & analytics skills your organization needs include:

  • Lack of resources and knowledge to secure professionals with the right mix of D&A skills and right level of experience/skills
  • Lack of well-formulated and robust data strategy
  • Underestimation of the value of soft skills

Our Advice

Critical Insight

Skill deficiency is frequently stated as a roadblock to realizing corporate goals for data & analytics. Soft skills and technical skills are complementary, and data & analytics teams need a combination of both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization’s data strategy to ensure the right skills are available at the right time and minimize pertinent risks.

Impact and Result

Follow Info-Tech's advice on the roles and skills needed to support your data & analytics strategic growth objectives and how to execute an actionable plan:

  • Define the skills required for each essential data & analytics role.
  • Identify the roles and skills gaps in alignment with your current data strategy.
  • Establish an action plan to close the gaps and reduce risks.

Identify and Build the Data & Analytics Skills Your Organization Needs Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Identify and Build the Data & Analytics Skills Your Organization Needs Deck – Use this research to assist you in identifying and building roles and skills that are aligned with the organization’s data strategy.

To generate business value from data, data leaders must first understand what skills are required to achieve these goals, identify the current skill gaps, and then develop skills development programs to enhance the relevant skills. Use Info-Tech's approach to identify and fill skill gaps to ensure you have the right skills at the right time.

  • Identify and Build the Data & Analytics Skills Your Organization Needs Storyboard

2. Data & Analytics Skills Assessment and Planning Tool – Use this tool to help you identify the current and required level of competency for data & analytics skills, analyze gaps, and create an actionable plan.

Start with skills and roles identified as the highest priority through a high-level maturity assessment. From there, use this tool to determine whether the organization’s data & analytics team has the key role, the right combination of skill sets, and the right level competency for each skill. Create an actionable plan to develop skills and fill gaps.

  • Data & Analytics Skills Assessment and Planning Tool
[infographic]

Further reading

Identify and Build the Data & Analytics Skills Your Organization Needs

Blending soft skills with deep technical expertise is essential for building successful data & analytics teams.

Analyst Perspective

Blending soft skills with deep technical expertise is essential for building successful data & analytics teams.

In today's changing environment, data & analytics (D&A) teams have become an essential component, and it is critical for organizations to understand the skill and talent makeup of their D&A workforce. Chief data & analytics officers (CDAOs) or other equivalent data leaders can train current data employees or hire proven talent and quickly address skills gaps.

While developing technical skills is critical, soft skills are often left underdeveloped, yet lack of such skills is most likely why the data team would face difficulty moving beyond managing technology and into delivering business value.

Follow Info-Tech's methodology to identify and address skills gaps in today's data workplace. Align D&A skills with your organization's data strategy to ensure that you always have the right skills at the right time.

Ruyi Sun
Research Specialist,
Data & Analytics, and Enterprise Architecture
Info-Tech Research Group

Executive Summary

Your Challenge

The rapid technological evolution in platforms, processes, and applications is leading to gaps in the skills needed to manage and use data. Some critical challenges organizations with skills deficiencies might face include:

  • Time loss due to delayed progress and reworking of initiatives
  • Poor implementation quality and low productivity
  • Reduced credibility of data leader and data initiatives

Common Obstacles

Some common obstacles that could prevent you from identifying and building the data and analytics (D&A) skills your organization needs are:

  • Lack of resources and knowledge to secure professionals with the right mixed D&A skills and the right experience/skill level
  • Lack of well-formulated and robust data strategy
  • Neglecting the value of soft skills and placing all your attention on technical skills

Info-Tech's Approach

Follow Info-Tech's guidance on the roles and skills required to support your D&A strategic growth objectives and how to execute an actionable plan:

  • Define skills required for each essential data and analytics role
  • Identify roles and skills gap in alignment with your current data strategy
  • Establish action plan to close the gaps and reduce risks

Info-Tech Insight

Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills required by your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.

The rapidly changing environment is impacting the nature of work

Scarcity of data & analytics (D&A) skills

  • Data is one of the most valuable organizational assets, and regardless of your industry, data remains the key to informed decision making. More than 75% of businesses are looking to adopt technologies like big data, cloud computing, and artificial intelligence (AI) in the next five years (World Economic Forum, 2023). As organizations pivot in response to industry disruptions and technological advancements, the nature of work is changing, and the demand for data expertise has grown.
  • Despite an increasing need for data expertise, organizations still have trouble securing D&A roles due to inadequate upskilling programs, limited understanding of the skills required, and more (EY, 2022). Notably, scarce D&A skills have been critical. More workers will need at least a base level of D&A skills to adequately perform their jobs.

Stock image of a data storage center.

Organizations struggle to remain competitive when skills gaps aren't addressed

Organizations identify skills gaps as the key barriers preventing industry transformation:

60% of organizations identify skills gaps as the key barriers preventing business transformation (World Economic Forum, 2023)

43% of respondents agree the business area with the greatest need to address potential skills gaps is data analytics (McKinsey & Company, 2020)

Most organizations are not ready to address potential role disruptions and close skills gaps:

87% of surveyed companies say they currently experience skills gaps or expect them within a few years (McKinsey & Company, 2020)

28% say their organizations make effective decisions on how to close skills gaps (McKinsey & Company, 2020)

Neglecting soft skills development impedes CDOs/CDAOs from delivering value

According to BearingPoint's CDO survey, cultural challenges and limited data literacy are the main roadblocks to a CDO's success. To drill further into the problem and understand the root causes of the two main challenges, conduct a root cause analysis (RCA) using the Five Whys technique.

Bar Chart of 'Major Roadblocks to the Success of a CDO' with 'Limited data literacy' at the top.
(Source: BearingPoint, 2020)

Five Whys RCA

Problem: Poor data literacy is the top challenge CDOs face when increasing the value of D&A. Why?

  • People that lack data literacy find it difficult to embrace and trust the organization's data insights. Why?
  • Data workers and the business team don't speak the same language. Why?
  • No shared data definition or knowledge is established. Over-extensive data facts do not drive business outcomes. Why?
  • Leaders fail to understand that data literacy is more than technical training, it is about encompassing all aspects of business, IT, and data. Why?
  • A lack of leadership skills prevents leaders from recognizing these connections and the data team needing to develop soft skills.

Problem: Cultural challenge is one of the biggest obstacles to a CDO's success. Why?

  • Decisions are made from gut instinct instead of data-driven insights, thus affecting business performance. Why?
  • People within the organization do not believe that data drives operational excellence, so they resist change. Why?
  • Companies overestimate the organization's level of data literacy and data maturity. Why?
  • A lack of strategies in change management, continuous improvement & data literacy for data initiatives. Why?
  • A lack of expertise/leaders possessing these relevant soft skills (e.g. change management, etc.).

As organizations strive to become more data-driven, most conversations around D&A emphasize hard skills. Soft skills like leadership and change management are equally crucial, and deficits there could be the root cause of the data team's inability to demonstrate improved business performance.

Data cannot be fully leveraged without a cohesive data strategy

Business strategy and data strategy are no longer separate entities.

  • For any chief data & analytics officer (CDAO) or equivalent data leader, a robust and comprehensive data strategy is the number one tool for generating measurable business value from data. Data leaders should understand what skills are required to achieve these goals, consider the current skills gap, and build development programs to help employees improve those skills.
  • Begin your skills development programs by ensuring you have a data strategy plan prepared. A data strategy should never be formulated independently from the business. Organizations with high data maturity will align such efforts to the needs of the business, making data a major part of the business strategy to achieve data centricity.
  • Refer to Info-Tech's Build a Robust and Comprehensive Data Strategy blueprint to ensure data can be leveraged as a strategic asset of the organization.

Diagram of 'Data Strategy Maturity' with two arrangements of 'Data Strategy' and 'Business Strategy'. One is 'Aligned', the other is 'Data Centric.'

Info-Tech Insight

The process of achieving data centricity requires alignment between the data and business teams, and that requires soft skills.

Follow Info-Tech's methodology to identify the roles and skills needed to execute a data strategy

  1. Define Key Roles and Skills

    Digital Leadership Skills, Soft Skills, Technical Skills
    Key Output
    • Defined essential competencies, responsibilities for some common data roles
  2. Uncover the Skills Gap

    Data Strategy Alignment, High-Level Data Maturity Assessment, Skills Gap Analysis
    Key Output
    • Data roles and skills aligned with your current data strategy
    • Identified current and target state of data skill sets
  3. Build an Actionable Plan

    Initiative Priority, Skills Growth Feasibility, Hiring Feasibility
    Key Output
    • Identified action plan to address the risk of data skills deficiency

Info-Tech Insight

Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.

Research benefits

Member benefits

  • Reduce time spent defining the target state of skill sets.
  • Gain ability to reassess the feasibility of execution on your data strategy, including resources and timeline.
  • Increase confidence in the data leader's ability to implement a successful skills development program that is aligned with the organization's data strategy, which correlates directly to successful business outcomes.

Business benefits

  • Reduce time and cost spent hiring key data roles.
  • Increase chance of retaining high-quality data professionals.
  • Reduce time loss for delayed progress and rework of initiatives.
  • Optimize quality of data initiative implementation.
  • Improve data team productivity.

Insight summary

Overarching insight

Skills gaps are a frequently named obstacle to realizing corporate goals for D&A. Soft skills and technical skills are complementary, and a D&A team needs both to perform effectively. Identify the essential skills and the gap with current skills that fit your organization's data strategy to ensure the right skill is available at the right time and to minimize applicable risks.

Phase 1 insight

Technological advancements will inevitably require new technical skills, but the most in-demand skills go beyond mastering the newest technologies. Soft skills are essential to data roles as the global workforce navigates the changes of the last few years.

Phase 2 insight

Understanding and knowing your organization's data maturity level is a prerequisite to assessing your current skill and determining where you must align in the future.

Phase 3 insight

One of the misconceptions that organizations have includes viewing skills development as a one-time effort. This leads to underinvestment in data team skills, risk of falling behind on technological changes, and failure to connect with business partners. Employees must learn to continuously adapt to the changing circumstances of D&A.

While the program must be agile and dynamic to reflect technological improvements in the development of technical skills, the program should always be anchored in soft skills because data management is fundamentally about interaction, collaboration, and people.

Tactical insight

Seeking input and support across your business units can align stakeholders to focus on the right data analytics skills and build a data learning culture.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is four to six calls over the course of two to three months.

What does a typical GI on this topic look like?

Phase 1

Phase 2

Phase 3

Call #1: Understand common data & analytics roles and skills, and your specific objectives and challenges. Call #2: Assess the current data maturity level and competency of skills set. Identify the skills gap. Call #3: Identify the relationship between current initiatives and capabilities. Initialize the corresponding roadmap for the data skills development program.

Call #4: (follow-up call) Touching base to follow through and ensure that benefits have received.

Identify and Build the Data & Analytics Skills Your Organization Needs

Phase 1

Define Key Roles and Skills

Define Key Roles and Skills Uncover the Skills Gap Build an Actionable Plan

This phase will walk you through the following activities:

  • 1.1 Review D&A Skill & Role List in Data & Analytics Assessment and Planning Tool

This phase involves the following participants:

  • Data leads

Key resources for your data strategy: People

Having the right role is a key component for executing effective data strategy.

D&A Common Roles

  • Data Steward
  • Data Custodian
  • Data Owner
  • Data Architect
  • Data Modeler
  • Artificial Intelligence (AI) and Machine Learning (ML) Specialist
  • Database Administrator
  • Data Quality Analyst
  • Security Architect
  • Information Architect
  • System Architect
  • MDM Administrator
  • Data Scientist
  • Data Engineer
  • Data Pipeline Developer
  • Data Integration Architect
  • Business Intelligence Architect
  • Business Intelligence Analyst
  • ML Validator

AI and ML Specialist is projected to be the fastest-growing occupation in the next five years (World Economic Forum, 2023).

While tech roles take an average of 62 days to fill, hiring a senior data scientist takes 70.5 days (Workable, 2019). Start your recruitment cycle early for this demand.

D&A Leader Roles

  • Chief Data Officer (CDO)/Chief Data & Analytics Officer (CDAO)
  • Data Governance Lead
  • Data Management Lead
  • Information Security Lead
  • Data Quality Lead
  • Data Product Manager
  • Master Data Manager
  • Content and Record Manager
  • Data Literacy Manager

CDOs act as impactful change agents ensuring that the organization's data management disciplines are running effectively and meeting the business' data needs. Only 12.0% of the surveyed organizations reported having a CDO as of 2012. By 2022, this percentage had increased to 73.7% (NewVantage Partners, 2022).

Sixty-five percent of respondents said lack of data literacy is the top challenge CDOs face today (BearingPoint, 2020). It has become imperative for companies to consider building a data literacy program which will require a dedicated data literacy team.

Key resources for your data strategy: Skill sets

Distinguish between the three skills categories.

  • Soft Skills

    Soft skills are described as power skills regarding how you work, such as teamwork, communication, and critical thinking.
  • Digital Leadership Skills

    Not everyone working in the D&A field is expected to perform advanced analytical tasks. To thrive in increasingly data-rich environments, however, every data worker, including leaders, requires a basic technological understanding and skill sets such as AI, data literacy, and data ethics. These are digital leadership skills.
  • Technical Skills

    Technical skills are the practical skills required to complete a specific task. For example, data scientists and data engineers require programming skills to handle and manage vast amounts of data.

Info-Tech Insight

Technological advancements will inevitably require new technical skills, but the most in-demand skills go beyond mastering the newest technologies. Soft skills are essential to data roles as the global workforce navigates the changes of the last few years.

Soft skills aren't just nice to have

They're a top asset in today's data workplace.

Leadership

  • Data leaders with strong leadership abilities can influence the organization's strategic execution and direction, support data initiatives, and foster data cultures. Organizations that build and develop leadership potential are 4.2 times more likely to financially outperform those that do not (Udemy, 2022).

Business Acumen

  • The process of deriving conclusions and insights from data is ultimately utilized to improve business decisions and solve business problems. Possessing business acumen helps provide the business context and perspectives for work within data analytics fields.

Critical Thinking

  • Critical thinking allows data leaders at every level to objectively assess a problem before making judgment, consider all perspectives and opinions, and be able to make decisions knowing the ultimate impact on results.

Analytical Thinking

  • Analytical thinking remains the most important skill for workers in 2023 (World Economic Forum, 2023). Data analytics expertise relies heavily on analytical thinking, which is the process of breaking information into basic principles to analyze and understand the logic and concepts.

Design Thinking & Empathy

  • Design thinking skills help D&A professionals understand and prioritize the end-user experience to better inform results and assist the decision-making process. Organizations with high proficiency in design thinking are twice as likely to be high performing (McLean & Company, 2022).

Learning Focused

  • The business and data analytics fields continue to evolve rapidly, and the skills, especially technical skills, must keep pace. Learning-focused D&A professionals continuously learn, expanding their knowledge and enhancing their techniques.

Change Management

  • Change management is essential, especially for data leaders who act as change agents developing and enabling processes and who assist others with adjusting to changes with cultural and procedural factors. Organizations with high change management proficiency are 2.2 times more likely to be high performing (McLean & Company, 2022).

Resilience

  • Being motivated and adaptable is essential when facing challenges and high-pressure situations. Organizations highly proficient in resilience are 1.8 times more likely to be high performing (McLean & Company, 2022).

Managing Risk & Governance Mindset

  • Risk management ability is not limited to highly regulated institutions. All data workers must understand risks from the larger organizational perspective and have a holistic governance mindset while achieving their individual goals and making decisions.

Continuous Improvement

  • Continuously collecting feedback and reflecting on it is the foundation of continuous improvement. To uncover and track the lessons learned and treat them as opportunities, data workers must be able to discover patterns and connections.

Teamwork & Collaboration

  • Value delivery in a data-centric environment is a team effort, requiring collaboration across the business, IT, and data teams. D&A experts with strong collaborative abilities can successfully work with other teams to achieve shared objectives.

Communication & Active Listening

  • This includes communicating with relevant stakeholders about timelines and expectations of data projects and associated technology and challenges, paying attention to data consumers, understanding their requirements and needs, and other areas of interest to the organization.

Technical skills for everyday excellence

Digital Leadership Skills

  • Technological Literacy
  • Data and AI Literacy
  • Cloud Computing Literacy
  • Data Ethics
  • Data Translation

Data & Analytics Technical Competencies

  • Data Mining
  • Programming Languages (Python, SQL, R, etc.)
  • Data Analysis and Statistics
  • Computational and Algorithmic Thinking
  • AI/ML Skills (Deep Learning, Computer Vision, Natural Language Processing, etc.)
  • Data Visualization and Storytelling
  • Data Profiling
  • Data Modeling & Design
  • Data Pipeline (ETL/ELT) Design & Management
  • Database Design & Management
  • Data Warehouse/Data Lake Design & Management

1.1 Review D&A Skill & Role List in the Data & Analytics Assessment and Planning Tool

Sample of Tab 2 in the Data & Analytics Assessment and Planning Tool.

Tab 2. Skill & Role List

Objective: Review the library of skills and roles and customize them as needed to align with your organization's language and specific needs.

Download the Data & Analytics Assessment and Planning Tool

Identify and Build the Data & Analytics Skills Your Organization Needs

Phase 2

Uncover the Skills Gap

Define Key Roles and Skills Uncover the Skills Gap Build an Actionable Plan

This phase will walk you through the following activities:

  • 2.1 High-level assessment of your present data management maturity
  • 2.2 Interview business and data leaders to clarify current skills availability
  • 2.3 Use the Data & Analytics Assessment and Planning Tool to Identify your skills gaps

This phase involves the following participants:

  • Data leads
  • Business leads and subject matter experts (SMEs)
  • Key business stakeholders

Identify skills gaps across the organization

Gaps are not just about assigning people to a role, but whether people have the right skill sets to carry out tasks.

  • Now that you have identified the essential skills and roles in the data workplace, move to Phase 2. This phase will help you understand the required level of competency, assess where the organization stands today, and identify gaps to close.
  • Using the Data & Analytics Assessment and Planning Tool, start with areas that are given the highest priority through a high-level maturity assessment. From there, three levels of gaps will be found: whether people are assigned to a particular position, the right combination of D&A skill sets, and the right competency level for each skill.
  • Lack of talent assigned to a position

  • Lack of the right combination of D&A skill sets

  • Lack of appropriate competency level

Info-Tech Insight

Understanding your organization's data maturity level is a prerequisite to assessing the skill sets you have today and determining where you need to align in the future.

2.1 High-level assessment of your present data management maturity

Identifying and fixing skills gaps takes time, money, and effort. Focus on bridging the gap in high-priority areas.

Input: Current state capabilities, Use cases (if applicable), Data culture diagnostic survey results (if applicable)
Output: High-level maturity assessment, Prioritized list of data management focused area
Materials: Data Management Assessment and Planning Tool (optional), Data & Analytics Assessment and Planning Tool
Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders

Objectives:

Prioritize these skills and roles based on your current maturity levels and what you intend to accomplish with your data strategy.

Steps:

  1. (Optional Step) Refer to the Build a Robust and Comprehensive Data Strategy blueprint. You can assess your data maturity level using the following frameworks and methods:
    • Review current data strategy and craft use cases that represent high-value areas that must be addressed for their teams or functions.
    • Use the data culture assessment survey to determine your organization's data maturity level.
  2. (Optional Step) Refer to the Create a Data Management Roadmap blueprint and Data Management Assessment and Planning Tool to dive deep into understanding and assessing capabilities and maturity levels of your organization's data management enablers and understanding your priority areas and specific gaps.
  3. If you have completed Data Management Assessment and Planning Tool, fill out your maturity level scores for each of the data management practices within it - Tab 3 (Current-State Assessment). Skip Tab 4 (High-Level Maturity Assessment).
  4. If you have not yet completed Data Management Assessment and Planning Tool, skip Tab 3 and continue with Tab 4. Assign values 1 to 3 for each capability and enabler.
  5. You can examine your current-state data maturity from a high level in terms of low/mid/high maturity using either Tabs 3 or 4.
  6. Suggested focus areas along the data journey:
    • Low Maturity = Data Strategy, Data Governance, Data Architecture
    • Mid Maturity = Data Literacy, Information Management, BI and Reporting, Data Operations Management, Data Quality Management, Data Security/Risk Management
    • High Maturity = MDM, Data Integration, Data Product and Services, Advanced Analytics (ML & AI Management).

Download the Data & Analytics Assessment and Planning Tool

2.2 Interview business and data leaders to clarify current skills availability

1-2 hours per interview

Input: Sample questions targeting the activities, challenges, and opportunities of each unit
Output: Identified skills availability
Materials: Whiteboard/Flip charts, Data & Analytics Assessment and Planning Tool
Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders

Instruction:

  1. Conduct a deep-dive interview with each key data initiative stakeholder (data owners, SMEs, and relevant IT/Business department leads) who can provide insights on the skill sets of their team members, soliciting feedback from business and data leaders about skills and observations of employees as they perform their daily tasks.
  2. Populate a current level of competency for each skill in the Data & Analytics Assessment and Planning Tool in Tabs 5 and 6. Having determined your data maturity level, start with the prioritized data management components (e.g. if your organization sits at low data maturity level, start with identifying relevant positions and skills under data governance, data architecture, and data architecture elements).
  3. More detailed instructions on how to utilize the workbook are at the next activity.

Key interview questions that will help you :

  1. Do you have personnel assigned to the role? What are their primary activities? Do the personnel possess the soft and technical skills noted in the workbook? Are you satisfied with their performance? How would you evaluate their degree of competency on a scale of "vital, important, nice to have, or none"? The following aspects should be considered when making the evaluation:
    • Key Performance Indicators (KPIs): Business unit data will show where the organization is challenged and will help identify potential areas for development.
    • Project Management Office: Look at successful and failed projects for trends in team traits and competencies.
    • Performance Reviews: Look for common themes where employees excel or need to improve.
    • Focus Groups: Speak with a cross section of employees to understand their challenges.
  2. What technology is currently used? Are there requirements for new technology to be bought and/or optimized in the future? Will the workforce need to increase their skill level to carry out these activities with the new technology in place?

Download the Data & Analytics Assessment and Planning Tool

2.3 Use the Data & Analytics Assessment and Planning Tool to identify skills gaps

1-3 hours — Not everyone needs the same skill levels.

Input: Current skills competency, Stakeholder interview results and findings
Output: Gap identification and analysis
Materials: Data & Analytics Assessment and Planning Tool
Participants: Data leads

Instruction:

  1. Select your organization's data maturity level in terms of Low/Mid/High in cell A6 for both Tab 5 (Soft Skills Assessment) and Tab 6 (Technical Skills Assessment) to reduce irrelevant rows.
  2. Bring together key business stakeholders (data owners, SMEs, and relevant IT custodians) to determine whether the data role exists in the organization. If yes, assign a current-state value from “vital, important, nice to have, or none” for each skill in the assessment tool. Info-Tech has specified the desired/required target state of each skill set.
  3. Once you've assigned the current-state values, the tool will automatically determine whether there is a gap in skill set.

Download the Data & Analytics Assessment and Planning Tool

Identify and Build the Data & Analytics Skills Your Organization Needs

Phase 3

Build an Actionable Plan

Define Key Roles and Skills Uncover the Skills Gap Build an Actionable Plan

This phase will walk you through the following activities:

  • 3.1 Use the Data & Analytics Assessment and Planning Tool to build your actionable roadmap

This phase involves the following participants:

  • Data leads
  • Business leads and subject matter experts (SMEs)
  • Key business stakeholders

Determine next steps and decision points

There are three types of internal skills development strategies

  • There are three types of internal skills development strategies organizations can use to ensure the right people with the right abilities are placed in the right roles: reskill, upskill, and new hire.
  1. Reskill

    Reskilling involves learning new skills for a different or newly defined position.
  2. Upskill

    Upskilling involves building a higher level of competency in skills to improve the worker's performance in their current role.
  3. New hire

    New hire involves hiring workers who have the essential skills to fill the open position.

Info-Tech Insight

One of the misconceptions that organizations have includes viewing skills development as a one-time effort. This leads to underinvestment in data team skills, risk of falling behind on technological changes, and failure to connect with business partners. Employees must learn to continuously adapt to the changing circumstances of D&A. While the program must be agile and dynamic to reflect technological improvements in the development of technical skills, the program should always be anchored in soft skills because data management is fundamentally about interaction, collaboration, and people.

How to determine when to upskill, reskill, or hire to meet your skills needs

Reskill

Reskilling often indicates a change in someone's career path, so this decision requires a goal aligned with both individuals and the organization to establish a mutually beneficial situation.

When making reskilling decisions, organizations should also consider the relevance of the skill for different positions. For example, data administrators and data architects have similar skill sets, so reskilling is appropriate for these employees.

Upskill

Upskilling tends to focus more on the soft skills necessary for more advanced positions. A data strategy lead, for example, might require design thinking training, which enables leaders to think from different perspectives.

Skill growth feasibility must also be considered. Some technical skills, particularly those involving cutting-edge technologies, require continual learning to maintain operational excellence. For example, a data scientist may require AI/ML skills training to incorporate use of modern automation technology.

New Hire

For open positions and skills that are too resource-intensive to reskill or upskill, it makes sense to recruit new employees. Consider, however, time and cost feasibility of hiring. Some positions (e.g. senior data scientist) take longer to fill. To minimize risks, coordinate with your HR department and begin recruiting early.

Data & Analytics skills training

There are various learning methods that help employees develop priority competencies to achieve reskilling or upskilling.

Specific training

The data team can collaborate with the human resources department to plan and develop internal training sessions aimed at specific skill sets.

This can also be accomplished through external training providers such as DCAM, which provides training courses on data management and analytics topics.

Formal education program

Colleges and universities can equip students with data analytics skills through formal education programs such as MBAs and undergraduate or graduate degrees in Data Science, Machine Learning, and other fields.

Certification

Investing time and effort to obtain certifications in the data & analytics field allows data workers to develop skills and gain recognition for continuous learning and self-improvement.

AWS Data Analytics and Tableau Data Scientist Certification are two popular data analytics certifications.

Online learning from general providers

Some companies offer online courses in various subjects. Coursera and DataCamp are two examples of popular providers.

Partner with a vendor

The organization can partner with a vendor who brings skills and talents that are not yet available within the organization. Employees can benefit from the collaboration process by familiarizing themselves with the project and enhancing their own skills.

Support from within your business

The data team can engage with other departments that have previously done skills development programs, such as Finance and Change & Communications, who may have relevant resources to help you improve your business acumen and change management skills.

Info-Tech Insight

Seeking input and support across your business units can align stakeholders to focus on the right data analytics skills and build a data learning culture.

Data & Analytics skills reinforcement

Don't assume learners will immediately comprehend new knowledge. Use different methods and approaches to reinforce their development.

Innovation Space

  • Skills development is not a one-time event, but a continuous process during which innovation should be encouraged. A key aspect of being innovative is having a “fail fast” mentality, which means collecting feedback, recognizing when something isn't working, encouraging experimentation, and taking a different approach with the goal of achieving operational excellence.
  • Human-centered design (HCD) also yields innovative outcomes with a people-first focus. When creating skills development programs for various target groups, organizations should integrate a human-centered approach.

Commercial Lens

  • Exposing people to a commercial way of thinking can add long-term value by educating people to act in the business' best interest and raising awareness of what other business functions contribute. This includes concepts such as project management, return on investment (ROI), budget alignment, etc.

Checklists/Rubrics

  • Employees should record what they learn so they can take the time to reflect. A checklist is an effective technique for establishing objectives, allowing measurement of skills development and progress.

Buddy Program

  • A buddy program helps employees gain and reinforce knowledge and skills they have learned through mutual support and information exchange.

Align HR programs to support skills integration and talent recruitment

With a clear idea of skills needs and an executable strategy for training and reinforcing of concepts, HR programs and processes can help the data team foster a learning environment and establish a recruitment plan. The links below will direct you to blueprints produced by McLean & Company, a division of Info-Tech Research Group.

Workforce Planning

When integrating the skills of the future into workforce planning, determine the best approach for addressing the identified talent gaps – whether to build, buy, or borrow.

Integrate the future skills identified into the organization's workforce plan.

Talent Acquisition

In cases where employee development is not feasible, the organization's talent acquisition strategy must focus more on buying or borrowing talent. This will impact the TA process. For example, sourcing and screening must be updated to reflect new approaches and skills.

If you have a talent acquisition strategy, assess how to integrate the new roles/skills into recruiting.

Competencies/Succession Planning

Review current organizational core competencies to determine if they need to be modified. New skills will help inform critical roles and competencies required in succession talent pools.

If no competency framework exists, use McLean & Company's Develop a Comprehensive Competency Framework blueprint.

Compensation

Evaluate modified and new roles against the organization's compensation structure. Adjust them as necessary. Look at market data to understand compensation for new roles and skills.

Reassess your base pay structure according to market data for new roles and skills.

Learning and Development

L&D plays a huge role in closing the skills gap. Build L&D opportunities to support development of new skills in employees.

Design an Impactful Employee Development Program to build the skills employees need in the future.

3.1 Use the Data & Analytics Assessment and Planning Tool to build an actionable plan

1-3 hours

Input: Roles and skills required, Key decision points
Output: Actionable plan
Materials: Data & Analytics Assessment and Planning Tool
Participants: Data leads, Business leads and subject matter experts (SMEs), Key business stakeholders

Instruction:

  1. On Tab 7 (Next Steps & Decision Points), you will find a list of tasks that correspond to roles that where there is a skills gap.
  2. Customize this list of tasks initiatives according to your needs.
  3. The Gantt chart, which will be generated automatically after assigning start and finish dates for each activity, can be used to structure your plan and guarantee that all the main components of skills development are addressed.

Sample of Tab 7 in the Data & Analytics Assessment and Planning Tool.

Download the Data & Analytics Assessment and Planning Tool

Related Info-Tech Research

Sample of the Create a Data Management Roadmap blueprint.

Create a Data Management Roadmap

  • This blueprint will help you design a data management practice that will allow your organization to use data as a strategic enabler.

Stock image of a person looking at data dashboards on a tablet.

Build a Robust and Comprehensive Data Strategy

  • Put a strategy in place to ensure data is available, accessible, well-integrated, secured, of acceptable quality, and suitably visualized to fuel organization-wide decision making. Start treating data as strategic and corporate asset.

Sample of the Foster Data-Driven Culture With Data Literacy blueprint.

Foster Data-Driven Culture With Data Literacy

  • By thoughtfully designing a data literacy training program appropriate to the audience's experience, maturity level, and learning style, organizations build a data-driven and engaged culture that helps them unlock their data's full potential and outperform other organizations.

Research Authors and Contributors

Authors:

Name Position Company
Ruyi Sun Research Specialist Info-Tech Research Group

Contributors:

Name Position Company
Steve Wills Practice Lead Info-Tech Research Group
Andrea Malick Advisory Director Info-Tech Research Group
Annabel Lui Principal Advisory Director Info-Tech Research Group
Sherwick Min Technical Counselor Info-Tech Research Group

Bibliography

2022 Workplace Learning Trends Report.” Udemy, 2022. Accessed 20 June 2023.

Agrawal, Sapana, et al. “Beyond hiring: How companies are reskilling to address talent gaps.” McKinsey & Company, 12 Feb. 2020. Accessed 20 June 2023.

Bika, Nikoletta. “Key hiring metrics: Useful benchmarks for tech roles.” Workable, 2019. Accessed 20 June 2023.

Chroust, Tomas. “Chief Data Officer – Leaders of data-driven enterprises.” BearingPoint, 2020. Accessed 20 June 2023.

“Data and AI Leadership Executive Survey 2022.” NewVantage Partners, Jan 2022. Accessed 20 June 2023.

Dondi, Marco, et al. “Defining the skills citizens will need in the future world of work.” McKinsey & Company, June 2021. Accessed 20 June 2023.

Futschek, Gerald. “Algorithmic Thinking: The Key for Understanding Computer Science.” Lecture Notes in Computer Science, vol. 4226, 2006.

Howard, William, et al. “2022 HR Trends Report.” McLean & Company, 2022. Accessed 20 June 2023.

“Future of Jobs Report 2023.” World Economic Forum, May 2023. Accessed 20 June 2023.

Knight, Michelle. “What is Data Ethics?” Dataversity, 19 May 2021. Accessed 20 June 2023.

Little, Jim, et al. “The CIO Imperative: Is your technology moving fast enough to realize your ambitions?” EY, 22 Apr. 2022. Accessed 20 June 2023.

“MDM Roles and Responsibilities.” Profisee, April 2019. Accessed 20 June 2023.

“Reskilling and Upskilling: A Strategic Response to Changing Skill Demands.” TalentGuard, Oct. 2019. Accessed 20 June 2023.

Southekal, Prashanth. “The Five C's: Soft Skills That Every Data Analytics Professional Should Have.” Forbes, 17 Oct. 2022. Accessed 20 June 2023.

External Compliance

  • Buy Link or Shortcode: {j2store}39|cart{/j2store}
  • Related Products: {j2store}39|crosssells{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Security and Risk
  • Parent Category Link: /security-and-risk
Take Control of Compliance Improvement to Conquer Every Audit

Define the Role of Project Management in Agile and Product-Centric Delivery

  • Buy Link or Shortcode: {j2store}352|cart{/j2store}
  • member rating overall impact (scale of 10): 9.0/10 Overall Impact
  • member rating average dollars saved: $3,000 Average $ Saved
  • member rating average days saved: 2 Average Days Saved
  • Parent Category Name: Development
  • Parent Category Link: /development
  • There are many voices with different opinions on the role of project management. This causes confusion and unnecessary churn.
  • Project management and product management naturally align to different time horizons. Harmonizing their viewpoints can take significant work.
  • Different parts of the organization have diverse views on how to govern and fund pieces of work, which leads to confusion when it comes to the role of project management.

Our Advice

Critical Insight

There is no one-size-fits-all approach to product delivery. For many organizations product delivery requires detailed project management practices, while for others it requires much less. Taking an outcome-first approach when planning your product transformation is critical to make the right decision on the balance between project and product management.

Impact and Result

  • Get alignment on the definition of projects and products.
  • Understand the differences between delivering projects and delivering products.
  • Line up your project management activities with the needs of Agile and product-centric projects.
  • Understand how funding can change when moving away from project-centric delivery.

Define the Role of Project Management in Agile and Product-Centric Delivery Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Define the Role of Project Management in Agile and Product-Centric Delivery – A guide that walks you through how to define the role of project management in product-centric and Agile delivery environments.

The activities in this research will guide you through clarifying how you want to talk about projects and products, aligning project management and agility, specifying the different activities for project management, and identifying key differences with funding of products instead of projects.

  • Define the Role of Project Management in Agile and Product-Centric Delivery Storyboard
[infographic]

Further reading

Define the Role of Project Management in Agile and Product-Centric Delivery

Projects and products are not mutually exclusive.

Table of Contents

3 Analyst Perspective

4 Executive Summary

7 Step 1.1: Clarify How You Want to Talk About Projects and Products

13 Step 1.2: Align Project Management and Agility

16 Step 1.3: Specify the Different Activities for Project Management

20 Step 1.4: Identify Key Differences in Funding of Products Instead of Projects

25 Where Do I Go Next?

26 Bibliography

Analyst Perspective

Project management still has an important role to play!

When moving to more product-centric delivery practices, many assume that projects are no longer necessary. That isn’t necessarily the case!

Product delivery can mean different things to different organizations, and in many cases it can involve the need to maintain both projects and project delivery.

Projects are a necessary vehicle in many organizations to drive value delivery, and the activities performed by project managers still need to be done by someone. It is the form and who is involved that will change the most.

Photo of Ari Glaizel, Practice Lead, Applications Delivery and Management, Info-Tech Research Group.

Ari Glaizel
Practice Lead, Applications Delivery and Management
Info-Tech Research Group

Executive Summary

Your Challenge
  • Organizations are under pressure to align the value they provide with the organization’s goals and overall company vision.
  • In response, they are moving to more product-centric delivery practices.
  • Previously, project managers focused on the delivery of objectives through a project, but changes in delivery practices result in de-emphasizing this. What should project managers should be doing?
Common Obstacles
  • There are many voices with different opinions on the role of project management. This causes confusion and unnecessary churn.
  • Project management and product management naturally align to different time horizons. Harmonizing their viewpoints can take significant work.
  • Different parts of the organization have very specific views on how to govern and fund pieces of work, which leads to confusion about the role of project management.
Info-Tech’s Approach
  • Get alignment on the definition of projects and products.
  • Understand the differences between delivering projects and products.
  • Line up your project management activities with the needs of Agile and product-centric projects.
  • Understand how funding can change when moving away from project-centric delivery.

Info-Tech Insight

There is no one-size-fits-all approach to product delivery. For many organizations product delivery requires detailed project management practices, while for others it requires much less. Taking an outcome-first approach when planning your product transformation is critical to make the right decision on the balance between project and product management.

Your evolution of delivery practice is not a binary switch

  1. PROJECTS WITH WATERFALL The project manager is accountable for delivery of the project, and the project manager owns resources and scope.
  2. PROJECTS WITH AGILE DELIVERY A transitional state where the product owner is accountable for feature delivery and the project manager accountable for the overall project.
  3. PRODUCTS WITH AGILE PROJECT AND OPERATIONAL DELIVERY The product owner is accountable for the delivery of the project and products, and the project manager plays a role of facilitator and enabler.
  4. PRODUCTS WITH AGILE DELIVERY Delivery of products can happen without necessarily having projects. However, projects could be instantiated to cover major initiatives.

Info-Tech Insight

  • Organizations do not need to go to full product and Agile delivery to improve delivery practices! Every organization needs to make its own determination on how far it needs to go. You can do it in one step or take each step and evaluate how well you are delivering against your goals and objectives.
  • Many organizations will go to Products With Agile Project and Operational Delivery, and some will go to Products With Agile Delivery.

Activities to undertake as you transition to product-centric delivery

  1. PROJECTS WITH WATERFALL
    • Clarify how you want to talk about projects and products. The center of the conversation will start to change.
  2. PROJECTS WITH AGILE DELIVERY
    • Align project management and agility. They are not mutually exclusive (but not necessarily always aligned).
  3. PRODUCTS WITH AGILE PROJECT AND OPERATIONAL DELIVERY
    • Specify the different activities for project management. As you mature your product practices, project management becomes a facilitator and collaborator.
  4. PRODUCTS WITH AGILE DELIVERY
    • Identify key differences in funding. Delivering products instead of projects requires a change in the focus of your funding.

Step 1.1

Clarify How You Want to Talk About Projects and Products

Activities
  • 1.1.1 Define “product” and “project” in your context
  • 1.1.2 Brainstorm potential changes in the role of projects as you become Agile and product-centric

This step involves the following participants:

  • Product owners
  • Product managers
  • Development team leads
  • Portfolio managers
  • Business analysts

Outcomes of this step

  • An understanding of how the role can change through the evolution from project to more product-centric practices

Definition of terms

Project

“A temporary endeavor undertaken to create a unique product, service, or result. The temporary nature of projects indicates a beginning and an end to the project work or a phase of the project work. Projects can stand alone or be part of a program or portfolio.” (PMBOK, PMI)
Stock image of an open head with a city for a brain.

Product

“A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.” (Deliver on Your Digital Product Vision, Info-Tech Research Group)

Info-Tech InsightLet these definitions be a guide, not necessarily to be taken verbatim. You need to define these terms in your context based on your particular needs and objectives. The only caveat is to be consistent with your usage of these terms in your organization.

1.1.1 Define “product” and “project” in your context

30-60 minutes

Output: Your enterprise/organizational definition of products and projects

Participants: Executives, Product/project managers, Applications teams

  1. Discuss what “product” and “project” mean in your organization.
  2. Create common, enterprise-wide definitions for “product” and “project.”
  3. Screenshot of the previous slide's definitions of 'Project' and 'Product'.

Agile and product management does not mean projects go away

Diagram laying out the roadmap for 'Continuous delivery of value'. Beginning with 'Projects With Agile Delivery' in which Projects with features and services end in a Product Release that is disconnected from the continuum. Then the 'Products With Agile Project and Operational Delivery' and 'Products With Agile Delivery' which are connected by a 'Product Roadmap' and 'Product Backlog' have Product Releases that connect to the continuum.

Projects Within Products

Regardless of whether you recognize yourself as a “product-based” or “project-based” shop, the same basic principles should apply.

You go through a period or periods of project-like development to build or implement a version of an application or product.

You also have parallel services along with your project development that encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.

Info-Tech Note

As your product transformation continues, projects can become optional and needed only as part of your organization’s overall delivery processes

Identify the differences between a project-centric and a product-centric organization

Project Product
Fund projects — Funding –› Fund teams
Line-of-business sponsor — Prioritization –› Product owner
Project owner — Accountability –› Product owner
Makes specific changes to a product —Product management –› Improves product maturity and support of the product
Assignment of people to work — Work allocation –› Assignment of work to product teams
Project manager manages — Capacity management –› Team manages

Info-Tech Insight

Product delivery requires significant shifts in the way you complete development and implementation work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

1.1.2 Brainstorm potential changes in the role of projects as you become Agile and product-centric

5-10 minutes

Output: Increased appreciation of the relationship between project and product delivery

Participants: Executives, Product/project managers, Applications teams

  • Discuss as a group:
    • What stands out in the evolution from project to product?
    • What concerns do you have with the change?
    • What will remain the same?
    • Which changes feel the most impactful?
    • Screenshot of the slide's 'Continuous delivery of value' diagram.

Step 1.2

Align Project Management and Agility

Activities
  • 1.2.1 Explore gaps in Agile/product-centric delivery of projects

This step involves the following participants:

  • Executives
  • Product/Project managers
  • Applications teams

Outcomes of this step

  • A clearer view of how agility can be introduced into projects.

Challenges with the project management role in Agile and product-centric organizations

Many project managers feel left out in the cold. That should not be the case!

In product-centric, Agile teams, many roles that a project manager previously performed are now taken care of to different degrees by the product owner, delivery team, and process manager.

The overall change alters the role of project management from one that orchestrates all activities to one that supports, monitors, and escalates.

Product Owner
  • Defines the “what” and heavily involved in the “when” and the “why”
  • Accountable for delivery of value
Delivery team members
  • Define the “how”
  • Accountable for building and delivering high-quality deliverables
  • Can include roles like user experience, interaction design, business analysis, architecture
Process Manager
  • Facilitates the other teams to ensure valuable delivery
  • Can potentially, in a Scrum environment, play the scrum master role, which involves leading scrums, retrospectives, and sprint reviews and working to resolve team issues and impediments
  • Evolves into more of a facilitator and communicator role

1.2.1 Explore gaps in Agile/ product-centric delivery of projects

5-10 minutes

Output: An assessment of what is in the way to effectively deliver on Agile and product-focused projects

Participants: Executives, Product/project managers, Applications teams

  • Discuss as a group:
    • What project management activities do you see in Agile/product roles?
    • What gaps do you see?
    • How can project management help Agile/product teams be successful?

Step 1.3

Specify the Different Activities for Project Management

Activities
  • 1.3.1 Articulate the changes in a project manager’s role

This step involves the following participants:

  • Executives
  • Product/Project managers
  • Applications teams

Outcomes of this step

  • An understanding of the role of project management in an Agile and product context

Kicking off the project

Product-centric delivery still requires key activities to successfully deliver value. Where project managers get their information from does change.

Stock photo of many hands grabbing a 2D rocketship.
Project Charter

Project managers should still define a charter and capture the vision and scope. The vision and high-level scope is primarily defined by the product owner.

Key Stakeholders and Communication

Clearly defining stakeholders and communication needs is still important. However, they are defined based on significant input and cues by the product owner.

Standardizing on Tools and Processes

To ensure consistency across projects, project managers will want to align tools to how the team manages their backlog and workflow. This will smooth communication about status with stakeholders.

Info-Tech Insight

  1. Product management plays a similar role to the one that was traditionally filled by the project sponsor except for a personal accountability to the product beyond the life of the project.
  2. When fully transitioned to product-centric delivery, these activities could be replaced by a product canvas. See Deliver on Your Digital Product Vision for more information.

During the project: Three key activities

The role of project management evolves from a position of ownership to a position of communication, collaboration, and coordination.

  1. Support
    • Communicate Agile/product team needs to leadership
    • Liaise and co-ordinate for non-Agile/product-focused parts of the organization
    • Coach members of the team
  2. Monitoring
    • Regular status updates to PMO still required
    • Metrics aligned with Agile/product practices
    • Leverage similar tooling and approaches to what is done locally on Agile/product teams (if possible)
  3. Escalation
    • Still a key escalation point for roadblocks that go outside the product teams
    • Collaborate closely with Agile/product team leadership and scrum masters (if applicable)
Cross-section of a head, split into three levels with icons representing the three steps detailed on the left, 'Support', 'Monitoring', and 'Escalation'.

1.3.1: Articulate the changes in a project manager’s role

5-10 minutes

Output: Current understanding of the role of project management in Agile/product delivery

Participants: Executives, Product/project managers, Applications teams

Why is this important?

Project managers still have a role to play in Agile projects and products. Agreeing to what they should be doing is critical to successfully moving to a product-centric approach to delivery.

  • Review how Info-Tech views the role of project management at project initiation and during the project.
  • Review the state of your Agile and product transformation, paying special attention to who performs which roles.
  • Discuss as a group:
    • What are the current activities of project managers in your organization?
    • Based on how you see delivery practices evolving, what do you see as the new role of project managers when it comes to Agile-centric and product-centric delivery.

Step 1.4

Identify Key Differences in Funding of Products Instead of Projects

Activities
  • 1.4.1 Discuss traditional versus product-centric funding methods

This step involves the following participants:

  • Executives
  • Product owners
  • Product managers
  • Project managers
  • Delivery managers

Outcomes of this step

  • Identified differences in funding of products instead of projects

Planning and budgeting for products and families

Reward for delivering outcomes, not features

Autonomy

Icon of a diamond.

Fund what delivers value

Fund long-lived delivery of value through products (not projects).

Give autonomy to the team to decide exactly what to build.

Flexibility

Icon of a dollar sign.

Allocate iteratively

Allocate to a pool based on higher-level business case.

Provide funds in smaller amounts to different product teams and initiatives based on need.

Arrow cycling right in a clockwise motion.



Arrow cycling left in a clockwise motion.

Accountability

Icon of a target.

Measure and adjust

Product teams define metrics that contribute to given outcomes.

Track progress and allocate more (or less) funds as appropriate.

Stock image of two suited hands exchanging coins.

Info-Tech Insight

Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.

(Adapted from Bain & Company)

Budgeting approaches must evolve as you mature your product operating environment

TRADITIONAL PROJECTS WITH WATERFALL DELIVERY TRADITIONAL PROJECTS WITH AGILE DELIVERY PRODUCTS WITH AGILE PROJECT DELIVERY PRODUCTS WITH AGILE DELIVERY

WHEN IS THE BUDGET TRACKED?

Budget tracked by major phases Budget tracked by sprint and project Budget tracked by sprint and project Budget tracked by sprint and release

HOW ARE CHANGES HANDLED?

All change is by exception Scope change is routine; budget change is by exception Scope change is routine; budget change is by exception Budget change is expected on roadmap cadence

WHEN ARE BENEFITS REALIZED?

Benefits realization post project completion Benefits realization ongoing throughout the life of the project Benefits realization ongoing throughout the life of the product Benefits realization ongoing throughout life of the product

WHO DRIVES?

Project Manager
  • Project team delivery role
  • Refines project scope, advocates for changes in the budget
  • Advocates for additional funding in the forecast
Product Owner
  • Project team delivery role
  • Refines project scope, advocates for changes in the budget
  • Advocates for additional funding in the forecast
Product Manager
  • Product portfolio team role
  • Forecasting new initiatives during delivery to continue to drive value throughout the life of the product
Product Manager
  • Product family team role
  • Forecasting new initiatives during delivery to continue to drive value throughout the life of the product
ˆ ˆ
Hybrid Operating Environments

Info-Tech Insight

As you evolve your approach to product delivery, you will be decoupling the expected benefits, forecast, and budget. Managing them independently will improve your ability adapt to change and drive the right outcomes!

1.4.1 Discuss traditional versus product-centric funding methods

30 minutes

Output: Understanding of funding principles and challenges

Participants: Executives, Product owners, Product managers, Project managers, Delivery managers

  1. Discuss how projects are currently funded.
  2. Review how the Agile/product funding models differ from how you currently operate.
  3. What changes do you need to consider to support a product delivery model?
  4. For each change, identify the key stakeholders and list at least one action to take.

Case Study

Global Digital Financial Services Company

This financial services company looked to drive better results by adopting more product-centric practices.

  • Its projects exhibited:
    • High complexity/strong dependencies between components
    • High implementation effort
    • High clarification/reconciliation (more than two departments involved)
    • Multiple methodologies (Agile/Waterfall/Hybrid)
  • The team recognized they could not get rid of projects entirely, but getting to a level where there was a coordinated delivery between projects and products being implemented is important.
Results
  • Moving several initiatives to more product-centric practices allowed for:
    • Delivery within current assigned capacity
    • Limited need for coordination across departments
    • Lower complexity
    • A unified Agile approach to delivery
  • Through balancing the needs of projects and products, there were three key insights about the project management’s role:
    • The role of project management changes depending on the context of the work. There is no one-size-fits-all definition.
    • Project management played a much bigger role when work spanned multiple products and business units.
    • Project management was used as a key coordinator when delivery became complicated and multilayered.
Example of a company where practices fall equally into 'Project' and 'Product' categories, with some being shared by both.
Example of a product-centric company where practices fall mainly into the 'Product category', leaving only one in 'Project'.

Where Do I Go Next?

Deliver on Your Digital Product Vision

  • Build a product vision your organization can take from strategy through execution.

Build a Better Product Owner

  • Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

Implement Agile Practices That Work

  • Improve collaboration and transparency with the business to minimize project failure.

Implement DevOps Practices That Work

  • Streamline business value delivery through the strategic adoption of DevOps practices.

Prepare an Actionable Roadmap for Your PMO

  • Turn planning into action with a realistic PMO timeline.

Deliver Digital Products at Scale

  • Deliver value at the scale of your organization through defining enterprise product families.

Extend Agile Practices Beyond IT

  • Further the benefits of Agile by extending a scaled Agile framework to the business.

Spread Best Practices With an Agile Center of Excellence

  • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

Tailor IT Project Management Processes to Fit Your Projects

  • Spend less time managing processes and more time delivering results.

Bibliography

Cobb, Chuck. “Are there Project Managers in Agile?” High Impact Project Management, n.d. Web.

Cohn, Mike. “What Is a Product?” Mountain Goat Software, 6 Sept. 2016. Web.

Cobb, Chuck. “Agile Project Manager Job Description.” High Impact Project Management, n.d. Web.

“How do you define a product?” Scrum.org, 4 April 2017. Web.

Johnson, Darren, et al. “How to Plan and Budget for Agile at Scale.” Bain & Company, 8 Oct. 2019. Web.

“Product Definition.” SlideShare, uploaded by Mark Curphey, 25 Feb. 2007. Web.

Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 7th ed., Project Management Institute, 2021.

Schuurman, Robbin. “Scrum Master vs Project Manager – An Overview of the Differences.” Scrum.org, 11 Feb 2020. Web.

Schuurman, Robbin. “Product Owner vs Project Manager.” Scrum.org, 12 March 2020. Web.

Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management.” Academia.edu, 2010. Web.

“What is a Developer in Scrum?” Scrum.org, n.d. Web.

“What is a Scrum Master?” Scrum.org, n.d. Web.

“What is a Product Owner?” Scrum.org, n.d. Web.

M&A Runbook for Infrastructure and Operations

  • Buy Link or Shortcode: {j2store}60|cart{/j2store}
  • member rating overall impact (scale of 10): 9.0/10 Overall Impact
  • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • member rating average days saved: Read what our members are saying
  • Parent Category Name: Strategy and Organizational Design
  • Parent Category Link: /strategy-and-organizational-design
  • I&O is often the last to be informed of an impending M&A deal.
  • The business doesn’t understand the necessary requirements or timeline for integration.
  • It’s hard to prioritize when you’re buried under a mountain of work.
  • Documentation may be lacking or nonexistent, and members of the target organization may be uncooperative.

Our Advice

Critical Insight

  • Manage expectations. The business often expects integration in days or weeks, not months or years. You need to set them straight.
  • Open your checkbook and prepare to hire. Integration will require a temporary increase in resources.
  • Tackle organizational and cultural change. People are harder to integrate than technology. Culture change is the hardest part, and the integration plan should address it.

Impact and Result

  • Tailor your approach based on the business objectives of the merger or acquisition.
  • Separate the must-haves from the nice-to-haves.
  • Ensure adequate personnel and budget.
  • Plan for the integration into normal operations.

M&A Runbook for Infrastructure and Operations Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how to partner with the business to conquer the challenges in your next merger or acquisition.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Establish goals

Partner with the business to determine goals and establish high-level scope.

  • M&A Runbook for Infrastructure and Operations – Phase 1: Establish Goals
  • I&O M&A Project Napkin

2. Conduct discovery

Find out what the target organization’s I&O looks like.

  • M&A Runbook for Infrastructure and Operations – Phase 2: Conduct Discovery
  • I&O M&A Discovery Letter Template
  • I&O M&A Discovery Template
  • I&O M&A Workbook
  • I&O M&A Risk Assessment Tool

3. Plan short-term integration

Build a plan to achieve a day 1 MVP.

  • M&A Runbook for Infrastructure and Operations – Phase 3: Plan Short-Term Integration
  • I&O M&A Short-Term Integration Capacity Assessment Tool

4. Map long-term integration

Chart a roadmap for long-term integration.

  • M&A Runbook for Infrastructure and Operations – Phase 4: Map Long-Term Integration
  • I&O M&A Long-Term Integration Portfolio Planning Tool
[infographic]

Workshop: M&A Runbook for Infrastructure and Operations

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 High-Level Scope

The Purpose

Establish goals and conduct discovery.

Key Benefits Achieved

Alignment with business goals

Documentation of target organization’s current state

Activities

0.1 Consult with stakeholders.

0.2 Establish M&A business goals.

0.3 Conduct target discovery.

0.4 Document own environment.

0.5 Clarify goals.

Outputs

Stakeholder communication plan

M&A business goals

I&O M&A Discovery Template

Current state of organization

2 Target Assessment

The Purpose

Assess risk and value of target organization.

Key Benefits Achieved

Accurate scope of I&O integration

Risk mitigation plans

Value realization strategies

Activities

1.1 Scope I&O M&A project.

1.2 Assess risks.

1.3 Assess value.

Outputs

I&O M&A Project Napkin

Risk assessment

Value assessment

3 Day 1 Integration Project Plan

The Purpose

Establish day 1 integration project plan.

Key Benefits Achieved

Smoother day 1 integration

Activities

2.1 Determine Day 1 minimum viable operating model post M&A.

2.2 Identify gaps.

2.3 Build day 1 project plan.

2.4 Estimate required resources.

Outputs

Day 1 project plan

4 Long-Term Project Plan

The Purpose

Draw long-term integration roadmap.

Key Benefits Achieved

Improved alignment with M&A goals

Greater realization of the deal’s value

Activities

3.1 Set long-term future state goals.

3.2 Create a long-term project plan.

3.3 Consult with business stakeholders on the long-term plan.

Outputs

Long-term integration project plan

5 Change Management and Continual Improvement

The Purpose

Prepare for organization and culture change.

Refine M&A I&O integration process.

Key Benefits Achieved

Smoother change management

Improved M&A integration process

Activities

4.1 Complete a change management plan.

4.2 Conduct a process post-mortem.

Outputs

Change management plan

Process improvements action items

IT Governance

  • Buy Link or Shortcode: {j2store}22|cart{/j2store}
  • Related Products: {j2store}22|crosssells{/j2store}
  • Up-Sell: {j2store}22|upsells{/j2store}
  • member rating overall impact (scale of 10): 9.2/10
  • member rating average dollars saved: $124,127
  • member rating average days saved: 37
  • Parent Category Name: Strategy and Governance
  • Parent Category Link: /strategy-and-governance
Read our concise Executive Brief to find out why you may want to redesign your IT governance, Review our methodology, and understand how we can support you in completing this process.

Assess Your Cybersecurity Insurance Policy

  • Buy Link or Shortcode: {j2store}255|cart{/j2store}
  • member rating overall impact (scale of 10): 9.1/10 Overall Impact
  • member rating average dollars saved: $33,656 Average $ Saved
  • member rating average days saved: 7 Average Days Saved
  • Parent Category Name: Governance, Risk & Compliance
  • Parent Category Link: /governance-risk-compliance
  • Organizations must adapt their information security programs to accommodate insurance requirements.
  • Organizations need to reduce insurance costs.
  • Some organizations must find alternatives to cyber insurance.

Our Advice

Critical Insight

  • Shopping for insurance policies is not step one.
  • First and foremost, we must determine what the organization is at risk for and how much it would cost to recover.
  • The cyber insurance market is still evolving. As insurance requirements change, effectively managing cyber insurance requires that your organization proactively manages risk.

Impact and Result

Perform an insurance policy comparison with scores based on policy coverage and exclusions.

Assess Your Cybersecurity Insurance Policy Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Assess Your Cybersecurity Insurance Policy Storyboard - A step-by-step document that walks you through how to acquire cyber insurance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.

  • Assess Your Cybersecurity Insurance Policy Storyboard

2. Acquire cyber insurance with confidence – Learn the essentials of the requirements gathering, policy procurement, and review processes.

Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.

  • Threat and Risk Assessment Tool
  • DRP Business Impact Analysis Tool
  • Legacy DRP Business Impact Analysis Tool
  • DRP BIA Scoring Context Example
  • Cyber Insurance Policy Comparison Tool
  • Cyber Insurance Controls Checklist

Infographic

Develop a Business Continuity Plan

  • Buy Link or Shortcode: {j2store}411|cart{/j2store}
  • member rating overall impact (scale of 10): 9.1/10 Overall Impact
  • member rating average dollars saved: $37,093 Average $ Saved
  • member rating average days saved: 30 Average Days Saved
  • Parent Category Name: DR and Business Continuity
  • Parent Category Link: /business-continuity
  • Recent crises have increased executive awareness and internal pressure to create a business continuity plan (BCP).
  • Industry and government-driven regulations require evidence of sound business continuity practices.
  • Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.
  • IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.

Our Advice

Critical Insight

  • BCP requires input from multiple departments with different and sometimes conflicting objectives. There are typically few, if any, dedicated resources for BCP, so it can't be a full-time, resource-intensive project.
  • As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP – they know their processes, and therefore, their requirements to resume business operations better than anyone else.
  • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.

Impact and Result

  • Implement a structured and repeatable process that you apply to one business unit at a time to keep BCP planning efforts manageable.
  • Use the results of the pilot to identify gaps in your recovery plans and reduce overall continuity risk while continuing to assess specific risks as you repeat the process with additional business units.
  • Enable business leaders to own the BCP going forward. Develop a template that the rest of the organization can use.
  • Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

Develop a Business Continuity Plan Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop a business continuity plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Identify BCP maturity and document process dependencies

Assess current maturity, establish a team, and choose a pilot business unit. Identify business processes, dependencies, and alternatives.

  • BCP Maturity Scorecard
  • BCP Pilot Project Charter Template
  • BCP Business Process Workflows Example (Visio)
  • BCP Business Process Workflows Example (PDF)

2. Conduct a BIA to determine acceptable RTOs and RPOs

Define an objective impact scoring scale, estimate the impact of downtime, and set recovery targets.

  • BCP Business Impact Analysis Tool

3. Document the recovery workflow and projects to close gaps

Build a workflow of the current steps for business recovery. Identify gaps and risks to recovery. Brainstorm and prioritize solutions to address gaps and mitigate risks.

  • BCP Tabletop Planning Template (Visio)
  • BCP Tabletop Planning Template (PDF)
  • BCP Project Roadmap Tool
  • BCP Relocation Checklists

4. Extend the results of the pilot BCP and implement governance

Present pilot project results and next steps. Create BCMS teams. Update and maintain BCMS documentation.

  • BCP Pilot Results Presentation
  • BCP Summary
  • Business Continuity Teams and Roles Tool

5. Appendix: Additional BCP tools and templates

Use these tools and templates to assist in the creation of your BCP.

  • BCP Recovery Workflow Example (Visio)
  • BCP Recovery Workflow Example (PDF)
  • BCP Notification, Assessment, and Disaster Declaration Plan
  • BCP Business Process Workarounds and Recovery Checklists
  • Business Continuity Management Policy
  • Business Unit BCP Prioritization Tool
  • Industry-Specific BIA Guidelines
  • BCP-DRP Maintenance Checklist
  • Develop a COVID-19 Pandemic Response Plan Storyboard
[infographic]

Workshop: Develop a Business Continuity Plan

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Define BCP Scope, Objectives, and Stakeholders

The Purpose

Define BCP scope, objectives, and stakeholders.

Key Benefits Achieved

Prioritize BCP efforts and level-set scope with key stakeholders.

Activities

1.1 Assess current BCP maturity.

1.2 Identify key business processes to include in scope.

1.3 Flowchart key business processes to identify business processes, dependencies, and alternatives.

Outputs

BCP Maturity Scorecard: measure progress and identify gaps.

Business process flowcharts: review, optimize, and allow for knowledge transfer of processes.

Identify workarounds for common disruptions to day-to-day continuity.

2 Define RTOs and RPOs Based on Your BIA

The Purpose

Define RTOs and RPOs based on your BIA.

Key Benefits Achieved

Set recovery targets based business impact, and illustrate the importance of BCP efforts via the impact of downtime.

Activities

2.1 Define an objective scoring scale to indicate different levels of impact.

2.2 Estimate the impact of downtime.

2.3 Determine acceptable RTO/RPO targets for business processes based on business impact.

Outputs

BCP Business Impact Analysis: objective scoring scale to assess cost, goodwill, compliance, and safety impacts.

Apply the scoring scale to estimate the impact of downtime on business processes.

Acceptable RTOs/RPOs to dictate recovery strategy.

3 Create a Recovery Workflow

The Purpose

Create a recovery workflow.

Key Benefits Achieved

Build an actionable, high-level, recovery workflow that can be adapted to a variety of different scenarios.

Activities

3.1 Conduct a tabletop exercise to determine current recovery procedures.

3.2 Identify and prioritize projects to close gaps and mitigate recovery risks.

3.3 Evaluate options for command centers and alternate business locations (i.e. BC site).

Outputs

Recovery flow diagram – current and future state

Identify gaps and recovery risks.

Create a project roadmap to close gaps.

Evaluate requirements for alternate business sites.

4 Extend the Results of the Pilot BCP and Implement Governance

The Purpose

Extend the results of the pilot BCP and implement governance.

Key Benefits Achieved

Outline the actions required for the rest of your BCMS, and the required effort to complete those actions, based on the results of the pilot.

Activities

4.1 Summarize the accomplishments and required next steps to create an overall BCP.

4.2 Identify required BCM roles.

4.3 Create a plan to update and maintain your overall BCP.

Outputs

Pilot BCP Executive Presentation

Business Continuity Team Roles & Responsibilities

3. Maintenance plan and BCP templates to complete the relevant documentation (BC Policy, BCP Action Items, Recovery Workflow, etc.)

Further reading

Develop a Business Continuity Plan

Streamline the traditional approach to make BCP development manageable and repeatable.

Analyst Perspective

A BCP touches every aspect of your organization, making it potentially the most complex project you’ll take on. Streamline this effort or you won’t get far.

None of us needs to look very far to find a reason to have an effective business continuity plan.

From pandemics to natural disasters to supply chain disruptions to IT outages, there’s no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?

Don’t try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:

  • Focus on one business unit at a time. Keep the effort manageable, establish a repeatable process, and produce deliverables that provide a starting point for the rest of the organization.
  • Don’t start with an extensive risk analysis. It takes too long and at the end you’ll still need a plan to resume business operations following a disruption. Rather than trying to predict what could cause a disruption, focus on how to recover.
  • Keep your BCP documentation concise. Use flowcharts, checklists, and diagrams instead of traditional manuals.

No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.

Frank Trovato

Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Andrew Sharp

Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Executive Summary

Your Challenge

  • Recent crises have increased executive awareness and internal pressure to create a BCP.
  • Industry- and government-driven regulations require evidence of sound business continuity practices.
  • Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.

IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.

Common Obstacles

  • IT managers asked to lead BCP efforts are dealing with processes and requirements beyond IT and outside of their control.
  • BCP requires input from multiple departments with different and sometimes conflicting objectives.
  • Typically there are few, if any, dedicated resources for BCP, so it can't be a full-time, resource-intensive project.

Info-Tech’s Approach

  • Focus on implementing a structured and repeatable process that can be applied to one business unit at a time to avoid BCP from becoming an overwhelming project.
  • Enable business leaders to own the BCP going forward by establishing a template that the rest of the organization can follow.
  • Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

Info-Tech Insight

As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but you must enable business leaders to own their department’s BCP practices and outputs. They know their processes and, therefore, their requirements to resume business operations better than anyone else.

Use this research to create business unit BCPs and structure your overall BCP

A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:

  • Develop a BCP for a selected business unit (as a pilot project), and thereby establish a methodology that can be repeated for remaining business units.
  • Through the BCP process, clarify requirements for an IT disaster recovery plan (DRP). Refer to Info-Tech’s Disaster Recovery Planning workshop for instructions on how to create an IT DRP.
  • Implement ongoing business continuity management to govern BCP, DRP, and crisis management.

Overall Business Continuity Plan

IT Disaster Recovery Plan

A plan to restore IT application and infrastructure services following a disruption.

Info-Tech’s disaster recovery planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

BCP for Each Business Unit

A set of plans to resume business processes for each business unit. This includes:

  • Identifying business processes and dependencies.
  • Defining an acceptable recovery timeline based on a business impact analysis.
  • Creating a step-by-step recovery workflow.

Crisis Management Plan

A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

IT leaders asked to develop a BCP should start with an IT Disaster Recovery Plan

It’s a business continuity plan. Why should you start continuity planning with IT?

  1. IT services are a critical dependency for most business processes. Creating an IT DRP helps you mitigate a key risk to continuity quicker than it takes to complete your overall BCP, and you can then focus on other dependencies such as people, facilities, and suppliers.
  2. A BCP requires workarounds for IT failures. But it’s difficult to plan workarounds without a clear understanding of the potential IT downtime and data loss. Your DRP will answer those questions, and without a DRP, BCP discussions can get bogged down in IT discussions. Think of payroll as an example: if downtime might be 24 hours, the business might simply wait for recovery; if downtime might be a week, waiting it out is not an option.
  3. As an IT manager, you can develop an IT DRP primarily with resources within your control. That makes it an easier starting point and puts IT in a better position to shift responsibility for BCP to business leaders (where it should reside) since essentially the IT portion is done.

Create a Right-Sized Disaster Recovery Plan today.

Modernize the BCP

If your BCP relies heavily on paper-based processes as workarounds, it’s time to update your plan.

Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.

Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It’s likely a completely offline process and won’t be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.

The bottom line:

Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.

Info-Tech’s approach

The traditional approach to BCP takes too long and produces a plan that is difficult to use and maintain.

The Problem: You need to create a BCP, but don’t know where to start.

  • BCP is being demanded more and more to comply with regulations, mitigate business risk, meet customer demands, and obtain insurance.
  • IT leaders are often asked to lead BCP.

The Complication: A traditional BCP process takes longer to show value.

  • Traditional consultants don’t usually have an incentive to accelerate the process.
  • At the same time, self-directed projects with no defined process go months without producing useful deliverables.
  • The result is a dense manual that checks boxes but isn’t maintainable or usable in a crisis.

A pie chart is separated into three segments, Internal Mandates 43%, Customer Demands 23%, and Regulatory Requirements 34%. The bottom of the image reads Source: Info-Tech Research Group.

The Info-Tech difference:

Use Info-Tech’s methodology to right-size and streamline the process.

  • Reduce required effort. Keep the work manageable and maintain momentum by focusing on one business unit at a time; allow that unit to own their BCP.
  • Prioritize your effort. Evaluate the current state of your BCP to identify the steps that are most in need of attention.
  • Get valuable results faster. Functional deliverables and insights from the first business unit’s BCP can be leveraged by the entire organization (e.g. communication, assessment, and BC site strategies).

Expedite BCP development

Info-Tech’s Approach to BCP:

  • Start with one critical business unit to manage scope, establish a repeatable process, and generate deliverables that become a template for remaining business units.
  • Resolve critical gaps as you identify them, generating early value and risk mitigation.
  • Create concise, practical documentation to support recovery.

Embed training and awareness throughout the planning process.

BCP for Business Unit A:

Scope → Pilot BIA → Response Plan → Gap Analysis

→ Lessons Learned:

  • Leverage early results to establish a BCM framework.
  • Take action to resolve critical gaps as they are identified.
  • BCP for Business Units B through N.
  • Scope→BIA→Response Plan→Gap Analysis

= Ongoing governance, testing, maintenance, improvement, awareness, and training.

By comparison, a traditional BCP approach takes much longer to mitigate risk:

  • An extensive, upfront commitment of time and resources before defining incident response plans and mitigating risk.
  • A “big bang” approach that makes it difficult to predict the required resourcing and timelines for the project.

Organizational Risk Assessment and Business Impact Analysis → Solution Design to Achieve Recovery Objectives → Create and Validate Response Plans

Case Study

Continuity Planning Supports COVID-19 Response

Industry: Non-Profit
Source: Info-Tech Advisory Services

A charitable foundation for a major state university engaged Info-Tech to support the creation of their business continuity plan.

With support from Info-Tech analysts and the tools in this blueprint, they worked with their business unit stakeholders to identify recovery objectives, confirm recovery capabilities and business process workarounds, and address gaps in their continuity plans.

Results

The outcome wasn’t a pandemic plan – it was a continuity plan that was applicable to pandemics. And it worked. Business processes were prioritized, gaps in work-from-home and business process workarounds had been identified and addressed, business leaders owned their plan and understood their role in it, and IT had clear requirements that they were able and ready to support.

“The work you did here with us was beyond valuable! I wish I could actually explain how ready we really were for this…while not necessarily for a pandemic, we were ready to spring into action, set things up, the priorities were established, and most importantly some of the changes we’ve made over the past few years helped beyond words! The fact that the groups had talked about this previously almost made what we had to do easy.“ -- VP IT Infrastructure

Download the BCP Case Study

Project Overview: BCP

Phases Phase 1: Identify BCP Maturity and Document Process Dependencies Phase 2: Conduct a BIA to Determine Acceptable RTOs and RPOs Phase 3: Document the Recovery Workflow and Projects to Close Gaps Phase 4: Extend the Results of the Pilot BCP and Implement Governance
Steps 1.1 Assess current BCP maturity 2.1 Define an objective impact scoring scale 3.1 Determine current recovery procedures 4.1 Consolidate BCP pilot insights to support an overall BCP project plan
1.2 Establish the pilot BCP team 2.2 Estimate the impact of downtime 3.2 Identify and prioritize projects to close gaps 4.2 Outline a business continuity management (BCM) program
1.3 Identify business processes, dependencies, and alternatives 2.3 Determine acceptable RTO/RPO targets 3.3 Evaluate BC site and command center options 4.3 Test and maintain your BCP
Tools and Templates

BCP Business Impact Analysis Tool

Results Presentation

BCP Maturity Scorecard

Tabletop Planning Template

BCP Summary

Pilot Project Charter

Recovery Workflow Examples

Business Continuity Teams and Roles

Business Process Workflows Examples

BCP Project Roadmap

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

BCP Business Impact Analysis Tool: Conduct and document a business impact analysis using this document.

BCP Recovery Workflows Example: Model your own recovery workflows on this example.

BCP Project Roadmap: Use this tool to prioritize projects that can improve BCP capabilities and mitigate gaps and risks.

BCP Relocation Checklists: Plan for and manage a site relocation – whether to an alternate site or work from home.

Key deliverable:

BCP Summary Document

Summarize your organization's continuity capabilities and objectives in a 15-page, easy-to-consume template.

This document consolidates data from the supporting documentation and tools to the right.

Download Info-Tech’s BCP Summary Document

Insight summary

Focus less on risk, and more on recovery

Avoid focusing on risk and probability analysis to drive your continuity strategy. You never know what might disrupt your business, so develop a flexible plan to enable business resumption regardless of the event.

Small teams = good pilots

Choose a small team for your BCP pilot. Small teams are better at trialing new techniques and finding new ways to think about problems.

Calculate downtime impact

Develop and apply a scoring scale to develop a more-objective assessment of downtime impact for the organization. This will help you prioritize recovery.

It’s not no, but rather not now…

You can’t address all the organization’s continuity challenges at once. Prioritize high value, low effort initiatives and create a long-term roadmap for the rest.

Show Value Now

Get to value quickly. Start with one business unit with continuity challenges, and a small, focused project team who can rapidly learn the methodology, identify continuity gaps, and define solutions that can also be leveraged by other departments right away.

Lightweight Testing Exercises

Outline recovery capabilities using lightweight, low risk tabletop planning exercises. Our research shows tabletop exercises increase confidence in recovery capabilities almost as much as live exercises, which carry much higher costs and risks.

Blueprint benefits

Demonstrate compliance with demands from regulators and customers

  • Develop a plan that satisfies auditors, customers, and insurance providers who demand proof of a continuity plan.
  • Demonstrate commitment to resilience by identifying gaps in current capabilities and projects to overcome those gaps.
  • Empower business users to develop their plans and perform regular maintenance to ensure plans don’t go stale.
  • Establish a culture of business readiness and resilience.

Leverage your BCP to drive value (Business Benefits)

  • Enable flexible, mobile, and adaptable business operations that can overcome disruptions large and small. This includes making it easier to work remotely in response to pandemics or facility disruptions.
  • Clarify the risk of the status quo to business leaders so they can make informed decisions on where to invest in business continuity.
  • Demonstrate to customers your ability to overcome disruptions and continue to deliver your services.

Info-Tech Advisory Services lead to Measurable Value

Info-Tech members told us they save an average of $44,522 and 23 days by working with an Info-Tech analyst on BCP (source: client response data from Info-Tech's Measured Value Survey).

Why do members report value from analyst engagement?

  1. Expert advice on your specific situation to overcome obstacles and speed bumps.
  2. Structure the project and stay on track.
  3. Review project deliverables and ensure the process is applied properly.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostic and consistent frameworks are used throughout all four options.

Guided Implementation

Your Trusted Advisor is a call away.

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between eight to twelve calls over the course of four to six months.

Scoping

Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.

Business Processes and Dependencies

Calls 2 - 4: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.

Conduct a BIA

Calls 5 – 7: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.

Recovery Workflow

Calls 8 – 9: Create a recovery workflow based on tabletop planning.

Documentation & BCP Framework

Call 10: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com | 1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5
Identify BCP Maturity, Key Processes, and Dependencies Conduct a BIA to Determine Acceptable RTOs and RPOs Document the Current Recovery Workflow and Projects to Close Gaps Identify Remaining BCP Documentation and Next Steps Next Steps and Wrap-Up (offsite)
Activities

1.1 Assess current BCP maturity.

1.2 Identify key business processes to include in scope.

1.3 Create a flowchart for key business processes to identify business processes, dependencies, and alternatives.

2.1 Define an objective scoring scale to indicate different levels of impact.

2.2 Estimate the impact of a business disruption on cost, goodwill, compliance, and health & safety.

2.3 Determine acceptable RTOs/RPOs for selected business processes based on business impact.

3.1 Review tabletop planning – what is it, how is it done?

3.2 Walk through a business disruption scenario to determine your current recovery timeline, RTO/RPO gaps, and risks to your ability to resume business operations.

3.3 Identify and prioritize projects to close RTO/RPO gaps and mitigate recovery risks.

4.1 Assign business continuity management (BCM) roles to govern BCP development and maintenance, as well as roles required to execute recovery.

4.2 Identify remaining documentation required for the pilot business unit and how to leverage the results to repeat the methodology for remaining business units.

4.3 Workshop review and wrap-up.

5.1 Finalize deliverables for the workshop.

5.2 Set up review time for workshop outputs and to discuss next steps.

Deliverables
  1. Baseline BCP maturity status
  2. Business process flowcharts
  3. Business process dependencies and alternatives recorded in the BIA tool
  1. Potential impact of a business disruption quantified for selected business processes.
  2. Business processes criticality and recovery priority defined
  3. Acceptable RTOs/RPOs defined based on business impact
  1. Current-state recovery workflow and timeline.
  2. RTO/RPO gaps identified.
  3. BCP project roadmap to close gaps
  1. BCM roles and responsibilities defined
  2. Workshop results deck; use this to communicate pilot results and next steps
  1. Finalized deliverables

Phase 1

Identify BCP Maturity and Document Process Dependencies

Phase 1

1.1 Assess Current BCP Maturity

1.2 Establish the pilot BCP team

1.3 Identify business processes, dependencies, and alternatives

Insights & Outcomes

Define the scope for the BCP project: assess the current state of the plan, create a pilot project team and pilot project charter, and map the business processes that will be the focus of the pilot.

Participants

  • BCP Coordinator
  • BCP Executive Sponsor
  • Pilot Business Unit Manager & Process SMEs

Step 1.1

Assess current BCP Maturity

This step will walk you through the following activities:

  • Complete Info-Tech’s BCP Maturity Scorecard

This step involves the following participants:

  • Executive Sponsor
  • BCP Coordinator

You'll use the following tools & templates:

Outcomes & Insights

Establish current BCP maturity using Info-Tech’s ISO 22301-aligned BCP Maturity Scorecard.

Evaluate the current state of your continuity plan

Use Info-Tech’s Maturity Scorecard to structure and accelerate a BCP maturity assessment.

Conduct a maturity assessment to:

  • Create a baseline metric so you can measure progress over time. This metric can also drive buy-in from senior management to invest time and effort into your BCP.
  • Understand the scope of work to create a complete business continuity plan.
  • Measure your progress and remaining gaps by updating your assessment once you’ve completed the activities in this blueprint.

This blueprint primarily addresses the first four sections in the scorecard, which align with the creation of the core components of your business continuity plan.

Info-Tech’s BCP Maturity Scorecard

Info-Tech’s maturity scorecard is aligned with ISO 22301, the international standard that describes the key elements of a functioning business continuity management system or program – the overarching set of documents, practices, and controls that support the ongoing creation and maintenance of your BCP. A fully functional BCMS goes beyond business continuity planning to include crisis management, BCP testing, and documentation management.

Audit tools tend to treat every bullet point in ISO 22301 as a separate requirement – which means there’s almost 400 lines to assess. Info-Tech’s BCP Maturity Scorecard has synthesized key requirements, minimizing repetition to create a high-level self-assessment aligned with the standard.

A high score is a good indicator of likely success with an audit.

Download Info-Tech's BCP Maturity Scorecard

Tool: BCP Maturity Scorecard

Assess your organization’s BCP capabilities.

Use Info-Tech’s BCP Maturity Scorecard to:

  • Assess the overall completeness of your existing BCP.
  • Track and demonstrate progress towards completion as you work through successive planning iterations with additional business units.
  1. Download a copy of the BCP Maturity Scorecard. On tab 1, indicate the percent completeness for each item using a 0-10 scale (0 = 0% complete, 10 = 100% complete).
  2. If you anticipate improvements in a certain area, make note of it in the “Comments” column.
  3. Review a visual representation of your overall scores on tab 2.

Download Info-Tech's BCP Maturity Scorecard

"The fact that this aligns with ISO is huge." - Dr. Bernard Jones MBCI, CBCP

Step 1.2

Establish the pilot BCP team

This step will walk you through the following activities:

  • Assign accountability, responsibility, and roles.
  • Develop a project charter.
  • Identify dependencies and alternates for those dependencies.

This step involves the following participants:

  • Executive Sponsor
  • BCP Coordinator

In this step, you’ll use these tools and templates:

Outcomes & Insights

Assign roles and responsibilities for the BCP pilot project. Set milestones and timelines for the pilot.

Take a pilot approach for BCP

Limit the scope of an initial BCP project to get to value faster.

Pilot Project Goals

  • Establish a repeatable methodology that fits your organization and will accelerate BCP development, with tangible deliverables that provide a template for the rest of the business.
  • Identify high-priority business continuity gaps for the pilot business unit, many of which will also apply to the overall organization.
  • Identify initiatives to start addressing gaps now.
  • Enable business users to learn the BCP methodology and toolset so they can own and maintain their business unit BCPs.

Accomplishments expected:

  • Define key business processes and process dependencies, and alternatives if dependencies are not available.
  • Classify key business processes by criticality for one business unit, using an objective impact scoring scale.
  • Set recovery objectives for these key processes.
  • Document workarounds and recovery plans.
  • Identify gaps in recovery plans and list action items to mitigate risks.
  • Develop a project plan to structure a larger continuity project.

What not to expect from a pilot project:

  • A complete organizational BCP (the pilot is a strong starting point).
  • Implemented solutions to all BCP gaps (proposed solutions will need to be evaluated first).

Structure IT’s role in continuity planning

Clearly define IT’s role in the pilot BCP project to deliver a successful result that enables business units to own BCP in the future.

Though IT is a critical dependency for most processes, IT shouldn’t own the business continuity plan. IT should be an internal BCP process consultant, and each business unit must own their plan.

IT should be an internal BCP consultant.

  • IT departments interact with all business units, which gives IT leaders at least a high-level understanding of business operations across the organization.
  • IT leaders typically also have at least some knowledge of disaster recovery, which provides a foundation for tackling BCP.
  • By contrast, business leaders often have little or no experience with disaster recovery, and don’t have the same level of experience as IT when it comes to working with other business units.

Why shouldn’t IT own the plan?

  • Business unit managers have the authority to direct resources in their department to participate in the BCP process.
  • Business users are the experts in their processes, and are in the best position to identify dependencies, downtime impacts, recovery objectives, and viable solutions (e.g., acceptable alternate sites or process workarounds).
  • Ultimately, business unit managers and executives must decide whether to mitigate, accept, or transfer risks.

Info-Tech Insight

A goal of the pilot is to seed success for further planning exercises. This is as much about demonstrating the value of continuity planning to the business unit, and enabling them to own it, as it is about implementing the methodology successfully.

Create a RACI matrix for the pilot

Assemble a small, focused team for the pilot project empowered to discover, report, and present possible solutions to continuity planning challenges in your organization.

Outline roles and responsibilities on the pilot team using a “RACI” exercise. Remember, only one party can be ultimately accountable for the work being completed.

Example Pilot BCP Project RACI

Board Executive Team BCP Executive Sponsor BCP Team Leader BCP Coordinator Pilot Bus. Unit Manager Expert Bus. Unit Staff IT Manager
Communicate BCP project status I I I A R C C I
Assign resources to pilot BCP project A R C R C R
Conduct continuity planning activities I A/R R R R R
Create pilot BCP deliverables I A R R C C C
Manage BCP documentation I A C R I C C
Integrate results into BCMS I I A R R I C C
Create overall BCP project plan I I A R C C

R: Responsible for doing the work.

A: Accountable to ensure the activity/work happens.

C: Consulted prior to decision or action.

I: Informed of the decision/action once it’s made.

"Large teams excel at solving problems, but it is small teams that are more likely to come up with new problems for their more sizable counterparts to solve." – Wang & Evans, 2019

Info-Tech Insight

Small teams tend to be better at trialing new techniques and finding new ways to think about problems, both of which are needed for a BCP pilot project.

Choose one business unit for the pilot

Many organizations begin their BCP project with a target business unit in mind. It’s still worth establishing whether this business unit meets the criteria below.

Good candidates for a pilot project:

  • Business processes are standardized and documented.
  • Management and staff are motivated to improve business continuity.
  • The business unit is sufficiently well resourced to spare time (e.g. a few hours a week) to dedicate to the BCP process.
  • If the business unit doesn’t meet these criteria, consider addressing shortfalls before the pilot (e.g. via stakeholder management or business process analysis) or selecting another unit.
  • Many of the decisions will ultimately require input and support from the business unit’s manager(s). It is critical that they are bought into and engaged with the project.
  • The leader of the first business unit will be a champion for BCP within the executive team.
  • Sometimes, there’s no clear place to start. If this is the case for you, consider using Info-Tech’s Business Unit BCP Prioritization Tool to determine the order in which business units should undergo BCP development.

Create role descriptions for the pilot project

Use these role descriptions and your RACI chart to define roles for the pilot.

These short descriptions establish the functions, expectations, and responsibilities of each role at a more granular level.

The Board and executives have an outsized influence on the speed at which the project can be completed. Ensure that communication with these stakeholders is clear and concise. Avoid involving them directly in activities and deliverable creation, unless it’s required by their role (e.g. as a business unit manager).

Project Role Description
Board & Executive Team
  • Will receive project status updates but are not directly involved in deliverable creation.
Executive Sponsor
  • Liaison with the executive team.
  • Accountable to ensure the pilot BCP is completed.
  • Set project goals and approve resource allocation and funding.
Pilot Business Unit Manager
  • Drive the project and assign required resources.
  • Delegate day-to-day project management tasks to the BCP Coordinator.
BCP Coordinator
  • Function as the project manager. This includes scheduling activities, coordinating resources, reporting progress, and managing deliverables.
  • Learn and apply the BCP methodology to achieve project goals.
Expert Business Unit Staff
  • Pilot business unit process experts to assist with BCP development for that business unit.
IT Manager
  • Provide guidance on IT capabilities and recovery options.
Other Business Unit Managers
  • Consulted to validate or provide input to the business impact analysis and RTOs/RPOs.

Identify a suitable BCP Coordinator

A skilled and committed coordinator is critical to building an effective and durable BCP.

  • Coordinating the BC planning effort requires a perspective that’s informed by IT, but goes beyond IT.
  • For example, many IT professionals only see business processes where they intersect with IT. The BCP Coordinator needs to be able to ask the right questions to help the business units think through dependencies for critical processes.
  • Business analysts can thrive in this role, which requires someone effective at dissecting business processes, working with business users, identifying requirements, and managing large projects.

Structure the role of the BCP Coordinator

The BCP Coordinator works with the pilot business unit as well as remaining business units to provide continuity and resolve discrepancies as they come up between business units.

Specifically, this role includes:

  • Project management tasks (e.g. scheduling, assigning tasks, coordinating resources, and reporting progress).
  • Learning the BCP methodology (through the pilot) so that this person can lead remaining business units through their BCP process. This enables the IT leader who had been assigned to guide BCP development to step back into a more appropriate consulting role.
  • Managing the BCP workflow.

"We found it necessary to have the same person work with each business unit to pass along lessons learned and resolve contingency planning conflicts for common dependencies." – Michelle Swessel, PM and IT Bus. Analyst, Wisconsin Compensation Rating Bureau (WCRB)

Template: Pilot Project Charter

Formalize participants, roles, milestones, risks for the pilot project.

Your charter should:

  1. Define project parameters, including drivers, objectives, deliverables, and scope.
  2. Identify the pilot business unit.
  3. Assign a BCP pilot team, including a BCP Coordinator, to execute the methodology.
  4. Define before-and-after metrics to enable the team to measure pilot success.
  5. Set achievable, realistic target dates for specific project milestones.
  6. Document risks, assumptions, and constraints.

Download Info-Tech’s BCP Pilot Project Charter Template

Step 1.3

Identify business processes, dependencies, and alternatives

This step will walk you through the following activities:

  • Identify key business processes.
  • Document the process workflow.
  • Identify dependencies and alternates for those dependencies.

This step involves the following participants:

  • BCP Coordinator
  • Pilot Business Unit Manager
  • Expert Business Unit Staff

You'll use the following tools & templates:

Outcomes & Insights

Documented workflows, process dependencies, and workarounds when dependencies are unavailable.

Flowchart business processes

Workflows help you visually identify process dependencies and optimization opportunities.

  • Business continuity planning is business process focused. You need to document business processes, dependencies, and downtime workarounds.
  • Process documentation is a basic BCP audit requirement, but it will also:
    • Keep discussions about business processes well-scoped and focused – by documenting the process, you also clarify for everyone what you’re actually talking about.
    • Remind participants of process dependencies and workarounds.
    • Make it easier to spot possible process breakdowns or improvements.
    • Capture your work, which can be used to create or update SOP documentation.
  • Use flowcharts to capture process workflows. Flowcharts are often quicker to create, take less time to update, and are ultimately more usable than a dense manual.

Info-Tech Insight

Process review often results in discovering informal processes, previously unknown workarounds or breakdowns, shadow IT, or process improvement opportunities.

1.3.1 Prioritize pilot business unit processes

Input

  • List of key business unit processes.

Output

  • List of key business unit processes, now prioritized (at a high-level)

Materials

  • Whiteboard/flip charts
  • BCP Business Impact Analysis Tool

Participants

  • BCP Coordinator (leads the discussion)
  • Pilot Business Unit Manager

30 minutes

  1. Create a list of all formal and informal business processes executed by the pilot business unit.
  2. Discuss the impact of process downtime, and do a quick assessment whether impact of downtime for each process would be high, medium, or low across each of these criteria:
    • Revenue or costs (e.g. supports sales, billing, or productivity)
    • Goodwill (e.g. affects internal or external reputation)
    • Compliance (e.g. affects legal or industry requirements)
    • Health or safety (e.g. affects employee/public health & safety)

Note: A more in-depth analysis will be conducted later to refine priorities. The goal here is a high-level order of priority for the next steps in the planning methodology (identify business processes and dependencies).

  1. In the BCP Business Impact Analysis Tool, Processes and Dependencies tab, record the following:
    • The business processes in rough order of criticality.
    • For each process, provide a brief description that focuses on purpose and impact.
    • For each process, name a process owner (i.e. accountable for process completion – could be a manager or senior staff, not necessarily those executing the process).

1.3.2 Review process flows & identify dependencies

Input

  • List of key business unit processes (prioritized at a high level in Activity 1.3.1).
  • Business process flowcharts.

Output

  • Business process flowcharts

Materials

  • Whiteboard/flip charts
  • Microsoft Visio, or other flowcharting software
  • BCP Business Impact Analysis Tool

Download Info-Tech’s Business Process Workflows Example

1.5 hours

  1. Use a whiteboard to flowchart process steps. Collaborate to clarify process steps and dependencies. If processes are not documented, use this as an opportunity to create standard operating procedures (SOPs) to drive consistency and process optimization, as described in the Info-Tech blueprint, Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind.
  2. Record the dependencies in tab 1 of the BCP Business Impact Analysis Tool in the appropriate columns:
    • People – Anyone involved in the process, from providing guidance to executing the steps.
    • IT Applications – Core IT services (e.g. ERP, CRM) required for this process.
    • End-user devices & equipment – End-user devices, locally-installed apps, IoT, etc.
    • Facility – Any special requirements beyond general office space.
    • Suppliers & Service Providers – Third-parties who support this process.

Info-Tech Insight

Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the go-to staff members who are well versed in how a process works.

1.3.3 Document workarounds

Input

  • Business process flowcharts.
  • List of process dependencies.

Output

  • Workarounds and alternatives in the event dependencies aren’t available.

Materials

  • BCP Business Impact Analysis Tool

Participants

  • BCP Coordinator (facilitates the activity)
  • Pilot Business Unit Manager
  • Business Process Subject Matter Experts (SMEs)

1.5 hours

Identify alternatives to critical dependencies to help you create contingency plans.

  1. For each business process, identify known alternatives for each primary dependency. Ignore for the moment how long the workaround or alternate would be feasible.
  2. Record alternatives in the Business Continuity Business Impact Analysis Tool, Processes and Dependencies tab, Alternatives columns (a separate column for each category of dependency):
    • People – Can other staff execute the process steps? (Example: managers can step in if needed.)
    • IT Applications – Is there a manual workaround or other alternative while enterprise technology services are unavailable? (Example: database is down, but data is stored on physical forms.)
    • End-User Devices and Equipment – What alternatives exist to the usual end-user technologies, such as workstations and desk phones? (Example: some staff have cell phones.)
    • Facility Location and Requirements – Is there an alternate location where this work can be conducted? (Example: work from home, or from another building on the campus.)
    • Suppliers and External Services – Is there an alternative source for key suppliers or other external inputs? (Example: find alternate suppliers for key inputs.)
    • Additional Inputs or Requirements – What workarounds exist for additional artifacts that enable process steps (e.g. physical inventory records, control lists)? (Example: if hourly pay information is missing, run the same payroll as the previous run and reconcile once that information is available.)

Phase 2

Conduct a BIA to Determine Acceptable RTOs and RPOs

Phase 2

2.1 Define an objective impact scoring scale

2.2 Estimate the impact of downtime

2.3 Determine acceptable RTO/RPO targets

Insights & Outcomes

Assess the impact of business process downtime using objective, customized impact scoring scales. Sort business processes by criticality and by assigning criticality tiers, recovery time, and recovery point objectives.

Participants

  • BCP Coordinator
  • Pilot Business Unit Manager
  • Business Process SMEs

Step 2.1

Define an objective scoring scale

This step will walk you through the following activities:

  • Identify impact criteria that are relevant to your business.
  • Create a scale that defines a range of impact for relevant criteria.

This step involves the following participants:

  • BCP Coordinator
  • Pilot Business Unit Manager
  • Expert Business Unit Staff

In this step, you’ll use these tools and templates:

Outcomes & Insights

Define an impact scoring scale relevant to your business, which allows you to more-objectively assess the impact of business process downtime.

Set appropriate recovery objectives

Recovery time and recovery point objectives should align with business impact.

The activities in Phase 2 will help you set appropriate, acceptable recovery objectives based on the business impact of process downtime.

  • The recovery time objective (RTO) and recovery point objective (RPO) are the recovery goals set for individual processes and dependencies to ensure your business unit meets its overall acceptable recovery timeline.

For example:

  • An RTO of four hours means staff and other required resources must be available to support the business processes within four hours of an incident (e.g. relocate to an alternate worksite if necessary, access needed equipment, log-in to needed systems, get support for completing the process from alternate staff, etc.)
  • An RPO of four hours for a customer database means the most recent secondary copy of the data must never be more than four hours old – e.g. running a backup every four hours or less.

Conduct a Business Impact Analysis (BIA)

Create Impact Scoring Scales→Assess the impact of process downtime→Review overall impact of process downtime→Set Criticality Tiers→Set Recovery Time and Recovery Point Objectives

Create financial impact scales

Identify maximum cost and revenue impacts to build financial impact scales to measure the financial impact of process downtime.

Work with the Business Unit Manager and Executive Sponsor to identify the maximum impact in each category to the entire business. Use a worst-case scenario to estimate the maximum for each scale. In the future, you can use this scoring scale to estimate the impact of downtime for other business units.

  • Loss of Revenue: Estimate the upper bound for this figure from the previous year, and divide that by the number of business days in the year. Note: Some organizations may choose to exclude revenue as a category where it won’t be lost (e.g. public-sector organizations).
  • Loss of Productivity: Proxy for lost workforce productivity using payroll numbers. Use the fully loaded payroll for the company, divided by the number of working days in the year as the maximum.
  • Increased Operating Costs: Isolate this to known additional costs resulting from a disruption. Does the interruption itself increase operating costs (e.g. if using timesheets for hourly/contract employees and that information is lost or unavailable, do you assume a full work week)?
  • Financial Penalties: If there are known financial penalties (e.g. due to failure to meet SLAs or other contractual obligations), include those values in your cost estimates.

Info-Tech Insight

Cost estimates are like hand grenades and horseshoes: you don’t need to be exact. It’s much easier to get input and validation from other stakeholders when you have estimates. Even weak estimates are far better than a blank sheet.

Create goodwill, compliance, and safety impact scales

Create a quantitative, more-objective scoring scale for goodwill, compliance and safety by following the guidance below.

  • Impact on Customers: By default, the customer impact scale is based on the percent of your total customer base impacted. You can also modify this scale to include severity of impact or alter it to identify the maximum number of customers that would be impacted.
  • Impact on Staff: Consider staff that are directly employed by the organization or its subsidiaries.
  • Impact on Business Partners: Which business partners would be affected by a business disruption?
  • Impact on Health & Safety: Consider the extent to which process downtime could increase the risk of the health & safety of staff, customers, and the general public. In addition, degradation of health & safety services should be noted.
  • Impact on Compliance: Set up the scale so that you can capture the impact of any critical regulatory requirements that might not be met if a particular process was down for 24 hours. Consider whether you expect to receive leeway or a grace period from the governance body that requires evidence of compliance.

Info-Tech Best Practice

Use just the impact scales that are relevant to your organization.

Tool: Impact Scoring Scales

  • Define 4-point scoring scales in the BCP business impact analysis tool for a more objective assessment than gut-feel rankings.
  • You don’t need to include every category, if they aren’t relevant to your organization.
  • Refine the scoring scale as needed through the pilot project.
  • Use the same scoring scale for impact analyses with additional business units in the future.

An image depicting the Business Impact Analysis Tool. A note pointing to the Level of Impact and Direct Cost Impact Scales columns states: Add the maximum cost impacts across each of the four impact scales to the tool. The rest of the scale will auto-populate based on the criteria outlined in the “Level of Impact” column. A note pointing to the column headers states: Change the names of the column headers in this tab. The changes to column headers will populate across the rest of the tool. Indicate exclusions from the scale here. A note pointing to the Goodwill Impact Scales columns reads: Update the Goodwill impact scales. For example, perhaps a critical impact on customers could be defined as “a significant impact on all customers using the organization’s services in a 24-hour period.” A note pointing to the Compliance, Heath and Safety Impact Scales columns reads: Review the compliance and safety impact scales, and update as required.

Step 2.2

Estimate the impact of downtime

This step will walk you through the following activities:

  • Apply the scoring scale developed in step 2.1 to assess the impact of downtime for specific business processes.

This step involves the following participants:

  • BCP Coordinator
  • Pilot Business Unit Manager
  • Expert Business Unit Staff

In this step, you’ll use these tools and templates:

Outcomes & Insights

Develop an objective view of the impact of downtime for key business processes.

2.2.1 Estimate the impact of downtime

1.5 hours

Input

  • List of business processes, dependencies, and workarounds, all documented in the BIA tool.

Output

  • Impact of downtime scores for key business unit processes.

Materials

  • BCP Business Impact Analysis Tool

Participants

  • BCP Coordinator (facilitates the discussion)
  • Business Process Subject Matter Experts (SMEs)
  • Pilot Business Unit Manager
  1. Print a copy of the Scoring Criteria tab to use as a reference, or have it open on another screen. In tab 3 of the BCP Business Impact Analysis Tool use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the Scoring Criteria tab.
  2. Work horizontally across all categories for a single process. This will set a benchmark, familiarize you with the scoring system, and allow you to modify any scoring scales if needed. In general, begin with the process that you know to be most critical.
    • For example, if call center sales operations are down:
      • Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 2 or 3 depending on the proportion of sales generated through the call center.
      • The Impact on Customers might be a 1 or 2 depending on the extent that existing customers might be using the call center to purchase new products or services.
      • The Legal/Regulatory Compliance and Health or Safety Risk might be a 0.
  3. Next, work vertically across all processes within a single category. This will allow you to compare scores within the category as you create them.

Tool: Impact Analysis

  • The goal of the exercise is to arrive at a defensible ranking of process criticality, based on the impact of downtime.
  • Make sure participants can see the scores you’re assigning during the exercise (e.g. by writing out the scores on a whiteboard, or displaying the tool on a projector or screen) and can reference the scoring scales tab to understand what the scores mean.
  • Take notes to record the rationale behind the impact scores. Consider assigning note-taking duties to one of the participants.

An image of the Impact Analysis Tool. A note pointing to the column headings states: Any customized column headings from tab 2, Scoring Criteria are automatically ported to this tab. A note pointing to the Impact on Goodwill columns reads: Score each application across each scoring scale from 0 to 4. Be sure to refer back to the scoring scale defined in tab 2. Have the scoring scale printed out, written on a whiteboard, or displayed on a separate screen. A note pointing to the tool's dropdown boxes states: Score categories using the drop-down boxes. A note pointing to the centre columns reads: Ignore scoring for categories you choose to exclude. You can hide these columns to clean up the tool if needed.

2.2.2 Sort processes into Criticality Tiers

30 minutes

Input

  • Processes, with assigned impact scores (financial impact, goodwill impact, compliance and safety impact).

Output

  • Business processes sorted into criticality tiers, based on the impact of downtime.

Materials

  • BCP Business Impact Analysis Tool

Participants

  • BCP Coordinator (facilitates the discussion)
  • Business Process Subject Matter Experts (SMEs)
  • Pilot Business Unit Manager
  1. In general, consider the Total Impact on Goodwill, Compliance, and Safety first.
    • An effective tactic to start the process is to assign a tier 1 rating to all processes with a Goodwill, Compliance, and Safety score that’s 50% or more of the highest total score, tier 2 where scores are between 25% and 50%, and tier 3 where scores are below 25% (see table below for an example).
    • In step 2.3, you’ll align recovery time objectives with the criticality tiers. So, Tier 1 processes will target recovery before Tier 2 processes, and Tier 2 processes will target recovery before Tier 3 processes.
  2. Next, consider the Total Cost of Downtime.
  • The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the estimates in the BIA.
  • Consider whether the total cost impact justifies changing the criticality rating. “Smoke test” categorization with participants. Are there any surprises (processes more or less critical than expected)?
  • If the categorization doesn’t seem right, check that the scoring scale was applied consistently.
  • Example: Highest total Goodwill, Compliance, and Safety impact score is 18.

    Tier Score Range % of high score
    Tier 1 - Gold 9-18 50-100%
    Tier 2 - Silver 5 to 9 25-50%
    Tier 3 - Bronze 0 to 5 0-25%

    Step 2.3

    Determine acceptable RTO and RPO targets

    This step will walk you through the following activities:

    • Identify acceptable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for business processes.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes and Insights

    Right-size recovery objectives based on business impact.

    Right-size recovery objectives

    Acceptable RTOs and RPOs must be right-sized to the impact of downtime.

    Rapid recovery typically requires more investment.

    The impact of downtime for most business processes tends to look something like the increasing impact curve in the image to the right.

    In the moments after a disruption, impact tends to be minimal. Imagine, for example, that your organization was suddenly unable to pay its suppliers (don’t worry about the reason for the disruption, for the moment). Chances are, this disruption wouldn’t affect many payees if it lasted just a few minutes, or even a few hours. But if the disruption were to continue for days, or weeks, the impact of downtime would start to spiral out of control.

    In general, we want to target recovery somewhere between the point where impact begins, and the point where impact is intolerable. We want to balance the impact of downtime with the investment required to make processes more resilient.

    Info-Tech Insight

    Account for hard copy files as well as electronic data. If that information is lost, is there a backup? BCP can be the driver to remove the last resistance to paperless processes, allowing IT to apply appropriate data protection.

    Set recovery time objectives and recovery point objectives in the “Debate Space”

    A graph with the X axis labelled as: Increasing downtime/data loss and the Y-axis labelled Increasing Impact. The graph shows a line rising as impact and downtime/data loss increase, with the lowest end of the line (on the left) labelled as minimal impact, and the highest point of the line (on the right) labelled maximum tolerance. The middle section of the line is labelled as the Debate Space, and a note reads: Acceptable RTO/RPO must be between Low Impact and Maximum Tolerance

    2.3.1 Define process-level recovery objectives

    1 hour

    Input

    • Processes, ranked by criticality.

    Output

    • Initial business-defined recovery objectives for each process.

    Materials

    • BCP Business Impact Analysis Tool

    Participants

    • BCP Coordinator (facilitates the discussion)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager
    1. Review the “Debate Space” diagram (shown in previous section) with all participants.
    2. Ask business participants for each process: how much downtime is tolerable, acceptable, or appropriate? How much data loss is tolerable?
      • If participants aren’t yet comfortable setting recovery objectives, identify the point at which downtime and data loss first becomes noticeable and the point at which downtime and data loss becomes intolerable.
      • Choose an RTO and RPO for each process that falls within the range set by these two extremes.

    RTOs and RPOs are business-defined, impact-aligned objectives that you may not be able to achieve today. It may require significant investments of time and capital to enable the organization to meet RTO and RPO.

    2.3.2 Align RTOs within and across criticality tiers

    1 hour

    Input

    • Results from pilot BCP impact analysis.

    Output

    • Initial business-defined recovery objectives for each process.

    Materials

    • BCP Business Impact Analysis Tool
    • Whiteboard/ flipchart

    Participants

    • BCP Coordinator
    • BCP Project Sponsor
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager (optional)

    Set a range for RTO for each Tier.

    1. Start with your least critical/Tier 3 processes. Use the filter in the “Criticality Rating” column in the Impact Analysis tab of the BIA tool to show only Tier 3 processes.
      • What range of RTOs did the group assign for processes in this Tier? Does the group agree that these targets are appropriate for these processes?
      • Record the range of RTOs on the whiteboard or flipchart.
    2. Next, look at Tier 2 processes. Use the same filter to show just Tier 2 processes.
      • Record the range of RTOs, confirm the range with the group, and ensure there’s no overlap with the Tier 3 range.
      • If the RTOs in one Tier overlap with RTOs in another, you’ll need to adjust RTOs or move processes between Tiers (if the impact analysis justifies it).
    Tier RTO
    Tier 1 4 hrs- 24 hrs
    Tier 2 24 hrs - 72 hrs
    Tier 3 72 hrs - 120 hrs

    Phase 3

    Document the Recovery Workflow and Projects to Close Gaps

    3.1 Determine current recovery procedures

    3.2 Identify and prioritize projects to close gaps

    3.3 Evaluate business continuity site and command center options

    Insights & Outcomes

    Outline business recovery processes. Highlight gaps and risks that could hinder business recovery. Brainstorm ideas to address gaps and risks. Review alternate site and business relocation options.

    Participants

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Business Process SMEs

    Step 3.1

    Determine current recovery procedures

    This step will walk you through the following activities:

    • Create a step-by-step, high-level recovery workflow.
    • Highlight gaps and risks in the recovery workflow.
    • Test the workflow against multiple scenarios.

    This step involves the following participants:

    • BCP Coordinator
    • Crisis Management Team
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Establish steps required for business recovery and current recovery timelines.

    Identify risks & gaps that could delay or obstruct an effective recovery.

    Conduct a tabletop planning exercise to draft business recovery plans

    Tabletop exercises are the most effective way to test and increase business confidence in business recovery capabilities.

    Why is tabletop planning so effective?

    • It enables you play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more frequently than other testing methodologies.
    • It provides a thorough test of your recovery workflow since the exercise is, essentially, paper-based.
    • After you have a BCP in place, this exercise can continue to be a valuable testing exercise for BCP to capture changes in your recovery process.

    A graph titled: Tabletop planning had the greatest impact on respondent confidence in meeting recovery objectives. The graph shows that the relative importance of Tabletop Planning is 57%, compared to 33% for Unit Testing, 3% for Simulation Testing, 6% for Parallel Testing, and 2% for Full-Scale Testing. The source for the graph is Info-Tech Research Group.

    Step 2 - 2 hours
    Establish command center.

    Step 2: Risks

    • Command center is just 15 miles away from primary site.

    Step 2: Gaps

    • Confirm what’s required to set up the command center.
    • Who has access to the EOC?
    • Does the center have sufficient bandwidth, workstations, phones, telephone lines?

    3.1.1 Choose a scenario for your first tabletop exercise

    30 minutes

    Input

    • List of past incidents.
    • Risks to business continuity that are of high concern.

    Output

    • Scenario for the tabletop exercise.

    Materials

    • N/A

    Participant

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot business unit manager

    At the business unit level, the goal is to define a plan to resume business processes after an incident.

    A good scenario is one that helps the group focus on the goal of tabletop planning – to discuss and document the steps required to recover business processes. We suggest choosing a scenario for your first exercise that:

    • Disrupts many process dependencies (i.e. facilities, staff, IT services, suppliers).
    • Does not result in major property damage, harm, or loss of life. Business resumption is the focus of this exercise, not emergency response.
    • Has happened in the past, or is of concern to the business.

    An example: a gas leak at company HQ that requires the area to be cordoned off and power to be shut down. The business must resume processes from another location without access to materials, equipment, or IT services at the primary location.

    A plan that satisfies the gas leak scenario should meet the needs of other scenarios that affect your normal workspace. Then use BCP testing to validate that the plan meets a wider range of incidents.

    3.1.2 Define the BCP activation process

    1 hour

    Input

    • Any existing crisis management, incident response or emergency response plans.
    • BC Scenario.

    Output

    • High level incident notification, assessment, and declaration workflow.

    Materials

    • Cue cards, sticky notes, whiteboard and markers, or Visio template.

    Participants

    • BCP Coordinator
    • Crisis Management Team (if one exists)
    • Business Process SMEs
    • Pilot Business Unit Manager

    Answer the questions below to structure your notification, assessment, and BCP activation procedures.

    Notification

    How will you be notified of a disaster event? How will this be escalated to leadership? How will the team responsible for making decisions coordinate (if they can’t meet on-site)? What emergency response plans are in place to protect health and safety? What additional steps are involved if there’s a risk to health and safety?

    Assessment

    Who’s in charge of the initial assessment? Who may need to be involved in the assessment? Who will coordinate if multiple teams are required to investigate and assess the situation? Who needs to review the results of the assessment, and how will the results of the assessment be communicated (e.g. phone bridge, written memo)? What happens if your primary mode of communication is unavailable (e.g. phone service is down)?

    Declaration

    Who is responsible today for declaring a disaster and activating business continuity plans? What are the organization’s criteria for activating continuity plans, and how will BCP activation be communicated? Establish a crisis management team to guide the organization through a wide range of crises by Implementing Crisis Management Best Practices.

    3.1.3 Document the business recovery workflow

    1 hour

    Input

    • Pilot BIA.
    • Any existing crisis management, incident response, or emergency response plans.
    • BC Scenario

    Output

    • Outline of your BCP declaration and business recovery plan.

    Materials

    • Cue cards, sticky notes, whiteboard and markers, or Visio template.

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager

    Do the following:

    1. Create separate flows for facility, IT, and staff disruptions. Include additional workflows as needed.
      • We suggest you outline the recovery process at least to the point where business processes are restored to a minimum viable functional level.
    2. On white cue cards:
      1. Record the step.
      2. Indicate the task owner.
      3. Estimate how long the step will take.
    3. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
    4. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

    Info-Tech Best Practice

    Tabletop planning is most effective when you keep it simple.

    • Be focused; stay on task and on time.
    • Revisit each step and record risks and mitigation strategies.
    • Discuss each step from start to finish.
    • Revise the plan with key task owners.
    • Don’t get weighed down by tools.
    • Simple tools, like cue cards or whiteboards, can be very effective.

    Tool: BCP Recovery Workflow

    Document the steps you identified in the tabletop to create your draft recovery workflow.

    Why use a flowchart?

    • Flowcharts provide an at-a-glance view, are ideal for crisis scenarios where pressure is high and effective, and where timely communication is necessary.
    • For experienced managers and staff, a high-level reminder of process flows or key steps is sufficient.
    • Where more detail is required, include links to supporting documentation (which could include checklists, vendor documentation/contracts, other flowcharts, etc.)

    Create one recovery workflow for all scenarios.

    Traditional planning calls for separate plans for different “what-if” scenarios. This is challenging not just because it’s a lot more documentation – and maintenance – but because it’s impossible to predict every possible incident. Use the template, aligned to recovery of process dependencies, to create one recovery workflow for each business unit that can be used in and tested against different scenarios.

    Download Info-Tech’s BCP Recovery Workflow Example

    "We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director-IT Operations, Healthcare Industry

    "Very few business interruptions are actually major disasters. It’s usually a power outage or hardware failure, so I ensure my plans address ‘minor’ incidents as well as major disasters."- BCP Consultant

    3.1.4 Document achievable recovery metrics (RTA/RPA)

    30 minutes

    Input

    • Pilot BCP BIA.
    • Draft recovery workflow.

    Output

    • RTA and RPA for each business process.

    Materials

    • Pilot BCP BIA.

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager

    Add the following data to your copy of the BCP Business Impact Analysis Tool.

    1. Estimate the recovery time achievable (RTA) for each process based on the required time for the process to be restored to a minimum acceptable functional level. Review your recovery workflow to identify this timeline. For example, if the full process from notification, assessment, and declaration to recovery and relocation would take a full day, set the RTA to 24 hours.
    2. Estimate the recovery point achievable (RPA) for each process based on the maximum amount of data that could be lost. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and the achievable RPO is 24 hours. Note: Enter a value of 9999 to indicate that data is unrecoverable.

    Info-Tech Insight

    Operating at a minimum acceptable functional level may not be feasible for more than a few days or weeks. Develop plans for immediate continuity first, then develop further plans for long-term continuity processes as required. Recognize that for longer term outages, you will evolve your plans in the crisis to meet the needs of the situation.

    3.1.5 Test the workflow of other scenarios

    1 hour

    Input

    • Draft recovery workflow.

    Output

    • Updated draft recovery workflow.

    Materials

    • Draft recovery workflow.
    • Projector or screen.

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager

    Work from and update the soft copy of your recovery workflow.

    1. Would any steps change if the scenario changes? If yes, capture the different flow with a decision diamond. See the example Recovery Workflow for a workflow that uses decision diamonds. Identify any new gaps or risks you encounter with red and yellow cards.
    2. Make sure the decision diamonds are as generalized as possible. For example, instead of creating a separate response plan for each scenario that would require you to relocate from your existing building, create one response plan for relocation and one response plan for remaining in place.
    3. See the next section for some examples of different types of scenarios that you may include in your recovery workflow.

    Info-Tech Insight

    Remember that health and safety risks must be dealt with first in a crisis. The business unit recovery workflow will focus on restoring business operations after employees are no longer at risk (e.g. the risk has been resolved or employees have been safely relocated). See Implement Crisis Management Best Practices for ideas on how to respond to and assess a wide range of crises.

    Not all scenarios will have full continuity plans

    Risk management is a business decision. Business continuity planning can help decision makers understand and decide on whether to accept or mitigate high impact, low probability risks.

    For some organizations, it’s not practical or possible to invest in the redundancy that would be necessary to recover in a timely manner from certain major events.

    Leverage existing risk management practices to identify key high impact events that could present major business continuity challenges that could cause catastrophic disruptions to facility, IT, staffing, suppliers, or equipment. If you don’t have a risk register, review the scenarios on the next slide and brainstorm risks with the working group.

    Work through tabletop planning to identify how you might work through an event like this, at a high level. In step 3.2, you can estimate the effort, cost, and benefit for different ideas that can help mitigate the damage to the business to help decision makers choose between investment in mitigation or accepting the risk.

    Document any scenarios that you identify as outside the scope of your continuity plans in the “Scope” section of your BCP Summary document.

    For example:

    A single location manufacturing company is creating a BCP.

    The factory is large and contains expensive equipment; it’s not possible to build a second factory for redundancy. If the factory is destroyed, operations can’t be resumed until the factory is rebuilt. In this case, the BCP outlines how to conduct an orderly business shutdown while the factory is rebuilt.

    Contingency planning to resume factory operations after less destructive events, as well as a BCP for corporate services, is still practical and necessary.

    Considerations for other BCP scenarios

    Scenario Type Considerations
    Local hazard (gas leak, chemical leak, criminal incident, etc.)
    • Systems might be accessible remotely, but hands-on maintenance will be required eventually. “Work from home” won’t be a long-term solution.
    • An alternate site is required for service continuity. Can be within normal commuting distance.
    Equipment/building damage (fire, roof collapse, etc.)
    • Equipment will need repair or replacement (vendor involvement).
    • An alternate site is required for service continuity. Can be nearby.
    Regional natural disasters
    • Utilities may be affected (power, running water, etc.).
    • Expect staff to take care of their families first before work.
    • A geographically distant alternate site is required for service continuity.
    Supplier failure (IT provider outage, disaster at supplier, etc.)
    • Service-level agreements are important to establish recovery timelines. Review contracts and master services agreements.
    Staff (lottery win, work stoppage, pandemic/quarantine)
    • Staff are suddenly unavailable. Expect that no warm handoff to alternates is possible and that time to ramp up on the process is accounted for.
    • In a pandemic scenario, work from home, remote toolsets, and digital/contactless workflows become critical.

    Step 3.2

    Identify and prioritize projects to close gaps

    This step will walk you through the following activities:

    • Brainstorm solutions to identified gaps and risks.
    • Prioritize projects and action items to close gaps and risks.
    • Assess the impact of proposed projects on the recovery workflow.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Identify and prioritize projects and action items that can improve business continuity capabilities.

    3.2.1 Brainstorm solutions to address risks and gaps

    1 hour

    Input

    • Draft recovery workflow.
    • Known continuity risks and gaps.

    Output

    • Ideas for action items and projects to improve business continuity.

    Materials

    • Flipchart

    Participants

    • BCP Coordinator (facilitates the exercise)
    • Business Process Subject Matter Experts (SMEs)
    • Pilot Business Unit Manager
    1. Review each of the risk and gap cards from the tabletop exercise.
    2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip chart paper. The solutions can range from quick-wins and action items to major capital investments. The following slides can help you seed ideas to support brainstorming and idea generation.

    Info-Tech Best Practice

    Try to avoid debates about feasibility at this point. The goal is to get ideas on the board.

    When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution – other ideas can expand on it and improve it.

    Step 4: No formal process to declare a disaster and invoke business continuity.

    Step 7: Alternate site could be affected by the same regional event as the main office.

    Step 12: Need to confirm supplier service-level agreements (SLAs).

    1. Continue to create BCP documentation.
    2. Identify a third location for regional disasters.
    3. Contact suppliers to confirm SLAs and validate alignment with RTOs/RPOs.
    4. Add BCP requirements collection to service procurement process?

    Discuss your remote work capabilities

    With COVID-19, most organizations have experience with mass work-from-home.

    Review the following case studies. Do they reflect your experience during the COVID-19 pandemic?

    Unacceptable risk

    • A small insurance company provided laptops to staff so they could work remotely.
    • Complication: Cheque and print stock is a dependency and no plan was made to store check stock offsite in a secure fashion.

    Key dependencies missing

    • A local government provided laptops to key staff so they could work remotely.
    • Complication: The organization didn’t currently own enough Citrix licenses for every user to be online concurrently.

    Unable to serve customers

    • The attestation and land services department of a local government agency provided staff with remote access to key apps.
    • Complication: Their most critical business processes were designed to be in-person – they had no plan to execute these processes from home.

    Consider where your own work-from-home plans fell short.

    • Were your collaboration and communication solutions too difficult for users to use effectively?
    • Did legacy infrastructure affect performance or limit capabilities? Were security concerns appropriately addressed?
    • What challenges did IT face supporting business users on break-fix and new requests?
    • Were there logistical needs (shipping/receiving, etc.) that weren’t met?
    • Develop an updated plan to support work-from-home using Info-Tech’s BCP Relocation Checklists and Home Office Survey template, and integrate these into your overall BCP documentation. Stakeholders can easily appreciate the value of this plan since it’s relevant to recent experience.

    Identify opportunities to improve continuity plans

    What gaps in your continuity response could be addressed with better planning?

    People

    • Alternates are not identified
    • Roles in a disaster are not formalized
    • No internal/external crisis comm. strategy

    Site & Facilities

    • No alternate place of business or command center identified
    • No formal planning or exercises to test alternate site viability

    • Identify a viable secondary site and/or work-from-home plan, and develop a schedule for testing activities. Review in Step 3.3 of the Develop a Business Continuity Plan blueprint.

    External Services & Suppliers

    • Contingency plans for a disruption not planned or formalized
    • No formal review of service-level agreements (SLAs)

    • Contact key suppliers and vendors to establish SLAs, and ensure they meet requirements.
    • Review supplier continuity plans.

    Technology & Physical Assets

    • No secondary site or redundancy for critical IT systems
    • No documented end-to-end IT DR plan

    Tool: BCP Project Roadmap

    Prioritize and visualize BCP projects to present options to decision makers.

    Not all BCP projects can be tackled at once. Enable decision makers to defer, rather than outright reject, projects that aren’t feasible at this time.

    1. Configure the tool in Tab 1. Setup. Adjust criteria and definitions for criteria. Note that shaded columns are required for reporting purposes and can’t be modified.
    2. Add projects and action items in Tab 2. Data Entry. Fields highlighted in red are all required for the dashboard to populate. All other fields are optional but will provide opportunities to track more detailed data on project ideas.
    3. To generate the dashboard in Tab 3. Roadmap, open the Data ribbon and under Queries and Connections click Refresh All. You can now use the slicers on the right of the sheet.

    Download Info-Tech’s BCP Project Roadmap Tool

    Demonstrate BCP project impacts

    Illustrate the benefits of proposed projects.

    1. Review your recovery workflow.
    2. Make updates to a second copy of the high-level outline to illustrate how the business response to a disaster scenario will change once proposed projects are complete.
    • Remove steps that have been made unnecessary.
    • Remove any risks or gaps that have been mitigated or addressed.
    • Verify that proposed projects close gaps between acceptable and achievable recovery capabilities in the BIA tool.
  • The visual impact of a shorter, less-risky recovery workflow can help communicate the benefits of proposed projects to decision makers.
  • Step 3.3

    Evaluate business continuity site and command center options

    This step will walk you through the following activities:

    • Take a deep dive on the requirements for working from an alternate location.
    • Assess different options for an alternate location.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • Expert Business Unit Staff

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Identify requirements for an alternate business site.

    Tool: Relocation Checklists

    An alternate site could be another company building, a dedicated emergency operations center, or work-from-home. Use this tool to guide and prepare for any relocation exercise.

    • Coordinate your response with the pre-populated checklists in Tabs 1 & 2, identify who’s responsible for items on the checklists, and update your recovery workflows to reflect new steps. When reviewing the checklist, consider what can be done to prepare ahead of a crisis.
      • For example, you may wish to create crisis communication templates to streamline crisis communications during a disaster.
    • Calculate the effort required to provision equipment for relocated users in Tabs 3 & 4.
    • Evaluate your options for alternate sites with the requirements matrix in Tab 5. Use your evaluation to identify how the organization could address shortcomings of viable options either ahead of time or at the time of an incident.

    Download Info-Tech’s BCP Relocation Checklists

    Create a checklist of requirements for an alternate site

    Leverage the roll-up view, in tab 3, of dependencies required to create a list of requirements for an alternate site in tab 4.

    1. The table on Tab 5 of the relocation checklists is pre-populated with some common requirements. Modify or replace requirements to suit your needs for an alternate business/office site. Be sure to consider distance, transportation, needed services, accessibility, IT infrastructure, security, and seating capacity at a minimum.
    2. Don’t assume. Verify. Confirm anything that requires permissions from the site owner. What network providers have a presence in the building? Can you access the site 24/7 and conduct training exercises? What facilities and services are available? Are you guaranteed the space if needed?

    "There are horror stories about organizations that assumed things about their alternate site that they later found out they weren’t true in practice." – Dr. Bernard Jones, MBCI CBCP

    Info-Tech Insight

    If you choose a shared location as a BCP site, a regional disaster may put you in competition with other tenants for space.

    Identify a command center

    For command center and alternate worksite selection, remember that most incidents are local and short term. Identify an onsite and an offsite command center.

    1. For events where the building is not compromised, identify an onsite location, ideally with remote conferencing capabilities and planning and collaboration tools (projectors, whiteboards, flipcharts). The onsite location can also be used for BCM and crisis management meetings. Remember, most business continuity events are not regional or massively destructive.
    2. For the offsite command center, select a location that is sufficiently far away from your normal business location to maintain separation from local incidents while minimizing commute time. However, consider a geographically distant option (e.g. more than 50 miles away) identified for those scenarios where it is a regional disaster, or plan to leverage online tools to create a virtual command center (see the Insight box below).
    3. The first members of the Emergency Response Team to be notified of the incident will determine which location to use or whether a third alternative is required.

    Info-Tech Insight

    For many organizations, a dedicated command center (TVs on the wall, maps and charts in filing cabinets) isn’t necessary. A conference bridge and collaboration tools allowing everyone to work remotely can be an acceptable offsite command center as long as digital options can meet your command center requirements.

    Create a plan for a return to normal

    Operating in continuity mode for an extended period of time tends to result in higher costs and reduced business capabilities. It’s important to restore normal operations as soon as possible.

    Advance planning can minimize risks and delays in returning to normal operations.

    Leverage the methodology and tools in this blueprint to define your return to normal (repatriation) procedures:

    1. Repeat the tabletop planning exercise to determine the repatriation steps and potential gaps. How will you return to the primary site from your alternate site? Does data need to be re-entered into core systems if IT services are down? Do you need to transfer job duties back to primary staff?
    2. What needs to be done to address the gaps in the return to normal workflow? Are there projects or action items that could make return to normal easier?

    For more on supporting a business move back to the office from the IT perspective, see Responsibly Resume IT Operations in the Office

    Potential business impacts of ongoing operations at a failover site

    • The cost of leasing alternate business worksites.
    • Inability to deliver on strategic initiatives while in emergency/interim operations mode, resulting in lost business opportunities.
    • A growing backlog of work that falls outside of emergency operations mode.
    • Travel and accommodation costs if the alternate site is geographically remote.
    • Additional vendor licensing and contract costs.

    Phase 4

    Extend the Results of the Pilot BCP and Implement Governance

    Phase 4

    4.1 Consolidate BCP pilot insights to support an overall BCP project plan

    4.2 Outline a business continuity management (BCM) program

    4.3 Test and maintain your BCP

    Insights & Outcomes

    Summarize and consolidate your initial insights and documentation. Create a project plan for overall BCP. Identify teams, responsibilities, and accountabilities, and assign documentation ownership. Integrate BCP findings in DR and crisis management practices. Set guidelines for testing, plan maintenance, training, and awareness.

    Participants

    • BCP Coordinator
    • Pilot Business Unit Manager
    • BCP Executive Sponsor

    Step 4.1

    Consolidate BCP pilot insights to support an overall BCP project plan

    This step will walk you through the following activities:

    • Summarize and consolidate outputs and key insights from the BCP pilot.
    • Identify outputs from the pilot that can be re-used for the overall BCP.
    • Create a project charter for an overall BCP.

    This step involves the following participants:

    • BCP Coordinator
    • Pilot Business Unit Manager
    • BCP Executive Sponsor

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Present results from the pilot BCP, and outline how you’ll use the pilot process with other business units to create an overall continuity program.

    Structure the overall BCP program.

    Template: BCP Pilot Results Presentation

    Highlight key findings from the BCP pilot to make the case for next steps.

    • Highlight critical gaps or risks identified, any potential process improvements, and progress made toward improving overall BCP maturity through the pilot project. Summarize the benefits of the pilot project for an executive audience.
    • Review process recovery objectives (RTO/RPO). Provide an overview of recovery capabilities (RTA/RPA). Highlight any significant gaps between objectives and capabilities.
    • Propose next steps, including an overall BCP project and program, and projects and action items to remediate gaps and risks.
    • Develop a project plan to estimate resource requirements for an overall BCP project prior to delivering this presentation. Quantifying required time and resources is a key outcome as it enables the remaining business units to properly scope and resource their BCP development activities and can help managers overcome the fear of the unknown.

    Download Info-Tech’s BCP Pilot Results Presentation

    Tool: BCP Summary

    Sum up information from completed BCP documents to create a high-level BCP overview for auditors and executives.

    The BCP Summary document is the capstone to business unit continuity planning exercises. It consolidates your findings in a short overview of your business continuity requirements, capabilities, and maintenance procedures.

    Info-Tech recommends embedding hyperlinks within the Summary to the rest of your BCP documentation to allow the reader to drill down further as needed. Leverage the following documents:

    • Business Impact Analysis
    • BCP Recovery Workflows
    • Business Process Workflows
    • BCP Project Roadmap
    • BCP Relocation Checklists
    • Business Continuity Policy

    Download Info-Tech’s BCP Summary Document

    Reuse templates for additional exercises

    The same methodology described in this blueprint can be repeated for each business unit. Also, many of the artifacts from the BCP pilot can be reused or built upon to give the remaining business units a head start. For example:

    • BCP Pilot Project Charter Template. Make a copy to use as a base for the next business unit’s BCP project charter, and update the stakeholders/roles and milestone dates. The rest of the content can remain the same in most cases.
    • BCP Reference Workbook. This tool contains information common to all business units and can be updated as needed.
    • BCP Business Impact Analysis Tool. You may need to start a separate copy for each business unit to allow enough space to capture all business processes. However, use the same scoring scale to drive consistent assessments. In addition, the scoring completed by the pilot business unit provides an example and benchmark for assessing other business processes.
    • BCP Recovery Workflow. The notification, assessment, and declaration steps can be standardized so remaining business units can focus primarily on recovery after a disaster is declared. Similarly, many of the steps related to alternate sites and IT workarounds will also apply to other business units.
    • BCP Project Roadmap Tool. Many of the projects identified by the pilot business unit will also apply to other business units – update the list as needed.
    • The Business Unit BCP Prioritization Tool, BCP Executive Presentation, and Business Continuity Policy Template do not need to be updated for each business unit.

    Info-Tech Best Practice

    You may need to create some artifacts that are site specific. For example, relocation plans or emergency plans may not be reusable from one site to another. Use your judgement to reuse as much of the templates as you can – similar templates simplify audit, oversight, and plan management.

    Create an Overall BCP Project Charter

    Modify the pilot project charter to encompass the larger BCP project.

    Adjust the pilot charter to answer the following questions:

    • How much time and effort should the rest of the project take, based on findings from the pilot? When do you expect to meet certain milestones? What outputs and outcomes are expected?
    • In what order should additional business units complete their BCP? Who needs to be involved?
    • What projects to address continuity gaps were identified during the pilot? What investments will likely be required?
    • What additional documentation is required? This section and the appendix include templates to document your BCM Policy, Teams & Contacts, your notification procedures, and more.
    • How does this integrate with the other areas of business resilience and continuity (IT disaster recovery planning and crisis management planning)?
    • What additional activities, such as testing, are required?

    Prioritize business units for further BCP activities.

    As with the pilot, choose a business unit, or business units, where BCP will have the greatest impact and where further BCP activities will have the greatest likelihood of success. Prioritize business units that are critical to many areas of the business to get key results sooner.

    Work with one business unit at a time if:

    • Required resources from the business unit are available to focus on BCP full-time over a short period (one to two weeks).
    • More hands-on guidance (less delegation) is needed.
    • The business unit is large or has complex processes.

    Work with several business units at the same time if:

    • Required resources are only available sporadically over a longer period of time.
    • Less guidance (more delegation) is possible.
    • All business units are small and have well-documented processes.

    Download Info-Tech’s Business Unit BCP Prioritization Tool

    Step 4.2

    Outline a Business Continuity Management (BCM) Program

    This step will walk you through the following activities:

    • Identify teams and roles for BCP and business continuity management.
    • Identify individuals to fill key roles.

    This step involves the following participants:

    • BCP Coordinator
    • Executive Sponsor

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Document BCP teams, roles, and responsibilities.

    Document contact information, alternates, and succession rules.

    Outline a Business Continuity Management Program

    A BCM program, also known as a BCM system, helps structure business continuity activities and practices to deliver long-term benefits to your business.

    A BCM program should:

    • Establish who is responsible and accountable for BCP practices, activities, and documentation, and set documentation management practices.
    • Define a process to improve plans. Review and update continuity requirements, suggest enhancements to recovery capabilities, and measure progress and improvements to the plan over time.
    • Coordinate disaster recovery, business continuity, and crisis management planning outputs and practices.
    • Communicate the value of the continuity program to the organization.

    Develop a Business Continuity Management Program

    Phase 4 of this blueprint will focus on the following elements of a business continuity management program:

    • BCM Roles, Responsibilities, and Accountabilities
    • BCM Document Management Practices
    • Integrate BC, IT DR, Crisis Management, and Emergency Management
    • Business Continuity Plan maintenance and testing
    • Training and awareness

    Schedule a call with an Info-Tech Analyst for help building out these core elements, and for advice on developing the rest of your BCM program.

    Create BCM teams

    Include a mix of strong leaders and strong planners on your BC management teams.

    BC management teams (including the secondary teams such as the emergency response team) have two primary roles:

    1. Preparation, Planning, and Governance: Conduct and consolidate business impact analyses. Review, and support the development of recovery workflows, including emergency response plans and business unit recovery workflows. Organize testing and training. Report on the state of the continuity plan.
    2. Leadership During a Crisis: Coordinate and support the execution of business recovery processes. To meet these goals, each team needs a mix of skill sets.

    Crisis leaders require strong crisis management skills:

    • Ability to make quick decisions under pressure with incomplete information.
    • Excellent verbal communication skills.
    • Strong leadership skills. Calm in stressful situations.
    • Team leaders are ideally, but not necessarily, those with the most senior title on each team. It’s more important that the team leader has the appropriate skill set.

    Collectively, the team must include a broad range of expertise as well as strong planning skills:

    • Diverse expertise to be able to plan for and respond to a wide range of potential incidents, from health and safety to reputational damage.
    • Excellent organizational skills and attention to detail.
    • Excellent written communication skills.

    Note: For specific BC team roles and responsibilities, including key resources such as Legal, HR, and IT SMEs required to prepare for and execute crisis management plans, see Implement Crisis Management Best Practices.

    Structure the BCM Team

    Create a hierarchy of teams to govern and coordinate business continuity planning and crisis management.

    BCM Team: Govern business continuity, DR, and crisis management planning. Support the organization’s response to a crisis, including the decision to declare a disaster or emergency.

    Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.

    Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.

    IT Disaster Recovery Team: Manage the recovery of IT services and data following an incident. Develop and maintain the IT DRP.

    Business Unit BCP Teams: Coordinate business process recovery at the business unit level. Develop and maintain business unit BCPs.

    “Planning Mode”

    Executive Team → BC Management Team ↓

    • Emergency Response Teams (ERT)
    • Crisis Management Team
    • IT DR Management Team
    • Business Unit BCP Teams

    “Crisis Mode”

    Executive Team ↔Crisis Management Team↓ ↔ Emergency Response Teams (ERT)

    • BC Management Team
    • IT DR Management Team
    • Business Unit BCP Teams

    For more details on specific roles to include on these teams, as well as more information on crisis management, review Info-Tech’s blueprint, Implement Crisis Management Best Practices.

    Tool: BCM Teams, Roles, Contacts, and Vendors

    Track teams, roles, and contacts in this template. It is pre-populated with roles and responsibilities for business continuity, crisis management, IT disaster recovery, emergency response, and vendors and suppliers critical to business operations.

    • Expect overlap across teams. For example, the BC Management Team will include representation from each secondary team to ensure plans are in sync. Similarly, both the Crisis Communication Team and BC Management Team should include a representative from your legal team to ensure legal issues are considered in communications as well as overall crisis management.
    • Clarify spending and decision authority for key members of each team during a crisis.

    Track contact information in this template only if you don’t have a more streamlined way of tracking it elsewhere.

    Download Info-Tech’s Business Continuity Teams and Roles Tool

    Manage key vendors

    Review supplier capabilities and contracts to ensure they meet your requirements.

    Suppliers and vendors might include:

    • Material shipments
    • IT/telecoms service providers
    • Integrators and business process outsourcing providers
    • Independent contractors
    • Utilities (power, water, etc.)

    Supplier RTOs and RPOs should align with the acceptable RTOs and RPOs defined in the BIA. Where they do not, explore options for improvement.

    Confirm the following:

    1. The supplier’s own BC/DR capabilities – how they would recover their own operations in a disaster scenario.
    2. Any continuity services the supplier provides – how they can help you recover your operations in a disaster scenario.
    3. Their existing contractual obligations for service availability (e.g. SLAs).

    Download Info-Tech’s BCP Supplier Evaluation Questionnaire

    Organize your BCMS documentation

    Your BCP isn’t any one document. It’s multiple documents that work together.

    Continue to work through any additional required documentation. Build a repository where master copies of each document will reside and can be updated as required. Assign ownership of document management to someone with an understanding of the process (e.g. the BCP Coordinator).

    Governance Recovery
    BCMS Policy BCP Summary Core BCP Recovery Workflows
    Business Process Workflows Action Items & Project Roadmap BCP Recovery Checklists
    BIA Teams, Roles, Contact Information BCP Business Process Workarounds and Recovery Checklists
    BCP Maturity Scorecard BCP Project Charter Additional Recovery Workflows
    Business Unit Prioritization Tool BCP Presentation

    Info-Tech Best Practice

    Recovery documentation has a different audience, purpose, and lifecycle than governance documentation, and keeping the documents separate can help with content management. Disciplined document management keeps the plan current and accessible.

    Align your IT DRP with your BCP

    Use the following BCP outputs to inform your DRP:

    • Business process technology dependencies. This includes technology not controlled by IT (e.g. cloud-based services).
    • RTOs and RPOs for business processes.
    • Technology projects identified by the business to improve resilience (e.g. improved mobility support).
    PCP Outputs DRP Activities
    Business processes defined Identify critical applications

    Dependencies identified:

    • People
    • Enterprise tech
    • Personal devices
    • Workspace and facilities
    • Services and other inputs

    Identify IT dependencies:

    • Infrastructure
    • Secondary applications

    Recovery objectives defined:

    • BIA and RTOs/RPOs
    • Recovery workflows

    Identify recovery objectives:

    • BIA and RTOs/RPOs
    • IT Recovery workflows

    Projects identified to close gaps:

    • Resourcing changes (e.g. training secondary staff)
    • Process changes (e.g. optimize processes and define interim processes)
    • Technology changes (e.g. improving mobility)

    Identify projects to close gaps:

    • Projects to improve DR capability (e.g. data replication, standby systems).
    • Projects to improve resiliency (e.g. redundant components)

    Info-Tech Insight

    Don’t think of inconsistencies between your DRP and BCP as a problem. Discrepancies between the plans are part of the discovery process, and they’re an opportunity to have a conversation that can improve alignment between IT service capabilities and business needs. You should expect that there will be discrepancies – managing discrepancies is part of the ongoing process to refine and improve both plans.

    Schedule activities to keep BC and DR in sync

    BC/DR Planning Workflow

    1. Collect BCP outputs that impact IT DRP (e.g. technology RTOs/RPOs).

    2. As BCPs are done, BCP Coordinator reviews outputs with IT DRP Management Team.

    3. Use the RTOs/RPOs from the BCPs as a starting point to determine IT recovery plans.

    4. Identify investments required to meet business-defined RTOs/RPOs, and validate with the business.

    5. Create a DR technology roadmap to meet validated RTOs/RPOs.

    6. Review and update business unit BCPs to reflect updated RTOs/RPOs.

    Find and address shadow IT

    Reviewing business processes and dependencies can identify workarounds or shadow IT solutions that weren’t visible to IT and haven’t been included in IT’s DR plan.

    • If you identify technology process dependencies that IT didn’t know about, it can be an opportunity to start a conversation about service support. This can be a “teachable moment” to highlight the risks of adopting and implementing technology solutions without consulting IT.
    • Highlight the possible impact of using technology services that aren’t supported by IT. For example:
      • RTOs and RPOs may not be in line with business requirements.
      • Costs could be higher than supported solutions.
      • Security controls may not be in line with compliance requirements.
      • IT may not be able to offer support when the service breaks or build new features or functionality that might be required in the future.
    • Make sure that if IT is expected to support shadow IT solutions, these systems are included in the IT DRP and that the risks and costs of supporting the non-core solution are clear to all parties and are compared to an alternative, IT-recommended solutions.

    Shadow IT can be a symptom of larger service support issues. There should be a process for requesting and tracking non-standard services from IT with appropriate technical, security, and management oversight.

    Review and reprioritize BC projects to create an overall BC project roadmap

    Assign the BCP Coordinator the task of creating a master list of BC projects, and then work with the BC management team to review and reprioritize this list, as described below:

    1. Build a list of BC projects as you work with each business unit.
      1. Add proposed projects to a master copy of the BCP Project Roadmap Tool
      2. For each subsequent business unit, copy project names, scoring, and timelines into the master roadmap tool.
    2. Work with the Executive Sponsor, the IT BCM representative, and the BCM team to review and reprioritize projects.
      1. In the master BCP Project Roadmap Tool, review and update project scoring, taking into account the relative importance of each project within the overall list. Rationalize the list (e.g. eliminate duplicate projects).
    3. The project roadmap is a suggested list of projects at this stage. Assign a project sponsor and project manager (from the BC management team or appropriate delegates) to each project to take it through your organization’s normal project scoping and approval process.

    Improving business continuity capabilities is a marathon, not a sprint. Change for the better is still change and introduces risk – massive changes introduce massive risk. Incremental changes help minimize disruption. Use Info-Tech research to deliver organizational change.

    "Developing a BCP can be like solving a Rubik’s Cube. It’s a complex, interdepartmental concern with multiple and sometimes conflicting objectives. When you have one side in place, another gets pushed out of alignment." – Ray Mach, BCP Expert

    Step 4.3

    Test and maintain your BCP

    This step will walk you through the following activities:

    • Create additional documentation to support your business continuity plan.
    • Create a repository for documentation, and assign ownership for BCP documentation.

    This step involves the following participants:

    • BCP Coordinator

    In this step, you’ll use these tools and templates:

    Outcomes & Insights

    Create a plan to maintain the BCP.

    Iterate on your plan

    Tend your garden, and pull the weeds.

    Mastery comes through practice and iteration. Iterating on and testing your plan will help you keep up to date with business changes, identify plan improvements, and help your organization’s employees develop a mindset of continuity readiness. Maintenance drives continued success; don’t let your plan become stagnant, messy, and unusable.

    Your BCM program should structure BCP reviews and updates by answering the following:

    1. When do we review the plan?
    2. What are the goals of a review?
    3. Who must lead reviews and update BCP documents?
    4. How do we track reviews, tests, and updates?

    Structure plan reviews

    There are more opportunities for improvements than just planned reviews.

    At a minimum, review goals should include:

    1. Identify and document changes to BCP requirements.
    2. Identify and document changes to BCP capabilities.
    3. Identify gaps and risks and ways to remediate risks and close gaps.

    Who leads reviews and updates documents?

    The BCP Coordinator is likely heavily involved in facilitating reviews and updating documentation, at least at first. Look for opportunities to hand off document ownership to the business units over time.

    How do we track reviews, tests, and updates?

    Keep track of your good work by keeping a log of document changes. If you don’t have one, you can use the last tab on the BCP-DRP Maintenance Checklist.

    When do we review the plan?

    1. Scheduled reviews: At a minimum, plan reviews once a year. Plan owners should review the documents, identify needed updates, and notify the coordinator of any changes to their plan.
    2. As-needed reviews: Project launches, major IT upgrades, office openings or moves, organizational restructuring – all of these should trigger a BCP review.
    3. Testing exercises: Schedule controlled exercises to test and improve different aspects of your continuity plan, and ensure that lessons learned become part of plan documentation.
    4. Retrospectives: Take the opportunity to learn from actual continuity events and crises by conducting retrospectives to evaluate your response and brainstorm improvements.

    Conduct a retrospective after major incidents

    Use a retrospective on your COVID-19 response as a starting point. Build on the questions below to guide the conversation.

    • If needed, how did we set up remote work for our users? What worked, and what didn’t?
    • Did we discover any long-term opportunities to improve business processes?
    • Did we use any continuity plans we have documented?
    • Did we effectively prioritize business processes for recovery?
    • Were expectations from our business users in line with our plans?
    • What parts of our plan worked, and where can we improve the plan?
    1. Gather stakeholders and team members
    2. Ask:
      1. What happened?
      2. What did we learn?
      3. What did we do well?
      4. What should we have done differently?
      5. What gaps should we take action to address?
    3. Prepare a plan to take action

    Outcomes and benefits

    • Confirm business priorities.
    • Validate that business recovery solutions and procedures are effective in meeting business requirements (i.e. RTOs and RPOs).
    • Identify gaps in continuity resources, procedures, or documentation, and options to close gaps.
    • Build confidence in the response team and recovery capabilities.

    Tool: Testing and Maintenance Schedule

    Build a light-weight maintenance schedule for your BCP and DRP plans.

    This tool helps you set a schedule for plan update activities, identify document and exercise owners, and log updates for audit and governance purposes.

    • Add the names of your documents and brainstorm update activities.
    • Activities (document updates, testing, etc.) might be scheduled regularly, as-needed, or both. If they happen “as needed,” identify the trigger for the activity.
    • Start tracking past activities and resulting changes in Tab 3. You can also track crises that tested your continuity capabilities on this tab.

    Info-Tech Insight

    Everyone gets busy. If there’s a meeting you can schedule months in advance, schedule it months in advance! Then send reminders closer to the date. As soon as you’re done the pilot BCP, set aside time in everyone’s calendar for your first review session, whether that’s three months, six months, or a year from now.

    Appendix

    Additional BCP Tools and Templates

    Template Library: Business Continuity Policy

    Create a high-level policy to govern BCP and clarify BCP requirements.

    Use this template to:

    • Outline the organizational commitment to BCM.
    • Clarify the mandate to prepare, validate, and maintain continuity plans that align with business requirements.
    • Define specific policy statements that signatories to the policy are expected to uphold.
    • Require key stakeholders to review and sign off on the template.

    Download Info-Tech’s Business Continuity Policy template

    Template Library: Workarounds & Recovery Checklists

    Capture the step-by-step details to execute workarounds and steps in the business recovery process.

    If you require more detail to support your recovery procedures, you can use this template to:

    • Record specific steps or checklists to support specific workarounds or recovery procedures.
    • Identify prerequisites for workarounds or recovery procedures.

    Download Info-Tech’s BCP Process Workarounds & Recovery Checklists Template

    Template Library: Notification, Assessment, Declaration

    Create a procedure that outlines the conditions for assessing a disaster situation and invoking the business continuity plan.

    Use this template to:

    • Guide the process whereby the business is notified of an incident, assesses the situation, and declares a disaster.
    • Set criteria for activating business continuity plans.
    • Review examples of possible events, and suggest options on how the business might proceed or react.

    Download Info-Tech’s BCP Notification, Assessment, and Disaster Declaration Plan template

    Template Library: BCP Recovery Workflow Example

    Review an example of BCP recovery workflows.

    Use this template to:

    • Generate ideas for your own recovery processes.
    • See real examples of recovery processes for warehousing, supply, and distribution operations.
    • Review an example of working BCP documentation.

    Download Info-Tech’s BCP Recovery Workflows Example

    Create a Pandemic Response Plan

    If you’ve been asked to build a pandemic-specific response plan, use your core BCP findings to complete these pandemic planning documents.

    • At the onset of the COVID-19 crisis, IT departments were asked to rapidly ramp up work-from-home capabilities and support other process workarounds.
    • IT managers already knew that obstacles to working from home would go beyond internet speed and needing a laptop. Business input is critical to uncover unexpected obstacles.
    • IT needed to address a range of issues from security risk to increased service desk demand from users who don’t normally work from home.
    • Workarounds to speed the process up had to be balanced with good IT practices and governance (Asset Management, Security, etc.)
    • If you’ve been asked to update your Pandemic Response Plan, use this template and your core BCP deliverables to deliver a set of streamlined documentation that draws on lessons learned from the COVID-19 pandemic.

    Structure HR’s role in the pandemic plan

    Leverage the following materials from Info-Tech’s HR-focused sister company, McLean & Company.

    These HR research resources live on the website of Info-Tech’s sister company, McLean & Company. Contact your Account Manager to gain access to these resources.

    Summary of Accomplishment

    Knowledge Gained

    This blueprint outlined:

    • The streamlined approach to BCP development.
    • A BIA process to identify acceptable, appropriate recovery objectives.
    • Tabletop planning exercises to document and validate business recovery procedures.

    Processes Optimized

    • Business continuity development processes were optimized, from business impact analysis to incident response planning.
    • In addition, pilot business unit processes were identified and clarified to support BCP development, which also provided the opportunity to review and optimize those processes.

    Key Deliverables Completed

    • Core BCP deliverables for the pilot business unit, including a business impact analysis, recovery workflows, and a project roadmap.
    • BCP Executive Presentation to communicate pilot results as well as a summary of the methodology to the executive team.
    • BCP Summary to provide a high-level view of BCP scope, objectives, capabilities, and requirements.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    Dr. Bernard A. Jones, MBCI, CBCP

    Professor and Continuity Consultant Berkeley College

    Dr. Jones is a professor at Berkeley College within the School of Professional Studies teaching courses in Homeland Security and Emergency Management. He is a member of the National Board of Directors for the Association of Continuity Professionals (ACP) as well as the Information & Publications Committee Chair for the Garden State Chapter of the ACP. Dr. Jones earned a doctorate degree in Civil Security Leadership, Management & Policy from New Jersey City University where his research focus was on organizational resilience.

    Kris L. Roberson

    Disaster Recovery Analyst Veterans United Home Loans

    Kris Roberson is the Disaster Recovery Analyst for Veterans United Home Loans, the #1 VA mortgage lender in the US. Kris oversees the development and maintenance of the Veterans United Home Loans DR program and leads the business continuity program. She is responsible for determining the broader strategies for DR testing and continuity planning, as well as the implementation of disaster recovery and business continuity technologies, vendors, and services. Kris holds a Masters of Strategic Leadership with a focus on organizational change management and a Bachelors in Music. She is a member of Infragard, the National Association of Professional Women, and Sigma Alpha Iota, and holds a Project+ certification.

    Trevor Butler

    General Manager of Information Technology City of Lethbridge

    As the General Manager of Information Technology with the City of Lethbridge, Trevor is accountable for providing strategic management and advancement of the city’s information technology and communications systems consistent with the goals and priorities of the corporation while ensuring that corporate risks are appropriately managed. He has 15+ years of progressive IT leadership experience, including 10+ years with public sector organizations. He holds a B.Mgt. and PMP certification along with masters certificates in both Project Management and Business Analysis.

    Robert Miller

    Information Services Director Witt/Kieffer

    Bob Miller is the Information Services Director at Witt/Kieffer. His department provides end-user support for all company-owned devices and software for Oak Brook, the regional offices, home offices, and traveling employees. The department purchases, implements, manages, and monitors the infrastructure, which includes web hosting, networks, wireless solutions, cell phones, servers, and file storage. Bob is also responsible for the firm’s security planning, capacity planning, and business continuity and disaster preparedness planning to ensure that the firm has functional technology to conduct business and continue business growth.

    Related Info-Tech Research

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

    Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

    Select the Optimal Disaster Recovery Deployment Model

    Determine which deployment models, including hybrid solutions, best meet your DR requirements.

    Bibliography

    “Business Continuity Planning.” IT Examination HandBook. The Federal Financial Institution Examination Council (FFIEC), February 2015. Web.

    “Business Continuity Plans and Emergency Contact Information.” FINRA, 12 February 2015. Web.

    “COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.” ISACA, n.d. Web.

    Disaster Resource GUIDE. Emergency Lifeline Corporation, n.d. Web.

    “DR Rules & Regulations.” Disaster Recovery Journal, March 2017. Web.

    “Federal Information Security Management Act (FISMA).” Homeland Security, 2014. Web.

    FEMA. “Planning & Templates.” FEMA, n.d. Web.

    “FINRA-SEC-CFTC Joint Advisory (Regulatory Notice 13-25).” FINRA, August 2013. Web.

    Gosling, Mel and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 24 April 2009. Web.

    Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, 2016. Web.

    Potter, Patrick. “BCM Regulatory Alphabet Soup – Part Two.” RSA Link, 28 August 2012. Web.

    The Good Practice Guidelines. Business Continuity Institute, 2013. Web.

    Wang, Dashun and James A. Evans. “When Small Teams are Better than Big Ones.” Harvard Business Review, 21 February 2019. Web.

    Formalize Your Digital Business Strategy

    • Buy Link or Shortcode: {j2store}101|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    Your organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise. Digital investments have been made in the past but failed to yield or demonstrate business value. Given the pace of change, the current digital strategy is outdated, and new digital opportunities need to be identified to inform the technology innovation roadmap.

    Our Advice

    Critical Insight

    Turn your digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.

    Impact and Result

    • Identify new digitally enabled growth opportunities.
    • Understand which digital ideas yield the biggest return and the value they generate for the organization.
    • Understand the impact of opportunities on your business capabilities.
    • Map a customer journey to identify opportunities to transform stakeholder experiences.

    Formalize Your Digital Business Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Formalize Your Digital Business Strategy – a document that walks you through a series of activities to help brainstorm and ideate on possible new digital opportunities as an input into building your business case for a new IT innovation roadmap.

    Knowing which digital opportunities create the greatest business value requires a structured approach to ideate, prioritize, and understand the value they create for the business to help inform the creation of your business case for investment approval.

    • Formalize Your Digital Strategy Storyboard

    Infographic

    Further reading

    Formalize Your Digital Business Strategy

    Stay relevant in an evolving digital economy

    Executive Summary

    Your Challenge

    Common Obstacles

    Solution

    • Since 2020, the environment has been volatile, leading many CIOs to rethink their priorities and strategies.
    • The organization already has a digital strategy, but there is a lack of understanding of what digital means across the enterprise.
    • Digital investments have been made but fail to demonstrate the business value.
    • The current digital strategy was developed in isolation and failed to garner consensus on a common understanding of the digital vision from across the business.
    • CIOs struggle to understand what existing capabilities need to transform or what new digital capabilities are needed to support the digital ambitions.
    • The existing Digital Strategy is synonymous with the IT Strategy.
    • Identify new digitally enabled growth opportunities.
    • Understand which digital ideas yield the biggest return and the value they generate for the organization.
    • Understand the impact of opportunities on your business capabilities.
    • Map the customer journey to identify opportunities to transform the stakeholder experience.

    Info-Tech Insight

    Turn your existing digital strategy into a compelling change story that will create a unified vision of how you want to transform your business.

    Info-Tech’s Digital Transformation Journey

    Your journey: An IT roadmap for your Digital Business Strategy

    The image contains a screenshot of Info-Tech's Digital Transformation Journey.

    By now, you understand your current business context and capabilities

    The image contains a screenshot of the IT roadmap for your Digital Business Strategy.

    By this point you have leveraged industry roundtables to better understand the art of the possible, exploring global trends, shifts in market forces, customer needs, emerging technologies, and economic forecasts to establish your business objectives and innovation goals.

    Now you need to formalize digital business strategy.

    Phase 1: Industry Trends Report

    The image contains a screenshot of phase 1 industry trends report.

    Phase 2: Digital Maturity Assessment

    The image contains a screenshot of phase 2 digital maturity assessment.

    Phase 3: Zero-In on Business Objectives

    The image contains a screenshot of phase 3 Zero-in on business objectives.

    Business and innovation goals are established through stakeholder interviews and a heatmap of your current capabilities for transformation.

    Since 2020, market dynamics have forced organizations to reassess their strategies

    The unprecedented pace of global disruptions has become both a curse and a silver lining for many CIOs. The ability to maximize the value of digital will be vital to remain relevant in the new digital economy.

    The image contains a screenshot of an image that demonstrates how market dynamics force organizations to reassess their strategies.

    Formalize your digital strategy to address industry trends and market dynamics

    The goal of this phase is to ensure the scope of the current digital strategy reflects the right opportunities to allocate capital to resources, assets, and capabilities to drive strategic growth and operational efficiency.

    There are three key activities outlined in this deck that that can be undertaken by industry members to help evolve their current digital business strategy.

    1. Identify New Digitally Enabled Growth Opportunities
      • Host an ideation session to identify new leapfrog ideas
      • Discuss assumptions, value drivers, and risks
      • Translate ideas into opportunities and consolidate
    2. Evaluate New Digital Opportunities and Business Capabilities
      • Build an opportunity profile
      • Identify business capabilities for transformation
    3. Transform Stakeholder Journeys
      • Understand the impact of opportunities on value-chains
      • Identify stakeholder personas
      • Build a stakeholder journey map
      • Compile your new list of digital opportunities
    The image contains a screenshot of Formalize your digital business strategy.

    Info-Tech’s approach

    1. Identify New Digital Opportunities
      • Conduct an ideation session
      • Identify leapfrog ideas from trends
      • Evaluate each leapfrog idea to define opportunity
    2. Evaluate Opportunities and Business Capabilities
      • Build Opportunity Profile
      • Understand the impact of opportunities on business capabilities
    3. Transform Stakeholder Journeys
      • Analyze value chains
      • Map your Stakeholder Journey
      • Breakdown opportunities into initiatives

    Overview of Key Activities

    Formalize your digital business strategy

    Methodology

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Phase 1: New Digital Opportunities

    Phase 2: Evaluate Opportunities and Business Capabilities

    Phase 3: Transform Stakeholder Journeys

    Content Leveraged

    • Digital Business Strategy blueprint
    • Client’s Business Architecture
    1. Hold an ideation session with business executives.
      • Review relevant reports on industry trends, market shifts, and emerging technologies.
      • Establish guiding principles for digital transformation.
      • Leverage a trend-analysis approach to determine the most impactful and relevant trends.
      • From tends, elicit leapfrog ideas for growth opportunities.
      • For each idea, engage in discussion on assumptions, value drivers, benefits, and risks.
    1. Create opportunity profiles.
      • Evaluate each opportunity to determine if it is important to turn into initiatives
    2. Evaluate the impact of opportunities on your business capabilities.
      • Leverage a value-chain analysis to assess the impact of the opportunity across value chains in order to understand the impact across your business capabilities.
    1. Map stakeholder journey:
      • Identify stakeholder personas
      • Identify one journey scenario
      • Map stakeholder journey
      • Consolidate opportunities
    2. Breakdown opportunities into actional initiatives
      • Brainstorm priority initiatives against opportunities.

    Deliverable:

    Client’s Digital Business Strategy

    Phase 1: Deliverable

    1. Compiled list of leapfrog ideas for new growth opportunities

    Phase 2: Deliverables

    1. Opportunity Profile
    2. Business Capability Impact

    Phase 3: Deliverables

    1. Opportunity Profile
    2. Business Capability Impact

    Glossary of Terms

    LEAPFROG IDEAS

    The concept was originally developed in the area of industrial organizations and economic growth. Leapfrogging is the notion that organizations can identify opportunities to skip one or several stages ahead of their competitors.

    DIGITAL OPPORTUNITIES

    Opening of new possibilities to transform or change your business model and create operational efficiencies and customer experiences through the adoption of digital platforms, solutions, and capabilities.

    INITIATIVES

    Breakdown of opportunities into actionable initiatives that creates value for organizations through new or changes to business models, operational efficiencies, and customer experiences.

    1. LEAPFROG IDEAS:
      • Precision medicine
    2. DIGITAL OPPORTUNITY:
      • Machine Learning to sniff out pre-cancer cells
    3. INITIATIVES:
      1. Define genomic analytics capabilities and recruit
      2. Data quality and cleansing review
      3. Implement Machine Learning SW

    Identify Digitally Enabled Opportunities

    Host an ideation session to turn trends into growth opportunities with new leapfrog ideas.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 1

    Host an Ideation Session to Identify New Digital Opportunities

    1.1

    IDENTIFY AND ASSEMBLE YOUR KEY STAKEHOLDERS

    Build support and eliminate blind spots

    It is important to make sure the right stakeholders participate in this working group. Designing a digital strategy will require debate, insights, and business decisions from a broad perspective across the enterprise. The focus is on the value to be generated from digital.

    Consider:

    • Who are the decision makers and key influencers?
    • Who will impact the business?
    • Who has a vested interest in the success or failure of the practice? Who has the skills and competencies necessary to help you be successful?

    Avoid:

    • Don’t focus on the organizational structure and hierarchy. Often stakeholder groups don’t fit the traditional structure.
    • Don’t ignore subject matter experts on either the business or IT side. You will need to consider both.
    1.2

    ESTABLISH GUIDING PRINCIPLES

    Define the guardrails to focus your ideas

    All ideas are great until you need one that works. Establish guiding principles that will help you establish the perimeters for turning big ideas into opportunities.

    Consider:

    • Focus on the breadth and alignment to support business objectives
    • This should help narrow conceptual ideas into actionable initiatives

    Avoid:

    • Don’t recreate the corporate guiding principles
    • Focus on what will help define strategic growth opportunities and operational efficiencies
    1.3

    LEVERAGE STRATEGIC FORESIGHT TO IDENTIFY LEAPFROG IDEAS

    Create space to elicit “big ideas”

    Leverage industry roundtables and trend reports imagining how digital solutions can help drive strategic growth and operational efficiency. Brainstorm new opportunities and discuss their viability to create value and better experiences for your stakeholders.

    Consider:

    • Accelerate this exercise by leveraging stakeholder insights from:
      • Your corporate strategy and financial plan
      • Outputs from stakeholder interviews
      • Market research

    Avoid:

    • Don’t simply go with the existing documented strategic objectives for the business. Ensure they are up to date and interview the decision makers to validate their perspectives if needed.

    Host an Ideation Session

    Identify digitally enabled opportunities

    Industry Roundtables and Trend Reports

    Industry Trends Report

    The image contains a screenshot of phase 1 industry trends report.

    Business Documents

    The image contains a screenshot of Business Documents.

    Digital Maturity Assessment

    The image contains a screenshot of phase 2 digital maturity assessment.

    Activity: 2-4 hours

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Hold a visioning session with key business executives (e.g., CIO, CEO, CFO, CCO, and COO) and others as needed. Here is a proposed agenda of activities for the ideation session:

    1. Leverage current trend reports and relevant emerging trend reports, market analysis, and customer research to envision future possibilities.
    2. Establish guiding principles for defining your digital strategy and scope.
    3. Leverage insights from trend reports and market analysis to generate leapfrog ideas that can be turned into opportunities.
    4. For each leapfrog idea, engage in a discussion on assumptions, value drivers, benefits, and risks.

    Content Leveraged

    • Digital Trends Report
    • Industry roundtables and trend reports
    • Digital Maturity Assessment
    • Digital Business Strategy v1.0

    Deliverable:

    1. Guiding principles
    2. Strategic growth opportunities

    1.1 Executive Stakeholder Engagement

    Assemble Executive Stakeholders

    Set yourself up for success with these three steps.

    CIOs tasked with designing digital strategies must add value to the business. Given the goal of digital is to transform the business, CIOs will need to ensure they have both the mandate and support from the business executives.

    Designing the digital strategy is more than just writing up a document. It is an integrated set of business decisions to create a competitive advantage and financial returns. Establishing a forum for debates, decisions, and dialogue will increase the likelihood of success and support during execution.

    1. Confirm your role

    2. Identify Stakeholders

    3. Diverse Perspective

    The digital strategy aims to transform the business. Given the scope, validate your role and mandate to lead this work. Identify a business executive to co-sponsor.

    Identify key decision-makers and influencers who can help make rapid decisions as well as garner support across the enterprise.

    Don’t be afraid to include contrarians or naysayers. They will help reduce any blind spots but can also become the greatest allies through participation.

    1.2 Guiding Principles

    Set the Guiding Principles

    Guiding principles help define the parameters of your digital strategy. They act as priori decisions that establish the guardrails to limit the scope of opportunities from the perspective of people, assets, capabilities, and budgets that are aligned with the business objectives. Consider these components when brainstorming guiding principles:

    Consider these three components when brainstorming

    Breadth

    Digital strategy should span people, culture, organizational structure, governance, capabilities, assets, and technology. The guiding principle should cover a 3600 view across the entire organization.

    Planning Horizon

    Timing should anchor stakeholders to look to the long-term with an eye on the foreseeable future i.e., business value realization in one, two, and three years.

    Depth

    Needs to encompass more than the enterprise view of lofty opportunities but establish boundaries to help define actionable initiatives (i.e., individual projects).

    1.2 Guiding Principles

    Examples of Guiding Principles

    IT Principle NameIT Principle Statement
    1.Enterprise value focusWe aim to provide maximum long-term benefits to the enterprise as a whole while optimizing total costs of ownership and risks.
    2.Fit for purposeWe maintain capability levels and create solutions that are fit for purpose without over engineering them.
    3.SimplicityWe choose the simplest solutions and aim to reduce operational complexity of the enterprise.
    4.Reuse > buy > buildWe maximize reuse of existing assets. If we can’t reuse, we procure externally. As a last resort, we build custom solutions.
    5.Managed dataWe handle data creation and modification and use it enterprise-wide in compliance with our data governance policy.
    6.Controlled technical diversityWe control the variety of what technology platforms we use.
    7.Managed securityWe manage security enterprise-wide in compliance with our security governance policy.
    8.Compliance to laws and regulationsWe operate in compliance with all applicable laws and regulations.
    9.InnovationWe seek innovative ways to use technology for business advantage.
    10.Customer centricityWe deliver best experiences to our customers with our services and products.
    11.Digital by default We always put digital solutions at the core of our plans for all viable solutions across the organization.
    12.Customer-centricity by designWe design new products and services with the goal to drive greater engagement and experiences with our customers.

    1.3 Trend-Analysis

    Leverage strategic foresight to identify growth opportunities

    What is Strategic Foresight?

    In times of increasing uncertainty, rapid change, market volatility, and complexity, the development of strategies can be difficult. Strategic foresight offers a solution.
    Strategic foresight refers to an approach that uses a range of methodologies, such as scanning the horizon for emerging changes and signals, analyzing megatrends, and developing multiple scenarios to identify opportunities (source: OECD, 2022). However, it cannot predict the future and is distinct from:

    • Forecasting tools
    • Strategic planning
    • Scenario planning (only)
    • Predictive analyses of the future

    Why is Strategic Foresight useful?

    • Reduce uncertainties about the future
    • Better anticipate changes
    • Future-proof to stress test proposed strategies
    • Explore innovation to reveal new products, services, and approaches

    Explore Info-Tech’s Strategic Foresight Process Tool

    “When situations lack analogies to the past, it’s hard to envision the future.”

    - J. Peter Scoblic, HBR, 2020

    1.3 Trend-Analysis

    Leverage industry roundtables and trend reports to understand the art of the possible

    Uncover important business and industry trends that can inform possibilities for technology innovation.

    Explore trends in areas such as:

    • Machine Learning
    • Citizen Dev 2.0
    • Venture Architecture
    • Autonomous Organizations
    • Self-Sovereign Cloud
    • Digital Sustainability

    Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to get started.

    The image contains screenshots from Info-Tech blueprints.

    Images are from Info-Tech’s Rethinking Higher Education Report and 2023 Tech Trends Report

    1.3 Trend-Analysis

    Scan the Horizon

    Understand how the environment is evolving in your industry

    Scan the horizon to detect early signs of future changes or threats.

    Horizon scanning involves scanning, analyzing, and communicating changes in an organization’s environment to prepare for potential threats and opportunities. Much of what we know about the future is based around the interactions and trajectory of macro trends, trends, and drivers. These form the foundations for future intelligence.

    Macro Trends

    A macro trend captures a large-scale transformative trend on a global scale that could impact your addressable market

    Industry Trend

    An industry trend captures specific use cases of the macro trend in relation to your market and industry. Consider this in terms of shifts in your market dynamics i.e., competitors, size, transaction, international trade, supply/demand, etc.

    Driver(s)

    A driver is an underlying force causing the trend to occur. There can be multiple causal forces, or drivers, that influence a trend, and multiple trends can be influenced by the same causal force.

    Identify signals of change in the present and their potential future impacts.

    1.3 Trend-Analysis

    Identify macro trends

    Macro trends capture a global shift that can change the market and the industry. Here are examples of macro-trends to consider when scanning the horizon for your own organization:

    Talent Availability

    Customer Expectations

    Emerging Technologies

    Regulatory System

    Supply Chain Continuity

    Decentralized workforce

    Hybrid workforce

    Diverse workforce

    Skills gap

    Digital workforce

    Multigenerational workforce

    Personalization

    Digital experience

    Data ownership

    Transparency

    Accessibility

    On-demand

    Mobility

    AI & robotics

    Virtual world

    Ubiquitous connectivity

    Genomics (nano, bio, smart….)

    Big data

    Market control

    Economic shifts

    Digital regulation

    Consumer protection

    Global green

    Resource scarcity

    Sustainability

    Supply chain digitization

    Circular supply chains

    Agility

    Outsource

    1.3 Trend-Analysis

    Determine impact and relevance of trends

    Understand which trends create opportunities or risks for your organization.

    Key Concepts:

    Once an organization has uncovered a set of trends that are of potential importance, a judgment must be made on which of the trends should be prioritized to understand their impact on your market and ultimately, the implications for your business or organization. Consider the following criteria to help you prioritize your trends.

    Impact to Industry: The degree of impact the trend will have on your industry and market to create possibilities or risks for your business. Will this trend create opportunities for the business? Or does it pose a risk that we need to mitigate?

    Relevance to Organization. The relevance of the trend to your organization. Does the trend align with the mission, vision, and business objectives of your organization?

    Activity: 2-4hours

    In order to determine which trends will have an impact on your industry and are relevant to your organization, you need to use a gating approach to short-list those that may create opportunities to capitalize on while you need to manage the ones that pose risk.

    Impact

    What does this trend mean for my industry and market?

    • Degree – how broad or narrow is the impact
    • Likelihood – the reality of disrupting an industry or market
    • Timing – when do we expect disruption?

    Relevance

    What opportunity or risk does it pose to my business/organization?

    • Significance – depth and breadth across the enterprise
    • Duration – how long is the anticipated impact?

    1.3 Trend-Analysis

    Prioritize Trends for Exploration

    The image contains a screenshot of a table to demonstrate the trends.The image contains a graph that demonstrates the trends from the table on a graph to show how to prioritze them based on relevance and impact.

    Info-Tech Insight

    While the scorecard may produce a ranking based on weighted metrics, you need to leverage the group discussion to help contextualize and challenge assumptions when validating the priority. The room for debate is important to truly understand whether a trend is a fad or a fact that needs to be addressed.

    1.3 Trend-Analysis

    Discuss the driver(s) behind the trend

    Determining the root cause(s) of a trend is an important precursor to understanding the how, why, and to what extent a trend will impact your industry and market.

    Trend analysis can be a valuable approach to reduce uncertainties about the future and an opportunity to understand the underlying drivers (forces) that may be contributing to a shift in pattern. Understanding the drivers is important to help determine implication on your organization and potential opportunities.

    The image contains a screenshot of a driver diagram.

    1.3 Trend-Analysis

    Examples of driver(s)

    INDUSTRY

    Healthcare Exemplar

    Macro Trends

    (Transformative change)

    Industry Trend

    (A pattern of change…)

    Drivers

    (“Why”….)

    Accessibility

    Increase in wait times

    Aging population leading to global workforce shortage

    New models of care e.g., diversify scope of practice

    Address capacity issues

    Understanding the drivers is not about predicting the future. Don’t get stuck in “analysis paralysis.” The key objective is to determine what opportunities and risks the trend and its underlying driver pose to your business. This will help elicit leapfrog opportunities that can be funneled into actionable initiatives.

    Other examples…

    Dimensions

    Macro-Trends

    Industry Trend

    Driver

    Social

    Demographic shift

    Global shortage of healthcare workers

    Workforce age

    Customer expectations

    Patients as partners

    Customer demographics

    Technology

    AI and robotics

    Early detection of cancer

    Patient outcomes

    Ubiquitous connectivity

    Virtual health

    Capacity

    Economic

    Recession

    Cost-savings

    Sustainability

    Consumer spending

    Value-for-money

    Prioritization

    Environment

    Climate change

    Shift in manufacturers

    ESG compliant vendors

    Pandemic

    Supply chain disruption

    Local production

    Political

    Regulatory

    Consolidation of professional colleges

    Operational efficiency

    De-regulation

    New models of care

    New service (business) model

    1.3 Trend-Analysis

    Case Study

    Industry

    Healthcare

    Artificial Intelligence (AI) in Precision Medicine (Genomics)

    Precision Medicine has become very popular over the recent years fueled by research but also political and patient demands to focus more on better outcomes vs. profits. A cancer care center in Canada wanted to look at what was driving this popularity but more importantly, what this potentially meant to their current service delivery model and operations and what opportunities and risks they needed to address in the foreseeable future. They determined the following drivers:

    • Improve patient outcomes
    • Earlier detection of cancer
    • Better patient experience
    • Ability to compute vast amounts of data to reduce manual effort and errors
    • Accelerate from research to clinical trials to delivery

    The image contains a screenshot of AI in Genomics.

    1.3 Trend-Analysis

    INDUSTRY

    Healthcare Exemplar

    Category

    Macro-Trends

    Industry Trends

    (Use-Case)

    Drivers

    Impact to Industry

    Impact to Business

    Talent Availability

    Diverse workforce

    Aboriginal health

    Systemic inequities

    Brand and legal

    Policies in place

    Hybrid workforce

    Virtual care

    COVID-19 and infectious disease

    New models of care

    New digital talent

    Customer Expectation

    Personalization

    On-demand care

    Patient experience

    Patients as consumers

    New operating model

    Digital experience

    Patient portals

    Democratization of data

    Privacy and security

    Capacity

    Emerging Technologies

    Internet of Things (IoT)

    Smart glucometers

    Greater mobility

    System redesign

    Shift from hospital to home care

    Quantum computing

    Genomic sequencing

    Accelerate analysis

    Improve quality of data analysis

    Faster to clinical trial and delivery

    Regulatory System

    Consumer protection

    Protect access to sensitive patient data

    HIPPA legislation

    Restrict access to health record

    Electronic health records

    Global green

    Green certification for redev. projects

    Political optics

    Higher costs

    Contract management

    Supply Chain

    Supply chain disruptions

    Surgical strategic sourcing

    Preference cards

    Quality

    Organizational change management

    New pharma entrants

    Telco’s move into healthcare

    Demand/supply

    Funding model

    Resource competition

    Sample Output From Trend Analysis

    1.3 Elicit New Opportunities

    Leapfrog into the future

    Turn trends into growth opportunities.

    To thrive in the digital age, organizations must innovate big, leverage internal creativity, and prepare for flexibility.

    In this digital era, organizations are often playing catch up to a rapidly evolving technological landscape and following a strict linear approach to innovation. However, this linear catch-up approach does not help companies get ahead of competitors. Instead, organizations must identify avenues to skip one or several stages of technological development to leapfrog ahead of their competitors.

    “The best way to predict the future is to invent it.”

    – Alan Kay

    Leapfrogging takes place when an organization introduces disruptive innovation into the market and sidesteps competitors, who are unable to mobilize to respond to the opportunities.

    1.3 Elicit New Opportunities

    Funnel trends into leapfrog ideas

    Go from trend insights into ideas for opportunities

    Brainstorm ways to generate leapfrog ideas from trend insights.

    Dealing with trends is one of the most important tasks for innovation. It provides the basis of developing the future orientation of the organization. However, being aware of a trend is one thing, to develop strategies for response is another.

    To identify the impact the trend has on the organization, consider the four areas of growth for the organization:

    1. New Customers: Leverage the trend to target new customers for existing products or services.
    2. New Business Models: Adjust the business model to capture a change in how the organization delivers value.
    3. New Markets: Enter or create new markets by applying existing products or services to different problems.
    4. New Product or Service Offerings: Introduce new products or services to the existing market.

    1.3 Elicit New Opportunities

    INDUSTRY: Healthcare

    SOURCE: Memorial Sloan Kettering Cancer Center

    Case Study

    Machine Learning Sensor to Sniff Out Cancer

    Challenge

    Solution

    Results

    Timely access to diagnostic services is a key indicator of a cancer patient’s prognosis i.e., outcome. Early detection of cancer means the difference between life and death for cancer patients.

    Typically, cancer biomarkers need to be present to detect cancer. Often the presence of these biomarkers is late in the disease state when the cancer cells have likely spread, resulting in suspicions of cancer only when the patient does not feel well or suspects something is wrong.

    Researchers in partnership with IBM Watson at Memorial Sloan Kettering Cancer Center (MSK) have created a tool that can sniff for and identify cancer in a blood sample using machine learning.

    Originally, MSK worked with IBM Watson to identify machine learning as an emerging technology that could drive early cancer detection without the use of cancer biomarkers. But they needed to find specific use cases. After a series of concept prototypes, they were able to use machine learning to detect patterns in blood cells vs. cancer biomarkers to detect cancer disease.

    Machine learning was an emerging trend that researchers at MSK felt held great promise. They needed to turn the trend into tangible opportunities by identifying some key use cases that could be prototyped.

    Computational tools in oncology have the ability to greatly reduce clinician labor, improve the consistency of variant classification, and help accelerate the analytics of vast amounts of clinical data that would be prone to errors and delays when done manually.

    From trends to leapfrog ideas

    Additional Examples in the Appendix

    Example of leapfrog ideas that can generate opportunities for consideration

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New stakeholder segment

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services and experiences

    Virtualize Registration

    Empower patients as consumers of healthcare partners

    Direct B2C to close gap between providers and patients by removing middle administrative overhead.

    24/7 On-Demand Patient Portal

    Leverage AI to develop chatbots and on-demand

    Phase 1: Deliverable

    Phase 1 Deliverable

    Example of output from phase 1 ideation session

    Business Objectives

    New Customers

    (Customer Experience)

    New Markets

    (Health Outcomes)

    New Business or

    Operating Models

    (Operational Excellence)

    New Service Offering

    (Value for Money)

    Description:

    Focus on improving experiences for patients and providers

    Improve quality and standards of care to continually drive better health outcomes

    Deliver care better, faster, and more efficiently

    Reduce cost per capital of delivery care and increase value for services

    Trends:

    • Global workforce shortage due to ageing demographics
    • Clinicians are burnt-out and unable to practice at the top of their profession
    • On-demand care/mobile/wearables
    • Virtual care
    • Faster access to quality service
    • Help navigating complex medical ecosystem from primary to acute to community
    • Standardize care across regions
    • New models of care to expand capacity
    • Improve medication errors
    • Opportunities to use genomics to design personalized medicine
    • Automate tasks
    • Leverage AI and robotics more effectively
    • Regulatory colleges consolidation mandate
    • Use data and analytics to forecast capacity and health outcomes
    • Upskill vs. virtualize workforce
    • Payment reform i.e., move to value-based care vs. fee-for-service
    • Consolidation of back-office functions like HR, supply chain, IT, etc. to reduce cost i.e., shared services model

    Digital Opportunities:

    1. Virtual health command center
    2. Self-scheduling patient portal
    3. Patient way-finder
    4. Smart glucometer for diabetes
    1. Machine learning for early detection of cancer
    2. Visualization tools for capacity planning and forecasting
    3. Contact tracing apps for public health
    1. Build advanced analytics capabilities with new skills and business intelligence tools
    2. Pharmacy robotics
    3. Automate registration
    1. Automate provider billing solution
    2. Payment gateways – supplier portal in the cloud

    Phase 2

    Evaluate Opportunities and Business Capabilities

    Build a better understanding of the opportunities and their impact on your business.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 2

    Evaluate Opportunities and Business Capabilities

    2.1

    CREATE OPPORTUNITY PROFILES

    Evaluate each opportunity

    Some opportunities will have an immediate and significant impact on your business. Some may have a significant impact but on a longer time scale or some may be unlikely to have a significant impact at all. Understanding these trends is an important context for your digital business strategy.

    Consider:

    • Does this opportunity conform with your guiding principles?
    • Can this opportunity feasibly deliver the anticipated benefits?
    • Is this opportunity desired by your stakeholders?

    Avoid:

    • Overly vague language. Opportunities need to be specific enough to evaluate what impact they will have.
    • Simply following what competitors are doing. Be ambitious and tailor your digital strategy to your organizational values, goals, and priorities.
    2.2

    UNDERSTAND THE IMPACT OF OPPORTUNITIES ON BUSINESS CAPABILITIES

    Understand the impact across your value chains

    Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities. You need to assess their impacts across value chains. Does the opportunity impact existing value chain(s) or create a new value chain?

    Consider:

    • How well does this opportunity align with your digital vision, mission, and goals?
    • What will be the overall impact of this opportunity?
    • How urgently must you act?

    Avoid:

    • Guessing. Validate assumptions and use clear, unbiased information to make decisions. Info-Tech has extensive resources to assist in evaluating trends, opportunities, and solutions.
    • Making everything a high priority. Most organizations can only prioritize one to two initiatives at a time.

    2.1 Build an opportunity profile

    Evaluate each opportunity

    Discussion Framework:

    In your discussion, evaluate each opportunity to assess assumptions, value drivers, and benefits.

    Ideas matter, but not all ideas are created equal. Now that you have elicited opportunities, discuss the assumptions, risks, and benefits associated with each new digital opportunity.

    Design Thinking

    Leverage the guiding principles as the guardrails to limit the scope of your new digital opportunities. You may want to consider taking a design-thinking approach to innovation by discussing the merits of each opportunity based on:

    • DesirabilityDesirability: People want it. Does the solution enable the organization to meet the expectations of stakeholders?
    • Feasibility
    • Feasibility: Able to Execute. Do we have the capabilities to deliver e.g., the right skills, partners, technology, and leadership?

    • Viability
    • Viability: Delivers Value. Will this idea meet business goals e.g., cost, revenue, and benefits?

    Source: Adapted from IDEO

    Transform the Business

    Must Prioritize

    Should Plan

    Drive Digital Experiences

    Build Digital Capabilities

    High Value/Low Complexity

    • stakeholders want it
    • easy to implement
    • capabilities exist to deliver
    • creates significant value
    • strategic growth = competitive advantage

    High Value/High Complexity

    • customers want it
    • not easy to implement without carefully planning
    • need to invest in developing capabilities
    • Competitive differentiator

    Low Value/Low Complexity

    • stakeholders don’t want it
    • easy to implement but takes resources away from priority
    • some capabilities exist
    • creates marginal value
    • minimal growth

    Low Value/High Complexity

    • stakeholders don’t want it
    • difficult to implement
    • need to invest in developing capabilities
    • no real strategic growth

    Could Have

    Don’t Need

    Transform Operations

    IMPACT

    COMPLEXITY

    Source: Adapted from MoSCoW prioritization model

    Exemplar: Opportunity Profile

    Example:

    An example of a template to capture the output of discussion.

    Automate the Registration Process Around Admission, Discharge, and Transfer (ADT)

    Description of Opportunity:

    ADT is a critical function of registration that triggers patient identification to support services and billing. Currently, ADT is a heavily manual process with a high degree of errors as a result of human intervention. There is an opportunity to leverage intelligent automation by using RPA and AI.

    Alignment With Business Objectives

    Improve patient outcome

    Drive operational efficiency and effectiveness

    Better experiences for patients

    Business Architecture

    This opportunity may impact the following business capabilities:

    • Referral evaluation
    • Admission, discharge, and transfer management
    • Scheduling management
    • Patient registry management
    • Provider registry management
    • Patient billing
    • Provider billing
    • Finance management
    • EHR/EMR integration management
    • Enterprise data warehouse for reporting
    • Provincial/state quality reporting

    Benefits & Outcomes

    • Reduce errors by manual registration
    • Improve turnaround time for registration
    • Create a consistent customer experience
    • Improve capacity
    • Virtualize low-value work

    Key Risks & Assumptions

    • Need to add skills & knowledge to maintain systems
    • Perception of job loss or change by unions
    • assume documentation of standard work for automation vs. non-standard

    Opportunity Owner

    VP, Health Information Management (HIM)

    Incremental Value

    Reduce errors in patient identity

    • Next Steps
    • Investigate use cases for RPA and AI in registration
    • Build business case for funding

    2.2 Business capabilities impact

    Understand the impact on your business capabilities

    Each opportunity has the potential to impact multiple areas of your business. Prioritize where to start acting on new opportunities based on your business objectives and capabilities.

    You will need:

    Industry Reference Architecture.Industry Reference Architecture

    Activity: 1-2 hours

    1. Using your industry reference architecture, highlight the business capabilities that may be impacted by the opportunity. Use a value chain analysis approach to help with this exercise.
    2. Referring to your Prioritized Opportunities for Transformation, prioritize areas to transform. Priority should be given to low maturity areas that are highly or urgently relevant to your overall strategic goals.
    +
    Prioritized Opportunities for Transformation.Prioritized Opportunities for TransformationPrioritized Business Capability Map.

    2.2 Business capabilities impact

    Start with a value chain analysis

    This will help identify the impact on your business capabilities.

    As we identify and prioritize the opportunities available to us, we need to assess impacts on value chains. Does the opportunity directly impact an existing value chain? Or does it open us to the creation of a new value chain?

    The image contains a screenshot of the value chain analysis.

    The value chain perspective allows an organization to identify how to best minimize or enhance impacts and generate value.

    As we move from opportunity to impact, it is important to break down opportunities into the relevant pieces so we can see a holistic picture of the sources of differentiation.

    Exemplar: Prioritized Business Capability Map

    The image contains a screenshot of the exemplar prioritized business capability map.

    In this example, intelligent automation for referral and admission would create opportunity to virtualize repeatable tasks.

    Phase 3

    ETransform Stakeholder Journeys

    Understand the impact of opportunities across the value chain and possibilities of new or better stakeholder experiences.

    Phase 1Phase 2Phase 3

    Identify New Digitally Enabled Opportunities

    Evaluate Opportunities and Business Capabilities

    Transform Stakeholder Journeys

    Phase 3

    Identify opportunities to transform stakeholder experiences

    3.1 IDENTIFY STAKEHOLDER PERSONA

    Understand WHO gains value from the value chain

    To define a stakeholder scenario, you need to understand whom we are mapping for. Developing stakeholder personas is a great way to understand their needs through a lens of empathy.

    Consider:

    • Keep your stakeholder persona groupings to the core clusters typical of your industry.
    • See it from their perspective not the business’s.

    Avoid:

    • Don’t create a multitude of personas based on discrete nuances.
    3.2 BUILD A STAKEHOLDER JOURNEY

    Identify opportunities to transform the stakeholder experience

    A stakeholder or customer journey helps teams visualize the impact of a given opportunity through a value chain. This exercise uncovers the specific initiatives and features that should be considered in the evolution of the digital strategy.

    Consider:

    • Which stakeholders may be most affected by this opportunity?
    • How might stakeholders feel about a given solution as they move through the journey? What pain points can be solved?

    Avoid:

    • Simply listing steps in a process. Put yourself in the shoes of whoever’s journey you are mapping. What do they care about?
    • Choosing a stakeholder with limited involvement in the process.
    3.3 BREAKDOWN OPPORTUNITIES INTO INITIATIVES ALIGNED TO BUSINESS OBJECTIVES

    Unlock key initiatives to deliver value

    Opportunities need to be broken down into actionable initiatives that can be turned into business cases with clear goals, benefits realization, scope, work plans, and investment ask.

    Consider:

    • Multiple initiatives can be grouped into one opportunity that is similar or in phases.
    • Ensure the initiatives support and enable the business goals.

    Avoid:

    • Creating a laundry list of initiatives.
    • Initiatives that don’t align with business goals.

    Map Stakeholder Journey

    Conduct a journey mapping exercise to further refine and identify value streams to transform.

    Stakeholder Journey Mapping

    Digital Business Strategy Blueprint

    Activity: 4-6 hours

    Our analysts can guide and support you, where needed.

    1. First download the Define Your Digital Business Strategy blueprint to review the Stakeholder Journey Mapping exercise.
    2. Identify a stakeholder persona and a one-journey scenario.
    3. Map a stakeholder journey using a single persona across one-journey scenarios to identify pain points and opportunities to improve experiences and generate value.
    4. Consolidate a list of opportunities for business case prioritization.

    Key Concepts:

    Value Stream: a set of activities to create and capture value for and from the end consumer.

    Value Chain: a string of end-to-end processes that creates value for the consumer.

    Journey Scenario: a specific use case across a value chain (s).

    Members Engaged

    • CIO
    • Business Executives

    Info-Tech

    • Industry Analyst
    • Executive Advisor

    Stakeholder Persona.Stakeholder Persona

    1-Journey Use Case.1-Journey Use Case

    Map Stakeholder Journey 
Map Stakeholder Journey

    Content Leveraged

    • Stakeholder Persona
    • Journey Use Case
    • Map Stakeholder Journey

    Deliverable:

    1. Guiding principles
    2. Strategic growth opportunities

    Download the Define Your Digital Business Strategy blueprint for Customer Journey Mapping Activities

    3.1 Persona identification

    Identify a stakeholder persona and journey scenario

    From value chain to journey scenario.

    Stakeholder personas and scenarios help us build empathy towards our customers. It helps put us into the shoes of a stakeholder and relate to their experience to solve problems or understand how they experience the steps or processes required to accomplish a goal. A user persona is a valuable basis for stakeholder journey mapping.

    A stakeholder persona is a fictitious profile to represent a customer or a user segment. Creating this persona helps us understand who your customers really are and why they are using your service or product.

    A stakeholder scenario describes the situation the journey map addresses. Scenarios can be real (for existing products and services) or anticipated.

    Learn more about applying design thinking methodologies

    3.1 Persona identification

    Identify a stakeholder persona

    Who are you transforming for?

    To define a stakeholder scenario, we need to understand who we are mapping for. In each value chain, we identified a stakeholder who gains value from that value chain. We now need to develop a stakeholder persona: a representation of the end user to gain a strong understanding of who they are, what they need, and their pains and gains.

    One of the best ways to flesh out your stakeholder persona is to engage with the stakeholders directly or to gather the input of those who may engage with them within the organization.

    For example, if we want to define a journey map for a student, we might want to gather the input of students or teaching faculty that have firsthand encounters with different student types and are able to define a common student type.

    Info-Tech Insight

    Run a survey to understand your end users and develop a stronger picture of who they are and what they are seeking to gain from your organization.

    3.1 Persona identification

    Identify stakeholder scenarios to map

    For your digital strategy, leverage the existing and opportunity value chains identified in phases 1 and 2 for journey mapping.

    Identify two existing value chains to be transformed.

    In section 1, we identified existing value chains to be transformed. For example, your stakeholder persona is a registration clerk who is part of the Health Information Management team responsible for registering and adjudicating patient identity.

    The image contains a screenshot example of two existing value chains to be transformed.

    Identify one new value chain.

    In section 2, we identified a new value chain. However, for a new opportunity, the scenario is more complex as it may capture many different areas of a value chain. Subsequently, a journey map for a new opportunity may require mapping all parts of the value chain.

    The image contains a screenshot of one value chain.

    3.1 Persona identification

    Example Stakeholder Persona

    Stakeholder demographics

    Name: Anne

    Age: 35

    Occupation: HIM Clerk

    Location: Unity Hospital System

    Pains

    What are their frustrations, fears, and anxieties?

    • Volume of patients to schedule
    • Too many applications to access
    • Data quality is an error
    • Extensive manual entry of data prone to errors
    • Disruptions with calls from patients, doctors, and FOI requests

    What do they need to do?

    What do they want to get done? How will they know they are successful?

    • Automate some non-valuable tasks that can also reduce human errors. Allow patients to self-schedule online or answer FAQs via a chatbox. Would love to have a virtual triage to alleviate volume of calls and redirects.

    Gains

    What are their wants, needs, hopes, and dreams?

    • Reduce errors in data entry for patient identity (reduce manual look-ups).
    • Have standard requests go through a chatbot.
    • Have physicians automate billing through front-end speech recognition software.

    3.1 Persona identification

    Define a journey statement for mapping

    Now that we understand who we are mapping for, we need to define a journey statement to capture the stakeholder journey.

    Leverage the following format to define the journey statement.

    “As a [stakeholder], I need to [prioritized value chain task], so that I can [desired result or overall goal].”

    The image contains a screenshot of a journey statement for mapping.

    3.2 Stakeholder Journey-Map

    Leverage customer journey mapping to capture value chains to be transformed

    Conduct a journey mapping exercise to identify opportunities for innovation or automation.

    A journey-based approach helps an organization understand how a stakeholder moves through a process and interacts with the organization in the form of touch points, channels, and supporting characters. By identifying pain points in the journey and the activity types, we can identify opportunities for innovation and automation along the journey.

    The image contains a screenshot of an example of journey mapping.

    Embrace design-thinking methodologies to elevate the stakeholder journey and build a competitive advantage for your organization.

    3.2 Stakeholder Journey-Map

    Key Concepts

    0. Name: Annie Smith

    Age: 35

    Occupation: HIM Registration Clerk for Unity Hospital System

    Key Concepts.0.Stakeholder Persona

    A fictitious profile of a representative stakeholder group that shares a common yet discrete set of characteristics that embodies how they think, feel, and act.

    1. Journey (Value Chain)

    Describes the end-to-end steps or processes that a customer takes across the value chain that groups a set of activities, interactions, touch-points, and experiences.

    2. Persona’s Goals

    Exemplifies what the persona is thinking and wanting across each specific step of their journey.

    3. Nature of Activity (see detailed definition in this section)

    This section captures two key components: 1) the description of the action or interaction between the personas to achieve their goals, and 2) the classification of the activity to determine the feasibility for automation. The type is based on four main characteristics: 1) routine cognitive, 2) non-routine cognitive , 3) routine manual, and 4) non-routine manual.

    4. Type of Touch-Point

    The channel by which a persona interacts or touches products, services, the organization, or information.

    5. Key Moments & Pain Points

    Captures the emotional experience and value of the persona across each step and interaction.

    6. Metrics

    This section captures the KPIs used to measure the experience, process or activity today. Future KPIs will need to be developed to measure the opportunities.

    7. Opportunities refer to both the possible initiatives to address the persona’s pain points, and the ability to enable business goals.

    3.2 Stakeholder Journey-Map

    Opportunities for Automation: Nature of Activity

    Example
    We identified opportunities for automation

    Categorize the activity type to identify opportunities for automation. While there is no perfect framework for automation, this 4x4 matrix provides a general guide to identifying automation opportunities for consideration.

    Automation example list.Automation Quadrant Analysis

    Info-Tech Insight

    Automation is more than a 1:1 relationship between the defined task or job and automation. When considering automation, look for opportunities to: 1) streamline across multiple processes, 2) utilize artificial intelligence to augment or virtualize manual tasks, and 3) create more structured data to allow for improved data quality over the long-term.

    3.2 Stakeholder Journey-Map

    Example of stakeholder journey output: Healthcare

    Stakeholder: HIM Clerks

    Journey: Follow-up visit of 80-year-old diabetes patient at diabetic clinic outpatient

    Journey

    (Value Chain)

    AppointmentRegistrationIdentity ReconciliationEligibility VerificationTreatment Consult

    Persona’s Goals

    • Confirm appointment
    • Verify referral through provider registry
    • Request medical insurance or care card
    • Enroll patient into CIS
    • Patient registry validation
    • Secondary identification request
    • Verify eligibility through the patient registry
    • Schedule follow referrals & appointments
    • Coding for billing

    Nature of Activity

    Priority

    Priority

    Investigate – ROI

    Investigate – ROI

    Defer

    Type of Touchpoint

    • Telephone (land/mobile)
    • Email
    • CIS Application
    • Verbal
    • Patient registry system
    • Telephone
    • Patient and provider registry
    • CIS
    • Email, call, verbal
    • Physician billing
    • Hospital ERP
    • CIS
    • Paper appointments

    Pain Points & Gains

    • Volume of calls
    • Manual scheduling
    • Too many applications
    • Data entry errors
    • Limited languages
    • Too many applications
    • Data entry errors
    • Too many applications
    • Limited languages
    • Ask patients to repeat info
    • Data entry errors
    • Too many applications
    • Limited languages
    • Ask patients to repeat info
    • Patient identity not linked to physician billing
    • Manual coding entry

    Metrics

    Time to appointment

    Time to enrollment

    Patient mis-match

    Provider mis-match

    Percentage of errors in billing codes

    Opportunities

    • Patient scheduling portal (24/7)
    • Use of AI and chatbots
    • Automate patient matching index digitalization and integration
    • Automate provider matching index digitalization and integration
    • Natural language processing using front-end speech recognition software for billing

    Break opportunities into a series of initiatives aligned to business objectives

    Opportunity 1

    Virtual Registration

    »

    Business Goals

    Initiatives

    Health Outcomes

    Stakeholder Experience

    New Models of Care

    Operational Efficiency

    • Enterprise master patient index integration with patient registry
    • Intelligent automation for outpatient department
    • Customer service chat box for triage FOI1
    • Front-end speech recognition for billing (FESR)

    Opportunity 2

    Machine Learning Pre-Cancer Diagnosis

    »

    Business Goals

    Initiatives

    Health Outcomes

    Stakeholder Experience

    New Models of Care

    Operational Efficiency

    • Enterprise Datawarehouse architecture (build data lake)
    • Build genomics analytics capabilities e.g., recruitment, data-quality review
    • Implementation of machine learning software
    • Supply chain integration with ERP for medical and research supplies
    FOI = Freedom of Information

    Info-Tech Insight

    Evaluate if an opportunity will require a series of discrete activities to execute and/or if they can be a stand-alone initiative.

    Now you are ready to select and prioritize digital initiatives for business case development

    After completing all three phases of activities in this blueprint, you will have compiled a list of new and planned digital initiatives for prioritization and business case development in the next phase.

    Consolidated List of Digital Initiatives.

    Example: Consolidated List of Digital Initiatives

    The next step will focus on prioritizing and building a business case for your top digital initiatives.

    IT Roadmap for your Digital Business Strategy.

    Appendix: Additional Examples

    From trend to leapfrog ideas

    Every idea is a good one, unless you need one that works.

    Additional Examples
    Examples of leapfrog ideas that can generate opportunities for consideration

    Example 1 Finance

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    Open banking

    Account integrators (AISPs)

    Payment integrators
    (PISPs)

    Data monetization

    Social payments

    Example 2: Retail

    Trend

    New Customer

    New Market

    New Business or Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    Virtual cashier

    (RFID Enablement)

    Big-box retailers

    Brick & mortar stores

    Automated stores driving new customer experiences

    Digital cart

    From trend to leapfrog ideas

    Every idea is a good one, unless you need one that works.

    Additional Exemplars in Appendix

    Examples of leapfrog ideas that can generate opportunities for consideration

    Example 3:

    Manufacturing

    Trend

    New Customer

    New Market

    New Business or

    Operating Model

    New Service Offering

    What trend(s) pose a significant impact on your business?

    New customer segments

    Enter or create new markets

    Adjust the business or operating model to capture change in how the business creates and delivers value

    Introduce new digital products, services, and experiences

    IT/OT convergence

    Value-added resellers

    New geographies

    Train quality-control algorithms and sell as a service to other manufacturers

    Quality control as a service

    Case Study: International Airport

    Persona Journey Map: International/Domestic Departure

    Persona: Super Traveler

    Name: Annie Smith

    Age: 35

    Occupation: Engineer, Global Consultant

    Journey Activity Name: Inspired to Travel

    Persona’s Goals

    What Am I Thinking?

    • I am planning on traveling to Copenhagen, Denmark for work.
    • It’s my first time and I need to gather information about the destination, accommodation, costs, departure information, bag weight, etc..

    Nature of Activity

    What Am I Doing?

    • Logging onto airline website
    • Confirming departure gates

    Type of Touchpoint

    • Airport rewards program
    • Airport Website
    • Online hotel eCommerce
    • Social media
    • Transportation services on mobile

    Key moments & pain points

    How Am I Feeling?

    • Frustrated because the airport website is difficult to navigate to get information
    • Annoyed because there is no FAQ online and I have to call; there’s a long wait to speak to someone.
    • Stress & uncertainty (cancellation, logistics, insurance, etc..)

    Metrics

    • Travel dates
    • Trip price & budget

    Opportunities

    • Tailored communication based on search history
    • Specific messaging (e.g., alerts for COVID-19, changes in events, etc.)
    • Interactive VR experience that guides customers through the airport as a navigator

    Related Info-Tech Research

    Tech Trends and Priorities Research Center

    • Access Info-Tech’s Tech Trends reports and research center to learn about current industry trends, shifts in markets, and disruptions that are impacting your industry and sector. This is a great starting place to gain insights into how the ecosystem is changing your business and the impact of these changes on IT.

    Digital Business Strategy

    • Leverage Info-Tech’s Digital Business Strategy to identify opportunities to transform the customer experience.

    Industry Reference Architecture

    • Access Info-Tech’s Industry coverage to accelerate your understanding of your business capabilities and opportunities for automation.

    Contact Your Account Manager

    Research Contributors and Experts

    Joanne Lee

    Joanne Lee

    Principal, Research Director, CIO Strategy

    Info-Tech Research Group

    Kim Osborne-Rodgriguez

    Kim Osborne-Rodgriguez

    Research Director, CIO Strategy

    Info-Tech Research Group

    Joanne is an executive with over 25 years of in digital technology and management consulting across both public and private entities from solution delivery to organizational redesign across Canada and globally.

    Prior to joining Info-Tech Research Group, Joanne was a management consultant within KPMG’s CIO management consulting services and the Western Canada Digital Health Practice lead. She has held several executive roles in the industry with the most recent position as Chief Program Officer for a large $450M EHR implementation. Her expertise spans cloud strategy, organizational design, data and analytics, governance, process redesign, transformation, and PPM. She is passionate about connecting people, concepts, and capital.

    Joanne holds a Master’s in Business and Health Policy from the University of Toronto and a Bachelor of Science (Nursing) from the University of British Columbia.

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach to digital transformation, with a track record of supporting successful implementations.

    Kim holds a Bachelor’s degree in Mechatronics Engineering from University of Waterloo.

    Research Contributors and Experts

    Jack Hakimian

    Jack Hakimian

    Vice President, Research

    Info-Tech Research Group

    Charl Lombard.

    Charl Lombard

    President, Digital Transformation Consulting

    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multi-billion dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served a number of large public sector institutions.

    Prior to joining the Info-Tech Research Group, he worked for leading consulting players such as Accenture, Deloitte, EY, and IBM.

    Jack led digital business strategy engagements as well as corporate strategy and M&A advisory services for clients across North America, Europe, the Middle East, and Africa. He is a seasoned technology consultant who has developed IT strategies and technology roadmaps, led large business transformations, established data governance programs, and managed the deployment of mission-critical CRM and ERP applications.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Charl has more than 20 years of professional services experience, “majoring” in digital transformation and strategic topics. He has led multiple successful Digital Transformation programs across a range of industries like Information technology, hospitality, Advanced Industries, High Tech, Entertainment, Travel and Transport, Insurance & Financial Services, Metals & Mining, Electric Power, Renewable Energy, Telecoms, Manufacturing) across different geographics (i.e., North America, EU, Africa) in both private and public sectors.

    Prior to joining Info-Tech Research Group, Charl was the Vice President of Global Product Management and Strategy (Saber Hospitality Solution), Associate President, McKinsey Transformation Practice, e-Business Practice for PwC, and tech start-up founder and investor.

    Charl is a frequent speaker at innovation and digital transformation conferences and holds an MBA from the University of Cape Town Graduate School of Business, and a bachelor’s degree from the University of Pretoria, South Africa.

    Research Contributors and Experts

    Mike Tweedie

    Mike Tweedie

    Practice Lead, CIO Strategy

    Info-Tech Research Group

    Michael Alemany

    Michael Alemany

    Vice President, Digital Transformation Consulting

    Info-Tech Research Group

    Mike Tweedie brings over 25 years of experience as a technology executive. He’s led several large transformation projects across core infrastructure, application, and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor’s degree in Architecture from Ryerson University.

    Michael is a leader in Info-Tech’s digital transformation consulting practice. He brings over 10 years of experience working with companies across a range of industries. His work experience includes ~4.5 years at McKinsey & Company where he led large-scale transformations for fortune 500 companies. Prior to joining Info-Tech, he worked for Sabre Corp., an SaaS platform provider for the travel and hospitality sector, leading Product Strategy & Operations. Michael holds an MBA from the Tuck School of Business at Dartmouth and a B.S in Business Strategy from Brigham Young University.

    Research Contributors and Experts

    Duane Cooney

    Duane Cooney

    Executive Counselor, Healthcare

    Info-Tech Research Group

    Denis Goulet

    Denis Goulet

    Senior Workshop Director

    Info-Tech Research Group

    Duane brings over 30 years of experiences a healthcare IT leader with a passion for the transformation of people, processes, and technology. He has led large-scale health technology transformation and operations across the enterprise. Before joining Info-Tech, Duane served as the Deputy CIO, Senior Information Technology Director, and Enterprise Architect for both public not-for-profit and private sectors. He has a Bachelors in Computer Science and is a graduate of EDS Operations. He holds certifications in EHR, LEAN/Agile, ITIL, and PMP.

    Denis is an IAF Certified Professional Facilitator who has helped organizations and technology executives develop IT strategies for small to large global enterprises. He firmly believes in a collaborative value-driven approach. Prior to joining Info-Tech Research Group, Denis held several industry positions as CIO, Chief Administrative Office (City Manager), General Manager, and Vice President of Engineering. Denis holds an MBA from Queen’s University and a Diploma in Technology Engineering and Executive Municipal Management.

    Jay Cappis.

    Jay Cappis

    Executive Advisor, Real-Estate

    Info-Tech Research Group

    Christine Brick.

    Christine Brick

    Executive Advisor, Financial Services
    Info-Tech Research Group

    Jay brings over 30 years of experience in management and technology across small and medium enterprises to large global enterprises including Exxon and Xerox. His cross-industry experience includes professional services, commercial real estate, oil and gas, digital start-ups, insurance, and aerospace. Jay has led business process improvements and change management and has expertise in software development lifecycle management and DevOps practices.

    Christine brings over 20 years in IT transformation across DevOps, infrastructure, operations, supply chain, IT Strategy, modernization, cost optimization, data management, and operational risk. She brings expertise in business transformation, mergers and acquisitions, vendor selection, and contract management.

    Bibliography

    Bhatia, AD. “Transforming through disruptions: A conversation with Dan Antonelli. Transformation Insights.” McKinsey & Company. January 31, 2022. Web
    Bertoletti, Antonella and Peter Eeles. “Use an IT Maturity Model.” IBM Garage Methodology. Web. accessed May 30, 2022.
    Catlin, Tanguy, Jay Scanlan, and Paul Willmott. “Raising your Digital Quotient.” McKinsey Quarterly. June 1, 2015. Article
    Custers, Heidi. “Digital Blueprint. Reference Architecture. Deloitte Digital.Accessed May 15, 2022.
    Coundouris, Anthony. “Reviewed: The Top 5 Digital Transformation Frameworks in 2020.” Run-frictionless Blog. Accessed May 15, 2022. Web.
    Daub, Matthias and Anna Wiesinger. “Acquiring the Capabilities you need to go digital.” Business Technology Office – McKinsey and Company. March 2015. Web.
    De La Boutetiere, Alberto Montagner and Angelika Reich. “Unlocking success in digital transformations.” McKinsey and Company. October 2018. Web.
    “Design Thinking Defined.” IDEO.com. November 21, 2022. Web.
    Dorner, Karle and David Edelman. “What ‘Digital’ really means.” McKinsey Digital. July 2015. Web
    “Everything Changed. Or Did it? Harvey Nash KPMG CIO Survey 2020.” KPMG, 2020
    Kane, Gerald C., Doug Palmer, Ahn Nguyen Phillips, David Kiron, Natasha Buckley. “Aligning the organization for its digital future.” Findings from the 2016 Digital Business Global Executive Study and Research Project. MIT Sloan Management Review. July 26, 2016. Web
    LaBerge, Laura, et al. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” McKinsey, 5 Oct. 2020. Accessed 14 June 2021
    Mindtools Content Team. “Cause and Effect Analysis.” Mindtools.com. November 21, 2022. Web.
    “Strategic Foresight.” OECD.org. November 21, 2022, Web
    Sall, Sherman, Dan Lichtenfeld. “The Digital ME Method. Turning digital opportunities into customer engagement and business growth.” Sygnific. 2017. Web.
    Scoblic, J. Peter. “Learning from the Future. How to make robust strategy in times of deep uncertainty.” Harvard Business Review, August 2020.
    Silva, Bernardo and Schoenwaelder, Tom. ‘Why Good Strategies fail. Addressing the three critical strategic tensions.” Deloitte Monitor Group. 2019.

    It wasn't me

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk

    You heard the message before, and yet....  and yet it does not sink in.

    In july 2019 already, according to retruster:

    • The average financial cost of a data breach is $3.86m (IBM)
    • Phishing accounts for 90% of data breaches
    • 15% of people successfully phished will be targeted at least one more time within the year
    • BEC scams accounted for over $12 billion in losses (FBI)
    • Phishing attempts have grown 65% in the last year
    • Around 1.5m new phishing sites are created each month (Webroot)
    • 76% of businesses reported being a victim of a phishing attack in the last year
    • 30% of phishing messages get opened by targeted users (Verizon)

    This is ... this means we, as risk professionals may be delivering our messsage the wrong way. So, I really enjoyed my colleague Nick Felix (who got it from Alison Francis) sending me the URL of this video: Enjoy, but mostly: learn, because we want our children to enjoy the fruits of our work.

    Register to read more …

    Build Your Data Practice and Platform

    • Buy Link or Shortcode: {j2store}347|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management

    The complex nature of data investment leads to de-scoping and delivery of data services that do not meet business needs or give value to the business. Subject matter experts are hired to resolve the problem, but their success is impacted by absent architecture, technology, and organizational alignment.

    Our Advice

    Critical Insight

    Walking through a book of architecture building plans with a personal guide is cheaper and faster than employing an architect to build and design your home.

    Impact and Result

    Info-Tech's approach provides a proven methodology that includes the following:

    • Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives.
    • Comprehensive data practice designed based on the required business and data capabilities.
    • Data platform design based on Info-Tech data architecture reference patterns and prioritized data initiatives and capabilities.

    Build Your Data Practice and Platform Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Your Data Practice and Platform Storyboard – A step-by-step document that leverages road-tested patterns and frameworks to properly build your data practice and pattern in continuous alignment with the business landscape.

    Info-Tech's approach provides a proven methodology that includes following:   

  • Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives.
  • Comprehensive data practices designed based on the required business and data capabilities.
    • Build Your Data Practice and Platform Storyboard

    2. Data Practice and Platform Models – Leveraging best-of-breed frameworks to help you build a clear, concise, and compelling data practice and platform.

    Data practice & platform pre-build pattern templates based on Info-Tech data reference patterns and data platform design best practices.

    • Data Practice and Platform Models

    Infographic

    Workshop: Build Your Data Practice and Platform

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value

    The Purpose

    Establish business context and value.

    Key Benefits Achieved

    Business context and strategic driver.

    Activities

    1.1 Understand/confirm the organization's strategic goals

    1.2 Classify the strategic goals and map to business drivers

    1.3 Identify the business capabilities that the strategy focuses on

    1.4 Identify the business processes realizing the strategy

    Outputs

    Business context and strategic drivers

    Prioritized business capabilities and processes

    Data culture survey results analysis

    2 Identify Your Top Initiatives

    The Purpose

    Identify your top initiatives.

    Key Benefits Achieved

    High-value business-aligned data initiative.

    Activities

    2.1 Highlight data-related outcomes/goals to realize to fulfill the business goal

    2.2 Map business data initiatives to the business strategic goals

    2.3 Prioritize data initiatives

    Outputs

    High-value, business-aligned data initiatives

    3 Analyze Data Challenges

    The Purpose

    Analyze data challenges.

    Key Benefits Achieved

    Clear understanding of the data challenges.

    Activities

    3.1 Map data challenges to Info-Tech data challenges

    3.2 Review Info-Tech data capabilities based on prioritized initiatives

    3.3 Discuss data platform and practice next steps

    Outputs

    List of data challenges preventing data maturation with the organization

    4 Map Data Capability

    The Purpose

    Map data capability.

    Key Benefits Achieved

    Prioritized data capability.

    Activities

    4.1 Map data challenges to Info-Tech data challenges

    4.2 Review Info-Tech data capabilities based on prioritized initiatives

    4.3 Discuss data platform and practice next steps

    Outputs

    Required data capabilities

    Data platform and practice – plan

    Initialized data management RACI 

    Further reading

    Build Your Data Practice and Platform

    Construct a scalable data foundation

    Analyst Perspective

    Build a data practice and platform that delivers value to your organization.

    The build or optimization of your data practice and data platform must be predicated on a thorough understanding of the organization’s goals, objectives, and priorities and the business capabilities and process they are meant to support and enable.

    Formalizing your practice or constructing your platform just for the sake of doing so often results in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.

    Leverage Info-Tech’s approach and incorporate our pre-built models and patterns to effectively navigate that crucial and often difficult phase upfront of comprehensively defining business data needs so you can ultimately realize faster time-to-delivery of your overall data practice and platform.

    Photo of Rajesh Parab, Director, Research & Advisory, Data & Analytics Practice, Info-Tech Research Group.

    Rajesh Parab
    Director, Research & Advisory, Data & Analytics Practice
    Info-Tech Research Group

    Photo of Crystal Singh, Director, Research & Advisory, Data & Analytics Practice, Info-Tech Research Group.

    Crystal Singh
    Director, Research & Advisory, Data & Analytics Practice
    Info-Tech Research Group

    Attempting to Solve Data Problems?

    Situation
    • Lack of data centric leadership results in downstream issues such as integration, quality, and accessibility.
    • The complex nature of the data and lack of understanding leads to de-scoping delivery of data services that does not meet business needs or add value.
    • Poorly designed practice and siloed platforms result in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.
    Complication
    • Data problem: When the data problem is diagnosed, the organization adopts a tactical approach.
    • Confirmation bias: Subject matter experts (SME) are hired to resolve the poorly defined problem, but the success of the SME is impacted by lack of architecture, technology, and organizational alignment.
    • Still no value: The selected tactical approach does not provide a solid foundation or solve your data problem.
    • Strategy for sake of strategy: Implementing a strategic approach for the sake of being strategic but this becomes overwhelming.
    • Fall back to tactical and operational: The data services are now potentially exposed and vulnerable, which strains business continuity and increases data debt.
    • Increased complexity and risk: Data silos, poor understanding, and high complexity results in an unmanageable data environment.
    Resolution
    • Requirements: Define and align your data requirement to business.
    • Capabilities: Discover data, identify data capabilities, and map your requirements.
    • Practices: Design and select fit-for-purpose data practices.
    • Platform: Optimize your data platform investments though sound architecture.

    Info-Tech Insight

    The true value of data comes from defining intentional relationships between the business and the data through a well thought out data platform and practice.

    Situation – Perpetual Data Problem

    Diagram of a head with gears around it and speech bubbles with notes titled 'Data Problem'. The surrounding gears, clockwise from bottom left, say 'Accessibility', 'Trust', 'Data Breach', 'Ambiguity', 'Ownership', 'Duplication', 'System Failure', and 'Manual Manipulation'. The speech bubbles notes, clockwise from bottom left, say 'Value-Add: How do I translate business needs to data capabilities?', 'Practice Organization: How do I organize resources and roles assignment challenges?', 'Platform: How do I organize data flows with no conceptual view of the environment?', and 'Break Down Silos: How do I break down silos?'
    I can’t access the data.
    I don’t trust the data in the report.
    It takes too long to get to the data for decision making
    • Lack of data-centric leadership results in downstream issues: integration, quality, accessibility
    • The organization’s data is too complex to manage without a cohesive plan.
    • The complex nature of the data and a lack of understanding leads to de-scoping delivery of data services that does not meet business needs or add value.
    • Poorly designed practice and siloed platforms result in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.

    Complication – Data Initiative Fizzles Out

    • Data problem: When the data problem is diagnosed the organization adopts a tactical approach.
    • Confirmation bias: Subject matter experts (SME) are hired to resolve the poorly defined problem, but the success of the SME is impacted by lack of architecture, technology, and organizational alignment.
    • Still no value: the selected tactical approach does not provide a solid foundation or solve your data problem.
    • Strategy for sake of strategy: Implementing a strategic approach for sake of being strategic but this becomes overwhelming.
    • Fall back to tactical and operational: The data services are now potentially exposed and vulnerable, which strains business continuity and increases data debt.
    • Increased complexity and risk: Data silos, poor understanding, and high complexity result in an unmanageable data environment.
    Flowchart beginning with 'Data Symptom Exhibited' and 'Data Problem Diagnosed', then splitting into two paths 'Solve Data Problem as a point solution' or 'Attempt Strategic approach without culture, capacity, and business leadership'. Each approach ends with 'Data too complex, and initiative fizzles out...' and cycles back to the beginning.
    Use the road-tested patterns and frameworks in our blueprint to break the perpetual data solution cycle. Focus on the value that a data and analytics platform will bring rather than focusing on the data problems alone.

    Build Your Data Practice and Platform

    Bring Your Data Strategy to Life

    Logo for Info-Tech.
    Logo for #iTRG.
    CONVENTIONAL WISDOM

    Attempting to Solve Your Data Problems

    DATA SYMPTOM EXHIBITED

    Mismatch report, data quality issue, or similar symptom of a data problem.

    DATA PROBLEM DIAGNOSED

    Data expert identifies it as a data problem.

    COMPLEX STRATEGIC APPROACH ATTEMPTED

    Recognized need to attempt it strategically, but don't have capacity or culture to execute.

    Cycle diagram titled 'Data Problems' with numbers connected to surrounding steps, and a break after Step 3 where one can 'BREAK THE CYCLE'. In the middle are a list of data problems: 'Accessibility’, ‘Data Breach', 'Manual Manipulation', 'System Failure', 'Ambiguity', 'Duplication', 'Ownership', and 'Trust'.
    SOLUTION FAILS

    The tactical solution fails to solve the root cause of the data problem, and the data symptoms persist.

    TACTICAL SOLUTION FALLBACK

    A quick and dirty solution is attempted in order to fix the data problem.

    THE COMPLEX APPROACH FIZZLES OUT

    Attempted strategic approach takes too long, fizzles out.

    BREAK THE CYCLE

    Solving Your Data Problems

    1. DEFINE YOUR DATA REQUIREMENTS Incorporate a Business to Data Approach by utilizing Info-Tech's business capability templates for identifying data needs. BUSINESS-ALIGNED DATA REQUIREMENTS
    2. CONDUCT YOUR DATA DISCOVERY Understand the data behind your business problem. Identify the required data capabilities and domains as required by your business processes. RECOMMENDED DATA CAPABILITIES
    3. DESIGN YOUR DATA PRACTICES Build your custom data practices based on the predefined reusable models. CUSTOMIZED DATA PRACTICE
    4. ARCHITECT YOUR DATA PLATFORM Build your custom data platform based on the redefined reusable architecture patterns. CUSTOMIZED DATA PLATFORM
    CONTINUOUS PHASE: ROADMAP, SPONSORSHIP FEEDBACK AND DELIVERY

    Develop a roadmap to establish the practice and implement the architecture as designed. Ensure continuous alignment of the practice and architecture with the business landscape.

    Phase-by-Phase Approach to Build Your Data Practice and Platform

    Flowchart detailing the path to take through the four phases of this blueprint beginning with the 'Inputs' and 'People' involved and incorporating 'Deliverables' along the way. Phase-by-Phase Approach
    • Phase 1: Step 1 – Define Your Data Requirement
    • Phase 1: Step 2 – Conduct Your Data Discovery
    • Phase 2 – Design Your Data Practice
    • Phase 3 – Architect Your Data Platform

    Measure value when building your data practice and platform

    Sample Data Management Metrics

    Lists of data management metrics in different categories.

    • Refine the metrics for the overall Data Management practice and every initiative therein.
    • Refine the metrics at each platform and practice component to show business value against implementation effort.

    Understand and Build Data Culture

    See your Info-Tech Account Representative for more details on our Data Culture Diagnostic

    Only 14.29% of Transportation and Logistics respondents agree BI and Analytics Process and Technology are sufficient What is a diagnostic?

    Our diagnostics are the simplest way to collect the data you need, turn it into actionable insights, and communicate with stakeholders across the organization.

    52.54% of respondents from the healthcare industry are unaware of their organization’s data security policy
    Ask the Right Questions

    Use our low-effort surveys to get the data you need from stakeholders across the organization.

    Use Our Diagnostic Engine

    Our diagnostic engine does all the heavy lifting and analysis, turning your data into usable information.

    Communicate & Take Action

    Wow your executives with the incredible insights you've uncovered. Then, get to action: make IT better.

    On average only 40% agree that they have the reporting when needed


    (Source: Info-Tech’s Data Culture Diagnostic, 53 Organizations, 3138 Responses)

    35% of respondents feel that a governance body is in place looking at strategic data

    Build a Data-Driven Strategy Using Info-Tech Diagnostic Programs

    Make informed IT decisions by starting your diagnostic program today. Your account manager is waiting to help you.
    Sample of Info-Tech's 'Data Culture Scorecard'.

    Use Our Predefined Data and Analytics Patterns to Build Your DnA Landscape

    Walking through a book of architecture building plans with a personal guide is cheaper and faster than employing an architect to build and design your home

    Two books titled 'The Everything Homebuilding Book' and 'Architecture 101'. An open book with a finger pointing to a diagram.

    The first step is to align business strategy with data strategy and then start building your data practice and data platform

    Flowchart starting with business strategy focuses, then to data strategy focuses, and eventually to 'Data Metrics'.

    Insights

    The true value of data comes from defining intentional relationships between the business and the data through a well-thought-out data platform and practice.

    • Phase 1
      • Some organizations are low maturity so using the traditional Capability Maturity Model Integration (CMMI) would not make sense. A great alternative is to leverage existing models and methodologies to get going off the bat.
      • The Data Strategy is an input into the platform and practice. This is considered the Why; Data Practice and Platform is the How.
    • Phase 2
      • Info-Tech’s approach is business-goal driven and it leverages patterns, which enable the implementation of critical and foundational components and subsequently facilitates the evolution and development of the practice over time.
      • Systems should not be designed in isolation. Cross-functional collaboration throughout the design is critical to ensure all types of issues are revealed early. Otherwise, crucial tests are omitted, deployments fail, and end-users are dissatisfied.
    • Phase 3
      • Build your conceptual data architecture based on well-thought-out formulated patterns that align with your organization’s needs and environment.
      • Functional needs often take precedence over quality architecture. Quality must be baked into design, execution, and decision-making practices to ensure the right trade-offs are made.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Info-Tech’s Methodology for Building Your Data Practice and Platform

    Phase 1 –
    Define Your Data Requirements and Conduct Your Data Discovery
    Phase 2 –
    Design Your Data Practices
    Phase 3 –
    Architect Your Data Platform
    Phase Steps
    1. Identify your top initiatives
    2. Map your data initiatives to data capabilities
    1. Understand the practices value statement
    2. Review the Info-Tech practice pattern
    3. Initiate your practice design and setup
    1. Identify your data component
    2. Refine your data platform architecture
    3. Design your data platform
    4. Identify your new components and capabilities
    5. Initiative platform build and rollout
    Phase Outcomes Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives Comprehensive data practice design based on the required business and data capabilities Data platform design based on Info-Tech data architecture reference pattern and prioritized data initiatives and capabilities

    Data Platform and Practice Implementation Plan

    Example timeline for data platform and practice implementation plan with 'Fiscal Years' across the top, and below they're broken down into quarters. Along the left side 'Phase 1: Step 1...', 'Phase 1: Step 2...', 'Phase 2...' and 'Phase 3'. Tasks are mapped onto the timeline in each phase with a short explanation.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Info-Tech’s Workshop support for Build Your Data Practice and Platform. 'Build Your Data Practice and Platform' slide from earlier.
    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Workshop 1

    Data Needs and Discovery

    Workshop 2

    Data Practice Design

    Workshop 3

    Data Platform Design

    Workshop 1:
    Data Needs and Discovery

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1 Day 2 Day 3 Day 4
    Establish Business Context and Value
    Identify Your Top Initiatives
    Analyze Data Challenges
    Map Data Capability
    Activities

    1.1 Understand/confirm your organization’s strategic goals

    1.2 Classify the strategic goals and map to business drivers

    1.3 Identify the business capabilities that the strategy focus is on

    1.4 Identify the business processes realizing the strategy

    2.1 Highlight data-related outcomes /goals to realize to fulfill the business goal

    2.2 Map business data initiatives to the business strategic goals

    2.3 Prioritize Data initiatives

    3.1 Understand data management capabilities and framework

    3.2 Classify business data requirements using Info-Tech’s classification approach

    3.3 Highlight data challenges in your current environment

    4.1 Map data challenges to Info-Tech data challenges

    4.2 Review Info-Tech data capabilities based on prioritized initiative

    4.3 Discuss Data Platform and Practice Next Steps

    Deliverables
    • Business context and strategic drivers
    • Prioritized business capabilities and processes
    • Data Culture Survey results analysis
    • High-value business-aligned data initiative
    • List of data challenges preventing data maturation with the organization
    • Required data capabilities
    • Data platform and practice – plan
    • Initialized data management RACI
    Participants Business stakeholder, Business leader Business Subject Matter Expert, Data IT sponsor (CIO), Head of Data, Data Architect Business stakeholder, Business leader Business Subject Matter Expert, Data IT sponsor (CIO), Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect

    Workshop 2:
    Data Practice Design

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1 Day 2 Day 3 Day 4
    Plan Your Data Practices
    Design Your Data Practices 1
    Design Your Data Practices 2
    Design Your Data Practices 3
    Activities

    Prerequisite: Business context, business data requirement, and data capabilities

    1.1 Understand data practice framework

    1.2 Define your practice implementation approach

    1.3 Review and update data management RACI

    2.1 Understand Info-Tech data practice patterns for each prioritized practice

    2.2 Define your practice setup for each prioritized practice

    2.3 Highlight critical processes for each practice

    3.1 Understand Info-Tech data practice patterns for each prioritized practice

    3.2 Define your practice setup for each prioritized practice

    3.3 Highlight critical processes for each practice

    4.1 Understand Info-Tech data practice patterns for each prioritized practice

    4.2 Define your practice setup for each prioritized practice

    4.3 Highlight critical processes for each practice

    4.4 Discuss data platform and practice next steps

    Deliverables
    • Data practice implementation approach
    • Data management RACI
    • Data practice setup pattern for your organization
    • Data practice process pattern for your organization
    • Data practice setup pattern for your organization
    • Data practice process pattern for your organization
    • Data practice setup pattern for your organization
    • Data practice process pattern for your organization
    • Data platform and practice – plan
    Participants Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect

    Workshop 3:
    Data Platform Design

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1Day 2Day 3Day 4
    Data Platform Overview
    Update Data Platform Reference Architecture
    Design Your Data Platform
    Design Your Data Practices 4
    Activities

    Prerequisite: Business context, business data requirement, and data capabilities

    1.1 Understand data platform framework and data capabilities

    1.2 Understand key data architecture principles and best practices

    1.3 Shortlist data platform patterns

    2.1 Map and identify data capabilities to data platform components

    2.2 Build data platform architecture using Info-Tech data platform reference architecture

    2.3 Highlight critical processes for each practice

    3.1 Design your target data platform using Info-Tech’s data platform template

    3.2 Identify new capabilities and components in your platform design

    4.1 Identify new capabilities and component in your platform design

    4.2 Discuss data platform initiatives

    Deliverables
    • Shortlisted data platform patterns
    • Data platform reference architecture for your organization
    • Data platform design for your organization
    • Data platform plan
    ParticipantsData experts, Business Subject Matter Expert, Head of Data, Data ArchitectData experts, Business Subject Matter Expert, Head of Data, Data ArchitectData experts, Business Subject Matter Expert, Head of Data, Data ArchitectData experts, Business Subject Matter Expert, Head of Data, Data Architect

    Build Your Data Practice and Platform

    Phase 1

    Phase 1: Step 1 – Define Your Data Requirements
    Phase 1: Step 2 – Conduct Your Data Discovery

    Phase 1

    1.1 Define Your Data Requirements
    1.2 Conduct Your Data Discovery

    Phase 2 Phase 3

    Phase 1: Step 1 – Define Your Data Requirements will walk you through the following activities:

    • Confirm the organizational strategic goals, business drivers, business capabilities, and processes driving the Data Practice and Platform effort.
    • Identify the data related outcomes, goals, and ideal environment needed to fulfill the business goals.

    This phase involves the following participants:

    A blend of business leaders and business SMEs together with the Data Strategy team.

    Phase 1: Step 2 – Conduct Your Data Discovery will walk you through the following activities:

    • Identify and highlight the data challenges faced in achieving the desired outcome.
    • Map the data challenges to the data capabilities required to realize the desired data outcome.

    This phase involves the following participants:

    Key personnel from IT/Data team: (Data Architect, Data Engineers, Head of Head of Reporting and Analytics)

    Redesign Your IT Organizational Structure

    • Buy Link or Shortcode: {j2store}275|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $71,830 Average $ Saved
    • member rating average days saved: 25 Average Days Saved
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design

    Most organizations go through an organizational redesign to:

    • Better align to the strategic objectives of the organization.
    • Increase the effectiveness of IT as a function.
    • Provide employees with clarity in their roles and responsibilities.
    • Support new capabilities.
    • Better align IT capabilities to suit the vision.
    • Ensure the IT organization can support transformation initiatives.

    Our Advice

    Critical Insight

    • Organizational redesign is only as successful as the process leaders engage in. It shapes a story framed in a strong foundation of need and a method to successfully implement and adopt the new structure.
    • Benchmarking your organizational redesign to other organizations will not work. Other organizations have different strategies, drivers, and context. It’s important to focus on your organization, not someone else's.
    • You could have the best IT employees in the world, but if they aren’t structured well your organization will still fail in reaching its vision.

    Impact and Result

    • We are often unsuccessful in organizational redesign because we lack an understanding of why this initiative is required or fail to recognize that it is a change initiative.
    • Successful organizational design requires a clear understanding of why it is needed and what will be achieved by operating in a new structure.
    • Additionally, understanding the impact of the change initiative can lead to greater adoption by core stakeholders.

    Redesign Your IT Organizational Structure Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Redesign Your IT Organizational Structure Deck – A defined method of redesigning your IT structure that is founded by clear drivers and consistently considering change management practices.

    The purpose of this storyboard is to provide a four-phased approach to organizational redesign.

    • Redesign Your IT Organizational Structure – Phases 1-4

    2. Communication Deck – A method to communicate the new organizational structure to critical stakeholders to gain buy-in and define the need.

    Use this templated Communication Deck to ensure impacted stakeholders have a clear understanding of why the new organizational structure is needed and what that structure will look like.

    • Organizational Design Communications Deck

    3. Redesign Your IT Organizational Structure Executive Summary Template – A template to secure executive leadership buy-in and financial support for the new organizational structure to be implemented.

    This template provides IT leaders with an opportunity to present their case for a change in organizational structure and roles to secure the funding and buy-in required to operate in the new structure.

    • Redesign Your IT Organizational Structure Executive Summary

    4. Redesign Your IT Organizational Structure Workbook – A method to document decisions made and rationale to support working through each phase of the process.

    This Workbook allows IT and business leadership to work through the steps required to complete the organizational redesign process and document key rationale for those decisions.

    • Redesign Your IT Organizational Structure Workbook

    5. Redesign Your IT Organizational Structure Operating Models and Capability Definitions – A tool that can be used to provide clarity on the different types of operating models that exist as well as the process definitions of each capability.

    Refer to this tool when working through the redesign process to better understand the operating model sketches and the capability definitions. Each capability has been tied back to core frameworks that exist within the information and technology space.

    • Redesign Your IT Organizational Structure Operating Models and Capability Definitions

    Infographic

    Workshop: Redesign Your IT Organizational Structure

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Organizational Design Foundation

    The Purpose

    Lay the foundation for your organizational redesign by establishing a set of organizational design principles that will guide the redesign process.

    Key Benefits Achieved

    Clearly articulate why this organizational redesign is needed and the implications the strategies and context will have on your structure.

    Activities

    1.1 Define the org design drivers.

    1.2 Document and define the implications of the business context.

    1.3 Align the structure to support the strategy.

    1.4 Establish guidelines to direct the organizational design process.

    Outputs

    Clear definition of the need to redesign the organizational structure

    Understanding of the business context implications on the organizational structure creation.

    Strategic impact of strategies on organizational design.

    Customized Design Principles to rationalize and guide the organizational design process.

    2 Create the Operating Model Sketch

    The Purpose

    Select and customize an operating model sketch that will accurately reflect the future state your organization is striving towards. Consider how capabilities will be sourced, gaps in delivery, and alignment.

    Key Benefits Achieved

    A customized operating model sketch that informs what capabilities will make up your IT organization and how those capabilities will align to deliver value to your organization.

    Activities

    2.1 Augmented list of IT capabilities.

    2.2 Capability gap analysis

    2.3 Identified capabilities for outsourcing.

    2.4 Select a base operating model sketch.

    2.5 Customize the IT operating model sketch.

    Outputs

    Customized list of IT processes that make up your organization.

    Analysis of which capabilities require dedicated focus in order to meet goals.

    Definition of why capabilities will be outsourced and the method of outsourcing used to deliver the most value.

    Customized IT operating model reflecting sourcing, centralization, and intended delivery of value.

    3 Formalize the Organizational Structure

    The Purpose

    Translate the operating model sketch into a formal structure with defined functional teams, roles, reporting structure, and responsibilities.

    Key Benefits Achieved

    A detailed organizational chart reflecting team structures, reporting structures, and role responsibilities.

    Activities

    3.1 Categorize your IT capabilities within your defined functional work units.

    3.2 Create a mandate statement for each work unit.

    3.3 Define roles inside the work units and assign accountability and responsibility.

    3.4 Finalize your organizational structure.

    Outputs

    Capabilities Organized Into Functional Groups

    Functional Work Unit Mandates

    Organizational Chart

    4 Plan for the Implementation & Change

    The Purpose

    Ensure the successful implementation of the new organizational structure by strategically communicating and involving stakeholders.

    Key Benefits Achieved

    A clear plan of action on how to transition to the new structure, communicate the new organizational structure, and measure the effectiveness of the new structure.

    Activities

    4.1 Identify and mitigate key org design risks.

    4.2 Define the transition plan.

    4.3 Create the change communication message.

    4.4 Create a standard set of FAQs.

    4.5 Align sustainment metrics back to core drivers.

    Outputs

    Risk Mitigation Plan

    Change Communication Message

    Standard FAQs

    Implementation and sustainment metrics.

    Further reading

    Redesign Your IT Organizational Structure

    Designing an IT structure that will enable your strategic vision is not about an org chart – it’s about how you work.

    EXECUTIVE BRIEF

    Analyst Perspective

    Structure enables strategy.

    The image contains a picture of Allison Straker.

    Allison Straker

    Research Director,

    Organizational Transformation

    The image contains a picture of Brittany Lutes.

    Brittany Lutes

    Senior Research Analyst,

    Organizational Transformation

    An organizational structure is much more than a chart with titles and names. It defines the way that the organization operates on a day-to-day basis to enable the successful delivery of the organization’s information and technology objectives. Moreover, organizational design sees beyond the people that might be performing a specific role. People and role titles will and often do change frequently. Those are the dynamic elements of organizational design that allow your organization to scale and meet specific objectives at defined points of time. Capabilities, on the other hand, are focused and related to specific IT processes.

    Redesigning an IT organizational structure can be a small or large change transformation for your organization. Create a structure that is equally mindful of the opportunities and the constraints that might exist and ensure it will drive the organization towards its vision with a successful implementation. If everyone understands why the IT organization needs to be structured that way, they are more likely to support and adopt the behaviors required to operate in the new structure.

    Executive Summary

    Your Challenge

    Your organization needs to reorganize itself because:

    • The current IT structure does not align to the strategic objectives of the organization.
    • There are inefficiencies in how the IT function is currently operating.
    • IT employees are unclear about their role and responsibilities, leading to inconsistencies.
    • New capabilities or a change in how the capabilities are organized is required to support the transformation.

    Common Obstacles

    Many organizations struggle when it comes redesigning their IT organizational structure because they:

    • Jump right into creating the new organizational chart.
    • Do not include the members of the IT leadership team in the changes.
    • Do not include the business in the changes.
    • Consider the context in which the change will take place and how to enable successful adoption.

    Info-Tech’s Approach

    Successful IT organization redesign includes:

    • Understanding the drivers, context, and strategies that will inform the structure.
    • Remaining objective by focusing on capabilities over people or roles.
    • Identifying gaps in delivery, sourcing strategies, customers, and degrees of centralization.
    • Remembering that organizational design is a change initiative and will require buy-in.

    Info-Tech Insight

    A successful redesign requires a strong foundation and a plan to ensure successful adoption. Without these, the organizational chart has little meaning or value.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Redesign the IT structure to align to the strategic objectives of the enterprise.
    • Increase the effectiveness in how the IT function is operating in the organization.
    • Provide clarity to employees around their roles and responsibilities.
    • Ensure there is an ability to support new IT capabilities and/or align capabilities to better support the direction of the organization.
    • Align the IT organization to support a business transformation such as becoming digitally enabled or engaging in M&A activities.

    Organizational design is a challenge for many IT and digital executives

    69% of digital executives surveyed indicated challenges related to structure, team silos, business-IT alignment, and required roles when executing on a digital strategy.

    Source: MIT Sloan, 2020

    Common obstacles

    These barriers make IT organizational redesign difficult to address for many organizations:

    • Confuse organizational design and organizational charts as the same thing.
    • Start with the organizational chart, not taking into consideration the foundational elements that will make that chart successful.
    • Fail to treat organizational redesign as a change management initiative and follow through with the change.
    • Exclude impacted or influential IT leaders and/or business stakeholders from the redesign process.
    • Leverage an operating model because it is trending.

    To overcome these barriers:

    • Understand the context in which the changes will take place.
    • Communicate the changes to those impacted to enable successful adoption and implementation of a new organizational structure.
    • Understand that organizational design is for more than just HR leaders now; IT executives should be driving this change.

    Succeed in Organizational Redesign

    75% The percentage of change efforts that fail.

    Source: TLNT, 2019

    55% The percentage of practitioners who identify how information flows between work units as a challenge for their organization.

    Source: Journal of Organizational Design, 2019

    Organizational design defined

    If your IT strategy is your map, your IT organizational design represents the optimal path to get there.

    IT organizational design refers to the process of aligning the organization’s structure, processes, metrics, and talent to the organization’s strategic plan to drive efficiency and effectiveness.

    Why is the right IT organizational design so critical to success?

    Adaptability is at the core of staying competitive today

    Structure is not just an organizational chart

    Organizational design is a never-ending process

    Digital technology and information transparency are driving organizations to reorganize around customer responsiveness. To remain relevant and competitive, your organizational design must be forward looking and ready to adapt to rapid pivots in technology or customer demand.

    The design of your organization dictates how roles function. If not aligned to the strategic direction, the structure will act as a bungee cord and pull the organization back toward its old strategic direction (ResearchGate.net, 2014). Structure supports strategy, but strategy also follows structure.

    Organization design is not a one-time project but a continuous, dynamic process of organizational self-learning and continuous improvement. Landing on the right operating model will provide a solid foundation to build upon as the organization adapts to new challenges and opportunities.

    Understand the organizational differences

    Organizational Design

    Organizational design the process in which you intentionally align the organizational structure to the strategy. It considers the way in which the organization should operate and purposely aligns to the enterprise vision. This process often considers centralization, sourcing, span of control, specialization, authority, and how those all impact or are impacted by the strategic goals.

    Operating Model

    Operating models provide an architectural blueprint of how IT capabilities are organized to deliver value. The placement of the capabilities can alter the culture, delivery of the strategic vision, governance model, team focus, role responsibility, and more. Operating model sketches should be foundational to the organizational design process, providing consistency through org chart changes.

    Organizational Structure

    The organizational structure is the chosen way of aligning the core processes to deliver. This can be strategic, or it can be ad hoc. We recommend you take a strategic approach unless ad hoc aligns to your culture and delivery method. A good organizational structure will include: “someone with authority to make the decisions, a division of labor and a set of rules by which the organization operates” (Bizfluent, 2019).

    Organizational Chart

    The capstone of this change initiative is an easy-to-read chart that visualizes the roles and reporting structure. Most organizations use this to depict where individuals fit into the organization and if there are vacancies. While this should be informed by the structure it does not necessarily depict workflows that will take place. Moreover, this is the output of the organizational design process.

    Sources: Bizfluent, 2019; Strategy & Business, 2015; SHRM, 2021

    The Technology Value Trinity

    The image contains a diagram of the Technology Value Trinity as described in the text below.

    All three elements of the Technology Value Trinity work in harmony to delivery business value and achieve strategic needs. As one changes, the others need to change as well.

    How do these three elements relate?

    • Digital and IT strategy tells you what you need to achieve to be successful.
    • Operating model and organizational design align resources to deliver on your strategy and priorities. This is done by strategically structuring IT capabilities in a way that enables the organizations vision and considers the context in which the structure will operate.
    • I&T governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy and is the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy.

    Too often strategy, organizational design, and governance are considered separate practices – strategies are defined without teams and resources to support. Structure must follow strategy.

    Info-Tech’s approach to organizational design

    Like a story, a strategy without a structure to deliver on it is simply words on paper.

    Books begin by setting the foundation of the story.

    Introduce your story by:

    • Defining the need(s) that are driving this initiative forward.
    • Introducing the business context in which the organizational redesign must take place.
    • Outlining what’s needed in the redesign to support the organization in reaching its strategic IT goals.

    The plot cannot thicken without the foundation. Your organizational structure and chart should not exist without one either.

    The steps to establish your organizational chart - with functional teams, reporting structure, roles, and responsibilities defined – cannot occur without a clear definition of goals, need, and context. An organizational chart alone won’t provide the insight required to obtain buy-in or realize the necessary changes.

    Conclude your story through change management and communication.

    Good stories don’t end without referencing what happened before. Use the literary technique of foreshadowing – your change management must be embedded throughout the organizational redesign process. This will increase the likelihood that the organizational structure can be communicated, implemented, and reinforced by stakeholders.

    Info-Tech uses a capability-based approach to help you design your organizational structure

    Once your IT strategy is defined, it is critical to identify the capabilities that are required to deliver on those strategic initiatives. Each initiative will require a combination of these capabilities that are only supported through the appropriate organization of roles, skills, and team structures.

    The image contains a diagram of the various services and blueprints that Info-Tech has to offer.

    Embed change management into organizational design

    Change management practices are needed from the onset to ensure the implementation of an organizational structure.

    For each phase of this blueprint, its important to consider change management. These are the points when you need to communicate the structure changes:

    • Phase 1: Begin to socialize the idea of new organizational structure with executive leadership and explain how it might be impactful to the context of the organization. For example, a new control, governance model, or sourcing approach could be considered.
    • Phase 2: The chosen operating model will influence your relationships with the business and can create/eliminate silos. Ensure IT and business leaders have insight into these possible changes and a willingness to move forward.
    • Phase 3: The new organizational structure could create or eliminate teams, reduce or increase role responsibilities, and create different reporting structures than before. It’s time to communicate these changes with those most impacted and be able to highlight the positive outcomes of the various changes.
    • Phase 4: Should consider the change management practices holistically. This includes the type of change and length of time to reach the end state, communication, addressing active resistors, acquiring the right skills, and measuring the success of the new structure and its adoption.

    Info-Tech Insight

    Do not undertake an organizational redesign initiative if you will not engage in change management practices that are required to ensure its successful adoption.

    Measure the value of the IT organizational redesign

    Given that the organizational redesign is intended to align with the overall vision and objectives of the business, many of the metrics that support its success will be tied to the business. Adapt the key performance indicators (KPIs) that the business is using to track its success and demonstrate how IT can enable the business and improve its ability to reach those targets.

    Strategic Resources

    The percentage of resources dedicated to strategic priorities and initiatives supported by IT operating model. While operational resources are necessary, ensuring people are allocating time to strategic initiatives as well will drive the business towards its goal state. Leverage Info-Tech’s IT Staffing Assessment diagnostic to benchmark your IT resource allocation.

    Business Satisfaction

    Assess the improvement in business satisfaction overall with IT year over year to ensure the new structure continues to drive satisfaction across all business functions. Leverage Info-Tech’s CIO Business Vision diagnostic to see how your IT organization is perceived.

    Role Clarity

    The degree of clarity that IT employees have around their role and its core responsibilities can lead to employee engagement and retention. Consider measuring this core job driver by leveraging Info-Tech’s Employee Engagement Program.

    Customer & User Satisfaction

    Measure customer satisfaction with technology-enabled business services or products and improvements in technology-enabled client acquisition or retention processes. Assess the percentage of users satisfied with the quality of IT service delivery and leverage Info-Tech’s End-User Satisfaction Survey to determine improvements.

    Info-Tech’s methodology for Redesigning Your IT Organization

    Phase

    1. Establish the Organizational Design Foundation

    2. Create the Operating Model Sketch

    3. Formalize the Organizational Structure

    4. Plan for Implementation and Change

    Phase Outcomes

    Lay the foundation for your organizational redesign by establishing a set of organizational design principles that will guide the redesign process.

    Select and customize an operating model sketch that will accurately reflect the future state your organization is striving towards. Consider how capabilities will be sourced, gaps in delivery, and alignment.

    Translate the operating model sketch into a formal structure with defined functional teams, roles, reporting structure, and responsibilities.

    Ensure the successful implementation of the new organizational structure by strategically communicating and involving stakeholders.

    Insight summary

    Overarching insight

    Organizational redesign processes focus on defining the ways in which you want to operate and deliver on your strategy – something an organizational chart will never be able to convey.

    Phase 1 insight

    Focus on your organization, not someone else's’. Benchmarking your organizational redesign to other organizations will not work. Other organizations have different strategies, drivers, and context.

    Phase 2 insight

    An operating model sketch that is customized to your organization’s specific situation and objectives will significantly increase the chances of creating a purposeful organizational structure.

    Phase 3 insight

    If you follow the steps outlined in the first three phases, creating your new organizational chart should be one of the fastest activities.

    Phase 4 insight

    Throughout the creation of a new organizational design structure, it is critical to involve the individuals and teams that will be impacted.

    Tactical insight

    You could have the best IT employees in the world, but if they aren’t structured well your organization will still fail in reaching its vision.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:


    Communication Deck

    Communicate the changes to other key stakeholders such as peers, managers, and staff.

    Workbook

    As you work through each of the activities, use this workbook as a place to document decisions and rationale.

    Reference Deck

    Definitions for every capability, base operating model sketches, and sample organizational charts aligned to those operating models.

    Job Descriptions

    Key deliverable:

    Executive Presentation

    Leverage this presentation deck to gain executive buy-in for your new organizational structure.

    Blueprint benefits

    IT Benefits

    • Create an organizational structure that aligns to the strategic goals of IT and the business.
    • Provide IT employees with clarity on their roles and responsibilities to ensure the successful delivery of IT capabilities.
    • Highlight and sufficiently staff IT capabilities that are critical to the organization.
    • Define a sourcing strategy for IT capabilities.
    • Increase employee morale and empowerment.

    Business Benefits

    • IT can carry out the organization’s strategic mission and vision of all technical and digital initiatives.
    • Business has clarity on who and where to direct concerns or questions.
    • Reduce the likelihood of turnover costs as IT employees understand their roles and its importance.
    • Create a method to communicate how the organizational structure aligns with the strategic initiatives of IT.
    • Increase ability to innovate the organization.

    Executive Brief Case Study

    IT design needs to support organizational and business objectives, not just IT needs.

    INDUSTRY: Government

    SOURCE: Analyst Interviews and Working Sessions

    Situation

    IT was tasked with providing equality to the different business functions through the delivery of shared IT services. The government created a new IT organizational structure with a focus on two areas in particular: strategic and operational support capabilities.

    Challenge

    When creating the new IT structure, an understanding of the complex and differing needs of the business functions was not reflected in the shared services model.

    Outcome

    As a result, the new organizational structure for IT did not ensure adequate meeting of business needs. Only the operational support structure was successfully adopted by the organization as it aligned to the individual business objectives. The strategic capabilities aspect was not aligned to how the various business lines viewed themselves and their objectives, causing some partners to feel neglected.

    Info-Tech offers various levels of support to best suit your needs.

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

    Call #1: Define the process, understand the need, and create a plan of action.

    Phase 2

    Call #2: Define org. design drivers and business context.

    Call #3: Understand strategic influences and create customized design principles.

    Call #4: Customize, analyze gaps, and define sourcing strategy for IT capabilities.

    Call #5: Select and customize the IT operating model sketch.

    Phase 3

    Call #6: Establish functional work units and their mandates.

    Call #7: Translate the functional organizational chart to an operational organizational chart with defined roles.

    Phase 4

    Call #8: Consider risks and mitigation tactics associated with the new structure and select a transition plan.

    Call #9: Create your change message, FAQs, and metrics to support the implementation plan.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Establish the Organizational Redesign Foundation

    Create the Operating Model Sketch

    Formalize the Organizational Structure

    Plan for Implementation and Change

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Define the org. design drivers.

    1.2 Document and define the implications of the business context.

    1.3 Align the structure to support the strategy.

    1.4 Establish guidelines to direct the organizational design process.

    2.1 Augment list of IT capabilities.

    2.2 Analyze capability gaps.

    2.3 Identify capabilities for outsourcing.

    2.4 Select a base operating model sketch.

    2.5 Customize the IT operating model sketch.

    3.1 Categorize your IT capabilities within your defined functional work units.

    3.2 Create a mandate statement for each work unit.

    3.3 Define roles inside the work units and assign accountability and responsibility.

    3.4 Finalize your organizational structure.

    4.1 Identify and mitigate key org. design risks.

    4.2 Define the transition plan.

    4.3 Create the change communication message.

    4.4 Create a standard set of FAQs.

    4.5 Align sustainment metrics back to core drivers.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Foundational components to the organizational design
    2. Customized design principles
    1. Heat mapped IT capabilities
    2. Defined outsourcing strategy
    3. Customized operating model
    1. Capabilities organized into functional groups
    2. Functional work unit mandates
    3. Organizational chart
    1. Risk mitigation plan
    2. Change communication message
    3. Standard FAQs
    4. Implementation and sustainment metrics
    1. Completed organizational design communications deck

    This blueprint is part one of a three-phase approach to organizational transformation

    PART 1: DESIGN

    PART 2: STRUCTURE

    PART 3: IMPLEMENT

    IT Organizational Architecture

    Organizational Sketch

    Organizational Structure

    Organizational Chart

    Transition Strategy

    Implement Structure

    1. Define the organizational design drivers, business context, and strategic alignment.

    2. Create customized design principles.

    3. Develop and customize a strategically aligned operating model sketch.

    4. Define the future-state work units.

    5. Create future-state work unit mandates.

    6. Define roles by work unit.

    7. Turn roles into jobs with clear capability accountabilities and responsibilities.

    8. Define reporting relationships between jobs.

    9. Assess options and select go-forward organizational sketch.

    11. Validate organizational sketch.

    12. Analyze workforce utilization.

    13. Define competency framework.

    14. Identify competencies required for jobs.

    15. Determine number of positions per job

    16. Conduct competency assessment.

    17. Assign staff to jobs.

    18. Build a workforce and staffing plan.

    19. Form an OD implementation team.

    20. Develop change vision.

    21. Build communication presentation.

    22. Identify and plan change projects.

    23. Develop organizational transition plan.

    24. Train managers to lead through change.

    25. Define and implement stakeholder engagement plan.

    26. Develop individual transition plans.

    27. Implement transition plans.

    Risk Management: Create, implement, and monitor risk management plan.

    HR Management: Develop job descriptions, conduct job evaluation, and develop compensation packages.

    Monitor and Sustain Stakeholder Engagement

    Phase 1

    Establish the Organizational Redesign Foundation

    This phase will walk you through the following activities:

    1.1 Define the organizational redesign driver(s)

    1.2 Create design principles based on the business context

    1.3a (Optional Exercise) Identify the capabilities from your value stream

    1.3b Identify the capabilities required to deliver on your strategies

    1.4 Finalize your list of design principles

    This phase involves the following participants:

    • CIO
    • IT Leadership
    • Business Leadership

    Embed change management into the organizational design process

    Articulate the Why

    Changes are most successful when leaders clearly articulate the reason for the change – the rationale for the organizational redesign of the IT function. Providing both staff and executive leaders with an understanding for this change is imperative to its success. Despite the potential benefits to a redesign, they can be disruptive. If you are unable to answer the reason why, a redesign might not be the right initiative for your organization.

    Employees who understand the rationale behind decisions made by executive leaders are 3.6 times more likely to be engaged.

    McLean & Company Engagement Survey Database, 2021; N=123,188

    Info-Tech Insight

    Successful adoption of the new organizational design requires change management from the beginning. Start considering how you will convey the need for organizational change within your IT organization.

    The foundation of your organizational design brings together drivers, context, and strategic implications

    All aspects of your IT organization’s structure should be designed with the business’ context and strategic direction in mind.

    Use the following set of slides to extract the key components of your drivers, business context, and strategic direction to land on a future structure that aligns with the larger strategic direction.

    REDESIGN DRIVERS

    Driver(s) can originate from within the IT organization or externally. Ensuring the driver(s) are easy to understand and articulate will increase the successful adoption of the new organizational structure.

    BUSINESS CONTEXT

    Defines the interactions that occur throughout the organization and between the organization and external stakeholders. The context provides insight into the environment by both defining the purpose of the organization and the values that frame how it operates.

    STRATEGY IMPLICATIONS

    The IT strategy should be aligned to the overall business strategy, providing insight into the types of capabilities required to deliver on key IT initiatives.

    Understand IT’s desired maturity level, alignment with business expectations, and capabilities of IT

    Where are we today?

    Determine the current overall maturity level of the IT organization.

    Where do we want to be as an organization?

    Use the inputs from Info-Tech’s diagnostic data to determine where the organization should be after its reorganization.

    How can you leverage these results?

    The result of these diagnostics will inform the design principles that you’ll create in this phase.

    Leverage Info-Tech’s diagnostics to provide an understanding of critical areas your redesign can support:

    CIO Business Vision Diagnostic

    Management & Governance Diagnostic

    IT Staffing Diagnostic

    The image contains a picture of Info-Tech's maturity ladder.

    Consider the organizational design drivers

    Consider organizational redesign if …

    Effectiveness is a concern:

    • Insufficient resources to meet demand
    • Misalignment to IT (and business) strategies
    • Lack of clarity around role responsibility or accountability
    • IT functions operating in silos

    New capabilities are needed:

    • Organization is taking on new capabilities (digital, transformation, M&A)
    • Limited innovation
    • Gaps in the capabilities/services of IT
    • Other external environmental influences or changes in strategic direction

    Lack of business understanding

    • Misalignment between business and IT or how the organization does business
    • Unhappy customers (internal or external)

    Workforce challenges

    • Frequent turnover or inability to attract new skills
    • Low morale or employee empowerment

    These are not good enough reasons …

    • New IT leader looking to make a change for the sake of change or looking to make their legacy known
    • To work with specific/hand-picked leaders over others
    • To “shake things up” to see what happens
    • To force the organization to see IT differently

    Info-Tech Insight

    Avoid change for change’s sake. Restructuring could completely miss the root cause of the problem and merely create a series of new ones.

    1.1 Define the organizational redesign driver(s)

    1-2 hours

    1. As a group, brainstorm a list of current pain points or inhibitors in the current organizational structure, along with a set of opportunities that can be realized during your restructuring. Group these pain points and opportunities into themes.
    2. Leverage the pain points and opportunities to help further define why this initiative is something you’re driving towards. Consider how you would justify this initiative to different stakeholders in the organization.
    3. Questions to consider:
      1. Who is asking for this initiative?
      2. What are the primary benefits this is intended to produce?
      3. What are you optimizing for?
      4. What are we capable of achieving as an IT organization?
      5. Are the drivers coming from inside or outside the IT organization?
    4. Once you’ve determined the drivers for redesigning the IT organization, prioritize those drivers to ensure there is clarity when communicating why this is something you are focusing time and effort on.

    Input

    Output

    • Knowledge of the current organization
    • Pain point and opportunity themes
    • Defined drivers of the initiative

    Materials

    Participants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Frame the organizational design within the context of the business

    Workforce Considerations:

    • How does your organization view its people resources? Does it have the capacity to increase the number of resources?
    • Do you currently have sufficient staff to meet the demands of the organization? Are you able to outsource resources when demand requires it?
    • Are the members of your IT organization unionized?
    • Is your workforce distributed? Do time zones impact how your team can collaborate?

    Business Context Consideration

    IT Org. Design Implication

    Culture:

    Culture, "the way we do things here,” has huge implications for executing strategy, driving engagement, and providing a guiding force that ensures organizations can work together toward common goals.

    • What is the culture of your organization? Is it cooperative, traditional, competitive, or innovative? (See appendix for details.)
    • Is this the target culture or a stepping-stone to the ideal culture?
    • How do the attitudes and behaviors of senior leaders in the organization reinforce this culture?

    Consider whether your organization’s culture can accept the operating model and organizational structure changes that make sense on paper.

    Certain cultures may lean toward particular operating models. For example, the demand-develop-service operating model may be supported by a cooperative culture. A traditional organization may lean towards the plan-build-run operating model.

    Ensure you have considered your current culture and added exercises to support it.

    If more capacity is required to accomplish the goals of the organization, you’ll want to prepare the leaders and explain the need in your design principles (to reflect training, upskilling, or outsourcing). Unionized environments require additional consideration. They may necessitate less structural changes, and so your principles will need to reflect other alternatives (hiring additional resources, creative options) to support organizational needs. Hybrid or fully remote workforces may impact how your organization interacts.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Control & Governance:

    It is important to consider how your organization is governed, how decisions are made, and who has authority to make decisions.

    Strategy tells what you do, governance validates you’re doing the right things, and structure is how you execute on what’s been approved.

    • How do decisions get considered and approved in your organization? Are there specific influences that impact the priorities of the organization?
    • Are those in the organization willing to release decision-making authority around specific IT components?
    • Should the organization take on greater accountability for specific IT components?

    Organizations that require more controls may lean toward more centralized governance. Organizations that are looking to better enable and empower their divisions (products, groups, regions, etc.) may look to embed governance in these parts of the organization.

    For enterprise organizations, consider where IT has authority to make decisions (at the global, local, or system level). Appropriate governance needs to be built into the appropriate levels.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Financial Constraints:

    Follow the money: You may need to align your IT organization according to the funding model.

    • Do partners come to IT with their budgets, or does IT have a central pool that they use to fund initiatives from all partners?
    • Are you able to request finances to support key initiatives/roles prioritized by the organization?
    • How is funding aligned: technology, data, digital, etc.? Is your organization business-line funded? Pooled?
    • Are there special products or digital transformation initiatives with resources outside IT? Product ownership funding?
    • How are regulatory changes funded?
    • Do you have the flexibility to adjust your budget throughout the fiscal year?
    • Are chargebacks in place? Are certain services charged back to business units

    Determine if you can move forward with a new model or if you can adjust your existing one to suit the financial constraints.

    If you have no say over your funding, pre-work may be required to build a business case to change your funding model before you look at your organizational structure – without this, you might have to rule out centralized and focus on hybrid/centralized. If you don’t control the budget (funding comes from your partners), it will be difficult to move to a more centralized model.

    A federated business organization may require additional IT governance to help prioritize across the different areas.

    Budgets for digital transformation might come from specific areas of the business, so resources may need to be aligned to support that. You’ll have to consider how you will work with those areas. This may also impact the roles that are going to exist within your IT organization – product owners or division owners might have more say.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Business Perspective of IT:

    How the business perceives IT and how IT perceives itself are sometimes not aligned. Make sure the business’ goals for IT are well understood.

    • Are your business partners satisfied if IT is an order taker? Do they agree with the need for IT to become a business partner? Is IT expected to innovate and transform the organization?
    • Is what the business needs from IT the same as what IT is providing currently?

    Business Organization Structure and Growth:

    • How is the overall organization structured: Centralized/decentralized? Functionally aligned? Divided by regions?
    • In what areas does the organization prioritize investments?
    • Is the organization located across a diverse geography?
    • How big is the organization?
    • How is the organization growing and changing – by mergers and acquisitions?

    If IT needs to become more of a business partner, you’ll want to define what that means to your organization and focus on the capabilities to enable this. Educating your partners might also be required if you’re not aligned.

    For many organizations, this will include stakeholder management, innovation, and product/project management. If IT and its business partners are satisfied with an order-taker relationship, be prepared for the consequences of that.

    A global organization will require different IT needs than a single location. Specifically, site reliability engineering (SRE) or IT support services might be deployed in each region. Organizations growing through mergers and acquisitions can be structured differently depending on what the organization needs from the transaction. A more centralized organization may be appropriate if the driver is reuse for a more holistic approach, or the organization may need a more decentralized organization if the acquisitions need to be handled uniquely.

    Business context considerations

    Business Context Consideration

    IT Org. Design Implication

    Sourcing Strategy:

    • What are the drivers for sourcing? Staff augmentation, best practices, time zone support, or another reason?
    • What is your strategy for sourcing?
    • Does IT do all of your technology work, or are parts being done by business or other units?
    • Are we willing/able to outsource, and will that place us into non-compliance (regulations)?
    • Do you have vendor management capabilities in areas that you might outsource?
    • How cloud-driven is your organization?
    • Do you have global operations?

    Change Tolerance:

    • What’s your organization’s tolerance to make changes around organizational design?
    • What's the appetite and threshold for risk?

    Your sourcing strategy affects your organizational structure, including what capabilities you group together. Since managing outsourced capabilities also includes the need for vendor management, you’ll need to ensure there aren’t too many capabilities required per leader. Look closely at what can be achieved through your operating model if IT is done through other groups. Even though these groups may not be in scope of your organization changes, you need to ensure your IT team works with them effectively.

    If your organization is going to push back if there are big structural changes, consider whether the changes are truly necessary. It may be preferred to take baby steps – use an incremental versus big-bang approach.

    A need for incremental change might mean not making a major operating model change.

    Business context considerations

    Business Context Consideration

    IT Org Design. Implication

    Stakeholder Engagement & Focus:

    Identify who your customers and stakeholders are; clarify their needs and engagement model.

    • Who is the customer for IT products and services?
    • Is your customer internal? External? Both?
    • How much of a priority is customer focus for your organization?
    • How will IT interact with customers, end users, and partners? What is the engagement model desired?

    Business Vision, Services, and Products:

    Articulate what your organization was built to do.

    • What does the organization create or provide?
    • Are these products and services changing?
    • What are the most critical capabilities to your organization?
    • What makes your organization a success? What are critical success factors of the organization and how are they measuring this to determine success?

    For a customer or user focus, ensure capabilities related to understanding needs (stakeholder, UX, etc.) are prioritized. Hybrid, decentralized, or demand-develop-service models often have more of a focus on customer needs.

    Outsourcing the service desk might be a consideration if there’s a high demand for the service. A differentiation between these users might mean there’s a different demand for services.

    Think broadly in terms of your organizational vision, not just the tactical (widget creation). You might need to choose an operating model that supports vision.

    Do you need to align your organization with your value stream? Do you need to decentralize specific capabilities to enable prioritization of the key capabilities?

    1.2 Create design principles based on the business context

    1-3 hours

    1. Discuss the business context in which the IT organizational redesign will be taking place. Consider the following standard components of the business context; include other relevant components specific to your organization:
    • Culture
    • Workforce Considerations
    • Control and Governance
    • Financial Constraints
    • Business Perspective of IT
    • Business Organization Structure and Growth
    • Sourcing Strategy
    • Change Tolerance
    • Stakeholder Engagement and Focus
    • Business Vision, Services, and Products
  • Different stakeholders can have different perspectives on these questions. Be sure to consider a holistic approach and engage these individuals.
  • Capture your findings and use them to create initial design principles.
  • Input

    Output

    • Business context
    • Design principles reflecting how the business context influences the organizational redesign for IT

    Materials

    Participants

    • Whiteboard/flip charts (physical or electronic)
    • List of Context Questions
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    How your IT organization is structured needs to reflect what it must be built to do

    Structure follows strategy – the way you design will impact what your organization can produce.

    Designing your IT organization requires an assessment of what it needs to be built to do:

    • What are the most critical capabilities that you need to deliver, and what does success look like in those different areas?
    • What are the most important things that you deliver overall in your organization?

    The IT organization must reflect your business needs:

    • Understand your value stream and/or your prioritized business goals.
    • Understand the impact of your strategies – these can include your overall digital strategy and/or your IT strategy

    1.3a (Optional Exercise) Identify the capabilities from your value stream

    1 hour

    1. Identify your organization’s value stream – what your overall organization needs to do from supplier to consumer to provide value. Leverage Info-Tech’s industry reference architectures if you haven’t identified your value stream, or use the Document Your Business Architecture blueprint to create yours.
    2. For each item in your value stream, list capabilities that are critical to your organizational strategy and IT needs to further invest in to enable growth.
    3. Also, list those that need further support, e.g. those that lead to long wait times, rework time, re-tooling, down-time, unnecessary processes, unvaluable processes.*
    4. Capture the IT capabilities required to enable your business in your draft principles.
    The image contains a screenshot of the above activity: Sampling Manufacturing Business Capabilities.
    Source: Six Sigma Study Guide, 2014
    Input Output
    • Organization’s value stream
    • List of IT capabilities required to support the IT strategy
    Materials Participants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Your strategy will help you decide on your structure

    Ensure that you have a clear view of the goals and initiatives that are needed in your organization. Your IT, digital, business, and/or other strategies will surface the IT capabilities your organization needs to develop. Identify the goals of your organization and the initiatives that are required to deliver on them. What capabilities are required to enable these? These capabilities will need to be reflected in your design principles.

    Sample initiatives and capabilities from an organization’s strategies

    The image contains a screenshot of sample initiatives and capabilities from an organization's strategies.

    1.3b Identify the capabilities required to deliver on your strategies

    1 hour

    1. For each IT goal, there may be one or more initiatives that your organization will need to complete in order to be successful.
    2. Document those goals and infinitives. For each initiative, consider which core IT capabilities will be required to deliver on that goal. There might be one IT capability or there might be several.
    3. Identify which capabilities are being repeated across the different initiatives. Consider whether you are currently investing in those capabilities in your current organizational structure.
    4. Highlight the capabilities that require IT investment in your design principles.
    InputOutput
    • IT goals
    • IT initiatives
    • IT, digital, and business strategies
    • List of IT capabilities required to support the IT strategy
    MaterialsParticipants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Create your organizational design principles

    Your organizational design principles should define a set of loose rules that can be used to design your organizational structure to the specific needs of the work that needs to be done. These rules will guide you through the selection of the appropriate operating model that will meet your business needs. There are multiple ways you can hypothetically organize yourself to meet these needs, and the design principles will point you in the direction of which solution is the most appropriate as well as explain to your stakeholders the rationale behind organizing in a specific way. This foundational step is critical: one of the key reasons for organizational design failure is a lack of requisite time spent on the front-end understanding what is the best fit.

    The image contains an example of organizing design principles as described above.

    1.4 Finalize your list of design principles

    1-3 hours

    1. As a group, review the key outputs from your data collection exercises and their implications.
    2. Consider each of the previous exercises – where does your organization stand from a maturity perspective, what is driving the redesign, what is the business context, and what are the key IT capabilities requiring support. Identify how each will have an implication on your organizational redesign. Leverage this conversation to generate design principles.
    3. Vote on a finalized list of eight to ten design principles that will guide the selection of your operating model. Have everyone leave the meeting with these design principles so they can review them in more detail with their work units or functional areas and elicit any necessary feedback.
    4. Reconvene the group that was originally gathered to create the list of design principles and make any final amendments to the list as necessary. Use this opportunity to define exactly what each design principle means in the context of your organization so everyone has the same understanding of what this means moving forward.
    InputOutput
    • Organizational redesign drivers
    • Business context
    • IT strategy capabilities
    • Organizational design principles to help inform the selection of the right operating model sketch
    MaterialsParticipants
    • Whiteboard/flip charts (physical or electronic)
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Communications Deck

    Example design principles

    Your eight to ten design principles will be those that are most relevant to YOUR organization. Below are samples that other organizations have created, but yours will not be the same.

    Design Principle

    Description

    Decision making

    We will centralize decision making around the prioritization of projects to ensure that the initiatives driving the most value for the organization as a whole are executed.

    Fit for purpose

    We will build and maintain fit-for-purpose solutions based on business units’ unique needs.

    Reduction of duplication

    We will reduce role and application duplication through centralized management of assets and clearly differentiated roles that allow individuals to focus within key capability areas.

    Managed security

    We will manage security enterprise-wide and implement compliance and security governance policies.

    Reuse > buy > build

    We will maximize reuse of existing assets by developing a centralized application portfolio management function and approach.

    Managed data

    We will create a specialized data office to provide data initiatives with the focus they need to enable our strategy.

    Design Principle

    Description

    Controlled technical diversity

    We will control the variety of technology platforms we use to allow for increased operability and reduction of costs.

    Innovation

    R&D and innovation are critical – we will build an innovation team into our structure to help us meet our digital agenda.

    Resourcing

    We will separate our project and maintenance activities to ensure each are given the dedicated support they need for success and to reduce the firefighting mentality.

    Customer centricity

    The new structure will be directly aligned with customer needs – we will have dedicated roles around relationship management, requirements, and strategic roadmapping for business units.

    Interoperability

    We will strengthen our enterprise architecture practices to best prepare for future mergers and acquisitions.

    Cloud services

    We will move toward hosted versus on-premises infrastructure solutions, retrain our data center team in cloud best practices, and build roles around effective vendor management, cloud provisioning, and architecture.

    Phase 2

    Create the Operating Model Sketch

    This phase will walk you through the following activities:

    2.1 Augment the capability list

    2.2 Heatmap capabilities to determine gaps in service

    2.3 Identify the target state of sourcing for your IT capabilities

    2.4 Review and select a base operating model sketch

    2.5 Customize the selected overlay to reflect the desired future state

    This phase involves the following participants:

    • CIO
    • IT Leadership

    Embed change management into the organizational design process

    Gain Buy-In

    Obtain desire from stakeholders to move forward with organizational redesign initiative by involving them in the process to gain interest. This will provide the stakeholders with assurance that their concerns are being heard and will help them to understand the benefits that can be anticipated from the new organizational structure.

    “You’re more likely to get buy-in if you have good reason for the proposed changes – and the key is to emphasize the benefits of an organizational redesign.”

    Source: Lucid Chart

    Info-Tech Insight

    Just because people are aware does not mean they agree. Help different stakeholders understand how the change in the organizational structure is a benefit by specifically stating the benefit to them.

    Info-Tech uses capabilities in your organizational design

    We differentiate between capabilities and competencies.

    Capabilities

    • Capabilities are focused on the entire system that would be in place to satisfy a particular need. This includes the people who are competent to complete a specific task and also the technology, processes, and resources to deliver.
    • Capabilities work in a systematic way to deliver on specific need(s).
    • A functional area is often made up of one or more capabilities that support its ability to deliver on that function.
    • Focusing on capabilities rather then the individuals in organizational redesign enables a more objective and holistic view of what your organization is striving toward.

    Competencies

    • Competencies on the other hand are specific to an individual. It determines if the individual poses the skills or ability to perform.
    • Competencies are rooted in the term competent, which looks to understand if you are proficient enough to complete the specific task at hand.
    • Source: The People Development Magazine, 2020

    Use our IT capabilities to establish your IT organization design

    The image contains a diagram of the various services and blueprints that Info-Tech has to offer.

    2.1 Augment the capability list

    1-3 hours

    1. Using the capability list on the previous slide, go through each of the IT capabilities and remove any capabilities for which your IT organization is not responsible and/or accountable. Refer to the Operating Model and Capability Definition List for descriptions of each of the IT capabilities.
    2. Augment the language of specific capabilities that you feel are not directly reflective of what is being done within your organizational context or that you feel need to be changed to reflect more specifically how work is being done in your organization.
    • For example, some organizations may refer to their service desk capability as help desk or regional support. Use a descriptive term that most accurately reflects the terminology used inside the organization today.
  • Add any core capabilities from your organization that are missing from the provided IT capability list.
    • For example, organizations that leverage DevOps capabilities for their product development may desire to designate this in their operating model.
  • Document the rationale for decisions made for future reference.
  • Input Output
    • Baseline list of IT capabilities
    • IT capabilities required to support IT strategy
    • Customized list of IT capabilities
    Materials Participants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Gaps in delivery

    Identify areas that require greater focus and attention.

    Assess the gaps between where you currently are and where you need to be. Evaluate how critical and how effective your capabilities are:

    • Criticality = Importance
      • Try to focus on those which are highly critical to the organization.
      • These may be capabilities that have been identified in your strategies as areas to focus on.
    • Effectiveness = Performance
      • Identify those where the process or system is broken or ineffective, preventing the team from delivering on the capability.
      • Effectiveness could take into consideration how scalable, adaptable, or sustainable each capability is.
      • Focus on the capabilities that are low or medium in effectiveness but highly critical. Addressing the delivery of these capabilities will lead to the most positive outcomes in your organization.

    Remember to identify what allows the highly effective capabilities to perform at the capacity they are. Leverage this when increasing effectiveness elsewhere.

    High Gap

    There is little to no effectiveness (high gap) and the capability is highly important to your organization.

    Medium Gap

    Current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.

    Low Gap

    Current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.

    2.2 Heatmap capabilities to determine gaps in delivery

    1-3 hours

    1. At this point, you should have identified what capabilities you need to have to deliver on your organization's goals and initiatives.
    2. Convene a group of the key stakeholders involved in the IT organizational design initiative.
    3. Review your IT capabilities and color each capability border according to the effectiveness and criticality of that capability, creating a heat map.
    • Green indicates current ability is highly effective (low gap) and the capability is not necessarily a priority for your organization.
    • Yellow indicates current ability is medium in effectiveness (medium gap) and there might be some priority for that capability in your organization.
    • Red indicates that there is little to no effectiveness (high gap) and the capability is highly important to your organization.
    Input Output
    • Selected capabilities from activity 2.1
    • Gap analysis in delivery of capabilities currently
    Materials Participants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Don’t forget the why: why are you considering outsourcing?

    There are a few different “types” of outsourcing:

    1. Competitive Advantage – Working with a third-party organization for the knowledge, insights, and best practices they can bring to your organization.
    2. Managed Service– The third party manages a capability or function for your organization.
    3. Staff Augmentation – Your organization brings in contractors and third-party organizations to fill specific skills gaps.

    Weigh which sourcing model(s) will best align with the needed capabilities to deliver effectively

    Insourcing

    Staff Augmentation

    Managed Service

    Competitive Advantage

    Description

    The organization maintains full responsibility for the management and delivery of the IT capability or service.

    Vendor provides specialized skills and enables the IT capability or service together with the organization to meet demand.

    Vendor completely manages the delivery of value for the IT capability, product or service.

    Vendor has unique skills, insights, and best practices that can be taught to staff to enable insourced capability and competency.

    Benefits

    • Retains in-house control over proprietary knowledge and assets that provide competitive or operational advantage.
    • Gains efficiency due to integration into the organization’s processes.
    • Provision of unique skills.
    • Addresses variation in demand for resources.
    • Labor cost savings.
    • Improves use of internal resources.
    • Improves effectiveness due to narrow specialization.
    • Labor cost savings.
    • Gain insights into aspects that could provide your organization with advantages over competitors.
    • Long-term labor cost savings.
    • Short-term outsourcing required.
    • Increase in-house competencies.

    Drawbacks

    • Quality of services/capabilities might not be as high due to lack of specialization.
    • No labor cost savings.
    • Potentially inefficient distribution of labor for the delivery of services/capabilities.
    • Potential conflicts in management or delivery of IT services and capabilities.
    • Negative impact on staff morale.
    • Limited control over services/capabilities.
    • Limited integration into organization’s processes.
    • Short-term labor expenses.
    • Requires a culture of continuous learning and improvement.

    Your strategy for outsourcing will vary with capability and capacity

    The image contains a diagram to show the Develop Vendor Management Capabilities, as described in the text below.

    Capability

    Capacity

    Outsourcing Model

    Low

    Low

    Your solutions may be with you for a long time, so it doesn’t matter whether it is a strategic decision to outsource development or if you are not able to attract the talent required to deliver in your market. Look for a studio, agency, or development shop that has a proven reputation for long-term partnership with its clients.

    Low

    High

    Your team has capacity but needs to develop new skills to be successful. Look for a studio, agency, or development shop that has a track record of developing its customers and delivering solutions.

    High

    Low

    Your organization knows what it is doing but is strapped for people. Look at “body shops” and recruiting agencies that will support short-term development contracts that can be converted to full-time staff or even a wholesale development shop acquisition.

    High

    High

    You have capability and capacity for delivering on your everyday demands but need to rise to the challenge of a significant, short-term rise in demand on a critical initiative. Look for a major system integrator or development shop with the specific expertise in the appropriate technology.

    Use these criteria to inform your right sourcing strategy

    Sourcing Criteria

    Description

    Determine whether you’ll outsource using these criteria

    1. Critical or commodity

    Determine whether the component to be sourced is critical to your organization or if it is a commodity. Commodity components, which are either not strategic in nature or related to planning functions, are likely candidates for outsourcing. Will you need to own the intellectual property created by the third party? Are you ok if they reuse that for their other clients?

    2. Readiness to outsource

    Identify how easy it would be to outsource a particular IT component. Consider factors such as knowledge transfer, workforce reassignment or reduction, and level of integration with other components.

    Vendor management readiness – ensuring that you have sufficient capabilities to manage vendors – should also be considered here.

    3. In-house capabilities

    Determine if you have the capability to deliver the IT solutions in-house. This will help you establish how easy it would be to insource an IT component.

    4. Ability to attract resources (internal vs. outsourced)

    Determine if the capability is one that is easily sourced with full-time, internal staff or if it is a specialty skill that is best left for a third-party to source.

    Determine your sourcing model using these criteria

    5. Cost

    Consider the total cost (investment and ongoing costs) of the delivery of the IT component for each of the potential sourcing models for a component.

    6. Quality

    Define the potential impact on the quality of the IT component being sourced by the possible sourcing models.

    7. Compliance

    Determine whether the sourcing model would fit with regulations in your industry. For example, a healthcare provider would only go for a cloud option if that provider is HIPAA compliant.

    8. Security

    Identify the extent to which each sourcing option would leave your organization open to security threats.

    9. Flexibility

    Determine the extent to which the sourcing model will allow your organization to scale up or down as demand changes.

    2.3 Identify capabilities that could be outsourced

    1-3 hours

    1. For each of the capabilities that will be in your future-state operating model, determine if it could be outsourced. Review the sourcing criteria available on the previous slide to help inform which sourcing strategy you will use for each capability.
    2. When looking to outsource or co-source capabilities, consider why that capability would be outsourced:
    • Competitive Advantage – Work with a third-party organization for the knowledge, insights, and best practices they can bring to your organization.
    • Managed Service – The third party manages a capability or function for your organization.
    • Staff Augmentation – Your organization brings in contractors and third-party organizations to fill specific skills gaps.
  • Place an asterisk (*) around the capabilities that will be leveraging one of the three previous sourcing options.
  • InputOutput
    • Customized IT capabilities
    • Sourcing strategy for each IT capability
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    What is an operating model?

    Leverage a cohesive operating model throughout the organizational design process.

    An IT operating model sketch is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint.

    The visual should be the optimization and alignment of the IT organization’s structure to deliver the capabilities required to achieve business goals. Additionally, it should clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization. Investing time in the front end getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and your model to change as the business changes.

    The image contains an example of an operating model as described in the text above.

    Info-Tech Insight

    Every structure decision you make should be based on an identified need, not on a trend.Build your IT organization to enable the priorities of the organization.

    Each IT operating model is characterized by a variety of advantages and disadvantages

    Centralized

    Hybrid

    Decentralized

    Advantages
    • Maximum flexibility to allocate IT resources across business units.
    • Low-cost delivery model and greatest economies of scale.
    • Control and consistency offers opportunity for technological rationalization and standardization and volume purchasing at the highest degree.
    • Centralizes processes and services that require consistency across the organization.
    • Decentralizes processes and services that need to be responsive to local market conditions.
    • Eliminates duplication and redundancy by allowing effective use of common resources (e.g. shared services, standardization).
    • Goals are aligned to the distinct business units or functions.
    • Greater flexibility and more timely delivery of services.
    • Development resources are highly knowledgeable about business-unit-specific applications.
    • Business unit has greatest control over IT resources and can set and change priorities as needed.

    Disadvantages

    • Less able to respond quickly to local requirements with flexibility.
    • IT can be resistant to change and unwilling to address the unique needs of end users.
    • Business units can be frustrated by perception of lack of control over resources.
    • Development of special business knowledge can be limited.
    • Requires the most disciplined governance structure and the unwavering commitment of the business; therefore, it can be the most difficult to maintain.
    • Requires new processes as pooled resources must be staffed to approved projects.
    • Redundancies, conflicts, and incompatible technologies can result from business units having differentiated services and applications – increasing cost.
    • Ability to share IT resources is low due to lack of common approaches.
    • Lack of integration limits the communication of data between businesses and reduces common reporting.

    Decentralization can take many forms – define what it means to your organization

    Decentralization can take a number of different forms depending on the products the organization supports and how the organization is geographically distributed. Use the following set of explanations to understand the different types of decentralization possible and when they may make sense for supporting your organizational objectives.

    Line of Business

    Decentralization by lines of business (LoB) aligns decision making with business operating units based on related functions or value streams. Localized priorities focus the decision making from the CIO or IT leadership team. This form of decentralization is beneficial in settings where each line of business has a unique set of products or services that require specific expertise or flexible resourcing staffing between the teams.

    Product Line

    Decentralization by product line organizes your team into operationally aligned product families to improve delivery throughput, quality, and resource flexibility within the family. By adopting this approach, you create stable product teams with the right balance between flexibility and resource sharing. This reinforces value delivery and alignment to enterprise goals within the product lines.

    Geographical

    Geographical decentralization reflects a shift from centralized to regional influences. When teams are in different locations, they can experience a number of roadblocks to effective communication (e.g. time zones, regulatory differences in different countries) that may necessitate separating those groups in the organizational structure, so they have the autonomy needed to make critical decisions.

    Functional

    Functional decentralization allows the IT organization to be separated by specialty areas. Organizations structured by functional specialization can often be organized into shared service teams or centers of excellence whereby people are grouped based on their technical, domain, or functional area within IT (Applications, Data, Infrastructure, Security, etc.). This allows people to develop specialized knowledge and skills but can also reinforce silos between teams.

    2.4 Review and select a base operating model sketch

    1 hour

    1. Review the set of base operating model sketches available on the following slides.
    2. For each operating model sketch, there are benefits and risks to be considered. Make an informed selection by understanding the risks that your organization might be taking on by adopting that particular operating model.
    3. If at any point in the selection process the group is unsure about which operating model will be the right fit, refer back to your design principles established in activity 1.4. These should guide you in the selection of the right operating model and eliminate those which will not serve the organization.
    InputOutput
    • Organizational design principles
    • Customized list of IT capabilities
    • Operating model sketch examples
    • Selected operating model sketch
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Centralized Operating Model #1: Plan-Build-Run

    I want to…

    • Establish a formalized governance process that takes direction from the organization on which initiatives should be prioritized by IT.
    • Ensure there is a clear separation between teams that are involved in strategic planning, building solutions, and delivering operational support.
    • Be able to plan long term by understanding the initiatives that are coming down the pipeline and aligning to an infrequent budgeting plan.

    BENEFITS

    • Effective at implementing long-term plans efficiently; separates maintenance and projects to allow each to have the appropriate focus.
    • More oversight over financials; better suited for fixed budgets.
    • Works across centralized technology domains to better align with the business’ strategic objectives – allows for a top-down approach to decision making.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Well-suited for a project-driven environment that employs waterfall or a hybrid project management methodology that is less iterative.

    RISKS

    • Creates artificial silos between the build (developers) and run (operations staff) teams, as both teams focus on their own responsibilities and often fail to see the bigger picture.
    • Miss opportunities to deliver value to the organization or innovate due to an inability to support unpredictable/shifting project demands as decision making is centralized in the plan function.
    • The portfolio of initiatives being pursued is often determined before requirements analysis takes place, meaning the initiative might be solving the wrong need or problem.
    • Depends on strong hand-off processes to be defined and strong knowledge transfer from build to run functions in order to be successful.
    The image contains an example of a Centralized Operating Model: Plan-Build-Run.

    Centralized Operating Model #2: Demand-Develop-Service

    I want to…

    • Listen to the business to understand new initiatives or service enhancements being requested.
    • Enable development and operations to work together to seamlessly deliver in a DevOps culture.
    • Govern and confirm that initiatives being requested by the business are still aligned to IT’s overarching strategy and roadmap before prioritizing those initiatives.

    BENEFITS

    • Aligns well with an end-to-end services model; constant attention to customer demand and service supply.
    • Centralizes service operations under one functional area to serve shared needs across lines of business.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Elevates sourcing and vendor management as its own strategic function; lends well to managed service and digital initiatives.
    • Development and operations housed together; lends well to DevOps-related initiatives and reduces the silos between these two core groups.

    RISKS

    • IT prioritizes the initiatives it thinks are a priority to the business based on how well it establishes good stakeholder relations and communications.
    • Depends on good governance to prevent enhancements and demands from being prioritized without approval from those with accountability and authority.
    • This model thrives in a DevOps culture but does not mean it ensures your organization is a “DevOps” organization. Be sure you're encouraging the right behaviors and attitudes.

    The image contains an example of a Centralized Operating Model: Demand, Develop, Service.

    Hybrid Operating Model #1: LOB/Functional Aligned

    I want to…

    • Better understand the various needs of the organization to align IT priorities and ensure the right services can be delivered.
    • Keep all IT decisions centralized to ensure they align with the overarching strategy and roadmap that IT has set.
    • Organize your shared services in a strategic manner that enables delivery of those services in a way that fits the culture of the organization and the desired method of operating.

    BENEFITS

    • Best of both worlds of centralization and decentralization; attempts to channel benefits from both centralized and decentralized models.
    • Embeds key IT functions that require business knowledge within functional areas, allowing for critical feedback and the ability to understand those business needs.
    • Places IT in a position to not just be “order takers” but to be more involved with the different business units and promote the value of IT.
    • Achieves economies of scale where necessary through the delivery of shared services that can be requested by the function.
    • Shared services can be organized to deliver in the best way that suits the organization.

    RISKS

    • Different business units may bypass governance to get their specific needs met by functions – to alleviate this, IT must have strong governance and prioritize amongst demand.
    • Decentralized role can be viewed as an order taker by the business if not properly embedded and matured.
    • No guaranteed synergy and integration across functions; requires strong communication, collaboration, and steering.
    • Cannot meet every business unit’s needs – can cause tension from varying effectiveness of the IT functions.

    The image contains an example of a Hybrid Operating Model: LOB/Functional Aligned.

    Hybrid Model #2: Product-Aligned Operating Model

    I want to…

    • Align my IT organization into core products (services) that IT provides to the organization and establish a relationship with those in the organization that have alignment to that product.
    • Have roles dedicated to the lifecycle of their product and ensure the product can continuously deliver value to the organization.
    • Maintain centralized set of standards as it applies to overall IT strategy, security, and architecture to ensure consistency across products and reduce silos.

    BENEFITS

    • Focus is on the full lifecycle of a product – takes a strategic view of how technology enables the organization.
    • Promotes centralized backlog around a specific value creator, rather than a traditional project focus that is more transactional.
    • Dedicated teams around the product family ensure you have all of the resources required to deliver on your product roadmap.
    • Reduces barriers between IT and business stakeholders; focuses on technology as a key strategic enabler.
    • Delivery is largely done through frequent releases that can deliver value.

    RISKS

    • If there is little or no business involvement, it could prevent IT from truly understanding business demand and prioritizing the wrong work.
    • A lack of formal governance can create silos between the IT products, causing duplication of efforts, missed opportunities for collaboration, and redundancies in application or vendor contracts.
    • Members of each product can interpret the definition of standards (e.g. architecture, security) differently.

    The image contains an example of the Hybrid Operating Model: Product-Aligned Operating Model.

    Hybrid Operating Model #3: Service-Aligned Operating Model

    I want to…

    • Decentralize the IT organization by the various IT services it offers to the organization while remaining centralized with IT strategy, governance, security and operational services.
    • Ensure IT services are defined and people resources are aligned to deliver on those services.
    • Enable each of IT’s services to have the autonomy to understand the business needs and be able to manage the operational and new project initiatives with a dedicated service owner or business relationship manager.

    BENEFITS

    • Strong enabler of agility as each service has the autonomy to make decisions around operational work versus project work based on their understanding of the business demand.
    • Individuals in similar roles that are decentralized across services are given coaching to provide common direction.
    • Allows teams to efficiently scale with service demand.
    • This is a structurally baseline DevOps model. Each group will have services built within that have their own dedicated teams that will handle the full gambit of responsibilities, from new features to enhancements and maintenance.

    RISKS

    • Service owners require a method to collaborate to avoid duplication of efforts or projects that conflict with the efforts of other IT services.
    • May result in excessive cost through role redundancies across different services, as each will focus on components like integration, stakeholder management, project management, and user experiences.
    • Silos cause a high degree of specialization, making it more difficult for team members to imagine moving to another defined service group, limiting potential career advancement opportunities.
    • The level of complex knowledge required by shared services (e.g. help desk) is often beyond what they can provide, causing them to rely on and escalate to defined service groups more than with other operating models.

    The image contains an example of the Hybrid Operating Model: Service-Aligned Operating Model.

    Decentralized Model: Division Decentralization (LoB, Geography, Function, Product)

    I want to…

    • Decentralize the IT organization to enable greater autonomy within specific groups that have differing customer demands and levels of support.
    • Maintain a standard level of service that can be provided by IT for all divisions.
    • Ensure each division has access to critical data and reports that supports informed decision making.

    BENEFITS

    • Organization around functions allows for diversity in approach in how areas are run to best serve a specific business unit’s needs.
    • Each functional line exists largely independently, with full capacity and control to deliver service at the committed SLAs.
    • Highly responsive to shifting needs and demands with direct connection to customers and all stages of the solution development lifecycle.
    • Accelerates decision making by delegating authority lower into the function.
    • Promotes a flatter organization with less hierarchy and more direct communication with the CIO.

    RISKS

    • Requires risk and security to be centralized and have oversight of each division to prevent the decisions of one division from negatively impacting other divisions or the enterprise.
    • Less synergy and integration across what different lines of business are doing can result in redundancies and unnecessary complexity.
    • Higher overall cost to the IT group due to role and technology duplication across different divisions.
    • It will be difficult to centralize aspects of IT in the future, as divisions adopt to a culture of IT autonomy.

    The image contains an example of the Decentralized Model: Division Decentralization.

    Enterprise Model: Multi-Modal

    I want to…

    • Have an organizational structure that leverages several different operating models based on the needs and requirements of the different divisions.
    • Provide autonomy and authority to the different divisions so they can make informed and necessary changes as they see fit without seeking approval from a centralized IT group.
    • Support the different initiatives the enterprise is focused on delivering and ensure the right model is adopted based on those initiatives.

    BENEFITS

    • Allows for the organization to work in ways that best support individual areas; for example, areas that support legacy systems can be supported through traditional operating models while areas that support digital transformations may be supported through more flexible operating models.
    • Enables a specialization of knowledge related to each division.

    RISKS

    • Inconsistency across the organization can lead to confusion on how the organization should operate.
    • Parts of the organization that work in more traditional operating models may feel limited in career growth and innovation.
    • Cross-division initiatives may require greater oversight and a method to enable operations between the different focus areas.

    The image contains an example of the Enterprise Model: Multi-Modal.

    Create enabling teams that bridge your divisions

    The following bridges might be necessary to augment your divisions:

    • Specialized augmentation: There might not be a sufficient number of resources to support each division. These teams will be leveraged across the divisions; this means that the capabilities needed for each division will exist in this bridge team, rather than in the division.
    • Centers of Excellence: Capabilities that exist within divisions can benefit from shared knowledge across the enterprise. Your organization might set up centers of excellence to support best practices in capabilities organization wide. These are Forums in the unfix model, or communities of practice and support capability development rather than deliveries of each division.
    • Facilitation teams might be required to support divisions through coaching. This might include Agile or other coaches who can help teams adopt practices and embed learnings.
    • Holistic teams provide an enterprise view as they work with various divisions. This can include capabilities like user experience, which can benefit from the holistic perspective rather than a siloed one. People with these capabilities augment the divisions on an as-needed basis.
    The image contains a diagram to demonstrate the use of bridges on divisions.

    2.5 Customize the selected sketch to reflect the desired future state

    1-3 hours

    1. Using the baseline operating model sketch, walk through each of the IT capabilities. Based on the outputs from activity 2.1:
      1. Remove any capabilities for which your IT organization is not responsible and/or accountable.
      2. Augment the language of specific capabilities that you feel are not directly reflective of what is being done within your organizational context or that you feel need to be changed to reflect more specifically how work is being done in your organization.
      3. Add any core capabilities from your organization that are missing from the provided IT capability list.
    2. Move capabilities to the right places in the operating model to reflect how each of the core IT processes should interact with one another.
    3. Add bridges as needed to support the divisions in your organization. Identify which capabilities will sit in these bridges and define how they will enable the operating model sketch to deliver.
    InputOutput
    • Selected base operating model sketch
    • Customized list of IT capabilities
    • Understanding of outsourcing and gaps
    • Customized operating model sketch
    MaterialsParticipants
    • Whiteboard/flip charts
    • Operating model sketch examples
    • CIO
    • IT Leadership

    Record the results in the Organizational Design Workbook

    Document the final operating model sketch in the Communications Deck

    Phase 3

    Formalize the Organizational Structure

    This phase will walk you through the following activities:

    3.1 Create work units

    3.2 Create work unit mandates

    3.3 Define roles inside the work units

    3.4 Finalize the organizational chart

    3.5 Identify and mitigate key risks

    This phase involves the following participants:

    • CIO
    • IT Leadership
    • Business Leadership

    Embed change management into the organizational design process

    Enable adoption of the new structure.

    You don’t have to make the change in one big bang. You can adopt alternative transition plans such as increments or pilots. This allows people to see the benefits of why you are undergoing the change, allows the change message to be repeated and applied to the individuals impacted, and provides people with time to understand their role in making the new organizational structure successful.

    “Transformational change can be invigorating for some employees but also highly disruptive and stressful for others.”

    Source: OpenStax, 2019

    Info-Tech Insight

    Without considering the individual impact of the new organizational structure on each of your employees, the change will undoubtedly fail in meeting its intended goals and your organization will likely fall back into old structured habits.

    Use a top-down approach to build your target-state IT organizational sketch

    The organizational sketch is the outline of the organization that encompasses the work units and depicts the relationships among them. It’s important that you create the structure that’s right for your organization, not one that simply fits with your current staff’s skills and knowledge. This is why Info-Tech encourages you to use your operating model as a mode of guidance for structuring your future-state organizational sketch.

    The organizational sketch is made up of unique work units. Work units are the foundational building blocks on which you will define the work that IT needs to get done. The number of work units you require and their names will not match your operating model one to one. Certain functional areas will need to be broken down into smaller work units to ensure appropriate leadership and span of control.

    Use your customized operating model to build your work units

    WHAT ARE WORK UNITS?

    A work unit is a functional group or division that has a discrete set of processes or capabilities that it is responsible for, which don’t overlap with any others. Your customized list of IT capabilities will form the building blocks of your work units. Step one in the process of building your structure is grouping IT capabilities together that are similar or that need to be done in concert in the case of more complex work products. The second step is to iterate on these work units based on the organizational design principles from Phase 1 to ensure that the future-state structure is aligned with enablement of the organization’s objectives.

    Work Unit Examples

    Here is a list of example work units you can use to brainstorm what your organization’s could look like. Some of these overlap in functionality but should provide a strong starting point and hint at some potential alternatives to your current way of organizing.

    • Office of the CIO
    • Strategy and Architecture
    • Architecture and Design
    • Business Relationship Management
    • Projection and Portfolio Management
    • Solution Development
    • Solution Delivery
    • DevOps
    • Infrastructure and Operations
    • Enterprise Information Security
    • Security, Risk & Compliance
    • Data and Analytics

    Example of work units

    The image contains an example of work units.

    3.1 Create functional work units

    1-3 hours

    1. Using a whiteboard or large tabletop, list each capability from your operating model on a sticky note and recreate your operating model. Use one color for centralized activities and a second color for decentralized activities.
    2. With the group of key IT stakeholders, review the operating model and any important definitions and rationale for decisions made.
    3. Starting with your centralized capabilities, review each in turn and begin to form logical groups of compatible capabilities. Review the decentralized capabilities and repeat the process, writing additional sticky notes for capabilities that will be repeated in decentralized units.
    4. Note: Not all capabilities need to be grouped. If you believe that a capability has a high enough priority, has a lot of work, or is significantly divergent from others put this capability by itself.
    5. Define a working title for each new work unit, and discuss the pros and cons of the model. Ensure the work units still align with the operating model and make any changes to the operating model needed.
    6. Review your design principles and ensure that they are aligned with your new work units.
    InputOutput
    • Organizational business objectives
    • Customized operating model
    • Defined work units
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Group formation

    Understand the impact of the functional groups you create.

    A group consists of two or more individuals who are working toward a common goal. Group formation is how those individuals are organized to deliver on that common goal. It should take into consideration the levels of hierarchy in your structure, the level of focus you give to processes, and where power is dispersed within your organizational design.

    Importance: Balance highly important capabilities with lower priority capabilities

    Specialization: The scope of each role will be influenced by specialized knowledge and a dedicated leader

    Effectiveness: Group capabilities that increase their efficacy

    Span of Control: Identify the right number of employees reporting to a single leader

    Choose the degree of specialization required

    Be mindful of the number of hats you’re placing on any one role.

    • Specialization exists when individuals in an organization are dedicated to performing specific tasks associated with a common goal and requiring a particular skill set. Aligning the competencies required to carry out the specific tasks based on the degree of complexity associated with those tasks ensures the right people and number of people can be assigned.
    • When people are organized by their specialties, it reduces the likelihood of task switching, reduces the time spent training or cross-training, and increases the focus employees can provide to their dedicated area of specialty.
    • There are disadvantages associated with aligning teams by their specialization, such as becoming bored and seeing the tasks they are performing as monotonous. Specialization doesn’t come without its problems. Monitor employee motivation

    Info-Tech Insight

    Smaller organizations will require less specialization simply out of necessity. To function and deliver on critical processes, some people might be asked to wear several hats.

    Avoid overloading the cognitive capacity of employees

    Cognitive load refers to the number of responsibilities that one can successfully take on.

    • When employees are assigned an appropriate number of responsibilities this leads to:
      • Engaged employees
      • Less task switching
      • Increased effectiveness on assigned responsibilities
      • Reduced bottlenecks
    • While this cognitive load can differ from employee to employee, when assigning role responsibilities, ensure each role isn’t being overburdened and spreading their focus thin.
    • Moreover, capable does not equal successful. Just because someone has the capability to take on more responsibilities doesn’t mean they will be successful.
    • Leverage the cognitive load being placed on your team to help create boundaries between teams and demonstrate clear role expectations.
    Source: IT Revolution, 2021

    Info-Tech Insight

    When you say you are looking for a team that is a “jack of all trades,” you are likely exceeding appropriate cognitive loads for your staff and losing productivity to task switching.

    Factors to consider for span of control

    Too many and too few direct reports have negative impacts on the organization.

    Complexity: More complex work should have fewer direct reports. This often means the leader will need to provide lots of support, even engaging in the work directly at times.

    Demand: Dynamic shifts in demand require more managerial involvement and therefore should have a smaller span of control. Especially if this demand is to support a 24/7 operation.

    Competency Level: Skilled employees should require less hands-on assistance and will be in a better position to support the business as a member of a larger team than those who are new to the role.

    Purpose: Strategic leaders are less involved in the day-to-day operations of their teams, while operational leaders tend to provide hands-on support, specifically when short-staffed.

    Group formation will influence communication structure

    Pick your poison…

    It’s important to understand the impacts that team design has on your services and products. The solutions that a team is capable of producing is highly dependent on how teams are structured. For example, Conway’s Law tells us that small distributed software delivery teams are more likely to produce modular service architecture, where large collocated teams are better able to create monolithic architecture. This doesn’t just apply to software delivery but also other products and services that IT creates. Note that small distributed teams are not the only way to produce quality products as they can create their own silos.

    Sources: Forbes, 2017

    Create mandates for each of your identified work units

    WHAT ARE WORK UNIT MANDATES?

    The work unit mandate should provide a quick overview of the work unit and be clear enough that any reader can understand why the work unit exists, what it does, and what it is accountable for.

    Each work unit will have a unique mandate. Each mandate should be distinguishable enough from your other work units to make it clear why the work is grouped in this specific way, rather than an alternative option. The mandate will vary by organization based on the agreed upon work units, design archetype, and priorities.

    Don’t just adopt an example mandate from another organization or continue use of the organization’s pre-existing mandate – take the time to ensure it accurately depicts what that group is doing so that its value-added activities are clear to the larger organization.

    Examples of Work Unit Mandates

    The Office of the CIO will be a strategic enabler of the IT organization, driving IT organizational performance through improved IT management and governance. A central priority of the Office of the CIO is to ensure that IT is able to respond to evolving environments and challenges through strategic foresight and a centralized view of what is best for the organization.

    The Project Management Office will provide standardized and effective project management practices across the IT landscape, including an identified project management methodology, tools and resources, project prioritization, and all steps from project initiation through to evaluation, as well as education and development for project managers across IT.

    The Solutions Development Group will be responsible for the high-quality development and delivery of new solutions and improvements and the production of customized business reports. Through this function, IT will have improved agility to respond to new initiatives and will be able to deliver high-quality services and insights in a consistent manner.

    3.2 Create work unit mandates

    1-3 hours

    1. Break into teams of three to four people and assign an equal number of work units to each team.
    2. Have each team create a set of statements that describe the overall purpose of that working group. Each mandate statement should:
    • Be clear enough that any reader can understand.
    • Explain why the work unit exists, what it does, and what it is accountable for.
    • Be distinguishable enough from your other work units to make it clear why the work is grouped in this specific way, rather than an alternative option.
  • Have each group present their work unit mandates and make changes wherever necessary.
  • InputOutput
    • Work units
    • Work unit mandates
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Identify the key roles and responsibilities for the target IT organization

    Now that you have identified the main units of work in the target IT organization, it is time to identify the roles that will perform that work. At the end of this step, the key roles will be identified, the purpose statement will be built, and accountability and responsibility for roles will be clearly defined. Make sure that accountability for each task is assigned to one role only. If there are challenges with a role, change the role to address them (e.g. split roles or shift responsibilities).

    The image contains an example of two work units: Enterprise Architecture and PMO. It then lists the roles of the two work units.

    Info-Tech Insight

    Do not bias your role design by focusing on your existing staff’s competencies. If you begin to focus on your existing team members, you run the risk of artificially narrowing the scope of work or skewing the responsibilities of individuals based on the way it is, rather than the way it should be.

    3.3 Define roles inside the work units

    1-3 hours

    1. Select a work unit from the organizational sketch.
    2. Describe the most senior role in that work unit by asking, “what would the leader of this group be accountable or responsible for?” Define this role and move the capabilities they will be accountable for under that leader. Repeat this activity for the capabilities this leader would be responsible for.
    3. Continue to define each role that will be required in that work unit to deliver or provide oversight related to those capabilities.
    4. Continue until key roles are identified and the capabilities each role will be accountable or responsible for are clarified.
    5. Remember, only one role can have accountability for each capability but several can have responsibility.
    6. For each role, use the list of capabilities that the position will be accountable, responsible, or accountable and responsible for to create a job description. Leverage your own internal job descriptions or visit our Job Descriptions page.
    InputOutput
    • Work units
    • Work unit mandates
    • Responsibilities
    • Accountabilities
    • Roles with clarified responsibilities and accountabilities
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Delivery model for product or solution development

    Can add additional complexity or clarity

    • Certain organizational structures will require a specific type of resourcing model to meet expectations and deliver on the development or sustainment of core products and solutions.
    • There are four common methods that we see in IT organizations:
      • Functional Roles: Completed work is handed off from functional team to functional team sequentially as outlined in the organization’s SDLC.
      • Shared Service & Resource Pools (Matrix): Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high.
      • Product or System: Work is directly sent to the teams who are directly managing the product or directly supporting the requestor.
      • Skills & Competencies: Work is directly sent to the teams who have the IT and business skills and competencies to complete the work.
    • Each of these will lead to a difference in how the functional team is skilled. They could have a great understanding of their customer, the product, the solution, or their service.

    Info-Tech Insight

    Despite popular belief, there is no such thing as the Spotify model, and organizations that structured themselves based on the original Spotify drawing might be missing out on key opportunities to obtain productivity from employees.

    Sources: Indeed, 2020; Agility Scales

    There can be different patterns to structure and resource your product delivery teams

    The primary goal of any product delivery team is to improve the delivery of value for customers and the business based on your product definition and each product’s demand. Each organization will have different priorities and constraints, so your team structure may take on a combination of patterns or may take on one pattern and then transform into another.

    Delivery Team Structure Patterns

    How Are Resources and Work Allocated?

    Functional Roles

    Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC).

    Completed work is handed off from team to team sequentially as outlined in the organization’s SDLC.

    Shared Service and Resource Pools

    Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk).

    Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high.

    Product or System

    Teams are dedicated to the development, support, and management of specific products or systems.

    Work is directly sent to the teams who are directly managing the product or directly supporting the requester.

    Skills and Competencies

    Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, Finance).

    Work is directly sent to the teams who have the IT and business skills and competencies to complete the work.

    Delivery teams will be structured according to resource and development needs

    Functional Roles

    Shared Service and Resource Pools

    Product or System

    Skills and Competencies

    When your people are specialists versus having cross-functional skills

    Leveraged when specialists such as Security or Operations will not have full-time work on the product

    When you have people with cross-functional skills who can self-organize around a product’s needs

    When you have a significant investment in a specific technology stack

    The image contains a diagram of functional roles.The image contains a diagram of shared service and resource pools.The image contains a diagram of product or system.The image contains a diagram of skills and competencies.

    For more information about delivering in a product operating model, refer to our Deliver Digital Products at Scale blueprint.

    3.4 Finalize the organizational chart

    1-3 hours

    1. Import each of your work units and the target-state roles that were identified for each.
    2. In the place of the name of each work unit in your organizational sketch, replace the work unit name with the prospective role name for the leader of that group.
    3. Under each of the leadership roles, import the names of team members that were part of each respective work unit.
    4. Validate the final structure as a group to ensure each of the work units includes all the necessary roles and responsibilities and that there is clear delineation of accountabilities between the work units.

    Input

    Output

    • Work units
    • Work unit mandates
    • Roles with accountabilities and responsibilities
    • Finalized organizational chart

    Materials

    Participants

    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook & Executive Communications Deck

    Proactively consider and mitigate redesign risks

    Every organizational structure will include certain risks that should have been considered and accepted when choosing the base operating model sketch. Now that the final organizational structure has been created, consider if those risks were mitigated by the final organizational structure that was created. For those risks that weren’t mitigated, have a tactic to control risks that remain present.

    3.5 Identify and mitigate key risks

    1-3 hours

    1. For each of the operating model sketch options, there are specific risks that should have been considered when selecting that model.
    2. Take those risks and transfer them into the correct slide of the Organizational Design Workbook.
    3. Consider if there are additional risks that need to be considered with the new organizational structure based on the customizations made.
    4. For each risk, rank the severity of that risk on a scale of low, medium, or high.
    5. Determine one or more mitigation tactic(s) for each of the risks identified. This tactic should reduce the likelihood or impact of the risk event happening.
    InputOutput
    • Final organizational structure
    • Operating model sketch benefits and risks
    • Redesign risk mitigation plan
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Phase 4

    Plan for Implementation & Change

    This phase will walk you through the following activities:

    4.1 Select a transition plan

    4.2 Establish the change communication messages

    4.3 Be consistent with a standard set of FAQs

    4.4 Define org. redesign resistors

    4.5 Create a sustainment plan

    This phase involves the following participants:

    • CIO
    • IT Leadership
    • Business Leadership
    • HR Business Partners

    All changes require change management

    Change management is:

    Managing a change that requires replanning and reorganizing and that causes people to feel like they have lost control over aspects of their jobs.

    – Padar et al., 2017
    People Process Technology

    Embedding change management into organizational design

    PREPARE A

    Awareness: Establish the need for organizational redesign and ensure this is communicated well.

    This blueprint is mostly focused on the prepare and transition components.

    D

    Desire: Ensure the new structure is something people are seeking and will lead to individual benefits for all.

    TRANSITION K

    Knowledge: Provide stakeholders with the tools and resources to function in their new roles and reporting structure.

    A

    Ability: Support employees through the implementation and into new roles or teams.

    FUTURE R

    Reinforcement: Emphasize and reward positive behaviors and attitudes related to the new organizational structure.

    Implementing the new organizational structure

    Implementing the organizational structure can be the most difficult part of the process.

    • To succeed in the process, consider creating an implementation plan that adequately considers these five components.
    • Each of these are critical to supporting the final organizational structure that was established during the redesign process.

    Implementation Plan

    Transition Plan: Identify the appropriate approach to making the transition, and ensure the transition plan works within the context of the business.

    Communication Strategy: Create a method to ensure consistent, clear, and concise information can be provided to all relevant stakeholders.

    Plan to Address Resistance: Given that not everyone will be happy to move forward with the new organizational changes, ensure you have a method to hear feedback and demonstrate concerns have been heard.

    Employee Development Plan: Provide employees with tools, resources, and the ability to demonstrate these new competencies as they adjust to their new roles.

    Monitor and Sustain the Change: Establish metrics that inform if the implementation of the new organizational structure was successful and reinforce positive behaviors.

    Define the type of change the organizational structure will be

    As a result, your organization must adopt OCM practices to better support the acceptance and longevity of the changes being pursued.

    Incremental Change

    Transformational Change

    Organizational change management is highly recommended and beneficial for projects that require people to:

    • Adopt new tools and workflows.
    • Learn new skills.
    • Comply with new policies and procedures.
    • Stop using old tools and workflows.

    Organizational change management is required for projects that require people to:

    • Move into different roles, reporting structures, and career paths.
    • Embrace new responsibilities, goals, reward systems, and values.
    • Grow out of old habits, ideas, and behaviors.
    • Lose stature in the organization.

    Info-Tech Insight

    How you transition to the new organizational structure can be heavily influenced by HR. This is the time to be including them and leveraging their expertise to support the transition “how.”

    Transition Plan Options

    Description

    Pros

    Cons

    Example

    Big Bang Change

    Change that needs to happen immediately – “ripping the bandage off.”

    • It puts an immediate stop to the current way of operating.
    • Occurs quickly.
    • More risky.
    • People may not buy into the change immediately.
    • May not receive the training needed to adjust to the change.

    A tsunami in Japan stopped all imports and exports. Auto manufacturers were unable to get parts shipped and had to immediately find an alternative supplier.

    Incremental Change

    The change can be rolled out slower, in phases.

    • Can ensure that people are bought in along the way through the change process, allowing time to adjust and align with the change.
    • There is time to ensure training takes place.
    • It can be a timely process.
    • If the change is dragged on for too long (over several years) the environment may change and the rationale and desired outcome for the change may no longer be relevant.

    A change in technology, such as HRIS, might be rolled out one application at a time to ensure that people have time to learn and adjust to the new system.

    Pilot Change

    The change is rolled out for only a select group, to test and determine if it is suitable to roll out to all impacted stakeholders.

    • Able to test the success of the change initiative and the implementation process.
    • Able to make corrections before rolling it out wider, to aid a smooth change.
    • Use the pilot group as an example of successful change.
    • Able to gain buy-in and create change champions from the pilot group who have experienced it and see the benefits.
    • Able to prevent an inappropriate change from impacting the entire organization.
    • Lengthy process.
    • Takes time to ensure the change has been fully worked through.

    A retail store is implementing a new incentive plan to increase product sales. They will pilot the new incentive plan at select stores, before rolling it out broadly.

    4.1 Select a transition plan approach

    1-3 hours

    1. List each of the changes required to move from your current structure to the new structure. Consider:
      1. Changes in reporting structure
      2. Hiring new members
      3. Eliminating positions
      4. Developing key competencies for staff
    2. Once you’ve defined all the changes required, consider the three different transition plan approaches: big bang, incremental, and pilot. Each of the transition plan approaches will have drawbacks and benefits. Use the list of changes to inform the best approach.
    3. If you are proceeding with the incremental or the pilot, determine the order in which you will proceed with the changes or the groups that will pilot the new structure first.
    InputOutput
    • Customized operating model sketch
    • New org. chart
    • Current org. chart
    • List of changes to move from current to future state
    • Transition plan to support changes
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • HR Business Partners

    Record the results in the Organizational Design Workbook

    Make a plan to effectively manage and communicate the change

    Success of your new organizational structure hinges on adequate preparation and effective communication.

    The top challenge facing organizations in completing the organizational redesign is their organizational culture and acceptance of change. Effective planning for the implementation and communication throughout the change is pivotal. Make sure you understand how the change will impact staff and create tailored plans for communication.

    65% of managers believe the organizational change is effective when provided with frequent and clear communication.

    Source: SHRM, 2021

    Communicate reasons for organizational structure changes and how they will be implemented

    Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state, and that makes the change concrete and meaningful to staff.

    The organizational change message should:

    • Explain why the change is needed.
    • Summarize what will stay the same.
    • Highlight what will be left behind.
    • Emphasize what is being changed.
    • Explain how change will be implemented.
    • Address how change will affect various roles in the organization.
    • Discuss the staff’s role in making the change successful.

    Five elements of communicating change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • How long will it take us to do it?
    • What will the role be for each department and individual?
    Source: Cornelius & Associates, 2010

    4.2 Establish the change communication messages

    2 hours

    1. The purpose of this activity is to establish a change communication message you can leverage when talking to stakeholders about the new organizational structure.
    2. Review the questions in the Organizational Design Workbook.
    3. Establish a clear message around the expected changes that will have to take place to help realize the new organizational structure.
    InputOutput
    • Customized operating model sketch
    • New org. chart
    • Current org. chart
    • List of changes
    • Transition plan
    • Change communication message for new organizational structure
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Apply the following communication principles to make your IT organization redesign changes relevant to stakeholders

    Be Clear

    • Say what you mean and mean what you say.
    • Choice of language is important: “Do you think this is a good idea? I think we could really benefit from your insights and experience here.” Or do you mean: “I think we should do this. I need you to do this to make it happen.”
    • Don’t use jargon.

    Be Consistent

    • The core message must be consistent regardless of audience, channel, or medium.
    • Test your communication with your team or colleagues to obtain feedback before delivering to a broader audience.
    • A lack of consistency can be interpreted as an attempt at deception. This can hurt credibility and trust.

    Be Concise

    • Keep communication short and to the point so key messages are not lost in the noise.
    • There is a risk of diluting your key message if you include too many other details.

    Be Relevant

    • Talk about what matters to the stakeholder.
    • Talk about what matters to the initiative.
    • Tailor the details of the message to each stakeholder’s specific concerns.
    • IT thinks in processes but stakeholders only care about results: talk in terms of results.
    • IT wants to be understood but this does not matter to stakeholders. Think: “what’s in it for them?”
    • Communicate truthfully; do not make false promises or hide bad news.

    Frequently asked questions (FAQs) provide a chance to anticipate concerns and address them

    As a starting point for building an IT organizational design implementation, look at implementing an FAQ that will address the following:

    • The what, who, when, why, and where
    • The transition process
    • What discussions should be held with clients in business units
    • HR-centric questions

    Questions to consider answering:

    • What is the objective of the IT organization?
    • What are the primary changes to the IT organization?
    • What does the new organizational structure look like?
    • What are the benefits to our IT staff and to our business partners?
    • How will the IT management team share new information with me?
    • What is my role during the transition?
    • What impact is there to my reporting relationship within my department?
    • What are the key dates I should know about?

    4.3 Be consistent with a standard set of FAQs

    1 hour

    1. Beyond the completed communications plans, brainstorm a list of answers to the key “whats” of your organizational design initiative:
    • What is the objective of the IT organization?
    • What are the primary changes to the IT organization?
    • What does the new organizational structure look like?
    • What are the benefits to our IT staff and to our business partners?
  • Think about any key questions that may rise around the transition:
    • How will the IT management team share new information with me?
    • What is my role during the transition?
    • What impact is there to my reporting relationship within my department?
    • What are the key dates I should know about?
  • Determine the best means of socializing this information. If you have an internal wiki or knowledge-sharing platform, this would be a useful place to host the information.
  • InputOutput
    • Driver(s) for the new organizational structure
    • List of changes to move from current to future state
    • Change communication message
    • FAQs to provide to staff about the organizational design changes
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    The change reaction model

    The image contains a picture of the change reaction model. The model includes a double arrow pointing in both directions of left and right. On top of the arrow are 4 circles spread out on the arrow. They are labelled: Active Resistance, Detachment, Questioning, Acceptance.

    (Adapted from Cynthia Wittig)

    Info-Tech Insight

    People resist changes for many reasons. When it comes to organizational redesign changes, some of the most common reasons people resist change include a lack of understanding, a lack of involvement in the process, and fear.

    Include employees in the employee development planning process

    Prioritize

    Assess employee to determine competency levels and interests.

    Draft

    Employee drafts development goals; manager reviews.

    Select

    Manager helps with selection of development activities.

    Check In

    Manager provides ongoing check-ins, coaching, and feedback.

    Consider core and supplementary components that will sustain the new organizational structure

    Supplementary sustainment components:

    • Tools & Resources
    • Structure
    • Skills
    • Work Environment
    • Tasks
    • Disincentives

    Core sustainment components:

    • Empowerment
    • Measurement
    • Leadership
    • Communication
    • Incentives

    Sustainment Plan

    Sustain the change by following through with stakeholders, gathering feedback, and ensuring that the change rationale and impacts are clearly understood. Failure to so increases the potential that the change initiative will fail or be a painful experience and cost the organization in terms of loss of productivity or increase in turnover rates.

    Support sustainment with clear measurements

    • Measurement is one of the most important components of monitoring and sustaining the new organizational structure as it provides insight into where the change is succeeding and where further support should be added.
    • There should be two different types of measurements:
    1. Standard Change Management Metrics
    2. Organizational Redesign Metrics
  • When gathering data around metrics, consider other forms of measurement (qualitative) that can provide insights on opportunities to enhance the success of the organizational redesign change.
    1. Every measurement should be rooted to a goal. Many of the goals related to organizational design will be founded in the driver of this change initiative
    2. Once the goals have been defined, create one or more measurements that determines if the goal was successful.
    3. Use specific key performance indicators (KPIs) that contain a metric that is being measured and the frequency of that measurement.

    Info-Tech Insight

    Obtaining qualitative feedback from employees, customers, and business partners can provide insight into where the new organizational structure is operating optimally versus where there are further adjustments that could be made to support the change.

    4.4 Consider sustainment metrics

    1 hour

    1. Establish metrics that bring the entire process together and that will ensure the new organizational design is a success.
    2. Go back to your driver(s) for the organizational redesign. Use these drivers to help inform a particular measurement that can be used to determine if the new organizational design will be successful. Each measurement should be related to the positive benefits of the organization, an individual, or the change itself.
    3. Once you have a list of measurements, use these to determine the specific KPI that can be qualified through a metric. Often you are looking for an increase or decrease of a particular measurement by a dollar or percentage within a set time frame.
    4. Use the example metrics in the workbook and update them to reflect your organization’s drivers.
    InputOutput
    • Driver(s) for the new organizational structure
    • List of changes to move from current to future state
    • Change communication message
    • Sustainment metrics
    MaterialsParticipants
    • Whiteboard/Flip Charts
    • CIO
    • IT Leadership
    • Business Leadership

    Record the results in the Organizational Design Workbook

    Related Info-Tech Research

    Build a Strategic IT Workforce Plan

    • Continue into the second phase of the organizational redesign process by defining the required workforce to deliver.
    • Leveraging trends, data, and feedback from your employees, define the competencies needed to deliver on the defined roles.

    Implement a New IT Organizational Structure

    • Organizational design implementations can be highly disruptive for IT staff and business partners.
    • Without a structured approach, IT leaders may experience high turnover, decreased productivity, and resistance to the change.

    Define the Role of Project Management in Agile and Product-Centric Delivery

    • There are many voices with different opinions on the role of project management. This causes confusion and unnecessary churn.
    • Project management and product management naturally align to different time horizons. Harmonizing their viewpoints can take significant work.

    Research Contributors and Experts

    The image contains a picture of Jardena London.

    Jardena London

    Transformation Catalyst, Rosetta Technology Group

    The image contains a picture of Jodie Goulden.

    Jodie Goulden

    Consultant | Founder, OrgDesign Works

    The image contains a picture of Shan Pretheshan.

    Shan Pretheshan

    Director, SUPA-IT Consulting

    The image contains a picture of Chris Briley.

    Chris Briley

    CIO, Manning & Napier

    The image contains a picture of Dean Meyer.

    Dean Meyer

    President N. Dean Meyer and Associates Inc.

    The image contains a picture of Jimmy Williams.

    Jimmy Williams

    CIO, Chocktaw Nation of Oklahoma

    Info-Tech Research Group

    Cole Cioran, Managing Partner

    Dana Daher, Research Director

    Hans Eckman, Principal Research Director

    Ugbad Farah, Research Director

    Ari Glaizel, Practice Lead

    Valence Howden, Principal Research Director

    Youssef Kamar, Senior Manager, Consulting

    Carlene McCubbin, Practice Lead

    Baird Miller, Executive Counsellor

    Josh Mori, Research Director

    Rajesh Parab, Research Director

    Gary Rietz, Executive Counsellor

    Bibliography

    “A Cheat Sheet for HR Professionals: The Organizational Development Process.” AIHR, 2021. Web.

    Acharya, Ashwin, Roni Lieber, Lissa Seem, and Tom Welchman. “How to identify the right ‘spans of control’ for your organization.” McKinsey, 21 December 2017. Web.

    Anand. N., and Jean-Louis Barsoux. “What everyone gets wrong about change management. Harvard Business Review, December 2017. Web.

    Atiken, Chris. “Operating model design-first principles.” From Here On, 24 August 2018. Web.

    “Avoid common digital transformation challenges: Address your IT Operating Model Now.” Sofigate, 5 May 2020. Web.

    Baumann, Oliver, and Brian Wu. “The many dimensions of research on designing flat firms.” Journal of Organizational Design, no. 3, vol. 4. 09 May 2022.Web.

    Bertha, Michael. “Cross the project to product chasm.” CIO, 1 May 2020. Web.

    Blenko, Marcia, and James Root. “Design Principles for a Robust Operating Model.” Bain & Company, 8 April 2015. Web.

    Blenko, Marcia, Leslie Mackrell, and Kevin Rosenberg. “Operating models: How non-profits get from strategy to results.” The Bridge Span Group, 15 August 2019. Web.

    Boulton, Clint. “PVH finds perfect fit in hybrid IT operating model amid pandemic.” CIO, 19 July 2021. Web.

    Boulton, Clint. “Why digital disruption leaves no room for bimodal IT.” CIO, 11 May 2017. Web.

    Bright, David, et al. “Chapter 10: Organizational Structure & Change.” Principles of Management, OpenStax, Rice University, 20 March 2019. Book.

    Campbell, Andrew. “Design Principles: How to manage them.” Ashridge Operating Models. 1 January 2022. Web.

    D., Maria. “3 Types of IT Outsourcing Models and How to Choose Between Them.” Cleveroad, 29 April 2022. Web.

    Devaney, Eric. “9 Types of Organizational Structure Every Company Should Consider.” HubSpot, 11 February 2022. Web.

    Devaney, Erik. “The six building blocks of organizational structure.” Hubspot, 3 June 2020. Web.

    Eisenman, M., S. Paruchuri, and P. Puranam. “The design of emergence in organizations.” Journal of Organization Design, vol. 9, 2020. Web.

    Forbes Business Development Council. “15 Clear Signs It’s Time to Restructure the Business.” Forbes, 10 February 2020. Web.

    Freed, Joseph. “Why Cognitive Load Could Be The Most Important Employee Experience Metric In The Next 10 Years.” Forbes, 30 June 2020. Web.

    Galibraith, Jay. “The Star Model.” JayGalbraith.com, n.d. Web.

    Girod, Stéphane, and Samina Karim. “Restructure or reconfigure?” Harvard Business Review, April 2017. Web.

    Goldman, Sharon. “The need for a new IT Operating Model: Why now?” CIO, 27 August 2019. Web.

    Halapeth, Milind. “New age IT Operating Model: Creating harmony between the old and the new.” Wirpo, n.d. Web.

    Harvey, Michelle. “Why a common operating model is efficient for business productivity.” CMC, 10 May 2020. Web.

    Helfand, Heidi. “Dynamic Reteaming.” O’Reilly Media, 7 July 2020. Book.

    JHeller, Martha. “How Microsoft CIO Jim DuBois changed the IT Operating Model.” CIO, 2 February 2016. Web.

    Heller, Martha. “How Stryker IT Shifted to a global operating model.” CIO, 19 May 2021. Web.

    Heller, Michelle. “Inside blue Shields of California’s IT operating model overhaul.” CIO, 24 February 2021. Web.

    Hessing, Ted. “Value Stream Mapping.” Six Sigma Study Guide, 11 April 2014. Web.

    Huber, George, P. “What is Organization Design.” Organizational Design Community, n.d. Web.

    Indeed Editorial Team. “5 Advantages and Disadvantages of the Matrix Organizational Structure.” Indeed, 23 November 2020. Web.

    Indeed Editorial Team. “How to plan an effective organization restructure.” Indeed, 10 June 2021. Web.

    “Insourcing vs Outsourcing vs Co-Sourcing.” YML Group, n.d. Web.

    “Investing in more strategic roles.” CAPS Research, 3 February 2022. Web.

    Jain, Gagan. “Product IT Operating Model: The next-gen model for a digital work.” DevOps, 22 July 2019. Web.

    Kane, Gerald, D. Plamer, and Anh Phillips. “Accelerating Digital Innovation Inside and Out.” Deloitte Insights, 4 June 2019. Web.

    Krush, Alesia. “IT companies with ‘flat’ structures: utopia or innovative approach?” Object Style, 18 October 2018. Web.

    Law, Michael. “Adaptive Design: Increasing Customer Value in Your Organisation.” Business Agility Institute, 5 October 2020. Web.

    LucidContent Team. “How to get buy-in for changes to your organizational structure.” Lucid Chart, n.d. Web.

    Matthews, Paul. “Do you know the difference between competence and capability?” The People Development Magazine, 25 September 2020. Web.

    Meyer, Dean N. “Analysis: Common symptoms of organizational structure problems.” NDMA, n.d. Web.

    Meyer, N. Dean. “Principle-based Organizational Structure.” NDMA Publishing, 2020. Web.

    Morales Pedraza, Jorge. Answer to posting, “What is the relationship between structure and strategy?” ResearchGate.net, 5 March 2014. Web.

    Nanjad, Len. “Five non-negotiables for effective organization design change.” MNP, 01 October 2021. Web.

    Neilson, Gary, Jaime Estupiñán, and Bhushan Sethi. “10 Principles of Organizational Design.” Strategy & Business, 23 March 2015. Web.

    Nicastro, Dom. “Understanding the Foundational Concepts of Organizational Design.” Reworked, 24 September 2020. Web.

    Obwegeser, Nikolaus, Tomoko Yokoi, Michael Wade, and Tom Voskes. “7 Key Principles to Govern Digital Initiatives.” MIT Sloan, 1 April 2020. Web.

    “Operating Models and Tools.” Business Technology Standard, 23 February 2021. Web.

    “Organizational Design Agility: Journey to a combined community.” ODF-BAI How Space, Organizational Design Forum, 2022. Web.

    “Organizational Design: Understanding and getting started.” Ingentis, 20 January 2021. Web.

    Padar, Katalin, et al. “Bringing project and change management roles into sync.” Journal of Change Management, 2017. Web.

    Partridge, Chris. “Evolve your Operating Model- It will drive everything.” CIO, 30 July 2021. Web.

    Pijnacker, Lieke. “HR Analytics: role clarity impacts performance.” Effectory, 25 September 2019. Web.

    Pressgrove, Jed. “Centralized vs. Federated: Breaking down IT Structures.” Government Technology, March 2020. Web.

    Sherman, Fraser. “Differences between Organizational Structure and Design.” Bizfluent, 20 September 2019. Web.

    Skelton, Matthew, and Manual Pais. “Team Cognitive Load.” IT Revolution, 19 January 2021. Web.

    Skelton, Matthew, and Manual Pais. Team Topologies. IT Revolution Press, 19 September 2019. Book

    Spencer, Janet, and Michael Watkins. “Why organizational change fails.” TLNT, 26 November 2019. Web.

    Storbakken, Mandy. “The Cloud Operating Model.” VMware, 27 January 2020. Web.

    "The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2010. Web.

    “Understanding Organizational Structures.” SHRM, 31 August 2021. Web.

    "unfix Pattern: Base.” AgilityScales, n.d. Web.

    Walker, Alex. “Half-Life: Alyx helped change Valve’s Approach to Development.” Kotaku, 10 July 2020. Web.

    "Why Change Management.” Prosci, n.d. Web.

    Wittig, Cynthia. “Employees' Reactions to Organizational Change.” OD Practioner, vol. 44, no. 2, 2012. Web.

    Woods, Dan. “How Platforms are neutralizing Conway’s Law.” Forbes, 15 August 2017. Web.

    Worren, Nicolay, Jeroen van Bree, and William Zybach. “Organization Design Challenges. Results from a practitioner survey.” Journal of Organizational Design, vol. 8, 25 July 2019. Web.

    Appendix

    IT Culture Framework

    This framework leverages McLean & Company’s adaptation of Quinn and Rohrbaugh’s Competing Values Approach.

    The image contains a diagram of the IT Culture Framework. The framework is divided into four sections: Competitive, Innovative, Traditional, and Cooperative, each with their own list of descriptors.

    Create a Transparent and Defensible IT Budget

    • Buy Link or Shortcode: {j2store}291|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $29,682 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • IT struggles to gain budget approval year after year, largely driven by a few key factors:
      • For a long time, IT has been viewed as a cost center whose efficiency needs to be increasingly optimized over time. IT’s relationship to strategy is not yet understood or established in many organizations.
      • IT is one of the biggest areas of cost for many organizations. Often, executives don’t understand or even believe that all that IT spending is necessary to advance the organization’s objectives, let alone keep it up and running.

    Our Advice

    Critical Insight

    Internal and external obstacles beyond IT’s control make these challenges with gaining IT budget approval even harder to overcome:

    • Economic pressures can quickly drive IT’s budgetary focus from strategic back to tactical.
    • Corporate-driven categorizations of expenditure, plus disconnected approval mechanisms for capital vs. operational spend, hide key interdependencies and other aspects of IT’s financial reality.
    • Connecting the dots between IT activities and business benefits rarely forms a straight line.

    Impact and Result

    • CIOs need a straightforward way to create and present an approval-ready budget.
      • Info-Tech recognizes that connecting the dots to demonstrate value is key to budgetary approval.
      • Info-Tech also recognizes that key stakeholders require different perspectives on the IT budget.
      • This blueprint provides a framework, method, and templated exemplars for creating and presenting an IT budget to stakeholders that will speed up the approval process and ensure more of it is approved.

    Create a Transparent and Defensible IT Budget Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a Transparent and Defensible IT Budget Storyboard – A step-by-step guide to developing a proposed IT budget that’s sensitive to stakeholder perspectives and ready to approve.

    This deck applies Info-Tech’s proven ITFM Cost Model to the IT budgeting process and offers five phases that cover the purpose of your IT budget and what it means to your stakeholders, key budgeting resources, forecasting, selecting and fine-tuning your budget message, and delivering your IT budget executive presentation for approval.

    • Create a Transparent and Defensible IT Budget Storyboard

    2. IT Cost Forecasting and Budgeting Workbook – A structured Excel tool that allows you to forecast your IT budget for next fiscal year across four key stakeholder views, analyze it in the context of past expenditure, and generate high-impact visualizations.

    This Excel workbook offers a step-by-step approach for mapping your historical and forecasted IT expenditure and creating visualizations you can use to populate your IT budget executive presentation.

    • IT Cost Forecasting and Budgeting Workbook

    3. Sample: IT Cost Forecasting and Budgeting Workbook – A completed IT Cost Forecasting & Budgeting Workbook to review and use as an example.

    This sample workbook offers a completed example of the “IT Cost Forecasting and Budgeting Workbook” that accompanies the Create a Transparent & Defensible IT Budget blueprint.

    • Sample: IT Cost Forecasting and Budgeting Workbook

    4. IT Budget Executive Presentation – A PowerPoint template and full example for pulling together your proposed IT budget presentation.

    This presentation template offers a recommended structure for presenting your proposed IT budget for next fiscal year to your executive stakeholders for approval. 

    [infographic]

    Workshop: Create a Transparent and Defensible IT Budget

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Get into budget-starting position

    The Purpose

    Understand your IT budget in the context of your organization and key stakeholders, as well as gather your budgeting data and review previous years’ financial performance.

    Key Benefits Achieved

    Understand your organization’s budget process and culture.

    Understand your stakeholders’ priorities and perspectives regarding your IT budget.

    Gain insight into your historical IT expenditure.

    Set next fiscal year’s IT budget targets.

    Activities

    1.1 Review budget purpose. 

    1.2 Understand stakeholders and approvers.

    1.3 Gather your data.

    1.4 Map and review historical financial performance.

    1.5 Rationalize last year’s variances and set next year's budget targets.

    Outputs

    Budget process and culture assessment.

    Stakeholder alignment assessment and pre-selling strategy.

    Data prepared for next steps.

    Mapped historical expenditure.

    Next fiscal year’s budget targets.

    2 Forecast project CapEx

    The Purpose

    Develop a forecast of next fiscal year’s proposed capital IT expenditure driven by your organization’s strategic projects.

    Key Benefits Achieved

    Develop project CapEx forecast according to the four different stakeholder views of Info-Tech’s ITFM Cost Model.

    Ensure that no business projects that have IT implications (and their true costs) are missed.

    Activities

    2.1 Review the ITFM cost model

    2.2 List projects.

    2.3 Review project proposals and costs.

    2.4 Map and tally total project CapEx.

    2.5 Develop and/or confirm project-business alignment, ROI, and cost-benefit statements.

    Outputs

    Confirmed ITFM cost mdel.

    A list of projects.

    Confirmed list of project proposals and costs.

    Forecasted project-based capital expenditure mapped against the four views of the ITFM Cost Model.

    Projects financials in line.

    3 Forecast non-project CapEx and OpEx

    The Purpose

    Develop a forecast of next fiscal year’s proposed “business as usual” non-project capital and operating IT expenditure.

    Key Benefits Achieved

    Develop non-project CapEx and non-project OpEx forecasts according to the four different stakeholder views of Info-Tech’s ITFM Cost Model.

    Make “business as usual” costs fully transparent and rationalized.

    Activities

    3.1 Review non-project capital and costs. 

    3.2 Review non-project operations and costs.

    3.3 Map and tally total non-project CapEx and OpEx.

    3.4 Develop and/or confirm proposed expenditure rationales.

    Outputs

    Confirmation of non-project capital and costs.

    Confirmation of non-project operations and costs.

    Forecasted non-project-based capital expenditure and operating expenditure against the four views of the ITFM Cost Model.

    Proposed expenditure rationales.

    4 Finalize budget and develop presentation

    The Purpose

    Aggregate and sanity-check your forecasts, harden your rationales, and plan/develop the content for your IT budget executive presentation.

    Key Benefits Achieved

    Create a finalized proposed IT budget for next fiscal year that offers different views on your budget for different stakeholders.

    Select content for your IT budget executive presentation that will resonate with your stakeholders and streamline approval.

    Activities

    4.1 Aggregate forecast totals and sanity check.

    4.2 Generate graphical outputs and select content to include in presentation.

    4.3 Fine-tune rationales.

    4.4 Develop presentation and write commentary.

    Outputs

    Final proposed IT budget for next fiscal year.

    Graphic outputs selected for presentation.

    Rationales for budget.

    Content for IT Budget Executive Presentation.

    5 Next steps and wrap-up (offsite)

    The Purpose

    Finalize and polish the IT budget executive presentation.

    Key Benefits Achieved

    An approval-ready presentation that showcases your business-aligned proposed IT budget backed up with rigorous rationales.

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed IT Budget Executive Presentation.

    Review scheduled.

    Further reading

    Create a Transparent and Defensible IT Budget

    Build in approvability from the start.

    EXECUTIVE BRIEF

    Analyst Perspective

    A budget’s approvability is about transparency and rationale, not the size of the numbers.

    Jennifer Perrier.

    It’s that time of year again – budgeting. Most organizations invest a lot of time and effort in a capital project selection process, tack a few percentage points onto last year’s OpEx, do a round of trimming, and call it a day. However, if you want to improve IT financial transparency and get your business stakeholders and the CFO to see the true value of IT, you need to do more than this.

    Yourcrea IT budget is more than a once-a-year administrative exercise. It’s an opportunity to educate, create partnerships, eliminate nasty surprises, and build trust. The key to doing these things rests in offering a range of budget perspectives that engage and make sense to your stakeholders, as well as providing iron-clad rationales that tie directly to organizational objectives.

    The work of setting and managing a budget never stops – it’s a series of interactions, conversations, and decisions that happen throughout the year. If you take this approach to budgeting, you’ll greatly enhance your chances of creating and presenting a defensible annual budget that gets approved the first time around.

    Jennifer Perrier
    Principal Research Director
    IT Financial Management Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    IT struggles to gain budget approval year after year, largely driven by a few key factors:

    • For a long time, IT has been viewed as a cost center whose efficiency needs to be increasingly optimized over time. IT’s relationship to strategy is not yet understood or established in many organizations.
    • IT is one of the biggest areas of cost for many organizations. Often, executives don’t understand, or even believe, that all that IT spending is necessary to advance the organization’s objectives, let alone keep it running.

    Internal and external obstacles beyond IT’s control make these challenges even harder to overcome:

    • Economic pressures can quickly drive IT’s budgetary focus from strategic back to tactical.
    • Corporate-driven categorizations of expenditure, plus disconnected approval mechanisms for capital vs. operational spend, hide key interdependencies and other aspects of IT’s financial reality.
    • Connecting the dots between IT activities and business benefits rarely forms a straight line.

    CIOs need a straightforward way to create and present an approval-ready budget.

    • Info-Tech recognizes that connecting the dots to demonstrate value is key to budgetary approval.
    • Info-Tech also recognizes that key stakeholders require different perspectives on the IT budget.
    • This blueprint provides a framework, method, and templated exemplars for creating and presenting an IT budget to stakeholders. It will speed the approval process and ensure more of it is approved.

    Info-Tech Insight
    CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.

    IT struggles to get budgets approved due to low transparency and failure to engage

    Capability challenges

    Administrative challenges

    Operating challenges

    Visibility challenges

    Relationship challenges

    IT is seen as a cost center, not an enabler or driver of business strategy.

    IT leaders are not seen as business leaders.

    Economic pressures drive knee-jerk redirection of IT’s budgetary focus from strategic initiatives back to operational tactics.

    The vast majority of IT’s
    real-life expenditure is in the form of operating expenses i.e. keeping the lights on.

    Most business leaders don’t know how many IT resources their business units are really consuming.

    Other departments in the organization see IT as a competitor for funding, not a business partner.

    Lack of transparency

    IT and the business aren’t speaking the same language.

    IT leaders don’t have sufficient access to information about, or involvement in, business decisions and objectives.

    Outmoded finance department expenditure categorizations don’t accommodate IT’s real cost categories.

    IT absorbs unplanned spend because business leaders don’t realize or consider the impact of their decisions on IT.

    The business doesn’t understand what IT is, what it does, or what it can offer.

    IT and the business don’t have meaningful conversations about IT costs, opportunities, or investments.

    Defining and demonstrating the value of IT and its investments isn’t straightforward.

    IT leaders may not have the financial literacy or acumen needed to translate IT activities and needs into business terms.

    CapEx and OpEx approval and tracking mechanisms are handled separately when, in reality, they’re highly interdependent.

    IT activities usually have an indirect relationship with revenue, making value calculations more complicated.

    Much of IT, especially infrastructure, is invisible to the business and is only noticed if it’s not working.

    The relationship between IT spending and how it supports achievement of business objectives is not clear.

    Reflect on the numbers…

    The image contains a screenshot of five graphs. The graphs depict Cost and budget management, Cost optimization, Business value, perception of improvement, and intensity of business frustration.

    To move forward, first you need to get unstuck

    Today’s IT budgeting challenges have been growing for a long time. Overcoming these challenges means untangling yourself from the grip of the root causes.

    Principle 1:
    IT and the business are fighting diverging forces. Technology has changed monumentally, while financial management hasn’t changed much at all.

    Principle 2:
    Different stakeholders have different perspectives on your IT budget. Learn and acknowledge what’s important to them so that you can potentially deliver it.

    Principle 3:
    Connecting the dots to clearly demonstrate IT’s value to the organization is the key to budgetary approval. But those connected dots don’t always result in a straight line.

    The three principles above are all about IT’s changing relationship to the business. IT leaders need a systematic and repeatable approach to budgeting that addresses these principles by:

    • Clearly illustrating the alignment between the IT budget and business objectives.
    • Showing stakeholders the overall value that IT investment will bring them.
    • Demonstrating where IT is already realizing efficiencies and economies of scale.
    • Gaining consensus on the IT budget from all parties affected by it.

    “The culture of the organization will drive your success with IT financial management.”

    – Dave Kish, Practice Lead, IT Financial Management Practice, Info-Tech Research Group

    Info-Tech’s approach

    CIOs need a straightforward way to convince approval-granting CFOs, CEOs, boards, and committees to spend money on IT to advance the organization’s strategies.

    IT budget approval cycle

    The image contains a screenshot of the IT budget approval cycle.

    The Info-Tech difference:

    This blueprint provides a framework, method, and templated exemplars for building and presenting your IT budget to different stakeholders. These will speed the approval process and ensure that a higher percentage of your proposed spend is approved.

    Info-Tech’s methodology for how to create a transparent and defensible it budget

    1. Lay Your Foundation

    2. Get Into Budget-Starting Position

    3. Develop Your Forecasts

    4. Build Your Proposed Budget

    5. Create and Deliver Your Budget Presentation

    Phase steps

    1. Understand budget purpose
    2. Know your stakeholders
    3. Continuously pre-sell your budget
    1. Gather your data
    2. Review historical performance
    3. Set budget goals
    1. Develop alternate scenarios
    2. Develop project CapEx forecasts
    3. Develop non-project CapEx and OpEx forecasts
    1. Aggregate your forecasts
    2. Stress-test your forecasts
    3. Challenge and perfect your rationales
    1. Plan your presentation content
    2. Build your budget presentation
    3. Present, finalize, and submit your budget

    Phase outcomes

    An understanding of your stakeholders and what your IT budget means to them.

    Information and goals for planning next fiscal year’s IT budget.

    Completed forecasts for project and non-project CapEx and OpEx.

    A final IT budget for proposal including scenario-based alternatives.

    An IT budget presentation.

    Insight summary

    Overarching insight: Create a transparent and defensible IT budget

    CIOs need a straightforward way to create and present an approval-ready IT budget that demonstrates the value IT is delivering to the business and speaks directly to different stakeholder priorities.

    Phase 1 insight: Lay your foundation

    IT needs to step back and look at it’s budget-creation process by first understanding exactly what a budget is intended to do and learning what the IT budget means to IT’s various business stakeholders.

    Phase 2 Insight: Get into budget-starting position

    Presenting your proposed IT budget in the context of past IT expenditure demonstrates a pattern of spend behavior that is fundamental to next year’s expenditure rationale.

    Phase 3 insight: Develop your forecasts

    Forecasting costs according to a range of views, including CapEx vs. OpEx and project vs. non-project, and then positioning it according to different stakeholder perspectives, is key to creating a transparent budget.

    Phase 4 insight: Build your proposed budget

    Fine-tuning and hardening the rationales behind every aspect of your proposed budget is one of the most important steps for facilitating the budgetary approval process and increasing the amount of your budget that is ultimately approved.

    Phase 5 insight: Create and deliver your budget presentation

    Selecting the right content to present to your various stakeholders at the right level of granularity ensures that they see their priorities reflected in IT’s budget, driving their interest and engagement in IT financial concerns.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Cost Forecasting and Budgeting Workbook

    This Excel tool allows you to capture and work through all elements of your IT forecasting from the perspective of multiple key stakeholders and generates compelling visuals to choose from to populate your final executive presentation.

    The image contains a screenshot of the IT Cost Forecasting and Budgeting Workbook.

    Also download this completed sample:

    Sample: IT Cost Forecasting and Budgeting Workbook

    Key deliverable

    IT Budget Executive Presentation Template

    Phase 5: Create a focused presentation for your proposed IT budget that will engage your audience and facilitate approval.

    The image contains a screenshot of the IT Budget Executive Presentation Template.

    Blueprint benefits

    IT benefits

    Business benefits

    • Improve IT’s overall financial management capability.
    • Streamline the administration of annual IT budget development.
    • Legitimize the true purpose and value of IT operations and associated expenditure.
    • Create visibility on the part of both IT and the business into IT’s mandate, what needs to be in place, and what it costs to fund it.
    • Foster better relationships with business stakeholders by demonstrating IT’s business and financial competency, working in partnership with business leaders on IT investment decisions, and building mutual trust.
    • Better understand the different types of expenditure occurring in IT, including project CapEx, non-project CapEx, and non-project OpEx.
    • Gain insight into the relationship between one-time CapEx on ongoing OpEx and its ramifications.
    • See business priorities and concerns clearly reflected in IT’s budget down to the business-unit level.
    • Receive thorough return on investment calculations and cost-benefit analyses for all aspects of IT expenditure.
    • Understand the direct relationship between IT expenditure and the depth, breadth, and quality of IT service delivery to the business.

    Measure the value of this blueprint

    Ease budgetary approval and improve its accuracy.

    Near-term goals

    • Percentage of budget approved: Target 95%
    • Percentage of IT-driven projects approved: Target 100%
    • Number of iterations/re-drafts required to proposed budget: One iteration

    Long-term goal

    • Variance in budget vs. actuals: Actuals less than budget and within 2%

    In Phases 1 and 2 of this blueprint, we will help you understand what your approvers are looking for and gather the right data and information.

    In Phase 3, we will help you forecast your IT costs it terms of four stakeholder views so you can craft a more meaningful IT budget narrative.

    In Phases 4 and 5, we will help you build a targeted presentation for your proposed IT budget.

    Value you will receive:

    1. Increased forecast accuracy through using a sound cost-forecasting methodology.
    2. Improved budget accuracy by applying more thorough and transparent techniques.
    3. Increased budget transparency and completeness by soliciting input earlier and validating budgeting information.
    4. Stronger alignment between IT and enterprise goals through building a better understanding of the business values and using language they understand.
    5. A more compelling budget presentation by offering targeted, engaging, and rationalized information.
    6. A faster budgeting rework process by addressing business stakeholder concerns the first time.

    An analogy…

    “A budget isn’t like a horse and cart – you can’t get in front of it or behind it like that. It’s more like a river…

    When developing an annual budget, you have a good idea of what the OpEx will be – last year’s with an annual bump. You know what that boat is like and if the river can handle it.

    But sometimes you want to float bigger boats, like capital projects. But these boats don’t start at the same place at the same time. Some are full of holes. And does your river even have the capacity to handle a boat of that size?

    Some organizations force project charters by a certain date and only these are included in the following year’s budget. The project doesn’t start until 8-12 months later and the charter goes stale. The river just can’t float all these boats! It’s a failed model. You have to have a great governance processes and clear prioritization so that you can dynamically approve and get boats on the river throughout the year.”

    – Mark Roman, Managing Partner, Executive Services,
    Info-Tech Research Group and Former Higher Education CIO

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1: Lay Your Foundation

    Phase 2: Get Into Budget-Starting Position

    Phase 3: Develop Your Forecasts

    Phase 4: Build Your Proposed Budget

    Phase 5: Create and Deliver Your Budget Presentation

    Call #1: Discuss the IT budget, processes, and stakeholders in the context of your unique organization.

    Call #2: Review data requirements for transparent budgeting.

    Call #3: Set budget goals and process improvement metrics.

    Call #4: Review project CapEx forecasts.

    Call #5: Review non-project CapEx and OpEx forecasts.

    Call #6: Review proposed budget logic and rationales.

    Call #7: Identify presentation inclusions and exclusions.

    Call #8: Review final budget presentation.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Get into budget-starting position

    Forecast project CapEx

    Forecast non-project CapEx and OpEx

    Finalize budget and develop presentation

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Review budget purpose.

    1.2 Understand stakeholders and approvers.

    1.3 Gather your data.

    1.4 Map and review historical financial performance.

    1.5 Rationalize last year’s variances.

    1.5 Set next year’s budget targets.

    2.1 Review the ITFM Cost Model.

    2.2 List projects.

    2.3 Review project proposals and costs.

    2.4 Map and tally total project CapEx.

    2.5 Develop and/or confirm project-business alignment, ROI, and cost-benefit statements.

    3.1 Review non-project capital and costs.

    3.2 Review non-project operations and costs.

    3.3 Map and tally total non-project CapEx and OpEx.

    3.4 Develop and/or confirm proposed expenditure rationales.

    4.1 Aggregate forecast totals and sanity check.

    4.2 Generate graphical outputs and select content to include in presentation.

    4.3 Fine-tune rationales.

    4.4 Develop presentation and write commentary.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Budget process and culture assessment.
    2. Stakeholder alignment assessment and pre-selling strategy.
    3. Mapped historical expenditure.
    4. Next fiscal year’s budget targets.
    1. Forecasted project-based capital expenditure mapped against the four views of the ITFM Cost Model.
    1. Forecasted non-project-based capital expenditure and operating expenditure against the four views of the ITFM Cost Model.
    1. Final proposed IT budget for next fiscal year.
    2. Plan and build content for IT Budget Executive Presentation.
    1. Completed IT Budget Executive Presentation.

    Phase 1

    Lay Your Foundation

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Seeing your budget as a living governance tool
    • Understanding the point of view of different stakeholders
    • Gaining tactics for setting future IT spend expectations

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Lay Your Foundation

    Before starting any process, you need to understand exactly why you’re doing it.

    This phase is about understanding the what, why, and who of your IT budget.

    • Understand what your budget is and does. A budget isn’t just an annual administrative event – it’s an important governance tool. Understand exactly what a budget is and your budgetary accountabilities as an IT leader.
    • Know your stakeholders. The CFO, CEO, and CXOs in your organization have their own priorities, interests, and professional mandates. Get to know what their objectives are and what IT’s budget means to them.
    • Continuously pre-sell your budget. Identifying, creating, and capitalizing on opportunities to discuss your budget well in advance of its formal presentation will get influential stakeholders and approvers on side, foster collaborations, and avoid unpleasant surprises on all fronts.

    “IT finance is more than budgeting. It’s about building trust and credibility in where we’re spending money, how we’re spending money. It’s about relationships. It’s about financial responsibility, financial accountability. I rely on my entire leadership team to all understand what their spend is. We are a steward of other people’s money.”

    – Rick Hopfer, CIO, Hawaii Medical Service Association

    What does your budget actually do?

    A budget is not just a painful administrative exercise that you go through once a year.

    Most people know what a budget is, but it’s important to understand its true purpose and how it’s used in your organization before you engage in any activity or dialogue about it.

    In strictly objective terms:

    • A budget is a calculated estimate of income vs. expenditure for a period in the future, often one year. Basically, it’s an educated guess about how much money will come into a business entity or unit and how much money will go out of it.
    • A balanced budget is where income and expenditure amounts are equal.
    • The goal in most organizations is for the income component of the budget to match or exceed the expenditure component.
      If it doesn’t, this results in a deficit that may lead to debt.

    Simply put, a budget’s fundamental purpose is to plan and communicate how an organization will avoid deficit and debt and remain financially viable while meeting its various accountabilities and responsibilities to its internal and external stakeholders.

    “CFOs are not thinking that they want to shut down IT spend. Nobody wants to do that. I always looked at things in terms of revenue streams – where the cash inflow is coming from, where it’s going to, and if I can align my cash outflows to my revenue stream. Where I always got suspicious as a CFO is if somebody can’t articulate spending in terms of a revenue stream. I think that’s how most CFOs operate.”

    – Carol Carr, Technical Counselor,
    Info-Tech Research Group and Former CFO

    Put your IT budget in context

    Your IT budget is just one of several budgets across your organization that, when combined, create an organization-wide budget. In this context, IT’s in a tough spot.

    It’s a competition: The various units in your organization are competing for the biggest piece they can get of the limited projected income pie. It’s a zero-sum game. The organization’s strategic and operational priorities will determine how this projected income is divvied up.

    Direct-to-revenue units win: Business units that directly generate revenue often get bigger relative percentages of the organizational budget since they’re integral to bringing in the projected income part of the budget that allows the expenditure across all business units to happen in the first place.

    Indirect-to-revenue units lose: Unlike sales units, for example, IT’s relationship to projected income tends to be indirect, which means that IT must connect a lot more dots to illustrate its positive impact on projected income generation.

    In financial jargon, IT really is a cost center: This indirect relationship to revenue also explains why the focus of IT budget conversations is usually on the expenditure side of the equation, meaning it doesn’t have a clear positive impact on income.

    Contextual metrics like IT spend as a percentage of revenue, IT OpEx as a percentage of organizational OpEx, and IT spend per organizational employee are important baseline metrics to track around your budget, internally benchmark over time, and share, in order to illustrate exactly where IT fits into the broader organizational picture.

    Budgeting isn’t a once-a-year thing

    Yet, many organizations treat it like a “one and done” point of annual administration. This is a mistake that misses out on the real benefits of budgeting.

    Many organizations have an annual budgeting and planning event that takes place during the back half of the fiscal year. This is where all formal documentation around planned projects and proposed spend for the upcoming year is consolidated, culminating in final presentation, adjustment, and approval. It’s basically a consolidation and ranking of organization-wide priorities at the highest level.

    If things are running well, this culmination point in the overall budget development and management process is just a formality, not the beginning, middle, and end of the real work. Ideally:

    • Budgets are actually used: The whole organization uses budgets as tools to actively manage day-to-day operations and guide decision making throughout the year in alignment with priorities as opposed to something that’s put on a shelf or becomes obsolete within a few months.
    • Interdependencies are evident: No discrete area of spend focus is an island – it’s connected directly or indirectly with other areas of spend, both within IT and across the organization. For example, one server interacts with multiple business applications, IT and business processes, multiple IT staff, and even vendors or external managed service providers. Cost-related decisions about that one server – maintain, repurpose, consolidate, replace, discard – will drive other areas of spend up or down.
    • There are no surprises: While this does happen, your budget presentation isn’t a great time to bring up a new point of significant spend for the first time. The items in next year’s proposed budget should be priorities that are already known, vetted, supported, and funded.

    "A well developed and presented budget should be the numeric manifestation of your IT strategy that’s well communicated and understood by your peers. When done right, budgets should merely affirm what’s already been understood and should get approved with minimal pushback.“

    – Patrick Gray, TechRepublic, 2020

    Understand your budgetary responsibilities as the IT leader

    It’s in your job description. For some stakeholders, it’s the most important part of it.

    While not a contract per se, your IT budget is an objective and transparent statement made in good faith that shows:

    • You know what it takes to keep the organization viable.
    • You understand the organization’s accountabilities and responsibilities as well as those of its leaders.
    • You’re willing and able to do your part to meet these accountabilities and responsibilities.
    • You know what your part of this equation is, as well as what parts should and must be played by others.

    When it comes to your budget (and all things financial), your job is to be ethical, careful, and wise:

    1. Be honest. Business ethics matter.
    2. Be as accurate as possible. Your expenditure predictions won’t be perfect, but they need to be best-effort and defensible.
    3. Respect the other players. They have their own roles, motivations, and mandates. Accept and respect these by being a supporter of their success instead of an obstacle to them achieving it.
    4. Connect the dots to income. Always keep the demonstration of business value in your sights. Often, IT can’t draw a straight line to income, but demonstrating how IT expenditure supports and benefits future, current, and past (but still relevant) business goals and strategies, which in turn affect income, is the best course.
    5. Provide alternatives. There are only so many financial levers your organization can pull. An action on one lever will have wanted and unwanted consequences on another. Aim to put financial discussions in terms of risk-focused “what if” stories and let your business partners decide if those risks are satisfactory.

    Budgeting processes tend to be similar – it’s budgeting cultures that drive differences

    The basic rules of good budgeting are the same everywhere. Bad budgeting processes, however, are usually caused by cultural factors and can be changed.

    What’s the same everywhere…

    What’s unchangeable…

    What’s changeable…

    For right or wrong, most budgeting processes follow these general steps:

    There are usually only three things about an organization’s budgeting process that are untouchable and can’t be changed:

    Budgeting processes are rarely questioned. It never occurs to most people to challenge this system, even if it doesn’t work. Who wants to challenge the CFO? No one.

    Review your organization’s budgeting culture to discover the negotiable and non-negotiable constraints. Specifically, look at these potentially-negotiable factors if they’re obstacles to IT budgeting success:

    1. Capital project vetting and selection for the next fiscal year starts three-to-six months before the end of the current fiscal year.
    2. Operational expenditure, including salaries, is looked at later with much less formality and scrutiny with an aim to cut.
    3. Each business unit does a budget presentation and makes directed amendments (usually trimming).
    4. The approved budget numbers are plugged into a standard, sub-optimal budget template provided by Finance.
    1. The legal and regulatory mandates that govern financial funding, accounting, and reporting practices. These are often specific to industries and spend types.
    2. The accounting rules your organization follows, such as GAAP, or IFRS. These too may be legally mandated for government entities and publicly-traded companies.
    3. Hard limits on the projected available income the CFO has to distribute.
    • Timeframes and deadlines
    • Order of operations
    • Areas of focus (CapEx vs. OpEx)
    • Funding sources and ownership
    • Review/approval mechanisms
    • Templates and tools

    1.1 Review your budgeting process and culture

    1 hour

    1. Review the following components of your budget process using the questions provided for each as a guideline.
      1. Legal and regulatory mandates. What are the external rules that govern how we do financial tracking and reporting? How do they manifest in our processes?
      2. Accounting rules used. What rules does our finance department use and why? Do these rules allow for more meaningful representations of IT spend? Are there policies or practices in place that don’t appear to be backed by any external standards?
      3. Timeframes and deadlines. Are we starting the budgeting process too late? Do we have enough time to do proper due diligence? Will expenditures approved now be out of date when we go to execute? Are there mechanisms to update spend plans mid-cycle?
      4. Order of operations. What areas of spend do we always look at first, such as CapEx? Are there any benefits to changing the order in which we do things, such as examining OpEx first?
      5. Areas of focus. Is CapEx taking up most of our budgeting cycle time? Are we spending enough time examining OpEx? Is IT getting enough time from the CFO compared to other units?
      6. Funding sources and ownership. Is IT footing most of the technology bills? Are business unit leaders fronting any technology business case pitches? Is IT appropriately included in business case development? Is there any benefit to implementing show-back or charge-back?
      7. Review/approval mechanisms. Are strategies and priorities used to rank proposed spend clear and well communicated? Are spend approvers objective in their decision making? Do different approvers apply the same standards and tools?
      8. Templates and tools. Are the ones provided by Finance, the PMO, and other groups sufficient to document what we need to document? Are they accessible and easy to use? Are they automated and integrated so we only have to enter data once?
    2. On the slide following these activity instructions, rate how effective each of the above is on a scale of 1-10 (where 10 is very effective) in supporting the budgeting process. Note specific areas of challenge and opportunity for change.

    1.1 Review your budgeting process and culture

    Input Output Materials Participants
    • Organizational knowledge of typical budgeting processes
    • Copies of budgeting policies, procedures, and tools
    • Rated assessment of your organization’s budget process and culture, as well as major areas of challenge and opportunity for change
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Budget process and culture assessment

    Document the outcomes of your assessment. Examples are provided below.

    Budgeting area of assessment

    Rating

    1 = very ineffective

    10 = very effective

    Challenges

    Opportunities for change

    Legal and regulatory mandates

    7

    Significant regulation but compliance steps not clear or supported within departments.

    Create, communicate, and train management on compliance procedures and align the financial management tools accordingly.

    Accounting rules

    6

    IT not very familiar with them.

    Learn more about them and their provisions to see if IT spend can be better represented.

    Timeframes and deadlines

    5

    Finalize capital project plans for next fiscal four months before end of current fiscal.

    Explore flexible funding models that allow changes to budget closer to project execution.

    Order of operations

    3

    Setting CapEx before OpEx leads to paring of necessary OpEx based on CapEx commitments.

    Establish OpEx first as a baseline and then top up to target budget with CapEx.

    Areas of focus

    6

    Lack of focus on OpEx means incremental budgeting – we don’t know what’s in there.

    Perform zero-based budgeting on OpEx every few years to re-rationalize this spend.

    Funding sources and ownership

    4

    IT absorbing unplanned mid-cycle spend due to impact of unknown business actions.

    Implement a show-back mechanism to change behavior or as precursor to limited charge-back.

    Review/approval mechanisms

    8

    CFO is fair and objective with information presented but could demand more evidence.

    Improve business sponsorship/fronting of new initiative business cases and IT partnership.

    Templates and tools

    2

    Finance budget template largely irrelevant and unreflective of IT: only two relevant categories.

    Adjust account buckets over a period of time, starting with SW/HW and cloud breakouts.

    Receptive audiences make communication a lot easier

    To successfully communicate anything, you need to be heard and understood.

    The key to being heard and understood is first to hear and understand the perspective of the people with whom you’re trying to communicate – your stakeholders. This means asking some questions:

    • What context are they operating in?
    • What are their goals and responsibilities?
    • What are their pressures and stresses?
    • How do they deal with novelty and uncertainty?
    • How do they best take in information and learn?

    The next step of this blueprint shows the perspectives of IT’s key stakeholders and how they’re best able to absorb and accept the important information contained in your IT budget. You will:

    • Learn a process for discovering these stakeholders’ IT budget information needs within the context of your organization’s industry, goals, culture, organizational structure, personalities, opportunities, and constraints.
    • Document key objectives and messages when communicating with these various key stakeholders.

    There are certain principles, mandates, and priorities that drive your stakeholders; they’ll want to see these reflected in you, your work, and your budget.

    Your IT budget means different things to different stakeholders

    Info-Tech’s ITFM Cost Model lays out what matters most from various points of view.

    The image contains a screenshot of Info-Tech's ITFM Cost Model.

    The CFO: Understand their role

    The CFO is the first person that comes to mind in dealing with budgets. They’re personally and professionally on the line if anything runs amiss with the corporate purse.

    What are the CFO’s role and responsibilities?

    • Tracking cash flow and balancing income with expenditures.
    • Ensuring fiscal reporting and legal/regulatory compliance.
    • Working with the CEO to ensure financial-strategic alignment.
    • Working with business unit heads to set aligned budgets.
    • Seeing the big picture.

    What’s important to the CFO?

    • Costs
    • Benefits
    • Value
    • Analysis
    • Compliance
    • Risk Management
    • Strategic alignment
    • Control
    • Efficiency
    • Effectiveness
    • Reason
    • Rationale
    • Clarity
    • Objectivity
    • Return on investment

    “Often, the CFO sees IT requests as overhead rather than a need. And they hate increasing overhead.”

    – Larry Clark, Executive Counselor, Info-Tech Research Group and Former CIO

    The CFO carries big responsibilities focused on mitigating organizational risks. It’s not their job to be generous or flexible when so much is at stake. While the CEO appears higher on the organizational chart than the CFO, in many ways the CFO’s accountabilities and responsibilities are on par with, and in some cases greater than, those of the CEO.

    The CFO: What they want from the IT budget

    What they need should look familiar, so do your homework and be an open book.

    Your CFO’s IT budget to-do list:

    Remember to:

    • A review of the previous year financial performance. This demonstrates to the CFO your awareness, savvy, and overall competence in the financial management realm. This is also your opportunity to start laying out the real-life context within which IT has been operating. Information to show includes:
      • Budget vs. actuals, including an overview of factors that led to major variances.
      • Percentage difference in proposed budget versus previous year’s budget, and major contributing factors to those differences (i.e. unanticipated projects, changes, or events).
    • Presentation of information according to Finance’s existing categories. This makes it as easy as possible for them to plug your numbers into their system.
    • Separate views of overall workforce vs. overall vendor spending. This is a traditional view.
    • Separate views of capital expenditure (CapEx) and operating expenditure (OpEx). This also includes information on expected lifespan of proposed new capital assets to inform depreciation/amortization decisions.
    • Explanation of anticipated sources of funding. Specifically, indicate whether the funding required is a brand-new net increase or a reallocation from the existing pool.
    • Details (upon request). Have these available for every aspect of your proposed budget.
    • Avoid being flashy. Exclude proposed expenditures with a lot of bells and whistles that don’t directly tie to concrete business objectives.
    • Be a conservationist. Show how you plan to re-use or extend assets that you already have.
    • Act like a business leader. Demonstrate your understanding of near-term (12-month) realities, priorities, and goals.
    • Think like them. Present reliable and defensible calculations of benefits versus risks as well as projected ROI for major areas of new or different spending.

    The CFO: Budget challenges and opportunities

    Budget season is a great time to start changing the conversation and building trust.

    Potential challenges

    Low trust

    Poor financial literacy and historical sloppiness among business unit leaders means that a CFO may come into budget conversations with skepticism. This can put them on the offensive and put you on the defensive. You have to prove yourself.

    Competition

    You’re not the only department the CFO is dealing with. Everyone is competing for their piece of the pie, and some business unit leaders are persistent. A good CFO will stay out of the politics and not be swayed by sweet talk, but it can be an exhausting experience for them.

    Mismatched buckets

    IT’s spend classes and categories probably won’t match what’s in Finance’s budget template or general ledger. Annual budgeting isn’t the best time to bring this up. Respect Finance’s categories, but plan to tackle permanent changes at a less busy time.

    Potential opportunities

    Build confidence

    Engaging in the budgeting process is your best chance to demonstrate your knowledge about the business and your financial acumen. The more that the CFO sees that you get it and are taking it seriously, the more confidence and trust they’ll have in you.

    Educate

    The CFO will not know as much as you about the role technology could and should play in the organization. Introduce new language around technology focused on capabilities and benefits. This will start to shift the conversation away from costs and toward value.

    Initiate alignment

    An important governance objective is to change the way IT expenditure is categorized and tracked to better reveal and understand what’s really happening. This process should be done gradually over time, but definitely communicate what you want to do and why.

    The CXO: Understand their role

    CXOs are a diverse group who lead a range of business functions including admin, operations, HR, legal, production, sales and service, and marketing, to name a few.

    What are the CXO’s role and responsibilities?

    Like you, the CXO’s job is to help the organization realize its goals and objectives. How each CXO does this is specific to the domain they lead. Variations in roles and responsibilities typically revolve around:

    • Law and regulation. Some functions have compliance as a core mandate, including legal, HR, finance, and corporate risk groups.
    • Finance and efficiency. Other functions prioritize time, money, and process such as finance, sales, customer service, marketing, production, operations, and logistics units.
    • Quality. These functions prioritize consistency, reliability, relationship, and brand such as production, customer service, and marketing.

    What’s important to the CXO?

    • Staffing
    • Skills
    • Reporting
    • Funding
    • Planning
    • Performance
    • Predictability
    • Customers
    • Visibility
    • Inclusion
    • Collaboration
    • Reliability
    • Information
    • Knowledge
    • Acknowledgement

    Disagreement is common between business-function leaders – they have different primary focus areas, and conflict and misalignment are natural by-products of that fact. It’s also hard to make someone care as much about your priorities as you do. Focus your efforts on sharing and partnering, not converting.

    The CXO: What they want from the IT budget

    Focus on their unique part of the organization and show that you see them.

    Your CXO’s IT budget to-do list:

    Remember to:

    • A review of the previous year’s IT expenditure on the business function. This includes:
      • Budget vs. actuals (if available) for the business function, and overview of any situations or factors that led to major variances.
      • Percentage difference in proposed budget for that business function vs. the previous year’s spend, and major contributing factors to those differences, i.e. unanticipated projects, changes, or events.
      • Last year’s IT expenditure per business function employee vs. proposed IT expenditure per business function employee (if available). This is a good metric to use going forward as it’s a fair comparative internal benchmark.
    • Separate views of proposed IT workforce vs. proposed IT vendor spending for the business function. Do a specific breakout of proposed expenditure for the major applications that business unit explicitly uses.
    • Separate views of proposed IT capital expenditure (CapEx) and proposed IT operating expenditure (OpEx) for the business function. Show breakdowns for each capital project,
      as well as summaries for their core applications and portion of shared IT services.
    • Celebrate any collaborative wins from last year. You want to reinforce that working together is in both of your best interests and you’d like to keep it going.
    • Get to the apps fast. Apps are visible, concrete, and relatable – this is what the CXO cares about. Core IT infrastructure, on the other hand, is technobabble about something that’s invisible, boring, and disengaging for most CXOs.
    • Focus on the business function’s actual technology needs and consumption. Show them where they stand in relation to others. This will get their attention and serve as an opportunity to provide some education.

    The CXO: Budget challenges and opportunities

    Seek out your common ground and be the solution for their real problems.

    Potential challenges

    Different priorities

    Other business unit leaders will have bigger concerns than your IT budget. They have their own budget to figure out plus other in-flight issues. The head of sales, for instance, is going to be more concerned with hitting sales goals for this fiscal year than planning for next.

    Perceived irrelevance

    Some business unit leaders may be completely unaware of how they use IT, how much they use, and how they could use it more or differently to improve their performance. They may have a learning curve to tackle before they can start to see your relationship as collaborative.

    Bad track record

    If a business unit has had friction with IT in the past or has historically been underserved, they may be hesitant to let you in, may be married to their own solutions, or perhaps do not know how to express what they need.

    Potential opportunities

    Start collaborating

    You and other business unit leaders have a lot in common. You all share the objective of helping the organization succeed. Focus in on your shared concerns and how you can make progress on them together before digging into your unique challenges.

    Practice perspective taking

    Be genuinely curious about the business unit, how it works, and how they overcome obstacles. See the organization from their point of view. For now, keep your technologies completely out of the discussion – that will come later on.

    Build relationships

    You only need to solve one problem for a business unit to change how they think of you. Just one. Find that one thing that will make a real difference – ideally small but impactful – and work it into your budget.

    The CEO: Understand their role

    A CEO sets the tone for an organization, from its overall direction and priorities to its values and culture. What’s possible and what’s not is usually determined by them.

    What are the CEO’s role and responsibilities?

    • Assemble an effective team of executives and advisors.
    • Establish, communicate, and exemplify the organizations core values.
    • Study the ecosystem within which the organization exists.
    • Identify and evaluate opportunities.
    • Set long-term directions, priorities, goals, and strategies.
    • Ensure ongoing organizational performance, profitability, and growth.
    • Connect the inside organization to the outside world.
    • Make the big decisions no one else can make.

    What’s important to the CEO?

    • Strategy
    • Leadership
    • Vision
    • Values
    • Goals
    • Priorities
    • Performance
    • Metrics
    • Accountability
    • Stakeholders
    • Results
    • Insight
    • Growth
    • Cohesion
    • Context

    Unlike the CFO and CXOs, the CEO is responsible for seeing the big picture. That means they’re operating in the realm of big problems and big ideas – they need to stay out of the weeds. IT is just one piece of that big picture, and your problems and ideas are sometimes small in comparison. Use any time you get with them wisely.

    The CEO: What they want from the IT budget

    The CEO wants what the CFO wants, but at a higher level and with longer-term vision.

    Your CEO’s IT budget to-do list:

    Remember to:

    • A review of the previous year’s financial performance. In addition to last year’s budget vs. actuals vs. proposed budget and any rationales for variances, the CEO’s interest is in seeing numbers in terms of strategic delivery. Focus on performance against last year’s goals and concrete benefits realized.
    • A review of initiatives undertaken to optimize/reduce operating costs. Note overall gains with a specific look at initiatives that had a substantial positive financial impact.
    • A specific summary of the cost landscape for new strategic or capital projects. Ideally, these projects have already been committed to at the executive level. A more fine-tuned analysis of anticipated costs and variables may be required, including high-level projects with long-term impact on operational expenditure. Categorize these expenditures as investments in innovation, growth, or keeping the lights on.
    • Details (upon request). Have these available for every aspect of your proposed budget.
    • Be brief. Hopefully, the CEO is already well versed on the strategic spend plans. Stay high-level, reserve the deep dive for your documentation, and let the CEO decide if they want to hash anything out in more detail.
    • Be strategic. If you can’t tie it to a strategic objective, don’t showcase it.
    • Use performance language. This means citing goals, metrics, and progress made against them.
    • Ensure the CFO can translate. You may not get a direct audience with the CEO – the CFO may be your proxy for that. Ensure that everything is crystal clear so that the CFO can summarize your budget on your behalf.

    The CEO: Budget challenges and opportunities

    Strategically address the big issues, but don’t count on their direct assistance.

    Potential challenges

    Lack of interest

    Your CEO may just not be enthusiastic about technology. For them, IT is strictly a cost center operating on the margins. If they don’t have a strategic vision that includes technology, IT’s budget will always be about efficiency and cost control and not investment.

    Deep hierarchy

    The executive-level CIO role isn’t yet pervasive in every industry. There may be one or more non-IT senior management layers between IT and the office of the CEO, as well as other bureaucratic hurdles, which prohibit your direct access.

    Uncertainty

    What’s happening on the outside will affect what needs to be done on the inside. The CEO has to assess and respond quickly, changing priorities and plans in an instant. An indecisive CEO that’s built an inflexible organization will make it difficult to pivot as needed.

    Potential opportunities

    Grow competency

    Sometimes, IT just needs to wait it out. The biggest shifts in technology interest often come with an outright change in the organization’s leadership. In the meantime, fine-tune your operational excellence, brush up on business skills, and draft out your best ideas on paper.

    Build partnerships

    Other business-function executives may need to be IT’s voice. Investment proposals may be more compelling coming from them anyway. Behind-the-scenes partnerships and high-profile champions are something you want regardless of your degree of CEO access.

    Bake in resilience

    Regardless of who’s at the helm, systematic investment in agile and flexible solutions that can be readily scaled, decoupled, redeployed, or decommissioned is a good strategy. Use recent crises to help make the strategic case for a more resilient posture.

    What about the CIO view on the IT budget?

    IT leaders tend to approach budgeting from an IT services perspective. After all, that’s how their departments are typically organized.

    The CFO expense view, CXO business view, and CEO innovation view represent IT’s stakeholders. The CIO service view, however, represents you, the IT budget creator. This means that the CIO service view plays a slightly different role in developing your IT budget communications.

    An IT team effort…

    A logical starting point

    A supporting view

    Most budget drafts start with internal IT management discussion. These managers are differentially responsible for apps dev and maintenance, service desk and user support, networks and data center, security, data and analytics, and so forth.

    These common organizational units and their managers tend to represent discrete IT service verticals. This means the CIO service view is a natural structural starting point for your budget-building process. Stakeholder views of your budget will be derived from this first view.

    You probably don’t want to lead your budget presentation with IT’s perspective – it won’t make sense to your stakeholders. Instead, select certain impactful pieces of your view to drop in where they provide valued information and augment the IT budget story.

    Things to bring forward…

    Things to hold back…

    • All major application costs
    • Security/compliance costs
    • Strategic project costs
    • End-user support and enablement costs
    • Data and BI initiative costs
    • Minor applications costs
    • Day-to-day network and data center costs
    • Other infrastructure costs
    • IT management and administration costs

    1.2 Assess your stakeholders

    1 hour

    1. Use the “Stakeholder alignment assessment” template slide following this one to document the outcomes of this activity.
    2. As an IT management team, identify your key budget stakeholders and specifically those in an approval position.
    3. Use the information provided in this blueprint about various stakeholder responsibilities, areas of focus, and what’s typically important to them to determine each key stakeholder’s needs regarding the information contained in your IT budget. Note their stated needs, any idiosyncrasies, and IT’s current relationship status with the stakeholder (positive, neutral, or negative).
    4. Assess previous years’ IT budgets to determine how well they targeted each different stakeholder’s needs. Note any gaps or areas for future improvement.
    5. Develop a high-level list of items or elements to stop, start, or continue during your next budgeting cycle.
    Input Output
    • Organizational awareness of key stakeholders and budget approvers
    • Previous years’ budgets
    • Assessment of key stakeholder needs and a list of potential changes or additions to the IT budget/budget process
    Materials Participants
    • Whiteboard/flip charts
    • Stakeholder alignment assessment template (following slide)
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Stakeholder alignment assessment

    Document the outcomes of your assessment below. Examples are provided below.

    Stakeholder

    Relationship status

    Understanding of needs

    Budget changes/additions

    CFO

    Positive

    Wants at least 30% of budget to be CapEx. Needs more detail concerning benefits and tracking of realization.

    Do more detailed breakouts of CapEx vs. OpEx as 30% CapEx not realistic – pre-meet. Talk to Enterprise PMO about improving project benefits statement template.

    VP of Sales

    Negative

    Only concerned with hitting sales targets. Needs to respond/act quickly based on reliable data.

    Break out sales consumption of IT resources in detail focusing on CRM and SFA tool costs. Propose business intelligence enhancement project.

    Director of Marketing

    Neutral

    Multiple manual processes – would benefit from increased automation of campaign management and social media posting.

    Break out marketing consumption of IT resources and publicly share/compare to generate awareness/support for tech investment. Work together to build ROI statements

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Positive/Neutral/Negative]

    [Insert text]

    [Insert text]

    Set your IT budget pre-selling strategy

    Pre-selling is all about ongoing communication with your stakeholders. This is the most game-changing thing you can do to advance a proposed IT budget’s success.

    When IT works well, nobody notices. When it doesn’t, the persistent criticism about IT not delivering value will pop up, translating directly into less funding. Cut this off at the pass with an ongoing communications strategy based on facts, transparency, and perspective taking.

    1. Know your channels
    2. Identify all the communication channels you can leverage including meetings, committees, reporting cycles, and bulletins. Set up new channels if they don’t exist.

    3. Identify partners
    4. Nothing’s better than having a team of supporters when pitch day comes. Quietly get them on board early and be direct about the role each of you will play.

    5. Always be prepared
    6. Have information and materials about proposed initiatives at-the-ready. You never know when you’ll get your chance. But if your facts are still fuzzy, do more homework first.

    7. Don’t be annoying
    8. Talking about IT all the time will turn people off. Plan chats that don’t mention IT at all. Ask questions about their world and really listen. Empathy’s a powerful tool.

    9. Communicate IT initiatives at launch
    10. Describe what you will be doing and how it will benefit the business in language that makes sense to the beneficiaries of the initiative.

    11. Communicate IT successes
    12. Carry the same narrative forward through to the end and tell the whole story. Include comments from stakeholders and beneficiaries about the value they’re receiving.

    Pre-selling with partners

    The thing with pre-selling to partners is not to take a selling approach. Take a collaborative approach instead.

    A partner is an influencer, advocate, or beneficiary of the expenditure or investment you’re proposing. Partners can:

    • Advise you on real business impacts.
    • Voice their support for your funding request.
    • Present the initial business case for funding approval themselves.
    • Agree to fund all or part of an initiative from their own budget.

    When partners agree to pitch or fund an initiative, IT can lose control of it. Make sure you set specific expectations about what IT will help with or do on an ongoing basis, such as:

    • Calculating the upfront and ongoing technology maintenance/support costs of the initiative.
    • Leading the technology vetting and selection process, including negotiating with vendors, setting service-level agreements, and finalizing contracts.
    • Implementing selected technologies and training users.
    • Maintaining and managing the technology, including usage metering.
    • Making sure the bills get paid.

    A collaborative approach tends to result in a higher level of commitment than a selling approach.

    Put yourself in their shoes using their language. Asking “How will this affect you?” focuses on what’s in it for them.

    Example:

    CIO: “We’re thinking of investing in technology that marketing can use to automate posting content to social media. Is that something you could use?”

    CMO: “Yes, we currently pay two employees to post on Facebook and Twitter, so if it could make that more efficient, then there would be cost savings there.”

    Pre-selling with approvers

    The key here is to avoid surprises and ensure the big questions are answered well in advance of decision day.

    An approver is the CFO, CEO, board, council, or committee that formally commits funding support to a program or initiative. Approvers can:

    • Point out factors that could derail realization of intended benefits.
    • Know that a formal request is coming and factor it into their planning.
    • Connect your idea with others to create synergies and efficiencies.
    • Become active advocates.

    When approvers cool to an idea, it’s hard to warm them up again. Gradually socializing an idea well in advance of the formal pitch gives you the chance to isolate and address those cooling factors while they’re still minor. Things you can address if you get an early start with future approvers include:

    • Identify and prepare for administrative, regulatory, or bureaucratic hurdles.
    • Incorporate approvers’ insights about organizational realities and context.
    • Further reduce the technical jargon in your language.
    • Fine tune the relevance and specificity of your business benefits statements.
    • Get a better sense of the most compelling elements to focus on.

    Blindsiding approvers with a major request at a budget presentation could trigger an emotional response, not the rational and objective one you want.

    Make approvers part of the solution by soliciting their advice and setting their expectations well in advance.

    Example:

    CIO: “The underwriting team and I think there’s a way to cut new policyholder approval turnaround from 8 to 10 days down to 3 or 4 using an online intake form. Do you see any obstacles?”

    CFO: “How do the agents feel about it? They submit to underwriting differently and might not want to change. They’d all need to agree on it. Exactly how does this impact sales?”

    1.3 Set your budget pre-selling strategy

    1 hour

    1. Use the “Stakeholder pre-selling strategy” template slide following this instruction slide to document the outcomes of this activity.
    2. Carry forward your previously-generated stakeholder alignment assessment from Step 1.2. As a management team, discuss the following for each stakeholder:
      1. Forums and methods of contact and interaction.
      2. Frequency of interaction.
      3. Content or topics typically addressed during interactions.
    3. Discuss what the outcomes of an ideal interaction would look like with each stakeholder.
    4. List opportunities to change or improve the nature of interactions and specific actions you plan to take.
    InputOutput
    • Stakeholder Alignment Assessment (in-deck template)
    • Stakeholder Pre-selling Strategy
    MaterialsParticipants
    • Stakeholder Pre-selling Strategy (in-deck template)
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Stakeholder pre-selling strategy

    Document the outcomes of your discussion. Examples are provided below.

    Stakeholder

    Current interactions

    Opportunities and actions

    Forum

    Frequency

    Content

    CFO

    One-on-one meeting

    Monthly

    IT expenditure updates and tracking toward budgeted amount.

    Increase one-on-one meeting to weekly. Alternate focus – retrospective update one week, future-looking case development the next. Invite one business unit head to future-looking sessions to discuss their IT needs.

    VP of Sales

    Executive meeting

    Quarterly

    General business update - dominates.

    Set up bi-weekly one-on-one meeting – initially focus on what sales does/needs, not tech. Later, when the relationship has stabilized, bring data that shows Sales’ consumption of IT resources.

    Director of Marketing

    Executive meeting

    Quarterly

    General business update - quiet.

    Set up monthly one-on-one meeting. Temporarily embed BA to better discover/understand staff processes and needs.

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    [Name/Title]

    [Insert text]

    [Insert text]

    [Insert text]

    [Insert text]

    Phase recap: Lay your foundation

    Build in the elements from the start that you need to facilitate budgetary approval.

    You should now have a deeper understanding of the what, why, and who of your IT budget. These elements are foundational to streamlining the budget process, getting aligned with peers and the executive, and increasing your chances of winning budgetary approval in the end.

    In this phase, you have:

    • Reviewed what your budget is and does. Your budget is an important governance and communication tool that reflects organizational priorities and objectives and IT’s understanding of them.
    • Taken a closer look at your stakeholders. The CFO, CEO, and CXOs in your organization have accountabilities of their own to meet and need IT and its budget to help them succeed.
    • Developed a strategy for continuously pre-selling your budget. Identifying opportunities and approaches for building relationships, collaborating, and talking meaningfully about IT and IT expenditure throughout the year is one of the leading things you can do to get on the same page and pave the way for budget approval.

    “Many departments have mostly labor for their costs. They’re not buying a million and a half or two million dollars’ worth of software every year or fixing things that break. They don’t share IT’s operations mindset and I think they get frustrated.”

    – Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County

    Phase 2

    Get Into Budget-Starting Position

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Putting together your budget team and gather your data.
    • Selecting which views of the ITFM Cost Model you’ll use.
    • Mapping and analyzing IT’s historical expenditure.
    • Setting goals and metrics for the next budgetary cycle.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Get into budget-starting position

    Now’s the time to pull together your budgeting resources and decision-making reference points.

    This phase is about clarifying your context and defining your boundaries.

    • Assemble your resources. This includes the people, data, and other information you’ll need to maximize insight into future spend requirements.
    • Understand the four views of the IT Cost Model. Firm up your understanding of the CFO expense view, CIO service view, CXO business view, and CEO innovation view and decide which ones you’ll use in your analysis and forecasting.
    • Review last year’s budget versus actuals. You need last year’s context to inform next year’s numbers as well as demonstrate any cost efficiencies you successfully executed.
    • Review five-year historical trends. This long-term context gives stakeholders and approvers important information about where IT fits into the business big picture and reminds them how you got to where you are today.
    • Set your high-level goals. You need to decide if you’re increasing, decreasing, or holding steady on your budget and whether you can realistically meet any mandates you’ve been handed on this front. Set a target as a reference point to guide your decisions and flag areas where you might need to have some tough conversations.

    “A lot of the preparation is education for our IT managers so that they understand what’s in their budgets and all the moving parts. They can actually help you keep it within bounds.”

    – Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

    Gather your budget-building team

    In addition to your CFO, CXOs, and CEO, there are other people who will provide important information, insight, and skill in identifying IT budget priorities and costs.

    Role

    Skill set

    Responsibilities

    IT Finance Lead

    • Financial acumen, specifically with cost forecasting and budgeting.
    • Understanding of actual IT costs and service-based costing methods.

    IT finance personnel will guide the building of cost forecasting methodologies for operating and capital costs, help manage IT cash flows, help identify cost reduction options, and work directly with the finance department to ensure they get what they need.

    IT Domain Managers

    • Knowledge of services and their outputs.
    • Understanding of cost drivers for the services they manage.

    They will be active participants in budgeting for their specific domains, act as a second set of eyes, assist with and manage their domain budgets, and engage with stakeholders.

    Project Managers

    • Knowledge of project requirements.
    • Project budgeting.
    • Understanding of project IT-specific costs.

    Project managers will assist in capital and operational forecasting and will review project budgets to ensure accuracy. They will also assist in forecasting the operational impacts of capital projects.

    As the head of IT, your role is as the budgeting team lead. You understand both the business and IT strategies, and have relationships with key business partners. Your primary responsibilities are to guide and approve all budget components and act as a liaison between finance, business units, and IT.

    Set expectations with your budgeting team

    Be clear on your goals and ensure everyone has what they need to succeed.

    Your responsibilities and accountabilities.

    • Budget team lead.
    • Strategic direction.
    • Primary liaison with business stakeholders.
    • Pre-presentation approver and final decision maker.

    Goals and requirements.

    • Idea generation for investment and cost optimization.
    • Cost prioritization and rationale.
    • Skills requirements and sourcing options.
    • Risk assessment and operational impact.
    • Data format and level of granularity.

    Budgeting fundamentals.

    • Review of key finance concepts – CapEx, OpEx, cashflow, income, depreciation, etc.
    • What a budget is, and its component parts.
    • How the budget will be used by IT and the organization.
    • How to calculate cost forecasts.

    Their responsibilities and accountabilities.

    • Data/information collection.
    • Operational knowledge of their services, projects, and staff.
    • Cost forecast development for their respective domains/projects.
    • Review and sanity checking of their peers’ cost forecasts.

    Timeframes and deadlines.

    • Budgeting stages/phases and their deliverables.
    • Internal IT deadlines.
    • External business deadlines.
    • Goals and cadence of future working sessions and meetings.

    Available resources.

    • Internal and external sources of data and information.
    • Tools and templates for tracking information and performing calculations.
    • Individuals who can provide finance concept guidance and support.
    • Repositories for in-progress and final work.

    2.1 Brief and mobilize your IT budgeting team

    2 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook
    2. Organize a meeting with your IT department management team, team leaders, and project managers.
    3. Review their general financial management accountabilities and responsibilities.
    4. Discuss the purpose and context of the budgeting exercise, different budget components, and the organization’s milestones/deadlines.
    5. Identify specific tasks and activities that each member of the team must complete in support of the budgeting exercise.
    6. Set up additional checkpoints, working sessions, or meetings that will take you through to final budget submission.
    7. Document your budget team members, responsibilities, deliverables, and due dates on the “Planning Variables” tab in the IT Cost Forecasting & Budgeting Workbook.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • The organization’s budgeting process and procedures
    • Assignment of IT budgeting team responsibilities
    • A budgeting schedule
    MaterialsParticipants
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Leverage the ITFM Cost Model

    Each of the four views breaks down IT costs into a different array of categories so you and your stakeholders can see expenditure in a way that’s meaningful for them.

    You may decide not to use all four views based on your goals, audience, and available time. However, let’s start with how you can use the first two views, the CFO expense view and the CIO service view.

    The image contains a screenshot of the CFO expense view.

    The CFO expense view is fairly traditional – workforce and vendor. However, Info-Tech’s approach breaks down the vendor software and hardware buckets into on-premises and cloud. Making this distinction is increasingly critical given key differences in CapEx vs. OpEx treatment.

    Forecasting this view is mandatory

    These two views provide information that will help you optimize IT costs. They’re designed to allow the CFO and CIO to find a common language that will allow them to collaboratively make decisions about managing IT expenditure effectively.

    The image contains a screenshot of the CIO service view.

    The CIO service view is your view, i.e. it’s how IT tends to organize and manage itself and is often the logical starting point for expenditure planning and analysis. Sub-categories in this view, such as security and data & BI, can also resonate strongly with business stakeholders and their priorities.

    Forecasting this view is recommended

    Extend your dialogue to the business

    Applying the business optimization views of the ITFM Cost Model can bring a level of sophistication to your IT cost analysis and forecasting efforts.

    Some views take a bit more work to map out, but they can be powerful tools for communicating the value of IT to the business. Let’s look at the last two views, the CXO business view and the CEO innovation view.

    The CXO business view looks at IT expenditure business unit by business unit so that each can understand their true consumption of IT resources. This view relies on having a fair and reliable cost allocation formula, such as one based on relative headcount, so it runs the risk of inaccuracy.

    Forecasting this view is recommended

    The image contains a screenshot of the CXO business view.

    These two views provide information that will help you optimize IT support to the business. These views also have a collaborative goal in mind, enabling IT to talk about IT spend in terms that will promote transparency and engage business stakeholders.

    The CEO innovation view is one of the hardest to analyze and forecast since a single spend item may apply to innovation, growth, and keeping the lights on. However, if you have an audience with the CEO and they want IT to play a more strategic or innovative role, then this view is worth mapping.

    Forecasting this view is optional

    The image contains a screenshot of the CEO innovation view.

    2.2 Select the ITFM Cost Model views you plan to complete based on your goals

    30 minutes

    The IT Cost Forecasting and Budgeting Workbook contains standalone sections for each view, as well as rows for each lowest-tier sub-category in a view, so each view can be analyzed and forecasted independently.

    1. Review Info-Tech’s ITFM Cost Model and the expenditure categories and sub-categories each view contains.
    2. Revisit your stakeholder analysis for the budgeting exercise. Plan to:
      1. Complete the CFO expense view regardless.
      2. Complete the CIO service view – consider doing this one first for forecasting purposes as it may be most familiar to you and serve as an easier entry point into the forecasting process.
      3. Complete the CXO business view – consider doing this only for select business units if you have the objective of enhancing awareness of their true consumption of IT resources or if you have (or plan to have) a show-back/chargeback mechanism.
      4. Complete the CEO innovation view only if your data allows it and there’s a compelling reason to discuss the strategic or innovative role of IT in the organization.
    Input Output
    • Stakeholder analysis
    • Info-Tech’s ITFM Cost Model
    • Decision on which views in the ITFM Cost Model you’ll use for historical expenditure analysis and forecasting purposes
    Materials Participants
    • Info-Tech’s ITFM Cost Model
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Gather your budget-building data

    Your data not only forms the content of your budget but also serves as the supporting evidence for the decisions you’ve made.

    Ensure you have the following data and information available to you and your budgeting team before diving in:

    Past data

    • Last fiscal year’s budget.
    • Actuals for the past five fiscal years.
    • Pre-set capital depreciation/amortization amounts to be applied to next fiscal year’s budget.

    Current data

    • Current-year IT positions and salaries.
    • Active vendor contracts with payment schedules and amounts (including active multi-year agreements).
    • Cost projections for remainder of any projects that are committed or in-progress, including projected OpEx for ongoing maintenance and support.

    Future data

    • Estimated market value for any IT positions to be filled next year (both backfill of current vacancies and proposed net-new positions).
    • Pricing data on proposed vendor purchases or contracts.
    • Cost estimates for any capital/strategic projects that are being proposed but not yet committed, including resulting maintenance/support OpEx.
    • Any known pending credits to be received or applied in the next fiscal year.

    If you’re just getting started building a repeatable budgeting process, treat it like any other project, complete with a formal plan/ charter and a central repository for all related data, information, and in-progress and final documents.

    Once you’ve identified a repeatable approach that works for you, transition the budgeting project to a regular operational process complete with policies, procedures, and tools.

    Review last year’s budget vs. actuals

    This is the starting point for building your high-level rationale around what you’re proposing for next fiscal year.

    But first, some quick definitions:

    • Budgeted: What you planned to spend when you started the fiscal year.
    • Actual: What you ended up spending in real life by the end of the fiscal year.
    • Variance: The difference between budgeted expenditure and actual expenditure.

    For last fiscal year, pinpoint the following metrics and information:

    Budgeted and actual IT expenditure overall and by major cost category.

    Categories will include workforce (employees/contractors) and vendors (hardware, software, contracted services) at a minimum.

    Actual IT expenditure as a percentage of organizational revenue.

    This is a widely-used benchmark that your CFO will expect to see.

    The known and likely drivers behind budgeted vs. actual variances.

    Your rationales will affect your perceived credibility. Be straightforward, avoid defending or making excuses, and just show the facts.

    Ask your CFO what they consider acceptable variance thresholds for different cost categories to guide your variance analysis, such as 1% for overall IT expenditure.

    Actual IT CapEx and OpEx.

    CapEx is often more variable than OpEx over time. Separate them so you can see the real trends for each. Consider:

    • Sub-dividing CapEx by strategic projects and non-strategic “business as usual” spend (e.g. laptops, network maintenance gear).
    • Showing overall CapEx and OpEx as percentages of their organization-wide counterparts if that information is available.

    Next, review your five-year historical expenditure trends

    The longer-term pattern of IT expenditure can help you craft a narrative about the overarching story of IT.

    For the previous five fiscal years, focus on the following:

    Actual IT expenditure as a percentage of organizational revenue.

    Again, for historical years 2-5, you can break this down into granular cost categories like workforce, software, and infrastructure like you did for last fiscal year. Avoid getting bogged down and focusing on the past – you ultimately want to redirect stakeholders to the future.

    Percentage expenditure increase/decrease year to year.

    You may choose to show overall IT expenditure amounts, breakdowns by CapEx and OpEx, as well as high-level cost categories.

    As you go back in time, some data may not be available to you, may be unreliable or incomplete, or employ the same cost categories you’re using today. Use your judgement on the level of granularity you want to and can apply when going back two to five years in the past.

    So, what’s the trend? Consider these questions:

    • Is the year-over-year trend on a steady trajectory or are there notable dips and spikes?
    • Are there any one-time capital projects that significantly inflated CapEx and overall spend in a given year or that forced maintenance-and support-oriented OpEx commitments in subsequent years?
    • Does there seem to be an overall change in the CapEx-to-OpEx ratio due to factors like increased use of cloud services, outsourcing, or contract-based staff?

    Take a close look at financial data showcasing the cost-control measures you’ve taken

    Your CFO will look for evidence that you’re gaining efficiencies by controlling costs, which is often a prerequisite for them approving any new funding requests.

    Your objective here is threefold:

    1. Demonstrate IT’s track record of fiscal responsibility and responsiveness to business priorities.
    2. Acknowledge and celebrate your IT-as-cost-center efficiency gains to clear the way for more strategic discussions.
    3. Identify areas where you can potentially source and reallocate recouped funds to bolster other initiatives or business cases for net-new spend.

    This step is about establishing credibility, demonstrating IT value, building trust, and showing the CFO you’re on their team.

    Do the following:

    • List any specific cost-control initiatives and their initial objectives and targets.
    • Identify any changes made to those targets and your approaches due to changing conditions, with rationales for the decisions made. For example:
      • Mid-year, the business decided to allow approximately half the workforce to work from home on a permanent basis.
      • As a result, remote-worker demand on the service desk remained high and actually increased in some areas. You were unable to reduce service desk staff headcount as originally planned.
      • You’re now exploring ways to streamline ticket intake and assignment to increase throughput and speed resolution.
    • Report on completed cost-control initiatives first, including targets, actuals, and related impacts. Include select feedback from business stakeholders and users about the impact of your cost-control measure on them.
    • For in-progress initiatives, report progress made to-date, benefits realized to date, and plans for continuation next fiscal year.

    “Eliminate the things you don’t need. People will give you what you need when you need it if you’re being responsible with what you already have.”

    – Angela Hintz, VP of PMO & Integrated Services,
    Blue Cross and Blue Shield of Louisiana

    2.3 Review your historical IT expenditure

    8 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook.
    2. On Tab 1, “Historical Events & Projects,” note the cost-driving and cost-saving events that occurred last fiscal year that drove any variance between budgeted and actual expenditure. Describe the nature of their impact and current status (ongoing, resolved – temporary impact, or resolved – permanent impact).
    3. Also on Tab 1, “Historical Events & Projects”, summarize the work done on capital or strategic projects, expenditures, and status (in progress, deferred, canceled, or complete).
    4. On Tab 2, “Historical Expenditure”:
      1. Enter the budgeted and actuals data for last fiscal year in columns D-H for the views of the ITFM Cost Model you’re opted to do, i.e. CFO expense view, CIO service view, CXO business view, and CEO innovation view.
      2. Enter a brief rationale for any notable budgeted-versus-actuals variances or other interesting items in column K.
      3. Enter actuals data for the remaining past five fiscal years in columns L-O. Year-over-year comparative metrics will be calculated for you.
      4. Enter FTEs by business function in columns R-AA, rows 34-43.
        Expenditure per FTE and year-over year comparative metrics will be
        calculated for you.
    5. Using Tabs 2, “Historical Expenditure” and 3, “Historical Analysis”, review and analyze the resulting data sets and graphs to identify overall patterns, specifically notable increases or decreases in a particular category of expenditure or where rationales are repeated across categories or views (these are significant).
    6. Finally, flag any data points that help demonstrate achievement of, or progress toward, any cost-control measures you implemented.

    2.3 Review your historical IT expenditure

    InputOutputMaterialsParticipants
    • Budgeted data for the previous fiscal year and actuals data for the previous five fiscal years
    • Mapped budgeted for last fiscal year, mapped actuals for the past five fiscal years, and variance metrics and rationales
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Pull historical trends into a present-day context when setting your high-level goals

    What’s happening to your organization and the ecosystem within which it’s operating right now? Review current business concerns, priorities, and strategies.

    Knowing what happened in the past can provide good insights and give you a chance to show stakeholders your money-management track record. However, what stakeholders really care about is “now” and “next”. For them, it’s all about current business context.

    Ask these questions about your current context to assess the relevance of your historical trend data:

    What’s the state of
    the economy and how is
    it affecting your organization?

    What are the
    organization’s stated
    strategic goals and objectives?

    What has the business
    explicitly communicated
    about finance-related targets?

    What’s the business
    executive’s attitude on
    budget increase requests?

    Some industries are very sensitive to economic cycles, causing wild budget fluctuations year to year. This uncertainty can reduce the volume of spend you automatically carry over one year to the next, making past spend patterns less relevant to your current budgeting effort.

    These can change year to year as well, and often manifest on the CapEx side in the form of strategic projects selected. Since this is so variable, using previous years’ CapEx to determine next fiscal’s CapEx isn’t always useful except in regard to multi-year, ongoing capital projects.

    Do your best to honor mandates. However, if cuts are suggested that could jeopardize core service delivery, tread cautiously, and pick your battles. You may be able to halt new capital spend to generate cuts, but these projects may get approved anyway, with IT expected to make cuts to OpEx.

    If the CFO and others rail against even the most necessary inflation-driven increases, you’ll need to take a conservative approach, focus on cost-saving initiatives, and plan to redirect last year’s expenditures instead of pursuing net-new spend.

    Set metrics and targets for some broader budget effectiveness improvement efforts

    Budget goalsetting isn’t limited to CapEx and OpEx targets. There are several effectiveness metrics to track overall improvement in your budgeting process.

    Step back and think about other budget and expenditure goals you have.
    Do you want to:

    • Better align the budget with organizational objectives?
    • Increase cost forecasting accuracy?
    • Increase budget transparency and completeness?
    • Improve the effectiveness of your budget presentation?
    • Reduce the amount of budget rework?
    • Increase the percentage of the budget that’s approved?
    • Reduce variance between what was budgeted and actuals?

    Establish appropriate metrics and targets that will allow you to define success, track progress, and communicate achievement on these higher-level goals.

    Check out some example metrics in the table below.

    Budgeting metric

    Improvement driver

    Current value

    Future target

    Percentage of spend directly tied to an organizational goal.

    Better alignment via increased communication and partnership with the business.

    72%

    90%

    Number of changes to budget prior to final acceptance.

    Better accuracy and transparency via use of zero-based budgeting and enhanced stakeholder views.

    8

    2

    Percentage variance between budgeted vs. actuals.

    Improved forecasting through better understanding of business plans and in-cycle show-back.

    +4%

    +/-2%

    Percentage of budget approved after first presentation.

    Improved business rationales and direct mapping of expenditure to org priorities.

    76%

    95%

    Percentage of IT-driven project budget approved.

    More rigor around benefits, ROI calculation, and quantifying value delivered.

    80%

    100%

    Set your high-level OpEx budget targets

    The high-level targets you set now don’t need to be perfect. Think of them as reference points or guardrails to sanity-check the cost forecasting exercise to come.

    First things first: Zero-based or incremental for OpEx?

    Set your OpEx targets

    Incremental budgeting is the addition of a few percentage onto next year’s budget, assuming the previous year’s OpEx is all re-occurring. The percentage often aligns with rates of inflation.

    • Most organizations take this approach because it’s faster and easier.
    • However, incremental budgeting is less accurate. Non-recurring items are often overlooked and get included in the forecast, resulting in budget bloat. Also, redundant or wasteful items can be entirely missed, undermining any cost optimization efforts.

    Zero-based budgeting involves rebuilding your budget from scratch, i.e. zero. It doesn’t assume that any of last year’s costs are recurring or consistent year to year.

    • This approach is harder because all relevant historical spend data needs to be collected and reviewed, which not only takes time but the data you need may be unlocatable.
    • Every item needs to be re-examined, re-justified, and tied to an asset, service, or project, which means it’s a far more comprehensive and accurate approach.

    Pick a range of percentage change based on your business context and past spend.

    • If economic prospects are negative, start with a 0-3% increase to balance inflation with potential cuts. Don’t set concrete reduction targets at this point, to avoid tunnel vision in the forecasting exercise.
    • If economic prospects are positive, target 3-5% increases for stable scenarios and 6-10% increases for growth scenarios.
    • If CapEx from previous-year projects is switching to steady-state OpEx, then account for these bumps in OpEx.
    • If the benefits from any previous-year efficiency measures will be realized next fiscal year, then account for these as OpEx reductions.

    If cost-cutting or optimization is a priority, then a zero-based approach is the right decision. If doing this every year is too onerous, plan to do it for your OpEx at least every few years to examine what’s actually in there, clean house, and re-set.

    Set your high-level CapEx budget targets

    A lot of IT CapEx is conceived in business projects, so your proposed expenditure here may not be up to you. Exercise as much influence as you can.

    First things first: Is it project CapEx, or “business as usual” CapEx?

    Project CapEx is tied to one-time strategic projects requiring investment in new assets.

    • This CapEx will probably be variable year to year, going up or down depending on the organization’s circumstances or goals.
    • This area of spend is driven largely by the business and not IT. Plan to set project CapEx targets in close partnership with the business and function as a steward of these funds instead of as an owner.

    User-driven “business as usual” CapEx manifests via changes (often increases) in organizational headcount due to growth.

    • Costs here focus on end-user hardware like desktops, laptops, and peripherals.
    • Any new capital software acquisitions you have planned will also be affected in terms of number of licenses required.
    • Get reliable estimates of department-by-department hiring plans for next fiscal year to better account for these in your budget.

    Network/data center-driven “business-as-usual” CapEx is about core infrastructure maintenance.

    • Costs here focus on the purchase of network and data center hardware and other equipment to maintain existing infrastructure services and performance.
    • Increased outsourcing often drives down this area of “business as usual” CapEx by reducing the purchase of new on-premises solutions and eliminating network and data center maintenance requirements.

    Unanticipated hiring and the need to buy end-user hardware is cited as a top cause of budget grief by IT leaders – get ahead of this. Project CapEx, however, is usually determined via business-based capital project approval mechanisms well in advance. And don’t forget to factor in pre-established capital asset depreciation amounts generated by all the above!

    2.4 Set your high-level IT budget targets and metrics

    8 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook to document the outcomes of this activity.
    2. Review the context in which your organization is currently operating and expects to operate in the next fiscal year. Specifically, look at:
      1. The state of the economy.
      2. Stated goals, objectives, and targets.
      3. The executive’s point of view on budget increase requests.
      Document your factors, assessment, rationale, and considerations in the “Business Context Assessment” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.
    3. Based on the business context, anticipated flips of former CapEx to OpEx, and realization of previous years’ efficiency measures, set a general non-project OpEx target as a percentage increase or decrease for next fiscal year to serve as a guideline in the cost forecasting guideline. Document this in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook. sed on known capital projects, changes in headcount, typical “business as usual” equipment expenditure, and pre-established capital asset depreciation amounts, set general project CapEx and non-project CapEx targets. Document these in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.
    4. Finally, set your overarching IT budget process success metrics. Also document these in the “Budget Targets & Metrics” table on the “Planning Variables” tab in the IT Cost Forecasting and Budgeting Workbook.

    Download the IT Cost Forecasting and Budgeting Workbook

    2.4 Set your high-level IT budget targets and metrics

    InputOutputMaterialsParticipants
    • Knowledge of current business context and probable context next fiscal year
    • Analysis of historical IT expenditure patterns
    • High-level project CapEx and non-project CapEx and OpEx targets for the next fiscal year
    • IT budget process success metrics
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Phase recap: Get into budget-starting position

    Now you’re ready to do the deep dive into forecasting your IT budget for next year.

    In this phase, you clarified your business context and defined your budgetary goals, including:

    • Assembling your resources. You’ve built and organized your IT budgeting team, as well as gathered the data and information you’ll need to do your historical expenditure analysis and future forecasting
    • Understanding the four views of the IT Cost Model. You’ve become familiar with the four views of the model and have selected which ones you’ll map for historical analysis and forecasting purposes.
    • Reviewing last year’s budget versus actuals and five-year historical trends. You now have the critical rationale-building context to inform next year’s numbers and demonstrate any cost efficiencies you’ve successfully executed.
    • Setting your high-level goals. You’ve established high-level targets for project and non-project CapEx and OpEx, as well as set some IT budget process improvement goals.

    “We only have one dollar but five things. Help us understand how to spend that dollar.”

    – Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

    Phase 3

    Develop Your Forecasts

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Documenting the assumptions behind your proposed budget and develop alternative scenarios.
    • Forecasting your project CapEx.
    • Forecasting your non-project CapEx and OpEx.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Develop your forecasts

    Start making some decisions.

    This phase focuses on putting real numbers on paper based on the research and data you’ve collected. Here, you will:

    • Develop assumptions and alternative scenarios. The assumptions you make are the logical foundation for your decisions, and your primary and alternative scenarios focus your thinking and demonstrate that you’ve thoroughly examined your organization’s current and future context.
    • Forecast your project CapEx costs. These costs are comprised of all the project-related capital expenditures for strategic or capital projects, including in-house labor.
    • Forecast your non-project CapEx and OpEx costs. These costs are the ongoing “business as usual” expenditures incurred via the day-to-day operations of IT and delivery of IT services.

    “Our April forecast is what really sets the bar for what our increase is going to be next fiscal year. We realized that we couldn’t change it later, so we needed to do more upfront to get that forecast right.

    If we know that IT projects have been delayed, if we know we pulled some things forward, if we know that a project isn’t starting until next year, let’s be really clear on those things so that we’re starting from a better forecast because that’s the basis of deciding two percent, three percent, whatever it’s going to be.”

    – Kristen Thurber, IT Director, Office of the CIO, Donaldson Company

    When pinning down assumptions, start with negotiable and non-negotiable constraints

    Assumptions are things you hold to be true. They may not actually be true, but they are your logical foundation and must be shared with stakeholders so they can follow your thinking.

    Start with understanding your constraints. These are either negotiable (adjustable) or non-negotiable (non-adjustable). However, what is non-negotiable for IT may be negotiable for the organization as a whole, such as its strategic objectives. Consider each of the constraints below, determine how it relates to IT expenditure options, and decide if it’s ultimately negotiable or non-negotiable.

    Organizational

    Legal and Regulatory

    IT/Other

    Example:
    • Strategic goals and priorities
    • Financial and market performance
    • Governance style and methods
    • Organizational policies
    • Organizational culture
    • Regulatory compliance and reporting
    • Data residency and privacy laws
    • Vendor contract terms and conditions
    • Health and safety
    • Compensation and collective bargaining
    • IT funding and fund allocation flexibility
    • Staff/skills availability and capacity
    • Business continuity and IT performance requirements
    • Time and timeframes
    You’re in year one of a three-year vendor contract. All contracts are negotiable, but this one isn’t for two years. This contact should be considered a non-negotiable for current budget-planning purposes.

    Identifying your negotiable and non-negotiable constraints is about knowing what levers you can pull. Government entities have more non-negotiable constraints than private companies, which means IT and the organization as a whole have fewer budgetary levers to pull and a lot less flexibility.

    An un-pullable lever and a pullable lever (and how much you can pull it) have one important thing in common – they are all fundamental assumptions that influence your decisions.

    Brainstorm your assumptions even further

    The tricky thing about assumptions is that they’re taken for granted – you don’t always realize you’ve made them. Consider these common assumptions and test them for validity.

    My current employees will still be here 18 months from now.

    My current vendors aren’t going to discontinue the products we have.

    My organization’s executive team will be the same 18 months from now. My current key vendors will be around for years to come.

    My organization’s departments, divisions, and general structure will be the same 18 months from now.

    IT has to be an innovation leader.

    We won’t be involved in any merger/acquisition activity next fiscal year.

    IT has always played the same role here and that won’t change.

    There won’t be a major natural disaster that takes us offline for days or even weeks.

    We must move everything we can to the cloud.

    We won’t be launching any new products or services next fiscal year.

    Most of our IT expenditure has to be CapEx, as usual.

    You won’t put some of these assumptions into your final budget presentation. It’s simply worthwhile knowing what they are so you can challenge them when forecasting.

    Based on your assumptions, define the primary scenario that will frame your budget

    Your primary scenario is the one you believe is most likely to happen and upon which you’ll build your IT cost forecasts.

    Now it’s time to outline your primary scenario.

    • A scenario is created by identifying the variable factors embedded in your assumptions and manipulating them across the range of possibilities. This manipulation of variables will result in different scenarios, some more likely or feasible than others.
    • Your primary scenario is the one you believe is the most feasible and/or likely to happen (i.e. most probable). This is based on:
      • Your understanding of past events and patterns.
      • Your understanding of your organization’s current context.
      • Your understanding of IT’s current context.
      • Your understanding of the organization’s objectives.
      • Your assessment of negotiable and non-negotiable constraints and other assumptions for both IT and the organization.

    A note on probability…

    • A non-negotiable constraint doesn’t have any variables to manipulate. It’s a 100% probability that must be rigidly accommodated and protected in your scenario. An example is a long-standing industry regulation that shows no signs of being updated or altered and must be complied with in its current state.
    • A negotiable constraint has many more variables in play. Your goal is to identify the different potential values of the variables and determine the degree of probability that one value is more likely to be true or feasible than another. An example is that you’re directed to cut costs, but the amount could be as little as 3% or as much as 20%.
    • And then there are the unknowns. These are circumstances, events, or initiatives that inevitably happen, but you can’t predict when, what, or how much. This is what contingency planning and insurance are for. Examples include a natural disaster, a pandemic, a supply chain crisis, or the CEO simply changing their mind. Its safe to assume something is going to happen, so if you’re able to establish a contingency fund or mechanisms that let you respond, then do it.

    What could or will be your organization’s new current state at the end of next fiscal year?

    Next, explore alternative scenarios, even those that may seem a bit outrageous

    Offering alternatives demonstrates that you weighed all the pertinent factors and that you’ve thought broadly about the organization’s future and how best to support it.

    Primary scenario approval can be helped by putting that scenario alongside alternatives that are less attractive due to their cost, priority, or feasibility. Alternative scenarios are created by manipulating or eliminating your negotiable constraints or treating specific unknowns as knowns. Here are some common alternative scenarios.

    The high-cost scenario: Assumes very positive economic prospects. Characterized by more of everything – people and skills, new or more sophisticated technologies, projects, growth, and innovation. Remember to consider the long-term impact on OpEx that higher capital spend may bring in subsequent years.

    Target 10-20% more expenditure than your primary scenario

    The low-cost scenario: Assumes negative economic prospects or cost-control objectives. Characterized by less of everything, specifically capital project investment, other CapEx, and OpEx. Must assume that business service-level expectations will be down-graded and other sacrifices will be made.

    Target 5-15% less expenditure than your primary scenario

    The dark horse scenario: This is a more radical proposition that challenges the status quo. For example, what would the budget look like if all data specialists in the organization were centralized under IT? What if IT ran the corporate PMO? What if the entire IT function was 100% outsourced?

    No specific target

    Case Study

    INDUSTRY: Manufacturing

    SOURCE: Anonymous

    A manufacturing IT Director gets budgetary approval by showing what the business would have to sacrifice to get the cheap option.

    Challenge

    Solution

    Results

    A manufacturing business had been cutting costs endlessly across the organization, but specifically in IT.

    IT was down to the bone. The IT Director had already been doing zero-based budgeting to rationalize all expenditure, stretching asset lifecycles as long as possible, and letting maintenance work slide.

    There were no obvious options left to reduce costs based on what the business wanted to do.

    The IT Director got creative. He put together three complete budgets:

    1. The budget he wanted.
    2. A budget where everything was entirely outsourced and there would be zero in-house IT staff.
    3. A budget that was not as extreme as the second one, but still tilted toward outsourcing.

    In the budget presentation, he led with the “super cheap” budget where IT was 100% outsourced.

    He proceeded to review the things they wouldn’t have under the extreme outsourced scenario, including the losses in service levels that would be necessary to make it happen.

    The executive was shocked by what the IT Director showed them.

    The executive immediately approved the IT Director’s preferred budget. He was able to defend the best budget for the business by showing them what they stood to lose.

    3.1 Document your assumptions and alternative scenarios

    2 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook and document the outcomes of this activity on Tab 9, “Alternative Scenarios.”
    2. As a management team, identify and discuss your non-negotiable and negotiable constraints. Document these in rows 4 and 5 respectively in the Workbook.
    3. Brainstorm, list, and challenge any other assumptions being made by IT or the organization’s executive in terms of what can and cannot be done.
    4. Identify the most likely or feasible scenario (primary) and associated assumptions. You will base your initial forecasting on this scenario.
    5. Identify alternative scenarios. Document each scenario’s name, description, and key assumptions, and major opportunities in columns B-D on Tab 9, “Alternative Scenarios.” You will do any calculations for these scenarios after you have completed the forecast for your primary scenario.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Knowledge of organization’s context, culture, and operations
    • A list of assumptions that will form the logical foundation of your forecasting decisions
    • Identification of the primary budget scenario and alternatives
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Before diving into actual forecasting, get clear on project and non-project CapEx and OpEx

    Traditional, binary “CapEx vs. OpEx” distinctions don’t seem adequate for showing where expenditure is really going. We’ve added a new facet to help further differentiate one-time project costs from recurring “business as usual” expenses.

    Project CapEx
    Includes all workforce and vendor costs associated with planning and execution of projects largely focused on the acquisition or creation of new capital assets.

    Non-project CapEx
    Includes “business as usual” capital asset acquisition in the interest of managing, maintaining, or supporting ongoing performance of existing infrastructure or services, such as replacement network equipment, end-user hardware (e.g. laptops), or disaster recovery/business continuity redundancies. Also includes ongoing asset depreciation amounts.

    Non-project OpEx
    Includes all recurring, non-CapEx “business as usual” costs such as labor compensation and training, cloud-based software fees, outsourcing costs, managed services fees, subscriptions, and other discretionary spend.

    Depreciation is technically CapEx. However, for practical purposes, most organizations list it under OpEx, which can cause it to get lost in the noise. Here, depreciation is under non-project CapEx to keep its true CapEx nature visible and in the company of other “business as usual” capital purchases that will ultimately join the depreciation ranks.

    Forecast your project CapEx costs

    This process can be simple as far as overall budget forecasting is concerned. If it isn’t simple now, plan to make it simpler next time around.

    What to expect…

    • Ideally, the costs for all projects should have been thoroughly estimated, reviewed, and accepted by a steering committee, your CFO, or other approving entity at the start of the budgeting season, and funding already committed to. In a nutshell, forecasting your project costs should already have been done and will only require plugging in those numbers.
    • If projects have yet to be pitched and rubber stamped, know that your work is cut out for you. Doing things in a rush or without proper due diligence will result in certain costs being missed. This means that you risk going far over budget in terms of actuals next year, or having to borrow from other areas in your budget to cover unplanned or underestimated project costs.

    Key forecasting principles…

    Develop rigorous business cases
    Secure funding approval well in advance
    Tie back costs benefitting business units
    Consider the longer-term OpEx impact

    For more information about putting together sound business cases for different projects and circumstances, see the following Info-Tech blueprints:

    Build a Comprehensive Business Case

    Fund Innovation with a Minimum Viable Business Case

    Reduce Time to Consensus with an Accelerated Business Case

    Apply these project CapEx forecasting tips

    A good project CapEx forecast requires steady legwork, not last-minute fast thinking.

    Tip #1: Don’t surprise your approvers. Springing a capital project on approvers at your formal presentation isn’t a good idea and stands a good chance of rejection, so do whatever you can to lock these costs down well in advance.

    Tip #2: Project costs should be entirely comprised of CapEx if possible. Keep in mind that some of these costs will convert to depreciated non-project CapEx and non-project OpEx as they transition from project costs to ongoing “business as usual” costs, usually in the fiscal year following the year of expenditure. Creating projections for the longer-term impacts of these project CapEx costs on future types of expenditure is a good idea. Remember that a one-time project is not the same thing as a one-time cost.

    Tip #3: Capitalize any employee labor costs on capital projects. This ensures the true costs of projects are not underestimated and that operational staff aren’t being used for free at the expense of their regular duties.

    Tip #4: Capitalizing cloud costs in year one of a formal implementation project is usually acceptable. It’s possible to continue treating cloud costs as CapEx with some vendors via something called reserved instances, but organizations report that this is a lot of work to set up. In the end, most capitalized cloud will convert into non-project OpEx in years two and beyond.

    Tip #5: Build in some leeway. By the time a project is initiated, circumstances may have changed dramatically from when it was first pitched and approved, including business priorities and needs, vendor pricing, and skillset availability. Your costing may become completely out of date. It’s a good practice to work within more general cost ranges than with specific numbers, to give you the flexibility to respond and adapt during actual execution.

    3.2 Forecast your project CapEx

    Time: Depends on size of project portfolio

    1. Download the IT Cost Forecasting and Budgeting Workbook and navigate to Tab 5, “Project CapEx Forecast”. Add more columns as required. Enter the following for all projects:
      • Row 5 – Its name and/or unique identifier.
      • Row 6 – Its known or estimated project start/end dates.
      • Row 7 – Its status (in proposal, committed, or in progress).
    2. Distribute each project’s costs across the categories listed for each view you’ve selected to map. Do not include any OpEx here – it will be mapped separately under non-project OpEx.
    3. Rationalize your values. A running per-project total for each view, as well as totals for all projects combined, are in rows 16, 28, 39, and 43. Ensure these totals match or are very close across all the views you are mapping. If they don’t match, review the views that are lower-end outliers as there’s a good chance something has been overlooked.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Project proposals and plans, including cost estimations
    • A project CapEx forecast for next fiscal year
    MaterialsParticipants
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Forecast your non-project OpEx

    Most of your budget will be non-project OpEx, so plan to spend most of your forecasting effort here.

    What to expect…

    Central to the definition of OpEx is the fact that it’s ongoing. It rarely stops, and tends to steadily increase over time due to factors like inflation, rising vendor prices, growing organizational growth, increases in the salary expectations of employees, and other factors.

    The only certain ways to reduce OpEx are to convert it to capitalizable expenditure, decrease staffing costs, not pursue cloud technologies, or for the organization to simply not grow. For most organizations, none of these approaches are feasible. Smaller scale efficiencies and optimizations can keep OpEx from running amok, but they won’t change its overall upward trajectory over time. Expect it to increase.

    Key forecasting principles…

    Focus on optimization and efficiency.
    Aim for full spend transparency.
    Think about appropriate chargeback options.
    Give it the time it deserves.

    For more information about how to make the most out of your IT OpEx, see the following Info-Tech blueprints:

    Develop Your Cost Optimization Roadmap

    Achieve IT Spend & Staffing Transparency

    Discover the Hidden Costs of Outsourcing

    Apply these non-project OpEx forecasting tips

    A good forecast is in the details, so take a very close look to see what’s really there.

    Tip #1: Consider zero-based budgeting. You don’t have to do this every year, but re-rationalizing your OpEx every few years, or a just a segment of it on a rotational basis, will not only help you readily justify the expenditure but also find waste and inefficiencies you didn’t know existed.

    Tip #2: Capitalize your employee capital project work. While some organizations aren’t allowed to do this, others who can simply don’t bother. Unfortunately, this act can bloat the OpEx side of the equation substantially. Many regular employees spend a significant amount of their time working on capital projects, but this fact is invisible to the business. This is why the business keeps asking why it takes so many people to run IT.

    Tip #3: Break out your cloud vs. on-premises costs. Burying cloud apps costs in a generic software bucket works against any transparency ambitions you may have. If you have anything resembling a cloud strategy, you need to track, report, and plan for these costs separately in order to measure benefits realization. This goes for cloud infrastructure costs, too.

    Tip #4: Spend time on your CIO service view forecast. Completing this view counts as a first step toward service-based costing and is a good starting point for setting up an accurate service catalog. If looking for cost reductions, you’ll want to examine your forecasts in this view as there will likely be service-level reductions you’ll need to propose to hit your cost-cutting goals.

    Tip #5: Budget with consideration for chargeback. chargeback mechanisms for OpEx can be challenging to manage and have political repercussions, but they do shift accountability back to the business, guarantee that the IT bills get paid, and reduce IT’s OpEx burden. Selectively charging business units for applications that only they use may be a good entry point into chargeback. It may also be as far as you want to go with it. Doing the CXO business view forecast will provide insight into your opportunities here.

    Forecast your non-project CapEx

    These costs are often the smallest percentage of overall expenditure but one of the biggest sources of financial grief for IT.

    What to expect…

    • These costs can be hard to predict. Anticipating expenditure on end-user hardware such as laptops depends on knowing how many new staff will be hired by the organization next year. Predicting the need to buy networking hardware depends on knowing if, and when, a critical piece of equipment is going to spontaneously fail. You can never be completely sure.
    • IT often must reallocate funds from other areas of its budget to cover non-project CapEx costs. Unfortunately, keeping the network running and ensuring employees have access to that network is seen exclusively as an IT problem, not a business problem. Plan to change this mindset.

    Key forecasting principles…

    Discuss hiring plans with the business.
    Pay close attention to your asset lifecycles.
    Prepare to advise about depreciation schedules.
    Build in contingency for the unexpected.

    For more information about ensuring IT isn’t left in the lurch when it comes to non-project CapEx, see the following Info-Tech blueprints:

    Manage End-User Devices

    Develop an Availability and Capacity Management Plan

    Modernize the Network

    Apply these non-project CapEx forecasting tips

    A good forecast relies on your ability to accurately predict the future.

    Tip #1: Top up new hire estimations: Talk to every business unit leader about their concrete hiring plans, not their aspirations. Get a number, increase that number by 25% or 20 FTEs (whichever is less), and use this new number to calculate your end-user non-project CapEx.

    Tip #2: Make an arrangement for who’s paying for operational technology (OT) devices and equipment. OT involves specialized devices such as in-the-field sensors, scanners, meters, and other networkable equipment. Historically, operational units have handled this themselves, but this has created security problems and they still rely on IT for support. Sort the financials out now, including whose budget device and equipment purchases appear on, as well as what accommodations IT will need to make in its own budget to support them.

    Tip #3: Evaluate cloud infrastructure and managed services. These can dramatically reduce your non-project CapEx, particularly on the network and data center fronts. However, these solutions aren’t necessarily less expensive and will drive up OpEx, so tread cautiously.

    Tip #4: Definitely do an inventory. If you haven’t invested in IT asset management, put it on your project and budgetary agenda. You can’t manage what you don’t know you have, so asset discovery should be your first order of business. From there, start gathering asset lifecycle information and build in alerting to aid your spend planning.

    Tip #5: Think about retirement: What assets are nearing end of life or the end of their depreciation schedule? What impact is this having on non-project OpEx in terms of maintenance and support? Deciding to retire, replace, or extend an IT operational asset will change your non-project CapEx outlook and will affect costs in other areas.

    Tip #6: Create a contingency fund: You need one to deal with surprises and emergencies, so why wait?

    Document the organization’s projected FTEs by business function

    This data point is usually missing from IT’s budget forecasting data set. Try to get it.

    A powerful metric to share with business stakeholders is expenditure per employee or FTE. It’s powerful because:

    • It’s one of the few metrics that’s intuitively understood by most people
    • It can show changes in IT expenditure over time at both granular and general levels.

    This metric is one of the simplest to calculate. The challenge is in getting your hands on the data in the first place.

    • Most business unit leaders struggle to pin down this number in terms of actuals as they have difficulty determining what an FTE actually is. Does it include contract staff? Part-time staff? Seasonal workers? Volunteers and interns? And if the business unit has high turnover, this number can fluctuate significantly.
    • Encourage your business peers to produce a rational estimate. Unlike the headcount number you’re seeking to forecast for non-project capital expenditure for end-user hardware, this FTE number should strive to be more in the ballpark, as you’re not using it to ensure sufficient funds but comparatively track expenditure year to year.
    • Depending on your industry, employees or FTEs may not be the best measurement. Use what works best for you. Number of unique users is a common one. Other industry-specific examples include per student, per bed, per patient, per account, and per resident.

    Start to build in long-term and short-term forecasting into your budgeting process

    These are growing practices in mature IT organizations that afford significant flexibility.

    Short-term forecasting:

    Long-term forecasting:

    • At Donaldson Company, budgeting is a once-a-year event, but they’ve started formalizing a forecast review three times a year.
    • These mini-forecasts are not as full blown as the annual forecasting process. Rather, they look at specific parts of the budget and update it based on changing realities.

    “It’s a great step in the right direction. We look at
    the current, and then the future. What we’re really pushing is how to keep that outyear spend more in discussion. The biggest thing we’re trying to do when we approve projects is look at what does that approval do to outyear spend? Is it going to increase? Is it going to decrease? Will we be spending more on licensing? On people?”

    – Kristen Thurber, IT Director, Office of the CIO,
    Donaldson Company

    • In 2017, the Hawaii Medical Service Association accepted the fact that they were very challenged with legacy systems. They needed to modernize.
    • They created a multi-year strategic budget -- a five-year investment plan. This plan was a success. They were able to gain approval for a five-year horizon with variable allocations per year, as required.

    “This approach was much better. We now
    have a “guarantee” of funding for five years now – they’ve conceptually agreed. Now we don’t have
    to make that request for new money every time
    if we need more. We can vary the amount every
    year – it doesn’t have to be the same.”

    – Trisha Goya, Director, IT Governance & Administration,
    Hawaii Medical Service Association

    3.4 Forecast your non-project OpEx and CapEx

    Time: Depends on size of vendor portfolio and workforce

    1. Download the IT Cost Forecasting and Budgeting Workbook and navigate to Tab 4, “Business as Usual Forecast”. This tab assumes an incremental budgeting approach. Last year’s actuals have been carried forward for you to build upon.
    2. Enter expected percentage-based cost increases/decreases for next fiscal year for each of the following variables (columns E-I): inflation, vendor pricing, labor costs, service levels, and depreciation. Do this for all sub-categories for the ITFM cost model views you’ve opted to map. Provide rationales for your percentage values in column K.
    3. In columns M and N, enter the anticipated percentage allocation of cost to non-project CapEx versus non-project OpEx.
    4. In column O, rows 29-38, enter the projected FTEs for each business function (if available).
    5. If you choose, make longer-term, high-level forecasts for 2-3 years in the future in columns P-U. Performing longer-term forecasts for at least the CFO expense view categories is recommended.

    Download the IT Cost Forecasting and Budgeting Workbook

    Input Output
    • Last fiscal year’s actuals
    • Knowledge of likely inflation, vendor cost, and salary expectations for next fiscal year
    • Depreciation amounts
    • A non-project OpEx and CapEx forecast for next fiscal year
    Materials Participants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Case Study

    INDUSTRY: Insurance

    SOURCE: Anonymous

    Challenge

    Solution

    Results

    In his first run at the annual budgeting process, a new CIO received delivery dates from Finance and spent the next three months building the budget for the next fiscal year.

    He discovered that the organization had been underinvesting in IT for a long time. There were platforms without support, no accounting for currency exchange rates on purchases, components that had not be upgraded in 16 years, big cybersecurity risks, and 20 critical incidences a month.

    In his budget, the CIO requested a 22-24% increase in IT expenditure to deal with the critical gaps, and provided a detailed defense of his proposal

    But the new CIO’s team and Finance were frustrated with him. He asked his IT finance leader why. She said she didn’t understand what his direction was and why the budgeting process was taking so long – his predecessor did the budget in only two days. He would add up the contracts, add 10% for inflation, and that’s it.

    Simply put, the organization hadn’t taken budgeting seriously. By doing it right, the new CIO had inadvertently challenged the status quo.

    The CIO ended up under-executing his first budget by 12% but is tracking closer to plan this year. Significantly, he’s been able cut critical incidences from 20 down to only 2-3 per month.

    Some friction persists with the CFO, who sees him as a “big spender,” but he believes that this friction has forced him to be even better.

    Phase recap: Develop your forecasts

    The hard math is done. Now it’s time to step back and craft your final proposed budget and its key messages.

    This phase focused on developing your forecasts and proposed budget for next fiscal year. It included:

    • Developing assumptions and alternative scenarios. These will showcase your understanding of business context as well as what’s most likely to happen (or should happen) next year.
    • Forecasting your project CapEx costs. If these costs weren’t laid out already in formal, approved project proposals or plans, now you know why it’s the better approach for developing a budget.
    • Forecasting your non-project CapEx and OpEx costs. Now you should have more clarity and transparency concerning where these costs are going and exactly why they need to go there.

    “Ninety percent of your projects will get started but a good 10% will never get off the ground because of capacity or the business changes their mind or other priorities are thrown in. There are always these sorts of challenges that come up.”

    – Theresa Hughes, Executive Counselor,
    Info-Tech Research Group
    and Former IT Executive

    Phase 4

    Build Your Proposed Budget

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Pulling your forecasts together into a comprehensive IT budget for next fiscal year.
    • Double checking your forecasts to ensure they’re accurate.
    • Fine tuning the rationales behind your proposals.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Build your proposed budget

    Triple check your numbers and put the finishing touches on your approval-winning rationales.

    This phase is where your analysis and decision making finally come together into a coherent budget proposal. Key steps include:

    • Aggregating your numbers. This step involves pulling together your project CapEx, non-project CapEx, and non-project OpEx forecasts into a comprehensive whole and sanity-checking your expenditure-type ratios.
    • Stress-testing your forecasts. Do some detailed checks to ensure everything’s accounted for and you haven’t overlooked any significant information or factors that could affect your forecasted costs.
    • Challenging and perfecting your rationales. Your ability to present hard evidence and rational explanations in support of your proposed budget is often the difference between a yes or a no. Look at your proposals from different stakeholder perspectives and ask yourself, “Would I say yes to this if I were them?”

    “We don’t buy servers and licenses because we want to. We buy them because we have to. IT doesn’t need those servers out at our data center provider, network connections, et cetera. Only a fraction of these costs are to support us in the IT department. IT doesn’t have control over these costs because we’re not the consumers.”

    – Matt Johnson, IT Director Governance and Business Solutions, Milwaukee County

    Great rationales do more than set you up for streamlined budgetary approval

    Rationales build credibility and trust in your business capabilities. They can also help stop the same conversations happening year after year.

    Any item in your proposed budget can send you down a rabbit hole if not thoroughly defensible.

    You probably won’t need to defend every item, but it’s best to be prepared to do so. Ask yourself:

    • What areas of spend does the CFO come back to year after year? Is it some aspect of OpEx, such as workforce costs or cloud software fees? Is it the relationship between proposed project spend and business benefits? Provide detailed and transparent rationales for these items to start re-directing long-term conversations to more strategic issues.
    • What areas of spend seem to be recurring points of conflict with business unit leaders? Is it surprise spend that comes from business decisions that didn’t include IT? Is it business-unit leaders railing against chargeback? Have frank, information-sharing conversations focused on business applications, service-level requirements, and true IT costs to support them.
    • What’s on the CEO’s mind? Are they focused on entering a new overseas market, which will require capital investment? Are they interested in the potential of a new technology because competitors are adopting it? It may not be the same focus as last year, so ensure you have fresh rationales that show how IT will help deliver on these business goals.

    “Budgets get out of control when one department fails to care for the implications of change within another department's budget. This wastes time, reduces accuracy and causes conflict.”

    – Tara Kinney, Atomic Revenue, LLC.

    Rationalizing costs depends on the intention of the spend

    Not all spending serves the same purpose. Some types require deeper or different justifications than others.

    For the business, there are two main purposes for spend:

    1. Spending that drives revenues or the customer experience. Think in terms of return on investment (ROI), i.e. when will the expenditure pay for itself via the revenue gains it helps create?
    2. Spending that mitigates and manages risk. Think in terms of cost-benefit, i.e. what are the costs of doing something versus doing nothing at all?
    Source: Kris Blackmon, NetSuite Brainyard.

    “Approval came down to ROI and the ability to show benefits realization for years one, two, and three through five.”

    – Duane Cooney, Executive Counselor, Info-Tech Research Group, and Former Healthcare CIO

    Regardless of its ultimate purpose, all expenditure needs statements of assumptions, obstacles, and likelihood of goals being realized behind it.

    • What are the assumptions that went into the calculation?
    • Is the spend new or a reallocation (and from where)?
    • What’s the likelihood of realizing returns or benefits?
    • What are potential obstacles to realizing returns or benefits?

    Rationales aren’t only for capital projects – they can and should be applied to all proposed OpEx and CapEx. Business project rationales tend to drive revenue and the customer experience, demanding ROI calculations. Internal IT-projects and non-project expenditure are often focused on mitigating and managing risk, requiring cost-benefit analysis.

    First, make sure your numbers add up

    There are a lot of numbers flying around during a budgeting process. Now’s the time to get out of the weeds, look at the big picture, and ensure everything lines up.

    Overall

    Non-Project OpEx

    Non-Project CapEx

    Project CapEx

    • Is your proposed budget consistent with previous IT expenditure patterns?
    • Did you account for major known anomalies or events?
    • Is your final total in line with your CFO’s communicated targets and expectations?
    • Are your alternative scenarios realistic and reflective of viable economic contexts that your organization could find itself in in the near term?
    • Are the OpEx-to-CapEx ratios sensible?
    • Does it pass your gut check?
    • Did you research and verify market rates for employees and skill sets?
    • Did you research and verify likely vendor pricing and potential increases?
    • Are cost categories with variances greater than +5% backed up by defensible IT hiring plans or documented operational growth or improvement initiatives?
    • Have you accounted for the absorption of previous capital project costs into day-to-day management, maintenance, and support operations?
    • Do you have accurate depreciation amounts and timeframes for their discontinuation?
    • Are any variances driven by confirmed business plans to increase headcount, necessitating purchase of end-user hardware and on-premises software licenses?
    • Are any variances due to net-new planned/contingency purchases or the retirement of depreciable on-premises equipment?
    • Is funding for all capital projects represented reliable, i.e. has it been approved?
    • Are all in-progress, proposed, or committed project CapEx costs backed up with reliable estimates and full project documentation?
    • Do capital project costs include the capitalizable costs of employees working on those projects, and were these amounts deducted from non-project OpEx?
    • Have you estimated the longer-term OpEx impact of your current capital projects?

    4.1 Aggregate your proposed budget numbers and stress test your forecasts

    2 hours

    1. Download the IT Cost Forecasting and Budgeting Workbook for this activity. If you have been using it thus far, the Workbook will have calculated your numbers for you across the four views of the ITFM Cost Model on Tab 7, “Proposed Budget”, including:
      1. Forecasted non-project OpEx, non-project CapEx (including depreciation values), project CapEx, and total values.
      2. Numerical and percentage variances from the previous year.
    2. Test and finalize your forecasts by applying the questions on the previous slide.
    3. Flag cost categories where large variances from the previous year or large numbers in general appear – you will need to ensure your rationales for these variances are rigorous in the next step.
    4. Make amendments if needed to Tabs 4, “Business as Usual Forecast” and 5, “Project CapEx Forecast” in the IT Cost Forecasting and Budgeting Workbook.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutputMaterialsParticipants
    • Final drafts of all IT cost forecasts
    • A final proposed IT budget
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Case Study

    INDUSTRY: Healthcare

    SOURCE: Anonymous

    Challenge

    Solution

    Results

    A senior nursing systems director needed the CIO’s help. She wanted to get a project off the ground, but it wasn’t getting priority or funding.

    Nurses were burning out. Many were staying one to two hours late per shift to catch up on patient notes. Their EHR platform had two problematic workflows, each taking up to about 15 minutes per nurse per patient to complete. These workflows were complex, of no value, and just not getting done. She needed a few million dollars to make the fix.

    The CIO worked with the director to do the math. In only a few hours, they realized that the savings from rewriting the workflows would allow them to hire over 500 full-time nurses.

    The benefits realized would not only help reduce nurse workload and generate savings, but also increase the amount of time spent with patients and number of patients seen overall. They redid the math several times to ensure they were right.

    The senior nursing systems director presented to her peers and leadership, and eventually to the Board of Directors. The Board immediately saw the benefits and promoted the project to first on the list ahead of all other projects.

    This collaborative approach to generating project benefits statements helped the CIO gain trust and pave the way for future budgets.

    The strength of your rationales will determine how readily your budget is approved

    When proposing expenditure, you need to thoroughly consider the organization’s goals, its governance culture, and the overall feasibility of what’s being asked.

    First, recall what budgets are really about.

    The completeness, accuracy, and granularity of your numbers and thorough ROI calculations for projects are essential. They will serve you well in getting the CFO’s attention. However, the numbers will only get you halfway there. Despite what some people think, the work in setting a budget is more about the what, how, and why – that is, the rationale – than about the how much.

    Next, revisit Phase 1 of this blueprint and review:

    • Your organization’s budgeting culture and processes.
    • The typical accountabilities, priorities, challenges, opportunities, and expectations associated with your CFO, CEO, and CXO IT budget stakeholders.
    • Your budgetary mandate as the head of IT.

    Then, look at each component of your proposed budget through each of these three rationale-building lenses.

    Business goals
    What are the organization’s strategic priorities?

    Governance culture
    How constrained is the decision-making process?

    Feasibility
    Can we make it happen?

    Linking proposed spend to strategic goals isn’t just for strategic project CapEx

    Tie in your “business as usual” non-project OpEx and CapEx, as well.

    Business goals

    What are the organization’s strategic priorities?

    Context

    This is all about external factors, namely the broader economic, political, and industry contexts in which the organization operates.

    Lifecycle position

    The stage the organization is at in terms of growth, stability, or decline will drive decisions, priorities, and the ability to spend or invest.

    Opportunities

    Context and lifecycle position determine opportunities, which are often defined in terms of potential cost savings
    or ROI.

    Tie every element in your proposed budget to an organizational goal.

    Non-project OpEx

    • Remember that OpEx is what comes from the realization of past strategic goals. If that past goal is still valid, then the OpEx that keeps that goal alive is, too.
    • Business viability and continuity are often unexpressed goals. OpEx directly supports these goals.
    • Periodically apply zero-based budgeting to OpEx to re-rationalize and identify waste.

    Non-project CapEx

    • Know the impact of any business growth goals on future headcount – this is essential to rationalize laptop/desktop and other end-user hardware spend.
    • Position infrastructure equipment spend in terms of having sufficient capacity to support growth goals as well as ensuring network/system reliability and continuity.
    • Leverage depreciation schedules as backup.

    Project CapEx

    • Challenge business-driven CapEx projects if they don’t directly support stated goals.
    • Ideally, the goal-supporting rationales for software, hardware, and workforce CapEx have been laid out in an already-approved project proposal. Refer to these plans.
    • If pitching a capital project at the last minute, especially an IT-driven one, expect a “no” regardless of how well it ties to goals.

    Your governance culture will determine what you need to show and when you show it

    The rigor of your rationales is entirely driven by “how things are done around here.”

    Governance Culture

    How rigorous/ constrained
    is decision-making?

    Risk tolerance

    This is the organization’s willingness to be flexible, take chances, make change, and innovate. It is often driven by legal and regulatory mandates.

    Control

    Control manifests in the number and nature of rules and how authority and accountability are centralized or distributed in the organization.

    Speed to action

    How quickly decisions are made and executed upon is determined by the amount of consultation and number of approval steps.

    Ensure all parts of your proposed budget align with what’s tolerated and allowed.

    Non-project OpEx

    • Don’t hide OpEx. If it’s a dirty word, put it front and center to start normalizing it.
    • As with business goals, position OpEx as necessary for business continuity and risk mitigation, as well as the thing that keeps long-term strategic goals alive.
    • Focus on efficiency and cost control, both in terms of past and future initiatives, regardless of the governance culture.

    Non-project CapEx

    • Treat non-project CapEx in the same way as you would non-project OpEx.
    • IT must make purchases quickly in this area of spend, but drawn-out procurement processes can make this impossible. Consider including a separate proposal to establish a policy that gives IT the control to make end-user and network/data center equipment purchases faster and easier.

    Project CapEx

    • If your organization is risk-averse, highly centralized, or slow to act, don’t expect IT to win approval for innovative capital projects. Let the business make any pitches and have IT serve in a supporting role.
    • Capital projects are often committed to 6-12 months in advance and can’t be completed within a fiscal year. Nudge the organization toward longer-term, flexible funding.

    No matter which way your goals and culture lean, ground all your rationales in reality

    Objective, unapologetic facts are your strongest rationale-building tool.

    Feasibility

    Can we do it, and what sacrifices will we have to make?

    Funding

    The ultimate determinant of feasibility is the availability, quantity, and reliability of funding next fiscal year and over the long term to support investment.

    Capabilities

    Success hinges on both the availability and accessibility of required skills and knowledge to execute on a spend plan in the required timeframe.

    Risk

    Risk is not just about obstacles to success and what could happen if you do something – it’s also about what could happen if you do nothing at all.

    Vet every part of your proposed budget to ensure what you’re asking for is both realistic and possible.

    Non-project OpEx

    • Point out your operational waste-reduction and efficiency-gaining efforts in hard, numerical terms.
    • Clearly demonstrate that OpEx cannot be reduced without sacrifices on the business side, specifically in terms of service levels.
    • Define OpEx impacts for all CapEx proposals to ensure funding commitments include long-term maintenance and support.

    Non-project CapEx

    • This is a common source of surprise budget overage, and IT often sacrifices parts of its OpEx budget to cover it. Shed light on this problem and define IT’s boundaries.
    • A core infrastructure equipment contingency fund and a policy mandating business units pay for unbudgeted end-user tech due to unplanned or uncommunicated headcount increases are worth pursuing.

    Project CapEx

    • Be sure IT is involved with every capital project proposal that has a technological implication (which is usually all of them).
    • Specifically, IT should take on responsibility for tech vendor evaluation and negotiation. Never leave this up to the business.
    • Ensure IT gains funding for supporting any technologies acquired via a capital planning process, including hiring if necessary.

    Double-check to ensure your bases are covered

    Detailed data and information checklist:

    • I have the following data and information for each item of proposed expenditure:
    • Sponsors, owners, and/or managers from IT and the business.
    • CapEx and OpEx costs broken down by workforce (employees/contract) and vendor (software, hardware, services) at a minimum for both last fiscal year (if continuing spend) and next fiscal year to demonstrate any changes.
    • Projected annual costs for the above, extending two to five years into the future, with dates when new spending will start, known depreciations will end, and CapEx will transition to OpEx.
    • Descriptions of any tradeoffs or potential obstacles.
    • Lifespan information for new, proposed assets informing depreciation scheduling.
    • Sources of funding (especially if new, transferred, or changed).
    • Copies of any research used to inform any of the above.

    High-level rationale checklist:

    • I have done the following thinking and analysis for each item of proposed expenditure:
    • Considered it in the context of my organization’s broader operating environment and the constraints and opportunities this creates.
    • Tied it – directly or indirectly – to the achievement or sustainment of current or past (but still relevant) organizational goals.
    • Understood my organization’s tolerances, how things get done, and whether I can win any battles that I need to fight given these realities.
    • Worked with business unit leaders to fully understand their plans and how IT can support them.
    • Obtained current, verifiable data and information and have a good idea if, when, and how this information may change next year.
    • Assessed benefits, risks, dependencies, and overall feasibility, as well as created ROI statements where needed.
    • Stuck to the facts and am confident they can speak for themselves.

    For more on creating detailed business cases for projects and investments, see Info-Tech’s comprehensive blueprint, Build a Comprehensive Business Case.

    4.2 Challenge and perfect your rationales

    2 hours

    1. Based on your analysis in Phase 1, review your organization’s current and near-term business goals (context, lifecycle position, opportunities), governance culture (risk tolerance, control, speed to action), and feasibility (funding, capabilities, risk) to understand what’s possible, what’s not, and your general boundaries.
    2. Review your proposed budget in its current form and flag items that may be difficult or impossible to sell, given the above.
    3. Systematically go through each item in you proposed budget and apply the detailed data and information and high-level rationale checklists on the previous slide to ensure you have considered it from every angle and have all the information you need to defend it.
    4. Track down any additional information needed to fill gaps and fine-tune your budget based on any discoveries, including eliminating or adding elements if needed.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Final drafts of all IT cost forecasts, including rationales
    • Fully rationalized proposed IT budget for next fiscal year
    MaterialsParticipants
    • IT Cost Forecasting and Budgeting Workbook
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Phase recap: Build your proposed budget

    You can officially say your proposed IT budget is done. Now for the communications part.

    This phase is where everything came together into a coherent budget proposal. You were able to:

    • Aggregate your numbers. This involved pulling for project and non-project CapEx and OpEx forecasts into a single proposed IT budget total.
    • Stress-test your forecasts. Here, you ensured that all your numbers were accurate and made sense.
    • Challenge and perfect your rationales. Finally, you made sure you have all your evidence in place and can defend every component in your proposed IT budget regardless of who’s looking at it.

    “Current OpEx is about supporting and aligning with past business strategies. That’s alignment. If the business wants to give up on those past business strategies, that’s up to them.”

    – Darin Stahl, Distinguished Analyst and Research Fellow, Info-Tech Research Group

    Phase 5

    Create and Deliver Your Presentation

    Lay Your
    Foundation

    Get Into Budget-Starting Position

    Develop Your
    Forecasts

    Build Your
    Proposed Budget

    Create and Deliver Your Presentation

    1.1 Understand what your budget is
    and does

    1.2 Know your stakeholders

    1.3 Continuously pre-sell your budget

    2.1 Assemble your resources

    2.2 Understand the four views of the ITFM Cost Model

    2.3 Review last year’s budget vs.
    actuals and five-year historical trends

    2.4 Set your high-level goals

    3.1 Develop assumptions and
    alternative scenarios

    3.2 Forecast your project CapEx

    3.3 Forecast your non-project CapEx and OpEx

    4.1 Aggregate your numbers

    4.2 Stress test your forecasts

    4.3 Challenge and perfect your
    rationales

    5.1 Plan your content

    5.2 Build your presentation

    5.3 Present to stakeholders

    5.4 Make final adjustments and submit your IT budget

    This phase will walk you through the following activities:

    • Planning the content you’ll include in your budget presentation.
    • Pulling together your formal presentation.
    • Presenting, finalizing, and submitting your budget.

    This phase involves the following participants:

    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Create and deliver your presentation

    Pull it all together into something you can show your approvers and stakeholders and win IT budgetary approval.

    This phase focuses on developing your final proposed budget presentation for delivery to your various stakeholders. Here you will:

    • Plan your final content. Decide the narrative you want to tell and select the visualizations and words you want to include in your presentation (or presentations) depending on the makeup of your target audience.
    • Build your presentation. Pull together all the key elements in a PowerPoint template in a way that best tells the IT budget story.
    • Present to stakeholders. Deliver your IT budgetary message.
    • Make final adjustments and submit your budget. Address any questions, make final changes, and deconstruct your budget into the account categories mandated by your Finance Department to plug into the budget template they’ve provided.

    “I could have put the numbers together in a week. The process of talking through what the divisions need and spending time with them is more time consuming than the budget itself.”

    – Jay Gnuse, IT Director, Chief Industries

    The content you select to present depends on your objectives and constraints

    Info-Tech classifies potential content according to three basic types: mandatory, recommended, and optional. What’s the difference?

    Mandatory: Just about every CFO or approving body will expect to see this information. Often high level in nature, it includes:

    • A review of last year’s performance.
    • A comparison of proposed budget totals to last year’s actuals.
    • A breakdown of CapEx vs. OpEx.
    • A breakdown of proposed expenditure according to traditional workforce and vendor costs.

    Recommended: This information builds on the mandatory elements, providing more depth and detail. Inclusion of recommended content depends on:

    • Availability of the information.
    • Relevance to a current strategic focus or overarching initiative in the organization.
    • Known business interest in the topic, or the topic’s ability to generate interest in IT budgetary concerns in general.

    Optional: This is very detailed information that provides alternative views and serves as reinforcement of your key messages. Consider including it if:

    • You need to bring fuller transparency to a murky IT spending situation.
    • Your audience is open to it, i.e. it wouldn’t be seen as irrelevant, wasting their time, or a cause of discord.
    • You have ample time during your presentation to dive into it.

    Deciding what to include or exclude depends 100% on your target audience. What will fulfill their basic information needs as well as increase their engagement in IT financial issues?

    Revisit your assumptions and alternative scenarios first

    These represent the contextual framework for your proposal and explain why you made the decisions you did.

    Stating your assumptions and presenting at least two alternative scenarios helps in the following ways:

    1. Identifies the factors you considered when setting budget targets and proposing specific expenditures, and shows that you know what the important factors are.
    2. Lays the logical foundation for all the rationales you will be presenting.
    3. Demonstrates that you’ve thought broadly about the future of the organization and how IT is best able to support that future organization regardless of its state and circumstances.

    Your assumptions and alternative scenarios may not appear back-to-back in your presentation, yet they’re intimately connected in that every unique scenario is based on adjustments to your core assumptions. These tweaks – and the resulting scenarios – reflect the different degrees of probability that a variable is likely to land on a certain value (i.e. an alternative assumption).

    Your primary scenario is the one you believe is most likely to happen and is represented by the complete budget you’re recommending and presenting.

    Target timeframe for presentation: 2 minutes

    Key objectives: Setting context, demonstrating breadth of thought.

    Potential content for section:

    • List of assumptions for the budget being presented (primary target scenario).
    • Two or more alternative scenarios.

    “Things get cut when the business
    doesn’t know what something is,
    doesn’t recognize it, doesn’t understand it. There needs to be an education.”

    – Angie Reynolds, Principal Research Director, ITFM Practice,
    Info-Tech Research Group,

    Select your assumptions and scenarios

    See Tabs “Planning Variables” and 9, “Alternative Scenarios” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Core assumptions

    Primary target scenario

    Alternative scenarios

    Full alternative scenario budgets

    List

    Slide

    Slide

    Budget

    Mandatory: This is a listing of both internal and external factors that are most likely to affect the challenges and opportunities your organization will have and how it can and will operate. This includes negotiable and non-negotiable internal and external constraints, stated priorities, and the expression of known risk factors.

    Mandatory: Emanating from your core assumptions, this scenario is a high-level statement of goals, initial budget targets, and proposed budget based on your core assumptions.

    Recommended: Two alternatives are typical, with one higher spend and one lower spend than your target. The state of the economy and funding availability are the assumptions usually tweaked. More radical scenarios, like the cost and implications of completely outsourcing IT, can also be explored.

    Optional: This is a lot of work, but some IT leaders do it if an alternative scenario is a strong contender or is necessary to show that a proposed direction from the business is costly or not feasible.

    The image contains screenshots of tab Planning Variables and Alternative Scenarios.

    The first major section of your presentation will be a retrospective

    Plan to kick things off with a review of last year’s results, factors that affected what transpired, and longer-term historical IT expenditure trends.

    This retrospective on IT expenditure is important for three reasons:

    1. Clarifying definitions and the different categories of IT expenditure.
    2. Showing your stakeholders how, and how well you aligned IT expenditure with business objectives.
    3. Setting stakeholder expectations about what next year’s budget will look like based on past patterns.

    You probably won’t have a lot of time for this section, so everything you select to share should pack a punch and perform double duty by introducing concepts you’ll need your stakeholders to have internalized when you present next year’s budget details.

    Target timeframe for presentation: 7 minutes

    Key objectives: Definitions, alignment, expectations-setting.

    Potential content for section:

    • Last fiscal year budgeted vs. actuals
    • Expenditure by type
    • Major capital projects completed
    • Top vendor spend
    • Drivers of last year’s expenditures and efficiencies
    • Last fiscal year in in detail (expense view, service view, business view, innovation view)
    • Expenditure trends for the past five years

    “If they don’t know the consequences of their actions, how are they ever going to change their actions?”

    – Angela Hintz, VP of PMO & Integrated Services,
    Blue Cross and Blue Shield of Louisiana

    Start at the highest level

    See Tabs 1 “Historical Events & Projects,” 3 “Historical Analysis,” and 6 “Vendor Worksheet” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Total budgeted vs. total actuals

    Graph

    Mandatory: Demonstrates the variance between what you budgeted for last year and what was actually spent. Explaining causes of variance is key.

    l actuals by expenditure type

    Graph

    Mandatory: Provides a comparative breakdown of last year’s expenditure by non-project OpEx, non-project CapEx, and project CapEx. This offers an opportunity to explain different types of IT expenditure and why they’re the relative size they are.

    Major capital projects completed

    List

    Mandatory: Illustrates progress made toward strategically important objectives.

    Top vendors

    List

    Recommended: A list of vendors that incurred the highest costs, including their relative portion of overall expenditure. These are usually business software vendors, i.e. tools your stakeholders use every day. The number of vendors shown is up to you.

    The image contains screenshots from Tabs 1, 3, and 6 of the IT Cost Forecasting and Budgeting Workbook.

    Describe drivers of costs and savings

    See Tab 1, “Historical Events & Projects” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Cost drivers

    List

    Mandatory: A list of major events, circumstances, business decisions, or non-negotiable factors that necessitated expenditure. Be sure to focus on the unplanned or unexpected situations that caused upward variance.

    Savings drivers

    List

    Mandatory: A list of key initiatives pursued, or circumstances that resulted in efficiencies or savings. Include any deferred or canceled projects.

    The image contains screenshots from Tab 1 of the IT Cost Forecasting and Budgeting Workbook.

    Also calculate and list the magnitude of costs incurred or savings realized in hard financial terms so that the full impact of these events is truly understood by your stakeholders.

    “What is that ongoing cost?
    If we brought in a new platform, what
    does that do to our operating costs?”

    – Kristen Thurber, IT Director, Office of the CIO, Donaldson Company

    End with longer-term five-year trends

    See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    IT actual expenditure
    year over year

    Graph

    Mandatory: This is crucial for showing overall IT expenditure patterns, particularly percentage changes up or down year to year, and what the drivers of those changes were.

    IT actuals as a % of organizational revenue

    Graph

    Mandatory: You need to set the stage for the proposed percentage of organizational revenue to come. The CFO will be looking for consistency and an overall decreasing pattern over time.

    IT expenditure per FTE year over year

    Graph

    Optional: This can be a powerful metric as it’s simple and easily to understand.

    The image contains screenshots from Tab 3 of the IT Cost Forecasting and Budgeting Workbook.

    The historical analysis you can do is endless. You can generate many more cuts of the data or go back even further – it’s up to you.

    Keep in mind that you won’t have a lot of time during your presentation, so stick to the high-level, high-impact graphs that demonstrate overarching trends or themes.

    Show different views of the details

    See Tab 3 “Historical Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Budgeted vs. actuals CFO expense view

    Graph

    Mandatory: Showing different types of workforce expenditure compared to different types of vendor expenditure will be important to the CFO.

    Budgeted vs. actuals CIO services view

    Graph

    Optional: Showing the expenditure of some IT services will clarify the true total costs of delivering and supporting these services if misunderstandings exist.

    Budgeted vs. actuals CXO business view

    Graph

    Optional: A good way to show true consumption levels and the relative IT haves and have-nots. Potentially political, so consider sharing one-on-one with relevant business unit leaders instead of doing a big public reveal.

    Budgeted vs. actual CEO innovation view

    Graph

    Optional: Clarifies how much the organization is investing in innovation or growth versus keeping the lights on. Of most interest to the CEO and possibly the CFO, and good for starting conversations about how well funding is aligned with strategic directions.

    The image contains screenshots from Tab 3 of the IT Cost Forecasting and Budgeting Workbook.

    5.1a Select your retrospective content

    30 minutes

    1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
    2. From Tabs 1, “Historical Events & Projects, 3 “Historical Analysis”, and 6, “Vendor Worksheet,” select the visual outputs (graphs and lists) you plan to include in the retrospective section of your presentation. Consider the following when determining what to include or exclude:
      1. Fundamentals: Elements such as budgeted vs. actual, distribution across expenditure types, and drivers of variance are mandatory.
      2. Key clarifications: What expectations need to be set or common misunderstandings cleared up? Strategically insert visuals that introduce and explain important concepts early.
      3. Your time allowance. Plan for a maximum of seven minutes for every half hour of total presentation time.
    3. Note what you plan to include in your presentation and set aside.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Data and graphs from the completed IT Cost Forecasting and Budgeting Workbook
    • Selected content and visuals for the historical/ retrospective section of the IT Budget Executive Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Next, transition from past expenditure to your proposal for the future

    Build a logical bridge between what happened in the past to what’s coming up next year using a comparative approach and feature major highlights.

    This transitional phase between the past and the future is important for the following reasons:

    1. It illustrates any consistent patterns of IT expenditure that may exist and be relevant in the near term.
    2. It sets the stage for explaining any deviations from historical patterns that you’re about to propose.
    3. It grounds proposed IT expenditure within the context of commitments made in previous years.

    Consider this the essential core of your presentation – this is the key message and what your audience came to hear.

    Target timeframe for presentation: 10 minutes

    Key objectives: Transition, reveal proposed budget.

    Potential content for section:

    • Last year’s actuals vs. next year’s proposed.
    • Next year’s proposed budget in context of the past five years’ year-over-year actuals.
    • Last year’s actual expenditure type distribution vs. next year’s proposed budget distribution.
    • Major projects to be started next year.

    “The companies...that invest the most in IT aren’t necessarily the best performers.
    On average, the most successful small and medium companies are more frugal when it comes to
    company spend on IT (as long as they do it judiciously).”

    – Source: Techvera, 2023

    Compare next year to last year

    See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Last year’s total actuals vs. next year’s total forecast

    Proposed budget in context: Year-over-year expenditure

    Last year’s actuals vs. next year’s proposed by expenditure type

    Last year’s expenditure per FTE vs. next year’s proposed

    Graph

    Graph

    Graph

    Graph

    Mandatory: This is the most important graph for connecting the past with the future and is also the first meaningful view your audience will have of your proposed budget for next year.

    Mandatory: Here, you will continue the long-term view introduced in your historical data by adding on next year’s projections to your existing five-year historical trend. The percentage change from last year to next year will be the focus.

    Recommended: A double-comparative breakdown of last year vs. next year by non-project OpEx, non-project CapEx, and project CapEx illustrates where major events, decisions, and changes are having their impact.

    Optional: This graph is particularly useful in demonstrating the success of cost-control if the actual proposed budget is higher that the previous year but the IT cost per employee has gone down.

    The image contains screenshots from Tab 8 of the IT Cost Forecasting and Budgeting Workbook.

    Select business projects to profile

    See Tab 5, “Project CapEx Forecast” in your IT Cost Forecasting and Budgeting Workbook for the data and information to create these outputs.

    Major project profile

    Slide

    Mandatory: Focus on projects for which funding is already committed and lean toward those that are strategic or clearly support business goal attainment. How many you profile is up to you, but three to five is suggested.

    Minor project overview

    List

    Optional: List other projects on IT’s agenda to communicate the scope of IT’s project-related responsibilities and required expenditure to be successful. Include in-progress projects that will be completed next year and net-new projects on the roster.

    The image contains screenshots from Tab 5 of the IT Cost Forecasting and Budgeting Workbook.

    You can’t profile every project on the list, but it’s important that your stakeholders see their priorities clearly reflected in your budget; projects are the best way to do this.

    If you’ve successfully pre-sold your budget and partnered with business-unit leaders to define IT initiatives, your stakeholders should already be very familiar with the project summaries you put in front of them in your presentation.

    5.1b Select your transitional past-to-future content

    30 minutes

    1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
    2. From Tabs 5, “Project CapEx Forecast” and 7, “Proposed Budget Analysis”, select the visual outputs (graphs and lists) you plan to include in the transitional section of your presentation. Consider the following when determining what to include or exclude:
      1. Shift from CapEx to OpEx: If this has been a point of contention or confusion with your CFO in the past, or if your organization has actively committed to greater cloud or outsourcing intensity, you’ll want to show this year-to-year shift in expenditure type.
      2. Strategic priorities: Profile major capital projects that reflect stakeholder priorities. If your audience is already very familiar with these projects, you may be able to skip detailed profiles and simply list them.
      3. Your time allowance. Plan for a maximum of 10 minutes for every half hour of total presentation time.
    3. Note what you plan to include in your presentation and set aside.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Data and graphs from the completed IT Cost Forecasting and Budgeting Workbook
    • Selected content and visuals for the past-to-future transitional section of the IT Budget Executive Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Finally, carefully select detailed drill-downs that add clarity and depth to your proposed budget

    The graphs you select here will be specific to your audience and any particular message you need to send.

    This detailed phase of your presentation is important because it allows you to:

    1. Highlight specific areas of IT expenditure that often get buried under generalities.
    2. View your proposed budget from different perspectives that are most meaningful to your audience, such as traditional workforce vs. vendor allocations, expenditure by IT service, business-unit consumption, and the allocation of funds to innovation and growth versus daily IT operations.
    3. Get stakeholder attention. For example, laying out exactly how much money will be spent next year in support of the Sales Department compared to other units will get the VP of Sales’ attention…and everyone else’s, for that matter. This kind of transparency is invaluable for enabling meaningful conversations and thoughtful decision-making about IT spend.

    Target timeframe for presentation: 7 minutes, but this phase of the presentation may naturally segue into the final Q&A.

    Key objectives: Transparency, dialogue, buy-in.

    Potential content for section:

    • Allocation across workforce vs. vendors
    • Top vendors by expenditure
    • Allocation across on-premises vs. cloud
    • Allocation across core IT services
    • Allocation across core business units
    • Allocation across business focus area

    “A budget is a quantified version of
    your service-level agreements.”

    – Darin Stahl, Distinguished Analysis & Research Fellow,
    Info-Tech Research Group,

    Start with the expense view details

    See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Proposed budget: Workforce and vendors by expenditure type

    Graph

    Mandatory: This is the traditional CFO’s view, so definitely show it. The compelling twist here is showing it by expenditure type, i.e. non-project OpEx, non-project CapEx, and project CapEx.

    Proposed budget: Cloud vs. on-premises vendor expenditure

    Graph

    Optional: If this is a point of contention or if an active transition to cloud solutions is underway, then show it.

    Top vendors

    Graph

    Recommended: As with last year’s actuals, showing who the top vendors are slated to be next year speaks volumes to stakeholders about exactly where much of their money is going.

    If you have a diverse audience with diverse interests, be very selective – you don’t want to bore them with things they don’t care about.

    The image contains screenshots from Tab 8 of the IT Cost Forecasting and Budgeting Workbook.

    Offer choice details on the other views

    See Tab 8, “Proposed Budget Analysis” in your IT Cost Forecasting and Budgeting Workbook for these outputs.

    Proposed budget: IT services by expenditure type

    Graph

    Optional: Business unit leaders will be most interested in the application services. Proposed expenditure on security and data and BI services may be of particular interest given business priorities. Don’t linger on infrastructure spend unless chargeback is in play.

    Proposed budget: Business units by expenditure type

    Graph

    Optional: The purpose of this data is to show varying business units where they stand in terms of consumption. It may be more appropriate to show this graph in a one-on-one meeting or other context.

    Proposed budget: Business focus by expenditure type

    Graph

    Optional: The CEO will care most about this data. If they’re not in the room, then consider bypassing it and discuss it separately with the CFO.

    Inclusion of these graphs really depends on the makeup of your audience. It’s a good decision to show all of them to your CFO at some point before the formal presentation. Consider getting their advice on what to include and exclude.

    The image contains screenshots from Tab 8 of the IT Cost Forecasting and Budgeting Workbook.

    5.1c Select next year’s expenditure sub-category details

    30 minutes

    1. Open your copy of the IT Cost Forecasting and Budgeting Workbook.
    2. From Tab 8, “Proposed Budget Analysis,” select the visual outputs (graphs) you plan to include in the targeted expenditure sub-category details section of your presentation. Consider the following when determining what to include or exclude:
      1. The presence of important fence-sitters. If there are key individuals who require more convincing, this is where you show them the reality of what it costs to deliver their most business-critical IT services to them.
      2. The degree to which you’ve already gone over the numbers previously with your audience. Again, if you’ve done your pre-selling, this data may be old news and not worth going over again.
      3. Your time allowance. Plan for a maximum of seven minutes for every half hour of total presentation time.
    3. Note what you plan to include in your presentation and set aside.

    Download the IT Cost Forecasting and Budgeting Workbook

    InputOutput
    • Data and graphs from the completed IT Cost Forecasting and Budgeting Workbook
    • Selected content and visuals for the expenditure category details section of the IT Budget Executive Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Head of IT
    • IT Financial Lead
    • Other IT Management

    Finalize your line-up and put your selected content into a presentation template

    This step is about nailing down the horizontal logic of the story you want to tell. Start by ordering and loading the visualizations of your budget data.

    Download Info-Tech’s IT Budget Executive Presentation Template

    The image contains a screenshot of the IT Budget Executive Presentation Template.

    If you prefer, use your own internal presentation standard template instead and Info-Tech’s template as a structural guide.

    Regardless of the template you use, Info-Tech recommends the following structure:

    1. Summary: An overview of your decision-making assumptions, initial targets given the business context, and the total proposed IT budget amount.
    2. Retrospective: An overview of previous years’ performance, with a specific focus on last fiscal year.
    3. Proposed budget overview: A high-level view of the proposed budget for next fiscal year in the context of last year’s performance (i.e. the bridge from past to future), including alternative scenarios considered and capital projects on the roster.
    4. Proposed budget details by category: Detailed views of the proposed budget by expense type, IT service, business unit, and business focus category.
    5. Next steps: Include question-and-answer and itemization of your next actions through to submitting your final budget to the CFO.

    Draft the commentary that describes and highlights your data’s key messages

    This is where the rationales that you perfected earlier come into play.

    Leave the details for the speaker’s notes.
    Remember that this is an executive presentation. Use tags, pointers, and very brief sentences in the body of the presentation itself. Avoid walls of text. You want your audience to be listening to your words, not reading a slide.

    Speak to everything that represents an increase or decrease of more than 5% or that simply looks odd.
    Being transparent is essential. Don’t hide anything. Acknowledge the elephant in the room before your audience does to quickly stop suspicious or doubtful thoughts

    Identify causes and rationales.
    This is why your numbers are as they are. However, if you’re not 100% sure what all driving factors are, don’t make them up. Also, if the line between cause and effect isn’t straight, craft in advance a very simple way of explaining it that you can offer whenever needed.

    Be neutral and objective in your language.
    You need to park strong feelings at the door. You’re presenting rational facts and thoroughly vetted recommendations. The best defense is not to be defensive, or even offensive for that matter. You don’t need to argue, plead, or apologize – let your information speak for itself and allow the audience to arrive at their own logical conclusions.

    Re-emphasize your core themes to create connections.
    If a single strategic project is driving cost increases across multiple cost categories, point it out multiple times if needed to reinforce its importance. If an increase in one area is made possible by a significant offset in another, say so to demonstrate your ongoing commitment to efficiencies. If a single event from last year will continue having cost impacts on several IT services next year, spell this out.

    5.2 Develop an executive presentation

    Duration: 2 hours

    1. Download the IT Budget Executive Presentation PowerPoint template.
    2. Open your working version of the IT Cost Forecasting and Budgeting Workbook and copy and paste your selected graphs and tables into the template. Note: Pasting as an image will preserve graph formatting.
    3. Incorporate observations and insights about your proposed budget and other analysis into the template where indicated.
    4. Conduct an internal review of the final presentation to ensure it includes all the elements you need and is error-free.

    Note: Refer to your organization’s standards and norms for executive-level presentations and either adapt the Info-Tech template accordingly or use your own.

    Download the IT Budget Executive Presentation template

    Input Output
    • Tabular and graphical data outputs in the IT Cost Forecasting and Budgeting Workbook
    • Interpretive commentary based on your analysis
    • Executive presentation summarizing your proposed IT budget
    Materials Participants
    • IT Cost Forecasting and Budgeting Workbook
    • IT Budget Executive Presentation template
    • CIO/IT Directors
    • IT Financial Lead
    • Other IT Management

    Now it’s time to present your proposed IT budget for next fiscal year

    If you’ve done your homework and pre-sold your budget, the presentation itself should be a mere formality with no surprises for anyone, including you.

    Some final advice on presenting your proposed budget…

    Partner up

    If something big in your budget is an initiative that’s for a specific business unit, let that business unit’s leader be the face of it and have IT play the role of supporting partner.

    Use your champions

    Let your advocates know in advance that you’d appreciate hearing their voice during the presentation if you encounter any pushback, or just to reinforce your main messages.

    Focus on the CFO

    The CFO is the most important stakeholder in the room at the end of the day, even more than the CEO in some cases. Their interests should take priority if you’re pressed for time.

    Avoid judgment

    Let the numbers speak for themselves. Do point out highlights and areas of interest but hold off on offering emotion-driven opinions. Let your audience draw their own conclusions.

    Solicit questions

    You do want dialogue. However, keep your answers short and to the point. What does come up in discussion is a good indication of where you’ll need to spend more time in the future.

    The only other thing that can boost your chances is if you’re lucky enough to be scheduled to present between 10:00 and 11:00 on a Thursday morning when people are most agreeable. Beyond that, apply the standard rules of good presentations to optimize your success.

    Your presentation is done – now re-focus on budget finalization and submission

    This final stage tends to be very administrative. Follow the rules and get it done.

    • Incorporate feedback: Follow up on comments from your first presentation and reflect them in your budget if appropriate. This may include:
      • Having follow-up conversations with stakeholders.
      • Further clarifying the ROI projections or business benefits.
      • Adjusting proposed expenditure amounts based on new information or a shift in priorities.
      • Adding details or increasing granularity around specific issues of interest.
    • Trim: Almost every business unit leader will need to make cuts to their initial budget proposal. After all, the CFO has a finite pool of money to allocate. If all’s gone well, it may only be a few percent. Resurrect your less-costly alternative scenario and selectively apply the options you laid out there. Focus on downsizing or deferring capital projects if possible. If you must trim OpEx, remind the CFO about any service-level adjustments that will need to happen to make the less expensive alternatives work.
    • Re-present: It’s not unusual to have to present your budget one more time after you’ve made your adjustments. In some organizations, the first presentation is to an internal executive group while the second one is to a governing board. The same rules apply to this second presentation as to your first one.
    • Submit: Slot your final budget into the list of accounts prescribed in the budget template provided by Finance. These templates often don’t align with IT’s budget categories, but you’ll have to make do.

    Phase recap: Create and deliver your presentation

    You’ve reached the end of the budget creation and approval process. Now you can refocus on using your budget as a living governance tool.

    This phase focused on developing your final proposed budget presentation for delivery to your various stakeholders. Here, you:

    • Planned your final content. You selected the data and visuals to include and highlight.
    • Built your presentation. You pulled everything together into a PowerPoint template and crafted commentary to tell a cohesive IT budget story.
    • Presented to stakeholders. You delivered your proposed IT budget and solicited their comments and feedback.
    • Made final adjustments and submitted your budget. You applied final tweaks, deconstructed your budget to fit Finance’s template, and submitted it for entry into Finance’s system.

    “Everyone understands that there’s never enough money. The challenge is prioritizing the right work and funding it.”

    – Trisha Goya, Director, IT Governance & Administration, Hawaii Medical Service Association

    Next Steps

    “Keep that conversation going throughout the year so that at budgeting time no one is surprised…Make sure that you’re telling your story all year long and keep track of that story.”

    – Angela Hintz, VP of PMO & Integrated Services,
    Blue Cross and Blue Shield of Louisiana

    This final section will provide you with:

    • An overall summary of accomplishment.
    • Recommended next steps.
    • A list of contributors to this research.
    • Some related Info-Tech resources.

    Summary of Accomplishment

    You’ve successfully created a transparent IT budget and gotten it approved.

    By following the phases and steps in this blueprint, you have:

    1. Learned more about what an IT budget does and what it means to your key stakeholders.
    2. Assembled your budgeting team and critical data needed for forecasting and budgeting, as well as set expenditure goals for next fiscal year, and metrics for improving the budgeting process overall.
    3. Forecasted your project and non-project CapEx and OpEx for next fiscal year and beyond.
    4. Fine-tuned your proposed expenditure rationales.
    5. Crafted and delivered an executive presentation and got your budget approved.

    What’s next?

    Use your approved budget as an ongoing IT financial management governance tool and track your budget process improvement metrics.

    If you would like additional support, have our analysts guide you through an Info-Tech full-service engagement or Guided Implementation.

    Contact your account representative for more information.

    1-888-670-8889

    Research Contributors and Experts

    Monica Braun

    Research Director, ITFM Practice

    Info-Tech Research Group

    Carol Carr

    Technical Counselor (Finance)

    Info-Tech Research Group

    Larry Clark

    Executive Counselor

    Info-Tech Research Group

    Duane Cooney

    Executive Counselor

    Info-Tech Research Group

    Lynn Fyhrlund

    Former Chief Information Officer

    Milwaukee County

    Jay Gnuse

    Information Technology Director

    Chief Industries

    Trisha Goya

    Director, IS Client Services

    Hawaii Medical Service Association

    Angela Hintz

    VP of PMO & Integrated Services

    Blue Cross and Blue Shield of Louisiana

    Rick Hopfer

    Chief Information Officer

    Hawaii Medical Service Association

    Theresa Hughes

    Executive Counselor

    Info-Tech Research Group

    Research Contributors and Experts

    Dave Kish

    Practice Lead, IT Financial Management Practice

    Info-Tech Research Group

    Matt Johnson

    IT Director Governance and Business Solutions

    Milwaukee County

    Titus Moore

    Executive Counselor

    Info-Tech Research Group

    Angie Reynolds

    Principal Research Director, IT Financial Management Practice

    Info-Tech Research Group

    Mark Roman

    Managing Partner, Executive Services

    Info-Tech Research Group

    Darin Stahl

    Distinguished Analyst & Research Fellow

    Info-Tech Research Group

    Miguel Suarez

    Head of Technology

    Seguros Monterrey New York Life

    Kristen Thurber

    IT Director, Office of the CIO

    Donaldson Company

    Related Info-Tech Research & Services

    Achieve IT Spend & Staffing Transparency

    • IT spend has increased in volume and complexity, but how IT spend decisions are made has not kept pace.
    • Lay a foundation for meaningful conversations and informed decision making around IT spend by transparently mapping exactly where IT funds are really going.

    IT Spend & Staffing Benchmarking Service

    • Is a do-it-yourself approach to achieving spend transparency too onerous? Let Info-Tech do the heavy lifting for you.
    • Using Info-Tech’s ITFM Cost Model, our analysts will map your IT expenditure to four different stakeholder views – CFO Expense View, CIO Service View, CXO Business View, and CEO Innovation View – so that you clearly show where expenditure is going in terms that stakeholders can relate to and better demonstrate IT’s value to the business.
    • Get a full report that shows how your spend is allocated plus benchmarks that compare your results to those of your industry peers.

    Build Your IT Cost Optimization Roadmap

    • Cost optimization is usually thought about in terms of cuts, when it’s really about optimizing IT’s cost-to-value ratio.
    • Develop a cost-optimization strategy based on your organization’s circumstances and timeline focused on four key areas of IT expenditure: assets, vendors, projects, and workforce.

    Bibliography

    “How Much Should a Company Spend on IT?” Techvera, no date. Accessed 3 Mar. 2023.
    “State of the CIO Study 2023.” Foundry, 25 Jan. 2023. Accessed 3 Mar. 2023.
    Aberdeen Strategy & Research. “The State of IT 2023.” Spiceworks. Ziff Davis, 2022. Accessed 28 Feb. 2023.
    Ainsworth, Paul. “Responsibilities of the Modern CFO - A Function in Transition.” TopTal, LLC., no date. Accessed 15 Feb. 2023.
    Balasaygun, Kaitlin. “For the first time in a long time, CFOs can say no to tech spending.” CNBC CFO Council, 19 Jan. 2023. Accessed 17 Feb. 2023.
    Bashir, Ahmad. “Objectives of Capital Budgeting and factors affecting Capital Budget Decisions.” LinkedIn, 27 May 2017. Accessed 14 Apr. 2023.
    Blackmon, Kris. “Building a Data-Driven Budget Pitch the C-Suite Can't Refuse.” NetSuite Brainyard, 21 Sep. 2021. Accessed 17 Feb. 2023
    Butcher, Daniel. “CFO to CFO: Budgeting to Fund Strategic Plans.” Strategic Finance Magazine/Institute of Management Accountants, 1 Dec. 2021. Accessed 17 Feb. 2023
    Gray, Patrick. “IT Budgeting: A Cheat Sheet.” TechRepublic, 29 Jul. 2020. Accessed 28 Feb. 2023.
    Greenbaum, David. “Budget vs. Actuals: Budget Variance Analysis & Guide.” OnPlan, 15 Mar. 2022. Accessed 22 Mar. 2023.
    Huber, Michael and Joan Rundle. “How to Budget for IT Like a CFO.” Huber & Associates, no date. Accessed 15 Feb. 2023.
    Kinney, Tara. “Executing Your Department Budget Like a CFO.” Atomic Revenue, LLC., no date. Accessed 15 Feb. 2023.
    Lafley, A.G. “What Only the CFO Can Do.” Harvard Business Review, May 2009. Accessed 15 Mar. 2009.
    Moore, Peter D. “IN THE DIGITAL WORLD, IT should be run as a profit center, not a cost center.” Wild Oak Enterprise, 26 Feb. 2020. Accessed 3 Mar. 2023.
    Nordmeyer, Bille. “What Factors Are Going to Influence Your Budgeting Decisions?” bizfluent, 8 May 2019. Accessed 14 Apr. 2023
    Ryan, Vincent. “IT Spending and 2023 Budgets Under Close Scrutiny.” CFO, 5 Dec. 2022. Accessed 3 Mar. 2023.
    Stackpole, Beth. “State of the CIO, 2022: Focus turns to IT fundamentals.” CIO Magazine, 21 Mar. 2022. Accessed 3 Mar. 2023.

    Exploit Disruptive Infrastructure Technology

    • Buy Link or Shortcode: {j2store}298|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Disruptive & Emerging Technologies
    • Parent Category Link: /disruptive-emerging-technologies
    • New technology can hit like a meteor. Not only disruptive to IT, technology provides opportunities for organization-wide advantage.
    • Your role is endangered. If you don’t prepare for the most disruptive technologies, you could be overshadowed. Don’t let the Chief Marketing Officer (CMO) set the technological innovation agenda
    • Predicting the future isn’t easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, predicting which specific technologies will become disruptive is difficult.
    • Communication is difficult when the sky is falling. Even forward-looking IT leaders struggle with convincing others to devote time and resources to monitoring technologies with a formal process.

    Our Advice

    Critical Insight

    • Establish the core working group, select a leader, and select a group of visionaries to help brainstorm emerging technologies.
    • Brainstorm about creating a better future, begin brainstorming an initial longlist.
    • Train the group to think like futurists.
    • Evaluate the shortlist.
    • Define your PoC list and schedule.
    • Finalize, present the plan to stakeholders and repeat.

    Impact and Result

    • Create a disruptive technology working group.
    • Produce a longlist of disruptive technologies.
    • Evaluate the longlist to produce a shortlist of disruptive technologies.
    • Develop a plan for a proof-of-concept project for each shortlisted technology.

    Exploit Disruptive Infrastructure Technology Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Exploit Disruptive Infrastructure Technology – A guide to help IT leaders make the most of disruptive impacts.

    As a CIO, there is a need to move beyond day-to-day technology management with an ever-increasing need to forecast technology impacts. Not just from a technical perspective but to map out the technical understandings aligned to potential business impacts and improvements. Technology transformation and innovation is moving more quickly than ever before and as an innovation champion, the CIO or CTO should have foresight in specific technologies with the understanding of how the company could be disrupted in the near future.

    • Exploit Disruptive Infrastructure Technology – Phases 1-3

    2. Disruptive Technology Exploitation Plan Template – A guide to develop the plan for exploiting disruptive technology.

    The Disruptive Technology Exploitation Plan Template acts as an implementation plan for developing a long-term strategy for monitoring and implementing disruptive technologies.

    • Disruptive Technology Exploitation Plan Template

    3. Disruptive Technology Look to the Past Tool – A tool to keep track of the missed technology disruption from previous opportunities.

    The Disruptive Technology Look to the Past Tool will assist you to collect reasonability test notes when evaluating potential disruptive technologies.

    • Disruptive Technology Look to the Past Tool

    4. Disruptive Technology Research Database Tool – A tool to keep track of the research conducted by members of the working group.

    The Disruptive Technology Research Database Tool will help you to keep track of the independent research that is conducted by members of the disruptive technology exploitation working group.

    • Disruptive Technology Research Database Tool

    5. Disruptive Technology Shortlisting Tool

    The Disruptive Technology Shortlisting Tool will help you to codify the results of the disruptive technology working group's longlist winnowing process.

    • Disruptive Technology Shortlisting Tool

    6. Disruptive Technology Value-Readiness and SWOT Analysis Tool – A tool to systematize notional evaluations of the value and readiness of potential disruptive technologies.

    The Disruptive Technology Value Readiness & SWOT Analysis Tool will assist you to systematize notional evaluations of the value and readiness of potential disruptive technologies.

    • Disruptive Technology Value-Readiness and SWOT Analysis Tool

    7. Proof of Concept Template – A handbook to serve as a reference when deciding how to proceed with your proposed solution.

    The Proof of Concept Template will guide you through the creation of a minimum-viable proof-of-concept project.

    • Proof of Concept Template

    8. Disruptive Technology Executive Presentation Template – A template to help you create a brief progress report presentation summarizing your project and program progress.

    The Disruptive Technology Executive Presentation Template will assist you to present an overview of the disruptive technology process, outlining the value to your company.

    • Disruptive Technology Executive Presentation Template

    Infographic

    Workshop: Exploit Disruptive Infrastructure Technology

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-work: Establish the Disruptive Tech Process

    The Purpose

    Discuss the general overview of the disruptive technology exploitation process.

    Develop an initial disruptive technology exploitation plan.

    Key Benefits Achieved

    Stakeholders are on board, the project’s goals are outlined, and the working group is selected.

    Activities

    1.1 Get execs and stakeholders on board.

    1.2 Review the process of analyzing disruptive tech.

    1.3 Select members for the working group.

    1.4 Choose a schedule and time commitment.

    1.5 Select a group of visionaries.

    Outputs

    Initialized disruptive tech exploitation plan

    Meeting agenda, schedule, and participants

    2 Hold the Initial Meeting

    The Purpose

    Understand how disruption will affect the organization, and develop an initial list of technologies to explore.

    Key Benefits Achieved

    Knowledge of how to think like a futurist.

    Understanding of organizational processes vulnerable to disruption.

    Outline of potentially disruptive technologies.

    Activities

    2.1 Start the meeting with introductions.

    2.2 Train the group to think like futurists.

    2.3 Brainstorm about disruptive processes.

    2.4 Brainstorm a longlist.

    2.5 Research and brainstorm separate longlists.

    Outputs

    List of disruptive organizational processes

    Initial longlist of disruptive tech

    3 Create a Longlist and Assess Shortlist

    The Purpose

    Evaluate the specific value of longlisted technologies to the organization.

    Key Benefits Achieved

    Defined list of the disruptive technologies worth escalating to the proof of concept stage.

    Activities

    3.1 Converge the longlists developed by the team.

    3.2 Narrow the longlist to a shortlist.

    3.3 Assess readiness and value.

    3.4 Perform a SWOT analysis.

    Outputs

    Finalized longlist of disruptive tech

    Shortlist of disruptive tech

    Value-readiness analysis

    SWOT analysis

    Candidate(s) for proof of concept charter

    4 Create an Action Plan

    The Purpose

    Understand how the technologies in question will impact the organization.

    Key Benefits Achieved

    Understanding of the specific effects of the new technology on the business processes it is intended to disrupt.

    Business case for the proof-of-concept project.

    Activities

    4.1 Build a problem canvas.

    4.2 Identify affected business units.

    4.3 Outline and map the business processes likely to be disrupted.

    4.4 Map disrupted business processes.

    4.5 Recognize how the new technology will impact business processes.

    4.6 Make the case.

    Outputs

    Problem canvas

    Map of business processes: current state

    Map of disrupted business processes

    Business case for each technology

    Further reading

    Analyst Perspective

    The key is in anticipation.

    “We all encounter unexpected changes and our responses are often determined by how we perceive and understand those changes. We react according to the unexpected occurrence. Business organizations are no different.

    When a company faces a major technology disruption in its markets – one that could fundamentally change the business or impact its processes and technology – the way its management perceive and understand the disruption influences how they describe and plan for it. In other words, the way management sets the context of a disruption – the way they frame it – shapes the strategy they adopt. Technology leaders can vastly influence business strategy by adopting a proactive approach to understanding disruptive and innovative technologies by simply adopting a process to review and evaluate technology impacts to the company’s lines of business.”

    This is a picture of Troy Cheeseman

    Troy Cheeseman
    Practice Lead, Infrastructure & Operations Research
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • New technology can hit like a meteor. Not only disruptive to IT, technology provides opportunities for organization-wide advantage.
    • Your role is endangered. If you don’t prepare for the most disruptive technologies, you could be overshadowed. Don’t let the chief marketing officer (CMO) set the technological innovation agenda.

    Common Obstacles

    • Predicting the future isn’t easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, predicting which specific technologies will become disruptive is difficult.
    • Communication is difficult when the sky is falling. Even forward-looking IT leaders struggle with convincing others to devote time and resources to monitoring technologies with a formal process.

    Info-Tech’s Approach

    • Identify, resolve, and evaluate. Use an annual process as described in this blueprint: a formal evaluation of new technology that turns analysis into action.
    • Lead the analysis from IT. Establish a team to carry out the annual process as a cure for the causes of “airline magazine syndrome” and to prevent it from happening in the future.
    • Train your team on the patterns of progress, track technology over time in a central database, and read Info-Tech’s analysis of upcoming technology.
    • Create your KPIs. Establish your success indicators to create measurable value when presenting to your executive.
    • Produce a comprehensive proof-of-concept plan that will allow your company to minimize risk and maximize reward when engaging with new technology.

    Info-Tech Insight

    Proactively monitoring, evaluating, and exploiting disruptive tech isn’t optional.
    This will protect your role, IT’s role, and the future of the organization.

    A diverse working group maximizes the insight brought to bear.
    An IT background is not a prerequisite.

    The best technology is only the best when it brings immediate value.
    Good technology might not be ready; ready technology might not be good.

    Review

    We help IT leaders make the most of disruptive impacts.

    This research is designed for:

    Target Audience: CIO, CTO, Head of Infrastructure

    This research will help you:

    • Develop a process for anticipating, analyzing, and exploiting disruptive technology.
    • Communicate the business case for investing in disruptive technology.
    • Categorize emerging technologies to decide what to do with them.
    • Develop a plan for taking action to exploit the technology that will most affect your organization.

    Problem statement:

    As a CIO, there is a need to move beyond day-to-day technology management with an ever-increasing need to forecast technology impacts. Not just from a technical perspective but to map out the technical understandings aligned to potential business impacts and improvements. Technology transformation and innovation is moving more quickly than ever before and as an innovation champion, the CIO or CTO should have foresight in specific technologies with the understanding of how the company could be disrupted in the near future. Foresight + Current Technology + Business Understanding = Understanding the Business Disruption. This should be a repeatable process, not an exception or reactionary response.

    Insight Summary

    Establish the core working group, select a leader, and select a group of visionaries to help brainstorm emerging technologies.

    The right team matters. A core working group will keep focus through the process and a leader will keep everyone accountable. Visionaries are out-of-the-box thinkers and once they understand how to think like a "futurists," they will drive the longlist and shortlist actions.

    Train the group to think like futurists

    To keep up with exponential technology growth you need to take a multi-threaded approach.

    Brainstorm about creating a better future; begin brainstorming an initial longlist

    Establish the longlist. The longlist helps create a holistic view of most technologies that could impact the business. Assigning values and quadrant scoring will shortlist the options and focus your PoC option.

    Converge everyone’s longlists

    Long to short...that's the short of it. Using SWOT, value readiness, and quadrant mapping review sessions will focus the longlist, creating a shortlist of potential POC candidates to review and consider.

    Evaluate the shortlist

    There is no such thing as a risk-free endeavor. Use a systematic process to ensure that the risks your organization takes have the potential to produce significant rewards.

    Define your PoC list and schedule

    Don’t be afraid to fail! Inevitably, some proof-of-concept projects will not benefit the organization. The projects that are successful will more than cover the costs of the failed projects. Roll out small scale and minimize losses.

    Finalize, present the plan to stakeholders, and repeat!

    Don't forget the C-suite. Effectively communicate and present the working group’s finding with a well-defined and succinct presentation. Start the process again!

    This is a screenshot of the Thought map for Exploit disruptive infrastructure Technology.
    1. Identify
      • Establish the core working group and select a leader; select a group of visionaries
      • Train the group to think like futurists
      • Hold your initial meeting
    2. Resolve
    • Create and winnow a longlist
    • Assess and create the shortlist
  • Evaluate
    • Create process maps
    • Develop proof of concept charter
  • The Key Is in Anticipation!

    Use Info-Tech’s approach for analyzing disruptive technology in your own disruptive tech working group

    Phase 1: Identify Phase 2: Resolve Phase 3: Evaluate

    Phase Steps

    1. Establish the disruptive technology working group
    2. Think like a futurist (Training)
    3. Hold initial meeting or create an agenda for the meeting
    1. Create and winnow a longlist
    2. Assess shortlist
    1. Create process maps
    2. Develop proof of concept charter

    Phase Outcomes

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.
    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist
    • Business process maps before and after disruption
    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources
    • Executive presentation

    Four key challenges make it essential for you to become a champion for exploiting disruptive technology

    1. New technology can hit like a meteor. It doesn’t only disrupt IT; technology provides opportunities for organization-wide advantage.
    2. Your role is endangered. If you don’t prepare for the most disruptive technologies, you could be overshadowed. Don’t let the CMO rule technological innovation.
    3. Predicting the future isn’t easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, predicting which specific technologies will become disruptive is difficult.
    4. Communication is difficult when the sky is falling. Even forward-looking IT leaders struggle with convincing others to devote time and resources to monitoring emerging technologies with a formal process.

    “Look, you have never had this amount of opportunity for innovation. Don’t forget to capitalize on it. If you do not capitalize on it, you will go the way of the dinosaur.”
    – Dave Evans, Co-Founder and CTO, Stringify

    Technology can hit like a meteor

    “ By 2025:

    • 38.6 billion smart devices will be collecting, analyzing, and sharing data.
    • The web hosting services market is to reach $77.8 billion in 2025.
    • 70% of all tech spending is expected to go for cloud solutions.
    • There are 1.35 million tech startups.
    • Global AI market is expected to reach $89.8 billion.”

    – Nick Gabov

    IT Disruption

    Technology disrupts IT by:

    • Affecting the infrastructure and applications that IT needs to use internally.
    • Affecting the technology of end users that IT needs to support and deploy, especially for technologies with a consumer focus.
    • Allowing IT to run more efficiently and to increase the efficiency of other business units.
    • Example: The rise of the smartphone required many organizations to rethink endpoint devices.

    Business Disruption

    Technology disrupts the business by:

    • Affecting the viability of the business.
    • Affecting the business’ standing in relation to competitors that better deal with disruptive technology.
    • Affecting efficiency and business strategy. IT should have a role in technology-related business decisions.
    • Example: BlackBerry failed to anticipate the rise of the apps ecosystem. The company struggled as it was unable to react with competitive products.

    Senior IT leaders are expected to predict disruptions to IT and the business, while tending to today’s needs

    You are expected to be both a firefighter and a forecaster

    • Anticipating upcoming disruptions is part of your job, and you will be blamed if you fail to anticipate future business disruptions because you are focusing on the present.
    • However, keeping IT running smoothly is also part of your job, and you will be blamed if today’s IT environment breaks down because you are focusing on the future.

    You’re caught between the present and the future

    • You don’t have a process that anticipates future disruptions but runs alongside and integrates with operations in the present.
    • You can’t do it alone. Tending to both the present and the future will require a team that can help you keep the process running.

    Info-Tech Insight

    Be prepared when disruptions start coming down, even though it isn’t easy. Use this research to reduce the effort to a simple process that can be performed alongside everyday firefighting.

    Make disruptive tech analysis and exploitation part of your innovation agenda

    A scatter plot graph is depicted, plotting IT Innovative Leadership (X axis), and Satisfaction with IT(Y axis). IT innovative leadership explains 75% of variation in satisfaction with IT

    Organizations without high satisfaction with IT innovation leadership are only 20% likely to be highly satisfied with IT

    “You rarely see a real-world correlation of .86!”
    – Mike Battista, Staff Scientist, Cambridge Brain Sciences, PhD in Measurement

    There is a clear relationship between satisfaction with IT and the IT department’s innovation leadership.

    Prevent “airline magazine syndrome” by proactively analyzing disruptive technologies

    “The last thing the CIO needs is an executive saying ‘I don’t what it is or what it does…but I want two of them!”
    – Tim Lalonde

    Airline magazine syndrome happens to IT leaders caught between the business and IT. It usually occurs in this manner:

    1. While on a flight, a senior executive reads about an emerging technology that has exciting implications for the business in an airline magazine.
    2. The executive returns and approaches IT, demanding that action be taken to address the disruptive technology – and that it should have been (ideally) completed already.

    Without a Disruptive Technology Exploitation Plan:

    “I don’t know”

    With a Disruptive Technology Exploitation Plan:

    “Here in IT, we have already considered that technology and decided it was overhyped. Let me show you our analysis and invite you to join our working group.”

    OR

    “We have already considered that technology and have started testing it. Let me show you our testing lab and invite you to join our working group.”

    Info-Tech Insight

    Airline magazine syndrome is a symptom of a wider problem: poor CEO-CIO alignment. Solve this problem with improved communication and documentation. Info-Tech’s disruptive tech iterative process will make airline magazine syndrome a thing of the past!

    IT leaders who do not keep up with disruptive technology will find their roles diminished

    “Today’s CIO dominion is in a decaying orbit with CIOs in existential threat mode.”
    – Ken Magee

    Protect your role within IT

    • IT is threatened by disruptive technology:
      • Trends like cloud services, increased automation, and consumerization reduce the need for IT to be involved in every aspect of deploying and using technology.
      • In the long term, machines will replace even intellectually demanding IT jobs, such as infrastructure admin and high-level planning.
    • Protect your role in IT by:
      • Anticipating new technology that will disrupt the IT department and your place within it.
      • Defining new IT roles and responsibilities that accurately reflect the reality of technology today.
      • Having a process for the above that does not diminish your ability to keep up with everyday operations that remain a priority today.

    Protect your role against other departments

    • Your role in the business is threatened by disruptive technology:
      • The trends that make IT less involved with technology allow other executives – such as the CMO – to make IT investments.
      • As the CMO gains the power and data necessary to embrace new trends, the CIO and IT managers have less pull.
    • Protect your role in the business by:
      • Being the individual to consult about new technology. It isn’t just a power play; IT leaders should be the ones who know technology thoroughly.
      • Becoming an indispensable part of the entire business’ innovation strategy through proposing and executing a process for exploiting disruptive technology.

    IT leaders who do keep up have an opportunity to solidify their roles as experts and aggregators

    “The IT department plays a critical role in [innovation]. What they can do is identify a technology that potentially might introduce improvements to the organization, whether it be through efficiency, or through additional services to constituents.”
    – Michael Maguire, Management Consultant

    The contemporary CIO is a conductor, ensuring that IT works in harmony with the rest of the business.

    The new CIO is a conductor, not a musician. The CIO is taking on the role of a business engineer, working with other executives to enable business innovation.

    The new CIO is an expert and an aggregator. Conductor CIOs increasingly need to keep up on the latest technologies. They will rely on experts in each area and provide strategic synthesis to decide if, and how, developments are relevant in order to tune their IT infrastructure.

    The pace of technological advances makes progress difficult to predict

    “An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense ‘intuitive linear’ view. So we won’t experience 100 years of progress in the 21st century – it will be more like 20,000 years of progress (at today’s rate).”
    – Ray Kurzweil

    Technology advances exponentially. Rather than improving by the same amount of capability each year, it multiplies in capability each year.

    Think like a futurist to anticipate technology before it goes mainstream.

    Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Even those who acknowledge exponential growth underestimate how capabilities can improve.

    To predict new advances, turn innovation into a process

    “We spend 70 percent of our time on core search and ads. We spend 20 percent on adjacent businesses, ones related to the core businesses in some interesting way. Examples of that would be Google News, Google Earth, and Google Local. And then 10 percent of our time should be on things that are truly new.”
    – Eric Schmidt, Google

    • Don’t get caught in the trap of refining your core processes to the exclusion of innovation. You should always be looking for new processes to improve, new technology to pilot, and where possible, new businesses to get into.
    • Devote about 10% of your time and resources to exploring new technology: the potential rewards are huge.

    You and your team need to analyze technology every year to predict where it’s going.

    A bar graph is shown which depicts the proportion of technology use from 2018-2022. the included devices are: Tablets; PCs; TVs; Non-smartphones; Smartphones; M2M
    • Foundational technologies, such as computing power, storage, and networks, are improving exponentially.
    • Disruptive technologies are specific manifestations of foundational advancements. Advancements of greater magnitude give rise to more manifestations; therefore, there will be more disruptive technologies every year.
    • There is a lot of noise to cut through. Remember Google Glasses? As technology becomes ubiquitous and consumerization reigns, everybody is a technology expert. How do you decide which technologies to focus on?

    Protect IT and the business from disruption by implementing a simple, repeatable disruptive technology exploitation process

    “One of the most consistent patterns in business is the failure of leading companies to stay at the top of their industries when technologies or markets change […] Managers must beware of ignoring new technologies that can’t initially meet the needs of their mainstream customers.”
    – Joseph L. Bower and Clayton M. Christensen

    Challenge

    Solution

    New technology can hit like a meteor, but it doesn’t have to leave a crater:

    Use the annual process described in this blueprint to create a formal evaluation of new technology that turns analysis into action.

    Predicting the future isn’t easy, but it can be done:

    Lead the analysis from the office of the CIO. Establish a team to carry out the annual process as a cure for airline magazine syndrome.

    Your role is endangered, but you can survive:

    Train your team on the patterns of progress, track technology over time in a central database, and read Info-Tech’s analysis of upcoming technology.

    Communication is difficult when the sky is falling, so have a simple way to get the message across:

    Track metrics that communicate your progress, and summarize the results in a single, easy-to-read exploitation plan.

    Info-Tech Insight

    Use Info-Tech’s tools and templates, along with this storyboard, to walk you through creating and executing an exploitation process in six steps.

    Create measurable value by using Info-Tech’s process for evaluating the disruptive potential of technology

    This image contains a bar graph with the following Title: Which are the primary benefits you've either realized or expect to realize by deploying hyperconverged infrastructure in the near term.

    No business process is perfect.

    • Use Info-Tech’s Proof of Concept Template to create a disruptive technology proof of concept implementation plan.
    • Harness your company’s internal wisdom to systematically vet new technology. Engage only in calculated risk and maximize potential benefit.

    Info-Tech Insight

    Inevitably, some proof of concept projects will not benefit the organization. The projects that are successful will more than cover the costs of the failed projects. Roll out small scale and minimize losses.

    Establish your key performance indicators (KPIs)

    Key performance indicators allow for rigorous analysis, which generates insight into utilization by platform and consumption by business activity.

    • Brainstorm metrics that indicate when process improvement is actually taking place.
    • Have members of the group pitch KPIs; the facilitator should record each suggestion on a whiteboard.
    • Make sure to have everyone justify the inclusion of each metric: how does it relate to the improvement that the proof of concept project is intended to drive? How does it relate to the overall goals of the business?
    • Include a list of KPIs, along with a description and a target (ensuring that it aligns with SMART metrics).
    Key Performance Indicator Description Target Result

    Number of Longlist technologies

    Establish a range of Longlist technologies to evaluate 10-15
    Number of Shortlist technologies Establish a range of Shortlist technologies to evaluate 5-10
    number of "look to the past" likes/dislikes Minimum number of testing characteristics 6
    Number of POCs Total number of POCs Approved 3-5

    Communicate your plan with the Disruptive Technology Exploitation Plan Template

    Use the Disruptive Technology Exploitation Plan Template to summarize everything that the group does. Update the report continuously and use it to show others what is happening in the world of disruptive technology.

    Section Title Description
    1 Rationale and Summary of Exploitation Plan A summary of the current efforts that exist for exploring disruptive technology. A summary of the process for exploiting disruptive technology, the resources required, the team members, meeting schedules, and executive approval.
    2 Longlist of Potentially Disruptive Technologies A summary of the longlist of identified disruptive technologies that could affect the organization, shortened to six or less that have the largest potential impact based on Info-Tech’s Disruptive Technology Shortlisting Tool.
    3 Analysis of Shortlist Individually analyze each technology placed on the shortlist using Info-Tech’s Disruptive Technology Value-Readiness and SWOT Analysis Tool.
    4 Proof of Concept Plan Use the results from Section 3 to establish a plan for moving forward with the technologies on the shortlist. Determine the tasks required to implement the technologies and decide who will complete them and when.
    5 Hand-off Pass the project along to identified stakeholders with significant interest in its success. Continue to track metrics and prepare to repeat the disruptive technology exploitation process annually.

    Whether you need a process for exploiting disruptive technology, or an analysis of current trends, Info-Tech can help

    Two sets of research make up Info-Tech’s disruptive technology coverage:

    This image contains four screenshots from each of the following Info-Tech Blueprints: Exploit disruptive Infrastructure Technology; Infrastructure & operations priorities 2022

    This storyboard, and the associated tools and templates, will walk you through creating a disruptive technology working group of your own.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Disruptive Technology Exploitation Plan Template

    The Disruptive Technology Exploitation Plan Template acts as an implementation plan for developing a long-term strategy for monitoring and implementing disruptive technologies.

    Proof of Concept Template

    The Proof of Concept Template will guide you through the creation of a minimum-viable proof-of-concept project.

    Executive Presentation

    The Disruptive Technology Executive Presentation Template will assist you to present an overview of the disruptive technology process, outlining the value to your company.

    Disruptive Technology Value Readiness & SWOT Analysis Tool

    The Disruptive Technology Value Readiness & SWOT Analysis Tool will assist you to systematize notional evaluations of the value and readiness of potential disruptive technologies.

    Disruptive Technology Research Database Tool

    The Disruptive Technology Research Database Tool will help you to keep track of the independent research that is conducted by members of the disruptive technology exploitation working group.

    Disruptive Technology Shortlisting Tool

    The Disruptive Technology Shortlisting Tool will help you to codify the results of the disruptive technology working group's longlist winnowing process.

    Disruptive Technology Look to the Past Tool

    The Disruptive Technology Look to the Past Tool will assist you to collect reasonability test notes when evaluating potential disruptive technologies.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Explore the need for a disruptive technology working group.

    Call #3: Review the agenda for the initial meeting.

    Call #5: Review how you’re brainstorming and your sources of information.

    Call #7: Review the final shortlist and assessment.

    Call #9: Review the progress of your team.

    Call #2: Review the team name, participants, and timeline.

    Call #4: Assess the results of the initial meeting.

    Call #6: Review the final longlist and begin narrowing it down.

    Call #8: Review the next steps.

    Call #10: Review the communication plan.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work Day 1 Day 2 Day 3 Day 4
    Establish the Disruptive Tech Process Hold Your Initial Meeting Create a Longlist and Assess Shortlist Create Process Maps Develop a Proof of Concept Charter

    Activities

    1.1.a Get executives and stakeholders on board.

    1.1.b Review the process of analyzing disruptive tech.

    1.1.c Select members for the working group.

    1.1.d Choose a schedule and time commitment.

    1.1.e Select a group of visionaries.

    1.2.a Start the meeting with introductions.

    1.2.b Train the group to think like futurists.

    1.2.c Brainstorm about disruptable processes.

    1.2.d Brainstorm a longlist.

    1.2.e Research and brainstorm separate longlists.

    2.1.a Converge the longlists developed by the team.

    2.2.b Narrow the longlist to a shortlist.

    2.2.c Assess readiness and value.

    2.2.d Perform a SWOT analysis.

    3.1.a Build a problem canvas.

    3.1.b Identify affected business units.

    3.1.c Outline and map the business processes likely to be disrupted.

    3.1.d Map disrupted business processes.

    3.1.e Recognize how the new technology will impact business processes.

    3.1.f Make the case.

    3.2.a Develop key performance indicators (KPIs).

    3.2.b Identify key success factors.

    3.2.c Outline project scope.

    3.2.d Identify responsible team.

    3.2.e Complete resource estimation.

    Deliverables

    1. Initialized Disruptive Tech Exploitation Plan
    1. List of Disruptable Organizational Processes
    2. Initial Longlist of Disruptive Tech
    1. Finalized Longlist of Disruptive Tech
    2. Shortlist of Disruptive Tech
    3. Value-Readiness Analysis
    4. SWOT Analysis
    5. Candidate(s) for Proof of Concept Charter
    1. Problem Canvas
    2. Map of Business Processes: Current State
    3. Map of Disrupted Business Processes
    4. Business Case for Each Technology
    1. Completed Proof of Concept Charter

    Exploit Disruptive Infrastructure Technology

    Disrupt or be disrupted.

    Identify

    Create your working group.

    PHASE 1

    Use Info-Tech’s approach for analyzing disruptive technology in your own disruptive tech working group

    1. Identify
      1. Establish the core working group and select a leader; select a group of visionaries
      2. Train the group to think like futurists
      3. Hold your initial meeting
    2. Resolve
      1. Create and winnow a longlist
      2. Assess and create the shortlist
    3. Evaluate
      1. Create process maps
      2. Develop proof of concept charter

    The Key Is in Anticipation!

    Phase 1: Identify

    Create your working group.

    Activities:

    Step 1.1: Establish the core working group and select a leader; select a group of visionaries
    Step 1.2: Train the group to think like futurists
    Step 1.3: Hold the initial meeting

    This step involves the following participants:

    IT Infrastructure Manager

    CIO or CTO

    Potential members and visionaries of the working group

    Outcomes of this step:

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.

    Step 1.1

    Establish the core working group and select a leader; select a group of visionaries.

    Activities:

    • Articulate the long- and short-term benefits and costs to the entire organization
    • Gain support by articulating the long- and short-term benefits and costs to the IT department
    • Gain commitment from key stakeholders and executives
    • Help stakeholders understand what goes into formally exploiting disruptive tech by reviewing this process
    • Establish the core working group and select a leader
    • Create a schedule with a time commitment appropriate to your organization’s size; it doesn’t need to take long
    • Select a group of visionaries external to IT to help the working group brainstorm disruptive technologies

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Potential members and visionaries of the working group

    Outcomes of this step

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group that will provide insight and direction.

    1.1.A Articulate the long- and short-term benefits and costs to the entire organization

    A cost/benefit analysis will give stakeholders a picture of how disruptive technology could affect the business. Use the chart as a starting point and customize it based on your organization.

    Disruptive Technology Affects the Organization

    Benefits Costs

    Short Term

    • First-mover advantage from implementing new technology in the business before competitors – and before start-ups.
    • Better brand image as an organization focused on innovation.
    • Increased overall employee satisfaction by implementing new technology that increases employee capabilities or lowers effort.
    • Possibility of increased IT budget for integrating new technology.
    • Potential for employees to reject wide-scale use of unfamiliar technology.
    • Potential for technology to fail in the organization if it is not sufficiently tested.
    • Executive time required for making decisions about technology recommended by the team.

    Long Term

    • Increased internal business efficiencies from the integration of new technology (e.g. energy efficiency, fewer employees needed due to automation).
    • Better services or products for customers, resulting in increased long-term revenue.
    • Lowered costs of services or products and potential to grow market share.
    • Continued relevance of established organizations in a world changed by disruptive technologies.
    • Technology may not reach the capabilities initially expected, requiring waiting for increased value or readiness.
    • Potential for customers to reject new products resulting from technology.
    • Lack of focus on current core capabilities if technology is massively disruptive.

    1.1.B Gain support by articulating the long- and short-term benefits and costs to the IT department

    A cost/benefit analysis will give stakeholders a picture of how disruptive technology could affect the business. Use the chart as a starting point and customize it based on your organization.

    Disruptive Technology Affects IT

    BenefitsCosts

    Short Term

    • Perception of IT as a core component of business practices.
    • Increase IT’s capabilities to better serve employees (e.g. faster network speeds, better uptime, and storage and compute capacity that meet demands).
    • Cost for acquiring or implementing new technology and updating infrastructure to integrate with it.
    • Cost for training IT staff and end users on new IT technology and processes.
    • Minor costs for initial setup of disruptive technology exploitation process and time taken by members.

    Long Term

    • More efficient and powerful IT infrastructure that capitalizes on emerging trends at the right time.
    • Lower help desk load due to self-service and automation technology.
    • Increased satisfaction with IT due to implementation of improved enterprise technology and visible IT influence on improvements.
    • Increased end-user satisfaction with IT due to understanding and support of consumer technology that affects their lives.
    • New technology may result in lower need for specific IT roles. Cultural disruptions due to changing role of IT.
    • Perception of failure if technology is tested and never implemented.
    • Expectation that IT will continue to implement the newest technology available, even when it has been dismissed as not having value.

    1.1.C Gain commitment from key stakeholders and executives

    Gaining approval from executives and key stakeholders is the final obstacle. Ensure that you cover the following items to have the best chance for project approval.

    • Use a sample deck similar to this section for gaining buy-in, ensuring that you add/remove information to make it specific to your organization. Cover this section, including:
      • Who: Who will lead the team and who will be on it (working group)?
      • What: What resources will be required by the team (costs)?
      • Where/When: How often and where will the team meet (meeting schedule)?
      • Why: Why is there a need to exploit disruptive technology (benefits and examples)?
      • How: How is the team going to exploit disruptive technology (the process)?
    • Go through this blueprint prior to presenting the plan to stakeholders so that you have a strong understanding of the details behind each process and tool.
    • Frame the first iteration of the cycle as a pilot program. Use the completed results of the pilot to establish exploiting disruptive technology as a necessary company initiative.

    Insert the resources required by the disruptive tech exploitation team into Section 1.5 of the Disruptive Technology Exploitation Plan Template. Have executives sign-off on the project in Section 1.6.

    Disruption has undermined some of the most successful tech companies

    “The IT department plays a critical role in [innovation]. What they can do is identify a technology that potentially might introduce improvements to the organization, whether it be through efficiency or through additional services to constituents.”
    - Michael Maguire, Management Consultant

    VoIP’s transformative effects

    Disruptive technology:
    Voice over Internet Protocol (VoIP) is a modern means of making phone calls through the internet by sending voice packets using data, as opposed to the traditional circuit transmissions of the PSTN.

    Who won:
    Organizations that realized the cost savings that VoIP provided for businesses with a steady internet connection saved as much as 60% on telephony expenses. Even in the early stages, with a few more limitations, organizations were able to save a significant amount of money and the technology has continued to improve.

    Who lost?
    Telecom-related companies that failed to realize VoIP was a potential threat to their market, and organizations that lacked the ability to explore and implement the disruptive technology early.

    Digital photography — the new norm

    Disruptive technology:
    Digital photography refers to the storing of photographs in a digital format, as opposed to traditional photography, which exposes light to sensitive photographic film.

    Who won:
    Photography companies and new players that exploited the evolution of data storage and applied it to photography succeeded. Those that were able to balance providing traditional photography and exploiting and introducing digital photography, such as Nikon, left competitors behind. Smartphone manufacturers also benefited by integrating digital cameras.

    Who lost?
    Photography companies, such as Kodak, that failed to respond to the digital revolution found themselves outcompeted and insolvent.

    1.1.D Help stakeholders understand what goes into formally exploiting disruptive tech by reviewing this process

    There are five steps to formally exploiting disruptive technology, each with its own individual outputs and tools to take analysis to the next level.

    Step 1.2:
    Hold Initial Meeting

    Output:

    • Initial list of disruptable processes;
    • Initial longlist

    Step 2.1:

    Brainstorm Longlist

    Output:

    • Finalized longlist;
    • Shortlist

    Step 2.2:

    Assess Shortlist

    Output:

    • Final shortlist;
    • SWOT analysis;
    • Tech categorization

    Step 3.1:
    Create Process Maps

    Output:

    • Completed process maps

    Step 3.2:
    Develop a proof of concept charter

    Output:

    • Proof-of-concept template with KPIs

    Info-Tech Insight

    Before going to stakeholders, complete the entire blueprint to better understand the tools and outputs of the process.

    1.1.E Establish the core working group and select a leader

    • Selecting your core membership for the working group is a critical step to the group’s success. Ensure that you satisfy the following criteria:
      • This is a team of subject matter experts. They will be overseeing the learning and piloting of disruptive technologies. Their input will also be valuable for senior executives and for implementing these technologies.
      • Choose members that can take time away from firefighting tasks to dedicate time to meetings.
      • It may be necessary to reach outside of the organization now or in the future for expertise on certain technologies. Use Info-Tech as a source of information.
    Organization Size Working Group Size
    Small 02-Jan
    Medium 05-Mar
    Large 10-May
    • Once the team is established, you must decide who will lead the group. Ensure that you satisfy the following criteria:
      • A leader should be credible, creative, and savvy in both technology and business.
      • The leader should facilitate, acting as both an expert and an aggregator of the information gathered by the team.

    Choose a compelling name

    The working group needs a name. Be sure to select one with a positive connotation within your organization.

    Section 1.3 of the Disruptive Technology Exploitation Plan Template

    1.1.F Create a schedule with a time commitment appropriate to your organization’s size; it doesn’t need to take long

    Time the disruptive technology working group’s meetings to coincide and integrate with your organization’s strategic planning — at least annually.

    Size Meeting Frequency Time per Meeting Example Meeting Activities
    Small Annually One day A one-day meeting to run through phase 2 of the project (SWOT analysis and shortlist analysis).
    Medium Two days A two-day meeting to run through the project. The additional meeting involves phase 3 of this deck, developing a proof-of-concept plan.
    Large Two+ days Two meetings, each two days. Two days to create and winnow the longlist (phase 2), and two further days to develop a proof of concept plan.

    “Regardless of size, it’s incumbent upon every organization to have some familiarity of what’s happening over the next few years, [and to try] to anticipate what some of those trends may be. […] These trends are going to accelerate IT’s importance in terms of driving business strategy.”
    – Vern Brownell, CEO, D-Wave

    Section 1.4 of the Disruptive Technology Exploitation Plan Template

    1.1.G Select a group of visionaries external to IT to help the working group brainstorm disruptive technologies

    Selecting advisors for your group is an ongoing step, and the roster can change.

    Ensure that you satisfy the following criteria:

    • Look beyond IT to select a team representing several business units.
    • Check for self-professed “geeks” and fans of science fiction that may be happy to join.
    • Membership can be a reward for good performance.

    This group does not have to meet as regularly as the core working group. Input from external advisors can occur between meetings. You can also include them on every second or third iteration of the entire process.

    However, the more input you can get into the group, the more innovative it can become.

    “It is … important to develop design fictions based on engagement with directly or indirectly implicated publics and not to be designed by experts alone.”
    – Emmanuel Tsekleves, Senior Lecturer in Design Interactions, University of Lancaster

    Section 1.3 of the Disruptive Technology Exploitation Plan Template

    The following case study illustrates the innovative potential that is created when you include a diverse group of people

    INDUSTRY - Chip Manufacturing
    SOURCE - Clayton Christensen, Intel

    To achieve insight, you need to collaborate with people from outside of your department.

    Challenge

    • Headquartered in California, through the 1990s, Intel was the largest microprocessor chip manufacturer in the world, with revenue of $25 billion in 1997.
    • All was not perfect, however. Intel faced a challenge from Cyrix, a manufacturer of low-end chips. In 18 months, Cyrix’s share of the low-margin entry-level chip manufacturing business mushroomed from 10% to 70%.

    Solution

    • Troubled by the potential for significant disruption of the microprocessor market, Intel brought in external consultants to hold workshops to educate managers about disruptive innovation.
    • Managers would break into groups and discuss ways Intel could facilitate the disruption of its competitors. In one year, Intel hosted 18 workshops, and 2,000 managers went through the process.

    Results

    • Intel launched the Celeron chip to serve the lower end of the PC market and win market share back from Cyrix (which no longer exists as an independent company) and other competitors like AMD.
    • Within one year, Intel had captured 35% of the market.

    “[The models presented in the workshops] gave us a common language and a common way to frame the problem so that we could reach a consensus around a counterintuitive course of action.” – Andy Grove, then-CEO, Intel Corporation

    Phase 1: Identify

    Create your working group.

    Activities:

    Step 1.1: Establish the core working group and select a leader; select a group of visionaries
    Step 1.2: Train the group to think like futurists
    Step 1.3: Hold the initial meeting

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Potential members and visionaries of the working group

    Outcomes of this phase:

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.

    Step 1.2

    Train the group to think like futurists

    Activities:

    1. Look to the past to predict the future:
      • Step 1: Review the technology opportunities you missed
      • Step 2: Review and record what you liked about the tech
      • Step 3: Review and record your dislikes
      • Step 4: Record and test the reasonability
    2. Crash course on futurology principles
    3. Peek into the future

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Core working group members
    • Visionaries

    Outcomes of this step

    • Team members thinking like futurists
    • Better understanding of how technology advances
    • List of past examples and characteristics

    Info-Tech Insight

    Business buy-in is essential. Manage your business partners by providing a summary of the EDIT methodology and process. Validate the process value, which will allow you create a team of IT and business representatives.

    1.2 Train the group to think like futurists

    1 hour

    Ensure the team understands how technology advances and how they can identify patterns in upcoming technologies.

    1. Lead the group through a brainstorming session.
    2. Follow the next phases and steps.
    3. This session should be led by someone who can facilitate a thought-provoking discussion.
    4. This training deck finishes with a video.

    Input

    • Facilitated creativity
    • Training deck [following slides]

    Output

    • Inspiration
    • Anonymous ideas

    Materials

    • Futurist training “steps”
    • Pen and paper

    Participants

    • Core working group
    • Visionaries
    • Facilitator

    1.2.A Look to the past to predict the future

    30 minutes

    Step 1

    Step 2 Step 3 Step 4

    Review what you missed.

    What did you like?

    What did you dislike?

    Test the reasonability.

    Think about a time you missed a technical disruptive opportunity.

    Start with a list of technologies that changed your business and processes.

    Consider those specifically you could have identified with a repeatable process.

    What were the most impactful points about the technology?

    Define a list of “characteristics” you liked.

    Create a shortlist of items.

    Itemize the impact to process, people, and technology.

    Why did you pass on the tech?

    Define a list of “characteristics” you did not like.

    Create a shortlist of items.

    Itemize the impact to process, people, and technology.

    Avoid the “arm chair quarterback” view.

    Refer to the six positive and negative points.

    Check against your data points at the end of each phase.

    Record the list of missed opportunities

    Record 6 characteristics

    Record 6 characteristics

    Completed “Think like a Futurists” tool

    Use the Disruptive Technology Research Look to the Past Tool to record your output.

    Input

    • Facilitated creativity
    • Speaker’s notes

    Output

    • Inspiration
    • Anonymous ideas
    • Recorded missed opportunities
    • Recorded positive points
    • Recorded dislikes
    • Reasonability test list

    Materials

    • Futurist training “steps”
    • Pen and paper
    • “Look to the Past” tool

    Participants

    • Core working group
    • Visionaries
    • Facilitator

    Understand how the difference between linear and exponential growth will completely transform many organizations in the next decade

    “The last ten years have seen exponential growth in research on disruptive technologies and their impact on industries, supply chains, resources, training, education and employment markets … The debate is still open on who will be the winners and losers of future industries, but what is certain is that change has picked up pace and we are now in a new technology revolution whose impact is potentially greater than the industrial revolution.”
    – Gary L. Evans

    Exponential advancement will ensure that life in the next decade will be very different from life today.

    • Linear growth happens one step at a time.
    • The difference between linear and exponential is hard to notice, at first.
    • We are now at the knee of the curve.

    What about email?

    • Consider the amount of email you get daily
    • Double it
    • Triple it

    Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Technology grows exponentially, and we are approaching the knee of the curve.

    This graph is adapted from research by Ray Kurzweil.

    Growth: Linear vs. Exponential

    This image contains a graph demonstrating examples of exponential and linear trends.

    1.2.B Crash course on futurology principles

    1 hour

    “An analysis of the history of technology shows that technological change is exponential, contrary to the common-sense ‘intuitive linear’ view. So we won’t experience 100 years of progress in the 21st century — it will be more like 20,000 years of progress (at today’s rate).”
    - Ray Kurzweil

    Review the differences between exponential and linear growth

    The pace of technological advances makes progress difficult to predict.

    Technology advances exponentially. Rather than improving by the same amount of capability each year, it multiplies in capability each year.

    Think like a futurist to anticipate technology before it goes mainstream.

    Exponential growth happens much faster than linear growth, especially when it hits the knee of the curve. Even those who acknowledge exponential growth underestimate how capabilities can improve.

    The following case study illustrates the rise of social media providers

    “There are 7.7 billion people in the world, with at least 3.5 billion of us online. This means social media platforms are used by one in three people in the world and more than two-thirds of all internet users.”
    – Esteban Ortiz-Ospina

    This graph depicts the trend of the number of people using social media platforms between 2005 and 2019

    The following case study illustrates the rapid growth of Machine to Machine (M2M) connections

    A bar graph is shown which depicts the proportion of technology use from 2018-2022. the included devices are: Tablets; PCs; TVs; Non-smartphones; Smartphones; M2M

    Ray Kurzweil’s Law of Accelerating Returns

    “Ray Kurzweil has been described as ‘the restless genius’ by The Wall Street Journal, and ‘the ultimate thinking machine’ by Forbes. He was ranked #8 among entrepreneurs in the United States by Inc Magazine, calling him the ‘rightful heir to Thomas Edison,’ and PBS included Ray as one of 16 ‘revolutionaries who made America,’ along with other inventors of the past two centuries.”
    Source: KurzweilAI.net

    Growth is linear?

    “Information technology is growing exponentially. That’s really my main thesis, and our intuition about the future is not exponential, it’s really linear. People think things will go at the current pace …1, 2, 3, 4, 5, and 30 steps later, you’re at 30.”

    Better IT strategy enables future business innovation

    “The reality of information technology like computers, like biological technologies now, is it goes exponentially … 2, 4, 8, 16. At step 30, you’re at a billion, and this is not an idle speculation about the future.” [emphasis added]

    “When I was a student at MIT, we all shared a computer that cost tens of millions of dollars. This computer [pulling his smartphone out of his pocket] is a million times cheaper, a thousand times more powerful — that’s a billion-fold increase in MIPS per dollar, bits per dollar… and we’ll do it again in 25 years.”
    Source: “IT growth and global change: A conversation with Ray Kurzweil,” McKinsey & Company

    1.2.C Peak into the future

    1 hour

    Leverage industry roundtables and trend reports to understand the art of the possible

    • Uncover important business and industry trends that can inform possibilities for technology disruption.
    • Market research is critical in identifying factors external to your organization and identifying technology innovation that will provide a competitive edge. It’s important to evaluate the impact each trend or opportunity will have in your organization and market.

    Visit Info-Tech’s Trends & Priorities Research Center

    Visit Info-Tech’s Industry Coverage Research to get started.

    Phase 1: Identify

    Create your working group

    Activities:

    Step 1.1: Establish the core working group and select a leader; select a group of visionaries
    Step 1.2: Train the group to think like futurists
    Step 1.3: Hold the initial meeting

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Potential members and visionaries of the working group

    Outcomes of this phase:

    • Establish a team of subject matter experts that will evaluate new, emerging, and potentially disruptive technologies.
    • Establish a process for including visionaries from outside of the working group who will provide insight and direction.
    • Introduce the core working group members.
    • Gain a better understanding of how technology advances.
    • Brainstorm a list of organizational processes.
    • Brainstorm an initial longlist.

    Info-Tech Insight

    Establish the longlist. The longlist help create a holistic view of most technologies that could impact the business. Assigning values and quadrant scoring will shortlist the options and focus your PoC option.

    Step 1.3

    Hold the initial meeting

    Activities:

    1. Create an agenda for the meeting
    2. Start the kick-off meeting with introductions and a recap
    3. Brainstorm about creating a better future
    4. Begin brainstorming an initial longlist
    5. Have team members develop separate longlists for their next meeting

    This step involves the following participants:

    • IT Infrastructure Manager
    • CIO or CTO
    • Core working group members
    • Visionaries

    Outcomes of this step

    • Introduce the core working group members
    • Gain a better understanding of how technology advances
    • Brainstorm a list of organizational processes
    • Brainstorm an initial longlist

    1.3.A Create an agenda for the meeting

    1 hour

    Kick-off this cycle of the disruptive technology process by welcoming your visionaries and introducing your core working group.

    The purpose of the initial meeting is to brainstorm where new technology will be the most disruptive within the organization. You’ll develop two longlists: one of business processes and one of disruptive technology. These longlists are in addition to the independent research your core working group will perform before Phase 2.

    • Find an outgoing facilitator. Sitting back will let you focus more on ideating, and an engaging presenter will help bring out ideas from your visionaries.
    • The training deck (see step 1.2c) includes presenting a video. We’ve included some of our top choices for you to choose from.
      • Feel free to find your own video or bring in a keynote speaker.
      • The object of the video is to get the group thinking about the future.
      • Customize the training deck as needed.
    • If a cycle has been completed, present your findings and all of the group’s completed deliverables in the first section.
    • This session is the only time you have with your visionaries. Get their ideas on what technologies will be disruptive to start forming a longlist.

    Info-Tech Insight

    The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.

    Meeting Agenda (Sample)

    Time

    Activity

    8:00am-8:30am Introductions and previous meeting recap
    8:30am-9:30am Training deck
    9:30 AM-10:00am Brainstorming
    10:00am-10:15am Break
    10:15am-10:45am Develop good research techniques
    10:45am-12:00pm Begin compiling your longlist

    Info-Tech Insight

    The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.

    1.3.B Start the kick-off meeting with introductions and a summary of what work has been done so far

    30 minutes

    1. Start the meeting off with an icebreaker activity. This isn’t an ordinary business meeting – or even group – so we recommend starting off with an activity that will emphasize this unique nature. To get the group in the right mindset, try this activity:
      1. Go around the group and have people present:
      2. Their names and roles
      3. Pose some or all of the following questions/prompts to the group:
        • “Tell me about something you have created.”
        • “Tell me about a time you created a process or program considered risky.”
        • “Tell me about a situation in which you had to come up with several new ideas in a hurry. Were they accepted? Were they successful?”
        • “Tell me about a time you took a risk.”
        • “Tell me about one of your greatest failures and what you learned from it.”
    2. Once everyone has been introduced, present any work that has already been completed.
      1. If you have already completed a cycle, give a summary of each technology that you investigated and the results from any piloting.
      2. If this is the first cycle for the working group, present the information decided in Step 1.1.

    Input

    • Disruptive technology exploitation plan

    Output

    • Networking
    • Brainstorming

    Materials

    • Meeting agenda

    Participants

    • Core working group
    • Visionaries
    • Facilitator

    1.3.C Brainstorm about creating a better future for the company, the stakeholders, and the employees

    30 minutes

    Three sticky notes are depicted, at the top of each note are the following titles: What can we do better; How can we make a better future; How can we continue being successful

    1. Have everyone put up at least two ideas for each chart paper.
    2. Go around the room and discuss their ideas. You may generate some new ideas here.

    These generated ideas are organizational processes that can be improved or disrupted with emerging technologies. This list will be referenced throughout Phases 2 and 3.

    Input

    • Inspiration
    • Anonymous ideas

    Output

    • List of processes

    Materials

    • Chart paper and markers
    • Pen and paper

    Participants

    • Core working group
    • Visionaries

    1.3.D Begin brainstorming a longlist of future technology, and discuss how these technologies will impact the business

    30 minutes

    • Use the Disruptive Technology Research Database Tool to organize technologies and ideas. Longstanding working groups can track technologies here over the course of several years, updating the tool between meetings.
    • Guide the discussion with the following questions, and make sure to focus on the processes generated from Step 1.2.d.

    Focus on

    The Technology

    • What is the technology and what does it do?
    • What processes can it support?

    Experts and Other Organizations

    • What are the vendors saying about the technology?
    • Are similar organizations implementing the technology?

    Your Organization

    • Is the technology ready for wide-scale distribution?
    • Can the technology be tested and implemented now?

    The Technology’s Value

    • Is there any indication of the cost of the technology?
    • How much value will the technology bring?

    Download the Disruptive Technology Database Tool

    Input

    • Inspiration
    • List of processes

    Output

    • Initial longlist

    Materials

    • Chart paper and markers
    • Pen and paper
    • Disruptive Technology Research Database Tool

    Participants

    • Core working group
    • Visionaries

    1.3.E Explore these sources to generate your disruptive technology longlist for the next meeting

    30 Minutes

    There are many sources of information on new and emerging technology. Explore as many sources as you can.

    Science fiction is a valid source of learning. It drives and is influenced by disruptive technology.

    “…the inventor of the first liquid-fuelled rocket … was inspired by H.G. Wells’ science fiction novel War of the Worlds (1898). More recent examples include the 3D gesture-based user interface used by Tom Cruise’s character in Minority Report (2002), which is found today in most touch screens and the motion sensing capability of Microsoft’s Kinect. Similarly, the tablet computer actually first appeared in Stanley Kubrick’s 2001: A Space Odyssey (1968) and the communicator – which we’ve come to refer today as the mobile phone – was first used by Captain Kirk in Star Trek (1966).”
    – Emmanuel Tsekleves, senior lecturer, University of Lancaster

    Right sources: blogs, tech news sites, tech magazines, the tech section of business sites, popular science books about technology, conferences, trade publications, and vendor announcements

    Quantity over quality: early research is not the time to dismiss ideas.

    Discuss with your peers: spark new and innovative ideas

    Insert a brief summary of how independent research is conducted in Section 2.1 of the Disruptive Technology Exploitation Plan Template.

    1.3.E (Cont.) Explore these sources to generate your disruptive technology longlist for the next meeting

    30 Minutes

    There are many sources of information on new and emerging technology. Use this list to kick-start your search.

    Connect with practitioners that are worth their weight in Reddit gold. Check out topic-based LinkedIn groups and subreddits such as r/sysadmin and r/tech. People experienced with technology frequent these groups.

    YouTube is for more than cat videos. Many vendors use YouTube for distributing their previous webinars. There are also videos showcasing various technologies that are uploaded by lecturers, geeks, researchers, and other technology enthusiasts.

    Test your reasonability. Check your “Think Like a Futurist” Tool

    Resolve

    Evaluate Disruptive Technologies

    PHASE 2

    Phase 2: Resolve

    Evaluate disrupted technologies

    Activities:

    Step 2.1: Create and Winnow a Longlist
    Step 2.2: Assess Shortlist

    Info-Tech Insight

    Long to short … that’s the short of it. Using SWOT, value readiness, and quadrant mapping review sessions will focus the longlist, creating a shortlist of potential PoC candidates to review and consider.

    This step involves the following participants:

    • Core working group
    • Infrastructure Management

    Outcomes of this step:

    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    Step 2.1

    Create and winnow a longlist

    Activities:

    1. Converge everyone’s longlists
    2. Narrow technologies from the longlist down to a shortlist using Info-Tech’s Disruptive Technology Shortlisting Tool
    3. Use the shortlisting tool to help participants visualize the potential
    4. Input the technologies on your longlist into the Disruptive Technology Shortlisting Tool to produce a shortlist

    This step involves the following participants:

    • Core working group members

    Outcomes of this step:

    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    2.1 Organize a meeting with the core working group to combine your longlists and create a shortlist

    1 hour

    Plan enough time to talk about each technology on the list. Each technology was included for a reason.

    • Start with the longlist. Review the longlist compiled at the initial meeting, and then have everyone present the lists that they independently researched.
    • Focus on the company’s context. Make sure that the working group analyzes these disruptive technologies in the context of the organization.
    • Start to compile the shortlist. Begin narrowing down the longlist by excluding technologies that are not relevant.

    Meeting Agenda (Sample)

    TimeActivity
    8:00am-9:30amConverge longlists
    9:30am-10:00amBreak
    10:00am-10:45amDiscuss tech in organizational context
    10:45am-11:15amBegin compiling the shortlist

    Disruptive Technology Exploitation Plan Template

    2.1.A Converge the longlists developed by your team

    90 minutes

    • Start with the longlist developed at the initial meeting. Write this list on the whiteboard.
    • If applicable, have a member present the longlist that was created in the last cycle. Remove technologies that:
      • Are no longer disruptive (e.g. have been implemented or rejected).
      • Have become foundational.
    • Eliminate redundancy: remove items that are very similar.
    • Have members “pitch” items on their lists:
      • Explain why their technologies will be disruptive (2-5 minutes maximum)
      • Add new technologies to the whiteboard
    • Record the following for metrics:
      • Each presented technology
      • Reasons the technology could be disruptive
      • Source of the information
    • Use Info-Tech’s Disruptive Technology Research Database Tool as a starting point.

    Insert the final longlist into Section 2.2 of your Disruptive Technology Exploitation Plan Template.

    Input

    • Longlist developed at first meeting
    • Independent research
    • Previous longlist

    Output

    • Finalized longlist

    Materials

    • Disruptive Technology Research Database Tool
    • Whiteboard and markers
    • Virtual whiteboard

    Participants

    • Core working group

    Review the list of processes that were brainstormed by the visionary group, and ask for input from others

    • IT innovation is most highly valued by the C-suite when it improves business processes, reduces costs, and improves core products and services.
    • By incorporating this insight into your working group’s analysis, you help to attract the attention of senior management and reinforce the group’s necessity.
    • Any input you can get from outside of IT will help your group understand how technology can be disruptive.
      • Visionaries consulted in Phase 1 are a great source for this insight.
    • The list of processes that they helped to brainstorm in Step 1.2 reflects processes that can be impacted by technology.
    • Info-Tech’s research has shown time and again that both CEOs and CIOs want IT to innovate around:
      • Improving business processes
      • Improving core products and services
      • Reducing costs

    Improved business processes

    80%

    Core product and service improvement

    48%

    Reduced costs

    48%

    Increased revenues

    23%

    Penetration into new markets

    21%

    N=364 CXOs & CIOs from the CEO-CIO Alignment Diagnostic Questions were asked on a 7-point scale of 1 = Not at all to 7 = Very strongly. Results are displayed as percentage of respondents selecting 6 or 7.

    Info-Tech Insight

    The disruptive tech team is prestigious. If your organization is large enough or has the resources, consider having this meeting in an offsite location. This will drive excitement to join the working group if the opportunity arises and incentivize good work.

    2.1.B Narrow technologies from the longlist down to a shortlist using Info-Tech’s Disruptive Technology Shortlisting Tool

    90 minutes

    To decide which technology has potential for your organization, have the working group or workshop participants evaluate each technology:

    1. Record each potentially disruptive technology in the longlist on a whiteboard.
    2. Making sure to carefully consider the meaning of the terms, have each member of the group evaluate each technology as “high” or “low” along each of the axes, innovation and transformation, on a piece of paper.
    3. The facilitator collects each piece of paper and inputs the results by technology into the Disruptive Technology Shortlisting Tool.
    Technology Innovation Transformation
    Conversational Commerce High High

    Insert the final shortlist into Section 2.2 of your Disruptive Technology Exploitation Plan Template.

    Input

    • Longlist
    • Futurist brainstorming

    Output

    • Shortlist

    Materials

    • Disruptive Technology Research Database Tool
    • Whiteboard and markers
    • Virtual whiteboard

    Participants

    • Core working group

    Disruptive technologies are innovative and transformational

    Innovation

    Transformation

    • Elements:
      • Creative solution to a problem that is relatively new on the scene.
      • It is different, counterintuitive, or insightful or has any combination of these qualities.
    • Questions to Ask:
      • How new is the technology?
      • How different is the technology?
      • Have you seen anything like it before? Is it counterintuitive?
      • Does it offer an insightful solution to a persistent problem?
    • Example:
      • The sharing economy: Today, simple platforms allow people to share rides and lodgings cheaply and have disrupted traditional services.
    • Elements:
      • Positive change to the business process.
      • Highly impactful: impacts a wide variety of roles in a company in a nontrivial way or impacts a smaller number of roles more significantly.
    • Questions to Ask:
      • Will this technology have a big impact on business operations?
      • Will it add substantial value? Will it change the structure of the company?
      • Will it impact a significant number of employees in the organization?
    • Example:
      • Flash memory improved storage technology incrementally by building on an existing foundation.

    Info-Tech Insight

    Technology can be transformational but not innovative. Not every new technology is disruptive. Even where technology has improved the efficiency of the business, if it does this in an incremental way, it might not be worth exploring using this storyboard.

    2.1.C Use the shortlisting tool to help participants visualize the potential

    1 hour

    Use the Disruptive Technology Shortlisting Tool, tabs 2 and 3.

    Assign quadrants

    • Input group members’ names and the entire longlist (up to 30 technologies) into tab 2 of the Disruptive Technology Shortlisting Tool.
    • On tab 3 of the Disruptive Technology Shortlisting Tool, input the quadrant number that corresponds to the innovation and transformation scores each participant has assigned to each technology.

    Note

    This is an assessment meant to serve as a guide. Use discretion when moving forward with a proof-of-concept project for any potentially disruptive technology.

    Participant Evaluation Quadrant
    High Innovation, High Transformation 1
    High Innovation, Low Transformation 2
    Low Innovation, Low Transformation 3
    Low Innovation, High Transformation 4

    four quadrants are depicted, labeled 1-4. The quadrants are coloured as follows: 1- green; 2- yellow; 3; red; 4; yellow

    2.1.D Use the Disruptive Technology Shortlisting Tool to produce a shortlist

    1 hour

    Use the Disruptive Technology Shortlisting Tool, tabs 3 and 4.

    Use the populated matrix and the discussion list to arrive at a shortlist of four to six potentially disruptive technologies.

    • The tool populates each quadrant based on how many votes it received in the voting exercise.
    • Technologies selected for a particular quadrant by a majority of participants are placed in the quadrant on the graph. Where there was no consensus, the technology is placed in the discussion list.
    • Technologies in the upper right quadrant – high transformation and high innovation – are more likely to be good candidates for a proof-of-concept project. Those in the bottom left are likely to be poor candidates, while those in the remaining quadrants are strong on one of the axes and are unlikely candidates for further systematic evaluation.

    This image contains a screenshot from tab 3 of the Disruptive Technology Shortlisting Tool.

    Input the results of the vote into tab 3 of the Disruptive Technology Shortlisting Tool.

    This image contains a screenshot from tab 4 of the Disruptive Technology Shortlisting Tool.

    View the results on tab 4.

    Phase 2: Resolve

    Evaluate disrupted technologies

    Activities:

    Step 2.1: Create and Winnow a Longlist
    Step 2.2:- Assess Shortlist

    This step involves the following participants:

    • Core working group
    • Infrastructure Management

    Outcomes of this step:

    • Finalized longlist
    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    Assess Shortlist

    Activities:

    1. Assess the value of each technology to your organization by breaking it down into quality and cost
    2. Investigate the overall readiness of the technologies on the shortlist
    3. Interpret each technology’s value score
    4. Conduct a SWOT analysis for each technology on the shortlist
    5. Use Info-Tech’s disruptive technology shortlist analysis to visualize the tool’s outputs
    6. Select the shortlisted technologies you would like to move forward with

    This step involves the following participants:

    • Core working group members
    • IT Management

    Outcomes of this step:

    • Finalized shortlist
    • Initial analysis of each technology on the shortlist

    2.2 Evaluate technologies based on their value and readiness, and conduct a SWOT analysis for each one

    Use the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    • A technology monitor diagram prioritizes investment in technology by analyzing its readiness and value.
      • Readiness: how close the technology is to being practical and implementable in your industry and organization.
      • Value: how worthwhile the technology is, in terms of its quality and its cost.
    • Value and readiness questionnaires are included in the tool to help determine current and future values for each, and the next four slides explain the ratings further.
    • Categorize technology by its value-readiness score, and evaluate how much potential value each technology has and how soon your company can realize that value.
    • Use a SWOT analysis to qualitatively evaluate the potential that each technology has for your organization in each of the four categories (strengths, weaknesses, opportunities, and threats).

    The technology monitor diagram appears in tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image depicts tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    2.2.A Assess the value of each technology to your organization by breaking it down into quality and cost

    1 hour

    Update the Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 4.

    Populate the chart to produce a score for each technology’s overall value to the company conceptualized as the interaction of quality and cost.

    Overall Value

    Quality Cost

    Each technology, if it has a product associated with it, can be evaluated along eight dimensions of quality. Consider how well the product performs, its features, its reliability, its conformance, its durability, its serviceability, its aesthetics, and its perceived quality.

    IT budgets are broken down into capital and operating expenditures. A technology that requires a significant investment along either of these lines is unlikely to produce a positive return. Also consider how much time it will take to implement and operate each technology.

    The value assessment is part of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image contains a screenshot from tab 4 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    Info-Tech Insight

    Watch your costs: Technology that seems cheap at first can actually be expensive over time. Be sure to account for operational and opportunity costs as well.

    2.2.B Investigate the overall readiness of the technologies on the shortlist

    1 hour

    Update the Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 4.

    Overall Readiness

    Age

    How much time has the technology had to mature? Older technology is more likely to be ready for adoption.

    Venture Capital

    The amount of venture capital gathered by important firms in the space is an indicator of market faith.

    Market Size

    How big is the market for the technology? It is more difficult to break into a giant market than a niche market.

    Market Players

    Have any established vendors (Microsoft, Facebook, Google, etc.) thrown their weight behind the technology?

    Fragmentation

    A large number of small companies in the space indicates that the market has yet to reach equilibrium.

    The readiness assessment is part of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image contains a screenshot of the Readiness Scoring tab of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    Use a variety of sources to populate the chart

    Google is your friend: search each shortlisted technology to find details about its development and important vendors.

    Websites like Crunchbase, VentureBeat, and Mashable are useful sources for information on the companies involved in a space and the amount of money they have each raised.

    2.2.C Interpret each technology’s value score

    1 hour

    Insert the result of the SWOT analysis into tab 7 of Info-Tech’s Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    Visualize the results of the quality-cost analysis

    • Quality and cost are independently significant; it is essential to understand how each technology stacks up on the axes.
    • Use tab 6 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool for an illustration of how quality and cost interact to produce each technology’s final position on the tech monitor graph.
    • Remember: the score is notional and reflects the values that you have assigned. Be sure to treat it accordingly.

    This image contains a screenshot of the Value Analysis tab of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    Green represents a technology that scores extremely high on one axis or the other, or quite high on both. These technologies are the best candidates for proof-of-concept projects from a value perspective.

    Red represents a technology that has scored very low on both axes. These technologies will be expensive, time consuming, and of poor quality.

    Yellow represents the fuzzy middle ground. These technologies score moderately on both axes. Be especially careful when considering the SWOT analysis of these technologies.

    2.2.D Conduct a SWOT analysis for each technology on the shortlist

    1 hour

    Use tab 6 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    A formal process for analyzing disruptive technology is the only way to ensure that it is taken seriously.

    Write each technology as a heading on a whiteboard. Spend 10-15 minutes on each technology conducting a SWOT analysis together.

    Consider four categories for each technology:

    • Strengths: Current uses of the technology or supporting technology and ways in which it helps your organization.
    • Weaknesses: Current limitations of the technology and challenges or barriers to adopting it in your organization.
    • Opportunities: Potential uses of the technology, especially as it advances or improves.
    • Threats: Potential negative disruptions resulting from the technology, especially as it advances or improves.

    The list of processes generated at the cycle’s initial meeting is a great source for opportunities and threats.

    Disruptive Technology Value-Readiness and SWOT Analysis Tool

    This image contains screenshots of the technology tab of the Disruptive Technology Value-Readiness and SWOT Analysis Tool.

    2.2.E Use Info-Tech’s disruptive technology shortlist analysis to visualize the tool’s outputs

    1 hour

    Disruptive Technology Value-Readiness and SWOT Analysis Tool, tab 9

    The tool’s final tab displays the results of the value-readiness analysis and the SWOT analysis in a single location.

    This image contains a screenshot from tab 9 of the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    Insert the shortlist analysis report into Section 3 of your Disruptive Technology Exploitation Plan Template.

    2.2.F Select the shortlisted technologies you would like to move forward with

    1 hour

    Present your findings to the working group.

    • The Disruptive Technology Value-Readiness and SWOT Analysis Tool aggregates your inputs in an easy-to-read, consistent way.
    • Present the tool’s outputs to members of the core working group.
    • Explain the scoring and present the graphic to the group. Go over each technology’s strengths and weaknesses as well as the opportunities and threats it presents/poses to the organization.
    • Go through the proof-of-concept planning phase before striking any technologies from the list.

    This image contains a screenshot of the disruptive technology shortlist analysis from the Disruptive Technology Value-Readiness and SWOT Analysis Tool

    Info-Tech Insight

    A technology’s exceptional value and immediate usability make it the best. A technology can be promising and compelling, but it is unsuitable unless it can bring immediate and exceptional value to your organization. Don’t get caught up in the hype.

    Evaluate

    Create an Action Plan to Exploit Disruptive Technologies

    PHASE 3

    Phase 3: Evaluate

    Create an Action Plan to Exploit Disruptive Technologies

    Activities:

    Step 3.1: Create Process Maps
    Step 3.2: Develop Proof of Concept Charter

    This step involves the following participants:

    • Core working group
    • Infrastructure Management
    • Working group leader
    • CIO

    Outcomes of this step:

    • Business process maps before and after disruption
    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources

    Step 3.1

    Create Process Maps

    Activities:

    1. Creating a problem canvas by identifying stakeholders, jobs, pains, and gains
    2. Clarify the problem the proof-of-concept project will solve
    3. Identify jobs and stakeholders
    4. Outline how disruptive technology will solve the problem
    5. Map business processes
    6. Identify affected business units
    7. Outline and map the business processes likely to be disrupted
    8. Recognize how the new technology will impact business processes
    9. Make the case: Outline why the new business process is superior to the old

    This step involves the following participants:

    • Working group leader
    • CIO

    Outcomes of this step:

    • Business process maps before and after disruption

    3.1 Create an action plan to exploit disruptive technologies

    Clarify the problem in order to make the case. Fill in section 1.1 of Info-Tech’s Proof of Concept Template to clearly outline the problem each proof of concept is designed to solve.

    Establish roles and responsibilities. Use section 1.2 of the template to outline the roles and responsibilities that fall to each member of the team. Ensure that clear lines of authority are delineated and that the list of stakeholders is exhaustive: include the executives whose input will be required for project approval, all the way to the technicians on the frontline responsible for implementing it.

    Outline the solution to the problem. Demonstrate how each proof-of-concept project provides a solution to the problem outlined in section 1.1. Be sure to clarify what makes the particular technology under investigation a potential solution and record the results in section 1.3.

    This image contains a screenshot of the Proof of concept project template

    Use the Proof of Concept Project Template to track the information you gather throughout Phase 3.

    3.1.A Creating a problem canvas by identifying stakeholders, jobs, pains, and gains

    2 hours

    Instructions:

    1. On a whiteboard, draw the visual canvas supplied below.
    2. Select your issue area, and list jobs, pains, and gains in the associated sections.
    3. Record the pains, jobs, and gains in sections 1.1-1.3 of the Proof of Concept Template.

    Gains

    1. More revenue

    2. Job security

    3. ……

    Jobs

    1. Moving product

    2. Per sale value

    3. ……

    Pains

    1. Clunky website

    2. Bad site navigation

    3. ……

    Input

    • Inspiration
    • Anonymous ideas

    Output

    • List of processes

    Materials

    • Chart paper and markers
    • Pen and paper

    Participants

    • Core working group
    • Visionaries

    3.1.B Clarify the problem the proof-of-concept project will solve

    2 hours

    What is the problem?

    • Every technology is designed to solve a problem faced by somebody somewhere. For each technology that your team has decided to move forward with, identify and clearly state the problem it would solve.
    • A clear problem statement is a crucial part of a new technology’s business case. It is impossible to earn buy-in from the rest of the organization without demonstrating the necessity of a solution.
    • Perfection is impossible to achieve: during the course of their work, everyone encounters pain points. Identify those pain points to arrive at the problem that needs to be solved.

    Example:

    List of pains addressed by conversational commerce:

    • Search functions can be clunky and unresponsive.
    • Corporate websites can be difficult to navigate.
    • Customers are uncomfortable in unfamiliar internet environments.
    • Customers do not like waiting in a long queue to engage with customer service representatives when they have concerns.

    “If I were given one hour to solve a problem, I would spend 59 minutes defining the problem and one minute resolving it.”
    – Albert Einstein

    Input the results of this exercise into Section 1.1 of the Proof of Concept Template.

    3.1.C Identify jobs and stakeholders

    1 hour

    Jobs

    Job: Anything that the “customer” (the target of the solution) needs to get done but that is complicated by a pain.

    Examples:
    The job of the conversational commerce interface is to make selling products easier for the company.
    From the customer perspective, the job of the conversational interface is to make the act of purchasing a product simpler and easier.

    Stakeholders

    Stakeholder: Anyone who is impacted by the new technology and who will end up using, approving, or implementing it.

    Examples:
    The executive is responsible for changing the company’s direction and approving investment in a new sales platform.
    The IT team is responsible for implementing the new technology.
    Marketing will be responsible for selling the change to customers.
    Customers, the end users, will be the ones using the conversational commerce user interface.

    Input the results of this exercise into Section 1.2 of the Proof of Concept Template.

    Info-Tech Insight

    Process deconstruction reveals strengths and weaknesses. Promising technology should improve stakeholders’ abilities to do jobs.

    3.1.D Outline how disruptive technology will solve the problem

    1 hour

    How will the technology in question make jobs easier?

    • How will the disruptive technology you have elected to move forward with create gains for the organization?
    • First, identify the gains that are supposed to come with the project. Consider the benefits that the various stakeholders expect to derive from the jobs identified.
    • Second, make note of how the technology in question facilitates the gains you have noted. Be sure to articulate the exclusive features of the new technology that make it an improvement over the current state.

    Note: The goal of this exercise is to make the case for a particular technology. Sell it!

    Expected Gain: Increase in sales.

    Conversational Commerce’s Contribution: Customers are more likely to purchase products using interfaces they are comfortable with.

    Expected Gain: Decrease in costs.

    Conversational Commerce’s Contribution: Customers who are satisfied with the conversational interface are less likely to interact with live agents, saving labor costs.

    Input the results of this exercise into Section 1.3 of the Proof of Concept Template.

    3.1.E Map business processes

    1 hour

    Map the specific business processes the new technology will impact.

    • Disruptive technologies will impact a wide variety of business processes.
    • Map business processes to visualize what parts of your organization (departments, silos, divisions) will be impacted by the new technology, should it be adopted after the proof of concept.
    • Identify how the disruption will take place.
    • Demonstrate the value of each technology by including the results of the Disruptive Technology Value-Readiness and SWOT Analysis Tool with your process map.

    This image contains a screenshot of the Proof of concept project template

    Use the Proof of Concept Project Template to track the information you gather throughout Phase 3.

    3.1.F Identify affected business units

    30 minutes per technology

    Disruptive technology will impact business units.

    • Using the stakeholders identified earlier in the project, map each technology to the business units that will be affected.
    • Make your list exhaustive. While some technologies will have a limited impact on the business as a whole, others will have ripple effects throughout the organization.
    • Examine affected units at all scales: How will the technology impact operations at the team level? The department level? The division level?

    “The disruption is not just in the technology. Sometimes a good business model can be the disruptor.”
    – Jason Hong, Associate Professor, Carnegie Mellon

    Example:

    • Customer service teams: Conversational commerce will replace some of the duties of the customer service representative. They will have to reorganize to account for this development.
    • IT department: The IT department will be responsible for building/maintaining the conversational interface (or, more likely, they will be responsible for managing the contract with the vendor).
    • Sales analytics: New data from customers in natural language might provide a unique opportunity for the analytics team to develop new initiatives to drive sales growth.

    Input the results of this exercise into Section 2.1 of the Proof of Concept Template.

    3.1.G Outline and map the business processes likely to be disrupted

    15 minutes per technology

    Leverage the insights of the diverse working group.

    • Processes are designed to transform inputs into outputs. All business activities can be mapped into processes.
    • A process map illustrates the sequence of actions and decisions that transform an input into an output.
    • Effective mapping gives managers an “aerial” view of the company’s processes, making it easier to identify inefficiencies, reduce waste, and ultimately, streamline operations.
    • To identify business processes, have group members familiar with the affected business units identify how jobs are typically accomplished within those units.

    “To truly understand a business process, we need information from both the top-down and bottom-up points of view. Informants higher in the organizational hierarchy with a strategic focus are less likely to know process details or problems. But they might advocate and clearly articulate an end-to-end, customer-oriented philosophy that describes the process in an idealized form. Conversely, the salespeople, customer service representatives, order processors, shipping clerks, and others who actually carry out the processes will be experts about the processes, their associated documents, and problems or exception cases they encounter.”
    – Robert J. Glushko, Professor at UC Berkeley and Tim McGrath, Business Consultant

    Info-Tech Insight

    Opinions gathered from a group that reflect the process in question are far more likely to align with your organization’s reality. If you have any questions about a particular process, do not be afraid to go outside of the working group to ask someone who might know.

    3.1.G Outline and map the business processes likely to be disrupted (continued)

    15 minutes per technology

    Create a simple diagram of identified processes.

    • Use different shapes to identify different points in the process.
    • Rectangles represent actions, diamonds represent decisions.
    • On a whiteboard, map out the actions and decisions that take place to transform an input into an output.
    • Input the result into section 2.2 of the Proof of Concept Template.

    This image contains a screenshot of the Software Service Cross-Function Process tab from Edraw Visualization Solutions.

    Source: Edraw Visualization Solutions

    Example: simplified process map

    1. User: visits company website
    2. User: engages search function or browses links
    3. User: selects and purchases product from a menu
    4. Company: ships product to customer

    3.1.H Recognize how the new technology will impact business processes

    15 minutes per technology

    Using the information gleaned from the previous activities, develop a new process map that takes the new technology into account.

    Identify the new actions or decisions that the new technology will affect.

    User: visits company website; User: engages conversational; commerce platform; User: engages search function or browses links; User: makes a natural language query; User: selects and purchases product from a menu</p data-verified=

    User: selects and purchases product from a menu; Company: ships product to customer; Company: ships product to customer">

    Info-Tech Insight

    It’s ok to fail! The only way to know you’re getting close to the “knee of curve" is from multiple failed PoC tests. The more PoC options you have, the more likely it will be that you will have two to three successful results.

    3.1.I Make the case: Outline why the new business process is superior to the old

    15 minutes per technology

    Articulate the main benefits of the new process.

    • Using the revised process map, make the case for each new action.
    • Questions to consider: How does the new technology relieve end-user/customer pains? How does the new technology contribute to the streamlining of the business process? Who will benefit from the new action? What are the implications of those benefits?
    • Record the results of this exercise in section 2.4 of the Proof of Concept Template.

    This image contains an example of an outline comparing the benefits of new and the old business processes.

    Info-Tech Insight

    If you cannot articulate how a new technology will benefit a business process, reconsider moving forward with the proof-of-concept project.

    Phase 3: Evaluate

    Create an Action Plan to Exploit Disruptive Technologies

    Activities:

    Step 3.1: Create Process Maps
    Step 3.2: Develop Proof of Concept Charter

    Develop Proof of Concept Charter

    This step involves the following participants:

    • Core working group
    • Infrastructure Management
    • Working group leader
    • CIO

    Outcomes of this step:

    • Business process maps before and after disruption
    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources

    Step 3.2

    Develop Proof of Concept Charter

    Activities:

    1. Use SMART success metrics to define your objectives
    2. Develop key performance indicators (KPIs)
    3. Identify key success factors for the project
    4. Outline the project’s scope
    5. Identify the structure of the team responsible for the proof-of-concept project
    6. Estimate the resources required by the project
    7. Be aware of common IT project concerns
    8. Communicate your working group’s findings and successes to a wide audience
    9. Hand off the completed proof-of-concept project plan
    10. Disruption is constant: Repeat the evaluation process regularly to protect the business

    This step involves the following participants:

    • Working group leader
    • CIO

    Outcomes of this step:

    • Proof of concept charter
    • Key performance indicators
    • Estimation of required resources

    3.2 Develop a proof of concept charter

    Keep your proof of concept on track by defining five key dimensions.

    1. Objective: Giving an overview of the planned proof of concept will help to focus and clarify the rest of this section. What must the proof of concept achieve? Objectives should be: specific, measurable, attainable, relevant, and time bound. Outline and track key performance indicators.
    2. Key Success Factors: These are conditions that will positively impact the proof of concept’s success.
    3. Scope: High-level statement of scope. More specifically, state what is in scope and what is out of scope.
    4. Project Team: Identify the team’s structure, e.g. sponsors, subject-matter experts.
    5. Resource Estimation: Identify what resources (time, materials, space, tools, expertise, etc.) will be needed to build and socialize your prototype. How will they be secured?

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.A Use SMART success metrics to define your objectives

    Specific

    Measurable

    Actionable

    Realistic

    Time Bound

    Make sure the objective is clear and detailed.

    Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.

    Objectives become actionable when specific initiatives designed to achieve the objective are identified.

    Objectives must be achievable given your current resources or known available resources.

    An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

    Who, what, where, why?

    How will you measure the extent to which the goal is met?

    What is the action-oriented verb?

    Is this within my capabilities?

    By when: deadline, frequency?

    Examples:

    1. Increase in sales by $40,000 per month by the end of next quarter.
    2. Immediate increase in web traffic by 600 unique page views per day.
    3. Number of pilots approved per year.
    4. Number of successfully deployed solutions per year.

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.B Develop key performance indicators (KPIs)

    30 minutes per technology

    Key performance indicators allow for rigorous analysis, which generates insight into utilization by platform and consumption by business activity.

    • Use the process improvements identified in step 3.1 to brainstorm metrics that indicate when process improvement is actually taking place.
    • Have members of the group pitch KPIs; the facilitator should record each suggestion on a whiteboard.
    • Make sure to have everyone justify the inclusion of each metric: How does it relate to the improvement that the proof of concept project is intended to drive? How does it relate to the overall goals of the business?
    • Include a list of KPIs, along with a description and a target (ensuring that it aligns with SMART metrics) in section 3.1 of the Proof of Concept Template.

    “An estimated 70% of performance measurement systems fail after implementation. Carefully select your KPIs and avoid this trap!”
    Source: Collins et al. 2016

    Key Performance Indicator Description Target

    Result

    Conversion rate What percentage of customers who visit the site/open the conversational interface continue on to make a purchase? 40%
    Average order value

    How much does each customer spend per visit to the website?

    $212
    Repeat customer rate What percentage of customers have made more than one purchase over time? 65%
    Lifetime customer value Over the course of their interaction with the company, what is the typical value each customer brings? $1566

    Input the results of this exercise into Section 3.1 of the Proof of Concept Template.

    3.2.C Identify key success factors for the project

    30 minutes per technology

    Effective project management involves optimizing four key success factors (Clarke, 1999)

    • Communication: Communicate the expected changes to stakeholders, making sure that everyone who needs to know does know. Example: Make sure customer service representatives know their duties will be impacted by the conversational UI well before the proof-of-concept project begins.
    • Clarity: All involved in the project should be apprised of what the project is intended to accomplish and what the project is not intended to accomplish. Example: The conversational commerce project is not intended to be rolled out to the entire customer base all at once; it is not intended to disrupt normal online sales.
    • Compartmentalization: The working group should suggest some ways that the project can be broken down to facilitate its effective implementation. Example: Sales provides details of customers who might be amenable to a trial, IT secures a vendor, customer service writes a script.
    • Flexibility: The working group’s final output should not be treated as gospel. Ensure that the document can be altered to account for unexpected events. Example: The conversational commerce platform might drive sales of a particular product more than others, necessitating adjustments at the warehouse and shipping level.

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.D Outline the project’s scope

    10 minutes per technology

    Create a high-level outline of the project’s scope.

    • Questions to consider: Broadly speaking, what are the project’s goals? What is the desired future state? Where in the company will the project be rolled out? What are some of the company’s goals that the project is not designed to cover?
    • Be sure to avoid scope creep! Remember: The goal of the proof-of-concept project is to produce a minimum case for viability in a carefully defined area. Reserve a detailed accounting of costs and benefits for the post-proof-of-concept stage.
    • Example: The conversational user interface will only be rolled out in an e-commerce setting. Other business units (HR, for example) are beyond the scope of this particular project.

    “Although scope creep is not the only nemesis a project can have, it does tend to have the farthest reach. Without a properly defined project and/or allowing numerous changes along the way, a project can easily go over budget, miss the deadline, and wreak havoc on project success.”
    – University Alliance, Villanova University

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.E Identify the structure of the team responsible for the proof-of-concept project

    10 minutes per technology

    Brainstorm who will be involved in project implementation.

    • Refer back to the list of stakeholders identified in 3.1.a. Which stakeholders should be involved in implementing the proof-of-concept plan?
    • What business units do they represent?
    • Who should be accountable for the project? At a high level, sketch the roles of each of the participants. Who will be responsible for doing the work? Who will approve it? Who needs to be informed at every stage? Who are the company’s internal subject matter experts?

    Example

    Name/Title Role
    IT Manager Negotiate the contract for the software with vendor
    CMO Promote the conversational interface to customers

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.F Estimate the resources required by the project

    10 minutes per technology

    Time and Money

    • Recall: Costs can be operational, capital, or opportunity.
    • Revisit the Disruptive Technology Value-Readiness and SWOT Analysis Tool. Record the capital and operational expenses expected to be associated with each technology, and add detail where possible (use exact figures from particular vendors instead of percentages).
    • Write the names and titles of each expected participant in the project on a whiteboard. Next to each name, write the number of hours they are expected to devote to the project and include a rough estimate of the cost of their participation to the company. Use full-time employee equivalent (FTE measures) as a base.
    • Outline how other necessary resources (space, tools, expertise, etc.) will be secured.

    Example: Conversational Commerce

    • OpEx: $149/month + 2.9¢/transaction* (2,000 estimated transactions)
    • CapEx: $0!
    • IT Manager: 5 hours at $100/hour
    • IT Technician: 40 hours at $45/hour
    • CMO: 1 hour at $300/hour
    • Customer Service Representative: 10 hours at $35/hour
    • *Estimated total cost for a one-month proof-of-concept project: $3,157

    *This number is a sample taken from the vendor Rhombus

    Input the results of this exercise into Section 3.0 of the Proof of Concept Template.

    3.2.G Be aware of common IT project concerns

    Of projects that did not meet business expectations or were cancelled, how significant were the following issues?

    A bar graph is depicted, comparing small, medium, and large businesses for the following datasets: Over budget; Project failed to be delivered on time; Breach of scope; Low quality; Failed to deliver expected benefit or value

    This survey data did not specifically address innovation projects.

    • Disruptive technology projects will be under increased scrutiny in comparison to other projects.
    • Be sure to meet deadlines and stay within budget.
    • Be cognizant that your projects can go out of scope, and there will be projects that may have to be cancelled due to low quality. Remember: Even a failed test is a learning opportunity!

    Info-Tech’s CIO-CEO Alignment Survey, N=225

    Organization size was determined by the number of IT employees within the organization

    Small = 10 or fewer IT staff, medium = 11 to 25 IT staff, and large/enterprise = 26 or greater IT staff

    3.2.H Communicate your working group’s findings and successes to a wide audience

    Advertise the group’s successes and help prevent airline magazine syndrome from occurring.

    • Share your group’s results internally:
      • Run your own analysis by senior management and then share it across the organization.
      • Maintain a list of technologies that the working group has analyzed and solicit feedback from the wider organization.
      • Post summaries of the technologies in a publicly available repository. The C-suite may not read it right away, but it will be easy to provide when they ask.
      • If senior management has declined to proceed with a certain technology, avoid wasting time and resources on it. However, include notes about why the technology was rejected.
    • These postings will also act as an advertisement for the group. Use the garnered interest to attract visionaries for the next cycle.
    • These postings will help to reiterate the innovative value of the IT department and help bring you to the decision-making table.

    “Some CIOs will have to battle the bias that they belong in the back office and shouldn’t be included in product architecture planning. CIOs must ‘sell’ IT’s strength in information architecture.”
    – Chris Curran, Chief Technologist, PwC (Curran, 2014)

    Info-Tech Insight

    Cast a wide net. By sharing your results with as many people as possible within your organization, you’ll not only attract more attention to your working group, but you will also get more feedback and ideas.

    3.2.I Hand off the completed proof-of-concept project plan

    The proof of concept template is filled out – now what?

    • The core working group is responsible for producing a vision of the future and outlining new technology’s disruptive potential. The actual implementation of the proof of concept (purchasing the hardware, negotiating the SLA with the vendor) is beyond the working group’s responsibilities.
    • If the proof of concept goes ahead, the facilitator should block some time to evaluate the completed project against the key performance indicators identified in the initial plan.
    • A cure for airline magazine syndrome: Be prepared when executives ask about new technology. Present them with the results of the shortlist analysis and the proof-of-concept plan. A clear accounting of the value, readiness, strengths, weaknesses, opportunities, and threats posed by each technology, along with its impact on business processes, is an invaluable weapon against poor technology choices.

    Use section 3.2.b to identify the decision-making stakeholder who has the most to gain from a successful proof-of-concept project. Self-interest is a powerful motivator – the project is more likely to succeed in the hands of a passionate champion.

    Info-Tech Insight

    Set a date for the first meeting of the new iteration of the disruptive technology working group before the last meeting is done. Don’t risk pushing it back indefinitely.

    3.2.J Hand off the completed proof-of-concept project plan

    Record the results of the proof of concept. Keep track of what worked and what didn’t.

    Repeat the process regularly.

    • Finalize the proof of concept template, but don’t stop there: Keep your ear to the ground; follow tech developments using the sources identified in step 1.2.
    • Continue expanding the potential longlist with independent research: Be prepared to expand your longlist. Remember, the more technologies you have on the longlist, the more potential airline magazine syndrome cures you have access to.
    • Have the results of the previous session’s proof of concept plan on hand: At the start of each new iteration, conduct a review. What technologies were successful beyond the proof of concept phase? Which parts of the process worked? Which parts did not? How could they be improved?

    Info-Tech Insight

    The key is in anticipation. This is not a one-and-done exercise. Technology innovation operates at a faster pace than ever before, well below the Moores Law "18 month" timeline as an example. Success is in making EDIT a repeatable process.

    Related Info-Tech Research

    Define Your Digital Business Strategy
    After a major crisis, find your place in the digital economy.

    Develop a Project Portfolio Management Strategy
    Drive project throughput by throttling resource capacity.

    Adopt Design Thinking in Your Organization
    Innovation needs design thinking.

    Digital Maturity Improvement Service
    Prepare your organization for digital transformation – or risk falling behind.

    Research contributors and experts

    Nitin Babel

    Nitin Babel, Co-Founder, niki.ai

    Nitin Babel, MSc, co-created conversational commerce platform niki.ai in early 2015. Since then, the technology has been featured on the front page of the Economic Times, and has secured the backing of Ratan Tata, former chairman of the Tata Group, one of the largest companies in the world.

    Mark Hubbard

    Mark Hubbard, Senior Vice President, FirstOnSite

    Mark is the SVP for Information Technology in Canada with FirstOnSite, a full service disaster recovery and property restoration company. Mark has over 25 years of technology leadership guiding global organizations through the development of strategic and tactical plans to strengthen their technology platforms and implement business aligned technology strategies.

    Chris Green

    Chris Green, Enterprise Architect, Boston Private
    Chris is an IT architect with over 15 years’ experience designing, building, and implementing solutions. He is a results-driven leader and contributor, skilled in a broad set of methods, tools, and platforms. He is experienced with mobile, web, enterprise application integration, business process, and data design.

    Andrew Kope

    Andrew Kope, Head of Data Analytics
    Big Blue Bubble
    Andrew Kope, MSc, oversees a team that develops and maintains a user acquisition tracking solution and a real-time metrics dashboard. He also provides actionable recommendations to the executive leadership of Big Blue Bubble – one of Canada’s largest independent mobile game development studios.

    Jason Hong

    Jason Hong, Associate Professor, School of Computer Science, Human-Computer Interaction Institute, Carnegie Mellon University

    Jason Hong is a member of the faculty at Carnegie Mellon’s School of Computer Science. His research focus lies at the intersection of human-computer interaction, privacy and security, and systems. He is a New America National Cyber Security Fellow (2015-2017) and is widely published in academic and industry journals.

    Tim Lalonde

    Tim Lalonde, Vice President, Mid-Range

    Tim Lalonde is the VP of Technical Operations at Mid-Range. He works with leading-edge companies to be more competitive and effective in their industries. He specializes in developing business roadmaps leveraging technology that create and support change from within — with a focus on business process re-engineering, architecture and design, business case development and problem-solving. With over 30 years of experience in IT, Tim’s guiding principle remains simple: See a problem, fix a problem.

    Jon Mavor

    Jon Mavor, Co-Founder and CTO, Envelop VR
    Jon Mavor is a programmer and entrepreneur, whose past work includes writing the graphics engine for the PC game Total Annihilation. As Chief Technology Officer of Envelop VR, a virtual reality start-up focused on software for the enterprise, Jon has overseen the launch of Envelop for Windows’s first public beta.

    Dan Pitt

    Dan Pitt, President, Palo Alto Innovation Advisors
    Dan Pitt is a network architect who has extensive experience in both the academy and industry. Over the course of his career, Dan has served as Executive Director of the Open Networking Foundation, Dean of Engineering at Santa Clara University, Vice President of Technology and Academic Partnerships at Nortel, Vice President of the Architecture Lab at Bay Networks, and, currently, as President of Palo Alto Innovation Advisors, where he advises and serves as an executive for technology start-ups in the Palo Alto area and around the world.

    Courtney Smith

    Courtney Smith, Co-Founder, Executive Creative Director
    PureMatter

    Courtney Smith is an accomplished creative strategist, storyteller, writer, and designer. Under her leadership, PureMatter has earned hundreds of creative awards and been featured in the PRINT International Design Annual. Courtney has juried over 30 creative competitions, including Creativity International. She is an invited member of the Academy of Interactive and Visual Arts.

    Emmanuel Tsekleves

    Emmanuel Tsekleves, Senior Lecturer in Design Interactions, University of Lancaster
    Dr. Emmanuel Tsekleves is a senior lecturer and writer based out of the United Kingdom. Emmanuel designs interactions between people, places, and products by forging creative design methods along with digital technology. His design-led research in the areas of health, ageing, well-being, and defence has generated public interest and attracted media attention by the national press, such as the Daily Mail, Daily Mirror, The Times, the Daily Mail, Discovery News, and several other international online media outlets.

    Bibliography

    Airini Ab Rahman. “Emerging Technologies with Emerging Effects; A Review”. Universiti Teknologi Malaysia. PERINTIS eJournal, June 2017. Web.

    Anthony, Scott. “Kodak’s Downfall Wasn’t About Technology.” Harvard Business Review, 15 July 2016. Web.

    ARM. The Intelligent Flexible Cloud. 26 Feb. 2015. Web.

    Association of Computing Machinery. Communications of the ACM, n.d. Web.

    Barnett, Thomas. “Three Mobile Trends to Watch.” Cisco Blogs, 3 Feb. 2015. Web.

    Batelle, John. “The 70 Percent Solution.” CNN, 1 Dec 2005. Web.

    Booz Allen Hamilton. Managing Technological Change: 7 Ways to Talk Tech with Management, n.d. Web.

    Brynjolfsson, Erik, and Andrew McAfee. The Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant Technologies. W. W. Norton, 2014. Print.

    Christensen, Clayton M. “What is Disruptive Innovation?” Harvard Business Review, Dec 2015. Web.

    Christensen, Clayton M. and James Euchner. “Managing Disruption: An Interview With Clayton Christensen.” Research-Technology Management, 22 Dec 2015. vol. 54, no. 1. Web.

    Christensen, Clayton M., Rory McDonald, and Elizabeth J. Altman. “Disruptive Innovation: An Intellectual History and Directions for Future Research”. Wiley Online Library. Web.

    Christensen, Clayton M., Taddy Hall, Karen Dillon, and David S. Duncan. “Know Your Customers’ Jobs to be Done.” Harvard Business Review, Sept. 2016. Web.

    Cisco. “Cisco Annual Internet Report.” n.d. Web.

    Cisco. Cisco Visual Networking Index: Forecast and Methodology, 2014-2019, 27 May 2015. Web.

    Clark, Steven. “Elon Musk hopes SpaceX will send humans to Mars in 2024.” Spaceflight Now, 2 June 2016. Web.

    Clarke, Angela. “A practical use of key success factors to improve the effectiveness of project management,” International Journal of Project Management, June 1999 (17): 139-145.

    Collins, Andrew L., Patrick Hester, Barry Ezell, and John Horst. “An improvement selection methodology for key performance indicators.” Environmental Systems and Decisions, June 2016, 36 (2): 196-208.

    Computer Sciences Corporation. CSC Global CIO Survey: 2014-2015: CIOs Emerge as Disruptive Innovators: An Annual Barometer of Global CIOs’ Plans, Priorities, Threats, and Opportunities, 2014. Web.

    Constine, John. “Voice is Chat’s Next Battleground.” TechCrunch, 19 Sept. 2016. Web.

    Cressman, Daryl. “Disruptive Innovation and the Idea of Technology”. Maastricht University, June 2019. Web.

    Crown Prosecution Service. A Guide to Process Mapping and Improvement. n.d. Web.

    Curran, Chris. “The CIO’s Role in the Internet of Things.” PwC, 13 Mar. 2014. Web.

    Darbha, Sheta, Mike Shevenell, and Jason Normandin. “Impact of Software-Defined Networking on Infrastructure Management.” CA Technology Exchange, 4.3, Nov. 2013, pp. 33-43. Web.

    Denecken, Sven. Conquering Disruption Through Digital Transformation: Technologies, Leadership Strategies, and Best Practices to Create Opportunities for Innovation. SAP, 2014. Web.

    DHL Trend Research and Cisco Consulting Services. Internet of Things in Logistics: A Collaborative Report by DHL and Cisco on Implications and Use Cases for the Logistics Industry, 2015. Web.

    Dirican, Cüneyt. “The Impacts of Robotics, Artificial Intelligence on Business and Economics.” Procedia: Social and Behavioral Sciences, vol. 195, 2015, pp. 564-573. Web.

    Edraw Visualization Solutions. Examples of Flowcharts, Org Charts and More. “Cross-Function Flowchart Examples – Service Flowchart.”

    Emerson. Data Center 2025: Exploring the Possibilities, 2014. Web.

    Ericsson. Next-Generation Data Center Infrastructure, Feb. 2015. Web.

    Eurotech. Connecting M2M Applications to the Cloud to Bolster Hardware Sales, 2014. Web.

    Evans Gary, Llewellyn. “Disruptive Technology and the Board: The Tip of the Iceberg”. Economics and Business Review, n.d. Web.

    Evans Gary, Llewellyn. “Disruptive Technology and the Board: The Tip of the Iceberg”. Economics and Business Review, n.d. Web.

    Gage, Deborah. “The Venture Capital Secret: 3 Out of 4 Start-Ups Fail.” Wall Street Journal, 20 Sept. 2012. Web.

    Garvin, David A. “Competing on the Eight Dimensions of Quality.” Harvard Business Review, November 1987. Web.

    Gibbs, Colin. Augmented Reality in the Enterprise: Opportunities and Challenges. Gigaom Research, 26 Jan. 2015. Web.

    Glushko, Robert J. and Tim McGrath. Document Engineering: Analyzing and Designing Documents for Business Informatics and Web Services. MIT Press, 2005.

    Hadfield, Tom. “Facebook’s Messenger Bot Store could be the most important launch since the App Store.” TechCrunch, 17 March 2016. Web.

    Healey, Nic. “Microsoft's mixed reality vision: 80 million devices by 2020.” CNET, 1 June 2016. Web.

    Hewlett-Packard. Go Beyond Cost Reduction: Use Robotic Process Automation, Oct. 2015. Web.

    Hewlett-Packard. HP Composable Infrastructure: Bridging Traditional IT with the New Style of Business, June 2015. Web.

    Hewlett-Packard. HP Labs, n.d. Web.

    Hong, Jason. “Inside the Great Wall.” Communications of the ACM, 25 May 2016. Web.

    IBM Institute for Value. Your Cognitive Future: How Next-Gen Computing Changes the Way We Live and Work, 2015. Web.

    IBM. A New Way to Work: Futurist Insights to 2025 and Beyond, Jan. 2015. Web.

    Infinity. The Evolution of the Data Centre [sic], 2015. Web.

    Intel Corporation. Intel Annual Report, 1997. Web.

    Isaac, Mike. “Facebook Bets on Bots for its Messenger App.” New York Times, 12 April 2016. Web.

    ISACA. COBIT 5: Enabling Processes. ISACA, 2012. Print.

    K-12 Blueprint. “Planning a Proof of Concept.” 2014. Web.

    Kaushik Rukmini, Meenakshi. “The Impact of Pandemic COVID -19 in Workplace.” European Journal of Business Management and Research, May 2020. Web.

    Knight, Will. “Conversational Interfaces Powerful speech technology from China’s leading Internet company makes it much easier to use a smartphone.” MIT Technology Review, n.d. Web.

    Kostoff, Ronald N., Robert Boylan, and Gene R. Simons. “Disruptive Technology Roadmaps.” Technological Forecasting and Social Change, 2004. Vol. 71. Web.

    Kurzweil, Ray. “The Accelerating Power of Technology.” TED, Feb. 2005. Web.

    Kurzweil, Ray. Kurzweil: Accelerating Intelligence, 2015. Web.

    MacFarquhar, Larissa. “When Giants Fall: What Business Has Learned From Clayton Christensen,” New Yorker, 14 May 2012. Web.

    McClintock, Cat. “2016: The Year for Augmented Reality in the Enterprise.” PTC, n.d. Web.

    McKinsey & Company. IT Growth and Global Change: A Conversation with Ray Kurzweil. 29 Feb. 2012, YouTube. Web.

    Messina, Chris. “2016 Will be the Year of Conversational Commerce.” Medium, 19 Jan 2016. Web.

    Microsoft. Microsoft Research, n.d. Web.

    Miller, Ron. “Forget the Apple Watch, Think Drones in the Enterprise.” TechCrunch, 10 Sep. 2015. Web.

    Nokia Networks. FutureWorks [sic]: Teaching Networks to be Self-Aware: Technology Vision 2020. 2014. Web.

    Nokia Networks. Internet of Things. n.d. Web.

    O’Reilly, Charles, and Andrew J. M. Binns, “The Three Stages of Disruptive Innovation: Idea Generation, Incubation, and Scaling”. Sage Journals, n.d. Web.

    Pew Research Center. AI, Robotics, and the Future of Jobs: Experts Envision Automation and Intelligent Digital Agents Permeating Vast Areas of Our Work and Personal Lives by 2025, but they are Divided on Whether these Advances will Displace More Jobs than they Create. Aug. 2014. Web.

    Ramiller, Neil. “Airline Magazine Syndrome: Reading a Myth of Mismanagement.” Information Technology & People, Sept 2001. Print.

    Raymond James & Associates. The Internet of Things: A Study in Hype, Reality, Disruption, and Growth. 2014. Web.

    Richter, Felix. “No Growth in Sight for Global PC Market.” Statista, 14 March 2016. Web.

    Roy, Mekhala. “4 Examples of Digital Transformation Success in Business”. TechTarget, n.d. Web.

    Simon Weinreich, “How to Manage Disruptive Innovation - a conceptional methodology for value-oriented portfolio planning,” Sciencedirect. 31st CIRP Design Conference 2021.

    Spice Works. The Devices are Coming! How the “Internet of Things” will affect IT… and why resistance is futile. May 2014. Web.

    Spradlin, Dwayne. “Are You Solving the Right Problem?” Harvard Business Review, Sept. 2012. Web.

    Statista. “Number of smartphones sold to end users worldwide from 2007 to 2015 (in million units).” N.d. Web.

    Statista. “Worldwide tablet shipments from 2nd quarter 2010 to 2nd quarter 2016 (in million units).” N.d. Web.

    Sven Schimpf, “Disruptive Field Study; How Companies Identify, Evaluate, Develop and Implement Disruptive Technologies.” Fraunhofer Group for Innovation Research, 2020. Web.

    Tsekleves, Emmanuel. “Science fiction as fact: how desires drive discoveries.” The Guardian. 13 Aug. 2015. Web.

    Tsekleves, Emmanuel. “Science fiction as fact: how desires drive discoveries.” The Guardian, 13 Aug. 2015. Web.

    United States Department of Transportation. “National Motor Vehicle Crash Causation Survey: Report to Congress.” National Highway Traffic Safety Administration, July 2008. Web.

    United States Department of Transportation. “National Motor Vehicle Crash Causation Survey: Report to Congress.” National Highway Traffic Safety Administration, July 2008. Web.

    University Alliance (Villanova U). Managing Scope Creep in Project Management. N.d. Web.

    Vavoula, Giasemi N., and Mike Sharples. “Future Technology Workshop: A Collaborative Method for the Design of New Learning Technologies and Activities.” International Journal of Computer Supported Collaborative Learning, Dec 2007. Vol. 2 no. 4. Web.

    Walraven Pieter. “It’s Operating Systems Vs. Messaging Apps In The Battle For Tech’s Next Frontier.” TechCrunch, 11 Aug 2015. Web.

    Webb, Amy. “The Tech Trends You Can’t Ignore in 2015.” Harvard Business Review, 5 Jan. 2015. Web.

    Wenger, Albert. “The Great Bot Rush of 2015-16.” Continuations, 16 Dec 2015. Web.

    White, Chris. “IoT Tipping Point Propels Digital Experience Era.” Cisco Blogs, 12 Nov. 2014. Web.

    World Economic Forum and Accenture. Industrial Internet of Things: Unleashing the Potential of Connected Products and Services. 2015. Web.

    Yu Dan and Hang Chang Chieh, "A reflective review of disruptive innovation theory," PICMET '08 - 2008 Portland International Conference on Management of Engineering & Technology, 2008, pp. 402-414, doi: 10.1109/PICMET.2008.4599648.

    Integrate IT Risk Into Enterprise Risk

    • Buy Link or Shortcode: {j2store}195|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $12,599 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • IT risks, when considered, are identified and classified separately from the enterprise-wide perspective.
    • IT is expected to own risks over which they have no authority or oversight.
    • Poor behaviors, such as only considering IT risks when conducting compliance or project due diligence, have been normalized.

    Our Advice

    Critical Insight

    • Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize the organization’s ability to respond to risk.

    Impact and Result

    • Understand gaps in the organization’s current approach to risk management practices.
    • Establish a standardized approach for how IT risks impact the enterprise as a whole.
    • Drive a risk-aware organization toward innovation and consider alternative options for how to move forward.
    • Integrate IT risks into the foundational risk practice.

    Integrate IT Risk Into Enterprise Risk Research & Tools

    Integrated Risk Management Capstone – A framework for how IT risks can be integrated into your organization’s enterprise risk management program to enable strategic risk-informed decisions.

    This is a capstone blueprint highlighting the benefits of an integrated risk management program that uses risk information and data to inform strategic decision making. Throughout this research you will gain insight into the five core elements of integrating risk through assessing, governing, defining the program, defining the process, and implementing.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Integrate IT Risk Into Enterprise Risk Capstone
    • Integrated Risk Maturity Assessment
    • Risk Register Tool

    Infographic

    Further reading

    Integrate IT Risk Into Enterprise Risk

    Don’t fear IT risks, integrate them.

    EXECUTIVE BRIEF

    Analyst Perspective

    Having siloed risks is risky business for any enterprise.

    Photo of Valence Howden, Principal Research Director, CIO Practice.
    Valence Howden
    Principal Research Director, CIO Practice
    Photo of Petar Hristov Research Director, Security, Privacy, Risk & Compliance.
    Petar Hristov
    Research Director, Security, Privacy, Risk & Compliance
    Photo of Ian Mulholland Research Director, Security, Risk & Compliance.
    Ian Mulholland
    Research Director, Security, Risk & Compliance
    Photo of Brittany Lutes, Senior Research Analyst, CIO Practice.
    Brittany Lutes
    Senior Research Analyst, CIO Practice
    Photo of Ibrahim Abdel-Kader, Research Analyst, CIO Practice
    Ibrahim Abdel-Kader
    Research Analyst, CIO Practice

    Every organization has a threshold for risk that should not be exceeded, whether that threshold is defined or not.

    In the age of digital, information and technology will undoubtedly continue to expand beyond the confines of the IT department. As such, different areas of the organization cannot address these risks in silos. A siloed approach will produce different ways of identifying, assessing, responding to, and reporting on risk events. Integrated risk management is about embedding IT uncertainty to inform good decision making across the organization.

    When risk is integrated into the organization's enterprise risk management program, it enables a single view of all risks and the potential impact of each risk event. More importantly, it provides a consistent view of the risk event in relation to uncertainty that might have once been seemingly unrelated to IT.

    And all this can be achieved while remaining within the enterprise’s clearly defined risk appetite.

    Executive Summary

    Your Challenge

    Most organizations fail to integrate IT risks into enterprise risks:

    • IT risks, when considered, are identified and classified separately from the enterprise-wide perspective.
    • IT is expected to own risks over which they have no authority or oversight.
    • Poor behaviors, such as only considering IT risks when conducting compliance or project due diligence, have been normalized.

    Common Obstacles

    IT leaders have to overcome these obstacles when it comes to integrating risk:

    • Making business leaders aware of, involved in, and able to respond to all enterprise risks.
    • A lack of data or information being used to support a holistic risk management process.
    • A low level of enterprise risk maturity.
    • A lack of risk management capabilities.

    Info-Tech’s Approach

    By leveraging the Info-Tech Integrated Risk approach, your business can better address and embed risk by:

    • Understanding gaps in the organization’s current approach to risk management practices.
    • Establishing a standardized approach for how IT risks impact the enterprise as a whole.
    • Driving a risk-aware organization toward innovation and considering alternative options for how to move forward.
    • Helping integrate IT risks into the foundational risk practice.

    Info-Tech Insight

    Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize its ability to respond to risk.

    What is integrated risk management?

    • Integrated risk management is the process of ensuring all forms of risk information, including information and technology, are considered and included in the enterprise’s risk management strategy.
    • It removes the siloed approach to classifying risks related to specific departments or areas of the organization, recognizing that each of those risks is a threat to the overarching enterprise.
    • Aggregating the different threats or uncertainty that might exist within an organization allows for informed decisions to be made that align to strategic goals and continue to drive value back to the business.
    • By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

    Enterprise Risk Management (ERM)

    • IT
    • Security
    • Digital
    • Vendor/Third Party
    • Other

    Enterprise risk management is the practice of identifying and addressing risks to your organization and using risk information to drive better decisions and better opportunities.

    IT risk is enterprise risk

    Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

    Your challenge

    Embedding IT risks into the enterprise risk management program is challenging because:

    • Most organizations classify risks based on the departments or areas of the business where the uncertainty is likely to happen.
    • Unnecessary expectations are placed on the IT department to own risks over which they have no authority or oversight.
    • Risks are often only identified when conducting due diligence for a project or ensuring compliance with regulations and standards.

    Risk-mature organizations have a unique benefit in that they often have established an overarching governance framework and embedded risk awareness into the culture.

    35% — Only 35% of organizations had embraced ERM in 2020. (Source: AICPA and NC State Poole College of Management)

    12% — Only 12% of organizations are leveraging risk as a tool to their strategic advantage. (Source: AICPA and NC State Poole College of Management)

    Common obstacles

    These barriers make integrating IT risks difficult to address for many organizations:

    • IT risks are not seen as enterprise risks.
    • The organization’s culture toward risk is not defined.
    • The organization’s appetite and threshold for risk are not defined.
    • Each area of the organization has a different method of identifying, assessing, and responding to risk events.
    • Access to reliable and informative data to support risk management is difficult to obtain.
    • Leadership does not see the business value of integrating risk into a single management program.
    • The organization’s attitudes and behaviors toward risk contradict the desired and defined risk culture.
    • Skills, training, and resources to support risk management are lacking, let alone those to support integrated risk management.

    Integrating risks has its challenges

    62% — Accessing and disseminating information is the main challenge for 62% of organizations maturing their organizational risk management. (Source: OECD)

    20-28% — Organizations with access to machine learning and analytics to address future risk events have 20 to 28% more satisfaction. (Source: Accenture)

    Integrate Risk and Use It to Your Advantage

    Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

    Risk management is more than checking an audit box or demonstrating project due diligence.

    Risk Drivers
    • Audit & compliance
    • Preserve value & avoid loss
    • Previous risk impact driver
    • Major transformation
    • Strategic opportunities
    Arrow pointing right. Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
    1. Assess Enterprise Risk Maturity 3. Build a Risk Management Program Plan 4. Establish Risk Management Processes 5. Implement a Risk Management Program
    2. Determine Authority with Governance
    Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
    IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

    Governance and related decision making is optimized with integrated and aligned risk data.

    List of 'Integrated Risk Maturity Categories': '1. Context & Strategic Direction', '2. Risk Culture and Authority', '3. Risk Management Process', and '4. Risk Program Optimization'. The five types of a risk in Enterprise Risk Management.

    ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

    The program plan is meant to consider all the major risk types in a unified approach.

    The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning. Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

    Integrated Risk Mapping — Downside Risk Focus

    A diagram titled 'Risk and Controls' beginning with 'Possible Sources' and a list of sources, 'Control Activities' to prevent, the 'RISK EVENT', 'Recovery Activities' to recover, and 'Possible Repercussions' with a list of ramifications.

    Integrated Risk Mapping — Downside and Upside Risk

    Third-Party Risk Example

    Example of a third-party risk mapped onto the diagram on the previous slide, but with potential upsides mapped out as well. The central risk event is 'Vendor exposes private customer data'. Possible Sources of the downside are 'External Attack' with likelihood prevention method 'Define security standard requirements for vendor assessment' and 'Exfiltration of data through fourth-party staff' with likelihood prevention method 'Ensure data is properly classified'. Possible Sources of the upside are 'Application rationalization' with likelihood optimization method 'Reduce number of applications in environment' and 'Review vendor assessment practices' with likelihood optimization method 'Improve vendor onboarding'. Possible Repercussions on the downside are 'Organization unable to operate in jurisdiction' with impact minimization method 'Engage in-house risk mitigation responses' and 'Fines levied against organization' with impact minimization method 'Report incident to any regulators'. Possible Repercussions on the upside are 'Easier vendor integration and management' with impact utilization method 'Improved vendor onboarding practices' and 'Able to bid on contracts with these requirements' with impact utilization method 'Vendors must provide attestations (e.g. SOC or CMMC)'.

    Insight Summary

    Overarching insight

    Stop fearing risk – integrate it. Integration leads to opportunities for organizations to embrace innovation and new digital technologies as well as reducing operational costs and simplifying reporting.

    Govern risk strategically

    Governance of risk management for information- and technology-related events is often misplaced. Just because it's classified as an IT risk does not mean it shouldn’t be owned by the board or business executive.

    Assess risk maturity

    Integrating risk requires a baseline of risk maturity at the enterprise level. IT can push integrating risks, but only if the enterprise is willing to adopt the attitudes and behaviors that will drive the integrated risk approach.

    Manage risk

    It is not a strategic decision to have different areas of the organization manage the risks perceived to be in their department. It’s the easy choice, but not the strategic one.

    Implement risk management

    Different areas of an enterprise apply risk management processes differently. Determining a single method for identification, assessment, response, and monitoring can ensure successful implementation of enterprise risk management.

    Tactical insight

    Good risk management will consider both the positives and negatives associated with a risk management program by recognizing both the upside and downside of risk event impact and likelihood.

    Integrated risk benefits

    IT Benefits

    • IT executives have a responsibility but not accountability when it comes to risk. Ensure the right business stakeholders have awareness and ability to make informed risk decisions.
    • Controls and responses to risks that are within the “IT” realm will be funded and provided with sufficient support from the business.
    • The business respects and values the role of IT in supporting the enterprise risk program, elevating its role into business partner.

    Business Benefits

    • Business executives and boards can make informed responses to the various forms of risk, including those often categorized as “IT risks.”
    • The compounding severity of risks can be formally assessed and ideally quantified to provide insight into how risks’ ramifications can change based on scenarios.
    • Risk-informed decisions can be used to optimize the business and drive it toward adopting innovation as a response to risk events.
    • Get your organization insured against cybersecurity threats at the lowest premiums possible.

    Measure the value of integrating risk

    • Reduce Operating Costs

      • Organizations can reduce their risk operating costs by 20 to 30% by adopting enterprise-wide digital risk initiatives (McKinsey & Company).
    • Increase Cybersecurity Threat Preparedness

      • Increase the organization’s preparedness for cybersecurity threats. 79% of organizations that were impacted by email threats in 2020 were not prepared for the hit (Diligent)
    • Increase Risk Management’s Impact to Drive Strategic Value

      • Currently, only 3% of organizations are extensively using risk management to drive their unique competitive advantage, compared to 35% of companies who do not use it at all (AICPA & NC State Poole College of Management).
    • Reduce Lost Productivity for the Enterprise

      • Among small businesses, 76% are still not considering purchasing cyberinsurance in 2021, despite the fact that ransomware attacks alone cost Canadian businesses $5.1 billion in productivity in 2020 (Insurance Bureau of Canada, 2021).

    “31% of CIO’s expected their role to expand and include risk management responsibilities.” (IDG “2021 State of the CIO,” 2021)

    Make integrated risk management sustainable

    58%

    Focus not just on the preventive risk management but also the value-creating opportunities. With 58% of organizations concerned about disruptive technology, it’s an opportunity to take the concern and transform it into innovation. (Accenture)

    70%

    Invest in tools that have data and analytics features. Currently, “gut feelings” or “experience” inform the risk management decisions for 70% of late adopters. (Clear Risk)

    54%

    Align to the strategic vision of the board and CEO, given that these two roles account for 54% of the accountability associated with extended enterprise risk management. (Extended Enterprise Risk Management Survey, 2020,” Deloitte)

    63%

    Include IT leaders in the risk committee to help informed decision making. Currently 63% of chief technology officers are included in the C‑suite risk committee. (AICPA & NC State Poole College of Management)

    Successful adoption of integrated risk management is often associated with these key elements.

    Assessment

    Assess your organization’s method of addressing risk management to determine if integrated risk is possible

    Assessing the organization’s risk maturity

    Mature or not, integrated risk management should be a consideration for all organizations

    The first step to integrating risk management within the enterprise is to understand the organization’s readiness to adopt practices that will enable it to successfully integrate information.

    In 2021, we saw enterprise risk management assessments become one of the most common trends, particularly as a method by which the organization can consolidate the potential impacts of uncertainties or threats (Lawton, 2021). A major driver for this initiative was the recognition that information and technology not only have enterprise-wide impacts on the organization’s risk management but that IT has a critical role in supporting processes that enable effective access to data/information.

    A maturity assessment has several benefits for an organization: It ensures there is alignment throughout the organization on why integrated risk is the right approach to take, it recognizes the organization’s current risk maturity, and it supports the organization in defining where it would like to go.

    Pie chart titled 'Organizational Risk Management Maturity Assessment Results' showing just under half 'Progressing', a third 'Established', a seventh 'Emerging', and a very small portion 'Leading or Aspirational'.

    Integrated Risk Maturity Categories

    Semi-circle with colored points indicating four categories.

    1

    Context & Strategic Direction Understand the organization’s main objectives and how risk can support or enhance those objectives.

    2

    Risk Culture and Authority Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.

    3

    Risk Management Process Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.

    4

    Risk Program Optimization Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.

    Maturity should inform your approach to risk management

    The outcome of the risk maturity assessment should inform how risk management is approached within the organization.

    A row of waves starting light and small and becoming taller and darker in steps. The levels are 'Non-existent', 'Basic', 'Partially Integrated', 'Mostly Integrated', 'Fully Integrated', and 'Optimized'.

    For organizations with a low maturity, remaining superficial with risk will offer more benefits and align to the enterprise’s risk tolerance and appetite. This might mean no integrated risk is taking place.

    However, organizations that have higher risk maturity should begin to integrate risk information. These organizations can identify the nuances that would affect the severity and impact of risk events.

    Integrated Risk Maturity Assessment

    The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).

    Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

    Integrated Risk Maturity Assessment

    A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization

    Sample of the Integrated Risk Maturity Assessment deliverable.

    Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.

    Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

    Develop a Security Operations Strategy

    • Buy Link or Shortcode: {j2store}264|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $79,249 Average $ Saved
    • member rating average days saved: 28 Average Days Saved
    • Parent Category Name: Security Processes & Operations
    • Parent Category Link: /security-processes-and-operations
    • There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
    • The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
    • Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of security technology investments.
    • It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
    • There is limited communication between security functions due to a centralized security operations organizational structure.

    Our Advice

    Critical Insight

    1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
    3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Impact and Result

    • A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
    • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Develop a Security Operations Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your security operations program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your current state

    Assess current prevention, detection, analysis, and response capabilities.

    • Develop a Security Operations Strategy – Phase 1: Assess Operational Requirements
    • Security Operations Preliminary Maturity Assessment Tool

    2. Develop maturity initiatives

    Design your optimized state of operations.

    • Develop a Security Operations Strategy – Phase 2: Develop Maturity Initiatives
    • Information Security Requirements Gathering Tool
    • Concept of Operations Maturity Assessment Tool

    3. Define operational interdependencies

    Identify opportunities for collaboration within your security program.

    • Develop a Security Operations Strategy – Phase 3: Define Operational Interdependencies
    • Security Operations RACI Chart & Program Plan
    • Security Operations Program Cadence Schedule Template
    • Security Operations Collaboration Plan
    • Security Operations Metrics Summary Document
    [infographic]

    Workshop: Develop a Security Operations Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Operational Requirements

    The Purpose

    Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.

    Key Benefits Achieved

    Determine why you need a sound security operations program.

    Understand Info-Tech’s threat collaboration environment.

    Evaluate your current security operation’s functions and capabilities.

    Activities

    1.1 Understand the benefits of refining your security operations program.

    1.2 Gauge your current prevention, detection, analysis, and response capabilities.

    Outputs

    Security Operations Preliminary Maturity Assessment Tool

    2 Develop Maturity Initiatives

    The Purpose

    Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.

    Key Benefits Achieved

    Establish your goals, obligations, scope, and boundaries.

    Assess your current state and define a target state.

    Develop and prioritize gap initiatives.

    Define the cost, effort, alignment, and security benefits of each initiative.

    Develop a security strategy operational roadmap.

    Activities

    2.1 Assess your current security goals, obligations, and scope.

    2.2 Design your ideal target state.

    2.3 Prioritize gap initiatives.

    Outputs

    Information Security Strategy Requirements Gathering Tool

    Security Operations Maturity Assessment Tool

    3 Define Operational Interdependencies

    The Purpose

    Identify opportunities for collaboration.

    Formalize your operational process flows.

    Develop a comprehensive and actionable measurement program.

    Key Benefits Achieved

    Understand the current security operations process flow.

    Define the security operations stakeholders and their respective deliverables.

    Formalize an internal information-sharing and collaboration plan.

    Activities

    3.1 Identify opportunities for collaboration.

    3.2 Formalize a security operations collaboration plan.

    3.3 Define operational roles and responsibilities.

    3.4 Develop a comprehensive measurement program.

    Outputs

    Security Operations RACI & Program Plan Tool

    Security Operations Collaboration Plan

    Security Operations Cadence Schedule Template

    Security Operations Metrics Summary

    Further reading

    INFO-TECH RESEARCH GROUP

    Develop a Security Operations Strategy

    Transition from a security operations center to a threat collaboration environment.

    Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
    © 1997-2017 Info-Tech Research Group Inc.

    ANALYST PERSPECTIVE

    “A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

    Phot of Edward Gray, Consulting Analyst, Security, Risk & Compliance, Info-Tech Research Group.

    Edward Gray,
    Consulting Analyst, Security, Risk & Compliance
    Info-Tech Research Group



    Our understanding of the problem

    This Research Is Designed For:
    • Chief Information Officer (CIO)
    • Chief Information Security Officer (CISO)
    • Chief Operating Officer (COO)
    • Security / IT Management
    • Security Operations Director / Security Operations Center (SOC)
    • Network Operations Director / Network Operations Center (NOC)
    • Systems Administrator
    • Threat Intelligence Staff
    • Security Operations Staff
    • Security Incident Responders
    • Vulnerability Management Staff
    • Patch Management
    This Research Will Help You:
    • Enhance your security program by implementing and streamlining next-generation security operations processes.
    • Increase organizational situational awareness through active collaboration between core threat teams, enriching internal security events with external threat intelligence and enhancing security controls.
    • Develop a comprehensive threat analysis and dissemination process: align people, process, and technology to scale security to threats.
    • Identify the appropriate technological and infrastructure-based sourcing decisions.
    • Design a step-by-step security operations implementation process.
    • Pursue continuous improvement: build a measurement program that actively evaluates program effectiveness.
    This Research Will Also Assist:
    • Board / Chief Executive Officer
    • Information Owners (Business Directors/VP)
    • Security Governance and Risk Management
    • Fraud Operations
    • Human Resources
    • Legal and Public Relations
    This Research Will Help Them
    • Aid decision making by staying abreast of cyberthreats that could impact the business.
    • Increase visibility into the organization’s threat landscape to identify likely targets or identify exposed vulnerabilities.
    • Ensure the business is compliant with regularity, legal, and/or compliance requirements.
    • Understand the value and return on investment of security operations offerings.

    Executive summary

    Situation

    • Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
    • Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

    Complication

    • There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
    • The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
    • Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
    • It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
    • There is limited communication between security functions due to a centralized security operations organizational structure.

    Resolution

    • A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
    • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

    Info-Tech Insight

    1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
    3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Data breaches are resulting in major costs across industries

    Horizontal bar chart of 'Per capita cost by industry classification of benchmarked companies', with the highest cost attributed to 'Health', 'Pharmaceutical', 'Financial', 'Energy', and 'Transportation'.

    Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

    '% of systems impacted by a data breach', '1% No Impact', '19% 1-10% impacted', '41% 11-30% impacted', '24% 31-50% impacted', '15% more than 50% impacted
    Divider line.
    '% of customers lost from a data breach', '61% Lost <20%', '21% Lost 20-40%', '8% Lost 40-60%', '6% Lost 60-80%', '4% Lost 80-100%'.
    Divider line.
    '% of business opportunity lost from a data breach', '58% Lost <20%', '25% Lost 20-40%', '9% Lost, 40-60%', '5% Lost 60-80%', '4% Lost 80-100%'.
    (Source: The Network, “ Cisco 2017 Security Capabilities Benchmark Study”)

    Persistent issues

    • Organizational barriers separating prevention, detection, analysis, and response efforts.
      Siloed operations limit collaboration and internal knowledge sharing.
    • Lack of knowledgeable security staff.
      Human capital is transferrable between roles and functions and must be cross-trained to wear multiple hats.
    • Failure to evaluate and improve security operations.
      The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
    • Lack of standardization.
      Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
    • Failure to acknowledge the auditor as a customer.
      Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

    60% Of organizations say security operation teams have little understanding of each other’s requirements.

    40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

    38-100% Increase in efficiency after closing operational gaps with collaboration.
    (Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

    The solution

    Bar chart of the 'Benefits of Internal Collaboration' with 'Increased Operational Efficiency' and 'Increased Problem Solving' having the highest percentage.

    “Empower a few administrators with the best information to enable fast, automated responses.”
    – Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security)

    Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations…

    When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.

    The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.

    Sources:
    Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).”
    Syngress. Designing and Building a Security Operations Center.

    Maintain a holistic security operations program

    Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
    Venn diagram of 'Next-Gen Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential. Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs
    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape. Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

    Info-Tech’s security operations blueprint ties together various initiatives

    Stock image 1.

    Design and Implement a Vulnerability Management Program

    Vulnerability Management
    Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
    Deliverables
    • Vulnerability Tracking Tool
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template
    • Vulnerability Mitigation Process Template
    Stock image 2.

    Integrate Threat Intelligence Into Your Security Operations

    Threat Intelligence
    Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
    • Maturity Assessment Tool
    • Threat Intelligence RACI Tool
    • Management Plan Template
    • Threat Intelligence Policy Template
    • Alert Template
    • Alert and Briefing Cadence Schedule
    Stock image 3.

    Develop Foundational Security Operations Processes

    Operations
    Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
    • Maturity Assessment Tool
    • Event Prioritization Tool
    • Efficiency Calculator
    • SecOps Policy Template
    • In-House vs. Outsourcing Decision-Making Tool
    • SecOps RACI Tool
    • TCO & ROI Comparison Calculator
    Stock image 4.

    Develop and Implement a Security Incident Management Program

    Incident Response
    Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
    • Incident Management Policy
    • Maturity Assessment Tool
    • Incident Management RACI Tool
    • Incident Management Plan
    • Incident Runbook Prioritization Tool
    • Various Incident Management Runbooks

    This blueprint will…

    …better protect your organization with an interdependent and collaborative security operations program.

    Phase 01

    Assess your operational requirements.

    Phase 02

    Optimize and further mature your security operations processes

    Phase 3a

    Develop the process flow and specific interaction points between functions

    Phase 3b

    Test your current capabilities with a table top exercise
    Briefly assess your current prevention, detection, analysis, and response capabilities.
    Highlight operational weak spots that should be addressed before progressing.
    Develop a prioritized list of security-focused operational initiatives.
    Conduct a holistic analysis of your operational capabilities.
    Define the operational interaction points between security-focused operational departments.
    Document the results in comprehensive operational interaction agreement.
    Test your operational processes with Info-Tech’s security operations table-top exercise.

    Info-Tech integrates several best practices to create a best-of-breed security framework

    Legend for the 'Information Security Framework' identifying blue best practices as 'In Scope' and white best practices as 'Out of Scope'. Info-Tech's 'Information Security Framework' of best practices with two main categories 'Governance' and 'Management', each with subcategories such as 'Context & Leadership' and 'Prevention', each with a group of best practices color-coded to the associated legend identifying them as 'In Scope' or 'Out of Scope'.

    Benefits of a collaborative and integrated operations program

    Effective security operations management will help you do the following:

    • Improve efficacy
      Develop structured processes to automate activities and increase process consistency across the security program. Expose operational weak points and transition teams from firefighting to an innovator role.
    • Improve threat protection
      Enhance network controls through the hardening of perimeter defenses, an intelligence-driven analysis process, and a streamlined incident remediation process.
    • Improve visibility and information sharing
      Promote both internal and external information sharing to enable good decision making.
    • Create and clarify accountability and responsibility
      Security operations management practices will set a clear level of accountability throughout the security program and ensure role responsibility for all tasks and processes involved in service delivery.
    • Control security costs
      Security operations management is concerned with delivering promised services in the most efficient way possible. Good security operations management practices will provide insight into current costs across the organization and present opportunities for cost savings.
    • Identify opportunities for continuous improvement
      Increased visibility into current performance levels and the ability to accurately identify opportunities for continuous improvement.

    Impact

    Short term:

    • Streamlined security operations program development process.
    • Completed comprehensive list of operational gaps and initiatives.
    • Formalized and structured implementation process.
    • Standardized operational use cases that predefine necessary operational protocol.

    Long term:

    • Enhanced visibility into immediate threat environment.
    • Improved effectiveness of internal defensive controls.
    • Increased operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhanced security pressure posture.
    • Improved communication with executives about relevant security risks to the business.

    Understand the cost of not having a suitable security operations program

    A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

    Cost Structure Cost Estimation ($) for SMB
    (Small and medium-sized business)
    Cost Estimation ($) for LE
    (Large enterprise)
    Security controls Technology investment: software, hardware, facility, maintenance, etc.
    Cost of process implementation: incident response, CMBD, problem management, etc.
    Cost of resource: salary, training, recruiting, etc.
    $0-300K/year $200K-2M/year
    Security incidents
    (if no security control is in place)
    Explicit cost:
    1. Incident response cost:
      • Remediation costs
      • Productivity: (number of employees impacted) × (hours out) × (burdened hourly rate)
      • Extra professional services
      • Equipment rental, travel expenses, etc.
      • Compliance fine
      • Cost of notifying clients
    2. Revenue loss: direct loss, the impact of permanent loss of data, lost future revenues
    3. Financial performance: credit rating, stock price
      Hidden cost:
      • Reputation, customer loyalty, etc.
    $15K-650K/year $270K-11M/year

    Workshop Overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities
    • Kick-off and introductions.
    • High-level overview of weekly activities and outcomes.
    • Activity: Define workshop objectives and current state of knowledge.
    • Understand the threat collaboration environment.
    • Understand the benefits of an optimized security operations.
    • Activity: Review preliminary maturity level.
    • Activity: Assess current people, processes, and technology capabilities.
    • Activity: Assess workflow capabilities.
    • Activity: Begin deep-dive into maturity assessment tool.
    • Discuss strategies to enhance the analysis process (ticketing, automation, visualization, use cases, etc.).
    • Activity: Design ideal target state.
    • Activity: Identify security gaps.
    • Build initiatives to bridge the gaps.
    • Activity: Estimate the resources needed.
    • Activity: Prioritize gap initiatives.
    • Activity: Develop dashboarding and visualization metrics.
    • Activity: Plan for a transition with the security roadmap and action plan.
    • Activity: Define and assign tier 1, 2 & 3 SOC roles and responsibilities.
    • Activity: Assign roles and responsibilities for each security operations initiative.
    • Activity: Develop a comprehensive measurement program.
    • Activity: Develop specific runbooks for your top-priority incidents (e.g. ransomware).
      • Detect the incident.
      • Analyze the incident.
      • Contain the incident.
      • Eradicate the root cause.
      • Recover from the incident.
      • Conduct post-incident analysis and communication.
    • Activity:Conduct attack campaign simulation.
    • Finalize main deliverables.
    • Schedule feedback call.
    Deliverables
    1. Security Operations Maturity Assessment Tool
    1. Target State and Gap Analysis (Security Operations Maturity Assessment Tool)
    1. Security Operations Role & Process Design
    2. Security Operations RACI Chart
    3. Security Operations Metrics Summary
    4. Security Operations Phishing Process Runbook
    5. Attack Campaign Simulation PowerPoint

    All Final Deliverables

    Develop a Security Operations Strategy

    PHASE 1

    Assess Operational Requirements

    1

    Assess Operational Requirements

    2

    Develop Maturity Initiatives

    3

    Define Interdependencies

    This step will walk you through the following activities:

    • Determine why you need a sound security operations program.
    • Understand Info-Tech’s threat collaboration environment.
    • Evaluate your current security operation’s functions and capabilities.

    Outcomes of this step

    • A defined scope and motive for completing this project.
    • Insight into your current security operations capabilities.
    • A prioritized list of security operations initiatives based on maturity level.

    Info-Tech Insight

    Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

    Warm-up exercise: Why build a security operations program?

    Estimated time to completion: 30 minutes

    Discussion: Why are we pursuing this project?

    What are the objectives for optimizing and developing sound security operations?

    Stakeholders Required:

    • Key business executives
    • IT leaders
    • Security operations team members

    Resources Required

    • Sticky notes
    • Whiteboard
    • Dry-erase markers
    1. Briefly define the scope of security operations
      What people, processes, and technology fall within the security operations umbrella?
    2. Brainstorm the implications of not acting
      What does the status quo have in store? What are the potential risks?
    3. Define the goals of the project
      Clarify from the outset: what exactly do you want to accomplish from this project?
    4. Prioritize all brainstormed goals
      Classify the goals based on relevant prioritization criteria, e.g. urgency, impact, cost.

    Info-Tech Best Practice

    Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

    Decentralizing the SOC: Security as a function

    Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

    Security operations must provide several fundamental functions:
    • Real-time monitoring, detecting, and triaging of data from both internal and external sources.
    • In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques.
    • Network/host scanning and vulnerability patch management.
    • Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders.
    • Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment.
    • Tuning and tweaking of technologies to ingest collected data and enhance the analysis process.
    • Enhance overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.
    Venn diagram of 'Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.
    At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

    Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

    Understand the levels of security operations

    Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

    Foundational Arrow with a plus sign pointing right. Operational Arrow with a plus sign pointing right. Strategic
    • Intrusion Detection Management
    • Active Device and Event Monitoring
    • Log Collection and Retention
    • Reporting and Escalation Management
    • Incident Management
    • Audit Compliance
    • Vendor Management
    • Ticketing Processes
    • Packet Capture and Analysis
    • SIEM
    • Firewall
    • Antivirus
    • Patch Management
    • Event Analysis and Incident Triage
    • Security Log Management
    • Vulnerability Management
    • Host Hardening
    • Static Malware Analysis
    • Identity and Access Management
    • Change Management
    • Endpoint Management
    • Business Continuity Management
    • Encryption Management
    • Cloud Security (if applicable)
    • SIEM with Defined Use Cases
    • Big Data Security Analytics
    • Threat Intelligence
    • Network Flow Analysis
    • VPN Anomaly Detection
    • Dynamic Malware Analysis
    • Use-Case Management
    • Feedback and Continuous Improvement Management
    • Visualization and Dashboarding
    • Knowledge Portal Ticket Documentation
    • Advanced Threat Hunting
    • Control and Process Automation
    • eDiscovery and Forensics
    • Risk Management
    ——Security Operations Capabilities—–›

    Understand security operations: Establish a unified threat collaboration environment

    Stock image 1.

    Design and Implement a Vulnerability Management Program

    Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
    • Managing incident escalation and response.
    • Coordinating root-cause analysis and incident gathering.
    • Facilitating post-incident lessons learned.
    • Managing system patching and risk acceptance.
    • Conducting vulnerability assessment and penetration testing.
    • Monitoring in real-time and triaging of events.
    • Escalating events to incident management team.
    • Tuning and tweaking rules and reporting thresholds.
    • Gathering and analyzing external threat data.
    • Liaising with peers, industry, and government.
    • Publishing threat alerts, reports, and briefings.

    Info-Tech Best Practice

    Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.

    Stock image 2.

    Integrate Threat Intelligence Into Your Security Operations

    Stock image 3.

    Develop Foundational Security Operations Processes

    Stock image 4.

    Develop and Implement a Security Incident Management Program

    The threat collaboration environment is comprised of three core elements

    Info-Tech Insight

    The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.

    Three hexes fitting together with the words 'People', 'Process', and 'Technology'. People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
    • Who is responsible for each respective threat collaboration environment function?
    • What are the required operational roles, responsibilities, and competencies for each employee?
    • Are there formalized training procedures to onboard new employees?
    • Is there an established knowledge transfer and management program?
    Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
    • Are there defined runbooks that clearly outline critical operational procedures and guidelines?
    • Is there a defined escalation protocol to transfer knowledge and share threats internally?
    • Is there a defined reporting procedure to share intelligence externally?
    • Are there formal and accessible policies for each respective security operations function?
    • Is there a defined measurement program to report on the performance of security operations?
    • Is there a continuous improvement program in place for all security operations functions?
    • Is there a defined operational vendor management program?
    Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
    • Are the appropriate controls implemented to effectively prevent, detect, analyze, and remediate threats? Is each control documented with an assigned asset owner?
    • Can a solution integrate with existing controls? If so, to what extent?
    • Is there a centralized log aggregation tool such as a SIEM?
    • What is the operational cost to effectively manage each control?
    • Is the control the most up-to-date version? Have the most recent patches and configuration changes been applied? Can it be consolidated with or replaced by another control?

    Conduct a preliminary maturity assessment before tackling this project

    Stock image 1.

    Design and Implement a Vulnerability Management Program

    Sample of Info-Tech's Security Operations Preliminary Maturity Assessment

    At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.

    Stock image 2.

    Integrate Threat Intelligence Into Your Security Operations

    Stock image 3.

    Develop Foundational Security Operations Processes

    Stock image 4.

    Develop and Implement a Security Incident Management Program

    Assess the current maturity of your security operations program

    Prioritize the component most important to the development of your security operations program.

    Screenshot of a table from the Security Operations Preliminary Maturity Assessment presenting the 'Impact Sub-Weightings' of 'People', 'Process', 'Technology', and 'Policy'.
    Screenshot of a table from the Security Operations Preliminary Maturity Assessment assessing the 'Current State' and 'Target State' of different 'Security Capabilities'.
    Each “security capability” covers a component of the overarching “security function.” Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.) Document any/all comments for future Info-Tech analyst discussions.

    Assign each security capability a reflective and desired maturity score.

    Your current and target state maturity will be determined using the capability maturity model integration (CMMI) scale. Ensure that all participants understand the 1-5 scale.
    Two-way vertical arrow colored blue at the top and green at the bottom. Ad Hoc
    1 Arrow pointing right. Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
    2 Arrow pointing right. Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
    3 Arrow pointing right. Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed.
    4 Arrow pointing right. Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
    5 Arrow pointing right. Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.
    Optimized

    Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.

    Ensure that your threat collaboration environment is of a sufficient maturity before progressing

    Example report card from the maturity assessment. Functions are color-coded green, yellow, and red. Review the report cards for each of the respective threat collaboration environment functions.
    • A green function indicates that you have exceeded the operational requirements to proceed with the security operations initiative.
    • A yellow function indicates that your maturity score is below the recommended threshold; Info-Tech advises revisiting the attached blueprint. In the instance of a one-off case, the client can proceed with this security operations initiative.
    • A red function indicates that your maturity score is well below the recommended threshold; Info-Tech strongly advises to not proceed with the security operations initiative. Revisit the recommended blueprint and further mature the specific function.

    Are you ready to move on to the next phase?

    Self-Assessment Questions

    • Have you clearly defined the rationale for refining your security operations program?
    • Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
    • Have you assessed your respective people, process, and technological capabilities?
    • Have you completed the Security Operations Preliminary Maturity Assessment Tool?
    • Were all threat collaboration environment functions of a sufficient maturity level?

    If you answered “yes” to the questions, then you are ready to move on to Phase 2: Develop Maturity Initiatives

    Develop a Security Operations Strategy

    PHASE 2

    Develop Maturity Initiatives

    1

    Assess Operational Requirements

    2

    Develop Maturity Initiatives

    3

    Define Interdependencies

    This step will walk you through the following activities:

    • Establish your goals, obligations, scope, and boundaries.
    • Assess your current state and define a target state.
    • Develop and prioritize gap initiatives.
    • Define cost, effort, alignment, and security benefit of each initiative.
    • Develop a security strategy operational roadmap.

    Outcomes of this step

    • A formalized understanding of your business, customer, and regulatory obligations.
    • A comprehensive current and target state assessment.
    • A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
    • A formally documented set of estimated priority variables (cost, effort, business alignment).
    • A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.

    Info-Tech Insight

    Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives

    Align your security operations program with corporate goals and obligations

    A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.

    Frame the importance of your security operations program to
    align with that of the decision makers’ over-arching strategy.

    Oftentimes resourcing and funding is dependent on the
    alignment of security initiatives to business objectives.

    Corporate goals and objectives can be categorized into three major buckets:
    1. BUSINESS OBLIGATIONS
      The primary goals and functions of the organization at large. Examples include customer retention, growth, innovation, customer experience, etc.
    2. CONSUMER OBLIGATIONS
      The needs and demands of internal and external stakeholders. Examples include ease of use (external), data protection (external), offsite access (internal), etc.
    3. COMPLIANCE OBLIGATIONS
      The requirements of the organization to comply with mandatory and/or voluntary standards. Examples include HIPAA, PIPEDA, ISO 27001, etc.
    *Do not approach the above list with a security mindset – take a business perspective and align your security efforts accordingly.

    Info-Tech Best Practice

    Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!

    Determine your security operations program scope and boundaries

    It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.

    Ask yourself:
    Where does the onus of responsibility stop?

    The organizational scope and boundaries and can be categorized into four major buckets:
    1. PHYSICAL SCOPE
      The physical locations that the security operations program is responsible for. Examples include office locations, remote access, clients/vendors, etc.
    2. IT SYSTEMS
      The network systems that must be protected by the security operations program. Examples include fully owned systems, IaaS, PaaS, remotely hosted SaaS, etc.
    3. ORGANIZATIONAL SCOPE
      The business units, departments, or divisions that will be affected by the security operations program. Examples include user groups, departments, subsidiaries, etc.
    4. DATA SCOPE
      The data types that the business handles and the privacy/criticality level of each. Examples include top secret, confidential, private, public, etc.

    This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset, what will be included and what will be excluded from security considerations.

    Reference Info-Tech’s security strategy: goals, obligations, and scope activities

    Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.

    Download and complete the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.

    GOALS and OBLIGATIONS
    Proceed through each slide and brainstorm the ways that security operations supports business, customer, and compliance needs.

    Goals & Obligations
    Screenshots of slides from the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication.

    PROGRAM SCOPE & BOUNDARIES
    Assess your current organizational environment. Document current IT systems, critical data, physical environments, and departmental divisions.

    If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:

    • What is the message being delivered by the CEO?
    • What are the main themes of investments and projects?
    • What are the senior leaders measured on?
    Program Scope & Boundaries
    Screenshots of slides from the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication.

    INFO-TECH OPPORTUNITY

    For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.

    Complete the Information Security Requirements Gathering Tool

    On tab 1. Goals and Obligations:
    • Document all business, customer, and compliance obligations. Ensure that each item is reflective of the over-arching business strategy and is not security focused.
    • In the second column, identify the corresponding security initiative that supports the obligation.
    Screenshot from tab 1 of Info-Tech's Information Security Requirements Gathering Tool. Columns are 'Business obligations', 'Security obligations to support the business (optional)', and 'Notes'.
    On tab 2. Scope and Boundaries:
    • Record all details for what is in and out of scope from physical, IT, organizational, and data perspectives.
    • Complete the affiliated columns for a comprehensive scope assessment.
    • As a discussion guide, refer to the considerations slides prior to this in phase 1.3.
    Screenshot from tab 2 of Info-Tech's Information Security Requirements Gathering Tool. Title is 'Physical Scope', Columns are 'Environment Name', 'Highest data criticality here', 'Is this in scope of the security strategy?', 'Are we accountable for security here?', and 'Notes'.
    For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.

    Info-Tech Best Practice

    A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.

    Conduct a comprehensive security operations maturity assessment

    The following slides will walk you through the process below.

    Define your current and target state

    Self-assess your current security operations capabilities and determine your intended state.

    Create your gap initiatives

    Determine the operational processes that must be completed in order to achieve the target state.

    Prioritize your initiatives

    Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization

    Build a Gantt chart for your upcoming initiatives
    The final output will be a Gantt to action your prioritized initiatives

    Info-Tech Insight

    Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance delivers value to your organization, each step along the way.

    Optimize your security operations workflow

    Info-Tech consulted various industry experts and consolidated their optimization advice.

    Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.

    Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.

    Automation: There is shortfall in human capital in contrast to the required tools and processes. Automate the more trivial processes.

    SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.

    There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.

    Planning: Narrow the scope of operations to focus on protecting assets of value.

    Cross-train employees throughout different silos. Enable them to wear multiple hats.

    Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.

    Define appropriate use cases and explicitly state threat escalation protocol. Focus on automating the tier-1 analyst role.

    Self-assess your current-state capabilities and determine the appropriate target state

    1. Review:
    The heading in blue is the security domain, light blue is the subdomain and white is the specific control.
    2. Determine and Record:
    Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
    3.
    In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated imitative. You can generate one initiative that may apply to multiple line items.

    Screenshot of a table for assessing the current and target states of capabilities.

    Info-Tech Best Practice

    When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
    Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.

    Consolidate related gap initiatives to simplify and streamline your roadmap

    Identify areas of commonality between gap initiative in order to effectively and efficiently implement your new initiatives.

    Steps:
    1. After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.
    2. Initiatives Consolidated Initiatives
      Document data classification and handling in AUP —› Document data classification and handling in AUP Keep urgent or exceptional initiatives separate so they can be addressed appropriately.
      Document removable media in AUP —› Define and document an Acceptable Use Policy Other similar or related initiatives can be consolidated into one item.
      Document BYOD and mobile devices in AUP —›
      Document company assets in Acceptable Use Policy (AUP) —›

    3. Review grouped initiatives and identify specific initiatives should be broken out and defined separately.
    4. Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.

    Understand your organizational maturity gap

    After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool.

    Automatically built charts and tables provide a clear visualization of your current maturity.

    Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.

    Screenshot of tabs 3 and 4 from Info-Tech's Security Operations Maturity Assessment Tool. Bar charts titled 'Planning and Direction', 'Vulnerability Management', 'Threat Intelligence', and 'Security Maturity Level Gap Analysis'.

    Info-Tech Best Practice

    Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).

    Define cost, effort, alignment, and security benefit

    Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include:
    1. Define initial cost. One-time, upfront capital investments. The low cut-off would be a project that can be approved with little to no oversight. Whereas the high cut-off would be a project that requires a major approval or a formal capital investment request. Initial cost covers items such as appliance cost, installation, project based consulting fees, etc.
    2. Define ongoing cost. This includes any annually recurring operating expenses that are new budgetary costs, e.g. licensing or rental costs. Do not account for FTE employee costs. Generally speaking you can take 20-25% of initial cost as ongoing cost for maintenance and service.
    3. Define initial staffing in hours. This is total time in hours required to complete a project. Note: It is not total elapsed time, but dedicated time. Consider time required to research, document, implement, review, set up, fine tune, etc. Consider all staff hours required (2 staff at 8 hours means 16 hours total).
    4. Define ongoing staffing in hours. This is the ongoing average hours per week required to support that initiative. This covers all operations, maintenance, review, and support for the initiative. Some initiatives will have a week time commitment (e.g. perform a vulnerability scan using our tool once a week) versus others that may have monthly, quarterly, or annual time commitments that need to averaged out per week (e.g. perform annual security review requiring 0.4 hours/week (20 hours total based on 50 working weeks per year).
    Table relating the four definitions on the left, 'Initial Cost', 'Ongoing Cost (annual)', 'Initial Staffing in Hours', and 'Ongoing Staffing in Hours/Week'. Each row header is a definition and has four sub-rows 'High', 'Medium', 'Low', and 'Zero'.

    Info-Tech Best Practice

    When considering these parameters, aim to use already existing resource allocations.

    For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.

    Define cost, effort, alignment, and security benefit

    1. Define Alignment with Business. This variable is meant to capture how well the gap initiative aligns with organizational goals and objectives. For example, something with high alignment usually can be tied to a specific organization initiative and will receive senior management support. You can either:
      • Set low, medium, and high based on levels of support the organization will provide (e.g. High – senior management support, Medium – VP/business unit head support, IT support only)
      • Attribute specific corporate goals or initiatives to the gap initiative (e.g. High – directly supports a customer requirement/key contract requirement; Medium – indirectly support customer requirement/key contract OR enables remote workforce; Low – security best practice).
    2. Define Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. This can be represented through a variety of factors, such as:
      • Reduces compliance or regulatory risk by meeting a control requirement
      • Reduces availability and operational risk
      • Implements a non-existent control
      • Secures high-criticality data
      • Secures at-risk end users
    Table relating the two definitions on the left, 'Alignment with Business', and 'Security Benefit'. Each row header is a definition and has three sub-rows 'High', 'Medium', and 'Low'.

    Info-Tech Best Practice

    Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives.

    Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.

    Info-Tech Insight

    You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.

    Apply your variable criteria to your initiatives

    Identify easy-win tasks and high-value projects worth fighting for.
    Categorize the Initiative
    Select the gap initiative type from the down list. Each category (Must, Should, Could, and Won’t) is considered to be an “execution wave.” There is also a specific order of operations within each wave. Based on dependencies and order of importance, you will execute on some “must-do” items before others.
    Assign Criteria
    For each gap initiative, evaluate it based on your previously defined parameters for each variable.
    • Cost – initial and ongoing
    • Staffing – initial and ongoing
    • Alignment with business
    • Security benefit
    Overall Cost/Effort Rating
    An automatically generated score between 0 and 12. The higher the score attached to the initiative, the more effort required. The must-do, low-scoring items are quick wins and must be prioritized first.
    Screenshot of a table from Info-Tech's Concept of Operations Maturity Assessment Tool with all of the previous table row headers as column headers.

    A financial services organization defined its target security state and created an execution plan

    CASE STUDY
    Industry: Financial Services | Source: Info-Tech Research Group
    Framework Components
    Security Domains & Accompanied Initiatives
    (A portion of completed domains and initiatives)
    CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.
    Current-State Assessment Context & Leadership Compliance, Audit & Review Security Prevention
    Gap Initiatives Created 12
    Initiatives
    14
    Initiatives
    45
    Initiatives
    Gap Initiative Prioritization
    Planned Initiative(s)* Initial Cost Ongoing Cost Initial Staffing Ongoing Staffing
    Document Charter Low - ‹$5K Low - ‹$1K Low - ‹1d Low - ‹2 Hour
    Document RACI Low - ‹$5K Low - ‹$1K Low - ‹1d Low - ‹2 Hour
    Expand IR processes Medium - $5K-$50K Low - ‹$1K High - ›2w Low - ‹2 Hour
    Investigate Threat Intel Low - ‹$5K Low - ‹$1K Medium - 1-10d Low - ‹2 Hour
    CSC’s defined low, medium, and high for cost and staffing are specific to the organization.

    CSC then consolidated its initiatives to create less than 60 concise tasks.

    *Initiatives and variables have been changed or modified to maintain anonymity

    Review your prioritized security roadmap

    Review the final Gantt chart to review the expected start and end dates for your security initiatives as part of your roadmap.

    In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.

    Screenshot of a 'Gantt Chart for Initiatives', a table with planned and actual start times and durations for each initiative, and beside it a roadmap with the dates from the Gantt chart plugged in.
    Review considerations
    • Does this roadmap make sense for our organization?
    • Do we focus too much on one quarter over others?
    • Will the business be going through any significant changes during the upcoming years that will directly impact this project?
    This is a living management document
    • You can use the same process on a per-case basis to decide where this new project falls in the priority list, and then add it to your Gantt chart.
    • As you make progress, check items off of the list, and periodically use this chart to retroactively update your progress towards achieving your overall target state.

    Consult an Info-Tech Analyst

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
    Photo of TJ Minichillo, Senior Director – Security, Risk & Compliance, Info-Tech Research Group. TJ Minichillo
    Senior Director – Security, Risk & Compliance
    Info-Tech Research Group
    Edward Gray, Consulting Analyst – Security, Risk & Compliance, Info-Tech Research Group. Edward Gray
    Consulting Analyst – Security, Risk & Compliance
    Info-Tech Research Group
    Photo of Celine Gravelines, Research Manager – Security, Risk & Compliance, Info-Tech Research Group. Celine Gravelines
    Research Manager – Security, Risk & Compliance
    Info-Tech Research Group
    If you are not communicating, then you are not secure.

    Call 1-888-670-8889 or email workshops@infotech.com for more information.

    Are you ready to move on to the next phase?

    Self-Assessment Questions

    • Have you identified your organization’s corporate goals along with your obligations?
    • Have you defined the scope and boundaries of your security program?
    • Have you determined your organization’s risk tolerance level?
    • Have you considered threat types your organization may face?
    • Are the above answers documented in the Security Requirements Gathering Tool?
    • Have you defined your maturity for both your current and target state?
    • Do you have clearly defined initiatives that would bridge the gap between your current and target state?
    • Are each of the initiatives independent, specific, and relevant to the associated control?
    • Have you indicated any dependencies between your initiatives?
    • Have you consolidated your gap initiatives?
    • Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
    • Have you applied prioritization parameters to each consolidated initiative?
    • Have you recorded your final prioritized roadmap in the Gantt chart tab?
    • Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?

    If you answered “yes” to the questions, then you are ready to move on to Phase 3: Define Operational Interdependencies

    Develop a Security Operations Strategy

    PHASE 3

    Define Operational Interdependencies

    1

    Assess Operational Requirements

    2

    Develop Maturity Initiatives

    3

    Define Interdependencies

    This step will walk you through the following activities:

    • Understand the current security operations process flow.
    • Define the security operations stakeholders and their respective deliverables.
    • Formalize an internal information sharing and collaboration plan.

    Outcomes of this step

    • A formalized security operations interaction agreement.
    • A security operations service and product catalog.
    • A structured operations collection plan.

    Info-Tech Insight

    If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Tie everything together with collaboration

    If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Define Strategic Needs and Requirements Participate in Information Sharing Communicate Clearly
    • Establish a channel to communicate management needs and requirements and define important workflow activities. Focus on operationalizing those components.
    • Establish a feedback loop to ensure your actions satisfied management’s criteria.
    • Consolidate critical security data within a centralized portal that is accessible throughout the threat collaboration environment, reducing the human capital resources required to manage that data.
    • Participate in external information sharing groups such as ISACs. Intelligence collaboration allows organizations to band together to decrease risk and protect one another from threat actors.
    • Disseminate relevant information in clear and succinct alerts, reports, or briefings.
    • Security operations analysts must be able to translate important technical security issues and provide in-depth strategic insights.
    • Define your audience before presenting information; various stakeholders will interpret information differently. You must present it in a format that appeals to their interests.
    • Be transparent in your communications. Holding back information will only serve to alienate groups and hinder critical business decisions.

    Info-Tech Best Practice

    Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.

    Understand the security operations process flow

    Process standardization and automation is critical to the effectiveness of security operations.

    Process flow for security operations with column headers 'Monitoring', 'Preliminary Analysis (Tier 1)', 'Triage', 'Investigation & Analysis (Tier 2)', 'Response', and 'Advanced Threat Detection (Tier 3)'. All processes begin with elements in the 'Monitoring' column and end up at 'Visualization & Dashboarding'.

    Document your security operations’ capabilities and tasks

    Table of capabilities and tasks for security operations.
    Document your security operations’ functional capabilities and operational tasks to satisfy each capability. What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement. Identify the affiliated product, service, or output generated from the task/capability. Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
    Capabilities

    The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.

    Tasks

    The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.

    Download Info-Tech’s Security Operations RACI Chart & Program Plan.

    Convert your results into actionable process flowcharts

    Map each functional task or capability into a visual process-flow diagram.

    • The title should reflect the respective capability and product output.
    • List all involved stakeholders (inputs and threat escalation protocol) along the left side.
    • Ensure all relevant security control inputs are documented within the body of the process-flow diagram.
    • Map out the respective processes in order to achieve the desired outcome.
    • Segment each process within its own icon and tie that back to the respective input.
    Example of a process flow made with sticky notes.

    Title: Output #1 Example of a process flow diagram with columns 'Stakeholders', 'Input Processes', 'Output Processes', and 'Threat Escalation Protocol'. Processes are mapped by which stakeholder and column they fall to.

    Download Info-Tech’s Security Operations RACI Chart & Program Plan.

    Formalize the opportunities for collaboration within your security operations program

    Security Operations Collaboration Plan

    Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.

    How to customize

    The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:

    • Security operations program scope and objectives
    • Operational capabilities and outputs on a per function basis
    • A needs and requirements collection plan
    • Escalation protocol and respective information-sharing guidance (i.e. a detailed cadence schedule)
    • A security operations RACI chart
    Sample of Info-Tech's Security Operations Collaboration Plan.

    Info-Tech Best Practice

    Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.

    Assign responsibilities for the threat management process

    Security Operations RACI Chart & Program Plan

    Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.

    How to customize
    • Customize the header fields with applicable stakeholders.
    • Identify stakeholders that are:
      • Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
      • Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
      • Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
      • Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.
    Sample of Info-Tech's Security Operations Collaboration Plan.

    Download Info-Tech’s Security Operations RACI Chart & Program Plan.

    Identify security operations consumers and their respective needs and requirements

    Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.

    Internal Consumers External Consumers
    • Business Executives & Management (CIO, CISO, COO):
      • Inform business decisions regarding threats and their association with future financial risk, reputational risk, and continuity of operations.
    • Human Resources:
      • Security operations must directly work with HR to enforce tight device controls, develop processes, and set expectations.
    • Legal:
      • Security operations is responsible to notify the legal department of data breaches and the appropriate course of action.
    • Audit and Compliance:
      • Work with the auditing department to define additional audits or controls that must be measured.
    • Public Relations/Marketing Employees:
      • Employees must be educated on prevalent threats and how to avoid or mitigate them.

    Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.

    • Third-Party Contractors:
      • Identify relevant threats across industries – security operations is responsible for protecting more than just itself.
    • Commercial Vendors:
      • Identify commercial vendors of control failures and opportunities for operational improvement.
    • Suppliers:
      • Provide or maintain a certain level of security delivery.
      • Meet the same level of security that is expected of business units.
    • All End Users:
      • Be notified of any data breaches and potential violations of privacy.

    Info-Tech Best Practice

    “In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)

    Define the stakeholders, their respective outputs, and the underlying need

    Security Operations Program Service & Product Catalog

    Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.

    Action/Output Arrow pointing right. Frequency Arrow pointing right. Stakeholders/Function
    Document the key services and outputs produced by the security operations program. For example:
    • Real-time monitoring
    • Event analysis and incident coordination
    • Malware analysis
    • External information sharing
    • Published alerts, reports, and briefings
    • Metrics
    Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment. Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs.
    • Vulnerability Management
    • Threat Intelligence
    • Tier 1, 2, and 3 Analysts
    • Incident Response
    • MSSP
    • Network Operations
    Remember to include any target-state outputs or services identified in the maturity assessment. Use this exercise as an opportunity to organize your security operations outputs and services.

    Info-Tech Best Practice

    Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

    Internal information sharing helps to focus operational efforts

    Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).

    Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:

    • Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
    • Operational Users — Operational users integrate information and indicators directly into their daily operations and as a result have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a bigger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, IDPS systems, and other gateway products, identify patches, reduce the number of incidents, etc.
    Collaboration includes the exchange of:
    • Contextualized threat indicators, threat actors, TTPs, and campaigns.
    • Attribution of the attack, motives of the attacker, victim profiles, and frequent exploits.
    • Defensive and mitigation strategies.
    • Best-practice incident response procedures.
    • Technical tools to help normalize threat intelligence formats or decode malicious network traffic.
    Collaboration can be achieved through:
    • Manual unstructured exchanges such as alerts, reports, briefings, knowledge portals, or emails.
    • Automated centralized platforms that allow users to privately upload, aggregate, and vet threat intelligence. Current players include commercial, government, and open-source information-sharing and analysis centers.
    Isolation prevents businesses from learning from each others’ mistakes and/or successes.

    Define the routine of your security operations program in a detailed cadence schedule

    Security Operations Program Cadence Schedule Template

    Design your meetings around your security operations program’s outputs and capabilities

    How to customize

    Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:

    • Activity, output, or topic being discussed.
    • Participants and stakeholders involved.
    • Value and purpose of meeting.
    • Duration and frequency of each meeting.
    • Investment per participant per meeting.
    Sample of Info-Tech's Security Operations Program Cadence Schedule Template.

    Info-Tech Best Practice

    Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

    Apply a strategic lens to your security operations program

    Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.

    Strategies
    1. Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
    2. Quantify the ROI for the given project.
    3. Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
    4. Communicate the implications, value, and benefits of a security operations program.
    5. Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
    6. Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.

    Defensive Strategy diagram with columns 'Adversaries', 'Defenses', 'Assets', and priority level.
    (Source: iSIGHT, “ Definitive Guide to Threat Intelligence”)

    Info-Tech Best Practice

    Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.

    Example: Align your strategic needs with that of management.

    Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.

    Develop a comprehensive measurement program to evaluate the effectiveness of your security operations

    There are three types of metrics pertaining to security operations:

    1) Operations-focused

    Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them.

    Examples include, but are not limited to:

    • Ticketing metrics (e.g. average ticket resolution rate, ticketing status, number of tickets per queue/analyst).
    • False positive percentage per control.
    • Incident response metrics (e.g. mean time to recovery).
    • CVSS scores per vulnerability.

    2) Business-focused

    The evaluation of operational success from a business perspective.

    Example metrics include:

    • Return on investment.
    • Total cost of ownership (can be segregated by function: prevent, detect, analyze, and respond).
    • Saved costs from mitigated breaches.
    • Security operations budget as a percentage of the IT budget.

    3) Initiative-focused

    The measurement of security operations project progress. These are frequently represented as time, resource, or cost-based metrics.

    Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.

    Info-Tech Best Practice

    Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.

    Download Info-Tech’s Security Operations Metrics Summary Document.Sample of Info-Tech's Security Operations Metrics Summary Document.

    Identify the triggers for continual improvement

    Continual Improvement

    • Audits: Check for performance requirements in order to pass major audits.
    • Assessments: Variances in efficiency or effectiveness of metrics when compared to the industry standard.
    • Process maturity: Opportunity to increase efficiency of services and processes.
    • Management reviews: Routine reviews that reveal gaps.
    • Technology advances: For example, new security architecture/controls have been released.
    • Regulations: Compliance to new or changed regulations.
    • New staff or technology: Disruptive technology or new skills that allow for improvement.

    Conduct tabletop exercises with Info-Tech’s onsite workshop

    Assess your security operations capabilities

    Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures.

    How to customize
    • Use the templates to document actions and actors.
    • For each new injection, spend three minutes discussing the response as a group. Then spend two minutes documenting each role’s contribution to the response. After the time limit, proceed to the following injection scenario.
    • Review the responses only after completing the entire exercise.
    Sample of Info-Tech's Security Operations Tabletop Exercise.

    This tabletop exercise is available through an onsite workshop as we can help establish and design a tabletop capability for your organization.

    Are you ready to implement your security operations program?

    Self-Assessment Questions

    • Is there a formalized security operations collaboration plan?
    • Are all key stakeholders documented and acknowledged?
    • Have you defined your strategic needs and requirements in a formalized collection plan?
    • Is there an established channel for management to communicate needs and requirements to the security operation leaders?
    • Are all program outputs documented and communicated?
    • Is there an accessible, centralized portal or dashboard that actively aggregates and communicates key information?
    • Is there a formalized threat escalation protocol in order to facilitate both internal and external information sharing?
    • Does your organization actively participate in external information sharing through the use of ISACs?
    • Does your organization actively produce reports, alerts, products, etc. that feed into and influence the output of other functions’ operations?
    • Have you assigned program responsibilities in a detailed RACI chart?
    • Is there a structured cadence schedule for key stakeholders to actively communicate and share information?
    • Have you developed a structured measurement program on a per function basis?
    • Now that you have constructed your ideal security operations program strategy, revisit the question “Are you answering all of your objectives?”

    If you answered “yes” to the questions, then you are ready to implement your security operations program.

    Summary

    Insights

    1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
    2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives
    3. If you are not communicating, then you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

    Best Practices

    • Have a structured plan of attack. Define your unique threat landscape, as well as business, regulatory, and consumer obligations.
    • Foster both internal and external collaboration.
    • Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
    • Do not bite off more than you can chew. Identify current people, processes, and technologies that satisfy immediate problems and enable future expansion.
    • Leverage threat intelligence to create a predictive and proactive security operations analysis process.
    • Formalize escalation procedures with logic and incident management flow.
    • Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
    • Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
    • Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment
    Protect your organization with an interdependent and collaborative security operations program.

    Bibliography

    “2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.

    Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.

    Anderson, Brandie. “ Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.

    Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.

    Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.

    Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.

    “Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.

    “Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.

    “Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.

    Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.

    “Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.

    “CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.

    “Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.

    “Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.

    “Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.

    Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.

    “Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.

    EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.

    Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.

    “Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.

    Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.

    Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.

    “How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.

    Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.

    “Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.

    “Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

    “Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.

    Joshi Follow , Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.

    Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.

    Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.

    Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. ”Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.

    Kindervag , John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.

    Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.

    Lambert, P. “ Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.

    Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.

    Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.

    Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.

    Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.

    Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.

    “Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.

    Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.

    Marchany, R. “ Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.

    Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.

    Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.

    Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.

    Muniz, Joseph and Gary McIntyre. “ Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.

    Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.

    Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.

    National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.

    National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.

    National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.

    F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.

    “Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.

    “Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.

    Paganini, Pierluigi. “What Is a SOC ( Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.

    Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.

    Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.

    Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.

    Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.

    Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.

    Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.

    Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.

    Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.

    Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.

    Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.

    SANS Institute. “Incident Handler's Handbook.” 2011. Web.

    Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.

    Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.

    “Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.

    “Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.

    “Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.

    “Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.

    Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.

    Soto, Carlos. “ Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.

    “Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.

    “Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.

    “Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

    “Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.

    “The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.

    “The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.

    Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.

    Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.

    Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.

    Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.

    Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.

    Set a Strategic Course of Action for the PMO in 100 Days

    • Buy Link or Shortcode: {j2store}356|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $13,744 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Project Management Office
    • Parent Category Link: /project-management-office
    • As a new PMO director, you’ve been thrown into the middle of an unfamiliar organizational structure and a chaotic project environment.
    • The expectations are that the PMO will help improve project outcomes, but beyond that your mandate as PMO director is opaque.
    • You know that the statistics around PMO longevity aren’t good, with 50% of new PMOs closing within the first three years. As early in your tenure as possible, you need to make sure that your stakeholders understand the value that your role could provide to the organization with the right level of buy-in and support.
    • Whether you’re implementing a new PMO or taking over an already existing one, you need to quickly overcome these challenges by rapidly assessing your unfamiliar tactical environment, while at the same time demonstrating confidence and effective leadership to project staff, business stakeholders, and the executive layer.

    Our Advice

    Critical Insight

    • The first 100 days are critical. You have a window of influence where people are open to sharing insights and opinions because you were wise enough to seek them out. If you don’t reach out soon, people notice and assume you’re not wise enough to seek them out, or that you don’t think they are important enough to involve.
    • PMOs most commonly stumble when they shortsightedly provide project management solutions to what are, in fact, more complex, systemic challenges requiring a mix of project management, portfolio management, and organizational change management capabilities. If you fail to accurately diagnose pain points and needs in your first days, you could waste your tenure as PMO leader providing well-intentioned solutions to the wrong project problems.
    • You have diminishing value on your time before skepticism and doubt start to erode your influence. Use your first 100 days to define an appropriate mandate for your PMO, get the right people behind you, and establish buy-in for long-term PMO success.

    Impact and Result

    • Develop an action plan to help leverage your first 100 days on the job. Hit the ground running in your new role with an action plan to achieve realistic goals and milestones in your first 100 days. A results-driven first three months will help establish roots throughout the organization that will continue to feed and grow the PMO beyond your first year.
    • Get to know what you don’t know quickly. Use Info-Tech’s advice and tools to perform a triage of every aspect of PMO accountability as well as harvest stakeholder input to ensure that your PMO meets or exceeds expectations and establishes the right solutions to the organization’s project challenges.
    • Solidify the PMO’s long-term mission. Adopt our stakeholder engagement best practices to ensure that you knock on the right doors early in your tenure. Not only do you need to clarify expectations, but you will ultimately need buy-in from key stakeholders as you move to align the mandate, authority, and resourcing needed for long-term PMO success.

    Set a Strategic Course of Action for the PMO in 100 Days Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how capitalizing on your first 100 days as PMO leader can help ensure the long-term success of your PMO.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Survey the project landscape

    Get up-to-speed quickly on key PMO considerations by engaging PMO sponsors, assessing stakeholders, and taking stock of your PMO inventory.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 1: Survey the Project Landscape
    • Mission Identification and Inventory Tool
    • PMO Director First 100 Days Timeline - MS Project
    • PMO Director First 100 Days Timeline - MS Excel

    2. Gather PMO requirements

    Make your first major initiative as PMO director be engaging the wider pool of PMO stakeholders throughout the organization to determine their expectations for your office.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 2: Gather PMO Requirements
    • PMO Requirements Gathering Tool
    • PMO Course of Action Stakeholder Interview Guide

    3. Solidify your PPM goals

    Review the organization’s current PPM capabilities in order to identify your ability to meet stakeholder expectations and define a sustainable mandate.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 3: Solidify Your PPM Goals
    • Project Portfolio Management Maturity Assessment Workbook
    • Project Management Maturity Assessment Workbook
    • Organizational Change Management Maturity Assessment Workbook
    • PMO Strategic Expectations Glossary

    4. Formalize the PMO’s mandate

    Communicate your strategic vision for the PMO and garner stakeholder buy-in.

    • Set a Strategic Course of Action for the PMO in 100 Days – Phase 4: Formalize the PMO's Mandate
    • PMO Mandate and Strategy Roadmap Template
    • PMO Director Peer Feedback Evaluation Template
    • PMO Director First 100 Days Self-Assessment Tool
    [infographic]

    Workshop: Set a Strategic Course of Action for the PMO in 100 Days

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Current Project Ecosystem

    The Purpose

    Quickly develop an on-the-ground view of the organization’s project ecosystem and the PMO’s abilities to effectively serve.

    Key Benefits Achieved

    A comprehensive and actionable understanding of the PMO’s tactical environment

    Activities

    1.1 Perform a PMO SWOT analysis.

    1.2 Assess the organization’s portfolio management, project management, and organizational change management capability levels.

    1.3 Take inventory of the PMO’s resourcing levels, project demand levels, and tools and artifacts.

    Outputs

    Overview of current strengths, weaknesses, opportunities, and threats

    Documentation of your current process maturity to execute key portfolio management, project management, and organizational change management functions

    Stock of the PMO’s current access to PPM personnel relative to total project demand

    2 Analyze PMO Stakeholders

    The Purpose

    Determine stakeholder expectations for the PMO.

    Key Benefits Achieved

    An accurate understanding of others’ expectations to help ensure the PMO’s course of action is responsive to organizational culture and strategy

    Activities

    2.1 Conduct a PMO Mission Identification Survey with key stakeholders.

    2.2 Map the PMO’s stakeholder network.

    2.3 Analyze key stakeholders for influence, interest, and support.

    Outputs

    An understanding of expected PMO outcomes

    A stakeholder map and list of key stakeholders

    A prioritized PMO requirements gathering elicitation plan

    3 Determine Strategic Expectations and Define the Tactical Plan

    The Purpose

    Develop a process and method to turn stakeholder requirements into a strategic vision for the PMO.

    Key Benefits Achieved

    A strategic course of action for the PMO that is responsive to stakeholders’ expectations.

    Activities

    3.1 Assess the PMO’s ability to support stakeholder expectations.

    3.2 Use Info-Tech’s PMO Strategic Expectations glossary to turn raw process and service requirements into specific strategic expectations.

    3.3 Define an actionable tactical plan for each of the strategic expectations in your mandate.

    Outputs

    An understanding of PMO capacity and limits

    A preliminary PMO mandate

    High-level statements of strategy to help support your mandate

    4 Formalize the PMO’s Mandate and Roadmap

    The Purpose

    Establish a final PMO mandate and a process to help garner stakeholder buy-in to the PMO’s long-term vision.

    Key Benefits Achieved

    A viable PMO course of action complete with stakeholder buy-i

    Activities

    4.1 Finalize the PMO implementation timeline.

    4.2 Finalize Info-Tech’s PMO Mandate and Strategy Roadmap Template.

    4.3 Present the PMO’s strategy to key stakeholders.

    Outputs

    A 3-to-5-year implementation timeline for key PMO process and staffing initiatives

    A ready-to-present strategy document

    Stakeholder buy-in to the PMO’s mandate

    Deliver Digital Products at Scale

    • Buy Link or Shortcode: {j2store}156|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $86,499 Average $ Saved
    • member rating average days saved: 53 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Products are the lifeblood of an organization. They provide the capabilities the business needs to deliver value to both internal and external customers and stakeholders.
    • Product organizations are expected to continually deliver evolving value to the overall organization as they grow.
    • You need to clearly convey the direction and strategy of a broad product portfolio to gain alignment, support, and funding from your organization.

    Our Advice

    Critical Insight

    • Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that improve end-user value and enterprise alignment.
    • Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.
    • Recognize that each product owner represents one of three primary perspectives: business, technical, and operational. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.
    • The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.
    • Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.
    • Although products can be delivered with any software development lifecycle, methodology, delivery team structure, or organizational design, high-performing product teams optimize their structure to fit the needs of product and product family delivery.

    Impact and Result

    • Understand the importance of product families for scaling product delivery.
    • Define products in your context and organize products into operational families.
    • Use product family roadmaps to align product roadmaps to enterprise goals and priorities.
    • Evaluate the different approaches to improve your product family delivery pipelines and milestones.

    Deliver Digital Products at Scale Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should define enterprise product families to scale your product delivery capability, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Become a product-centric organization

    Define products in your organization’s context and explore product families as a way to organize products at scale.

    • Deliver Digital Products at Scale – Phase 1: Become a Product-Centric Organization
    • Deliver Digital Products at Scale Workbook
    • Digital Product Family Strategy Playbook

    2. Organize products into product families

    Identify an approach to group the inventory of products into one or more product families.

    • Deliver Digital Products at Scale – Phase 2: Organize Products Into Product Families

    3. Ensure alignment between products and families

    Confirm alignment between your products and product families via the product family roadmap and a shared definition of delivered value.

    • Deliver Digital Products at Scale – Phase 3: Ensure Alignment Between Products and Families

    4. Bridge the gap between product families and delivery

    Agree on a delivery approach that best aligns with your product families.

    • Deliver Digital Products at Scale – Phase 4: Bridge the Gap Between Product Families and Delivery
    • Deliver Digital Products at Scale Readiness Assessment

    5. Build your transformation roadmap and communication plan

    Define your communication plan and transformation roadmap for transitioning to delivering products at the scale of your organization.

    • Deliver Digital Products at Scale – Phase 5: Transformation Roadmap and Communication

    Infographic

    Workshop: Deliver Digital Products at Scale

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Become a Product-Centric Organization

    The Purpose

    Define products in your organization’s context and explore product families as a way to organize products at scale.

    Key Benefits Achieved

    An understanding of the case for product practices

    A concise definition of products and product families

    Activities

    1.1 Understand your organizational factors driving product-centric delivery.

    1.2 Establish your organization’s product inventory.

    1.3 Determine your approach to scale product families.

    Outputs

    Organizational drivers and goals for a product-centric delivery

    Definition of product

    Product scaling principles

    Scaling approach and direction

    Pilot list of products to scale

    2 Organize Products Into Product Families

    The Purpose

    Identify a suitable approach to group the inventory of products into one or more product families.

    Key Benefits Achieved

    A scaling approach for products that fits your organization

    Activities

    2.1 Define your product families.

    Outputs

    Product family mapping

    Enabling applications

    Dependent applications

    Product family canvas

    3 Ensure Alignment Between Products and Families

    The Purpose

    Confirm alignment between your products and product families via the product family roadmap and a shared definition of delivered value.

    Key Benefits Achieved

    Recognition of the product family roadmap and a shared definition of value as key concepts to maintain alignment between your products and product families

    Activities

    3.1 Leverage product family roadmaps.

    3.2 Use stakeholder management to improve roadmap communication.

    3.3 Configure your product family roadmaps.

    3.4 Confirm product family to product alignment.

    Outputs

    Current approach for communication of product family strategy

    List of product family stakeholders and a prioritization plan for communication

    Defined key pieces of a product family roadmap

    An approach to confirming alignment between products and product families through a shared definition of business value

    4 Bridge the Gap Between Product Families and Delivery

    The Purpose

    Agree on the delivery approach that best aligns with your product families.

    Key Benefits Achieved

    An understanding of the team configuration and operating model required to deliver value through your product families

    Activities

    4.1 Assess your organization’s delivery readiness.

    4.2 Understand your delivery options.

    4.3 Determine your operating model.

    4.4 Identify how to fund product delivery.

    4.5 Learn how to introduce your digital product family strategy.

    4.6 Communicate changes on updates to your strategy.

    4.7 Determine your next steps.

    Outputs

    Assessment results on your organization’s delivery maturity

    A preferred approach to structuring product delivery

    Your preferred operating model for delivering product families

    Understanding of your preferred approach for product family funding

    Product family transformation roadmap

    Your plan for communicating your roadmap

    List of actionable next steps to start on your journey

    5 Advisory: Next Steps and Wrap-Up (offsite)

    The Purpose

    Implement your communication plan and transformation roadmap for transitioning to delivering products at the scale of your organization.

    Key Benefits Achieved

    New product family organization and supporting product delivery approach

    Activities

    5.1 Execute communication plan and product family changes.

    5.2 Review the pilot family implementation and update the transformation roadmap.

    5.3 Begin advisory calls for related blueprints.

    Outputs

    Organizational communication of product families and product family roadmaps

    Product family implementation and updated transformation roadmap

    Support for product owners, backlog and roadmap management, and other topics

    Further reading

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    Analyst Perspective

    Product families align enterprise goals to product changes and value realization.

    A picture of Info-Tech analyst Banu Raghuraman. A picture of Info-Tech analyst Ari Glaizel. A picture of Info-Tech analyst Hans Eckman

    Our world is changing faster than ever, and the need for business agility continues to grow. Organizations are shifting from long-term project delivery to smaller, iterative product delivery models to be able to embrace change and respond to challenges and opportunities faster.

    Unfortunately, many organizations focus on product delivery at the tactical level. Product teams may be individually successful, but how well are their changes aligned to division and enterprise goals and priorities?

    Grouping products into operationally aligned families is key to delivering the right value to the right stakeholders at the right time.

    Product families translate enterprise goals, constraints, and priorities down to the individual product level so product owners can make better decisions and more effectively manage their roadmaps and backlogs. By scaling products into families and using product family roadmaps to align product roadmaps, product owners can deliver the capabilities that allow organizations to reach their goals.

    In this blueprint, we’ll provide the tools and guidance to help you define what “product” means to your organization, use scaling patterns to build product families, align product and product family roadmaps, and identify impacts to your delivery and organizational design models.

    Banu Raghuraman, Ari Glaizel, and Hans Eckman

    Applications Practice

    Info-Tech Research Group

    Deliver Digital Products at Scale

    Deliver value at the scale of your organization through defining enterprise product families.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    • Products are the lifeblood of an organization. They deliver the capabilities needed to deliver value to customers, internal users, and stakeholders.
    • The shift to becoming a product organization is intended to continually increase the value you provide to the broader organization as you grow and evolve.
    • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.

    Common Obstacles

    • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This conflicts with product delivery, which continuously delivers value over the lifetime of a product.
    • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.
    • Product owners struggle to prioritize changes to deliver product value. This creates a gap and conflict between product and enterprise goals.

    Info-Tech’s Approach

    Info-Tech’s approach will guide you through:

    • Understanding the importance of product families in scaling product delivery.
    • Defining products in your context and organizing products into operational families.
    • Using product family roadmaps to align product roadmaps to enterprise goals and priorities.
    • Evaluating the different approaches to improve your product family delivery pipelines and milestones.

    Info-Tech Insight

    Changes can only be made at the individual product or service level. To achieve enterprise goals and priorities, organizations needed to organize and scale products into operational families. This structure allows product managers to translate goals and constraints to the product level and allows product owners to deliver changes that support enabling capabilities. In this blueprint, we’ll help you define your products, scale them using the best patterns, and align your roadmaps and delivery models to improve throughput and value delivery.

    Info-Tech’s approach

    Operationally align product delivery to enterprise goals

    A flowchart is shown on how to operationally align product delivery to enterprise goals.

    The Info-Tech difference:

    1. Start by piloting product families to determine which approaches work best for your organization.
    2. Create a common definition of what a product is and identify products in your inventory.
    3. Use scaling patterns to build operationally aligned product families.
    4. Develop a roadmap strategy to align families and products to enterprise goals and priorities.
    5. Use products and families to evaluate delivery and organizational design improvements.

    Deliver Digital Products at Scale via Enterprise Product Families

    An infographic on the Enterprise Product Families is shown.

    Product does not mean the same thing to everyone

    Do not expect a universal definition of products.

    Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.

    “A product [is] something (physical or not) that is created through a process and that provides benefits to a market.”

    - Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance

    “A product is something ... that is created and then made available to customers, usually with a distinct name or order number.”

    - TechTarget

    “A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.”

    - Mark Curphey

    Organizations need a common understanding of what a product is and how it pertains to the business. This understanding needs to be accepted across the organization.

    “There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.”

    – Chad Beier, "How Do You Define a Product?” Scrum.org

    What is a product?

    “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”

    Info-Tech Insight

    A proper definition of product recognizes three key facts:

    1. Products are long-term endeavors that don’t end after the project finishes.
    2. Products are not just “apps” but can be software or services that drive the delivery of value.
    3. There is more than one stakeholder group that derives value from the product or service.

    Products and services share the same foundation and best practices

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. Product is used for consistency but would apply to services as well.

    Product = Service

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Recognize the different product owner perspectives

    Business:

    • Customer facing, revenue generating

    Technical:

    • IT systems and tools

    Operations:

    • Keep the lights on processes

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Info-Tech Insight

    Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.

    “A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”

    – Robbin Schuurman, “Tips for Starting Product Owners”

    Identify the differences between a project-centric and a product-centric organization

    Project

    Product

    Fund projects

    Funding

    Fund products or teams

    Line of business sponsor

    Prioritization

    Product owner

    Makes specific changes to a product

    Product management

    Improve product maturity and support

    Assign people to work

    Work allocation

    Assign work to product teams

    Project manager manages

    Capacity management

    Team manages capacity

    Info-Tech Insight

    Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

    Projects can be a mechanism for delivering product changes and improvements

    A flowchart is shown to demonstrate the difference between project lifecycle, hybrid lifecycle and product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply. The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release. Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    An image is shown to demonstrate the relationship between the product backlog and the product roadmap.

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    An example of a product roadmap is shown to demonstrate how it is the core to value realization.

    Adapted from: Pichler, "What Is Product Management?""

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    Use Agile DevOps principles to expedite product-centric delivery and management

    Delivering products does not necessarily require an Agile DevOps mindset. However, Agile methods facilitate the journey because product thinking is baked into them.

    A flowchart is shown to demonstrate the product deliery maturity and the Agile DevOps used.
    Based on: Ambysoft, 2018

    Organizations start with Waterfall to improve the predictable delivery of product features.

    Iterative development shifts the focus from delivery of features to delivery of user value.

    Agile further shifts delivery to consider ROI. Often, the highest-value backlog items aren’t the ones with the highest ROI.

    Lean and DevOps improve your delivery pipeline by providing full integration between product owners, development teams, and operations.

    CI/CD reduces time in process by allowing release on demand and simplifying release and support activities.

    Although teams will adopt parts of all these stages during their journey, it isn’t until you’ve adopted a fully integrated delivery chain that you’ve become product centric.

    Scale products into related families to improve value delivery and alignment

    Defining product families builds a network of related products into coordinated value delivery streams.

    A flowchart is shown to demonstrate the relations between product family and the delivery streams.

    “As with basic product management, scaling an organization is all about articulating the vision and communicating it effectively. Using a well-defined framework helps you align the growth of your organization with that of the company. In fact, how the product organization is structured is very helpful in driving the vision of what you as a product company are going to do.”

    – Rich Mironov, Mironov Consulting

    Product families translate enterprise goals into value-enabling capabilities

    A flowchart is shown to demonstrate the relationship between enterprise strategy and enabling capabilities.

    Info-Tech Insight

    Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.

    Arrange product families by operational groups, not solely by your org chart

    A flowchart is shown to demonstrate how to arrange product families by operational groups.

    1. To align product changes with enterprise goals and priorities, you need to organize your products into operational groups based on the capabilities or business functions the product and family support.

    2. Product managers translate these goals, priorities, and constraints into their product families, so they are actionable at the next level, whether that level is another product family or products implementing enhancements to meet these goals.

    3. The product family manager ensures that the product changes enhance the capabilities that allow you to realize your product family, division, and enterprise goals.

    4. Enabling capabilities realize value and help reach your goals, which then drives your next set of enterprise goals and strategy.

    Approach alignment from both directions, validating by the opposite way

    Defining your product families is not a one-way street. Often, we start from either the top or the bottom depending on our scaling principles. We use multiple patterns to find the best arrangement and grouping of our products and families.

    It may be helpful to work partway, then approach your scaling from the opposite direction, meeting in the middle. This way you are taking advantage of the strengths in both approaches.

    Once you have your proposed structure, validate the grouping by applying the principles from the opposite direction to ensure each product and family is in the best starting group.

    As the needs of your organization change, you may need to realign your product families into your new business architecture and operational structure.

    A top-down alignment example is shown.

    When to use: You have a business architecture defined or clear market/functional grouping of value streams.

    A bottom-up alignment example is shown.

    When to use: You are starting from an Application Portfolio Management application inventory to build or validate application families.

    Leverage patterns for scaling products

    Organizing your products and families is easier when leveraging these grouping patterns. Each is explained in greater detail on the following slides

    Value Stream Alignment

    Enterprise Applications

    Shared Services

    Technical

    Organizational Alignment

    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products
    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > ModulesSupporting: Job board, healthcare administrator
    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools
    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network
    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure no longer needed because the management team owns product management role

    Leverage the product family roadmap for alignment

    It’s more than a set of colorful boxes. It’s the map to align everyone to where you are going.

    Your product family roadmap

      ✓ Lays out a strategy for your product family.

      ✓ Is a statement of intent for your family of products.

      ✓ Communicates direction for the entire product family and product teams.

      ✓ Directly connects to the organization’s goals.

    However, it is not:

      x Representative of a hard commitment.

      x A simple combination of your current product roadmaps.

    Before connecting your family roadmap to products, think about what each roadmap typically presents

    An example of a product family roadmap is shown and how it can be connected to the products.

    Info-Tech Insight

    Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.

    Product family roadmaps are more strategic by nature

    While individual product roadmaps can be different levels of tactical or strategic depending on a variety of market factors, your options are more limited when defining roadmaps for product families.

    Product

    TACTICAL

    A roadmap that is technical, committed, and detailed.

    Product Family

    STRATEGIC

    A roadmap that is strategic, goal based, high level, and flexible.

    Info-Tech Insight

    Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.

    Consider volatility when structuring product family roadmaps

    A roadmap is shown without any changes.

    There is no such thing as a roadmap that never changes.

    Your product family roadmap represents a broad statement of intent and high-level tactics to get closer to the organization’s goals.

    A roadmap is shown with changes.

    All good product family roadmaps embrace change!

    Your strategic intentions are subject to volatility, especially those planned further in the future. The more costs you incur in planning, the more you leave yourself exposed to inefficiency and waste if those plans change.

    Info-Tech Insight

    A good product family roadmap is intended to manage and communicate the inevitable changes as a result of market volatility and changes in strategy.

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    PRODUCT STRATEGY

    What are the artifacts?

    What are you saying?

    Defined at the family level?

    Defined at the product level?

    Vision

    I want to...

    Strategic focus

    Delivery focus

    Goals

    To get there we need to...

    Roadmap

    To achieve our goals, we’ll deliver...

    Backlog

    The work will be done in this order...

    Release Plan

    We will deliver in the following ways...

    Typical elements of a product family roadmap

    While there are others, these represent what will commonly appear across most family-based roadmaps.

    An example is shown to highlight the typical elements of a product family roadmap.

    GROUP/CATEGORY: Groups are collections of artifacts. In a product family context, these are usually product family goals, value streams, or products.

    ARTIFACT: An artifact is one of many kinds of tangible by-products produced during the delivery of products. For a product family, the artifacts represented are capabilities or value streams.

    MILESTONE: Points in the timeline when established sets of artifacts are complete. This is a critical tool in the alignment of products in a given family.

    TIME HORIZON: Separated periods within the projected timeline covered by the roadmap.

    Connecting your product family roadmaps to product roadmaps

    Your product and product family roadmaps should be connected at an artifact level that is common between both. Typically, this is done with capabilities, but it can be done at a more granular level if an understanding of capabilities isn’t available.

    An example is shown on how the product family roadmpas can be connected to the product roadmaps.

    Multiple roadmap views can communicate differently, yet tell the same truth

    Audience

    Business/ IT Leaders

    Users/Customers

    Delivery Teams

    Roadmap View

    Portfolio

    Product Family

    Technology

    Objectives

    To provide a snapshot of the portfolio and priority products

    To visualize and validate product strategy

    To coordinate broad technology and architecture decisions

    Artifacts

    Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level.

    Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize those goals.

    Artifacts are grouped by the teams who deliver that work and consist of technical capabilities that support the broader delivery of value for the product family.

    Your communication objectives are linked to your audience; ensure you know your audience and speak their language

    I want to...

    I need to talk to...

    Because they are focused on...

    ALIGN PRODUCT TEAMS

    Get my delivery teams on the same page.

    Architects

    Products Owners

    PRODUCTS

    A product that delivers value against a common set of goals and objectives.

    SHOWCASE CHANGES

    Inform users and customers of product strategy.

    Bus. Process Owners

    End Users

    FUNCTIONALITY

    A group of functionality that business customers see as a single unit.

    ARTICULATE RESOURCE REQUIREMENTS

    Inform the business of product development requirements.

    IT Management

    Business Stakeholders

    FUNDING

    An initiative that those with the money see as a single budget.

    Assess the impacts of product-centric delivery on your teams and org design

    Product delivery can exist within any org structure or delivery model. However, when making the shift toward product management, consider optimizing your org design and product team structure to match your capacity and throughput needs.

    A flowchart is shown to see how the impacts of product-centric delivery can impact team and org designs.

    Determine which delivery team structure best fits your product pipeline

    Four delivery team structures are shown. The four are: functional roles, shared service and resource pools, product or system, and skills and competencies.

    Weigh the pros and cons of IT operating models to find the best fit

    There are many different operating models. LoB/Product Aligned and Hybrid Functional align themselves most closely with how products and product families are typically delivered.

    1. LoB/Product Aligned – Decentralized Model: Line of Business, Geographically, Product, or Functionally Aligned
    2. A decentralized IT operating model that embeds specific functions within LoBs/product teams and provides cross-organizational support for their initiatives.

    3. Hybrid Functional: Functional/Product Aligned
    4. A best-of-both-worlds model that balances the benefits of centralized and decentralized approaches to achieve both customer responsiveness and economies of scale.

    5. Hybrid Service Model: Product-Aligned Operating Model
    6. A model that supports what is commonly referred to as a matrix organization, organizing by highly related service categories and introducing the role of the service owner.

    7. Centralized: Plan-Build-Run
    8. A highly typical IT operating model that focuses on centralized strategic control and oversight in delivering cost-optimized and effective solutions.

    9. Centralized: Demand-Develop-Service
    10. A centralized IT operating model that lends well to more mature operating environments. Aimed at leveraging economies of scale in an end-to-end services delivery model.

    Consider how investment spending will differ in a product environment

    Reward for delivering outcomes, not features

    Autonomy

    Flexibility

    Accountability

    Fund what delivers value

    Allocate iteratively

    Measure and adjust

    Fund long-lived delivery of value through products (not projects).

    Give autonomy to the team to decide exactly what to build.

    Allocate to a pool based on higher-level business case.

    Provide funds in smaller amounts to different product teams and initiatives based on need.

    Product teams define metrics that contribute to given outcomes.

    Track progress and allocate more (or less) funds as appropriate.

    Adapted from Bain, 2019

    Info-Tech Insight

    Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.

    Why is having a common value measure important?

    CIO-CEO Alignment Diagnostic

    A stacked bar graph is shown to demonstrate CIO-CEO Alignment Diagnostic. A bar titled: Business Value Metrics is highlighted. 51% had some improvement necessary and 32% had significant improvement necessary.

    Over 700 Info-Tech members have implemented the Balanced Value Measurement Framework.

    “The cynic knows the price of everything and the value of nothing.”

    – Oscar Wilde

    “Price is what you pay. Value is what you get.”

    – Warren Buffett

    Understanding where you derive value is critical to building solid roadmaps.

    Measure delivery and success

    Metrics and measurements are powerful tools to drive behavior change and decision making in your organization. However, metrics are highly prone to creating unexpected outcomes, so use them with great care. Use metrics judiciously to uncover insights but avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.

    Build good practices in your selection and use of metrics:

    • Choose the metrics that are as close to measuring the desired outcome as possible.
    • Select the fewest metrics possible and ensure they are of the highest value to your team, the safest from gaming behaviors and unintended consequences, and the easiest to gather and report.
    • Never use metrics for reward or punishment; use them to develop your team.
    • Automate as much metrics gathering and reporting as possible.
    • Focus on trends rather than precise metrics values.
    • Review and change your metrics periodically.

    Executive Brief Case Study

    INDUSTRY: Public Sector & Financial Services

    SOURCE: Info-Tech Interviews

    A tale of two product transformations

    Two of the organizations we interviewed shared the challenges they experienced defining product families and the impact these challenges had on their digital transformations.

    A major financial services organization (2,000+ people in IT) had employed a top-down line of business–focused approach and found itself caught in a vicious circle of moving applications between families to resolve cross-LoB dependencies.

    A similarly sized public sector organization suffered from a similar challenge as grouping from the bottom up based on technology areas led to teams fragmented across multiple business units employing different applications built on similar technology foundations.

    Results

    Both organizations struggled for over a year to structure their product families. This materially delayed key aspects of their product-centric transformation, resulting in additional effort and expenditure delivering solutions piecemeal as opposed to as a part of a holistic product family. It took embracing a hybrid top-down and bottom-up approach and beginning with pilot product families to make progress on their transformation.

    A picture of Cole Cioran is shown.

    Cole Cioran

    Practice Lead,

    Applications Practice

    Info-Tech Research Group

    There is no such thing as a perfect product-family structure. There will always be trade-offs when you need to manage shifting demand from stakeholder groups spanning customers, business units, process owners, and technology owners.

    Focusing on a single approach to structure your product families inevitably leads to decisions that are readily challenged or are brittle in the face of changing demand.

    The key to accelerating a product-centric transformation is to build a hybrid model that embraces top-down and bottom-up perspectives to structure and evolve product families over time. Add a robust pilot to evaluate the structure and you have the key to unlocking the potential of product delivery in your organization.

    Info-Tech’s methodology for Deliver Digital Products at Scale

    1. Become a Product-Centric Organization

    2. Organize Products Into Product Families

    3. Ensure Alignment Between Products and Families

    4. Bridge the Gap Between Product Families and Delivery

    5. Build Your Transformation Roadmap and Communication Plan

    Phase Steps

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm goal and value alignment of products and their product families

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    Phase Outcomes
    • Organizational drivers and goals for a product-centric delivery
    • Definition of product
    • Pilot list of products to scale
    • Product scaling principles
    • Scaling approach and direction
    • Product family mapping
    • Enabling applications
    • Dependent applications
    • Product family canvas
    • Approach for communication of product family strategy
    • Stakeholder management plan
    • Defined key pieces of a product family roadmap
    • An approach to confirming alignment between products and product families
    • Assessment of delivery maturity
    • Approach to structuring product delivery
    • Operating model for product delivery
    • Approach for product family funding
    • Product family transformation roadmap
    • Your plan for communicating your roadmap
    • List of actionable next steps to start on your journey

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Deliver Digital Products at Scale Workbook

    Use this supporting workbook to document interim results from a number of exercises that will contribute to your overall strategy.

    A screenshot of the Scale Workbook is shown.

    Deliver Digital Products at Scale Readiness Assessment

    Your strategy needs to encompass your approaches to delivery. Understand where you need to focus using this simple assessment.

    A screenshot of the Scale Readiness Assessment is shown.

    Key deliverable:

    Digital Product Family Strategy Playbook

    Record the results from the exercises to help you define, detail, and deliver digital products at scale.

    A screenshot of the Digital Product Family Strategy Playbook is shown.

    Blueprint benefits

    IT Benefits

    • Improved product delivery ROI.
    • Improved IT satisfaction and business support.
    • Greater alignment between product delivery and product family goals.
    • Improved alignment between product delivery and organizational models.
    • Better support for Agile/DevOps adoption.

    Business Benefits

    • Increased value realization across product families.
    • Faster delivery of enterprise capabilities.
    • Improved IT satisfaction and business support.
    • Greater alignment between product delivery and product family goals.
    • Uniform understanding of product and product family roadmaps and key milestones.

    Measure the value of this blueprint

    Align product family metrics to product delivery and value realization.

    Member Outcome Suggested Metric Estimated Impact

    Increase business application satisfaction

    Satisfaction with business applications (CIO Business Vision diagnostic)

    20% increase within one year after implementation

    Increase effectiveness of application portfolio management

    Effectiveness of application portfolio management (Management & Governance diagnostic)

    20% increase within one year after implementation

    Increase importance and effectiveness of application portfolio

    Importance and effectiveness to business ( Application Portfolio Assessment diagnostic)

    20% increase within one year after implementation

    Increase satisfaction of support of business operations

    Support to business (CIO Business Vision diagnostic.

    20% increase within one year after implementation

    Successfully deliver committed work (productivity)

    Number of successful deliveries; burndown

    20% increase within one year after implementation

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1: Become a Product-Centric Organization

    Phase 2: Organize Products Into Product Families

    Phase 3: Ensure Alignment Between Products and Families

    Phase 4: Bridge the Gap Between Product Families and Delivery

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Define products and product families in your context.

    Call #3: Understand the list of products in your context.

    Call #4: Define your scaling principles and goals.

    Call #5: Select a pilot and define your product families.

    Call #6: Understand the product family roadmap as a method to align products to families.

    Call #7: Define components of your product family roadmap and confirm alignment.

    Call #8: Assess your delivery readiness.

    Call #9: Discuss delivery, operating, and funding models relevant to delivering product families.

    Call #10: Wrap up.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1

    Become a Product-Centric Organization

    Day 2

    Organize Products Into Product Families

    Day 3

    Ensure Alignment Between Products and Families

    Day 4

    Bridge the Gap Between Product Families and Delivery

    Advisory

    Next Steps and Wrap-Up (offsite)

    Activities

    1.1 Understand your organizational factors driving product-centric delivery.

    1.2 Establish your organization’s product inventory.

    2.1 Determine your approach to scale product families.

    2.2 Define your product families.

    3.1 Leverage product family roadmaps.

    3.2 Use stakeholder management to improve roadmap communication.

    3.3 Configure your product family roadmaps.

    3.4 Confirm product family to product alignment.

    4.1 Assess your organization’s delivery readiness.

    4.2 Understand your delivery options.

    4.3 Determine your operating model.

    4.4 Identify how to fund product family delivery.

    5.1 Learn how to introduce your digital product family strategy.

    5.2 Communicate changes on updates to your strategy.

    5.3 Determine your next steps.

    1. Execute communication plan and product family changes.
    2. Review the pilot family implementation and update the transformation roadmap.
    3. Begin advisory calls for related blueprints.

    Key Deliverables

    1. Organizational drivers and goals for a product-centric delivery
    2. Definition of product
    3. Product scaling principles
    4. Scaling approach and direction
    5. Pilot list of products to scale
    1. Product family mapping
    2. Enabling applications
    3. Dependent applications
    4. Product family canvas
    1. Current approach for communication of product family strategy
    2. List of product family stakeholders and a prioritization plan for communication
    3. Defined key pieces of a product family roadmap
    4. An approach to confirming alignment between products and product families through a shared definition of business value
    1. Assessment results on your organization’s delivery maturity
    2. A preferred approach to structuring product delivery
    3. Your preferred operating model for delivering product families
    4. Understanding your preferred approach for product family funding
    5. Product family transformation roadmap
    6. Your plan for communicating your roadmap
    7. List of actionable next steps to start on your journey
    1. Organizational communication of product families and product family roadmaps
    2. Product family implementation and updated transformation roadmap
    3. Support for product owners, backlog and roadmap management, and other topics

    Phase 1

    Become a Product-Centric Organization

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    1.1.1 Understand your drivers for product-centric delivery

    1.1.2 Identify the differences between project and product delivery

    1.1.3 Define the goals for your product-centric organization

    1.2.1 Define “product” in your context

    1.2.2 Identify and establish a pilot list of products

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Step 1.1

    Understand the organizational factors driving product-centric delivery

    Activities

    1.1.1 Understand your drivers for product-centric delivery

    1.1.2 Identify the differences between project and product delivery

    1.1.3 Define the goals for your product-centric organization

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • Organizational drivers to move to product-centric delivery
    • List of differences between project and product delivery
    • Goals for product-centric delivery

    1.1.1 Understand your drivers for product-centric delivery

    30-60 minutes

    1. Identify your pain points in the current delivery model.
    2. What is the root cause of these pain points?
    3. How will a product-centric delivery model fix the root cause?
    4. Record the results in the Deliver Digital Products at Scale Workbook.
    Pain Points Root Causes Drivers
    • Lack of ownership
    • Siloed departments
    • Accountability

    Output

    • Organizational drivers to move to product-centric delivery.

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    1.1.2 Identify the differences between project and product delivery

    30-60 minutes

    1. Consider project delivery and product delivery.
    2. Discuss what some differences are between the two.
    3. Note: This exercise is not about identifying the advantages and disadvantages of each style of delivery. This is to identify the variation between the two.

    4. Record the results in the Deliver Digital Products at Scale Workbook.
    Project Delivery Product Delivery
    Point in time What is changed
    Method of funding changes Needs an owner

    Output

    • List of differences between project and product delivery

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Identify the differences between a project-centric and a product-centric organization

    Project Product
    Fund projects Funding Fund products or teams
    Line of business sponsor Prioritization Product owner
    Makes specific changes to a product Product management Improves product maturity and support
    Assignment of people to work Work allocation Assignment of work to product teams
    Project manager manages Capacity management Team manages capacity

    Info-Tech Insight

    Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end-user value and enterprise alignment.

    Projects can be a mechanism for funding product changes and improvements

    A flowchart is shown to demonstrate the difference between project lifecycle, hybrid lifecycle, and product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.

    Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Use Agile DevOps principles to expedite product-centric delivery and management

    Delivering products does not necessarily require an Agile DevOps mindset. However, Agile methods facilitate the journey because product thinking is baked into them.

    A flowchart is shown to demonstrate the product delivery maturity and the Agile DevOps used.

    Based on: Ambysoft, 2018

    Organizations start with Waterfall to improve the predictable delivery of product features.

    Iterative development shifts the focus from delivery of features to delivery of user value.

    Agile further shifts delivery to consider ROI. Often, the highest-value backlog items aren’t the ones with the highest ROI.

    Lean and DevOps improve your delivery pipeline by providing full integration between product owners, development teams, and operations.

    CI/CD reduces time in process by allowing release on demand and simplifying release and support activities.

    Although teams will adopt parts of all these stages during their journey, it isn’t until you’ve adopted a fully integrated delivery chain that you’ve become product centric.

    1.1.3 Define the goals for your product-centric organization

    30 minutes

    1. Review your list of drivers from exercise 1.1.1 and the differences between project and product delivery from exercise 1.1.2.
    2. Define your goals for achieving a product-centric organization.
    3. Note: Your drivers may have already covered the goals. If so, review if you would like to change the drivers based on your renewed understanding of the differences between project and product delivery.

    Pain PointsRoot CausesDriversGoals
    • Lack of ownership
    • Siloed departments
    • Accountability
    • End-to-end ownership

    Output

    • Goals for product-centric delivery

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 1.2

    Establish your organization’s product inventory

    Activities

    1.2.1 Define “product” in your context

    1.2.2 Identify and establish a pilot list of products

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • Your organizational definition of products and services
    • A pilot list of active products

    Product does not mean the same thing to everyone

    Do not expect a universal definition of products.

    Every organization and industry has a different definition of what a product is. Organizations structure their people, processes, and technologies according to their definition of the products they manage. Conflicting product definitions between teams increase confusion and misalignment of product roadmaps.

    “A product [is] something (physical or not) that is created through a process and that provides benefits to a market.”

    - Mike Cohn, Founding Member of Agile Alliance and Scrum Alliance

    “A product is something ... that is created and then made available to customers, usually with a distinct name or order number.”

    - TechTarget

    “A product is the physical object ... , software or service from which customer gets direct utility plus a number of other factors, services, and perceptions that make the product useful, desirable [and] convenient.”

    - Mark Curphey

    Organizations need a common understanding of what a product is and how it pertains to the business. This understanding needs to be accepted across the organization.

    “There is not a lot of guidance in the industry on how to define [products]. This is dangerous because what will happen is that product backlogs will be formed in too many areas. All that does is create dependencies and coordination across teams … and backlogs.”

    – Chad Beier, "How Do You Define a Product?” Scrum.org

    Products and services share the same foundation and best practices

    For the purpose of this blueprint, product/service and product owner/service owner are used interchangeably. Product is used for consistency but would apply to services as well.

    Product = Service

    “Product” and “service” are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Recognize the different product owner perspectives

    Business:

    • Customer facing, revenue generating

    Technical:

    • IT systems and tools

    Operations

    • Keep the lights on processes

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Info-Tech Insight

    Recognize that product owners represent one of three primary perspectives. Although all share the same capabilities, how they approach their responsibilities is influenced by their perspective.

    “A Product Owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The Product Owner is someone who really 'owns' the product.”

    – Robbin Schuurman, “Tips for Starting Product Owners”

    Your product definition should include everything required to support it, not just what users see.

    A picture of an iceburg is shown, showing the ice both above and below the water to demonstrate that the product definition should include everything, not just what users see. On top of the picture are various words to go with the product definition. They inlude: funding, external relationships, adoption, product strategy, stakeholder managment. The product defitions that may not be seen include: Product governance, business functionality, user support, managing and governing data, maintenance and enhancement, R-and-D, requirements analysis and design, code, and knowledge management.

    Establish where product management would be beneficial in the organization

    What does not need product ownership?

    • Individual features
    • Transactions
    • Unstructured data
    • One-time solutions
    • Non-repeatable processes
    • Solutions that have no users or consumers
    • People or teams

    Characteristics of a discrete product

    • Has end users or consumers
    • Delivers quantifiable value
    • Evolves or changes over time
    • Has predictable delivery
    • Has definable boundaries
    • Has a cost to produce and operate

    Product capabilities deliver value!

    These are the various facets of a product. As a product owner, you are responsible for managing these facets through your capabilities and activities.

    A flowchart is shown that demonstrates the various facets of a product.

    It is easy to lose sight of what matters when we look at a product from a single point of view. Despite what The Agile Manifesto says, working software is not valuable without the knowledge and support that people need in order to adopt, use, and maintain it. If you build it, they will not come. Product leaders must consider the needs of all stakeholders when designing and building products.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    An image is shown to demonstrate the relationship between the product backlog and the product roadmap.

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    An example of a product roadmap is shown to demonstrate how it is the core to value realization.

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    What is a product?

    Not all organizations will define products in the same way. Take this as a general example:

    “A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements.”

    Info-Tech Insight

    A proper definition of product recognizes three key facts:

    1. Products are long-term endeavors that don’t end after the project finishes.
    2. Products are not just “apps” but can be software or services that drive the delivery of value.
    3. There is more than one stakeholder group that derives value from the product or service.

    1.2.1 Define “product” in your context

    30-60 minutes

    1. Discuss what “product” means in your organization.
    2. Create a common, enterprise-wide definition for “product.”
    3. Record the results in the Deliver Digital Products at Scale Workbook.

    For example:

    • An application, platform, or application family.
    • Discrete items that deliver value to a user/customer.

    Output

    • Your enterprise/organizational definition of products and services

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    1.2.2 Identify and establish a pilot list of products

    1-2 hours

    1. Review any current documented application inventory. If you have these details in an existing document, share it with the team. Select the group of applications for your family scaling pilot.
    2. List your initial application inventory on the Product List tab of the Deliver Digital Products at Scale Workbook.
  • For each of the products listed, add the vision and goals of the product. Refer to Deliver on Your Digital Product Vision to learn more about identifying vision and goals or to complete the product vision canvas.
  • You’ll add business capabilities and vision in Phase 2, but you can add these now if they are available in your existing inventory.
  • Output

    • A pilot list of active products

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Phase 2

    Organize Products Into Product Families

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    2.1.1 Define your scaling principles and goals

    2.1.2 Define your pilot product family areas and direction

    2.2.1 Arrange your applications and services into product families

    2.2.2 Define enabling and supporting applications

    2.2.3 Build your product family canvas

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Step 2.1

    Determine your approach to scale product families

    Activities

    2.1.1 Define your scaling principles and goals

    2.1.2 Define your pilot product family areas and direction

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • List of product scaling principles
    • Scope of product scaling pilot and target areas
    • Scaling approach and direction

    Use consistent terminology for product and service families

    In this blueprint, we refer to any grouping of products or services as a “family.” Your organization may prefer other terms, such as product/service line, portfolio, group, etc. The underlying principles for grouping and managing product families are the same, so define the terminology that fits best with your culture. The same is true for “products” and “services,” which may also be referred to in different terms.

    An example flowchart is displayed to demonstrate the terminology for product and service families.

    A product family is a logical and operational grouping of related products or services. The grouping provides a scaled hierarchy to translate goals, priorities, strategy, and constraints down the grouping while aligning value realization upwards.

    Group product families by related purpose to improve business value

    Families should be scaled by how the products operationally relate to each other, with clear boundaries and common purpose.

    A product family contains...

    • Vision
    • Goals
    • Cumulative roadmap of the products within the family

    A product family can be grouped by...

    • Function
    • Value stream and capability
    • Customer segments or end-user group
    • Strategic purpose
    • Underlying architecture
    • Common technology or support structures
    • And many more
    A flowchart is shown to demonstrate the product family and product relations.

    Scale products into related families to improve value delivery and alignment

    Defining product families builds a network of related products into coordinated value delivery streams.

    A flowchart is shown to demonstrate the relations between product family and the delivery streams.

    “As with basic product management, scaling an organization is all about articulating the vision and communicating it effectively. Using a well-defined framework helps you align the growth of your organization with that of the company. In fact, how the product organization is structured is very helpful in driving the vision of what you as a product company are going to do.”

    – Rich Mironov, Mironov Consulting

    Product families translate enterprise goals into value-enabling capabilities

    A flowchart is shown to demonstrate the relationship between enterprise strategy and enabling capabilities.

    Info-Tech Insight

    Your organizational goals and strategy are achieved through capabilities that deliver value. Your product hierarchy is the mechanism to translate enterprise goals, priorities, and constraints down to the product level where changes can be made.

    Arrange product families by operational groups, not solely by your org chart

    A flowchart is shown to demonstrate how to arrange product families by operational groups.

    1. To align product changes with enterprise goals and priorities, you need to organize your products into operational groups based on the capabilities or business functions the product and family support.

    2. Product managers translate these goals, priorities, and constraints into their product families, so they are actionable at the next level, whether that level is another product family or products implementing enhancements to meet these goals.

    3. The product family manager ensures that the product changes enhance the capabilities that allow you to realize your product family, division, and enterprise goals.

    4. Enabling capabilities realize value and help reach your goals, which then drives your next set of enterprise goals and strategy.

    Product families need owners with a more strategic focus

    Product Owner

    (More tactical product delivery focus)

    • Backlog management and prioritization
    • Product vision and product roadmap
    • Epic/story definition, refinement in conjunction with business stakeholders
    • Sprint planning with Scrum Master and delivery team
    • Working with Scrum Master to minimize disruption to team velocity
    • Ensuring alignment between business and Scrum teams during sprints
    • Profit and loss (P&L) product analysis and monitoring

    Product Manager

    (More strategic product family focus)

    • Product strategy, positioning, and messaging
    • Product family vision and product roadmap
    • Competitive analysis and positioning
    • New product innovation/definition
    • Release timing and focus (release themes)
    • Ongoing optimization of product-related marketing and sales activities
    • P&L product analysis and monitoring

    Info-Tech Insight

    “Product owner” and “product manager” are terms that should be adapted to fit your culture and product hierarchy. These are not management relationships but rather a way to structure related products and services that touch the same end users. Use the terms that work best in your culture.

    Download Build a Better Product Owner for role support.

    2.1.1 Define your scaling principles and goals

    30-60 minutes

    1. Discuss the guiding principles for your product scaling model. Your guiding principles should consider key business priorities, organizational culture, and division/team objectives, such as improving:
    • Business agility and ability to respond to changes and needs.
    • Alignment of product roadmaps to enterprise goals and priorities.
    • Collaboration between stakeholders and product delivery teams.
    • Resource utilization and productivity.
    • The quality and value of products.
    • Coordination between related products and services.

    Output

    • List of product scaling principles

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Start scaling with a pilot

    You will likely use a combination of patterns that work best for each product area. Pilot your product scaling with a domain, team, or functional area before organizing your entire portfolio.

    Learn more about each pattern.

    Discuss the pros and cons of each.

    Select a pilot product area.

    Select a pattern.

    Approach alignment from both directions, validating by the opposite way

    Defining your product families is not a one-way street. Often, we start from either the top or the bottom depending on our scaling principles. We use multiple patterns to find the best arrangement and grouping of our products and families.

    It may be helpful to work partway, then approach your scaling from the opposite direction, meeting in the middle. This way you are taking advantage of the strengths in both approaches.

    Once you have your proposed structure, validate the grouping by applying the principles from the opposite direction to ensure each product and family is in the best starting group.

    As the needs of your organization change, you may need to realign your product families into your new business architecture and operational structure.

    A top-down alignment example is shown.

    When to use: You have a business architecture defined or clear market/functional grouping of value streams.

    A bottom-up alignment example is shown.

    When to use: You are starting from an Application Portfolio Management application inventory to build or validate application families.

    Top-down examples: Start with your enterprise structure or market grouping

    A top-down example flowchart is shown.

    Examples:

    Market Alignment
    • Consumer Banking
      • DDA: Checking, Savings, Money Market
      • Revolving Credit: Credit Cards, Line of Credit
      • Term Credit: Mortgage, Auto, Boat, Installment
    Enterprise Applications
    • Human Resources
      • Benefits: Health, Dental, Life, Retirement
      • Human Capital: Hiring, Performance, Training
      • Hiring: Posting, Interviews, Onboarding
    Shared Service
    • End-User Support
      • Desktop: New Systems, Software, Errors
      • Security: Access Requests, Password Reset, Attestations
    Business Architecture
    • Value Stream
      • Capability
        • Applications
        • Services

    Bottom-up examples: Start with your inventory

    Based on your current inventory, start organizing products and services into related groups using one of the five scaling models discussed in the next step.

    A bottom-up example flowchart is shown.

    Examples:

    Technical Grouping
    • Custom Apps: Java, .NET, Python
    • Cloud: Azure, AWS, Virtual Environments
    • Low Code: ServiceNow, Appian
    Functional/Capability Grouping
    • CRM: Salesforce, Microsoft CRM
    • Security Platforms: IAM, SSO, Scanning
    • Workflow: Remedy, ServiceNow
    Shared Services Grouping
    • Workflow: Appian, Pega, ServiceNow
    • Collaboration: SharePoint, Teams
    • Data: Dictionary, Lake, BI/Reporting

    2.1.2 Define your pilot product family areas and direction

    30-60 minutes

    1. Using your inventory of products for your pilot, consider the top-down and bottom-up approaches.
    2. Identify areas where you will begin arranging your product into families.
    3. Prioritize these pilot areas into waves:
      1. First pilot areas
      2. Second pilot areas
      3. Third pilot areas
    4. Discuss and decide whether a top-down or bottom-up approach is the best place to start for each pilot group.
    5. Prioritize your pilot families in the order in which you want to organize them. This is a guide to help you get started, and you may change the order during the scaling pattern exercise.

    Output

    • Scope of product scaling pilot and target areas

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 2.2

    Define your product families

    Activities

    2.2.1 Arrange your applications and services into product families

    2.2.2 Define enabling and supporting applications

    2.2.3 Build your product family canvas

    This step involves the following participants:

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers’
    • Business analysts

    Outcomes of this step

    • Product family mapping
    • Product families
    • Enabling applications
    • Dependent applications
    • Product family canvas

    Use three perspectives to guide scaling pattern selection

    • One size does not fit all. There is no single or static product model that fits all product teams.
    • Structure relationships based on your organizational needs and capabilities.
    • Be flexible. Product ownership is designed to enable value delivery.
    • Avoid structures that promote proxy product ownership.
    • Make decisions based on products and services, not people. Then assign people to the roles.
    Alignment perspectives:

    Value Stream

    Align products based on the defined sources of value for a collection of products or services.

    For example: Wholesale channel for products that may also be sold directly to consumers, such as wireless network service.

    Users/Consumers

    Align products based on a common group of users or product consumers.

    For example: Consumer vs. small business vs. enterprise customers in banking, insurance, and healthcare.

    Common Domain

    Align products based on a common domain knowledge or skill set needed to deliver and support the products.

    For example: Applications in a shared service framework supporting other products.

    Leverage patterns for scaling products

    Organizing your products and families is easier when leveraging these grouping patterns. Each is explained in greater detail on the following slides

    Value Stream AlignmentEnterprise ApplicationsShared ServicesTechnicalOrganizational Alignment
    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products
    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > ModulesSupporting: Job board, healthcare administrator
    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools
    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network
    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure no longer needed because the management team owns product management role

    Select the best family pattern to improve alignment

    A flowchart is shown on how to select the best family pattern to improve alignment.

    Use scenarios to help select patterns

    Top-Down

    Bottom-Up

    We have a business architecture defined.

    (See Document Your Business Architecture and industry reference architectures for help.)

    Start with your business architecture

    Start with market segments

    We want to be more customer first or customer centric.

    Start with market segments

    Our organization has rigid lines of business and organizational boundaries.

    Start with LoB structure

    Most products are specific to a business unit or division. Start with LoB structure

    Products are aligned to people, not how we are operationally organized.

    Start with market or LoB structure

    We are focusing on enterprise or enabling applications.

    1. Start with enterprise app and service team

    2. Align supporting apps

    We already have applications and services grouped into teams but want to evaluate if they are grouped in the best families.

    Validate using multiple patterns

    Validate using multiple patterns

    Our applications and services are shared across the enterprise or support multiple products, value streams, or shared capabilities.

    Our applications or services are domain, knowledge, or technology specific.

    Start by grouping inventory

    We are starting from an application inventory. (See the APM Research Center for help.)

    Start by grouping inventory

    Pattern: Value Stream – Capability

    Grouping products into capabilities defined in your business architecture is recommended because it aligns people/processes (services) and products (tools) into their value stream and delivery grouping. This requires an accurate capability map to implement.

    Example:

    • Healthcare is delivered through a series of distinct value streams (top chevrons) and shared services supporting all streams.
    • Diagnosing Health Needs is executed through the Admissions, Testing, Imaging, and Triage capabilities.
    • Products and services are needed to deliver each capability.
    • Shared capabilities can also be grouped into families to better align capability delivery and maturity to ensure that the enterprise goals and needs are being met in each value stream the capabilities support.
    An example is shown to demonstrate how to group products into capabilities.

    Sample business architecture/ capability map for healthcare

    A sample business architecture/capability map for healthcare is shown.

    Your business architecture maps your value streams (value delivered to your customer or user personas) to the capabilities that deliver that value. A capability is the people, processes, and/or tools needed to deliver each value function.

    Defining capabilities are specific to a value stream. Shared capabilities support multiple value streams. Enabling capabilities are core “keep the lights on” capabilities and enterprise functions needed to run your organization.

    See Info-Tech’s industry coverage and reference architectures.

    Download Document Your Business Architecture

    Pattern: Value Stream – Market

    Market/Customer Segment Alignment focuses products into the channels, verticals, or market segments in the same way customers and users view the organization.

    An example is shown to demonstrate how products can be placed into channels, verticals, or market segments.

    Example:

    • Customers want one stop to solve all their issues, needs, and transactions.
    • Banking includes consumer, small business, and enterprise.
    • Consumer banking can be grouped by type of financial service: deposit accounts (checking, savings, money market), revolving credit (credit cards, lines of credit), term lending (mortgage, auto, installment).
    • Each group of services has a unique set of applications and services that support the consumer product, with some core systems supporting the entire relationship.

    Pattern: Value Stream – Line of Business (LoB)

    Line of Business Alignment uses the operational structure as the basis for organizing products and services into families that support each area.

    An example of the operational structure as the basis is shown.

    Example:

    • LoB alignment favors continuity of services, tools, and skills based on internal operations over unified customer services.
    • A hospital requires care and services from many different operational teams.
    • Emergency services may be internally organized by the type of care and emergency to allow specialized equipment and resources to diagnose and treat the patients, relying on support teams for imaging and diagnostics to support care.
    • This model may be efficient and logical from an internal viewpoint but can cause gaps in customer services without careful coordination between product teams.

    Pattern: Enterprise Applications

    A division or group delivers enabling capabilities, and the team’s operational alignment maps directly to the modules/components of an enterprise application and other applications that support the specific business function.

    An example flowchart is shown with enterprise applications.

    Example:

    • Human resources is one corporate function. Within HR, however, there are subfunctions that operate independently.
    • Each operational team is supported by one or more applications or modules within a primary HR system.
    • Even though the teams work independently, the information they manage is shared with or ties into processes used by other teams. Coordination of efforts helps provide a higher level of service and consistency.

    For additional information about HRMS, please download Get the Most Out of Your HRMS.

    Pattern: Shared Services

    Grouping by service type, knowledge area, or technology allows for specialization while families align service delivery to shared business capabilities.

    An example is shown with the shared services.

    Example:

    • Recommended for governance, risk, and compliance; infrastructure; security; end-user support; and shared platforms (workflow, collaboration, imaging/record retention). Direct hierarchies do not necessarily exist within the shared service family.
    • Service groupings are common for service owners (also known as support managers, operations managers, etc.).
    • End-user ticketing comes through a common request system, is routed to the team responsible for triage, and then is routed to a team for resolution.
    • Collaboration tools and workflow tools are enablers of other applications, and product families might support multiple apps or platforms delivering that shared capability.

    Pattern: Technical

    Technical grouping is used in Shared Services or as a family grouping method within a Value Stream Alignment (Capability, Market, LoB) product family.

    An example of technical grouping is shown.

    Example:

    • Within Shared Services, Technical product grouping focuses on domains requiring specific experience and knowledge not common to typical product teams. This can also support insourcing so other product teams do not have to build their own capacity.
    • Within a Market or LoB team, these same technical groups support specific tools and services within that product family only while also specializing in the business domain.
    • Alignment into tool, platform, or skill areas improves delivery capabilities and resource scalability.

    Pattern: Organizational Alignment

    Eventually in your product hierarchy, the management structure functions as the product management team.

    • When planning your product families, be careful determining when to merge product families into the management team structure.
    • Since the goal of scaling products into families is to align product delivery roadmaps to enterprise goals and enable value realization, the primary focus of scaling must be operational.
    • Alignment to the organizational chart should only occur when the product families report into an HR manager who has ownership for the delivery and value realization for all product and services within that family.
    Am example of organizational alignment is shown.

    Download Build a Better Product Owner for role support.

    2.2.1 Arrange your applications and services into product families

    1-4 hours

    1. (Optional but recommended) Define your value streams and capabilities on the App Capability List tab in the Deliver Digital Products at Scale Workbook.
    2. On the Product Families tab, build your product family hierarchy using the following structure:
    • Value Stream > Capability > Family 3 > Family 2 > Family 1 > Product/Service.
    • If you are not using a Value Stream > Capability grouping, you can leave these blank for now.
    A screenshot of the App Capability List in the Deliver Disital Products at Scale Workbook is shown.
  • If you previously completed an application inventory using one of our application portfolio management (APM) resources, you can paste values here. Do not paste cells, as Excel may create a cell reference or replace the current conditional formatting.
  • Output

    • Product family mapping

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    2.2.2 Define enabling and supporting applications

    1-4 hours

    1. Review your grouping from the reverse direction or with different patterns to validate the grouping. Consider each grouping.
    • Does it operationally align the products and families to best cascade enterprise goals and priorities while validating enabling capabilities?
    • In the next phase, when defining your roadmap strategy, you may wish to revisit this phase and adjust as needed.
  • Select and enter enabling or dependent applications to the right of each product.
  • A screenshot from the Deliver Digitial Products at Scale Workbook is shown.

    Output

    • Product families
    • Enabling applications
    • Dependent applications

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Deliver Digital Products at Scale Workbook.

    Use a product canvas to define key elements of your product family

    A product canvas is an excellent tool for quickly providing important information about a product family.

    Product owners/managers

    Provide target state to align child product and product family roadmaps.

    Stakeholders

    Communicate high-level concepts and key metrics with leadership teams and stakeholders.

    Strategy teams

    Use the canvas as a tool for brainstorming, scoping, and ideation.

    Operations teams

    Share background overview to align operational team with end-user value.

    Impacted users

    Refine communication strategy and support based on user impacts and value realization.

    Download Deliver on Your Digital Product Vision.

    Product Family Canvas: Define your core information

    A screenshot of the product family canvas is shown.

    Problem Statement: The problem or need the product family is addressing

    Business Goals: List of business objectives or goals for the product

    Personas/Customers/Users: List of groups who consume the product/service

    Vision: Vision, unique value proposition, elevator pitch, or positioning statement

    Child Product Families or Products: List of product families or products within this family

    Stakeholders: List of key resources, stakeholders, and teams needed to support the product or service

    Download Deliver on Your Digital Product Vision.

    2.2.3 Build your product family canvas

    30-60 minutes

    1. Complete the following fields to build your product family canvas in your Digital Product Family Strategy Playbook:
      1. Product family name
      2. Product family owner
      3. Parent product family name
      4. Problem that the family is intending to solve (For additional help articulating your problem statement, refer to Deliver on Your Digital Product Vision.)
      5. Product family vision/goals (For additional help writing your vision, refer to Deliver on Your Digital Product Vision..)
      6. Child product or product family name(s)
      7. Primary customers/users (For additional help with your product personas, download and complete Deliver on Your Digital Product Vision..)
      8. Stakeholders (If you aren’t sure who your stakeholders are, fill this in after completing the stakeholder management exercises in phase 3.)

    Output

    • Product family canvas

    Participants

    • Product owners
    • Product managers
    • Development team leads
    • Portfolio managers
    • Business analysts

    Record the results in the Digital Product Family Strategy Playbook.

    A screenshot of the Product Family Canvas is shown.

    Phase 3

    Ensure Alignment Between Products and Families

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    • 3.1.1 Evaluate your current approach to product family communication
    • 3.2.1 Visualize interrelationships among stakeholders to identify key influencers
    • 3.2.2 Group stakeholders into categories
    • 3.2.3 Prioritize your stakeholders
    • 3.3.1 Define the communication objectives and audience of your product family roadmaps
    • 3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent
    • 3.4.1 Validate business value alignment between products and their product families

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Step 3.1

    Leverage product family roadmaps

    Activities

    3.1.1 Evaluate your current approach to product family communication

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Understanding of what a product family roadmap is
    • Comparison of Info-Tech’s position on product families to how you currently communicate about product families

    Aligning products’ goals with families

    Without alignment between product family goals and their underlying products, you aren’t seeing the full picture.

    An example of a product roadmap is shown to demonstrate how it is the core to value realization.

    Adapted from: Pichler," What Is Product Management?"

    • Aligning product strategy to enterprise goals needs to happen through the product family.
    • A product roadmap has traditionally been used to express the overall intent and visualization of the product strategy.
    • Connecting the strategy of your products with your enterprise goals can be done through the product family roadmap.

    Leveraging product family roadmaps

    It’s more than a set of colorful boxes.

      ✓ Lays out a strategy for your product family.

      ✓ Is a statement of intent for your family of products.

      ✓ Communicates direction for the entire product family and product teams.

      ✓ Directly connects to the organization’s goals.

    However, it is not:

      x Representative of a hard commitment.

      x A simple combination of your current product roadmaps.

      x A technical implementation plan.

    Product family roadmaps

    A roadmap is shown without any changes.

    There is no such thing as a roadmap that never changes.

    Your product family roadmap represents a broad statement of intent and high-level tactics to get closer to the organization’s goals.

    A roadmap is shown with changes.

    All good product family roadmaps embrace change!

    Your strategic intentions are subject to volatility, especially those planned further in the future. The more costs you incur in planning, the more you leave yourself exposed to inefficiency and waste if those plans change.

    Info-Tech Insight

    A good product family roadmap is intended to manage and communicate the inevitable changes as a result of market volatility and changes in strategy.

    Product family roadmaps are more strategic by nature

    While individual product roadmaps can be different levels of tactical or strategic depending on a variety of market factors, your options are more limited when defining roadmaps for product families.

    An image is displayed to show the relationships between product and product family, and how the roadmaps could be tactical or strategic.

    Info-Tech Insight

    Roadmaps for your product family are, by design, less detailed. This does not mean they aren’t actionable! Your product family roadmap should be able to communicate clear intentions around the future delivery of value in both the near and long term.

    Reminder: Your enterprise vision provides alignment for your product family roadmaps

    Not knowing the difference between enterprise vision and goals will prevent you from both dreaming big and achieving your dream.

    Your enterprise vision represents your “north star” – where you want to go. It represents what you want to do.

    • Your enterprise goals represent what you need to achieve in order to reach your enterprise vision.
    • A key element of operationalizing your vision.
    • Your strategy, initiatives, and features will align with one or more goals.

    Download Deliver on Your Digital Product Vision for support.

    Multiple roadmap views can communicate differently, yet tell the same truth

    Audience

    Business/ IT Leaders

    Users/Customers

    Delivery Teams

    Roadmap View

    Portfolio

    Product Family

    Technology

    Objectives

    To provide a snapshot of the portfolio and priority products

    To visualize and validate product strategy

    To coordinate broad technology and architecture decisions

    Artifacts

    Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level.

    Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize those goals.

    Artifacts are grouped by the teams who deliver that work and consist of technical capabilities that support the broader delivery of value for the product family.

    Typical elements of a product family roadmap

    While there are others, these represent what will commonly appear across most family-based roadmaps.

    An example is shown to highlight the typical elements of a product family roadmap.

    GROUP/CATEGORY: Groups are collections of artifacts. In a product family context, these are usually product family goals, value streams, or products.

    ARTIFACT: An artifact is one of many kinds of tangible by-products produced during the delivery of products. For a product family, the artifacts represented are capabilities or value streams.

    MILESTONE: Points in the timeline when established sets of artifacts are complete. This is a critical tool in the alignment of products in a given family.

    TIME HORIZON: Separated periods within the projected timeline covered by the roadmap.

    3.1.1 Evaluate your current approach to product family communication

    1-2 hours

    1. Write down how you currently communicate your intentions for your products and family of products.
    2. Compare and contrast this to how this blueprint defines product families and product family roadmaps.
    3. Consider the similarities and the key gaps between your current approach and Info-Tech’s definition of product family roadmaps.

    Output

    • Your documented approach to product family communication

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 3.2

    Use stakeholder management to improve roadmap communication

    Activities

    3.2.1 Visualize interrelationships among stakeholders to identify key influencers

    3.2.2 Group stakeholders into categories

    3.2.3 Prioritize your stakeholders

    Info-Tech Note

    If you have done the stakeholder exercises in Deliver on Your Digital Product Vision or Build a Better Product Owner u don’t need to repeat the exercises from scratch.

    You can bring the results forward and update them based on your prior work.

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Relationships among stakeholders and influencers
    • Categorization of stakeholders and influencers
    • Stakeholder and influencer prioritization

    Reminder: Not everyone is a user!

    USERS

    Individuals who directly obtain value from usage of the product.

    STAKEHOLDERS

    Represent individuals who provide the context, alignment, and constraints that influence or control what you will be able to accomplish.

    FUNDERS

    Individuals both external and internal that fund the product initiative. Sometimes they are lumped in as stakeholders. However, motivations can be different.

    For more information, see Deliver on Your Digital Product Vision.

    A stakeholder strategy is a key part of product family attainment

    A roadmap is only “good” when it effectively communicates to stakeholders. Understanding your stakeholders is the first step in delivering great product family roadmaps.

    A picture is shown that has 4 characters with puzzle pieces, each repersenting a key to product family attainment. The four keys are: Stakeholder management, product lifecycle, project delivery, and operational support.

    Create a stakeholder network map for product roadmaps and prioritization

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    An example stakeholder network map is displayed.

    Legend

    Black arrows: indicate the direction of professional influence

    Dashed green arrows: indicate bidirectional, informal influence relationships

    Info-Tech Insight

    Your stakeholder map defines the influence landscape your product family operates in. It is every bit as important as the teams who enhance, support, and operate your product directly.

    Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

    3.2.1 Visualize interrelationships among stakeholders to identify key influencers

    60 minutes

    1. List direct stakeholders for your product.
    2. Determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
    3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    4. Construct a diagram linking stakeholders and their influencers together.
    • Use black arrows to indicate the direction of professional influence.
    • Use dashed green arrows to indicate bidirectional, informal influence relationships.

    Output

    • Relationships among stakeholders and influencers

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Categorize your stakeholders with a prioritization map

    A stakeholder prioritization map helps product leaders categorize their stakeholders by their level of influence and ownership in the product and/or teams.

    An example stakeholder prioritization map is shown.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

    Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

    Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

    Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

    3.2.2 Group stakeholders into categories

    30-60 minutes

    1. Identify your stakeholders’ interest in and influence on your product as high, medium, or low by rating the attributes below.
    2. Map your results to the model below to determine each stakeholder’s category.
    Level of Influence
    • Power: Ability of a stakeholder to effect change.
    • Urgency: Degree of immediacy demanded.
    • Legitimacy: Perceived validity of stakeholder’s claim.
    • Volume: How loud their “voice” is or could become.
    • Contribution: What they have that is of value to you.
    Level of Interest

    How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

    The example stakeholder prioritization map is shown with the stakeholders grouped into the categories.

    Output

    • Categorization of stakeholders and influencers

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Level of Support

    Stakeholder Category

    Supporter

    Evangelist

    Neutral Blocker

    Player

    Critical

    High

    High

    Critical

    Mediator

    Medium

    Low

    Low

    Medium

    Noisemaker

    High

    Medium

    Medium

    High

    Spectator

    Low

    Irrelevant

    Irrelevant

    Low

    Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How likely is it that this stakeholder would recommend your product?

    These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

    3.2.3 Prioritize your stakeholders

    30 minutes

    1. Identify the level of support of each stakeholder by answering the following question: How likely is it that this stakeholder would endorse your product?
    2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

    Stakeholder

    Category

    Level of Support

    Prioritization

    CMO

    Spectator

    Neutral

    Irrelevant

    CIO

    Player

    Supporter

    Critical

    Output

    • Stakeholder and influencer prioritization

    Participants

    • Product owners
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    Define strategies for engaging stakeholders by type

    An example is shown to demonstrate how to define strategies to engage staeholders by type.

    Type

    Quadrant

    Actions

    Players

    High influence, high interest – actively engage

    Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.

    Mediators

    High influence, low interest – keep satisfied

    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.

    Noisemakers

    Low influence, high interest – keep informed

    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.

    Spectators

    Low influence, low interest – monitor

    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Info-Tech Insight

    Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying your stakeholder groups, the product owner can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers, while ensuring the needs of Mediators and Players are met.

    Step 3.3

    Configure your product family roadmaps

    Activities

    3.3.1 Define the communication objectives and audience of your product family roadmaps

    3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent

    Info-Tech Note

    If you are unfamiliar with product roadmaps, Deliver on Your Digital Product Vision contains more detailed exercises we recommend you review before focusing on product family roadmaps.

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • An understanding of the key communication objectives and target stakeholder audience for your product family roadmaps
    • A position on the level of detail you want your product family roadmap to operate at

    Your communication objectives are linked to your audience; ensure you know your audience and speak their language

    I want to... I need to talk to... Because they are focused on...
    ALIGN PRODUCT TEAMS Get my delivery teams on the same page. Architects Products Owners PRODUCTS A product that delivers value against a common set of goals and objectives.
    SHOWCASE CHANGES Inform users and customers of product strategy. Bus. Process Owners End Users FUNCTIONALITY A group of functionality that business customers see as a single unit.
    ARTICULATE RESOURCE REQUIREMENTS Inform the business of product development requirements. IT Management Business Stakeholders FUNDING An initiative that those with the money see as a single budget.

    3.3.1 Define the communication objectives and audience of your product family roadmaps

    30-60 minutes

    1. Explicitly state the communication objectives and audience of your roadmap.
    • Think of finishing this sentence: This roadmap is designed for … in order to …
  • You may want to consider including more than a single audience or objective.
  • Example:
  • Roadmap

    Audience

    Statement

    Internal Strategic Roadmap

    Internal Stakeholders

    This roadmap is designed to detail the strategy for delivery. It tends to use language that represents internal initiatives and names.

    Customer Strategic Roadmap

    External Customers

    This roadmap is designed to showcase and validate future strategic plans and internal teams to coordinate the development of features and enablers.

    Output

    • Roadmap list with communication objectives and audience

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Deliver Digital Products at Scale Workbook.

    The length of time horizons on your roadmap depend on the needs of the underlying products or families

    Info-Tech InsightAn example timeline is shown.

    Given the relationship between product and product family roadmaps, the product family roadmap needs to serve the time horizons of its respective products.

    This translates into product family roadmaps with timelines that, at a minimum, cover the full scope of the respective product roadmaps.

    Based on your communication objectives, consider different ways to visualize your product family roadmap

    Swimline/Stream-Based roadmap example.

    Swimlane/Stream-Based – Understanding when groups of items intend to be delivered.

    An example is shown that has an overall plan with rough intentions around delivery.

    Now, Next, Later – Communicate an overall plan with rough intentions around delivery without specific date ranges.

    An example of a sunrise roadmap is shown.

    Sunrise Roadmap – Articulate the journey toward a given target state across multiple streams.

    Before connecting your family roadmap to products, think about what each roadmap typically presents

    An example of a product family roadmap is shown and how it can be connected to the products.

    Info-Tech Insight

    Your product family roadmap and product roadmap tell different stories. The product family roadmap represents the overall connection of products to the enterprise strategy, while the product roadmap focuses on the fulfillment of the product’s vision.

    Example: Connecting your product family roadmaps to product roadmaps

    Your roadmaps should be connected at an artifact level that is common between both. Typically, this is done with capabilities, but you can do it at a more granular level if an understanding of capabilities isn’t available.

    Example is shown connecting product family roadmaps to product roadmaps.

    3.3.2 Identify the level of detail that you want your product family roadmap artifacts to represent

    30-60 minutes

    1. Consider the different available artifacts for a product family (goals, value stream, capabilities).
    2. List the roadmaps that you wish to represent.
    3. Based on how you currently articulate details on your product families, consider:
    • What do you want to use as the level of granularity for the artifact? Consider selecting something that has a direct connection to the product roadmap itself (for example, capabilities).
    • For some roadmaps you will want to categorize your artifacts – what would work best in those cases?

    Examples

    Level of Hierarchy

    Artifact Type

    Roadmap 1

    Goals

    Capability

    Roadmap 2

    Roadmap 3

    Output

    • Details on your roadmap granularity

    Participants

    • Product owners
    • Product managers
    • Portfolio managers

    Record the results in the Deliver Digital Products at Scale Workbook.

    Step 3.4

    Confirm goal and value alignment of products and their product families

    Activities

    3.4.1 Validate business value alignment between products and their product families

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Business analysts

    Outcomes of this step

    • Validation of the alignment between your product families and products

    Confirming product to family value alignment

    It isn’t always obvious whether you have the right value delivery alignment between products and product families.

    An example is shown to demonstrate product-to-family-alignment.

    Product-to-family alignment can be validated in two different ways:

    1. Initial value alignment
    2. Confirm the perceived business value at a family level is aligned with what is being delivered at a product level.

    3. Value measurement during the lifetime of the product
    4. Validate family roadmap attainment through progression toward the specified product goals.

    For more detail on calculating business value, see Build a Value Measurement Framework.

    To evaluate a product family’s contribution, you need a common definition of value

    Why is having a common value measure important?

    CIO-CEO Alignment Diagnostic

    A stacked bar graph is shown to demonstrate CIO-CEO Alignment Diagnostic. A bar titled Business Value Metrics is highlighted. 51% had some improvement necessary and 32% had significant improvement necessary.

    Over 700 Info-Tech members have implemented the Balanced Value Measurement Framework.

    “The cynic knows the price of everything and the value of nothing.”

    – Oscar Wilde

    “Price is what you pay. Value is what you get.”

    – Warren Buffett

    Understanding where you derive value is critical to building solid roadmaps.

    All value in your product family is not created equal

    Business value is the value of the business outcome the application produces and how effective the product is at producing that outcome. Dissecting value by the benefit type and the value source allows you to see the many ways in which a product or service brings value to your organization. Capture the value of your products in short, concise statements, like an elevator pitch.

    A business value matrix is shown.

    Increase Revenue

    Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue.

    Reduce Costs

    Reduction of overhead. The ways in which your product limits the operational costs of business functions.

    Enhance Services

    Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    Reach Customers

    Application functions that enable and improve the interaction with customers or produce market information and insights.

    Financial Benefits vs. Improved Capabilities

    • Financial Benefit refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible.
    • Human Benefit refers to how a product or service can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    • Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.
    • Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.

    3.4.1 Validate business value alignment between products and their product families

    30-60 minutes

    1. Draw the 2x2 Business Value Matrix on a flip chart or open the Business Value Matrix tab in the Deliver Digital Products at Scale Workbook to use in this exercise.
    2. Brainstorm and record the different types of business value that your product and product family produce on the sticky notes (one item per sticky note).
    3. As a team, evaluate how the product value delivered contributes to the product family value delivered. Note any gaps or differences between the two.

    Download and complete Build a Value Measurement Framework for full support in focusing product delivery on business value–driven outcomes.

    A business value matrix is shown.

    Output

    • Confirmation of value alignment between product families and their respective products

    Participants

    • Product owners
    • Product managers

    Record the results in the Deliver Digital Products at Scale Workbook.

    Example: Validate business value alignment between products and their product families

    An example of a business value matrix is shown.

    Measure product value with metrics tied to your business value sources and objectives

    Assign metrics to your business value sources

    Business Value Category

    Source Examples

    Metric Examples

    Profit Generation

    Revenue

    Customer Lifetime Value (LTV)

    Data Monetization

    Average Revenue per User (ARPU)

    Cost Reduction

    Reduce Labor Costs

    Contract Labor Cost

    Reduce Overhead

    Effective Cost per Install (eCPI)

    Service Enablement

    Limit Failure Risk

    Mean Time to Mitigate Fixes

    Collaboration

    Completion Time Relative to Deadline

    Customer and Market Reach

    Customer Satisfaction

    Net Promoter Score

    Customer Trends

    Number of Customer Profiles

    The importance of measuring business value through metrics

    The better an organization is at using business value metrics to evaluate IT’s performance, the more satisfied the organization is with IT’s performance as a business partner. In fact, those that say they’re effective at business value metrics have satisfaction scores that are 30% higher than those that believe significant improvements are necessary (Info-Tech’s IT diagnostics).

    Assigning metrics to your prioritized values source will allow you to more accurately measure a product’s value to the organization and identify optimization opportunities. See Info-Tech’s Related Research: Value, Delivery Metrics, Estimation blueprint for more information.

    Your product delivery pipeline connects your roadmap with business value realization

    The effectiveness of your product roadmap needs to be evaluated based on delivery capacity and throughput.

    A product roadmap is shown with additional details to demonstrate delivery capacity and throughput.

    When thinking about product delivery metrics, be careful what you ask for…

    As the saying goes “Be careful what you ask for, because you will probably get it.”

    Metrics are powerful because they drive behavior.

    • Metrics are also dangerous because they often lead to unintended negative outcomes.
    • Choose your metrics carefully to avoid getting what you asked for instead of what you intended.

    It’s a cautionary tale that also offers a low-risk path through the complexities of metrics use.

    For more information on the use (and abuse) of metrics, see Select and Use SDLC Metrics Effectively.

    Measure delivery and success

    Metrics and measurements are powerful tools to drive behavior change and decision making in your organization. However, metrics are highly prone to creating unexpected outcomes, so use them with great care. Use metrics judiciously to uncover insights but avoid gaming or ambivalent behavior, productivity loss, and unintended consequences.

    Build good practices in your selection and use of metrics:

    • Choose the metrics that are as close to measuring the desired outcome as possible.
    • Select the fewest metrics possible and ensure they are of the highest value to your team, the safest from gaming behaviors and unintended consequences, and the easiest to gather and report.
    • Never use metrics for reward or punishment; use them to develop your team.
    • Automate as much metrics gathering and reporting as possible.
    • Focus on trends rather than precise metrics values.
    • Review and change your metrics periodically.

    Phase 4

    Bridge the Gap Between Product Families and Delivery

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    4.1.1 Assess your organization’s readiness to deliver digital product families

    4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    4.4.1 Discuss traditional vs. product-centric funding methods

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Assess the impacts of product-centric delivery on your teams and org design

    Product delivery can exist within any org structure or delivery model. However, when making the shift toward product management, consider optimizing your org design and product team structure to match your capacity and throughput needs.

    A flowchart is shown to see how the impacts of product-centric delivery can impact team and org designs.

    Info-Tech Note

    Realigning your delivery pipeline and org design takes significant effort and time. Although we won’t solve these questions here, it’s important to identify factors in your current or future models that improve value delivery.

    Step 4.1

    Assess your organization’s delivery readiness

    Activities

    4.1.1 Assess your organization’s readiness to deliver digital product families

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the group’s maturity level when it comes to product delivery

    Maturing product practices enables delivery of product families, not just products or projects

    A flowchart is shown to demonstrate the differences between project lifecycle, hybrid lifecycle, and product lifecycle.

    Just like product owners, product family owners are needed to develop long-term product value, strategy, and delivery. Projects can still be used as the source of funding and change management; however, the product family owner must manage product releases and operational support. The focus of this section will be on aligning product families to one or more releases.

    4.1.1 Assess your organization’s readiness to deliver digital product families

    30-60 minutes

    1. For each question in the Deliver Digital Products at Scale Readiness Assessment, ask yourself which of the five associated maturity statements most closely describes your organization.
    2. As a group, agree on your organization’s current readiness score for each of the six categories.

    A screenshot of the Deliver Digital Products at Scale Readiness Assessment is shown.

    Output

    • Product delivery readiness score

    Participants

    • Product managers
    • Product owners

    Download the Deliver Digital Products at Scale Readiness Assessment.

    Value realization is constrained by your product delivery pipeline

    Value is realized through changes made at the product level. Your pipeline dictates the rate, quality, and prioritization of your backlog delivery. This pipeline connects your roadmap goals to the value the goals are intended to provide.

    An example of a product roadmap is shown with the additional details of the product delivery pipeline being highlighted.

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    PRODUCT STRATEGY

    What are the artifacts?

    What are you saying?

    Defined at the family level?

    Defined at the product level?

    Vision

    I want to...

    Strategic focus

    Delivery focus

    Goals

    To get there we need to...

    Roadmap

    To achieve our goals, we’ll deliver...

    Backlog

    The work will be done in this order...

    Release Plan

    We will deliver in the following ways...

    Step 4.2

    Understand your delivery options

    Activities

    4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the different team configuration options when it comes to delivery and their relevance to how you currently work

    Define the scope of your product delivery strategy

    The goal of your product delivery strategy is to establish streamlined, enforceable, and standardized product management and delivery capabilities that follow industry best practices. You will need to be strategic in how and where you implement your changes because this will set the stage for future adoption. Strategically select the most appropriate products, roles, and areas of your organization to implement your new or enhanced capabilities and establish a foundation for scaling.

    Successful product delivery requires people who are knowledgeable about the products they manage and have a broad perspective of the entire delivery process, from intake to delivery, and of the product portfolio. The right people also have influence with other teams and stakeholders who are directly or indirectly impacted by product decisions. Involve team members who have expertise in the development, maintenance, and management of your selected products and stakeholders who can facilitate and promote change.

    Learn about different patterns to structure and resource your product delivery teams

    The primary goal of any product delivery team is to improve the delivery of value for customers and the business based on your product definition and each product’s demand. Each organization will have different priorities and constraints, so your team structure may take on a combination of patterns or may take on one pattern and then transform into another.

    Delivery Team Structure Patterns

    How Are Resources and Work Allocated?

    Functional Roles

    Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC).

    Completed work is handed off from team to team sequentially as outlined in the organization’s SDLC.

    Shared Service and Resource Pools

    Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk).

    Resources are pulled whenever the work requires specific skills or pushed to areas where product demand is high.

    Product or System

    Teams are dedicated to the development, support, and management of specific products or systems.

    Work is directly sent to the teams who are directly managing the product or directly supporting the requester.

    Skills and Competencies

    Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, finance).

    Work is directly sent to the teams who have the IT and business skills and competencies to complete the work.

    See the flow of work through each delivery team structure pattern

    Four delivery team structures are shown. The four are: functional roles, shared service and resource pools, product or system, and skills and competencies.

    Staffing models for product teams

    Functional Roles Shared Service and Resource Pools Product or System Skills and Competencies
    A screenshot of the functional roles from the flow of work example is shown. A screenshot of the shared service and resource pools from the flow of work example is shown. A screenshot of the product or system from the flow of work example is shown. A screenshot of skills and competencies from the flow of work example is shown.
    Pros
      ✓ Specialized resources are easier to staff

      ✓ Product knowledge is maintained

      ✓ Flexible demand/capacity management

      ✓ Supports full utilization of resources

      ✓ Teams are invested in the full life of the product

      ✓ Standing teams enable continuous improvement

      ✓ Teams are invested in the technology

      ✓ Standing teams enable continuous improvement

    Cons
      x Demand on specialists can create bottlenecks

      x Creates barriers to collaboration

      x Unavailability of resources can lead to delays

      x Product knowledge can be lost as resources move

      x Changes in demand can lead to downtime

      x Cross-functional skills make staffing a challenge

      x Technology bias can lead to the wrong solution

      x Resource contention when team supports multiple solutions

    Considerations
      ! Product owners must break requests down into very small components to support Agile delivery as mini-Waterfalls
      ! Product owners must identify specialist requirements in the roadmap to ensure resources are available
      ! Product owners must ensure that there is a sufficient backlog of valuable work ready to keep the team utilized
      ! Product owners must remain independent of technology to ensure the right solution is built
    Use Case
    • When you lack people with cross-functional skills
    • When you have specialists such as those skilled in security and operations who will not have full-time work on the product
    • When you have people with cross-functional skills who can self-organize around the request
    • When you have a significant investment in a specific technology stack

    4.2.1 Consider pros and cons for each delivery model relative to how you wish to deliver

    1. Document your current staffing model for your product delivery teams.
    2. Evaluate the pros and cons of each model, as specified on the previous slide, relative to how you currently work.
    3. What would be the ideal target state for your team? If one model does not completely fit, is there a hybrid option worth considering? For example: Product-Based combined with Shared Service/Resource Pools for specific roles.

    Functional Roles

    Teams are divided by functional responsibilities (e.g. developers, testers, business analysts, operations, help desk) and arranged according to their placement in the software development lifecycle (SDLC).

    Shared Service and Resource Pools

    Teams are created by pulling the necessary resources from pools (e.g. developers, testers, business analysts, operations, help desk).

    Product or System

    Teams are dedicated to the development, support, and management of specific products or systems.

    Skills and Competencies

    Teams are grouped based on skills and competencies related to technology (e.g. Java, mobile, web) or familiarity with business capabilities (e.g. HR, finance).

    Output

    • An understanding of pros and cons for each delivery model and the ideal target state for your team

    Participants

    • Product managers
    • Product owners

    Record the results in the Digital Product Family Strategy Playbook.

    Step 4.3

    Determine your operating model

    Activities

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the potential operating models and what will work best for your organization

    Reminder: Patterns for scaling products

    The alignment of your product families should be considered in your operating model.

    Value Stream Alignment

    Enterprise Applications

    Shared Services

    Technical

    Organizational Alignment

    • Business architecture
      • Value stream
      • Capability
      • Function
    • Market/customer segment
    • Line of business (LoB)
    • Example: Customer group > value stream > products
    • Enabling capabilities
    • Enterprise platforms
    • Supporting apps
    • Example: HR > Workday/Peoplesoft > ModulesSupporting: Job board, healthcare administrator
    • Organization of related services into service family
    • Direct hierarchy does not necessarily exist within the family
    • Examples: End-user support and ticketing, workflow and collaboration tools
    • Domain grouping of IT infrastructure, platforms, apps, skills, or languages
    • Often used in combination with Shared Services grouping or LoB-specific apps
    • Examples: Java, .NET, low-code, database, network
    • Used at higher levels of the organization where products are aligned under divisions
    • Separation of product managers from organizational structure no longer needed because the management team owns product management role

    Ensure consistency in the application of your design principles with a coherent operating model

    What is an operating model?

    An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy. It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design

    The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.

    An example of an operating model is shown.

    For more information, see Redesign Your IT Organizational Structure.

    Weigh the pros and cons of IT operating models to find the best fit

    1. LoB/Product Aligned – Decentralized Model: Line of Business, Geographically, Product, or Functionally Aligned
    2. A decentralized IT operating model that embeds specific functions within LoBs/product teams and provides cross-organizational support for their initiatives.

    3. Hybrid Functional: Functional/Product Aligned
    4. A best-of-both-worlds model that balances the benefits of centralized and decentralized approaches to achieve both customer responsiveness and economies of scale.

    5. Hybrid Service Model: Product-Aligned Operating Model
    6. A model that supports what is commonly referred to as a matrix organization, organizing by highly related service categories and introducing the role of the service owner.

    7. Centralized: Plan-Build-Run
    8. A highly typical IT operating model that focuses on centralized strategic control and oversight in delivering cost-optimized and effective solutions.

    9. Centralized: Demand-Develop-Service
    10. A centralized IT operating model that lends well to more mature operating environments. Aimed at leveraging economies of scale in an end-to-end services delivery model.

    There are many different operating models. LoB/Product Aligned and Hybrid Functional align themselves most closely with how products and product families are typically delivered.

    Decentralized Model: Line of Business, Geographically, Product, or Functionally Aligned

    An example of a decentralized model is shown.

    BENEFITS

    DRAWBACKS

    • Organization around functions (FXN) allows for diversity in approach in how areas are run to best serve specific business units needs.
    • Each functional line exists largely independently, with full capacity and control to deliver service at the committed service level agreements.
    • Highly responsive to shifting needs and demands with direct connection to customers and all stages of the solution development lifecycle.
    • Accelerates decision making by delegating authority lower into the FXN.
    • Promotes a flatter organization with less hierarchy and more direct communication with the CIO.
    • Less synergy and integration across what different lines of business are doing can result in redundancies and unnecessary complexity.
    • Higher overall cost to the IT group due to role and technology duplication across different FXN.
    • Inexperience becomes an issue; requires more competent people to be distributed across the FXN.
    • Loss of sight of the big picture – difficult to enforce standards around people/process/technology with solution ownership within the FXN.

    For more information, see Redesign your IT Organizational Structure.

    Hybrid Model: Functional/Product Aligned

    An example of a hybrid model: functional/product aligned is shown.

    BENEFITS

    DRAWBACKS

    • Best of both worlds of centralization and decentralization; attempts to channel benefits from both centralized and decentralized models.
    • Embeds key IT functions that require business knowledge within functional areas, allowing for critical feedback.
    • Balances a holistic IT strategy and architecture with responsiveness to needs of the organization.
    • Achieves economies of scale where necessary through the delivery of shared services that can be requested by the function.
    • May result in excessive cost through role and system redundancies across different functions
    • Business units can have variable levels of IT competence; may result in different levels of effectiveness.
    • No guaranteed synergy and integration across functions; requires strong communication, collaboration, and steering.
    • Cannot meet every business unit’s needs – can cause tension from varying effectiveness of the IT functions placed within the functional areas.

    For more information, see Redesign your IT Organizational Structure.

    Hybrid Model: Product-Aligned Operating Model

    An example of a hybrid model: product-aligned operating model.

    BENEFITS

    DRAWBACKS

    • Focus is on the full lifecycle of a product – takes a strategic view of how technology enables the organization.
    • Promotes centralized backlog around a specific value creator, rather than traditional project focus, which is more transactional.
    • Dedicated teams around the product family ensure that you have all of the resources required to deliver on your product roadmap.
    • Reduces barriers between IT and business stakeholders, focuses on technology as a key strategic enabler.
    • Delivery is largely done through a DevOps methodology.
    • Significant business involvement is required for success within this model, with business stakeholders taking an active role in product governance and potentially product management as well.
    • Strong architecture standards and practices are required to make this successful because you need to ensure that product families are building in a consistent manner and limiting application sprawl.
    • Introduced the need for practice standards to drive consistency in quality of delivered services.
    • May result in increased cost through role redundancies across different squads.

    For more information, see Redesign your IT Organizational Structure.

    Centralized: Plan-Build-Run

    An example of a centralized: Plan-Build-Run is shown.

    BENEFITS

    DRAWBACKS

    • Effective at implementing long-term plans efficiently, separates maintenance and projects to allow each to have the appropriate focus.
    • More oversight over financials; better suited for fixed budgets.
    • Works across centralized technology domains to better align with the business's strategic objectives – allows for a top-down approach to decision making.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Well suited for a project-driven environment that employs Waterfall or a hybrid project management methodology that is less iterative.
    • Not optimized for unpredictable/shifting project demands, as decision making is centralized in the plan function.
    • Less agility to deliver new features or solutions to the customer in comparison to decentralized models.
    • Build (developers) and run (operations staff) are far removed from the business, resulting in lower understanding of business needs (as well as “passing the buck” – from development to operations).
    • Requires strong hand-off processes to be defined and strong knowledge transfer from build to run functions in order to be successful.

    For more information, see Redesign your IT Organizational Structure.

    Centralized: Demand-Develop-Service

    An example of a centralized: Demand-Develop-Service model is shown.

    BENEFITS

    DRAWBACKS

    • Aligns well with an end-to-end services model; constant attention to customer demand and service supply.
    • Centralizes service operations under one functional area to serve shared needs across lines of business.
    • Allows for economies of scale and expertise pooling to improve IT’s efficiency.
    • Elevates sourcing and vendor management as its own strategic function; lends well to managed service and digital initiatives.
    • Development and operations housed together; lends well to DevOps-related initiatives.
    • Can be less responsive to business needs than decentralized models due to the need for portfolio steering to prioritize initiatives and solutions.
    • Requires a higher level of operational maturity to succeed; stable supply functions (service mgmt., operations mgmt., service desk, security, data) are critical to maintaining business satisfaction.
    • Requires highly effective governance around project portfolio, services, and integration capabilities.
    • Effective feedback loop highly dependent on accurate performance measures.

    For more information, see Redesign your IT Organizational Structure.

    Assess how your product scaling pattern impacts your resource delivery model

    Value Stream Alignment

    Enterprise Applications

    Shared Services

    Technical

    Plan-Build-Run:
    Centralized

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Can be used to align high-level families.

    Con: Lacks flexibility at the product level to address shifting priorities in product demand.

    Pro: Supports a factory model.

    Con: Lacks flexibility at the product level to address shifting priorities in product demand.

    Centralized Model 2:
    Demand-Develop-
    Service

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Supports established and stable families.

    Con: Command-and-control nature inhibits Agile DevOps and business agility.

    Pro: Recommended for aligning high-level service families based on user needs.

    Con: Reduces product empowerment, prioritizing demand. Slow.

    Pro: Supports factory models.

    Con: Reduces product empowerment, prioritizing demand. Slow.

    Decentralized Model:
    Line of Business, Product, Geographically, or

    Functionally Aligned

    Pro: Aligns product families to value streams, capabilities, and organizational structure.

    Con: Reduces shared solutions and may create duplicate apps and services.

    Pro: Enterprise apps treated as distinct LoB groups.

    Con: Reduces shared solutions and may create duplicate apps and services.

    Pro: Complements value stream alignment by consolidating shared apps and services.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Fits within other groupings where technical expertise is needed.

    Con: Creates redundancy between localized and shared technical teams.

    Hybrid Model:
    Functional/Product

    Aligned

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Creates redundancy between localized and shared technical teams.

    Hybrid Model:

    Product-Aligned Operating Model

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Requires additional effort to differentiate local vs. shared solutions.

    Pro: Supports multiple patterns of product grouping.

    Con: Creates redundancy between localized and shared technical teams.

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    30-60 minutes

    1. Discuss the intake sources of product work.
    2. Trace the flow of requests down to the functional roles of your delivery team (e.g., developer, QA, operations).
    3. Indicate where key deliverables are produced, particularly those that are built in collaboration.
    4. Discuss the five operating models relative to your current operating model choice. How aligned are you?
    5. Review Info-Tech’s recommendation on the best-aligned operating models for product family delivery. Do you agree or disagree?
    6. Evaluate recommendations against how you operate/work.

    Output

    • Understanding of the relationships between key groups
    • A preferred operating model

    Participants

    • Product owners
    • Product managers
    • Delivery managers

    Record the results in the Digital Product Family Strategy Playbook.

    4.3.1 Understand the relationships between product management, delivery teams, and stakeholders

    An example of activity 4.3.1 to understand the relationships between product management, delivery teams, and stakeholders is shown.

    Output

    • Understanding of the relationships between key groups
    • A preferred operating model

    Participants

    • Product owners
    • Product managers
    • Delivery managers

    Step 4.4

    Identify how to fund product family delivery

    Activities

    4.4.1 Discuss traditional vs. product-centric funding methods

    This step involves the following participants:

    • Product owners
    • Product managers
    • Portfolio managers
    • Delivery managers

    Outcomes of this step

    • An understanding of the differences between product-based and traditional funding methods

    Why is funding so problematic?

    We often still think about funding products like construction projects.

    Three models are shown on the various options to fund projects.

    These models require increasing accuracy throughout the project lifecycle to manage actuals vs. estimates.

    "Most IT funding depends on one-time expenditures or capital-funding mechanisms that are based on building-construction funding models predicated on a life expectancy of 20 years or more. Such models don’t provide the stability or flexibility needed for modern IT investments." – EDUCAUSE

    Reminder: Projects don’t go away. The center of the conversation changes.

    A flowchart is shown to demonstrate the difference between project lifecycle, hybrid lifecycle, and product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a product-based or project-based shop, the same basic principles should apply.

    The purpose of projects is to deliver the scope of a product release. The shift to product delivery leverages a product roadmap and backlog as the mechanism for defining and managing the scope of the release.

    Eventually, teams progress to continuous integration/continuous delivery (CI/CD) where they can release on demand or as scheduled, requiring org change management.

    Planning and budgeting for products and families

    Reward for delivering outcomes, not features

    AutonomyFlexibilityAccountability
    Fund what delivers valueAllocate iterativelyMeasure and adjust

    Fund long-lived delivery of value through products (not projects).

    Give autonomy to the team to decide exactly what to build.

    Allocate to a pool based on higher-level business case.

    Provide funds in smaller amounts to different product teams and initiatives based on need.

    Product teams define metrics that contribute to given outcomes.

    Track progress and allocate more (or less) funds as appropriate.

    Info-Tech Insight

    Changes to funding require changes to product and Agile practices to ensure product ownership and accountability.

    The Lean Enterprise Funding Model is an example of a different approach

    An example of the lean enterprise funding model is shown.
    From: Implement Agile Practices That Work

    A flexible funding pool akin to venture capital models is maintained to support innovative ideas and fund proofs of concept for product and process improvements.

    Proofs of concept (POCs) are run by standing innovation teams or a reserve of resources not committed to existing products, projects, or services.

    Every product line has funding for all changes and ongoing operations and support.

    Teams are funded continuously so that they can learn and improve their practices as much as possible.

    Budgeting approaches must evolve as you mature your product operating environment

    TRADITIONAL PROJECTS WITH WATERFALL DELIVERY

    TRADITIONAL PROJECTS WITH AGILE DELIVERY

    PRODUCTS WITH AGILE PROJECT DELIVERY

    PRODUCTS WITH AGILE DELIVERY

    WHEN IS THE BUDGET TRACKED?

    Budget tracked by major phases

    Budget tracked by sprint and project

    Budget tracked by sprint and project

    Budget tracked by sprint and release

    HOW ARE CHANGES HANDLED?

    All change is by exception

    Scope change is routine, budget change is by exception

    Scope change is routine, budget change is by exception

    Budget change is expected on roadmap cadence

    WHEN ARE BENEFITS REALIZED?

    Benefits realization after project completion

    Benefits realization is ongoing throughout the life of the project

    Benefits realization is ongoing throughout the life of the product

    Benefits realization is ongoing throughout life of the product

    WHO “DRIVES”?

    Project Manager

    • Project team delivery role
    • Refines project scope, advocates for changes in the budget
    • Advocates for additional funding in the forecast

    Product Owner

    • Project team delivery role
    • Refines project scope, advocates for changes in the budget
    • Advocates for additional funding in the forecast

    Product Manager

    • Product portfolio team role
    • Forecasting new initiatives during delivery to continue to drive value throughout the life of the product

    Product Manager

  • Product family team role
  • Forecasting new initiatives during delivery to continue to drive value throughout the life of the product
  • Info-Tech Insight

    As you evolve your approach to product delivery, you will be decoupling the expected benefits, forecast, and budget. Managing them independently will improve your ability to adapt to change and drive the right outcomes!

    Your strategy must include the cost to build and operate

    Most investment happens after go-live, not in the initial build!

    An example strategy is displayed that incorporates the concepts of cost to build and operate.

    Adapted from: LookFar

    Info-Tech Insight

    While the exact balance point between development or implementation costs varies from application to application, over 80% of the cost is accrued after go-live.

    Traditional accounting leaves software development CapEx on the table

    Software development costs have traditionally been capitalized, while research and operations are operational expenditures.

    The challenge has always been the myth that operations are only bug fixes, upgrades, and other operational expenditures. Research shows that most post-release work on developed solutions is the development of new features and changes to support material changes in the business. While projects could bundle some of these changes into capital expenditure, much of the business-as-usual work that goes on leaves capital expenses on the table because the work is lumped together as maintenance-related OpEx.

    From “How to Stop Leaving Software CapEx on the Table With Agile and DevOps”

    4.4.1 Discuss traditional vs. product-centric funding methods

    30-60 minutes

    1. Discuss how products and product families are currently funded.
    2. Review how the Agile/product funding models differ from how you currently operate.
    3. What changes do you need to consider in order to support a product delivery model?
    4. For each change, identify the key stakeholders and list at least one action to take.
    5. Record the results in the Digital Product Family Strategy Playbook.

    Output

    • Understanding of funding principles and challenges

    Participants

    • Product owners
    • Product managers
    • Delivery managers

    Record the results in the Digital Product Family Strategy Playbook.

    Phase 5

    Build Your Transformation Roadmap and Communication Plan

    Phase 1Phase 2Phase 3Phase 4Phase 5

    1.1 Understand the organizational factors driving product-centric delivery

    1.2 Establish your organization’s product inventory

    2.1 Determine your approach to scale product families

    2.2 Define your product families

    3.1 Leverage product family roadmaps

    3.2 Use stakeholder management to improve roadmap communication

    3.3 Configure your product family roadmaps

    3.4 Confirm product family to product alignment

    4.1 Assess your organization’s delivery readiness

    4.2 Understand your delivery options

    4.3 Determine your operating model

    4.4 Identify how to fund product family delivery

    5.1 Learn how to introduce your digital product family strategy

    5.2 Communicate changes on updates to your strategy

    5.3 Determine your next steps

    This phase will walk you through the following activities:

    5.1.1 Introduce your digital product family strategy

    5.2.1 Define your communication cadence for your strategy updates

    5.2.2 Define your messaging for each stakeholder

    5.3.1 How do we get started?

    This phase involves the following participants:

    • Product owners
    • Product managers
    • Application leaders
    • Stakeholders

    Step 5.1

    Introduce your digital product family strategy

    Activities

    5.1.1 Introduce your digital product family strategy

    This step involves the following participants:

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Outcomes of this step

    • A completed executive summary presenting your digital product strategy

    Product decisions are traditionally made in silos with little to no cross-functional communication and strategic oversight

    Software delivery teams and stakeholders traditionally make plans, strategies, and releases within their silos and tailor their decisions based on their own priorities. Interactions are typically limited to hand-offs (such as feature requests) and routing of issues and defects back up the delivery pipeline. These silos likely came about through well-intentioned training, mandates, and processes, but they do not sufficiently support today’s need to rapidly release and change platforms.

    Siloed departments often have poor visibility into the activities of other silos, and they may not be aware of the ramifications their decisions have on teams and stakeholders outside of their silo.

    • Silos may make choices that are optimal largely for themselves without thinking of the holistic impact on a platform’s structure, strategy, use cases, and delivery.
    • The business may approve platform improvements without the consideration of the delivery team’s current capacity or the system’s complexity, resulting in unrealistic commitments.
    • Quality standards may be misinterpreted and inconsistently enforced across the entire delivery pipeline.

    In some cases, the only way to achieve greater visibility and communication for all roles across a platform’s lifecycle is implementing an overarching role or team.

    “The majority of our candid conversations with practitioners and project management offices indicate that the platform ownership role is poorly defined and poorly executed.”

    – Barry Cousins

    Practice Lead, Applications – Project & Portfolio Management

    Info-Tech Research Group

    Use stakeholder management and roadmap views to improve communication

    Proactive, clear communication with stakeholders, SMEs, and your product delivery team can significantly improve alignment and agreement with your roadmap, strategy, and vision.

    When building your communication strategy, revisit the work you completed in phase 3 developing your:

    • Roadmap types
    • Stakeholder strategy

    Type

    Quadrant

    Actions

    Players

    High influence, high interest – actively engage

    Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.

    Mediators

    High influence, low interest – keep satisfied

    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.

    Noisemakers

    Low influence, high interest – keep informed

    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.

    Spectators

    Low influence, low interest – monitor

    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    5.1.1 Introduce your digital product family strategy

    30-60 minutes

    This exercise is intended to help you lay out the framing of your strategy and the justification for the effort. A lot of these items can be pulled directly from the product canvas you created in phase 2. This is intended to be a single slide to frame your upcoming discussions.

    1. Update your vision, goals, and values on your product canvas. Determine which stakeholders may be impacted and what their concerns are. If you have many stakeholders, limit to Players and Influencers.
    2. Identify what you need from the stakeholders as a result of this communication.
    3. Keeping in mind the information gathered in steps 1 and 2, describe your product family strategy by answering three questions:
    1. Why do we need product families?
    2. What is in our way?
    3. Our first step will be... ?

    Output

    • An executive summary that introduces your product strategy

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    Example: Scaling delivery through product families

    Why do we need product families?

    • The growth of our product offerings and our company’s movement into new areas of growth mean we need to do a better job scaling our offerings to meet the needs of the organization.

    What is in our way?

    • Our existing applications and services are so dramatically different we are unsure how to bring them together.

    Our first step will be...

    • Taking a full inventory of our applications and services.

    Step 5.2

    Communicate changes on updates to your strategy

    Activities

    5.2.1 Define your communication cadence for your strategy updates

    5.2.2 Define your messaging for each stakeholder

    This step involves the following participants:

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Outcomes of this step

    • A communication plan for when strategy updates need to be given

    5.2.1 Define your communication cadence for your strategy updates

    30 minutes

    Remember the role of different artifacts when it comes to your strategy. The canvas contributes to the What, and the roadmap addresses the How. Any updates to the strategy are articulated and communicated through your roadmap.

    1. Review your currently defined roadmaps, their communication objectives, update frequency, and updates.
    2. Consider the impacted stakeholders and the strategies required to communicate with them.
    3. Fill in your communication cadence and communication method.

    EXAMPLE:

    Roadmap Name

    Audience/Stakeholders

    Communication Cadence

    External Customer Roadmap

    Customers and External Users

    Quarterly (Website)

    Product Delivery Roadmap

    Development Teams, Infrastructure, Architects

    Monthly (By Email)

    Technology Roadmap

    Development Teams, Infrastructure, Architects

    Biweekly (Website)

    Output

    • Clear communication cadence for your roadmaps

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    The “what” behind the communication

    Leaders of successful change spend considerable time developing a powerful change message, i.e. a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff.

    The change message should:

    • Explain why the change is needed.
    • Summarize what will stay the same.
    • Highlight what will be left behind.
    • Emphasize what is being changed.
    • Explain how change will be implemented.
    • Address how change will affect various roles in the organization.
    • Discuss the staff’s role in making the change successful.

    Five elements of communicating change

    1. What is the change?
    2. Why are we doing it?
    3. How are we going to go about it?
    4. How long will it take us to do it?
    5. What is the role for each department and individual?

    Source: Cornelius & Associates

    How we engage with the message is just as important as the message itself

    Why are we here?

    Speak to what matters to them

    Sell the improvement

    Show real value

    Discuss potential fears

    Ask for their support

    Be gracious

    5.2.2 (Optional) Define your messaging for each stakeholder

    30 minutes

    It’s one thing to communicate the strategy, it’s another thing to send the right message to your stakeholders. Some of this will depend on the kind of news given, but the majority of this is dependent on the stakeholder and the cadence of communication.

    1. From exercise 5.2.1, take the information on the specific roadmaps, target audience, and communication cadence.
    2. Based on your understanding of the audience’s needs, what would the specific update try to get across?
    3. Pick a specific typical example of a change in strategy that you have gone through. (e.g. Product will be delayed by a quarter; key feature is being substituted for another.)

    EXAMPLE:

    Roadmap Name

    Audience/ Stakeholder

    Communication Cadence

    Messaging

    External Customer Roadmap

    Customers and External Users

    Quarterly (Website)

    Output

    • Messaging plan for each roadmap type

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    Step 5.3

    Determine your next steps

    Activities

    5.3.1 How do we get started?

    This step involves the following participants:

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Outcomes of this step

    • Understanding the steps to get started in your transformation

    Make a plan in order to make a plan!

    Consider some of the techniques you can use to validate your strategy.

    Learning Milestones

    Sprint Zero (AKA Project-before-the-project)

    The completion of a set of artifacts dedicated to validating business opportunities and hypotheses.

    Possible areas of focus:

    Align teams on product strategy prior to build

    Market research and analysis

    Dedicated feedback sessions

    Provide information on feature requirements

    The completion of a set of key planning activities, typically the first sprint.

    Possible areas of focus:

    Focus on technical verification to enable product development alignment

    Sign off on architectural questions or concerns

    An image showing the flowchart of continuous delivery of value is shown.

    Go to your backlog and prioritize the elements that need to be answered sooner rather than later.

    Possible areas of focus:

    Regulatory requirements or questions to answer around accessibility, security, privacy.

    Stress testing any new processes against situations that may occur.

    The “Now, Next, Later” roadmap

    Use this when deadlines and delivery dates are not strict. This is best suited for brainstorming a product plan when dependency mapping is not required.

    Now: What are you going to do now?

    Next: What are you going to do very soon?

    Later: What are you going to do in the future?

    An example of a now, next, later roadmap is shown.

    Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017

    5.3.1 How do we get started?

    30-60 minutes

    1. Identify what the critical steps are for the organization to embrace product-centric delivery.
    2. Group each critical step by how soon you need to address it:
    • Now: Let’s do this ASAP.
    • Next: Sometime very soon, let’s do these things.
    • Later: Much further off in the distance, let’s consider these things.
  • Record the group results in the Deliver Digital Products at Scale Workbook.
  • Record changes for your product and product family in the Digital Product Family Strategy Playbook.
  • An example of a now, next, later roadmap is shown.

    Source: “Tips for Agile product roadmaps & product roadmap examples,” Scrum.org, 2017

    Output

    • Product family transformation critical steps and basic roadmap

    Participants

    • Product owners and product managers
    • Application leaders
    • Stakeholders

    Record the results in the Digital Product Family Strategy Playbook.

    Record the results in the Deliver Digital Products at Scale Workbook.

    Summary of Accomplishment

    Problem Solved

    The journey to become a product-centric organization is not short or easy. Like with any improvement or innovation, teams need to continue to evolve and mature with changes in their operations, teams, tools, and user needs.You’ve taken a big step completing your product family alignment. This provides a backbone for aligning all aspects of your organization to your enterprise goals and strategy while empowering product teams to find solutions closer to the problem. Continue to refine your model and operations to improve value realization and your product delivery pipelines to embrace business agility. Organizations that are most responsive to change will continue to outperform command-and-control leadership.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Research Contributors and Experts

    Photo of Emily Archer.

    Emily Archer

    Lead Business Analyst,

    Enterprise Consulting, authentic digital agency

    Emily Archer is a consultant currently working with Fortune 500 clients to ensure the delivery of successful projects, products, and processes. She helps increase the business value returned for organizations’ investments in designing and implementing enterprise content hubs and content operations, custom web applications, digital marketing, and e-commerce platforms.

    Photo of David Berg

    Founder & CTO

    Strainprint Technologies Inc.

    David Berg is a product commercialization expert that has spent the last 20 years of his career delivering product management and business development services across a broad range of industries. Early in his career, David worked with product management and engineering teams to build core network infrastructure products that secure and power the internet we benefit from today. David’s experience also includes working with clean technologies in the area of clean power generation, agritech, and Internet of Things infrastructure. Over the last five years, David has been focused on his latest venture, Strainprint Technologies, a data and analytics company focused on the medical cannabis industry. Strainprint has built the largest longitudinal medical cannabis dataset in the world with the goal to develop an understanding of treatment behavior, interactions, and chemical drivers to guide future product development.

    Kathy Borneman

    Digital Product Owner, SunTrust Bank

    Kathy Borneman is a senior product owner who helps people enjoy their jobs again by engaging others in end-to-end decision making to deliver software and operational solutions that enhance the client experience and allow people to think and act strategically.

    Photro of Charlie Campbell

    Charlie Campbell

    Product Owner, Merchant e-Solutions

    Charlie Campbell is an experienced problem solver with the ability to quickly dissect situations and recommend immediate actions to achieve resolution, liaise between technical and functional personnel to bridge the technology and communication gap, and work with diverse teams and resources to reach a common goal.

    Photo of Yarrow Diamond

    Yarrow Diamond

    Sr. Director, Business Architecture

    Financial Services

    Yarrow Diamond is an experienced professional with expertise in enterprise strategy development, project portfolio management, and business process reengineering across financial services, healthcare and insurance, hospitality, and real estate environments. She has a master’s in Enterprise Architecture from Penn State University, LSSMBB, PMP, CSM, ITILv3.

    Photo of Cari J. Faanes-Blakey

    Cari J. Faanes-Blakey, CBAP, PMI-PBA

    Enterprise Business Systems Analyst,

    Vertex, Inc.

    Cari J. Faanes-Blakey has a history in software development and implementation as a Business Analyst and Project Manager for financial and taxation software vendors. Active in the International Institute of Business Analysis (IIBA), Cari participated on the writing team for the BA Body of Knowledge 3.0 and the certification exam.

    Photo of Kieran Gobey

    Kieran Gobey

    Senior Consultant Professional Services

    Blueprint Software Systems

    Kieran Gobey is an IT professional with 24 years of experience, focused on business, technology, and systems analysis. He has split his career between external and internal customer-facing roles, and this has resulted in a true understanding of what is required to be a Professional Services Consultant. His problem-solving skills and ability to mentor others have resulted in successful software implementations. Kieran’s specialties include deep system troubleshooting and analysis skills, facilitating communications to bring together participants effectively, mentoring, leadership, and organizational skills.

    Photo of Rupert Kainzbauer

    Rupert Kainzbauer

    VP Product, Digital Wallets

    Paysafe Group

    Rupert Kainzbauer is an experienced senior leader with a passion for defining and delivering products that deliver real customer and commercial benefit. Together with a team of highly experienced and motivated product managers, he has successfully led highly complex, multi-stakeholder payments initiatives, from proposition development and solution design through to market delivery. Their domain experience is in building online payment products in high-risk and emerging markets, remittance, prepaid cards, and mobile applications.

    Photo of Saeed Khan

    Saeed Khan

    Founder,

    Transformation Labs

    Saeed Khan has been working in high tech for 30 years in both Canada and the US and has held a number of leadership roles in Product Management over that time. He speaks regularly at conferences and has been writing publicly about technology product management since 2005. Through Transformation Labs, Saeed helps companies accelerate product success by working with product teams to improve their skills, practices, and processes. He is a cofounder of ProductCamp Toronto and currently runs a Meetup group and global Slack community called Product Leaders; the only global community of senior level product executives.

    Photo of Hoi Kun Lo

    Hoi Kun Lo

    Product Owner

    Nielsen

    Hoi Kun Lo is an experienced change agent who can be found actively participating within the IIBA and WITI groups in Tampa, FL and a champion for Agile, architecture, diversity, and inclusion programs at Nielsen. She is currently a Product Owner in the Digital Strategy team within Nielsen Global Watch Technology.

    Photo of Abhishek Mathur

    Abhishek Mathur

    Sr Director, Product Management

    Kasisto, Inc.

    Abhishek Mathur is a product management leader, an artificial intelligence practitioner, and an educator. He has led product management and engineering teams at Clarifai, IBM, and Kasisto to build a variety of artificial intelligence applications within the space of computer vision, natural language processing, and recommendation systems. Abhishek enjoys having deep conversations about the future of technology and helping aspiring product managers enter and accelerate their careers.

    Photo of Jeff Meister

    Jeff Meister

    Technology Advisor and Product Leader

    Jeff Meister is a technology advisor and product leader. He has more than 20 years of experience building and operating software products and the teams that build them. He has built products across a wide range of industries and has built and led large engineering, design, and product organizations. Jeff most recently served as Senior Director of Product Management at Avanade, where he built and led the product management practice. This involved hiring and leading product managers, defining product management processes, solution shaping and engagement execution, and evangelizing the discipline through pitches, presentations, and speaking engagements. Jeff holds a Bachelor’s of Applied Science (Electrical Engineering) and a Bachelor’s of Arts from the University of Waterloo, an MBA from INSEAD (Strategy), and certifications in product management, project management, and design thinking.

    Photo of Vincent Mirabelli

    Vincent Mirabelli

    Principal,

    Global Project Synergy Group

    With over 10 years of experience in both the private and public sectors, Vincent Mirabelli possesses an impressive track record of improving, informing, and transforming business strategy and operations through process improvement, design and re-engineering, and the application of quality to business analysis, project management, and process improvement standards.

    Photo of Oz Nazili

    Oz Nazili

    VP, Product & Growth

    TWG

    Oz Nazili is a product leader with a decade of experience in both building products and product teams. Having spent time at funded startups and large enterprises, he thinks often about the most effective way to deliver value to users. His core areas of interest include Lean MVP development and data-driven product growth.

    Photo of Mark Pearson

    Mark Pearson

    Principal IT Architect, First Data Corporation

    Mark Pearson is an executive business leader grounded in the process, data, technology, and operations of software-driven business. He knows the enterprise software landscape and is skilled in product, technology, and operations design and delivery within information technology organizations, outsourcing firms, and software product companies.

    Photo of Brenda Peshak

    Brenda Peshak

    Product Owner,

    Widget Industries, LLC

    Brenda Peshak is skilled in business process, analytical skills, Microsoft Office Suite, communication, and customer relationship management (CRM). She is a strong product management professional with a Master’s focused in Business Leadership (MBL) from William Penn University.

    Photo of Mike Starkey

    Mike Starkey

    Director of Engineering

    W.W. Grainger

    Mike Starkey is a Director of Engineering at W.W. Grainger, currently focusing on operating model development, digital architecture, and building enterprise software. Prior to joining W.W. Grainger, Mike held a variety of technology consulting roles throughout the system delivery lifecycle spanning multiple industries such as healthcare, retail, manufacturing, and utilities with Fortune 500 companies.

    Photo of Anant Tailor

    Anant Tailor

    Cofounder & Head of Product

    Dream Payments Corp.

    Anant Tailor is a cofounder at Dream Payments where he currently serves as the COO and Head of Product, having responsibility for Product Strategy & Development, Client Delivery, Compliance, and Operations. He has 20+ years of experience building and operating organizations that deliver software products and solutions for consumers and businesses of varying sizes. Prior to founding Dream Payments, Anant was the COO and Director of Client Services at DonRiver Inc, a technology strategy and software consultancy that he helped to build and scale into a global company with 100+ employees operating in seven countries. Anant is a Professional Engineer with a Bachelor’s degree in Electrical Engineering from McMaster University and a certificate in Product Strategy & Management from the Kellogg School of Management at Northwestern University.

    Photo of Angela Weller

    Angela Weller

    Scrum Master, Businessolver

    Angela Weller is an experienced Agile business analyst who collaborates with key stakeholders to attain their goals and contributes to the achievement of the company’s strategic objectives to ensure a competitive advantage. She excels when mediating or facilitating teams.

    Related Info-Tech Research

    Product Delivery

    Deliver on Your Digital Product Vision

    • Build a product vision your organization can take from strategy through execution.

    Build a Better Product Owner

    • Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Build Your Agile Acceleration Roadmap

    • Quickly assess the state of your Agile readiness and plan your path forward to higher value realization.

    Implement Agile Practices That Work

    • Improve collaboration and transparency with the business to minimize project failure.

    Implement DevOps Practices That Work

    • Streamline business value delivery through the strategic adoption of DevOps practices.

    Extend Agile Practices Beyond IT

    • Further the benefits of Agile by extending a scaled Agile framework to the business.

    Build Your BizDevOps Playbook

    • Embrace a team sport culture built around continuous business-IT collaboration to deliver great products.

    Embed Security Into the DevOps Pipeline

    • Shift security left to get into DevSecOps.

    Spread Best Practices With an Agile Center of Excellence

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Enable Organization-Wide Collaboration by Scaling Agile

    • Execute a disciplined approach to rolling out Agile methods in the organization.

    Application Portfolio Management

    APM Research Center

    • See an overview of the APM journey and how we can support the pieces in this journey.

    Application Portfolio Management for Small Enterprises

    • There is no one-size-fits-all rationalization. Tailor your framework to meet your goals.

    Streamline Application Maintenance

    • Effective maintenance ensures the long-term value of your applications.

    Build an Application Rationalization Framework

    • Manage your application portfolio to minimize risk and maximize value.

    Modernize Your Applications

    • Justify modernizing your application portfolio from both business and technical perspectives.

    Review Your Application Strategy

    • Ensure your applications enable your business strategy.

    Discover Your Applications

    • Most application strategies fail. Arm yourself with the necessary information and team structure for a successful application portfolio strategy.

    Streamline Application Management

    • Move beyond maintenance to ensuring exceptional value from your apps.

    Optimize Applications Release Management

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Embrace Business-Managed Applications

    • Empower the business to implement their own applications with a trusted business-IT relationship.

    Value, Delivery Metrics, Estimation

    Build a Value Measurement Framework

    • Focus product delivery on business value–driven outcomes.

    Select and Use SDLC Metrics Effectively

    • Be careful what you ask for, because you will probably get it.

    Application Portfolio Assessment: End User Feedback

    • Develop data-driven insights to help you decide which applications to retire, upgrade, re-train on, or maintain to meet the demands of the business.

    Create a Holistic IT Dashboard

    • Mature your IT department by measuring what matters.

    Refine Your Estimation Practices With Top-Down Allocations

    • Don’t let bad estimates ruin good work.

    Estimate Software Delivery With Confidence

    • Commit to achievable software releases by grounding realistic expectations.

    Reduce Time to Consensus With an Accelerated Business Case

    • Expand on the financial model to give your initiative momentum.

    Optimize Project Intake, Approval, and Prioritization

    • Deliver more projects by giving yourself the voice to say “no” or “not yet” to new projects.

    Enhance PPM Dashboards and Reports

    • Facilitate ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    Org Design and Performance

    Redesign Your IT Organizational Structure

    • Focus product delivery on business value–driven outcomes.

    Build a Strategic Workforce Plan

    • Have the right people, in the right place, at the right time.

    Implement a New Organizational Structure

    • Reorganizations are inherently disruptive. Implement your new structure with minimal pain for staff while maintaining IT performance throughout the change.

    Improve Employee Engagement to Drive IT Performance

    • Don’t just measure engagement, act on it.

    Set Meaningful Employee Performance Measures

    • Set holistic measures to inspire employee performance.

    Master Organizational Change Management Practices

    • PMOs, if you don't know who is responsible for org change, it's you.

    Bibliography (Product Management)

    “12th Annual State of Agile Report.” VersionOne, 9 April 2018. Web.

    A, Karen. “20 Mental Models for Product Managers.” Product Management Insider, Medium, 2 Aug. 2018. Web.

    Adams, Paul. “Product Teams: How to Build & Structure Product Teams for Growth.” Inside Intercom, 30 Oct. 2019. Web.

    Agile Alliance. “Product Owner.” Agile Alliance. n.d. Web.

    Ambysoft. “2018 IT Project Success Rates Survey Results.” Ambysoft. 2018. Web.

    Banfield, Richard, et al. “On-Demand Webinar: Strategies for Scaling Your (Growing) Enterprise Product Team.” Pluralsight, 31 Jan. 2018. Web.

    Berez, Steve, et al. “How to Plan and budget for Agile at Scale.” Bain & Company, 08 Oct 2019. Web

    Blueprint. “10 Ways Requirements Can Sabotage Your Projects Right From the Start.” Blueprint. 2012. Web.

    Breddels, Dajo, and Paul Kuijten. “Product Owner Value Game.” Agile2015 Conference, Agile Alliance 2015. Web.

    Cagan, Martin. “Behind Every Great Product.” Silicon Valley Product Group. 2005. Web.

    Cohn, Mike. “What Is a Product?” Mountain Goat Software. 6 Sept. 2016. Web.

    Connellan, Thomas K. Inside the Magic Kingdom, Bard Press, 1997.

    Curphey, Mark. “Product Definition.” SlideShare, 25 Feb. 2007. Web.

    “Delegation Poker Product Image.” Management 3.0, n.d. Web.

    Distel, Dominic, et al. “Finding the sweet spot in product-portfolio management.’ McKinsey, 4 Dec. 2020. Web

    Eringa, Ron. “Evolution of the Product Owner.” RonEringa.com, 12 June 2016. Web.

    Fernandes, Thaisa. “Spotify Squad Framework - Part I.” PM101, Medium, 6 Mar. 2017. Web.

    Galen, Robert. “Measuring Product Ownership – What Does ‘Good’ Look Like?” RGalen Consulting, 5 Aug. 2015. Web.

    Halisky, Merland, and Luke Lackrone. “The Product Owner’s Universe.” Agile2016 Conference, Agile Alliance, 2016. Web.

    Kamer, Jurriaan. “How to Build Your Own ‘Spotify Model’.” The Ready, Medium, 9 Feb. 2018. Web.

    Kendis Team. “Exploring Key Elements of Spotify’s Agile Scaling Model.” Scaled Agile Framework, Medium, 23 Jul. 2018. Web.

    Lindstrom, Lowell. “7 Skills You Need to Be a Great Product Owner.” Scrum Alliance, n.d. Web.

    Lukassen, Chris. “The Five Belts Of The Product Owner.” Xebia.com, 20 Sept. 2016. Web.

    McCloskey, Heather. “Scaling Product Management: Secrets to Defeating Common Challenges.” ProductPlan, 12 July 2019. Web.

    McCloskey, Heather. “When and How to Scale Your Product Team.” UserVoice, 21 Feb. 2017. Web.

    Mironov, Rich. “Scaling Up Product Manager/Owner Teams.” Rich Mironov's Product Bytes, Mironov Consulting, 12 Apr. 2014 . Web.

    Overeem, Barry. “A Product Owner Self-Assessment.” Barry Overeem, 6 Mar. 2017. Web.

    Overeem, Barry. “Retrospective: Using the Team Radar.” Barry Overeem, 27 Feb. 2017. Web.

    Pichler, Roman. “How to Scale the Scrum Product Owner.” Roman Pichler, 28 June 2016 . Web.

    Pichler, Roman. “Product Management Framework.” Pichler Consulting Limited, 2014. Web.

    Pichler, Roman. “Sprint Planning Tips for Product Owners.” LinkedIn, 4 Sept. 2018. Web.

    Pichler, Roman. “What Is Product Management?” Pichler Consulting Limited, 26 Nov. 2014. Web.

    Radigan, Dan. “Putting the ‘Flow' Back in Workflow With WIP Limits.” Atlassian, n.d. Web.

    Rouse, Margaret. “Definition: product.” TechTarget, Sept. 2005. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on (Business) Value.” Scrum.org, 30 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Agile Product Management.” Scrum.org, 28 Nov. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on Product Backlog Management.” Scrum.org, 5 Dec. 2017. Web.

    Schuurman, Robbin. “10 Tips for Product Owners on the Product Vision.” Scrum.org, 29 Nov. 2017. Web.

    Schuurman, Robbin. “Tips for Starting Product Owners.” Scrum.org, 27 Nov. 2017. Web.

    Sharma, Rohit. “Scaling Product Teams the Structured Way.” Monetary Musings, 28 Nov. 2016. Web.

    Shirazi, Reza. “Betsy Stockdale of Seilevel: Product Managers Are Not Afraid To Be Wrong.” Austin Voice of Product, 2 Oct. 2018. Web.

    Steiner, Anne. “Start to Scale Your Product Management: Multiple Teams Working on Single Product.” Cprime, 6 Aug. 2019. Web.

    “The Qualities of Leadership: Leading Change.” Cornelius & Associates, 2016. Web.

    “The Standish Group 2015 Chaos Report.” The Standish Group. 2015. Web.

    Theus, Andre. “When Should You Scale the Product Management Team?” ProductPlan, 7 May 2019. Web.

    Tolonen, Arto. “Scaling Product Management in a Single Product Company.” Smartly.io, 26 Apr. 2018. Web.

    Ulrich, Catherine. “The 6 Types of Product Managers. Which One Do You Need?” Medium, 19 Dec. 2017. Web.

    Verwijs, Christiaan. “Retrospective: Do The Team Radar.” The Liberators, Medium, 10 Feb. 2017. Web.

    Vlaanderen, Kevin. “Towards Agile Product and Portfolio Management”. Academia.edu. 2010. Web.

    Bibliography (Roadmap)

    Bastow, Janna. “Creating Agile Product roadmaps Everyone Understands.” ProdPad, 22 Mar. 2017. Accessed Sept. 2018.

    Bastow, Janna. “The Product Tree Game: Our Favorite Way To Prioritize Features.” ProdPad, 21 Feb. 2016. Accessed Sept. 2018.

    Chernak, Yuri. “Requirements Reuse: The State of the Practice.” 2012 IEEE International Conference, 12 June 2012, Herzliya, Israel. Web.

    Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Accessed 20 Nov. 2017.

    Harrin, Elizabeth. “Learn What a Project Milestone Is.” The Balance Careers, 10 May 2018. Accessed Sept. 2018.

    “How to create a product roadmap.” Roadmunk, n.d. Accessed Sept. 2018.

    Johnson, Steve. “How to Master the 3 Horizons of Product Strategy.” Aha!, 24 Sept. 2015. Accessed Sept. 2018.

    Johnson, Steve. “The Product Roadmap vs. the Technology Roadmap.” Aha!, 23 June 2016. Accessed Sept. 2018

    Juncal, Shaun. “How Should You Set Your Product Roadmap Timeframes?” ProductPlan, Web. Sept. 2018.

    Leffingwell, Dean. “SAFe 4.0.” Scaled Agile, 2017. Web.

    Maurya, Ash. “What is a Minimum Viable Product (MVP).” Leanstack, 12 June 2017. Accessed Sept. 2018.

    Pichler, Roman. “10 Tips for Creating an Agile Product Roadmap.” Roman Pichler, 20 July 2016. Accessed Sept. 2018.

    Pichler, Roman. Strategize: Product Strategy and Product Roadmap Practices for the Digital Age. Pichler Consulting, 2016.

    “Product Roadmap Contents: What Should You Include?” ProductPlan, n.d. Accessed 20 Nov. 2017.

    Saez, Andrea. “Why Your Roadmap Is Not a Release Plan.” ProdPad, 23 October 2015. Accessed Sept. 2018.

    Schuurman, Robbin. “Tips for Agile product roadmaps & product roadmap examples.” Scrum.org, 7 Dec. 2017. Accessed Sept. 2018.

    Bibliography (Vision and Canvas)

    Adams, Paul. “The Future Product Canvas.” Inside Intercom, 10 Jan. 2014. Web.

    “Aligning IT Funding Models to the Pace of Technology Change.” EDUCAUSE, 14 Dec. 2015. Web.

    Altman, Igor. “Metrics: Gone Bad.” OpenView, 10 Nov. 2009. Web.

    Barry, Richard. “The Product Vision Canvas – a Strategic Tool in Developing a Successful Business.” Polymorph, 2019. Web.

    “Business Canvas – Business Models & Value Propositions.” Strategyzer, 2019. Web.

    “Business Model Canvas.” Wikipedia: The Free Encyclopedia, 4 Aug. 2019. Web.

    Charak, Dinker. “Idea to Product: The Working Model.” ThoughtWorks, 13 July 2017. Web.

    Charak, Dinker. “Product Management Canvas - Product in a Snapshot.” Dinker Charak, 29 May 2017. Web.

    Chudley, James. “Practical Steps in Determining Your Product Vision (Product Tank Bristol, Oct. 2018).” LinkedIn SlideShare. Uploaded by cxpartners, 2 Nov. 2018. Web.

    Cowan, Alex. “The 20 Minute Business Plan: Business Model Canvas Made Easy.” COWAN+, 2019. Web.

    Craig, Desiree. “So You've Decided To Become A Product Manager.” Start it up, Medium, 2 June 2019. Web.

    Create an Aha! Business Model Canvas Strategic Model.” Aha! Support, 2019. Web.

    Eick, Stephen. “Does Code Decay? Assessing the Evidence from Change Management Data.” IEEE Transactions on Software Engineering, vol. 27, no. 1, Jan. 2001, pp. 1-12. Web.

    Eriksson, Martin. “The next Product Canvas.” Mind the Product, 22 Nov. 2013. Web.

    “Experience Canvas: a Lean Approach: Atlassian Team Playbook.” Atlassian, 2019. Web.

    Freeman, James. “How to Make a Product Canvas – Visualize Your Product Plan.” Edraw, 23 Dec. 2019. Web.

    Fuchs, Danny. “Measure What Matters: 5 Best Practices from Performance Management Leaders.” OpenGov, 8 Aug. 2018. Web.

    Gorisse, Willem. “A Practical Guide to the Product Canvas.” Mendix, 28 Mar. 2017. Web.

    Gothelf, Jeff. “The Lean UX Canvas.” Jeff Gothelf, 15 Dec. 2016. Web.

    Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product: Getting Started.” EBG Consulting, 15 Jan. 2019. Web.

    Gottesdiener, Ellen. “Using the Product Canvas to Define Your Product's Core Requirements.” EBG Consulting, 4 Feb. 2019. Web.

    Gray, Mark Krishan. “Should I Use the Business Model Canvas or the Lean Canvas?” Emergn, 2019. Web.

    Hanby, Jeff. "Software Maintenance: Understanding and Estimating Costs." LookFar, 21 Oct. 2016. Web.

    “How do you define a product?” Scrum.org, 4 Apr 2017, Web

    Juncal, Shaun. “How to Build a Product Roadmap Based on a Business Model Canvas.” ProductPlan, 19 June 2019. Web.

    “Lean Canvas Intro - Uber Example.” YouTube, uploaded by Railsware Product Academy, 12 Oct. 2018. Web.

    “Lesson 6: Product Canvas.” ProdPad Help Center, 2019. Web.

    Lucero, Mario. “The Product Canvas.” Agilelucero.com, 22 June 2015. Web.

    Maurya, Ash. “Create a New Lean Canvas.” Canvanizer, 2019. Web.

    Maurya, Ash. “Don't Write a Business Plan. Create a Lean Canvas Instead.” LEANSTACK, 2019. Web.

    Maurya, Ash. “Why Lean Canvas vs Business Model Canvas?” Medium, 27 Feb. 2012. Web.

    Mirabelli, Vincent. “The Project Value Canvas.” Vincent Mirabelli, 2019. Web.

    Mishra, LN. “Business Analysis Canvas – The Ultimate Enterprise Architecture.” BA Times, 19 June 2019. Web.

    Muller. Jerry Z. “Why performance metrics isn’t always the best way to judge performance.” Fast Company, 3 April 2019. Web.

    Perri, Melissa. “What Is Good Product Strategy?” Melissa Perri, 14 July 2016. Web.

    Pichler, Roman. “A Product Canvas for Agile Product Management, Lean UX, Lean Startup.” Roman Pichler, 16 July 2012. Web.

    Pichler, Roman. “Introducing the Product Canvas.” JAXenter, 15 Jan. 2013. Web.

    Pichler, Roman. “Roman's Product Canvas: Introduction.” YouTube, uploaded by Roman Pichler, 3 Mar. 2017. Web.

    Pichler, Roman. “The Agile Vision Board: Vision and Product Strategy.” Roman Pichler, 10 May 2011. Web.

    Pichler, Roman. “The Product Canvas – Template.” Roman Pichler, 11 Oct. 2016. Web.

    Pichler, Roman. “The Product Canvas Tutorial V1.0.” LinkedIn SlideShare. Uploaded by Roman Pichler, 14 Feb. 2013. Web.

    Pichler, Roman. “The Product Vision Board: Introduction.” YouTube uploaded by Roman Pichler, 3 Mar. 2017. Web.

    “Product Canvas PowerPoint Template.” SlideModel, 2019. Web.

    Product Canvas.” SketchBubble, 2019, Web.

    “Product Canvas.” YouTube, uploaded by Wojciech Szramowski, 18 May 2016. Web.

    “Product Roadmap Software to Help You Plan, Visualize, and Share Your Product Roadmap.” Productboard, 2019. Web.

    Roggero, Giulio. “Product Canvas Step-by-Step.” LinkedIn SlideShare, uploaded by Giulio Roggero, 18 May 2013. Web.

    Royce, Dr. Winston W. “Managing the Development of Large Software Systems.” Scf.usc.edu, 1970. Web.

    Ryan, Dustin. “The Product Canvas.” Qdivision, Medium, 20 June 2017. Web.

    Snow, Darryl. “Product Vision Board.” Medium, 6 May 2017. Web.

    Stanislav, Shymansky. “Lean Canvas – a Tool Your Startup Needs Instead of a Business Plan.” Railsware, 12 Oct. 2018. Web.

    Stanislav, Shymansky. “Lean Canvas Examples of Multi-Billion Startups.” Railsware, 20 Feb. 2019. Web.

    “The Product Vision Canvas.” YouTube, Uploaded by Tom Miskin, 20 May 2019. Web.

    Tranter, Leon. “Agile Metrics: the Ultimate Guide.” Extreme Uncertainty, n.d. Web.

    “Using Business Model Canvas to Launch a Technology Startup or Improve Established Operating Model.” AltexSoft, 27 July 2018. Web.

    Veyrat, Pierre. “Lean Business Model Canvas: Examples + 3 Pillars + MVP + Agile.” HEFLO BPM, 10 Mar. 2017. Web.

    “What Are Software Metrics and How Can You Track Them?” Stackify, 16 Sept. 2017. Web

    “What Is a Product Vision?” Aha!, 2019. Web.

    Prepare for Cognitive Service Management

    • Buy Link or Shortcode: {j2store}335|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: 10 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • The evolution of natural language processing and machine learning applications has led to specialized AI-assisted toolsets that promise to improve the efficiency and timeliness of IT operations.

    Our Advice

    Critical Insight

    • These are early days. These AI-assisted toolsets are generating a considerable amount of media attention, but most of them are relatively untested. Early adopters willing to absorb experimentation costs are in the process of deploying the first use cases. Initial lessons are showing that IT operations in most organizations are not yet mature enough to take advantage of AI-assisted toolsets.
    • Focus on the problem, not the tool. Explicit AI questions should be at the end of the list. Start by asking what business problem you want to solve.
    • Get your house in order. The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

    Impact and Result

    • Don’t fall prey to the AI-bandwagon effect. AI-assisted innovations will support shift-left service support strategies through natural language processing and machine learning applications. However, the return on your AI investment will depend on whether it helps you meet an actual business goal.
    • AI-assisted tools presuppose the existence of mature IT operations functions, including standardized processes, high-quality structured content focused on the incidents and requests that matter, and a well-functioning ITSM web portal.
    • The success of AI ITSM projects hinges on adoption. If your vision is to power end-user interactions with chatbots and deploy intelligent agents on tickets coming through the web portal, be sure to develop a self-service culture that empowers end users to help themselves and experiment with new tools and technologies. Without end-user adoption, the promised benefits of AI projects will not materialize.

    Prepare for Cognitive Service Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should prepare for cognitive service management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review emerging AI technology

    Get an overview of emerging AI applications to understand how they will strengthen a shift-left service support strategy.

    2. Sort potential IT operations AI use cases

    Review potential use cases for AI applications to prioritize improvement initiatives and align them to organizational goals.

    • Disruptive Technology Shortlisting Tool
    • Disruptive Technology Value-Readiness and SWOT Analysis Tool

    3. Prepare for a cognitive service management project

    Develop an ITSM AI strategy to prepare your organization for the coming of cognitive service management, and build a roadmap for implementation.

    • Customer Journey Map (PDF)
    • Customer Journey Map (Visio)
    • Infrastructure Roadmap Technology Assessment Tool
    • Strategic Infrastructure Roadmap Tool
    [infographic]

    Marketing Management Suite Software Selection Guide

    • Buy Link or Shortcode: {j2store}552|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Selecting and implementing the right MMS platform – one that aligns with your requirements is a significant undertaking.
    • Despite the importance of selecting and implementing the right MMS platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for an MMS platform that doesn’t deliver on the promise of the MMS strategy.

    Our Advice

    Critical Insight

    • MMS platform selection must be driven by your overall customer experience management strategy. Link your MMS selection to your organization’s CXM framework.
    • Determine what exactly you require from your MMS platform; leverage use cases to help guide selection.
    • Ensure strong points of integration between your MMS and other software such as CRM and POS. Your MMS solution should not live in isolation; it must be part of a wider ecosystem.

    Impact and Result

    • An MMS platform that effectively meets business needs and delivers value.
    • Reduced costs during MMS vendor platform selection and faster time to results after implementation.

    Marketing Management Suite Software Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Marketing Management Suite Software Selection Guide – A deck that walks you through the process of building your business case and selecting the proper MMS platform.

    This blueprint will help you build a business case for selecting the right MMS platform, define key requirements, and conduct a thorough analysis and scan of the current state of the ever-evolving MMS market space.

    • Marketing Management Suite Software Selection Guide Storyboard
    [infographic]

    Further reading

    Marketing Management Suite Software Selection Guide

    Streamline your organizational approach to selecting a right-sized marketing management platform.

    Analyst perspective

    A robustly configured and comprehensive MMS platform is a crucial ingredient to help kick-start your organization's cross-channel and multichannel marketing management initiatives.

    Modern marketing management suites (MMS) are imperative given today's complex, multitiered, and often non-standardized marketing processes. Relying on isolated methods such as lead generation or email marketing techniques for executing key cross-channel and multichannel marketing initiatives is not enough to handle the complexity of contemporary marketing management activities.

    Organizations need to invest in highly customizable and functionally extensive MMS platforms to provide value alongside the marketing value chain and a 360-degree view of the consumer's marketing journey. IT needs to be rigorously involved with the sourcing and implementation of the new MMS tool, and the necessary business units also need to own the requirements and be involved from the initial stages of software selection.

    To succeed with MMS implementation, consider drafting a detailed roadmap that outlines milestone activities for configuration, security, points of integration, and data migration capabilities and provides for ongoing application maintenance and support.

    This is a picture of Yaz Palanichamy

    Yaz Palanichamy
    Senior Research Analyst, Customer Experience Strategy
    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many organizations struggle with taking a systematic and structured approach to selecting a right-sized marketing management suite (MMS) – an indispensable part of managing an organization's specific and nuanced marketing management needs.
    • Organizations must define a clear-cut strategic approach to investing in a new MMS platform. Exercising the appropriate selection and implementation rigor for a right-sized MMS tool is a critical step in delivering concrete business value to sustain various marketing value chains across the organization.

    Common Obstacles

    • An MMS vendor that is not well aligned to marketing requirements wastes resources and causes an endless cascade of end-user frustration.
    • The MMS market is rapidly evolving, making it difficult for vendors to retain a competitive foothold in the space.
    • IT managers and/or marketing professionals often find themselves in the unenviable position of taking the fall for MMS platforms that fail to deliver on the promise of the overarching marketing management strategy.

    Info-Tech's Approach

    • MMS platform selection must be driven by your overall marketing management strategy. Email marketing techniques, social marketing, and/or lead management strategies are often not enough to satisfy the more sophisticated use cases demanded by increasingly complex customer segmentation levels.
    • For organizations with a large audience or varied product offerings, a well-integrated MMS platform enables the management of various complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

    Info-Tech Insight

    IT must collaborate with marketing professionals and other key stakeholder groups to define a unified vision and holistic outlook for a right-sized MMS platform.

    Info-Tech's methodology for selecting a right-sized marketing management suite platform

    1. Understand Core MMS Features

    2. Build the Business Case & Streamline Requirements

    3. Discover the MMS Market Space & Prepare for Implementation

    Phase Steps

    1. Define MMS Platforms
    2. Classify Table Stakes & Differentiating Capabilities
    3. Explore Trends
    1. Build the Business Case
    2. Streamline the Requirements Elicitation Process for a New MMS Platform
    3. Develop an Inclusive RFP Approach
    1. Discover Key Players in the Vendor Landscape
    2. Engage the Shortlist & Select Finalist
    3. Prepare for Implementation

    Phase Outcomes

    1. Consensus on scope of MMS and key MMS platform capabilities
    1. MMS platform selection business case
    2. Top-level use cases and requirements
    3. Procurement vehicle best practices
    1. Market analysis of MMS platforms
    2. Overview of shortlisted vendors
    3. Implementation considerations

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Understand what a marketing management suite is. Discuss core capabilities and key trends.

    Call #2: Build the business case
    to select a right-sized MMS.

    Call #3: Define your core
    MMS requirements.

    Call #4: Build and sustain procurement vehicle best practices.

    Call #5: Evaluate the MMS vendor landscape and short-list viable options.


    Call #6: Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The MMS procurement process should be broken into segments:

    1. Create a vendor shortlist using this buyer's guide.
    2. Define a structured approach to selection.
    3. Review the contract.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    EXECUTIVE BRIEF

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing Management Suite Software Selection Buyer's Guide

    Info-Tech Insight

    A right-sized MMS software selection and procurement decision should involve comprehensive requirements and needs analysis by not just Marketing but also other organizational units such as IT, in conjunction with input suppled from the internal vendor procurement team.

    MMS Software Selection & Vendor Procurement Journey. The three main steps are: Envision the Art of the Possible; Elicit Granular Requirements; Contextualize the MMS Vendor Market Space

    Phase 1

    Understand Core MMS Features

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Level-set an understanding of MMS technology.
    • Define which MMS features are table stakes (standard) and which are key differentiating functionalities.
    • Identify the art of the possible in a modern MMS platform from sales, marketing, and service lenses.

    This phase involves the following participants:

    • CMO
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing through the ages

    Tracing the foundational origins of marketing management practices

    Initial traction for marketing management strategies began with the need to holistically understand the effects of advertising efforts and how the media mix could be best optimized.

    1902

    1920s-1930s

    1942

    1952-1964

    1970s-1990s

    Recognizing the increasing need for focused and professional marketing efforts, the University of Pennsylvania offers the first marketing course, dubbed "The Marketing of Products."

    As broadcast media began to peak, marketers needed to manage a greater number of complex and interspersed marketing channels.

    The introduction of television ads in 1942 offered new opportunities for brands to reach consumers across a growing media landscape. To generate the highest ROI, marketers sought to understand the consumer and focus on more tailored messaging and product personalization. Thus, modern marketing practices were born.

    Following the introduction of broadcast media, marketers had to develop strategies beyond traditional spray-and-pray methods. The first modern marketing measurement concept, "marketing mix," was conceptualized in 1952 and popularized in 1964 by Neil Borden.

    This period marked the digital revolution and the new era of marketing. With the advent of new communications technology and the modern internet, marketing management strategies reached new heights of sophistication. During the early 1990s, search engines emerged to help users navigate the web, leading to early forms of search engine optimization and advertising.

    Where it's going: the future state of marketing management

    1. Increasing Complexity Driving Consumer Purchasing Decisions
      • "The main complexity is dealing with the increasing product variety and changing consumer demands, which is forcing marketers to abandon undifferentiated marketing strategies and even niche marketing strategies and to adopt a mass customization process interacting one-to-one with their customers." – Complexity, 2019
    2. Consumers Seeking More Tailored Brand Personalization
      • Financial Services marketers lead all other industries in AI application adoption, with 37% currently using them (Salesforce, 2019).
    3. The Inclusion of More AI-Enabled Marketing Strategies
      • According to a 2022 Nostro report, 70% of consumers say it is important that brands continue to offer personalized consumer experiences.
    4. Green Marketing
      • Recent studies have shown that up to 80% of all consumers are interested in green marketing strategies (Marketing Schools, 2020).

    Marketing management by the numbers

    Key trends

    6%

    As a continuously growing discipline, marketing management roles are predicted to grow faster than average, at a rate of 6% over the next decade.

    Source: U.S. Bureau of Labor Statistics, 2021

    17%

    While many marketing management vendors offer A/B testing, only 17% of marketers are actively using A/B testing on landing pages to increase conversion rates.

    Source: Oracle, 2022

    70%

    It is imperative that technology and SaaS companies begin to use marketing automation as a core component of their martech strategy to remain competitive. About 70% of technology and SaaS companies are employing integrated martech tools.

    Source: American Marketing Association, 2021

    Understand MMS table stakes features

    Organizations can expect nearly all MMS vendors to provide the following functionality

    Email Marketing

    Lead Nurturing

    Reporting, Analytics, and Marketing KPIs

    Marketing Campaign Management

    Integrational Catalog

    The use of email alongside marketing efforts to promote a business' products and services. Email marketing can be a powerful tool to maintain connections with your audience and ensure sustained brand promotion.

    The process of developing and nurturing relationships with key customer contacts at every major touchpoint in their customer journey. MMS platforms can use automated lead-nurturing functions that are triggered by customer behavior.

    The use of well-defined metrics to help curate, gather, and analyze marketing data to help track performance and improve the marketing department's future marketing decisions and strategies.

    Tools needed for the planning, execution, tracking, and analysis of direct marketing campaigns. Such tools are needed to help gauge your buyers' sentiments toward your company's product offerings and services.

    MMS platforms should generally have a comprehensive open API/integration catalog. Most MMS platforms should have dedicated integration points to interface with various tools across the marketing landscape (e.g. social media, email, SEO, CRM, CMS tools, etc.).

    Identify differentiating MMS features

    While not always deemed must-have functionality, these features may be the deciding factor when choosing between two MMS-focused vendors.

    Digital Asset Management (DAM)

    A DAM can help manage digital media asset files (e.g. photos, audio files, video).

    Customer Data Management

    Customer data management modules help your organization track essential customer information to maximize your marketing results.

    Text-Based Marketing

    Text-based marketing strategy is ideal for any organization primarily focused on coordinating structured and efficient marketing campaigns.

    Customer
    Journey Orchestration

    Customer journey orchestration enables users to orchestrate customer conversations and journeys across the entire marketing value chain.

    AI-Driven Workflows

    AI-powered workflows can help eliminate complexities and allow marketers to automate and optimize tasks across the marketing spectrum.

    Dynamic Segmentation

    Dynamic segmentation to target audience cohorts based on recent actions and stated preferences.

    Advanced Email Marketing

    These include capabilities such as A/B testing, spam filter testing, and detailed performance reporting.

    Ensure you understand the art of the possible across the MMS landscape

    Understanding the trending feature sets that encompass the broader MMS vendor landscape will best equip your organization with the knowledge needed to effectively match today's MMS platforms with your organization's marketing requirements.

    Holistically examine the potential of any MMS solution through three main lenses:

    Data-Driven
    Digital Advertising

    Adapt innovative techniques such as conversational marketing to help collect, analyze, and synthesize crucial audience information to improve the customer marketing experience and pre-screen prospects in a more conscientious manner.

    Next Best Action Marketing

    Next best action marketing (NBAM) is a customer-centric paradigm/marketing technique designed to capture specific information about customers and their individual preferences. Predicting customers' future actions by understanding their intent during their purchasing decisions stage will help improve conversion rates.

    AI-Driven Customer
    Segmentation

    The use of inclusive and innovative AI-based forecast modeling techniques can help more accurately analyze customer data to create more targeted segments. As such, marketing messages will be more accurately tailored to the customer that is reading them.

    Art of the possible: data-driven digital advertising

    CONVERSATIONAL MARKETING INTELLIGENCE

    Are you curious about the measures needed to boost engagement among your client base and other primary target audience groups? Conversational marketing intelligence metrics can help collect and disseminate key descriptive data points across a broader range of audience information.

    AI-DRIVEN CONVERSATIONAL MARKETING DEVICES

    Certain social media channels (e.g. LinkedIn and Facebook) like to take advantage of click-to-Messenger-style applications to help drive meaningful conversations with customers and learn more about their buying preferences. In addition, AI-driven chatbot applications can help the organization glean important information about the customer's persona by asking probing questions about their marketing purchase behaviors and preferences.

    METAVERSE- DRIVEN BRANDING AND ADVERTISING

    One of the newest phenomena in data-driven marketing technology and digital advertising techniques is the metaverse, where users can represent themselves and their brand via virtual avatars to further gamify their marketing strategies. Moreover, brands can create immersive experiences and engage with influencers and established communities and collect a wealth of information about their audience that can help drive customer retention and loyalty.

    Case study

    This is the logos for Gucci and Roblox.

    Metaverse marketing extends the potential for commercial brand development and representation: a deep dive into Gucci's metaverse practice

    INDUSTRY: Luxury Goods Apparel
    SOURCE: Vogue Business

    Challenge

    Beginning with a small, family-owned leather shop known as House of Gucci in Florence, Italy, businessman and fashion designer Guccio Gucci sold saddles, leather bags, and other accessories to horsemen during the 1920s. Over the years, Gucci's offerings have grown to include various other personal luxury goods.

    As consumer preferences have evolved over time, particularly with the younger generation, Gucci's professional marketing teams looked to invest in virtual technology environments to help build and sustain better brand awareness among younger consumer audiences.

    Solution

    In response to the increasing presence of metaverse-savvy gamers on the internet, Gucci began investing in developing its online metaverse presence to bolster its commercial marketing brand there.

    A recent collaboration with Roblox, an online gaming platform that offers virtual experiences, provided Gucci the means to showcase its fashion items using the Gucci Garden – a virtual art installation project for Generation Z consumers, powered by Roblox's VR technology. The Gucci Garden virtual system featured a French-styled garden environment where players could try on and buy Gucci virtual fashion items to dress up their blank avatars.

    Results

    Gucci's disruptive, innovative metaverse marketing campaign project with Roblox is proof of its commitment to tapping new marketing growth channels to showcase the brand to engage new and prospective consumers (e.g. Roblox's player base) across more unique sandboxed/simulation environments.

    The freedom and flexibility in the metaverse environments allows brands such as Gucci to execute a more flexible digital marketing approach and enables them to take advantage of innovative metaverse-driven technologies in the market to further drive their data-driven digital marketing campaigns.

    Art of the possible: next best action marketing (NBAM)

    NEXT BEST ACTION PREDICTIVE MODELING

    To improve conversion propensity, next best action techniques can use predictive modeling methods to help build a dynamic overview of the customer journey. With information sourced from actionable marketing intelligence data, MMS platforms can use NBAM techniques to identify customer needs based on their buying behavior, social media interactions, and other insights to determine what unique set of actions should be taken for each customer.

    MACHINE LEARNING–BASED RECOMMENDER SYSTEMS

    Rules-based recommender systems can help assign probabilities of purchasing behaviors based on the patterns in touchpoints of a customer's journey and interaction with your brand. For instance, a large grocery chain company such as Walmart or Whole Foods will use ML-based recommender systems to decide what coupons they should offer to their customers based on their purchasing history.

    Art of the possible: AI-driven customer segmentation

    MACHINE/DEEP LEARNING (ML/DL) ALGORITHMS

    The inclusion of AI in data analytics helps make customer targeting more accurate
    and meaningful. Organizations can analyze customer data more thoroughly and generate in-depth contextual and descriptive information about the targeted segments. In addition, they can use this information to automate the personalization of marketing campaigns for a specific target audience group.

    UNDERSTANDING CUSTOMER SENTIMENTS

    To greatly benefit from AI-powered customer segmentation, organizations must deploy specialized custom AI solutions to help organize qualitative comments into quantitative data. This approach requires companies to use custom AI models and tools that will analyze customer sentiments and experiences based on data extracted from various touchpoints (e.g. CRM systems, emails, chatbot logs).

    Phase 2

    Build the Business Case and Streamline Requirements

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Define and build the business case for the selection of a right-sized MMS platform.
    • Elicit and prioritize granular requirements for your MMS platform.

    This phase involves the following participants:

    • CMO
    • Technical Marketing Analyst
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    Software Selection Engagement

    5 Advisory Calls over a 5-Week Period to Accelerate Your Selection Process

    Expert analyst guidance over 5 weeks on average to select software and negotiate with the vendor.

    Save money, align stakeholders, speed up the process and make better decisions.

    Use a repeatable, formal methodology to improve your application selection process.

    Better, faster results, guaranteed, included in your membership.

    This is an image of the plan for five advisory calls over a five-week period.

    CLICK HERE to book your Selection Engagement

    Elicit and prioritize granular requirements for your marketing management suite (MMS) platform

    Understanding business needs through requirements gathering is the key to defining everything you need from your software. However, it is an area where people often make critical mistakes.

    Poorly scoped requirements

    Best practices

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of detail within the requirements, causing inconsistency and confusion.
    • Drill all the way down to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are obvious.
    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Info-Tech Insight
    Poor requirements are the number one reason projects fail. Review Info-Tech's Improve Requirements Gathering blueprint to learn how to improve your requirements analysis and get results that truly satisfy stakeholder needs.

    Info-Tech's approach

    Develop an inclusive and thorough approach to the RFP process

    Identity Need; Define Business requirements; Gain Business Authorization; Perform RFI/RFP; Negotiate Agreement; Purchase Goods and Services; Assess and Measure Performance.

    Info-Tech Insight

    Review Info-Tech's process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP.

    The Info-Tech difference:

    1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
    2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
    3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
    4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a due date.

    Leverage Info-Tech's Contract Review Service to level the playing field with your shortlisted vendors

    You may be faced with multiple products, services, master service agreements, licensing models, service agreements, and more.
    Use Info-Tech's Contract Review Service to gain insights on your agreements:

    1. Are all key terms included?
    2. Are they applicable to your business?
    3. Can you trust that results will be delivered?
    4. What questions should you be asking from an IT perspective?

    Validate that a contract meets IT's and the business' needs by looking beyond the legal terminology. Use a practical set of questions, rules, and guidance to improve your value for dollar spent.

    This is an image of three screenshots from Info-Tech's Contract Review Service.

    CLICK to BOOK The Contract Review Service

    CLICK to DOWNLOAD Master Contract Review and Negotiation for Software Agreements

    Phase 3

    Discover the MMS Market Space and Prepare for Implementation

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the MMS vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for MMS.

    This phase involves the following participants:

    • CMO
    • Marketing Management Executive
    • Applications Manager
    • Digital Marketing Project Manager
    • Sales Executive
    • Vendor Outreach and Partnerships Manager

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements.
    2. Checking out SoftwareReviews.
    3. Shortlisting your vendors.
    4. Conducting demos and detailed proposal reviews.
    5. Selecting and contracting with a finalist!

    Get to know the key players in the MMS landscape

    The following slides provide a top-level overview of the popular players you will encounter in your MMS shortlisting process.

    This is a series of images of the logos for the companies which will be discussed later in this blueprint.

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    This is an image of two screenshots from the Data Quadrant Report.

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    This is an image of two screenshots from the Emotional Footprint Report.

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Multichannel Integration

    Areas to Improve:

    • Mobile Marketing Management
    • Advanced Data Segmentation
    • Pricing Sensitivity and Implementation Support Model

    This is an image of SoftwareReviews analysis for Adobe Experience Cloud.

    history

    This is the Logo for Adobe Experience Cloud

    "Adobe Experience Cloud (AEC), formerly Adobe Marketing Cloud (AMC), provides a host of innovative multichannel analytics, social, advertising, media optimization, and content management products (just to name a few). The Adobe Marketing Cloud package allows users with valid subscriptions to download the entire collection and use it directly on their computer with open access to online updates. Organizations that have a deeply ingrained Adobe footprint and have already reaped the benefits of Adobe's existing portfolio of cloud services products (e.g. Adobe Creative Cloud) will find the AEC suite a functionally robust and scalable fit for their marketing management and marketing automation needs.

    However, it is important to note that AEC's pricing model is expensive when compared to other competitors in the space (e.g. Sugar Market) and, therefore, is not as affordable for smaller or mid-sized organizations. Moreover, there is the expectation of a learning curve with the AEC platform. Newly onboarded users will need to spend some time learning how to navigate and work comfortably with AEC's marketing automaton modules. "
    - Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Adobe Experience Cloud Platform pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    2021

    Adobe Experience Platform Launch is integrated into the Adobe Experience Platform as a suite of data collection technologies (Experience League, Adobe).

    November 2020

    Adobe announces that it will spend $1.5 billion to acquire Workfront, a provider of marketing collaboration software (TechTarget, 2020).

    September 2018

    Adobe acquires marketing automation software company Marketo (CNBC, 2018).

    June 2018

    Adobe buys e-commerce services provider Magento Commerce from private equity firm Permira for $1.68 billion (TechCrunch, 2018).

    2011

    Adobe acquires DemDex, Inc. with the intention of adding DemDex's audience-optimization software to the Adobe Online Marketing Suite (Adobe News, 2011).

    2009

    Adobe acquires online marketing and web analytics company Omniture for $1.8 billion and integrates its products into the Adobe Marketing Cloud (Zippia, 2022).

    Adobe platform launches in December 1982.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Workflow Management
    • Advanced Data Segmentation
    • Marketing Operations Management

    Areas to Improve:

    • Email Marketing Automation
    • Marketing Asset Management
    • Process of Creating and/or Managing Marketing Lists

    This is an image of SoftwareReviews analysis for Dynamics 365

    history

    This is the logo for Dynamics 365

    2021

    Microsoft Dynamics 365 suite adds customer journey orchestration as a viable key feature (Tech Target, 2021)

    2019

    Microsoft begins adding to its Dynamics 365 suite in April 2019 with new functionalities such as virtual agents, fraud detection, new mixed reality (Microsoft Dynamics 365 Blog, 2019).

    2017

    Adobe and Microsoft expand key partnership between Adobe Experience Manager and Dynamics 365 integration (TechCrunch, 2017).

    2016

    Microsoft Dynamics CRM paid seats begin growing steadily at more than 2.5x year-over-year (TechCrunch, 2016).

    2016

    On-premises application, called Dynamics 365 Customer Engagement, contains the Dynamics 365 Marketing Management platform (Learn Microsoft, 2023).

    Microsoft Dynamics 365 product suite is released on November 1, 2016.

    "Microsoft Dynamics 365 for Marketing remains a viable option for organizations that require a range of innovative MMS tools that can provide a wealth of functional capabilities (e.g. AI-powered analytics to create targeted segments, A/B testing, personalizing engagement for each customer). Moreover, Microsoft Dynamics 365 for Marketing offers trial options to sandbox their platform for free for 30 days to help users familiarize themselves with the software before buying into the product suite.

    However, ensure that you have the time to effectively train users on implementing the MS Dynamics 365 platform. The platform does not score high on customizability in SoftwareReviews reports. Developers have only a limited ability to modify the core UI, so organizations need to be fully equipped with the knowledge needed to successfully navigate MS-based applications to take full advantage of the platform. For organizations deep in the Microsoft stack, D365 Marketing is a compelling option."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Dynamics 365
    Marketing

    Dynamics 365
    Marketing (Attachment)

    • Starts from $1,500 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations without any other Dynamics 365 application
    • Starts from $750 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations with a qualifying Dynamics 365 application

    * Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Marketing Workflow Management
    • Lead Nurturing

    Areas to Improve:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Marketing Segmentation

    This is an image of SoftwareReviews analysis for HubSpot

    history

    This is an image of the Logo for HubSpot

    2022

    HubSpot Marketing Hub releases Campaigns 2.0 module for its Marketing Hub platform (HubSpot, 2022).

    2018


    HubSpot announces the launch of its Marketing Hub Starter platform, a new offering that aims to give growing teams the tools they need to start marketing right (HubSpot Company News, 2018).

    2014

    HubSpot celebrates its first initial public offering on the NYSE market (HubSpot Company News, 2014).

    2013

    HubSpot opens its first international office location in Dublin, Ireland
    (HubSpot News, 2013).

    2010

    Brian Halligan and Dharmesh Shah write "Inbound Marketing," a seminal book that focuses on inbound marketing principles (HubSpot, n.d.).

    HubSpot opens for business in Cambridge, MA, USA, in 2005.

    "HubSpot's Marketing Hub software ranks consistently high in scores across SoftwareReviews reports and remains a strong choice for organizations that want to run successful inbound marketing campaigns that make customers interested and engaged with their business. HubSpot Marketing Hub employs comprehensive feature sets, including the option to streamline ad tracking and management, perform various audience segmentation techniques, and build personalized and automated marketing campaigns.

    However, SoftwareReviews reports indicate end users are concerned that HubSpot Marketing Hub's platform may be slightly overpriced in recent years and not cost effective for smaller and mid-sized companies that are working with a limited budget. Moreover, when it comes to mobile user accessibility reports, HubSpot's Marketing Hub does not directly offer data usage reports in relation to how mobile users navigate various web pages on the customer's website."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    HubSpot Marketing Hub (Starter Package)

    HubSpot Marketing Hub (Professional Package)

    HubSpot Marketing Hub (Enterprise Package)

    • Starts from $50/month*
    • Includes 1,000 marketing contacts
    • All non-marketing contacts are free, up to a limit of 15 million overall contacts (marketing contacts + non-marketing contracts)
    • Starts from $890/month*
    • Includes 2,000 marketing contacts
    • Onboarding is required for a one-time fee of $3,000
    • Starts from $3600/month*
    • Includes 10,000 marketing contacts
    • Onboarding is required for a one-time fee of $6,000

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Customer Journey Mapping
    • Contacts Management

    Areas to Improve:

    • Pricing Model Flexibility
    • Integrational API Support
    • Antiquated UI/CX Design Elements

    This is an image of SoftwareReviews analysis for Maropost

    history

    This is an image of the Logo for MAROPOST Marketing Cloud

    2022

    Maropost acquires Retail Express, leading retail POS software in Australia for $55M (PRWire, 2022).

    2018


    Maropost develops innovative product feature updates to its marketing cloud platform (e.g. automated social campaign management, event segmentation for mobile apps) (Maropost, 2019).

    2015

    US-based communications organization Success selects Maropost Marketing Cloud for marketing automation use cases (Apps Run The World, 2015).

    2017

    Maropost is on track to become one of Toronto's fastest-growing companies, generating $30M in annual revenue (MarTech Series, 2017).

    2015

    Maropost is ranked as a "High Performer" in the Email Marketing category in a G2 Crowd Grid Report (VentureBeat, 2015).

    Maropost is founded in 2011 as a customer-centric ESP platform.

    Maropost Marketing Cloud – Essential

    Maropost
    Marketing Cloud –Professional

    Maropost
    Marketing Cloud –Enterprise

    • Starts from $279/month*
    • Includes baseline features such as email campaigns, A/B campaigns, transactional emails, etc.
    • Starts from $849/month*
    • Includes additional system functionalities of interest (e.g. mobile keywords, more journeys for marketing automation use cases)
    • Starts from $1,699/month*
    • Includes unlimited number of journeys
    • Upper limit for custom contact fields is increased by 100-150

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Data Segmentation
    • Marketing Analytics
    • Multichannel Integration

    Areas to Improve:

    • Marketing Operations
      Management
    • Marketing Asset Management
    • Community Marketing Management

    This is an image of SoftwareReviews analysis for Oracle Marketing Cloud.

    history

    This is an image of the Logo for Oracle Marketing Cloud

    2021

    New advanced intelligence capabilities within Oracle Eloqua Marketing Automation help deliver more targeted and personalized messages (Oracle, Marketing Automation documentation).

    2015


    Oracle revamps its marketing cloud with new feature sets, including Oracle ID Graph for cross-platform identification of customers, AppCloud Connect, etc. (Forbes, 2015).

    2014

    Oracle announces the launch of the Oracle Marketing Cloud (TechCrunch, 2014).

    2005

    Oracle acquires PeopleSoft, a company that produces human resource management systems, in 2005 for $10.3B (The Economic Times, 2016).

    1982

    Oracle becomes the first company to sell relational database management software (RDBMS). In 1982 it has revenue of $2.5M (Encyclopedia.com).

    Relational Software, Inc (RSI) – later renamed Oracle Corporation – is founded in 1977.

    "Oracle Marketing Cloud offers a comprehensive interwoven and integrated marketing management solution that can help end users launch cross-channel marketing programs and unify all prospect and customer marketing signals within one singular view. Oracle Marketing Cloud ranks consistently high across our SoftwareReviews reports and sustains top scores in overall customer experience rankings at a factor of 9.0. The emotional sentiment of users interacting with Oracle Marketing Cloud is also highly favorable, with Oracle's Emotional Footprint score at +93.

    Users should be aware that some of the reporting mechanisms and report-generation capabilities may not be as mature as those of some of its competitors in the MMS space (e.g. Salesforce, Adobe). Data exportability also presents a challenge in Oracle Marketing Cloud and requires a lot of internal tweaking between end users of the system to function properly. Finally, pricing sensitivity may be a concern for small and mid-sized organizations who may find Oracle's higher-tiered pricing plans to be out of reach. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Oracle Marketing Cloud pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Advanced Campaign Management
    • Email Marketing Automation
    • Social Media Marketing Management

    Areas to Improve:

    • Community Marketing Management
    • Marketing Operations Management
    • Pricing Sensitivity and Vendor Support Model

    This is an image of SoftwareReviews analysis for Salesforce

    history

    This is an image of the Logo for Salesforce Marketing Cloud

    2022

    Salesforce announces sustainability as a core company value (Forbes, 2022).

    2012



    Salesforce unveils Salesforce Marketing Cloud during Dreamforce 2012, with 90,000 registered attendees (Dice, 2012).

    2009

    Salesforce launches Service Cloud, bringing customer service and support automation features to the market (TechCrunch, 2009).

    2003


    The first Dreamforce event is held at the Westin St. Francis hotel in downtown San Francisco
    (Salesforce, 2020).

    2001


    Salesforce delivers $22.4M in revenue for the fiscal year ending January 31, 2002 (Salesforce, 2020).

    Salesforce is founded in 1999.

    "Salesforce Marketing Cloud is a long-term juggernaut of the marketing management software space and is the subject of many Info-Tech member inquiries. It retains strong composite and customer experience (CX) scores in our SoftwareReviews reports. Some standout features of the platform include marketing analytics, advanced campaign management functionalities, email marketing automation, and customer journey management capabilities. In recent years Salesforce has made great strides in improving the overall user experience by investing in new product functionalities such as the Einstein What-If Analyzer, which helps test how your next email campaign will impact overall customer engagement, triggers personalized campaign messages based on an individual user's behavior, and uses powerful real-time segmentation and sophisticated AI to deliver contextually relevant experiences that inspire customers to act.

    On the downside, we commonly see Salesforce's solutions as costlier than competitors' offerings, and its commercial/sales teams tend to be overly aggressive in marketing its solutions without a distinct link to overarching business requirements. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Marketing Cloud Basics

    Marketing Cloud Pro

    Marketing Cloud Corporate

    Marketing Cloud Enterprise

    • Starts at $400*
    • Per org/month
    • Personalized promotional email marketing
    • Starts at $1,250*
    • Per org/month
    • Personalized marketing automation with email solutions
    • Starts at $3,750*
    • Per org/month
    • Personalized cross-channel strategic marketing solutions

    "Request a Quote"

    *Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Marketing Workflow Management
    • Marketing Analytics

    Areas to Improve:

    • Mobile Marketing Management
    • Marketing Operations Management
    • Advanced Data Segmentation

    This is an image of SoftwareReviews analysis for SAP

    history

    This is an image of the Logo for SAP

    2022

    SAP announces the second cycle of the 2022 SAP Customer Engagement Initiative. (SAP Community Blog, 2022).

    2020

    SAP acquires Austrian cloud marketing company Emarsys (TechCrunch, 2020).

    2015

    SAP Digital for Customer Engagement launches in May 2015 (SAP News, 2015).

    2009

    SAP begins branching out into three markets of the future (mobile technology, database technology, and cloud). SAP acquires some of its competitors (e.g. Ariba, SuccessFactors, Business Objects) to quickly establish itself as a key player in those areas (SAP, n.d.).

    1999

    SAP responds to the internet and new economy by launching its mysap.com strategy (SAP, n.d.).

    SAP is founded In 1972.

    "Over the years, SAP has positioned itself as one of the usual suspects across the enterprise applications market. While SAP has a broad range of capabilities within the CRM and customer experience space, it consistently underperforms in many of our user-driven SoftwareReviews reports for MMS and adjacent areas, ranking lower in MMS product feature capabilities such as email marketing automation and advanced campaign management than other mainstream MMS vendors, including Salesforce Marketing Cloud and Adobe Experience Cloud. The SAP Customer Engagement Marketing platform seems decidedly a secondary focus for SAP, behind its more compelling presence across the enterprise resource planning space.

    If you are approaching an MMS selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests that your needs will be better served by a vendor that places greater primacy on the MMS aspect of their portfolio."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    SAP Customer Engagement Marketing pricing is opaque:
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Social Media Automation
    • Email Marketing Automation
    • Marketing Analytics

    Areas to Improve:

    • Ease of Data Integration
    • Breadth of Features
    • Marketing Workflow Management

    b

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Campaign Management
    • Segmentation
    • Email Delivery

    Areas to Improve:

    • Mobile Optimization
    • A/B Testing
    • Content Authoring

    This is an image of SoftwareReviews analysis for ZOHO Campaigns.

    history

    This is an image of the Logo for ZOHO Campaigns

    2021

    Zoho announces CRM-Campaigns sync (Zoho Campaigns Community Learning, 2021).

    2020

    Zoho reaches more than 50M customers in January ( Zippia, n.d.).

    2017

    Zoho launches Zoho One, a comprehensive suite of 40+ applications (Zoho Blog, 2017).

    2012

    Zoho releases Zoho Campaigns (Business Wire, 2012).

    2007

    Zoho expands into the collaboration space with the release of Zoho Docs and Zoho Meetings (Zoho, n.d.).

    2005

    Zoho CRM is released (Zoho, n.d.).

    Zoho platform is founded in 1996.

    "Zoho maintains a long-running repertoire of end-to-end software solutions for business development purposes. In addition to its flagship CRM product, the company also offers Zoho Campaigns, which is an email marketing software platform that enables contextually driven marketing techniques via dynamic personalization, email interactivity, A/B testing, etc. For organizations that already maintain a deep imprint of Zoho solutions, Zoho Campaigns will be a natural extension to their immediate software environment.

    Zoho Campaigns is a great ecosystem play in environments that have a material Zoho footprint. In the absence of an existing Zoho environment, it's prudent to consider other affordable products as well."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Free Version

    Standard

    Professional

    • Starts at $0*
    • Per user/month billed annually
    • Up to 2,000 contacts
    • 6,000 emails/month
    • Starts at $3.75*
    • Per user/month billed annually
    • Up to 100,000 contacts
    • Advanced email templates
    • SMS marketing
    • Starts at $6*
    • Per user/month billed annually
    • Advanced segmentation
    • Dynamic content

    *Pricing correct as of October 2022. Listed in USD and absent discounts.

    See pricing on vendor's website for latest information.

    Leverage Info-Tech's research to plan and execute your MMS implementation

    Use Info-Tech's three-phase implementation process to guide your planning:

    1. Assess

    2. Prepare

    3. Govern & Course Correct

    Download Info-Tech's Governance and Management of Enterprise Software Implementation
    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value to encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing them.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:

    • Location: Placing teams in proximity to eliminate the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) to help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role Clarity: Having a clear definition of what everyone's role is.

    Selecting a right-sized MMS platform

    This selection guide allows organizations to execute a structured methodology for picking an MMS platform that aligns with their needs. This includes:

    • Alignment and prioritization of key business and technology drivers for an MMS selection business case.
    • Identification of key use cases and requirements for a right-sized MMS platform.
    • A comprehensive market scan of key players in the MMS market space.

    This formal MMS selection initiative will drive business-IT alignment, identify pivotal sales and marketing automation priorities, and thereby allow for the rollout of a streamlined MMS platform that is highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Summary of accomplishment

    Knowledge Gained

    • What marketing management is
    • Historical origins of marketing management
    • The future of marketing management
    • Key trends in marketing management suites

    Processes Optimized

    • Requirements gathering
    • RFPs and contract reviews
    • Marketing management suite vendor selection
    • Marketing management platform implementation

    Marketing Management

    • Adobe Experience Cloud
    • Microsoft Dynamics 365 for Marketing
    • HubSpot Marketing Hub
    • Maropost Marketing Cloud
    • Oracle Marketing Cloud

    Vendors Analyzed

    • Salesforce Marketing Cloud
    • SAP
    • Sugar Market
    • Zoho Campaigns

    Related Info-Tech Research

    Select a Marketing Management Suite

    Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.

    Get the Most Out of Your CRM

    Customer relationship management (CRM) application portfolios are often messy,
    with multiple integration points, distributed data, and limited ongoing end-user training. A properly optimized CRM ecosystem will reduce costs and increase productivity.

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution. Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    Bibliography

    "16 Biggest Tech Acquisitions in History." The Economic Times, 28 July 2016. Web.
    "Adobe Acquires Demdex – Brings Audience Optimization to $109 Billion Global Online Ad Market." Adobe News, 18 Jan 2011. Accessed Nov 2022.
    "Adobe Company History Timeline." Zippia, 9 Sept 2022. Accessed Nov 2022.
    "Adobe to acquire Magento for $1.68B." TechCrunch, 21 May 2018. Accessed Dec 2022.
    Anderson, Meghan Keaney. "HubSpot Launches European Headquarters." HubSpot Company News, 3 Mar 2013.
    Arenas-Gaitán, Jorge, et al. "Complexity of Understanding Consumer Behavior from the Marketing Perspective." Journal of Complexity, vol. 2019, 8 Jan 2019. Accessed Sept 2022.
    Bureau of Labor Statistics. "Advertising, Promotions, and Marketing Managers." Occupational Outlook Handbook. U.S. Department of Labor, 8 Sept 2022. Accessed 1 Nov 2022.
    "Campaigns." Marketing Hub, HubSpot, n.d. Web.
    Conklin, Bob. "Adobe report reveals best marketing practices for B2B growth in 2023 and beyond." Adobe Experience Cloud Blog, 23 Sept 2022. Web.
    "Consumer Behavior Stats 2021: The Post-Pandemic Shift in Online Shopping Habit" Nosto.com, 7 April 2022. Accessed Oct 2022.
    "Data Collection Overview." Experience League, Adobe.com, n.d. Accessed Dec 2022.
    Duduskar, Avinash. "Interview with Tony Chen, CEO at Channel Factory." MarTech Series, 16 June 2017. Accessed Nov 2022.
    "Enhanced Release of SAP Digital for Customer Engagement Helps Anyone Go Beyond CRM." SAP News, 8 Dec. 2015. Press release.
    Fang, Mingyu. "A Deep Dive into Gucci's Metaverse Practice." Medium.com, 27 Feb 2022. Accessed Oct 2022.
    Flanagan, Ellie. "HubSpot Launches Marketing Hub Starter to Give Growing Businesses the Tools They Need to Start Marketing Right." HubSpot Company News, 17 July 2018. Web.
    Fleishman, Hannah. "HubStop Announces Pricing of Initial Public Offering." HubSpot Company News, 8 Oct. 204. Web.
    Fluckinger, Don. "Adobe to acquire Workfront for $1.5 billion." TechTarget, 10 Nov 2020. Accessed Nov 2022.
    Fluckinger, Don. "Microsoft Dynamics 365 adds customer journey orchestration." TechTarget, 2 March 2021. Accessed Nov 2022.
    Green Marketing: Explore the Strategy of Green Marketing." Marketing Schools, 19 Nov 2020. Accessed Oct 2022.
    Ha, Anthony. "Oracle Announces Its Cross-Platform Marketing Cloud." TechCrunch, 30 April 2014. Web.
    Heyd, Kathrin. "Partners Welcome – SAP Customer Engagement Initiative 2022-2 is open for your registration(s)!" SAP Community Blog, 21 June 2022. Accessed Nov 2022.
    HubSpot. "Our Story." HubSpot, n.d. Web.
    Jackson, Felicia. "Salesforce Tackles Net Zero Credibility As It Adds Sustainability As A Fifth Core Value." Forbes, 16 Feb. 2022. Web.
    Kolakowski, Nick. "Salesforce CEO Marc Benioff Talks Social Future." Dice, 19 Sept. 2012. Web.
    Lardinois, Frederic. "Microsoft's Q4 earnings beat Street with $22.6B in revenue, $0.69 EPS." TechCrunch, 19 July 2016. Web.
    Levine, Barry. "G2 Crowd report finds the two email marketing tools with the highest user satisfaction." Venture Beat, 30 July 2015. Accessed Nov 2022.
    Looking Back, Moving Forward: The Evolution of Maropost for Marketing." Maropost Blog, 21 May 2019. Accessed Oct 2022.
    Maher, Sarah. "What's new with HubSpot? Inbound 2022 Feature Releases." Six & Flow, 9 July 2022. Accessed Oct 2022.
    Marketing Automation Provider, Salesfusion, Continues to Help Marketers Achieve Their Goals With Enhanced User Interface and Powerful Email Designer Updates." Yahoo Finance, 10 Dec 2013. Accessed Oct 2022.
    "Maropost Acquires Retail Express for $55 Million+ as it Continues to Dominate the Global Commerce Space." Marapost Newsroom, PRWire.com, 19 Jan 2022. Accessed Nov 2022.
    McDowell, Maghan. "Inside Gucci and Roblox's new virtual world." Vogue Business, 17 May 2021. Web.
    Miller, Ron. "Adobe and Microsoft expand partnership with Adobe Experience Manager and Dynamics 265 Integration." TechCrunch, 3 Nov 2017. Accessed Nov 2022.
    Miller, Ron. "Adobe to acquire Magento for $1.68B" TechCrunch, 21 May 2018. Accessed Nov 2022.
    Miller, Ron. "SAP continues to build out customer experience business with Emarys acquisition." TechCrunch, 1 Oct. 2020. Web.
    Miller, Ron. "SugarCRM moves into marketing automation with Salesfusion acquisition." TechCrunch, 16 May 2019.
    Novet, Jordan. "Adobe confirms it's buying Marketo for $4.75 billion." CNBC, 20 Sept 2018. Accessed Dec 2022.
    "Oracle Corp." Encyclopedia.com, n.d. Web.
    Phillips, James. "April 2019 Release launches with new AI, mixed reality, and 350+ feature updates." Microsoft Dynamics 365 Blog. Microsoft, 2 April 2019. Web.
    S., Aravindhan. "Announcing an important update to Zoho CRM-Zoho Campaigns integration." Zoho Campaigns Community Learning, Zoho, 1 Dec. 2021. Web.
    Salesforce. "The History of Salesforce." Salesforce, 19 March 2020. Web.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment" GlobeNewswire, 6 May 2016. Accessed Oct 2022. Press release.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment." Marketwired, 6 May 2016. Web.
    "Salesfusion is Now Sugar Market: The Customer FAQ." SugarCRM Blog, 31 July 2019. Web.
    "Salesfusion's Marketing Automation Platform Drives Awareness and ROI for Education Technology Provider" GlobeNewswire, 25 June 2015. Accessed Nov 2022. Press release.
    SAP. "SAP History." SAP, n.d. Web.
    "State of Marketing." 5th Edition, Salesforce, 15 Jan 2019. Accessed Oct 2022.
    "Success selects Maropost Marketing Cloud for Marketing Automation." Apps Run The World, 10 Jan 2015. Accessed Nov 2022.
    "SugarCRM Acquires SaaS Marketing Automation Innovator Salesfusion." SugarCRM, 16 May 2019. Press release.
    Sundaram, Vijay. "Introducing Zoho One." Zoho Blog, 25 July 2017. Web.
    "The State of MarTech: Is you MarTech stack working for you?" American Marketing Association, 29 Nov 2021. Accessed Oct 2022.
    "Top Marketing Automation Statistics for 2022." Oracle, 15 Jan 2022. Accessed Oct 2022.
    Trefis Team. "Oracle Energizes Its Marketing Cloud With New Features." Forbes, 7 April 2015. Accessed Oct 2022.
    Vivek, Kumar, et al. "Microsoft Dynamics 365 Customer Engagement (on-premises) Help, version 9.x." Learn Dynamics 365, Microsoft, 9 Jan 2023. Web.
    "What's new with HubSpot? Inbound 2022 feature releases" Six and Flow, 9 July 2022. Accessed Nov 2022.
    Widman, Jeff. "Salesforce.com Launches The Service Cloud,, A Customer Service SaaS Application." TechCrunch, 15 Jan. 2009. Web.
    "Zoho History." Zippia, n.d. Web.
    "Zoho Launches Zoho Campaigns." Business Wire, 14 Aug. 2012. Press release.
    Zoho. "About Us." Zoho, n.d. Web.

    Need hands-on assistance?

    Engage Info-Tech for a Software Selection Workshop!

    40 Hours of Advisory Assistance Delivered On-Line or In-Person

    Select Better Software, Faster.

    40 Hours of Expert Analyst Guidance
    Project & Stakeholder Management Assistance
    Save money, align stakeholders, Speed up the process & make better decisions.
    Better, faster results, guaranteed, $25K standard engagement fee

    This is an image of the plan for five advisory calls over a five week period.

    CLICK HERE to book your Workshop Engagement

    Master the Public Cloud IaaS Acquisition Models

    • Buy Link or Shortcode: {j2store}228|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $3,820 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:

    • Upfront or monthly payments
    • Commitment discounts
    • Support options
    • Migration planning and support

    Our Advice

    Critical Insight

    IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.

    Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.

    • Are vendor reps being straight forward?
    • What are the licensing requirements?
    • What discounts or incentives can I negotiate?
    • How much do I have to commit to and for how long?

    Impact and Result

    This project will provide several benefits for both IT and the business. It includes:

    • Best IaaS platform to support current and future procurement requirements.
    • Right-sized cloud commitment tailored to the organization’s budget.
    • Predictable and controllable spend model.
    • Flexible and reliable IT infrastructure that supports the lines of business.
    • Reduced financial and legal risk.

    Master the Public Cloud IaaS Acquisition Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to learn how the public cloud IaaS procurement models compare. Review Info-Tech’s methodology and understand the top three platforms, features, and benefits to support and inform the IaaS vendor choice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Educate

    Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.

    • Master the Public Cloud IaaS Acquisition Models – Phase 1: Educate
    • Public Cloud Procurement Checklist
    • Microsoft Public Cloud Licensing Guide

    2. Evaluate

    Review and understand the features, downsides, and differences between the big three players.

    • Master the Public Cloud IaaS Acquisition Models – Phase 2: Evaluate
    • Public Cloud Procurement Comparison Summary

    3. Execute

    Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives, migration costs, review, and execute the agreement.

    • Master the Public Cloud IaaS Acquisition Models – Phase 3: Execute
    • Public Cloud Acquisition Executive Summary Template

    Infographic

    Business Process Controls and Internal Audit

    • Buy Link or Shortcode: {j2store}37|cart{/j2store}
    • Related Products: {j2store}37|crosssells{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: security-and-risk
    Establish an Effective System of Internal IT Controls to Mitigate Risks.

    Develop Your Value-First Business Process Automation Strategy

    • Buy Link or Shortcode: {j2store}236|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization

    Business process automation (BPA) has gained momentum, especially as pilots result in positive outcomes such as improved customer experience, efficiencies, and cost savings. Stakeholders want to invest more in BPA solutions and scale initial successes across different business and IT functions.

    But it’s critical to get it right and not fall into the hype so that the costs don’t outweigh the benefits.

    Ultimately, all BPA initiatives should align with a common vision.

    Build the right BPA strategy – smarter, not faster

    Organizations should adopt a methodical approach to growing their BPA, taking cost, talent availability, and goals into account.

    1. Recognize the true value of automation. Successful BPA improves more than cost savings and revenue generation. Employee satisfaction, organizational reputation, brand, and better-performing products and services are other sought-after benefits.
    2. Consider all relevant factors as you build a strategy. Take into account the impact BPA initiatives will have on users, risk and change appetites, customer satisfaction, and business priorities.
    3. Mature your practice as you scale your BPA technologies. Develop skills, resources, and governance practices as you scale your automation tools. Deploy BPA with quality in mind, then continuously monitor, review, and maintain the automation for success.
    4. Learn from your initial automations. Maximize what you learn from your minimum viable automations (MVA) and use that knowledge to build and scale your automation implementation across the organization.

    Develop Your Value-First Business Process Automation Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Business Process Automation Strategy Deck – A step-by-step document that walks you through how to position business process automation as a key capability and assess the organization’s readiness for its adoption.

    This blueprint helps you develop a strategy justify the scaling and maturing of your business process automation (BPA) practices and capabilities to fulfill your business priorities.

    • Develop Your Value-First Business Process Automation Strategy – Phases 1-4

    2. Business Process Automation Strategy Template – A template to help you build a clear and compelling strategy document for stakeholders.

    Document your business process automation strategy in the language your stakeholders understand. Tailor this document to fit your BPA objectives and initiatives.

    • Business Process Automation Strategy Template

    3. Business Process Automation Maturity Assessment Tool – A tool to help gauge the maturity of your BPA practice.

    Evaluate the maturity of the key capabilities of your BPA practice to determine its readiness to support complex and scaled BPA solutions.

    • Business Process Automation Maturity Assessment Tool

    Infographic

    Workshop: Develop Your Value-First Business Process Automation Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Context

    The Purpose

    Understand the business priorities and your stakeholders' needs that are driving your business process automation initiatives while abiding by the risk and change appetite of your organization.

    Key Benefits Achieved

    Translate business priorities to the context of business process automation.

    Arrive at a common definition of business value.

    Come to an understanding of the needs, concerns, and problems of BPA stakeholders.

    Discover organizational risk and change tolerance and appetite.

    Activities

    1.1 Set the Business Context

    1.2 Understand Your Stakeholder Needs

    1.3 Build Your Risk & Change Profile

    Outputs

    Business problem, priorities, and business value definition

    Customer and end-user assessment (e.g. personas, customer journey)

    Risk and change profile

    2 Define Your BPA Objectives and Opportunities

    The Purpose

    Set reasonable and achievable expectations for your BPA initiatives and practices, and select the right BPA opportunities to meet these expectations.

    Key Benefits Achieved

    Align BPA objectives and metrics to your business priorities.

    Create guiding principles that support your organization’s and team’s culture.

    Define a vision of your target-state BPA practice

    Create a list of BPA opportunities that will help build your practice and meet business priorities.

    Activities

    2.1 Define Your BPA Expectations

    2.2 List Your Guiding Principles

    2.3 Envision Your BPA Target State

    2.4 Build Your Opportunity Backlog

    Outputs

    BPA problem statement, objectives, and metrics

    BPA guiding principles

    Desired scaled BPA target state

    Prioritized BPA opportunities

    3 Assess Your BPA Maturity

    The Purpose

    Evaluate the current state of your BPA practice and its readiness to support scaled and complex BPA solutions.

    Key Benefits Achieved

    List key capabilities to implement and optimize to meet the target state of your BPA practice.

    Brainstorm solutions to address the gaps in your BPA capabilities.

    Activities

    3.1 Assess Your BPA Maturity

    Outputs

    BPA maturity assessment

    4 Roadmap Your BPA Initiatives

    The Purpose

    Identify high-priority key initiatives to support your BPA objectives and goals, and establish the starting point of your BPA strategy.

    Key Benefits Achieved

    Create an achievable roadmap of BPA initiatives designed to deliver good practices and valuable automations.

    Perform a risk assessment of your BPA initiatives and create mitigations for high-priority risks.

    Find the starting point in the development of your BPA strategy.

    Activities

    4.1 Roadmap Your BPA Initiatives

    4.2 Assess and Mitigate Your Risks

    4.3 Complete Your BPA Strategy

    Outputs

    List of BPA initiatives and roadmap

    BPA initiative risk assessment

    Initial draft of your BPA strategy

    Define Requirements for Outsourcing the Service Desk

    • Buy Link or Shortcode: {j2store}493|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • In organizations where technical support is viewed as non-strategic, many see outsourcing as a cost-effective way to provide this support. However, outsourced projects often fall short of their goals in terms of cost savings and the quality of support. 
    • Significant administrative work and up-front costs are required to outsource the service desk, and poor planning often results in project failure and a decrease of end-user satisfaction.
    • A complete turnover of the service desk can result in lost knowledge and control over processes, and organizations without an exit strategy can struggle to bring their service desk back in house and return the confidence of end users.

    Our Advice

    Critical Insight

    • Outsourcing is easy. Realizing the expected cost, quality, and focus benefits is hard. Successful outsourcing without being directly involved in service desk management is almost impossible.
    • You don’t need to standardize before you outsource, but you still need to conduct your due diligence. If you outsource without thinking about how you want the future to work, you will likely be unsatisfied with the result.
    • If cost is your only driver for outsourcing, understand that it comes at a cost. Customer service quality will likely be less, and your outsourcer may not add on frills such as Continual Improvement. Be careful that your specialists don’t end up spending more time working on incidents and service requests.

    Impact and Result

    • First decide if outsourcing is the correct step; there may be more preliminary work to do beforehand.
    • Assess requirements and make necessary adjustments before developing an outsource RFP.
    • Clearly define the project and produce an RFP to provide to vendors.
    • Plan for long-term success, not short-term gain.
    • Prepare to retain some of the higher-level service desk work.

    Define Requirements for Outsourcing the Service Desk Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Requirements for Outsourcing the Service Desk Deck – A step-by-step document to walk you through building a strategy for efficient service desk outsourcing.

    This storyboard will help you craft a project charter, create an RFP, and outline strategies to build a long-term relationship with the vendor.

    • Define Requirements for Outsourcing the Service Desk – Storyboard
    • Service Desk Outsourcing Requirements Database Library

    2. Service Desk Outsourcing Project Charter Template and Requirements Library – Best-of-breed templates to help you determine processes and build a strategy to outsource them.

    These templates will help you determine your service desk requirements and document your proposed service desk outsourcing strategy.

    • Service Desk Outsourcing Project Charter Template

    3. Service Desk Outsourcing RFP Template – A structured document to help you outline expectations and communicate requirements to managed service providers.

    This template will allow you to create a detailed RFP for your outsourcing agreement, document the statement of work, provide service overview, record exit conditions, and document licensing model and estimated pricing.

    • Service Desk Outsourcing RFP Template

    4. Service Desk Outsourcing Reference Interview Template and Scoring Tool – Materials to help you conduct efficient briefings and select the best vendor to fulfill your service desk requirements.

    Use the Reference Interview Template to outline a list of questions for interviewing current/previous customers of your candidate vendors. These interviews will help you with unbiased vendor scoring. The RFP Vendor Scoring Tool will help you facilitate vendor briefings with your list of questions and score candidate vendors efficiently through quantifying evaluations.

    • Service Desk Outsourcing Reference Interview Template
    • Service Desk Outsourcing RFP Scoring Tool

    Infographic

    Further reading

    Define Requirements for Outsourcing the Service Desk

    Prepare your RFP for long-term success, not short-term gains

    Define Requirements for Outsourcing the Service Desk

    Prepare your RFP for long-term success, not short-term gains

    EXECUTIVE BRIEF

    Analyst Perspective

    Outsource services with your eyes wide open.

    Cost reduction has traditionally been an incentive for outsourcing the service desk. This is especially the case for organizations that don't have minimal processes in place and those that need resources and skills to fill gaps.

    Although cost reduction is usually the main reason to outsource the service desk, in most cases service desk outsourcing increases the cost in a short run. But without a proper model, you will only outsource your problems rather than solving them. A successful outsourcing strategy follows a comprehensive plan that defines objectives, assigns accountabilities, and sets expectations for service delivery prior to vendor outreach.

    For outsourcing the service desk, you should plan ahead, work as a group, define requirements, prepare a strong RFP, and contemplate tension metrics to ensure continual improvement. As you build a project charter to outline your strategy for outsourcing your IT services, ensure you focus on better customer service instead of cost optimization. Ensure that the outsourcer can support your demands, considering your long-term achievement.

    Think about outsourcing like a marriage deed. Take into account building a good relationship before beginning the contract, ensure to include expectations in the agreement, and make it possible to exit the agreement if expectations are not satisfied or service improvement is not achieved.

    This is a picture of Mahmoud Ramin, PhD, Senior Research Analyst, Infrastructure and Operations, Info-Tech Research Group

    Mahmoud Ramin, PhD
    Senior Research Analyst
    Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    In organizations where technical support is viewed as non-strategic, many see outsourcing as a cost-effective way to provide this support. However, outsourcing projects often fall short of their goals in terms of cost savings and quality of support.

    Common Obstacles

    Significant administrative work and up-front costs are required to outsource the service desk, and poor planning often results in project failure and the decrease of end-user satisfaction.

    A complete turnover of the service desk can result in lost knowledge and control over processes, and organizations without an exit strategy can struggle to bring their service desk back in house and reestablish the confidence of end users.

    Info-Tech's Approach

    • First decide if outsourcing is the correct step; there may be more preliminary work to do beforehand.
    • Assess requirements and make necessary adjustments before developing an outsource RFP.
    • Clearly define the project and produce an RFP to provide to vendors.
    • Plan for long-term success, not short-term gains.
    • Prepare to retain some of the higher-level service desk work.

    Info-Tech Insight

    Outsourcing is easy. Realizing all of the expected cost, quality, and focus benefits is hard. Successful outsourcing without being directly involved in service desk management is almost impossible.

    Your challenge

    This research is designed to help organizations that need to:

    • Outsource the service desk or portions of service management to improve service delivery.
    • Improve and repatriate existing outsourcing outcomes by becoming more engaged in the management of the function. Regular reviews of performance metrics, staffing, escalation, knowledge base content, and customer satisfaction are critical.
    • Understand the impact that outsourcing would have on the service desk.
    • Understand the potential benefits that outsourcing can bring to the organization.

    This image contains a donut chart with the following information: Salaries and Benefits - 68.50%; Technology - 9.30%; Office Space and Facilities Expense - 14.90%; Travel, Training, and Office Supplies - 7.30%

    Source: HDI 2017

    About 68.5% of the service desk fund is allocated to agent salaries, while only 9.3% of the service desk fund is spent on technology. The high ratio of salaries and expenses over other expense drives organizations to outsource their service desk without taking other considerations into account.

    Info-Tech Insight

    The outsourcing contract must preserve your control, possession, and ownership of the intellectual property involved in the service desk operation. From the beginning of the process, repatriation should be viewed as a possibility and preserved as a capability.

    Your challenge

    This research helps organizations who would like to achieve these goals:

    • Determine objectives and requirements to outsource the service desk.
    • Develop a project charter and build an outsourcing strategy to efficiently define processes to reduce risk of failure.
    • Build an outsourcing RFP and conduct interviews to identify the best candidate for service delivery.
    • Build a long-term relationship with an outsourcing vendor, making sure the vendor is able to satisfy all requirements.
    • Include a continual improvement plan in the outsourcing strategy and contain the option upon service delivery dissatisfaction.

    New hires require between 10 and 80 hours of training (Forward Bpo Inc., 2019).

    A benchmark study by Zendesk from 45,000 companies reveals that timely resolution of issues and 24/7 service are the biggest factors in customer service experience.

    This image contains a bar graph with the following data: Timely issue resolution; 24/7 support; Friendly agent; Desired contact method; Not to repeat info; Proactive support; Self-serve; Call back; Rewards & freebies

    These factors push many businesses to consider service desk outsourcing to vendors that have capabilities to fulfill such requirements.

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • In most cases, organizations must perform significant administrative work before they can make a move. Those that fail to properly prepare impede a smooth transition, the success of the vendor, and the ability to repatriate.
    • Successful outsourcing comes from the recognition that an organization is experiencing complete turnover of its service desk staff. These organizations engage the vendor to transition knowledge and process to ensure continuity of quality.
    • IT realizes the most profound hidden costs of outsourcing when the rate of ticket escalation increases, diminishing the capacity of senior technical staff for strategic project work.

    Many organizations may not get the value they expect from outsourcing in their first year.

    Common Reasons:

    • Overall lack of due diligence in the outsourcing process
    • Unsuitable or unclear service transition plan
    • Poor service provider selection and management

    Poor transition planning results in delayed benefits and a poor relationship with your outsourcing service provider. A poor relationship with your service provider results in poor communication and knowledge transfer.

    Key components of a successful plan:

    1. Determine goals and identify requirements before developing an RFP.
    2. Finalize your outsourcing project charter and get ready for vendor evaluation.
    3. Assess and select the most appropriate provider; manage the transition and vendor relationship.

    Outsource the service desk properly, and you could see a wide range of benefits

    Service Desk Outsourcing: Ability to scale up/down; Reduce fixed costs; Refocus IT efforts on core activities; Access to up-to-date technology; Adhere to  ITSM best practices; Increased process optimization; Focus IT efforts on advanced expertise; Reframe to shift-left;

    Info-Tech Insight

    In your service desk outsourcing strategy, rethink downsizing first-level IT service staff. This can be an opportunity to reassign resources to more valuable roles, such as asset management, development or project backlog. Your current service desk staff are most likely familiar with the current technology, processes, and regulations within IT. Consider the ways to better use your existing resources before reducing headcount.

    Info-Tech's Approach

    Determine Goals

    Conduct activities in the blueprint to pinpoint your current challenges with the service desk and find out objectives to outsource customer service.

    Define Requirements

    You need to be clear about the processes that will be outsourced. Considering your objectives, we'll help you discover the processes to outsource, to help you achieve your goals.

    Develop RFP

    Your expectations should be documented in a formal proposal to help vendors provide solid information about how they will satisfy your requirements and what their plan is.

    Build Long-Term Relationship

    Make sure to plan for continual improvement by setting expectations, tracking the services with proper metrics, and using efficient communication with the provider. Think about the rainy day and include exit conditions for ending the relationship if needed.

    Info-Tech's methodology

    1. Define the Goal

    2. Design an Outsourcing Strategy

    3. Develop an RFP and Make a Long-Term Relationship

    Phase Steps

    1.1 Identify goals and objectives

    1.2 Assess outsourcing feasibility

    2.1 Identify project stakeholders

    2.2 Outline potential risks and constraints

    3.1 Prepare service overview and responsibility matrix

    3.2 Define approach to vendor relationship management

    3.3 Manage the outsource relationship

    Phase Outcomes

    Service Desk Outsourcing Vision and Goals

    Service Desk Processes to Outsource

    Outsourcing Roles and Responsibilities

    Outsourcing Risks and Constraints

    Service Desk Outsourcing Project Charter

    Service Desk Outsourcing RFP

    Continual Improvement Plan

    Exit Strategy

    This is an image of the strategy which you will use to build your requirements for outsourcing the service desk.  it includes: 1. Define the Goal; 2. Design an Outsourcing Strategy; 3. Develop RFP and long-term relationship.

    Insight summary

    Focus on value

    Outsourcing is easy. Realizing all of the expected cost, quality, and focus benefits is hard. Successful outsourcing without being directly involved in service desk management is almost impossible.

    Define outsourcing requirements

    You don't need to standardize before you outsource, but you still need to conduct your due diligence. If you outsource without thinking about how you want the future to work, you will likely be unsatisfied with the result.

    Don't focus on cost

    If cost is your only driver for outsourcing, understand that there will be other challenges. Customer service quality will likely be less, and your outsourcer may not add on frills such as Continual Improvement. Be careful that your specialists don't end up spending more time working on incidents and service requests.

    Emphasize on customer service

    A bad outsourcer relationship will result in low business satisfaction with IT overall. The service desk is the face of IT, and if users are dissatisfied with the service desk, then they are much likelier to be dissatisfied with IT overall.

    Vendors are not magicians

    They have standards in place to help them succeed. Determine ITSM best practices, define your requirements, and adjust process workflows accordingly. Your staff and end users will have a much easier transition once outsourcing proceeds.

    Plan ahead to guarantee success

    Identify outsourcing goals, plan for service and system integrations, document standard incidents and requests, and track tension metrics to make sure the vendor does the work efficiently. Aim for building a long-term relationship but contemplate potential exit strategy.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    This is a screenshot from the Service Desk Outsourcing Requirements Database Library

    Service Desk Outsourcing Requirements Database Library

    Use this library to guide you through processes to outsource

    This is a screenshot from the Service Desk Outsourcing RFP Template

    Service Desk Outsourcing RFP Template

    Use this template to craft a proposal for outsourcing your service desk

    This is a screenshot from the Service Desk Outsourcing Reference Interview Template

    Service Desk Outsourcing Reference Interview Template

    Use this template to verify vendor claims on service delivery with pervious or current customers

    This is a screenshot from the Service Desk Outsourcing Vendor Proposal Scoring Tool

    Service Desk Outsourcing Vendor Proposal Scoring Tool

    Use this tool to evaluate RFP submissions

    Key deliverable:

    This is a screenshot from the key deliverable, Service Desk Outsourcing Project Charter

    Service Desk Outsourcing Project Charter

    Document your project scope and outsourcing strategy in this template to organize the project for efficient resource and requirement allocation

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Determine current challenges with the service desk and identify services to outsource.
    • Make the project charter for an efficient outsourcing strategy that will lead to higher satisfaction from IT.
    • Select the best outsource vendor that will satisfy most of the identified requirements.
    • Reduce the risk of project failure with efficient planning.
    • Understand potential feasibility of service desk outsourcing and its possible impact on business satisfaction.
    • Improve end-user satisfaction through a better service delivery.
    • Conduct more efficient resource allocation with outsourcing customer service.
    • Develop a long-term relationship between the enterprise and vendor through a continual improvement plan.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1Phase 2Phase 3

    Call #1: Scope your specific challenges and objectives

    Call #3: Identify project stakeholders, and potential risks and constraints

    Call #5: Create a detailed RFP

    Call #6: Identify strategy risks.

    Call #2: Assess outsourcing feasibility and processes to outsourceCall #4: Create a list of metrics to ensure efficient reporting

    Call #7: Prepare for vendor briefing and scoring each vendor

    Call #8: Build a communication plan

    A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 10 calls over the course of 4 to 6 months.

    Phase 1

    Define the goal

    Define the goal

    Design an outsourcing strategy

    Develop an RFP and make a long-term relationship

    1.1 Identify goals and objectives

    1.2 Assess outsourcing feasibility

    2.1 Identify project stakeholders

    2.2 Outline potential risks and constraints

    3.1 Prepare a service overview and responsibility matrix

    3.2 Define your approach to vendor relationship management

    3.3 Manage the outsource relationship

    This phase will walk you through the following activities:

    • Analysis outsourcing objectives
    • Assess outsourcing feasibility
    • Identify services and processes to outsource

    This phase involves the following participants:

    • Service Desk Team
    • IT Leadership

    Define requirements for outsourcing service desk support

    Step 1.1

    Identify goals and objectives

    Activities

    1.1.1 Find out why you want to outsource your service desk

    1.1.2 Document the benefits of outsourcing your service desk

    1.1.3 Identify your outsourcing vision and goals

    1.1.4 Prioritize service desk outsourcing goals to help structure your mission statement

    1.1.5 Craft a mission statement that demonstrates your decision to reach your outsourcing objectives

    Define the goal

    This step requires the following inputs:

    • List of strengths and weaknesses of the service desk
    • Challenges with the service desk

    This step involves the following participants:

    • CIO
    • IT Leadership
    • Service Desk Manager
    • IT Managers

    Outcomes of this step

    • Service desk outsourcing vision and goals
    • Benefits of outsourcing the service desk
    • Mission statement

    What is your rationale to outsource the service desk?

    Potential benefits of outsourcing the service desk:

    • Bring in the expertise and knowledge to manage tickets according to best-practice guidelines
    • Reduce the timeline to response and resolution
    • Improve IT productivity
    • Enhance IT services and improve performance
    • Augment relationship between IT and business through service-level improvement
    • Free up the internal team and focus IT on complex projects and higher priority tasks
    • Speed up service desk optimization
    • Improve end-user satisfaction through efficient IT services
    • Reduce impact of incidents through effective incident management
    • Increase service consistency via turnover reduction
    • Expand coverage hour and access points
    • Expand languages to service different geographical areas

    1.1.1 Find out why you want to outsource your service desk

    1 hour

    Service desk is the face of IT. Service desk improvement increases IT efficiency, lowers operation costs, and enhances business satisfaction.

    Common challenges that result in deciding to outsource the service desk are:

    Participants: IT Director, Service Desk Manager, Service Desk Team

    ChallengeExample
    Lack of tier 1 supportStartup does not have a dedicated service desk to handle incidents and provide services to end users.
    Inefficient ticket handlingMTTR is very high and end users are frustrated with their issues not getting solved quickly. Even if they call service desk, they are put on hold for a long time. Due to these inefficiencies, their daily work is greatly impacted.
    Restricted service hoursCompany headquartered in Texas does not have resources to provide 24/7 IT service. When users in the East Asia branch have a laptop issue, they must wait until the next day to get response from IT. This has diminished their satisfaction.
    Restricted languagesCompany X is headquartered in New York. An end user not fluent in English from Madrid calls in for support. It takes five minutes for the agent to understand the issue and log a ticket.
    Ticket backlogIT is in firefighting mode, very busy with taking care of critical incidents and requests from upper management. Almost no one is committed to the SLA because of their limited availability.

    Brainstorm your challenges with the service desk. Why have you decided to outsource your service desk? Use the above table as a sample.

    1.1.2 Document benefits of outsourcing your service desk

    1 hour

    1. Review the challenges with your current service desk identified in activity 1.1.1.
    2. Discuss possible ways to tackle these challenges. Be specific and determine ways to resolve these issues if you were to do it internally.
    3. Determine potential benefits of outsourcing the service desk to IT, business, and end users.
    4. For each benefit, describe dependencies. For instance, to reduce the number of direct calls (benefit), users should have access to service desk as a single point of contact (dependency).
    5. Document this activity in the Service Desk Outsourcing Project Charter Template.

    Download the Project Charter Template

    Input

    • List of challenges with the current service desk from activity 1.1.1

    Output

    • Benefits of outsourcing the service desk

    Materials

    • Whiteboard/flip charts
    • Markers
    • Sticky notes
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • Service Desk Team
    • IT Managers

    Why should you not consider cost reduction as a primary incentive to outsourcing the service desk?

    Assume that some of the costs will not go away with outsourcing

    When you outsource, the vendor's staff tend to gradually become less effective as:

    • They are managed by metrics to reduce costs by escalating sooner, reducing talk time, and proposing questionable solutions.
    • Turnover results in new employees that get insufficient training.

    You must actively manage the vendor to identify and resolve these issues. Many organizations find that service desk management takes more time after they outsource.

    You need to keep spending on service desk management, and you may not get away from technology infrastructure spending.

    Info-Tech Insight

    In their first year, almost 42% of Info-Tech's clients do not get the real value of outsourcing services as expected. This iss primarily because of misalignment of organizational goals with outcomes of the outsourced services.

    Consider the hidden costs of outsourcing

    Expected Costs

    Unexpected Costs

    Example

    Transition CostsSeverance and staff retention
    • Cost to adapt to vendor standards
    • Training cost of vendor staff
    • Lost productivity
    • Format for requirements
    • Training report developers to work with vendor systems
    FeesPrice of the engagement
    • Extra fees for additional services
    • Extra charges for uploading data to cloud storage
    • Portal access
    Management CostsTime directing account
    • Time directly managing vendor staff
    • Checking deliverables for errors
    • Disputing penalty amounts
    Rework CostsDowntime, defect rate, etc. (quality metrics measured in SLAs)
    • Time spent adapting deliverables for unanticipated requirements
    • Time spent assuring the quality and usefulness of deliverables
    • Completing quality assurance and updating knowledgebase articles
    • Adapting reporting for presentation to stakeholders

    Determine strategies to avoid each hidden cost

    Costs related to transitioning into the engagementAdapting to standards and training costs

    Adapting to standards: Define the process improvements you will need to work with each potential vendor.

    Training costs for vendor staff: Reduce training costs by keeping the same vendor staff on all of your projects.

    Fee-related costs

    Fees for additional services (that you thought were included)

    Carefully review each proposed statement of work to identify and reduce extra fees. Understand why extra fees occur in the SLA, the contract, and the proposed statement of work, and take steps to protect yourself and the vendor.

    Management-related costs

    Direct management of vendor staff and dispute resolution

    Direct management of vendor staff: Avoid excessive management costs by defining a two-tier management structure on both sides of the engagement.

    Time spent resolving disputes: Avoid prolonged resolution costs by defining terms of divorce for the engagement up front.

    Rework costs

    Unanticipated requirements and integration with existing systems

    Unanticipated requirements: Use a two-stage process to define requirements, starting with business people and then with review by technical staff.

    Integration with existing systems: Obtain a commitment from vendors that deliverables will conform to standards at points of integration with your systems.

    Your outsourcing strategy should address the reasons you decided to outsource

    A clear vision of strategic objectives prior to entering an outsourcing agreement will allow you to clearly communicate these objectives to the Managed Service Provider (MSP) and use them as a contracted basis for the relationship.

    • Define the business' overall approach to outsourcing along with the priorities, rules, and principles that will drive the outsourcing strategy and every subsequent outsourcing decision and activity.
    • Define specific business, service, and technical goals for the outsourcing project and relevant measures of success.

    "People often don't have a clear direction around what they're trying to accomplish. The strategic goals should be documented. Is this a cost-savings exercise? Is it because you're deficient in one area? Is it because you don't have the tools or expertise to run the service desk yourself? Figure out what problem you're trying to solve by outsourcing, then build your strategy around that.
    – Jeremy Gagne, Application Support Delivery Manager, Allegis Group

    Most organizations are driven to consider outsourcing their service desk hoping to improve the following:

    • Ability to scale (train people and acquire skills)
    • Focus on core competencies
    • Decrease capital costs
    • Access latest technology without large investment
    • Resolve labor force constraints
    • Gain access to special expertise without paying a full salary
    • Save money overall

    Info-Tech Insight

    Use your goals and objectives as a management tool. Clearly outline your desired project outcomes to both your in-house team and the vendor during implementation and monitoring. It will allow a common ground to unite both parties as the project progresses.

    Mitigate pitfalls that lay in the way of desired outcomes of outsourcing

    Desired outcomePitfalls to overcome
    IT can focus on core competencies and strategic initiatives rather than break-fix tasks.Escalation to second- and third-level support usually increases when the first level has been outsourced. Outsourcers will have less experience with your typical incidents and will give up on trying to solve some issues more quickly than your internal level-one staff.
    Low outsourcing costs compared to the costs needed to employ internal employees in the same role. Due to lack of incentive to decrease ticket volume, costs are likely to increase. As a result, organizations often find themselves paying more overall for an outsourced service desk than if they had a few dedicated IT service desk employees in-house.
    Improved employee morale as a result of being able to focus on more interesting tasks.Management often expects existing employee morale to increase as a result of shifting their focus to core and strategic tasks, but the fear of diminished job security often spreads to the remaining non-level-one employees.

    1.1.3 Identify outsourcing vision and goals

    Identify the goals and objectives of outsourcing to inform your strategy.

    Participants: IT Director, Service Desk Manager, Service Desk Team

    1-2 hours

    1. Meet with key business stakeholders and the service desk staff who were involved in the decision to outsource.
    2. As a group, review the results from activity 1.1.1 (challenges with current service desk operations) and identify the goals and objectives of the outsourcing initiative.
    3. Determine the key performance indicator (KPI) for each goal.
    4. Identify the impacted stakeholder/s for each goal.
    5. Discuss checkpoint schedule for each goal to make sure the list stays updated.

    Use the sample table as a starting point:

    1. Document your table in the Service Desk Outsourcing Project Charter Template.
    IDGoal DescriptionKPIImpacted StakeholdersCheckpoint Schedule
    1Provide capacity to take calls outside of current service desk work hours
    • Decreased in time to response
    • Decreased time to resolve
    • IT Entire organization
    • Every month
    2Take calls in different languages
    • Improved service delivery in different geographical regions
    • Improved end-user satisfaction
    • End users
    • Every month
    3Provide field support at remote sites with no IT presence without having to fly out an employee
    • 40% faster incident resolution and request fulfillment
    • Entire organization
    • Every month
    4Improve ease of management by vendor helping with managing and optimizing service desk tasks
    • Improved service management efficiency
    • Entire organization
    • Every 3 months

    Download the Project Charter Template

    Evaluate organizational demographics to assess outsourcing rationale

    The size, complexity, and maturity of your organization are good indicators of service desk direction with regards to outsourcing.

    Organization Size

    • As more devices, applications, systems, and users are added to the mix, vendor costs will increase but their ability to meet business needs will decrease.
    • Small organizations are often either rejected by vendors for being too small or locked into a contract that is overkill for their actual needs (and budget).

    Complexity

    • Highly customized environments and organizations with specialized applications or stringent regulatory requirements are very difficult to outsource for a reasonable cost and acceptable quality.
    • In these cases, the vendor is required to train skilled support or ends up escalating more tickets back to second- and third-level support.

    Requirements

    • Organizations looking to outsource must have defined outsourcing requirements before looking at vendors.
    • Without a requirement assessment, the vendor won't have guidelines to follow and you won't be able to measure their adherence.

    Info-Tech Insight

    Although less adherence to service desk best practices can be one of the main incentives to outsourcing the service desk, IT should have minimal processes in place to be able to set expectations with targeting vendors.

    1.1.4 Prioritize service desk outsourcing goals to help structure mission statement

    0.5-1 hour

    The evaluation process for outsourcing the service desk should be done very carefully. Project leaders should make sure they won't panic internal resources and impact their performance through the transition period.

    If the outsourcing process is rushed, it will result in poor evaluation, inefficient decision making, and project failure.

    1. Refer to results in activity 1.1.3. Discuss the service desk outsourcing goals once again.
    2. Brainstorm the most important objectives. Use sticky notes to prioritize the items from the most important to the least important.
    3. Edit the order accordingly.

    Input

    • Project goals from activity 1.1.3

    Output

    • Prioritized list of outsourcing goals

    Materials

    • Whiteboard/flip charts
    • Markers
    • Sticky notes
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • Service Desk Team
    • IT Managers

    Download the Project Charter Template

    1.1.5 Craft a mission statement that demonstrates your decision to reach outsourcing objectives

    Participants: IT Director, Service Desk Manager

    0.5-1 hour

    The IT mission statement specifies the function's purpose or reason for being. The mission should guide each day's activities and decisions. The mission statement should use simple and concise terminology and speak loudly and clearly, generating enthusiasm for the organization.

    Strong IT mission statements:

    • Articulate the IT function's purpose and reason for existence
    • Describe what the IT function does to achieve its vision
    • Define the customers of the IT function
    • Can be described as:
      • Compelling
      • Easy to grasp
      • Sharply focused
      • Inspirational
      • Memorable
      • Concise

    Sample mission statements:

    • To help fulfill organizational goals, IT has decided to empower business stakeholders with outsourcing the service desk.
    • To support efficient IT service provision, better collaboration, and effective communication, [Company Name] has decided to outsource the service desk.
    • [Company Name] plans to outsource the service desk so it can identify bottlenecks and inefficiencies with current service desk processes and enable [Company Name] to innovate and support business growth.
    • Considering the goals and benefits determined in the previous activities, outline a mission statement.
    • Document your outsourcing mission statement in the "Project Overview" section of the Project Charter Template.

    Download the Project Charter Template

    Step 1.2

    Assess outsourcing feasibility

    Activities

    1.2.1 Create a baseline of customer experience

    1.2.2 Identify service desk processes to outsource

    1.2.3 Design an outsourcing decision matrix for service desk processes and services

    1.2.4 Discuss if you need to outsource only service desk or if additional services would benefit from outsourcing too

    Define the goal

    This step requires the following inputs:

    • List of service desk tasks and responsibilities

    This step involves the following participants:

    • CIO
    • IT Leadership
    • Service Desk Manager
    • Infrastructure Manager

    Outcomes of this step

    • End-user satisfaction with the service desk
    • List of processes and services to outsource

    1.2.1 Create a baseline of customer experience

    Solicit targeted department feedback on IT's core service capabilities, communications, and business enablement from end users. Use this feedback to assess end-user satisfaction with each service, broken down by department and seniority level.

    1. Complete an end-user satisfaction survey to define the current state of your IT services, including service desk (timeliness and effectiveness). With Info-Tech's end-user satisfaction program, an analyst will help you set up the diagnostic and will go through the report with you.
    2. Evaluate survey results.
    3. Communicate survey results with team leads and discuss the satisfaction rates and comments of the end users.
    4. Schedule to launch another survey one year after outsourcing the service desk.
    5. Your results will be compared to the following year's results to analyze the overall success/failure of your outsourcing project.

    A decrease of business and end-user satisfaction is a big drive to outsourcing the service desk. Conduct a customer service survey to discover your end-user experience prior to and after outsourcing the service desk.

    Don't get caught believing common misconceptions: outsourcing doesn't mean sending away all the work

    First-time outsourcers often assume they are transferring most of the operations over to the vendor, but this is often not the case.

    1. Management of performance, SLAs, and customer satisfaction remain the responsibility of your organization.
    2. Service desk outsource vendors provide first-line response. This includes answering the phones, troubleshooting simple problems, and redirecting requests that are more complex.
    3. The vendor is often able to provide specialized support for standard applications (and for customized applications if you'll pay for it). However, the desktop support still needs someone onsite, and that service is very expensive to outsource.
    4. Tickets that are focused on custom applications and require specialized or advanced support are escalated back to your organization's second- and third-level support teams.

    Switching to a vendor won't necessarily improve your service desk maturity

    You should have minimal requirements before moving.

    Whether managing in-house or outsourcing, it is your job to ensure core issues have been clarified, processes defined, and standards maintained. If your processes are ad-hoc or non-existent right now, outsourcing won't fix them.

    You must have the following in place before looking to outsource:

    • Defined reporting needs and plans
    • Formalized skill-set requirements
    • Problem management and escalation guidelines
    • Ticket templates and classification rules
    • Workflow details
    • Knowledge base standards

    Info-Tech Insight

    If you expect your problems to disappear with outsourcing, they might just get worse.

    Define long-term requirements

    Anticipate growth throughout the lifecycle of your outsourcing contract and build that into the RFP

    • Most outsourcing agreements typically last three to five years. In that time, you risk outgrowing your service provider by neglecting to define your long-term service desk requirements.
    • Outgrowing your vendor before your contract ends can be expensive due to high switching costs. Managing multiple vendors can also be problematic.
    • It is crucial to define your service desk requirements before developing a request for proposal to make sure the service you select can meet your organization's needs.
    • Make sure that the business is involved in this planning stage, as the goals of IT need to scale with the growth strategy of the business. You may select a vendor with no additional capacity despite the fact that your organization has a major expansion planned to begin two years from now. Assessing future requirements also allows you to culture match with the vendor. If your outlooks and practices are similar, the match will likely click.

    Info-Tech Insight

    Don't select a vendor for what your company is today – select a vendor for what your company will be years from now. Define your future service desk requirements in addition to your current requirements and leave room for growth and development.

    You can't outsource everything

    Manage the things that stay in-house well or suffer the consequences.

    "You can't outsource management; you can only outsource supervision." Barry Cousins, Practice Lead, Info-Tech Research Group

    What can be the vendor in charge of?

    What stays in-house?

    • Call and email answering
    • Ongoing daily ticket creation and tracking
    • Tier 1 support
    • Internal escalation to Level 2 support
    • External escalation to specialized Level 2 and Level 3 support
    • Knowledge base article creation
    • Service desk-related hardware acquisition and maintenance
    • Service desk software acquisition and maintenance
    • Security and access management
    • Disaster recovery
    • Staff acquisition
    • Facilities
    • The role of the Service Desk Manager
    • Skills and training standards
    • Document standardization
    • Knowledge base quality assurance and documentation standardization
    • Self-service maintenance, promotion, and ownership
    • Short and long-term tracking of vendor performance

    Info-Tech Insight

    The need for a Service Desk Manager does not go away when you outsource. In fact, the need becomes even stronger and never diminishes.

    Assess current service desk processes before outsourcing

    Process standards with areas such as documentation, workflow, and ticket escalation should be in place before the decision to outsource has been made.

    Every effective service desk has a clear definition of the services that they are performing for the end user. You can't provide a service without knowing what the services are.

    MSPs typically have their own set of standards and processes in play. If your service desk is not at a similar level of maturity, outsourcing will not be pleasant.

    Make sure that your metrics are reported consistently and that they tell a story.

    "Establish baseline before outsourcing. Those organizations that don't have enough service desk maturity before outsourcing should work with the outsourcer to establish the baseline."
    – Yev Khobrenkov, Enterprise Consultant, Solvera Solutions

    Info-Tech Insight

    Outsourcing vendors are not service desk builders; they're service desk refiners. Switching to a vendor won't improve your maturity; you must have a certain degree of process maturity and standardization before moving.

    Case Study

    INDUSTRY: Cleaning Supplies

    SOURCE: PicNet

    Challenge

    • Reckitt Benckiser of Australia determined that its core service desk needed to be outsourced.
    • It would retain its higher level service desk staff to work on strategic projects.
    • The MSP needed to fulfill key requirements outlined by Reckitt Benckiser.

    Solution

    • Reckitt Benckiser recognized that its rapidly evolving IT needs required a service desk that could fulfill the following tasks:
    • Free up internal IT staff.
    • Provide in-depth understanding of business apps.
    • Offer efficient, cost-effective support onsite.
    • Focus on continual service improvement (CSI).

    Results

    • An RFP was developed to support the outsourcing strategy.
    • With the project structure outlined and the requirements of the vendor for the business identified, Reckitt Benckiser could now focus on selecting a vendor that met its needs.

    1.2.1 Identify service desk processes to outsource

    2-3 hours

    Review your prioritized project goals from activity 1.1.4.

    Brainstorm requirements and use cases for each goal and describe each use case. For example: To improve service desk timeliness, IT should improve incident management, to resolve incidents according to the defined SLA and based on ticket priority levels.

    Discuss if you're outsourcing just incident management or both incident management and request fulfillment. If both, determine what level of service requests will be outsourced? Will you ask the vendor to provide a service catalog? Will you outsource self-serve and automation?

    Document your findings in the service desk outsourcing requirements database library.

    Input

    • Outsourcing project goals from activity 1.1.4

    Output

    • List of processes to outsource

    Materials

    • Sticky notes
    • Markers
    • Whiteboard/flip charts
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • Service Desk Team

    Download the Requirements Database Library

    1.2.2 Design an outsourcing decision matrix for service desk processes and services

    Participants: IT Director, Service Desk Manager, Infrastructure manager

    2-3 hours

    Most successful service desk outsourcing engagements have a primary goal of freeing up their internal resources to work on complex tasks and projects. The key outsourcing success factor is to find out internal services and processes that are standardized or should be standardized, and then determine if they can be outsourced.

    1. Review the list of identified service desk processes from activity 1.2.1.
    2. Discuss the maturity level of each process (low, medium, high) and document under the maturity column of the Outsource the Service Desk Requirements Database Library.
    3. Use the following decision matrix for each process. Discuss which tasks are important to strategic objectives, which ones provide competitive advantage, and which ones require specialized in-house knowledge.
    4. Identify processes that receive high vendor's performance advantage. For instance, access to talent, lower cost at scale, and access to technology.
    5. In your outsourcing assessment, consider a narrow scope of engagement and a broad view of what is important to business outcome.
    6. Based on your findings, determine the priority of each process to be outsourced. Document results in the service desk outsourcing requirements database library, and section 4.1 of the service desk outsourcing project charter.
    • Important to strategic objectives
    • Provides competitive advantage
    • Specialized in-house knowledge required

    This is an image of a quadrant analysis, where the X axis is labeled Vendor's Performance Advantage, and the Y axis is labeled Importance to Business Outcomes.

    • Talent/access to skills
    • Economies of scale/lower cost at scale
    • Access to technology

    Download the Requirements Database Library

    Download the Project Charter Template

    Maintain staff and training: you need to know who is being hired, how, and why

    Define documentation rules to retain knowledge

    • Establish a standard knowledge article template and list of required information.
    • Train staff on the requirements of knowledge base creation and management. Help them understand the value of the time spent recording their work.
    • It is your responsibility to assure the quality of each knowledge article. Outline accountabilities for internal staff and track for performance evaluations.

    For information on better knowledge management, refer to Info-Tech's blueprint Optimize the Service Desk With a Shift-Left Strategy.

    Expect to manage stringent skills and training standards

    • Plan on being more formal about a Service Manager position and spending more time than you allocated previously.
    • Complete a thorough assessment of the skills you need to keep the service desk running smoothly.
    • Don't forget to account for any customized or proprietary systems. How will you train vendor staff to accommodate your needs? What does their turnaround look like: would it be more likely that you acquire a dependable employee in-house?
    • Staffing requirements need to be actively monitored to ensure the outsourcer doesn't have degradation of quality or hiring standards. Don't assume that things run well – complete regular checks and ask for access to audit results.
    • Are the systems and data being accessed by the vendor highly sensitive or subject to regulatory requirements? If so, it is your job to ensure that vendor staff are being screened appropriately.

    Does your service desk need to integrate to other IT services?

    A common challenge when outsourcing multiple services to more than one vendor is a lack of collaboration and communication between vendors.

    • Leverage SIAM capabilities to integrate service desk tasks to other IT services, if needed.
    • "Service Integration and Management (SIAM) is a management methodology that can be applied in an environment that includes services sourced from a number of service providers" (Scopism Limited, 2020).
    • SIAM supports cross-functional integrations. Organizations that look for a single provider will be less likely to get maximum benefits from SIAM.

    There are three layers of entities in SIAM:

    • Customer Organization: The customer who receives services, who defines the relationship with service providers.
    • Service Integrator: End-to-end service governance and integration is done at this layer, making sure all service providers are committed to their services.
    • Service Provider: Responsible party for service delivery according to contract. It can be combination of internal provider, managed by internal agreements, and external provider, managed by SLAs between providers and customer organization.

    Use SIAM to obtain better results from multiple service providers

    In the SIAM model, the customer organization keeps strategic, governance, and business activities, while integrating other services (either internally or externally).

    This is an image of the SIAM model

    SIAM Layers. Source: SIAM Foundation BoK

    Utilize SIAM to obtain better results from multiple service providers

    SIAM reduces service duplication and improves service delivery via managing internal and external service providers.

    To utilize the SIAM model, determine the following components:

    • Service providers
    • Service consumers
    • Service outcomes
    • Service obstacles and boundaries
    • Service dependencies
    • Technical requirements and interactions for each service
    • Service data and information including service levels

    To learn more about adopting SIAM, visit Scopism.

    1.2.3 Discuss if you need to outsource only service desk or if additional services would benefit from outsourcing too

    1-2 hours

    • Discuss principles and goals of SIAM and how integrating other services can apply within your processes.
    • Review the list of service desk processes and tasks to be outsourced from activities 1.2.1 and 1.2.2.
    • Brainstorm a list of other services that are outsourced/need to be outsourced.
    • Determine providers of each service (both internal and external). Document the other services to be integrated in the project charter template and requirements database library.

    Input

    • SIAM objectives
    • List of service desk processes to outsource

    Output

    • List of other services to outsource and integrate in the project

    Materials

    • Sticky notes
    • Markers
    • Whiteboard/flip charts
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • Service Desk Team

    Download the Requirements Database Library

    Download the Project Charter Template

    Establish requirements for problem management in the outsourcing plan

    Your MSP should not just fulfill SLAs – they should be a proactive source of value.

    Problem management is a group effort. Make sure your internal team is assisted with sufficient and efficient data by the outsourcer to conduct a better problem management.

    Clearly state your organization's expectations for enabling problem management. MSPs may not necessarily need, and cannot do, problem management; however, they should provide metrics to help you discover trends, define recurring issues, and enable root cause analysis.

    For more information on problem management, refer to Info-Tech's blueprint Improve Incident and Problem Management.

    PROBLEM MANAGEMENT

    INCIDENT MANAGEMENT

    INTAKE: Ticket data from incident management is needed for incident matching to identify problems. Critical Incidents are also a main input to problem management.

    EVENT MANAGEMENT

    INTAKE: SMEs and operations teams monitoring system health events can identify indicators of potential future issues before they become incidents.

    APPLICATION, INFRASTRUCTURE, and SECURITY TEAMS

    ACTION: Problem tickets require investigation from relevant SMEs across different IT teams to identify potential solutions or workarounds.

    CHANGE MANAGEMENT

    OUTPUT: Problem resolution may need to go through Change Management for proper authorization and risk management.

    Outline problem management protocols to gain value from your service provider

    • For example, with a deep dive into ticket trend analysis, your MSP should be able to tell you that you've had a large number of tickets on a particular issue in the past month, allowing you to look into means to resolve the issue and prevent it from reoccurring.
    • A proactive MSP should be able to help your service levels improve over time. This should be built into the KPIs and metrics you ask for from the outsourcer.

    Sample Scenario

    Your MSP tracks ticket volume by platform.

    There are 100 network tickets/month, 200 systems tickets/month, and 5,000 end-user tickets/month.

    Tracking these numbers is a good start, but the real value is in the analysis. Why are there 5,000 end-user tickets? What are the trends?

    Your MSP should be providing a monthly root-cause analysis to help improve service quality.

    Outcomes:

    1. Meeting basic SLAs tells a small part of the story. The MSP is performing well in a functional sense, but this doesn't shed any insight on what kind of knowledge or value is being added.
    2. The MSP should provide routine updates on ticket trends and other insights gained through data analysis.
    3. A commitment to continual improvement will provide your organization with value throughout the duration of the outsourcing agreement.

    Phase 2

    Design an Outsourcing Strategy

    Define the goal

    Design an outsourcing strategy

    Develop an RFP and make a long-term relationship

    1.1 Identify goals and objectives

    1.2 Assess outsourcing feasibility

    2.1 Identify project stakeholders

    2.2 Outline potential risks and constraints

    3.1 Prepare a service overview and responsibility matrix

    3.2 Define your approach to vendor relationship management

    3.3 Manage the outsource relationship

    This phase will walk you through the following activities:

    • Identify roles and responsibilities
    • Determine potential risks of outsourcing the service desk
    • Build a list of metrics

    This phase involves the following participants:

    • Service Desk Team
    • IT Leadership

    Define requirements for outsourcing service desk support

    Step 2.1

    Identify project stakeholders

    Activity

    2.1.1 Identify internal outsourcing roles and responsibilities

    Design an Outsourcing Strategy

    This step requires the following inputs:

    • List of service desk roles
    • Service desk outsourcing goals

    This step involves the following participants:

    • IT Managers
    • Project Team
    • Service Desk Manager

    Outcome of this step

    • Outsourcing roles and responsibilities

    Design an outsourcing strategy to capture the vision of your service desk

    An outsourcing strategy is crucial to the proper accomplishment of an outsourcing project. By taking the time to think through your strategy beforehand, you will have a clear idea of your desired outcomes. This will make your RFP of higher quality and will result in a much easier negotiation process.

    Most MSPs are prepared to offer a standard proposal to clients who do not know what they want. These are agreements that are doomed to fail. A clearly defined set of goals (discussed in Phase 1), risks, and KPIs and metrics (covered in this phase) makes the agreement more beneficial for both parties in the long run.

    1. Identify goals and objectives
    2. Determine mission statement
    3. Define roles and responsibilities
    4. Identify risks and constraints
    5. Define KPIs and metrics
    6. Complete outsourcing strategy

    A successful outsourcing initiative depends on rigorous preparation

    Outsourcing is a garbage in, garbage out initiative. You need to give your service provider the information they need to provide an effective product.

    • Data quality is critical to your outsourcing initiative's success.
    • Your vendor will be much better equipped to help you and to better price its services if it has a thorough understanding of your IT environment.
    • This means more than just building a catalog of your hardware and software. You will need to make available documented policies and processes so you and your vendor can understand where they fit in.
    • Failure to completely document your environment can lead to a much longer time to value as your provider will have to spend much more time (and thus much more money) getting their service up and running.

    "You should fill the gap before outsourcing. You should make sure how to measure tickets, how to categorize, and what the cost of outsourcing will be. Then you'll be able to outsource the execution of the service. Start your own processes and then outsource their execution."
    – Kris Krishan, Head of IT and business systems, Waymo

    Case Study

    Digital media company built an outsourcing strategy to improve customer satisfaction

    INDUSTRY: Digital Media

    SOURCE: Auxis

    Challenge

    A Canadian multi-business company with over 13,000 employees would like to maintain a growing volume of digital content with their endpoint management.

    The client operated a tiered model service desk. Tier 1 was outsourced, and tier 2 tasks were done internally, for more complex tasks and projects.

    As a result of poor planning and defining goals, the company had issues with:

    • Low-quality ticket handling
    • High volume of tickets escalated to tier 2, restraining them from working on complex tickets
    • High turn over and a challenge with talent retention
    • Insufficient documentation to train external tier 1 team
    • Long resolution time and low end-user satisfaction

    Solution

    The company structured a strategy for outsourcing service desk and defined their expectations and requirements.

    They engaged with another outsourcer that would fulfill their requirements as planned.

    With the help of the outsourcer's consulting team, the client was able to define the gaps in their existing processes and system to:

    • Implement a better ticketing system that could follow best-practices guidelines
    • Restructure the team so they would be able to handle processes efficiently

    Results

    The proactive planning led to:

    • Significant improvement in first call resolution (82%).
    • MTTR improvement freed tier 2 to focus on business strategic objectives and allowed them to work on higher-value activities.
    • With a better strategy around outsourcing planning, the company saved 20% of cost compared to the previous outsourcer.
    • As a result of this partnership, the company is providing a 24/7 structure in multiple languages, which is aligned with the company's growth.
    • Due to having a clear strategy built for the project, the client now has better visibility into metrics that support long-term continual improvement plans.

    Define roles and responsibilities for the outsourcing transition to form the base of your outsourcing strategy

    There is no "I" in outsource; make sure the whole team is involved

    Outsourcing is a complete top-to-bottom process that involves multiple levels of engagement:

    • Management must make high-level decisions about staffing and negotiate contract details with the vendor.
    • Service desk employees must execute on the documentation and standardization of processes in an effort to increase maturity.
    • Roles and responsibilities need to be clearly defined to ensure that all aspects of the transition are completed on time.
    • Implement a full-scale effort that involves all relevant staff. The most common mistake is to have the project design follow the same top-down pattern as the decision-making process.

    Info-Tech Insight

    The service desk doesn't operate in isolation. The service desk interfaces with many other parts of the organization (such as finance, purchasing, field support, etc.), so it's important to ensure you engage stakeholders from other departments as well. If you only engage the service desk staff in your discussions around outsourcing strategy and RFP development, you may miss requirements that will come up when it's too late.

    2.1.1 Identify internal outsourcing roles and responsibilities

    2 hours

    1. The sample RACI chart in section 5 of the Project Charter Template outlines which positions are responsible, accountable, consulted, and informed for each major task within the outsourcing project.
    2. Responsible, is the group that is responsible for the execution and oversight of activities for the project. Accountable is the owner of the task/process, who is accountable for the results and outcomes. Consulted is the subject matter expert (SME) who is actively involved in the task/process and consulted on decisions. Informed is not actively involved with the task/process and is updated about decisions around the task/process.
    3. Make sure that you assign only one person as accountable per process. There can be multiple people responsible for each task. Consulted and Informed are optional for each task.
    4. Complete the RACI chart with recommended participants, and document in your service desk outsourcing project charter, under section 5.

    Input

    • RACI template
    • Org chart

    Output

    • List of roles and responsibilities for outsource project

    Materials

    • Whiteboard/flip charts
    • Markers
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • Service Desk Team

    Download the Project Charter Template

    Step 2.2

    Outline potential risks and constraints

    Activities

    2.2.1 Identify potential risks and constraints that may impact achievement of objectives

    2.2.2 Arrange groups of tension metrics to balance your reporting

    Design an Outsourcing Strategy

    This step will walk you through the following activities:

    • Outsourcing objectives
    • Potential risks

    This step involves the following participants:

    • IT Managers
    • Project Team
    • Service Desk Manager

    Outcomes of this step

    • Mitigation strategy for each risk
    • Service desk metrics

    Know your constraints to reduce surprises during project implementation

    No service desk is perfect; know your limits and plan accordingly

    Define your constraints to outsourcing the service desk.

    Consider all types of constraints and opportunities, including:

    • Business forces
    • Economic cycles
    • Disruptive tech
    • Regulation and compliance issues
    • Internal organizational issues

    Within the scope of a scouring decision, define your needs and objectives, measure those as much as possible, and compare them with the "as-is" situation.

    Start determining what alternative approaches/scenarios the organization could use to fill the gaps. Start a comparison of scenarios against drivers, goals, and risks.

    Constraints

    Goals and objectives

    • Budget
    • Maturity
    • Compliance
    • Regulations
    • Outsourcing Strategy

    Plan ahead for potential risks that may impede your strategy

    Risk assessment must go hand-in-hand with goal and objective planning

    Risk is inherent with any outsourcing project. Common outsourcing risks include:

    • Lack of commitment to the customer's goals from the vendor.
    • The distraction of managing the relationship with the vendor.
    • A perceived loss of control and a feeling of over-dependence on your vendor.
    • Managers may feel they have less influence on the development of strategy.
    • Retained staff may feel they have become less skilled in their specialist field.
    • Unanticipated expenses that were assumed to be offered by the vendor.
    • Savings only result from high capital investment in new projects on the part of the customer.

    Analyze the risks associated with a specific scenario. This analysis should identify and understand the most common sourcing and vendor risks using a risk-reward analysis for selected scenarios. Use tools and guidelines to assess and manage vendor risk and tailor risk evaluation criteria to the types of vendors and products.

    Info-Tech Insight

    Plan for the worst to prevent it from happening. Evaluating risk should cover a wide variety of scenarios including the worst possible cases. This type of thinking will be crucial when developing your exit strategy in a later exercise.

    2.2.1 Identify potential risks and constraints that may impact achievement of objectives

    1-3 hours

    1. Brainstorm any potential risks that may arise through the outsourcing project. Describe each risk and categorize both its probability of occurring and impact on the organization as high (H), medium (M), or low (L), using the table below:
    Risk Description

    Probability(H/M/L)

    Impact(H/M/L)Planned Mitigation
    Lack of documentationMMUse cloud-based solution to share documents.
    Knowledge transferLMDetailed knowledge-sharing agreement in place in the RFP.
    Processes not followedLHClear outline and definition of current processes.
    1. Identify any constraints for your outsourcing strategy that may restrict, limit, or place certain conditions on the outsourcing project.
      • This may include budget restrictions or staffing limitations.
      • Identifying constraints will help you be prepared for risks and will lessen their impact.
    2. Document risks and constraints in section 6 of the Service Desk Outsourcing Project Charter Template.

    Input

    • RACI template
    • Org chart

    Output

    • List of roles and responsibilities for outsource project

    Materials

    • Whiteboard/flip charts
    • Markers

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • Service Desk Team

    Download the Project Charter Template

    Define service tiers and roles to develop clear vendor SLAs

    Management of performance, SLAs, and customer satisfaction remain the responsibility of your organization.

    Define the tiers and/or services that will be the responsibility of the MSP, as well as escalations and workflows across tiers. A sample outsourced structure is displayed here:

    External Vendor

    Tickets beyond the scope of the service desk staff need to be escalated back to the vendor responsible for the affected system.

    Tier 3

    Tickets that are focused on custom applications and require specialized or advanced support are escalated back to your organization's second- and third-level support teams.

    Tier 2

    The vendor is often able to provide specialized support for standard applications. However, the desktop support still needs someone onsite as that service is very expensive to outsource.

    Tier 1

    Service desk outsource vendors provide first-line response. This includes answering the phones, troubleshooting simple problems, and redirecting requests that are more complex.

    Info-Tech Insight

    If you outsource everything, you'll be at the mercy of consultancy or professional services shops later on. You won't have anyone in-house to help you deploy anything; you're at the mercy of a consultant to come in and tell you what to do and how much to spend. Keep your highly skilled people in-house to offset what you'd have to pay for consultancy. If you need to repatriate your service desk later on, you will need skills in-house to do so.

    Don't become obsessed with managing by short-term metrics – look at the big picture

    "Good" metric results may simply indicate proficient reactive fixing; long-term thinking involves implementing proactive, balanced solutions.

    KPIs demonstrate that you are running an effective service desk because:

    • You close an average of 300 tickets per week
    • Your first call resolution is above 90%
    • Your talk time is less than five minutes
    • Surveys reveal clients are satisfied

    While these results may appear great on the surface, metrics don't tell the whole story.

    The effort from any support team seeks to balance three elements:

    FCR: Time; Resources; Quality

    First-Contact Resolution (FCR) Rate

    Percentage of tickets resolved during first contact with user (e.g. before they hang up or within an hour of submitting ticket). Could be measured as first-contact, first-tier, or first-day resolution.

    End-User Satisfaction

    Perceived value of the service desk measured by a robust annual satisfaction survey of end users and/or transactional satisfaction surveys sent with a percentage of tickets.

    Ticket Volume and Cost Per Ticket

    Monthly operating expenses divided by average ticket volume per month. Report ticket volume by department or ticket category, and look at trends for context.

    Average Time to Resolve (incidents) or Fulfill (service requests)

    Time elapsed from when a ticket is "open" to "resolved." Distinguish between ticket resolution vs. closure, and measure time for incidents and service requests separately.

    Focus on tension metrics to achieve long-term success

    Tension metrics help create a balance by preventing teams from focusing on a single element.

    For example, an MSP built incentives around ticket volume for their staff, but not the quality of tickets. As a result, the MSP staff rushed through tickets and gamed the system while service quality suffered.

    Use metrics to establish baselines and benchmarking data:

    • If you know when spikes in ticket volumes occur, you can prepare to resource more appropriately for these time periods
    • Create KB articles to tackle recurring issues and assist tier 1 technicians and end users.
      • Employ a root cause analysis to eliminate recurring tickets.

    "We had an average talk time of 15 minutes per call and I wanted to ensure they could handle those calls in 15 minutes. But the behavior was opposite, [the vendor] would wrap up the call, transfer prematurely, or tell the client they'd call them back. Service levels drive behavior so make sure they are aligned with your strategic goals with no unintended consequences."
    – IT Services Manager, Banking

    Info-Tech Insight

    Make sure your metrics work cooperatively. Metrics should be chosen that cause tension on one another. It's not enough to rely on a fast service desk that doesn't have a high end-user satisfaction rate or runs at too high a cost; there needs to be balance.

    2.2.2 Arrange groups of tension metrics to balance your reporting

    1-3 hours

    1. Define KPIs and metrics that will be critical to service desk success.
    2. Distribute sticky notes of different colors to participants around the table.
    3. Select a space to place the sticky notes – a table, whiteboard, flip chart, etc. – and divide it into three zones.
    4. Refer to your defined list of goals and KPIs from activity 1.1.3 and discuss metrics to fulfill each KPI. Note that each goal (critical success factor, CSF) may have more than one KPI. For instance:
      1. Goal 1: Increase end-user satisfaction; KPI 1: Improve average transactional survey score. KPI 2: Improve annual relationship survey score.
      2. Goal 2: Improve service delivery; KPI 1: Reduce time to resolve incidents. KPI 2: Reduce time to fulfill service requests.
    5. Recall that tension metrics must form a balance between:
      1. Time
      2. Resources
      3. Quality
    6. Record the results in section 7 of the Service Desk Outsourcing Project Charter Template.

    Input

    • Service desk outsourcing goals
    • Service desk outsourcing KPIs

    Output

    • List of service desk metrics

    Materials

    • Whiteboard/flip charts
    • Sticky notes
    • Markers
    • Laptops

    Participants

    • Project Team
    • Service Desk Manager

    Download the Project Charter Template

    Phase 3

    Develop an RFP and make a long-term relationship

    Define the goal

    Design an outsourcing strategy

    Develop an RFP and make a long-term relationship

    1.1 Identify goals and objectives

    1.2 Assess outsourcing feasibility

    2.1 Identify project stakeholders

    2.2 Outline potential risks and constraints

    3.1 Prepare a service overview and responsibility matrix

    3.2 Define your approach to vendor relationship management

    3.3 Manage the outsource relationship

    This phase will walk you through the following activities:

    • Build your outsourcing RFP
    • Set expectations with candidate vendors
    • Score and select your vendor
    • Manage your relationship with the vendor

    This phase involves the following participants:

    • CIO
    • Service Desk Manager
    • IT Managers
    • Project Managers

    Define requirements for outsourcing service desk support

    Step 3.1

    Prepare a service overview and responsibility matrix

    Activities

    3.1.1 Evaluate your technology, people, and process requirements

    3.1.2 Outline which party will be responsible for which service desk processes

    This step requires the following inputs:

    • Service desk processes and requirements

    This step involves the following participants:

    • CIO
    • Service Desk Manager
    • IT Managers
    • Project Managers

    Outcomes of this step

    • Knowledge management and technology requirements
    • Self-service requirements

    Develop an RFP and make a long-term relationship

    Create a detailed RFP to ensure your candidate vendor will fulfill all your requirements

    At its core, your RFP should detail the outcomes of your outsourcing strategy and communicate your needs to the vendor.

    The RFP must cover business needs and the more detailed service desk functions required. Many enterprises only consider the functionality they need, while ignoring operational and selection requirements.

    Negotiate a supply agreement with the preferred outsourcer for delivery of the required services. Ensure your RFP covers:

    1. Service specification
    2. Service levels
    3. Roles and responsibilities
    4. Transition period and acceptance
    5. Prices, payment, and duration
    6. Agreement administration
    7. Outsourcing issues

    In addition to defining your standard requirements, don't forget to take into consideration the following factors when developing your RFP:

    • Employee onboarding and hardware imaging for new users
    • Applications you need current and future support for
    • Reporting requirements
    • Self-service options
    • Remote support needs and locations

    Although it may be tempting, don't throw everything over the wall at your vendor in the RFP. Evaluate your service desk functions in terms of quality, cost effectiveness, and the value provided from the vendor. Organizations should only outsource functions that the vendor can operate better, faster, or cheaper.

    Info-Tech Insight

    Involve the right stakeholders in developing your RFP, not just service desk. If only service desk is involved in RFP discussion, the connection between tier 1 and specialists will be broken, as some processes are not considered from IT's point of view.

    Identify ITSM solution requirements

    Your vendor probably uses a different tool to manage their processes; make sure its capabilities align with the vision of your service desk.

    Your service desk and outsourcing strategy were both designed with your current ITSM solution in mind. Before you hand the reins to an MSP, it is crucial that you outline how your current ITSM solution is being used in terms of functionality.

    Find out if it's better to have the MSP use their own ITSM tools or your ITSM solution.

    Benefits of operating within your own ITSM while outsourcing the service desk:

    Disadvantages of using your own ITSM while outsourcing the service desk:

    • If you provide the service catalog, it's easier to control your ITSM tool yourself.
    • Using your own ITSM and giving access to the outsourcer will allow you to build your dashboard and access your operational metrics rather than relying on the MSP to provide you with metrics.
    • Usage of the current tool may be extended across multiple departments, so it may be in the best interest of your business to have the vendor adopt usage of the current tool.
    • While many ITSM solutions have similar functions, innate differences do exist between them. Outsourcers mostly want to operate in their own ticketing solution. As other departments besides IT may be using the service management tool, you will need to have the same tool across the organization. This makes purchasing the new ITSM license very expensive, unless you operate in the same ITSM as the outsourcer.
    • You need your vendor to be able to use the system you have in order to meet your requirements, which will limit your options in the market.
    • If the outsourcer is using your ITSM, you should provide training to them.

    Info-Tech Insight

    Defining your tool requirements can be a great opportunity to get the tool functionality you always wanted. Many MSPs offer enterprise-level ITSM tools and highly mature processes that may tempt you to operate within their ITSM environment. However, first define your goals for such a move, as well as pros and cons of operating in their service management tool to weigh if its benefits overweigh its downfalls.

    Case Study

    Lone Star College learned that it's important to select a vendor whose tool will work with your service desk

    INDUSTRY: Education

    SOURCE: ServiceNow

    Challenge

    Lone Star College has an end-user base of over 100,000 staff and students.

    The college has six campuses across the state of Texas, and each campus was using its own service desk and ITSM solution.

    Initially, the decision was to implement a single ITSM solution, but organizational complexity prevented that initiative from succeeding.

    A decision was made to outsource and consolidate the service desks of each of the campuses to provide more uniform service to end users.

    Solution

    Lone Star College selected a vendor that implemented FrontRange.

    Unfortunately, the tool was not the right fit for Lone Star's service and reporting needs.

    After some discussion, the outsourcing vendor made the switch to ServiceNow.

    Some time later, a hybrid outsourced model was implemented, with Lone Star and the vendor combining to provide 24/7 support.

    Results

    The consolidated, standardized approach used by Lone Star College and its vendor has created numerous benefits:

    • Standardized reporting
    • High end-user satisfaction
    • All SLAs are being met
    • Improved ticket resolution times
    • Automated change management.

    Lone Star outsourced in order to consolidate its service desks quickly, but the tools didn't quite match.

    It's important to choose a tool that works well with your vendor's, otherwise the same standardization issues can persist.

    Design your RFP to help you understand what the vendor's standard offerings are and what it is capable of delivering

    Your RFP should be worded in a way that helps you understand what your vendor's standard offerings are because that's what they're most capable of delivering. Rather than laying out all your requirements in a high level of detail, carefully craft your questions in a probing way. Then, understand what your current baseline is, what your target requirements are, and assess the gap.

    Design the RFP so that responses can easily be compared against one another.

    It is common to receive responses that are very different – RFPs don't provide a response framework. Comparing vastly different responses can be like comparing apples to oranges. Not only are they immensely time consuming to score, their scores also don't end up accurately reflecting the provider's capabilities or suitability as a vendor.

    If your RFP is causing a ten minute printer backlog, you're doing something wrong.

    Your RFP should not be hundreds of pages long. If it is, there is too much detail.

    Providing too much detail can box your responses in and be overly limiting on your responses. It can deter potentially suitable provider candidates from sending a proposal.

    Request
    For
    Proposal

    "From bitter experience, if you're too descriptive, you box yourself in. If you're not descriptive enough, you'll be inundated with questions or end up with too few bidders. We needed to find the best way to get the message across without putting too much detail around it."
    – Procurement Manager, Utilities

    Info-Tech's Service Desk Outsourcing RFP Template contains nine sections

    1. Statement of work
      • Purpose, coverage, and participation ààInsert the purpose and goals of outsourcing your service desk, using steps 1.1 findings in this blueprint as reference.
    2. General information
      • Information about the document, enterprise, and schedule of events ààInsert the timeline you developed for the RFP issue and award process in this section.
    3. Proposal preparation instructions
      • The vendor's understanding of the RFP, good faith statement, points of contact, proposal submission, method of award, selection and notification.
    4. Service overview
      • Information about organizational perspective, service desk responsibility matrix, vendor requirements, and service level agreements (SLAs).
    5. Scope of work, specifications and requirements
      • Technical and functional requirements à Insert the requirements gathered in Phase 1 in this section of the RFP. Remember to include both current and future requirements.
    6. Exit conditions
      • Overview of exit strategy and transition process.
    7. Vendor qualifications and references
    8. Account management and estimated pricing
    9. Vendor certification
    This is a screenshot of the Service Desk Outsourcing RFP Template.

    The main point of focus in this document is defining your requirements (discussed in Phase 1) and developing proposal preparation instructions.

    The rest of the RFP consists mostly of standard legal language. Review the rest of the RFP template and adapt the language to suit your organization's standards. Check with your legal departments to make sure the RFP adheres to company policies.

    3.1.1 Evaluate your technology, people, and process requirements

    1-2 hours

    1. Review the outsourcing goals you identified in Phase 1 (activity 1.1.3).
    2. For each goal, divide the defined requirements from your requirements database library (activity 1.2.1) into three areas:
      1. People Requirements
      2. Process Requirements
      3. Technical Requirements
    3. Group your requirements based on characteristics (e.g. recovery capabilities, engagement methodology, personnel, etc.).
    4. Validate these requirements with the relevant stakeholders.
    5. Document your results in section 4 of the Service Desk Outsourcing RFP Template.

    Input

    • Identified key requirements

    Output

    • Refined requirements to input into the RFP

    Materials

    • Whiteboard/flip charts
    • Markers
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • IT Managers

    Download the Service Desk Outsourcing RFP Template

    Assess knowledge management and technology requirements to enable the outsourcer with higher quality work

    Retain ownership of the knowledgebase to foster long-term growth of organizational intelligence

    With end users becoming more and more tech savvy, organizational intelligence is becoming an increasingly important aspect of IT support. Modern employees are able and willing to troubleshoot on their own before calling into the service desk. The knowledgebase and FAQs largely facilitate self-serve trouble shooting, both of which are not core concerns for the outsource vendor.

    Why would the vendor help you empower end users and decrease ticket volume when it will lead to less revenue in the future? Ticket avoidance is not simply about saving money by removing support. It's about the end-user community developing organizational intelligence so that it doesn't need as much technical support.

    Organizational intelligence occurs when shared knowledge and insight is used to make faster, better decisions.

    When you outsource, the flow of technical insight to your end-user community slows down or stops altogether unless you proactively drive it. Retain ownership of the knowledgebase and ensure that the content is:

    1. Validated to ensure it accurately describes the best solution.
    2. Actionable to ensure it prescribes repeatable, verifiable steps.
    3. Contextual to ensure the reader knows when NOT to apply the knowledge.
    4. Maintained to ensure the solution remains current.
    5. Applied, since knowledge is a cost with no benefit unless you apply it and turn it into organizational intelligence.

    Info-Tech Insight

    Include knowledge management process in your ticket handling workflows to make sure knowledge is transferred to the MSP and end users. For more information on knowledge management, refer to Info-Tech's Standardize the Service Desk and Optimize the Service Desk With a Shift-Left Strategy blueprints.

    Assess self-service requirements in your outsourcing plan

    When outsourcing the service desk, determine who will take ownership of the self-service portal.

    Nowadays, outsourcers provide innovative services such as self-serve options. However, bear in mind that the quality of such services is a differentiating factor. A well-maintained portal makes it easy to:

    • Report incidents efficiently via use-case-based forms
    • Place requests via a business-oriented service catalog
    • Automate request processes
    • Give visibility on ticket status
    • Access knowledgebase articles
    • Provide status on critical systems
    • Look for services by both clicking service lists and searching them
    • Provide 24/7 service via interactive communication with live agent and AI-powered machine
    • Streamline business process in multiple departments rather than only IT

    In the outsourcing process, determine your expectations from your vendor on self-serve options and discuss how they will fulfill these requirements. Similar to other processes, work internally to define a list of services your organization is providing that you can pass over to the outsourcer to convert to a service catalog.

    Use Info-Tech's Sample Enterprise Services document to start determining your business's services.

    Assess admin rights in your outsourcing plan to give access to the outsourcer while you keep ownership

    Provide accessibility to account management to improve self-service, which enables:

    • Group owners to be named who can add or remove people from their operating units
    • Users to update attributes such as photos, address, phone number
    • Synchronization with HRIS (Human Resource Information Systems) to enable two-way communication on attribute updates
    • Password reset self-service

    Ensure the vendor has access rights to execute regular clean up to help:

    • Find stale and inactive user and computer accounts (inactive, expired, stale, never logged in)
    • Bulk move and disable capabilities
    • Find empty groups and remove
    • Find and assess NTFS permissions
    • Automated tasks to search and remediate

    Give admin rights to outsourcer to enable reporting and auditing capabilities, such as:

    • Change tracking and notifications
    • Password reset attempts, account unlocks, permission and account changes
    • Anomaly detection and remediation
    • Privilege abuse, such as password sharing

    Info-Tech Insight

    Provide your MSP with access rights to enable the service desk to have account management without giving too much authentication. This way you'll enable moving tickets to the outsourcer while you keep ownership and supervision.

    3.1.2 Outline which party will be responsible for which service desk processes

    1-2 hours

    This activity is an expansion to the outcomes of activity 1.2.1, where you determined the outsourcing requirements and the party to deliver each requirement.

    1. Add your identified tasks from the requirements database library to the service desk responsibility matrix (section 4.2 of the Service Desk Outsourcing RFP Template).
    2. Break each task down into more details. For instance, incident management may include tier 1, tier 2/3, KB creation and update, reporting, and auditing.
    3. Refer to section 4.1 of your Project Charter to review the responsible party for each use case.
    4. Considering the use cases, assess whether your organization, the MSP, or both parties will be responsible for the task.
    5. Document the results in section 4.2 of the RFP.

    Input

    • Identified key requirements

    Output

    • Responsible party to deliver each task

    Materials

    • Whiteboard/flip charts
    • Markers
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • IT Managers

    Download the Service Desk Outsourcing RFP Template

    Step 3.2

    Define your approach to vendor relationship management

    Activities

    3.2.1 Define your SLA requirements

    3.2.2 Score each vendor to mitigate the risk of failure

    3.2.3 Score RFP responses

    3.2.4 Get referrals, conduct reference interviews and evaluate responses for each vendor

    Develop an RFP and make a long-term relationship

    This step requires the following inputs:

    • Service desk outsourcing RFP
    • List of service desk outsourcing requirements

    This step involves the following participants:

    • CIO
    • Service Desk Manager
    • IT Managers
    • Project Managers

    Outcomes of this step

    • Service desk SLA
    • RFP scores

    Don't rush to judgment; apply due diligence when selecting your vendor

    The most common mistake in vendor evaluation is moving too quickly. The process leading to an RFP evaluation can be exhausting, and many organizations simply want to be done with the whole process and begin outsourcing.

    The most common mistake in vendor evaluation is moving too quickly. The process leading to an RFP evaluation can be exhausting, and many organizations simply want to be done with the whole process and begin outsourcing.

    1. Call around to get referrals for each vendor
    2. Create a shortlist
    3. Review SLAs and contract terms
    4. Select your vendor

    Recognize warning signs in the MSP's proposal to ensure a successful negotiation

    Vendors often include certain conditions in their proposals that masquerade as appealing but may spell disaster. Watch for these red flags:

    1. Discounted Price
      • Vendors know the market value of their competitors' services. Price is not what sets them apart; it's the type of services offered as well as the culture present.
      • A noticeably low price is often indicative of a desperate organization that is not focused on quality managed services.
    2. No Pushback
      • Vendors should work to customize their proposal to suit both their capabilities and your needs. No pushback means they are not invested in your project as deeply as they should be.
      • You should be prepared for and welcome negotiations; they're a sign that both sides are reaching a mutually beneficial agreement.
    3. Continual SLA Improvement
      • Continual improvement is a good quality that your vendor should have, but it needs to have some strategic direction.
      • Throwing continual SLA improvement into the deal may seem great, but make sure that you'll benefit from the value-added service. Otherwise, you'll be paying for services that you don't actually need.

    Clearly define core vendor qualities before looking at any options

    Vendor sales and marketing people know just what to say to sway you: don't talk to them until you know what you're looking for.

    Geography

    Do you prefer global or local data centers? Do you need multiple locations for redundancy in case of disaster? Will language barriers be a concern?

    Contract Length

    Ensure you can terminate a poor arrangement by having shorter terms with optional renewals. It's better to renew and renegotiate if one side is losing in the deal in order to keep things fair. Don't assume that proposed long-term cost savings will provide a satisfactory service.

    Target Market

    Vendors are aiming at different business segments, from startups to large enterprises. Some will accept existing virtual machines, and others enforce compliance to appeal to government and health agencies.

    SLA

    A robust SLA strengthens a vendor's reliability and accountability. Agencies with special needs should have room in negotiations for customization. Providers should also account for regular SLA reviews and updates. Vendors should be tracking call volume and making projections that should translate directly to SLAs.

    Support

    Even if you don't need a vendor with 24/7 availability, vendors who cannot support this timing should be eliminated. You may want to upgrade later and will want to avoid the hassle of switching.

    Maturity

    Vendors must have the willingness and ability to improve processes and efficiencies over time. Maintaining the status-quo isn't acceptable in the constantly evolving IT world.

    Cost

    Consider which model makes the most sense: will you go with per call or per user pricing? Which model will generate vendor motivation to continually improve and meet your long-term goals? Watch out for variable pricing models.

    Define your SLA requirements so your MSP can create a solution that fits

    SLAs ensure accountability from the service provider and determine service price

    SLAs define the performance of the service desk and clarify what the provider and customer can expect in their outsourcing relationship.

    • Service categories
    • The acceptable range of end-user satisfaction
    • The scope of what functions of the service desk are being measured (availability, time to resolve, time to respond, etc.)
    • Credits and penalties for achieving or missing targets
    • Frequency of measurement/reporting
    • Provisions and penalties for ending the contractual relationship early
    • Management and communication structure
    • Escalation protocol for incidents relating to tiers 2 or 3

    Each MSP's RFP response will help you understand their basic SLA terms and enhanced service offerings. You need to understand the MSP's basic SLA terms to make sure they are adequate enough for your requirements. A well-negotiated SLA will balance the requirements of the customer and limit the liability of the provider in a win/win scenario.

    For more information on defining service level requirements, refer to Info-Tech's blueprint Reduce Risk With Rock-Solid Service-Level Agreements.

    3.2.1 Define your SLA requirements

    2-3 hours

    • As a team, review your current service desk SLA for the following items:
      • Response time
      • Resolution time
      • Escalation time
      • End-user satisfaction
      • Service availability
    • Use the sample table as a starting point to determine your current incident management SLA:
    • Determine your SLA expectations from the outsourcer.
    • Document your SLA expectations in section 4.4 of the RFP template.

    Participants: IT Managers, Service Desk Manager, Project Team

    Response
    PriorityResponse SLOResolution SLOEscalation Time
    T1
    Severity 1CriticalWithin 10 minutes4 hours to resolveImmediate
    Severity 2HighWithin 1 business hour8 business hours to resolve20 minutes
    Severity 3MediumWithin 4 business hours24 business hours to resolveAfter 20 minutes without progress
    Severity 4LowSame day (8 hours)72 business hours to resolve After 1 hour without progress
    SLO ResponseTime it takes for service desk to respond to service request or incident. Target response is 80% of SLO
    SLO ResolutionTime it takes to resolve incident and return business services to normal. Target resolution is 80% of SLO

    Download the Service Desk Outsourcing RFP Template

    Get a detailed plan from your selected vendor before signing a contract

    Build a standard process to evaluate candidate vendors

    Use section 5 of Info-Tech's Service Desk Outsourcing RFP Template for commonly used questions and requirements for outsourcing the service desk. Ask the right questions to secure an agreement that meets your needs. If you are already in a contract with an MSP, tale the opportunity of contract renewal to improve the contract and service.

    This is a screenshot of the Service Desk Outsourcing RFP Template.

    Download the Service Desk Outsourcing RFP Template

    Add your finalized assessment questions into Info-Tech's Service Desk Outsourcing RFP Scoring Tool to aggregate responses in one repository for comparison. Since the vendors are asked to respond in a standard format, it is easier to bring together all the responses to create a complete view of your options.

    This is an image of the Service Desk Vendor Proposal Scoring Tool

    Download the Service Desk Vendor Proposal Scoring Tool

    3.2.2 Score each vendor to mitigate the risk of failure

    1-2 hours

    Include the right requirements for your organization and analyze candidate vendors on their capability to satisfy them.

    1. Use section 5 of the RFP template to convert your determined requirements into questions to address in vendor briefings.
    2. Review the questions in the context of near- and long-term service desk outsourcing needs. In the template, we have separated requirements into 7 categories:
      • Vendor Requirements (VR)
      • Vendor Qualifications/Engagement/Administration Capabilities (VQ)
      • Service Operations (SO)
      • Service Support (SS)
      • Service Level Agreement (SLA)
      • Transition Processes (TP)
      • Account Management (AM)
    3. Define the priority for each question:
      • Required
      • Desired
      • Optional
    4. Leave the compliance and comments to when you brief with vendors.

    Input

    • Technical and functional requirements

    Output

    • Priority level for each requirement
    • Completed list of requirement questions

    Materials

    • Whiteboard/flip charts
    • Markers
    • Laptops

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • IT Managers

    Download the Service Desk Outsourcing RFP Template

    3.2.3 Score RFP responses

    2-3 hours

    1. Enter the requirements questions into the RFP Scoring Tool and use it during vendor briefings.
    2. Copy the Required and Desired priority requirements from the previous activity into the RFP Questions column.
    3. Evaluate each RFP response against the RFP criteria based on the scoring scale.
    4. The Results section in the tool shows the vendor ranking based on their overall scores.
    5. Compare potential outsourcing partners considering scores on individual requirements categories and based on overall scores.

    Input

    • Completed list of requirement questions
    • Priority level for each requirement

    Output

    • List of top vendors for outsourcing the service desk

    Materials

    • Service Desk Vendor Proposal Scoring Tool

    Participants

    • Service Desk Manager
    • IT Managers
    • Project Managers
    • IT Director/CIO

    Download the Service Desk Vendor Proposal Scoring Tool

    3.2.3 Get referrals, conduct reference interviews, and evaluate responses for each vendor

    1. Outline a list of questions to conduct reference interviews with past/present clients of your candidate vendors.
    2. Use the reference interview template as a starting point. As a group review the questions and edit them to a list that will fulfill your requirements.
    3. Ask your candidate vendors to provide you with a list of three to five clients that have/had used their services. Make sure that vendors enforce the interview will be kept anonymous and names and results won't be disclosed.
    4. Ask vendors to book a 20-30 minute call with you and their client.
    5. Document your interview comments in your updated reference interview template.
    6. Update the RFP scoring tool accordingly.

    Input

    • List of top vendors for outsourcing the service desk

    Output

    • Updated list of top vendors for outsourcing the service desk

    Materials

    • Service Desk Outsourcing Reference Interview Template
    • Service Desk Vendor Proposal Scoring Tool

    Participants

    • Service Desk Manager
    • IT Managers
    • Project Managers

    Download the Service Desk Vendor Proposal Scoring Tool

    Compare pricing models of outsourcing services

    It's a common sales tactic to use a low price as an easy solution. Carefully evaluate the vendors on your short-list and ensure that SLAs, culture, and price all match to your organization.

    Research different pricing models and accurately assess which model fits your organization. Consider the following pricing models:

    Pay per technician

    In this model, a flat rate is allocated to agents tackling your service desk tickets. This is a good option for building long-term relationship with outsourcer's agents and efficient knowledge transfer to the external team; however, it's not ideal for small organizations that deal with few tickets. This is potentially an expensive model for small teams.

    Pay per ticket

    This model considers the number of tickets handled by the outsourcer. This model is ideal if you only want to pay for your requirement. Although the internal team needs to have a close monitoring strategy to make sure the outsourcer's efficiency in ticket resolution.

    Pay per call

    This is based on outbound and inbound calls. This model is proper for call centers and can be less expensive than the other models; however, tracking is not easy, as you should ensure service desk calls result in efficient resolution rather than unnecessary follow-up.

    Pay per time (minutes or hours)

    The time spent on tickets is considered in this model. With this model, you pay for the work done by agents, so that it may be a good and relatively cheap option. As quicker resolution SLA is usually set by the organization, customer satisfaction may drop, as agents will be driven to faster resolution, not necessarily quality of work.

    Pay per user

    This model is based on number of all users, or number of users for particular applications. In this model, correlation between number of users and number of tickets should be taken into account. This is an ideal model if you want to deal with impact of staffing changes on service price. Although you should first track metrics such as mean time to resolve and average number of tickets so you can prevent unnecessary payment based on number of users when most users are not submitting tickets.

    Step 3.3

    Manage the outsource relationship

    Activities

    3.3.1 Analyze your outsourced service desk for continual improvement

    3.3.2 Make a case to either rehabilitate your outsourcing agreement or exit

    3.3.3 Develop an exit strategy in case you need to end your contract early

    Develop an RFP and make a long-term relationship

    This step requires the following inputs:

    • Service desk SLA
    • List of impacted stakeholder groups
    • List of impacts and benefits of the outsourced service desk

    This step involves the following participants:

    • CIO
    • Service Desk Manager
    • IT Managers
    • Project Managers

    Outcomes of this step

    • Communication plan
    • Vendor management strategy

    Ensure formality of your vendor management practice

    A service desk outsourcing project is an ongoing initiative. Build a relationship plan to make sure the outsourcer complies with the agreement.

    This is an iamge of the cycle of relationship management and pre-contract management.

    Monitor Vendor Performance

    Key Activity:

    Measure performance levels with an agreed upon standard scorecard.

    Manage Vendor Risk

    Key Activity:

    Periodical assessment of the vendors to ensure they are meeting compliance standards.

    Manage Vendor Contracts and Relationships

    Key Activity:
    Manage the contracts and renewal dates, the level of demand for the services/products provided, and the costs accrued.

    COMPLETE Identify and Evaluate Vendors

    Key Activity:
    Develop a plan with procurement and key internal stakeholders to define clear, consistent, and stable requirements.

    COMPLETE Select a Vendor

    Key Activity:
    Develop a consistent and effective process for selecting the most appropriate vendor.

    Manage Vendor Contracts and Relationships

    Key Activity:
    Contracts are consistently negotiated to ensure the vendor and the client have a documented and consistent understanding of mutual expectations.

    Expect the vendor to manage processes according to your standards

    You need this level of visibility into the service desk process, whether in-house or outsourced

    Each of these steps requires documentation – either through standard operating procedures, SLAs, logs, or workflow diagrams.

    • Define key operating procedures and workflows
    • Record, classify, and prioritize tickets
    • Verify, approve, and fulfill tickets
    • Investigate, diagnose, and allocate tickets
    • Resolve, recover, and close tickets
    • Track and report

    "Make sure what they've presented to you is exactly what's happening."
    – Service Desk Manager, Financial Services

    Manage the vendor relationship through regular communication

    Regular contact with your MSP provides opportunities to address issues that emerge

    Designate a relationship manager to act as a liaison at the business to be a conduit between the business and the MSP.

    • The relationship manager will take feedback from the MSP and relate it back to you to bridge the technical and business gap between the two.

    Who should be involved

    • Routine review meetings should involve the MSP and your relationship manager.
    • Technical knowledge may be needed to address specific issues, but business knowledge and relationship management skills are absolutely required.
    • Other stakeholders and people who are deeply invested in the vendor relationship should be invited or at least asked to contribute questions and concerns.

    What is involved

    • Full review of the service desk statistics, escalations, staffing changes, process changes, and drivers of extra billing or cost.
    • Updates to key documentation for the issues listed above and changes to the knowledgebase.
    • Significant drivers of customer satisfaction and dissatisfaction.
    • Changes that have/are being proposed that can impact any of the above.

    Communicate changes to end users to avoid push back and get buy-in

    Top-down processes for outsourcing will leave end users in the dark

    • Your service desk staff has been involved in the outsourcing process the entire time, but end users are affected all the same.
    • The service desk is the face of IT. A radical shift in service processes and points of contact can be detrimental to not only the service desk, but all of IT.
    • Communicating the changes early to end users will both help them cope with the change and help the MSP achieve better results.
      • An internal communication plan should be rolled out in order to inform and educate end users about the changes associated with outsourcing the service desk.
    • Your relationship manager should be tasked with communicating the changes to end users. The focus should be on addressing questions or concerns about the transition while highlighting the value gained through outsourcing to an MSP.
    • Service quality is a two-way street; the end user needs to be informed of proper protocols and points of contact so that the service desk technicians can fulfill their duties to the best of their ability.

    "When my company decided to outsource, I performed the same role but for a different company. There was a huge disruption to the business flow and a lack of communication to manage the change. The transition took weeks before any end users figured out what the new processes were for submitting a ticket and who to ask for help, and from a personal side, it became difficult to maintain relationships with colleagues."
    – IT Specialist for a financial institution

    Info-Tech Insight

    Educate the enterprise on expectations and processes that are handled by the MSP. Identify stakeholder groups affected by the outsourced processes then build a communication plan on what's been changed, what the benefits are, and how they will be impacted. Determine a timeline for communicating these initiatives and how these announcements will be made. Use InfoTech's Sample Communication Plan as a starting point.

    Build a continual improvement plan to make sure your MSP is efficiently delivering services according to expectations

    Ensure that your quality assurance program is repeatable and applicable to the outsourced services

    1. Design a QA scorecard that can help you assess steps the outsourcer agents should follow. Keep the questionnaire high level but specific to your environment. The scorecard should include questions that follow the steps to take considering your intake channels. For instance, if end users can reach the service desk via phone, chat, and email, build your QA around assessing customer service for call, chat, and ticket quality.
    2. Build a training program for agents: Develop an internal monitoring plan to relay detailed feedback to your MSP. Assess performance and utilize KBs as training materials for coaching agents on challenging transactions.
    3. Everything that goes to your service desk has to be documented; there will be no organic transfer of knowledge and experience.
    4. You need to let your MSP know how their efforts are impacting the performance of your organization. Measure your internal performance against the external performance of your service desk.
    5. Constant internal check-ins ensure that your MSP is meeting the SLAs outlined in the RFP.
    6. Routine reporting of metrics and ticket trends allow you to enact problem management. Otherwise, you risk your MSP operating your service desk with no internal feedback from its owner.
    7. Use metrics to determine the service desk functionality.

    Consider the success story of your outsourced service desk

    Build a feedback program for your outsourced services. Utilize transactional surveys to discover and tell outsourcing success to the impacted stakeholders.

    Ensure you apply steps for providing feedback to make sure processes are handled as expected. Service desk is the face of IT. Customer satisfaction on ticket transactions reflects satisfaction with IT and the organization.

    Build customer satisfaction surveys and conduct them for every transaction to get a better sense of outsourced service desk functionality. Collaborate with the vendor to make sure you build a proper strategy.

    • Build a right list of questions. Multiple and lengthy questions may lead to survey taking fatigue. Make sure you ask the right questions and give an option to the customer to comment any additional notes.
    • Give the option to users to rate the transaction. Make the whole process very seamless and doable in a few seconds.
    • Ensure to follow-up on negative feedback. This will help you find gaps in services and provide training to improve customer service.

    3.3.1 Analyze your outsourced service desk for continual improvement

    1 hour

    1. In this project, you determined the KPIs based on your service desk objectives (activity 2.2.2).
    2. Refer to your list of metrics in section 7 of the Service Desk Outsourcing Project Charter.
    3. Think about what story you want to tell and determine what factors will help move the narrative.
    4. Discuss how often you would like to track these metrics. Determine the audience for each metric.
    5. Provide the list to the MSP to create reports with auto-distribution.

    Input

    • Determined CSFs and KPIs

    Output

    • List of metrics to track, including frequency to report and audience to report to

    Materials

    • Service Desk Outsourcing Project Charter

    Participants

    • Service Desk Manager
    • IT Managers
    • Project Managers

    Download the Project Charter Template

    Reward the MSP for performance instead of "punishing" them for service failure

    Turn your vendor into a true partner by including an "earn back" condition in the contract

    MSPs often offer clients credit requests (service credits) for their service failures, which are applied to the previous month's monthly recurring charge. They are applied to the last month's MRC (monthly reoccurring charges) at the end of term and then the vendor pays out the residual.

    However, while common, service credits are not always perceived to be a strong incentive for the provider to continually focus on improvement of mean-time-to-respond/mean-time-to-resolve.

    • Engage the vendor as a true partner within a relationship only based upon Service Credits.
    • Suggest the vendor include a minor change to the non-performance processes within the final agreement: the vendor implements an "earn back" condition in the agreement.
    • Where a bank of service credits exists because of non-performance, if the provider exceeds the SLA performance metrics for a number of consecutive months (two is common), then an amount of any prior credits received by client is returned to the provider as an earn back for improved performance.
    • This can be a useful mechanism to drive improved performance.

    Measure the outsourced service desk ROI constantly to drive efficient decisions for continual improvement or an exit plan

    Efficient outsourced service desk causes positive impacts on business satisfaction. To address the true value of the services outsourced, you should evaluate the return on investment (ROI) in these areas: Emotional ROI, Time ROI, Financial ROI

    Emotional ROI

    Service desk's main purpose should be to provide topnotch services to end users. Build a customer experience program and leverage transactional surveys and relationship surveys to constantly analyze customer feedback on service quality.

    Ask yourself:

    • How have the outsourced services improved customer satisfaction?
    • How has the service desk impacted the business brand?
    • Have these services improved agents' job satisfaction?
    • What is the NPS score of the service desk?
    • What should we do to reduce the detractor rate and improve satisfaction leveraging the outsourced service desk?

    Time ROI

    Besides customer satisfaction, SLA commitment is a big factor to consider when conducting ROI analysis.

    Ask these questions:

    • Have we had improvement in FCR?
    • What are the mean time to resolve incidents and mean time to fulfill requests?
    • Is the cost incurred to outsourced services worth improvement in such metrics?

    Financial ROI

    As already mentioned in Phase 1, the main motivation for outsourcing the service desk should not be around cost reduction, but to improve performance. Regardless, it's still important to understand the financial implications of your decision.

    To evaluate the financial impact of your outsourced service desk, ask these questions:

    • How much have the outsourced services impacted our business financially?
    • How much are we paying compared to when it was done internally?
    • Considering the emotional, time, and effort factors, is it worth bringing the services in house or changing the vendor?

    3.3.2 Make a case to either rehabilitate your outsourcing agreement or exit

    3-4 hours

    1. Refer to the results of activity 2.2.2. for the list of metrics and the metrics dashboard over the past quarter.
    2. Consider emotional and time ROI, assess end-user satisfaction and SLA, and run a report comparison with the baseline that you built prior to outsourcing the service desk.
    3. Estimate the organization's IT operating expenses over the next five years if you stay with the vendor.
    4. Estimate the organization's IT operating expenses over the next five years if you switch the vendor.
    5. Estimate the organization's IT operating expenses over the next five years if you repatriate the service desk.
    6. Estimate the non-recurring costs associated with the move, such as the penalty for early contract termination, data center moving costs, and cost of potential business downtime during the move. Sum them to determine the investment.
    7. Calculate the return on investment. Discuss and decide whether the organization should consider rehabilitating the vendor agreement or ending the partnership.

    Input

    • Outsourced service desk metrics
    • Operating expenses

    Output

    • Return on investment

    Materials

    • List of metrics
    • Laptop
    • Markers
    • Flip chart/whiteboard

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • IT Managers

    For more information on conducting this activity, refer to InfoTech's blueprint Terminate the IT Infrastructure Outsourcing Relationship

    Define exit conditions to complete your contract with your MSP

    The end of outsourcing is difficult. Your organization needs to maintain continuity of service during the transition. Your MSP needs to ensure that its resources can be effectively transitioned to the next deployment with minimal downtime. It is crucial to define your exit conditions so that both sides can prepare accordingly.

    • Your exit conditions must be clearly laid out in the contract. Create a list of service desk functions and metrics that are important to your organization's success. If your MSP is not meeting those needs or performance levels, you should terminate your services.
    • Most organizations accomplish this through a clear definition of hard and measurable KPIs and metrics that must be achieved and what will happen in the case these metrics are not being regularly met. If your vendor doesn't meet these requirements as defined in your contract, you then have a valid reason and the ability to leave the agreement.

    Examples of exit conditions:

    • Your MSP did not meet their SLAs on priority 1 or 2 tickets two times within a month.
    • If they didn't meet the SLA twice in that 30 days, you could terminate the contract penalty-free.

    Info-Tech Insight

    If things start going south with your MSP, negotiate a "get well plan." Outline your problems to the MSP and have them come back to you with a list of how they're going to fix these problems to get well before you move forward with the contract.

    Try to rehabilitate before you repatriate

    Switching service providers or ending the contract can be expensive and may not solve your problems. Try to rehabilitate your vendor relationship before immediately ending it.

    You may consider terminating your outsourcing agreement if you are dissatisfied with the current agreement or there has been a change in circumstances (either the vendor has changed, or your organization has changed).

    Before doing so, consider the challenges:

    1. It can be very expensive to switch providers or end a contract.
    2. Switching vendors can be a large project involving transfer of knowledge, documentation, and data.
    3. It can be difficult to maintain service desk availability, functionality, and reliability during the transition.

    Diagnose the cause of the problem before assuming it's the MSP's fault. The issue may lie with poorly defined requirements and processes, lack of communication, poor vendor management, or inappropriate SLAs. Re-assess your strategy and re-negotiate your contract if necessary.

    Info-Tech Insight

    There are many reasons why outsourcing relationships fail, but it's not always the vendor's fault.

    Clients often think their MSP isn't doing a great job, but a lot of the time the reason comes back to the client. They may not have provided sufficient documentation on processes, were not communicating well, didn't have a regular point of contact, and weren't doing regular service reviews. Before exiting the relationship, evaluate why it's not working and try to fix things first.

    Don't stop with an exit strategy, you also need to develop a transition plan

    Plan out your transition timeline, taking into account current contract terms and key steps required. Be prepared to handle tickets immediately upon giving notice.

    • Review your outsourcing contract with legal counsel to identify areas of concern for lock-in or breech.
    • Complete a cost/benefit analysis.
    • Bring intellectual property (including ticket data, knowledge base articles, and reports) back in-house (if you'd like to repatriate the service desk) or transfer to the next service desk vendor (if you're outsourcing to another MSP).
    • Review and update service desk standard processes (escalation, service levels, ticket templates, etc.).
    • Procure service desk software, licenses, and necessary hardware as needed.
    • Train the staff (internal for repatriating the service desk, or external for the prospective MSP).
    • Communicate the transition plan and be prepared to start responding to tickets immediately.

    Info-Tech Insight

    Develop a transition plan about six months before the contract notice date. Be proactive by constantly tracking the MSP, running ROI analyses and training staff before moving the services to the internal team or the next MSP. This will help you manage the transition smoothly and handle intake channels so that upon potential exit, users won't be disrupted.

    3.3.3 Develop an exit strategy in case you need to end your contract early

    3-4 hours

    Create a plan to be prepared in case you need to end your contract with the MSP early.

    Your exit strategy should encompass both the conditions under which you would need to end your contract with the MSP and the next steps you will take to transition your services.

    1. Define the exit conditions you plan to negotiate into your contract with the MSP:
      • Identify the performance levels you will require your MSP to meet.
      • Identify the actions you expect the MSP to take if they fail to meet these performance levels.
      • Identify the conditions under which you would leave the contract early.
    2. Develop a strategy for transitioning services in the event you need to leave your contract with the MSP:
      • Will you hand the responsibility to a new MSP or repatriate the service desk back in-house?
      • How will you maintain services through the transition?
    3. Document your exit strategy in section 6 of the Service Desk Outsourcing RFP Template.

    Input

    • Outsourced service desk metrics
    • Operating expenses

    Output

    • Return on investment

    Materials

    • List of metrics
    • Laptop
    • Markers
    • Flip chart/whiteboard

    Participants

    • IT Director/CIO
    • Service Desk Manager
    • IT Managers

    Download the Service Desk Outsourcing RFP Template

    Summary of Accomplishment

    Problem Solved

    You have now re-envisioned your service desk by building a solid strategy for outsourcing it to a vendor. You first analyzed your challenges with the current service desk and evaluated the benefits of outsourcing services. Then you went through requirements assessment to find out which processes should be outsourced. Thereafter, you developed an RFP to communicate your proposal and evaluate the best candidates.

    You have also developed a continual improvement plan to ensure the outsourcer provides services according to your expectations. Through this plan, you're making sure to build a good relationship through incentivizing the vendor for accomplishments rather than punishing for service failures. However, you've also contemplated an exit plan in the RFP for potential consistent service failures.

    Ideally, this blueprint has helped you go beyond requirements identification and served as a means to change your mindset and strategy for outsourcing the service desk efficiently to gain long-term benefits.

    if you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    This is a picture of Info-Tech analyst Mahmoud Ramin

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    This is a screenshot of activity 1.2.1 found in this blueprint

    Identify Processes to Outsource
    Identify service desk tasks that will provide the most value upon outsourcing.

    This is a screenshot of activity 3.2.2 found in this blueprint

    Score Candidate Vendors
    Evaluate vendors on their capabilities for satisfying your service desk requirements.

    Related Info-Tech Research

    Standardize the Service Desk

    • Improve customer service by driving consistency in your support approach and meeting SLAs.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

    • There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Terminate the IT Infrastructure Outsourcing Relationship

    • There must be 50 ways to leave your vendor.

    Research Contributors and Experts

    Yev Khovrenkov; Enterprise Consultant, Solvera Solutions

    Kamil Salagan; I&O Manager, Bartek Ingredients

    Satish Mekerira; VP of IT, Coherus BioSciences

    Kris Krishan; Head of IT and Business Systems, Waymo

    Kris Arthur; Infra & Security Director, SEKO Logistics

    Valance Howden; Principal Research Advisor, Info-Tech Research Group

    Sandi Conrad; Principal Research Director, Info-Tech Research Group

    Graham Price; Senior Director of Executive Services, Info-Tech Research Group

    Barry Cousins; Practice Lead, Info-Tech Research Group

    Mark Tauschek; VP of I&O Research, Info-Tech Research Group

    Darin Stahl; Principal Research Advisor, Info-Tech Research Group

    Scott Yong; Principal Research Advisor, Info-Tech Research Group

    A special thank-you to five anonymous contributors

    Bibliography

    Allnutt, Charles. "The Ultimate List of Outsourcing Statistics." MicroSourcing, 2022. Accessed July 2022.
    "Considerations for outsourcing the service desk. A guide to improving your service desk and service delivery performance through outsourcing." Giva. Accessed May 2022.
    Hurley, Allison. "Service Desk Outsourcing | Statistics, Challenges, & Benefits." Forward BPO Inc., 2019. Accessed June 2022.
    Mtsweni, Patricia, et al. "The impact of outsourcing information technology services on business operations." South African Journal of Information Management, 2021, Accessed May 2022.
    "Offshore, Onshore or Hybrid–Choosing the Best IT Outsourcing Model." Calance, 2021. Accessed June 2022. Web.
    "Service Integration and Management (SIAM) Foundation Body of Knowledge." Scopism, 2020. Accessed May 2022.
    Shultz, Aaron. "IT Help Desk Outsourcing Pricing Models Comparison." Global Help Desk Services. Accessed June 2022. Web.
    Shultz, Aaron. "4 Steps to Accurately Measure the ROI of Outsourced Help Desk Services" Global Help Desk Services, Accessed June 2022. Web.
    Sunberg, John. "Great Expectations: What to Look for from Outsourced Service Providers Today." HDI. Accessed June 2022. Web.
    Walters, Grover. "Pivotal Decisions in outsourcing." Muma Case Review, 2019. Accessed May 2022.
    Wetherell, Steve. "Outsourced IT Support Services: 10 Steps to Better QA" Global Held Desk Services. Accessed May 2022. Web.

    2020 Security Priorities Report

    • Buy Link or Shortcode: {j2store}245|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    Use this deck to learn what projects security practitioners are prioritizing for 2020. Based on a survey of 460 IT security professionals, this report explains what you need to know about the top five priorities, including:

    • Signals and drivers
    • Benefits
    • Critical uncertainties
    • Case study
    • Implications

    While the priorities should in no way be read as prescriptive, this research study provides a high-level guide to understand that priorities drive the initiatives, projects, and responsibilities that make up organizations' security strategies.

    Our Advice

    Critical Insight

    There is always more to do, and if IT leaders are to grow with the business, provide meaningful value, and ascend the ladder to achieve true business partner and innovator status, aggressive prioritization is necessary. Clearly, security has become a priority across organizations, as security budgets have continued to increase over the course of 2019. 2020’s priorities highlight that data security has become the thread that runs through all other security priorities, as data is now the currency of the modern digital economy. As a result, data security has reshaped organizations’ priorities to ensure that data is always protected.

    Impact and Result

    Ultimately, understanding how changes in technology and patterns of work stand to impact the day-to-day lives of IT staff across seniority and industries will allow you to evaluate what your priorities should be for 2020. Ensure that you’re spending your time right. Use data to validate. Prioritize and implement.

    2020 Security Priorities Report Research & Tools

    Start here – read the Executive Brief

    This storyboard will help you understand what projects security practitioners are prioritizing for 2020.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data security

    Data security often rubs against other organizational priorities like data quality, but organizations need to understand that the way they store, handle, and dispose of data is now under regulatory oversight.

    • 2020 Security Priorities Report – Priority 1: Data Security

    2. Cloud security

    Cloud security means that organizations can take advantage of automation tools not only for patching and patch management but also to secure code throughout the SDLC. It is clear that cloud will transform how security is performed.

    • 2020 Security Priorities Report – Priority 2: Cloud Security

    3. Email security

    Email security is critical, since email continues to be one of the top points of ingress for cyberattacks from ransomware to business email compromise.

    • 2020 Security Priorities Report – Priority 3: Email Security

    4. Security risk management

    Security risk management requires organizations to make decisions based on their individual risk tolerance on such things as machine learning and IoT devices.

    • 2020 Security Priorities Report – Priority 4: Security Risk Management

    5. Security awareness and training

    Human error continues to be a security issue. In 2020, organizations should tailor their security awareness and training to their people so that they are more secure not only at work but also in life.

    • 2020 Security Priorities Report – Priority 5: Security Awareness and Training
    [infographic]

    Master Your Security Incident Response Communications Program

    • Buy Link or Shortcode: {j2store}321|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $2,339 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • When a significant security incident is discovered, usually very few details are known for certain. Nevertheless, the organization will need to say something to affected stakeholders.
    • Security incidents tend to be ongoing situations that last considerably longer than other types of crises, making communications a process rather than a one-time event.
    • Effective incident response communications require collaboration from: IT, Legal, PR, and HR – groups that often speak “different languages.”

    Our Advice

    Critical Insight

    • There’s no such thing as successful incident response communications; strive instead for effective communications. There will always be some fallout after a security incident, but it can be effectively mitigated through honesty, transparency, and accountability.
    • Effective external communications begin with effective internal communications. Security Incident Response Team members come from departments that don’t usually work closely with each other. This means they often have different ways of thinking and speaking about issues. Be sure they are familiar with each other before a crisis occurs.
    • You won’t save face by withholding embarrassing details. Lying only makes a bad situation worse, but coming clean and acknowledging shortcomings (and how you’ve fixed them) can go a long way towards restoring stakeholders’ trust.

    Impact and Result

    • Effective and efficient management of security incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities: communications must be integrated into each of these phases.
    • Understand that prior planning helps to take the guesswork out of incident response communications. By preparing for several different types of security incidents, the communications team will get used to working with each other, as well as learning what strategies are and are not effective. Remember, the communications team contains diverse members from various departments, and each may have different ideas about what information is important to release.

    Master Your Security Incident Response Communications Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement a security incident response communications plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Dive into communications planning

    This phase addresses the benefits and challenges of incident response communications and offers advice on how to assemble a communications team and develop a threat escalation protocol.

    • Master Your Security Incident Response Communications Program – Phase 1: Dive Into Communications Planning
    • Security Incident Management Plan

    2. Develop your communications plan

    This phase focuses on creating an internal and external communications plan, managing incident fallout, and conducting a post-incident review.

    • Master Your Security Incident Response Communications Program – Phase 2: Develop Your Communications Plan
    • Security Incident Response Interdepartmental Communications Template
    • Security Incident Communications Policy Template
    • Security Incident Communications Guidelines and Templates
    • Security Incident Metrics Tool
    • Tabletop Exercises Package
    [infographic]

    Document Business Goals and Capabilities for Your IT Strategy

    • Buy Link or Shortcode: {j2store}77|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • As a strategic driver, IT needs to work with the business. Yet, traditionally IT has not worked hand-in-hand with the business. IT does not know what information it needs from the business to execute on its initiatives.
    • A faster time to new investment decisions mean that IT needs a repeatable and efficient process to understand what the business needs.
    • CIOs must execute strategic initiatives to create an IT function that can support the business. Most CIOs fail because of low business support.

    Our Advice

    Critical Insight

    • Understanding the business context is a must for all strategic IT initiatives. At its core, each strategic IT project requires answers to a specific set of questions regarding the business.
    • An effective CIO understands which part of the business context applies to which strategic IT project and, in turn, what questions to ask to uncover those insights.

    Impact and Result

    • Uncover what IT knows and needs to know about the business context. This is a necessary first step to begin each of Info-Tech’s strategic IT initiatives, which any CIO should complete.
    • Conduct efficient and repeatable business context discovery activities to uncover business context gaps.
    • Document the business context you have uncovered and streamline the process for executing on Info-Tech’s strategic CIO blueprints.

    Document Business Goals and Capabilities for Your IT Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should define the business context, review Info-Tech’s methodology, and understand how we can support you in completing key CIO strategic initiatives.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and document the business needs of the organization

    Define the business context needed to complete strategic IT initiatives.

    • Document Business Goals and Capabilities for Your IT Strategy – Storyboard
    • Business Context Discovery Tool
    • Business Context Discovery Record Template
    • PESTLE Analysis Template
    • Strategy Alignment Map Template
    [infographic]

    Workshop: Document Business Goals and Capabilities for Your IT Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Missing Business Context (pre-work)

    The Purpose

    Conduct analysis and facilitate discussions to uncover business needs for IT.

    Key Benefits Achieved

    A baseline understanding of what business needs mean for IT

    Activities

    1.1 Define the strategic CIO initiatives our organization will pursue.

    1.2 Complete the Business Context Discovery Tool.

    1.3 Schedule relevant interviews.

    1.4 Select relevant Info-Tech diagnostics to conduct.

    Outputs

    Business context scope

    Completed Business Context Discovery Tool

    Completed Info-Tech diagnostics

    2 Uncover and Document the Missing Context

    The Purpose

    Analyze the outputs from step 1 and uncover the business context gaps.

    Key Benefits Achieved

    A thorough understanding of business needs and why IT should pursue certain initiatives

    Activities

    2.1 Conduct group or one-on-one interviews to identify the missing pieces of the business context.

    Outputs

    Documentation of answers to business context gaps

    3 Uncover and Document the Missing Context

    The Purpose

    Analyze the outputs from step 1 and uncover the business context gaps.

    Key Benefits Achieved

    A thorough understanding of business needs and why IT should pursue certain initiatives

    Activities

    3.1 Conduct group or one-on-one interviews to identify the missing pieces of the business context.

    Outputs

    Documentation of answers to business context gaps

    4 Review Business Context and Next Steps

    The Purpose

    Review findings and implications for IT’s strategic initiative.

    Key Benefits Achieved

    A thorough understanding of business needs and how IT’s strategic initiatives addresses those needs

    Activities

    4.1 Review documented business context with IT team.

    4.2 Discuss next steps for strategic CIO initiative execution.

    Outputs

    Finalized version of the business context

    Implement Your Negotiation Strategy More Effectively

    • Buy Link or Shortcode: {j2store}225|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Forty-eight percent of CIOs believe their budgets are inadequate.
    • CIOs and IT departments are getting more involved with negotiations to reduce costs and risk.
    • Not all negotiators are created equal, and the gap between a skilled negotiator and an average negotiator is not always easy to identify objectively.
    • Skilled negotiators are in short supply.

    Our Advice

    Critical Insight

    • Preparation is critical for the success of your negotiation, but you cannot prepare for every eventuality.
    • Communication is the heart and soul of negotiations, but what is being “said” is only part of the picture.
    • Skilled negotiators separate themselves based on skillsets, and outcomes alone may not provide an accurate assessment of a negotiator.

    Impact and Result

    Addressing and managing critical negotiation elements helps:

    • Improve negotiation skills.
    • Implement your negotiation strategy more effectively.
    • Improve negotiation results.

    Implement Your Negotiation Strategy More Effectively Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create and follow a scalable process for preparing to negotiate with vendors, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. During

    Throughout this phase, ten essential negotiation elements are identified and reviewed.

    • Implement Your Negotiation Strategy More Effectively – Phase 1: During
    • During Negotiations Tool
    [infographic]

    Workshop: Implement Your Negotiation Strategy More Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 12 Steps to Better Negotiation Preparation

    The Purpose

    Improve negotiation skills and outcomes.

    Understand how to use the Info-Tech During Negotiations Tool.

    Key Benefits Achieved

    A better understanding of the subtleties of the negotiation process and an identification of where the negotiation strategy can go awry.

    The During Negotiation Tool will be reviewed and configured for the customer’s environment (as applicable).

    Activities

    1.1 Manage six key items during the negotiation process.

    1.2 Set the right tone and environment for the negotiation.

    1.3 Focus on improving three categories of intangibles.

    1.4 Improve communication skills to improve negotiation skills.

    1.5 Customize your negotiation approach to interact with different personality traits and styles.

    1.6 Maximize the value of your discussions by focusing on seven components.

    1.7 Understand the value of impasses and deadlocks and how to work through them.

    1.8 Use concessions as part of your negotiation strategy.

    1.9 Identify and defeat common vendor negotiation ploys.

    1.10 Review progress and determine next steps.

    Outputs

    Sample negotiation ground rules

    Sample vendor negotiation ploys

    Sample discussion questions and evaluation matrix

    Define Your Virtual and Hybrid Event Requirements

    • Buy Link or Shortcode: {j2store}64|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    Your organization is considering holding an event online, or has been, but:

    • The organization (both on the business and IT sides) may not have extensive experience hosting events online.
    • It is not immediately clear how your formerly in-person event’s activities translate to a virtual environment.
    • Like the work-from-home transformation, bringing events online instantly expands IT’s role and responsibilities.

    Our Advice

    Critical Insight

    If you don't begin with strategy, you will fit your event to technology, instead of the other way around.

    Impact and Result

    To determine your requirements:

    • Determine the scope of the event.
    • Narrow down your list of technical requirements.
    • Use Info-Tech’s Rapid Application Selection Framework to select the right software solution.

    Define Your Virtual and Hybrid Event Requirements Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define Your Virtual and Hybrid Event Requirements Storyboard – Use this storyboard to work through key decision points involved in creating digital events.

    This deck walks you through key decision points in creating virtual or hybrid events. Then, begin the process of selecting the right software by putting together the first draft of your requirements for a virtual event software solution.

    • Define Your Virtual and Hybrid Event Requirements Storyboard

    2. Virtual Events Requirements Tool – Use this tool to begin selecting your requirements for a digital event solution.

    The business should review the list of features and select which ones are mandatory and which are nice to have or optional. Add any features not included.

    • Virtual/Hybrid Event Software Feature Analysis Tool
    [infographic]

    Further reading

    Define Your Virtual and Hybrid Event Requirements

    Accelerate your event scoping and software selection process.

    Analyst Perspective

    When events go virtual, IT needs to cover its bases.

    The COVID-19 pandemic imposed a dramatic digital transformation on the events industry. Though event ticket and registration software, mobile event apps, and onsite audio/visual technology were already important pieces of live events, the total transformation of events into online experiences presented major challenges to organizations whose regular business operations involve at least one annual mid-sized to large event (association meetings, conferences, trade shows, and more).

    Many organizations worked to shift to online, or virtual events, in order to maintain business continuity. As time went on, and public gatherings began to restart, a shift to “hybrid” events began to emerge—events that accommodate both in-person and virtual attendance. Regardless of event type, this pivot to using virtual event software, or digital event technology, brings events more closely into IT’s areas of responsibility. If you don't begin with strategy, you risk fitting your event to technology, instead of the other way around.

    If virtual and hybrid events are becoming standard forms of delivering content in your organization, use Info-Tech’s material to help define the scope of the event and your requirements, and to support your software selection process.

    Photo of Emily Sugerman
    Emily Sugerman
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The organization (both on the business and IT sides) may not have extensive experience hosting events online.

    It is not immediately clear how a formerly in-person event’s activities translate to a virtual environment.

    Like the work-from-home transformation, bringing events online expands IT’s role and responsibilities.

    Common Obstacles

    It is not clear what technological capabilities are needed for the event, which capabilities you already own, and what you may need to purchase.

    Though virtual events remove some barriers to attendance (distance, travel), it introduces new complications and considerations for planners.

    Hybrid events introduce another level of complexity.

    Info-Tech’s Approach

    In order to determine your requirements:

    Determine the scope of the event.

    Narrow down your list of technical requirements.

    Use Info-Tech’s Rapid Application Selection Framework to select the right software solution.

    Info-Tech Insight

    If you don't begin with strategy, you will fit your event to technology, instead of the other way around.

    Your challenge

    The solution you have been using for online events does not meet your needs.

    Though you do have some tools that support large meetings, it is not clear if you require a larger and more comprehensive virtual event solution. There is a need to determine what type of technology you might need to purchase versus leveraging what you already have.

    It is difficult to quickly and practically identify core event requirements and how they translate into technical capabilities.

    Maintaining or improving audience engagement is a perpetual challenge for virtual events.

    38%
    of event professionals consider virtual event technology “a tool for reaching a wider audience as part of a hybrid strategy.”

    21%
    consider it “a necessary platform for virtual events, which remain my go-to event strategy.”

    40%
    prioritize “mid-budget all-in-one event tech solution that will prevent remote attendees from feeling like second-class participants.”

    Source: Virtual Event Tech Guide, 2022

    Common obstacles

    These barriers make this challenge difficult to address for many organizations.

    Events with networking objectives are not always well served by webinars, which are traditionally more limited in their interactive elements.

    Events that include the conducting of organizational/association business (like voting) may have bylaws that make selecting a virtual solution more challenging.

    Maintaining attendee engagement is more challenging in a virtual environment.

    Prior to the pandemic, your organization may not have been as experienced in putting on fully virtual events, putting more responsibility in your corner as IT. Navigating virtual events can also require technological competencies that your attendee userbase may not universally possess.

    Technological limitations and barriers to access can exclude potential attendees just as much as bringing events online can open up attendance to new audiences.

    Opportunity: Virtual events can significantly increase an event’s reach

    Events held virtually during the pandemic noted significant increases in attendees.

    “We had 19,000 registrations from all over the world, almost 50 times the number of people we had expected to host in Amsterdam. . . . Most of this year’s [2020] attendees would not have been able to participate in a physical GrafanaCon in Amsterdam. That was a huge win.” – Raj Dutt, Grafana Labs CEO[5]

    Event In-person Online 2022
    Microsoft Build 2019: 6,000 attendees 2020: 230,000+ registrants[1] The 2022 conference was also held virtually[3]
    Stanford Institute for Human-Centered Artificial Intelligence A few hundred attendees expected for the original (cancelled) 2020 in-person conference 2020: 30,000 attendees attended the “COVID-19 and AI” virtual conference[2] The 2022 Spring Conference was a hybrid event[4]

    [1] Kelly, 2020; [2] Price, 2020; [3] Stanford Digital Economy Lab, 2022; [4] Warren, 2022; [5] Fast Company, 2020

    Info-Tech’s methodology for defining virtual/hybrid event requirements

    A diagram that shows defining event scope, creating list of requirements, and selecting software.

    Event planning phases

    Apply project management principles to your virtual/hybrid event planning process.

    Online event planning should follow the same established principles as in-person event planning.
    Align the event’s concept and objectives with organizational goals.

    A diagram of event planning phases
    Source: Adapted from Event Management Body of Knowledge, CC BY 4.0

    Gather inputs to the planning processes

    Acquire as much of this information as possible before you being the planning process.

    Budget: Determine your organization’s budget for this event to help decide the scope of the event and the purchasing decisions you make as you plan.

    Internal human resources: Identify who in your organization is usually involved in the organization of this event and if they are available to organize this one.

    List of communication and collaboration tools: Acquire the list of the existing communication and collaboration tools you are currently licensed for. Ensure you know the following information about each tool:

    • Type of license
    • License limitations (maximum number of users)
    • Internal or external-facing tool (or capable of both)
    • Level of internal training and competency on the tool

    Decision point: Relate event goals to organizational goals

    What is driving the event?

    Your organization may hold a variety of in-person events that you now wish, for various reasons, to hold fully or partially online. Each event likely has a slightly different set of goals.

    Before getting into the details of how to transition your event online, return to the business/organizational goals the event is serving.

    Ensure each event (and each component of each event) maps back to an organizational goal.

    If a component of the event does not align to an organizational goal, assess whether it should remain as part of the event.

    Common organizational goals

    • Increase revenue
    • Increase productivity
    • Attract and retain talent
    • Improve change management
    • Carry out organizational mission
    • Identify new markets
    • Increase market share
    • Improve customer service
    • Launch new product/service

    Common event goals

    • Education/training
    • Knowledge transfer
    • Decision making
    • Professional development
    • Sales/lead generation
    • Fundraising
    • Entertainment
    • Morale boosting
    • Recognition of achievement

    Decision point: Identify your organization’s digital event vision

    What do you want the outcome of this event to be?

    Attendee goals: Who are your attendees? Why do they attend this event? What attendee needs does your event serve? What is your event’s value proposition? Are they intrinsically or extrinsically motivated to attend?

    Event goals: From the organizer perspective, why do you usually hold this event? Who are your stakeholders?

    Organizational goals: How do the event goals map to your organizational goals? Is there a clear understanding of what the event’s larger strategic purpose is.

    Common attendee goals

    Education: our attendees need to learn something new that they cannot learn on their own.
    Networking: our attendees need to meet people and make new professional connections.
    Professional development: our attendees have certain obligations to keep credentials updated or to present their work publicly to advance their careers.
    Entertainment: our attendees need to have fun.
    Commerce: our attendees need to buy and sell things.

    Decision point: Level of external event production

    Will you be completely self-managed, reliant on external event production services, or somewhere in the middle?

    You can review this after working through the other decision points and the scope becomes clearer.

    A diagram that shows Level of external event production, comparing Completely self-managed vs Fully externally-managed.

    Decision point: Assign event planning roles

    Who will be involved in planning the event? Fill/combine these roles as needed.

    Planning roles Description
    Project manager Shepherd event planning until completion while ensuring project remains on schedule and on budget.
    Event manager Correspond with presenters during leadup to event, communicate how to use online event tools/platform, perform tests with presenters/exhibitors, coordinate digital event staff/volunteers.
    Program planner Select the topics, speakers, activity types, content, streams.
    Designer and copywriter Design the event graphics; compose copy for event website.
    Digital event technologist Determine event technology requirements; determine how event technology fits together; prepare RFP, if necessary, for new hardware/software.
    Platform administrator Set up registration system/integrate registrations into platform(s) of choice; upload video files and collateral; add livestream links; add/delete staff roles and set controls and permissions; collect statistics and recordings after event.
    Commercial partner liaison Recruit sponsors and exhibitors (offer sponsorship packages); facilitate agreement/contract between commercial partners and organization; train commercial partners on how to use event technology; retrieve lead data.
    Marketing/social media Plan and execute promotional campaigns (email, social media) in the lead up to, and during, the event. Post-event, send follow-up communications, recording files, and surveys.

    Decision point: Assign event production roles

    Who will be involved in running the event?

    Event production roles Description
    Hosts/MCs Address attendees at beginning and end of event, and in-between sessions
    Provide continuity throughout event
    Introduce sessions
    Producers Prepare presenters for performance
    Begin and end sessions
    Use controls to share screens, switch between feeds
    Send backchannel messages to presenters (e.g., "Up next," "Look into webcam")
    Moderators Admit attendees from waiting room
    Moderate incoming questions from attendees
    Manage slides
    Pass questions to host/panelists to answer
    Moderate chat
    IT support Manage event technology stack
    Respond to attendee technical issues
    Troubleshoot network connectivity problems
    Ensure audio and video operational
    Start and stop session recording
    Save session recordings and files (chat, Q&As)

    Decision point: Map attendee goals to event goals to organizational goals

    Input: List of attendee benefits, List of event goals, List of organizational goals
    Output: Ranked list of event goals as they relate to attendee needs and organizational goals
    Materials: Whiteboard/flip charts
    Participants: Planning team

    1. Define attendee benefits:
      1. List the attendee benefits derived from your event (as many as possible).
      2. Rank attendee benefits from most to least important.
    2. Define event goals:
      1. List your event goals (as many as possible).
      2. Draw a connecting line to your ranked list of attendee benefits.
      3. Identify if any event goals exist with no clear relationship to attendee benefits. Discuss whether this event goal needs to be re-envisioned. If it connects to no discernible attendee benefits, consider removing it. Otherwise, figure out what attendee benefits the event goal provides.
    3. Define organizational goals:
      1. Acquire a list of your organization’s main strategic goals.
      2. Draw a connecting line from each event goal to the organizational goal it supports.
      3. If most of your event goals do not immediately seem to support an organizational goal, discuss why this is. Try to find the connection. If you cannot, discuss whether the event should proceed or be rethought.

    Decision point: Break down your event into its constituent components

    Identify your event archetype

    Decompose the event into its component parts

    Identify technical requirements that help meet event goals

    Benefits:

    • Clarify how formerly in-person events map to virtual archetypes.
    • Ensure your virtual event planning is anchored to organizational goals from the outset.
    • Streamline your virtual event tech stack planning later.

    Decision point: Determine your event archetype

    Analyze your event’s:

    • Main goals.
    • The components and activities that support those goals.
    • How these components and activities fall into people- vs. content-centric activities, and real-time vs. asynchronous activities.
    1. Conference
    2. Trade show
    3. Annual general meeting
    4. Department meeting
    5. Town hall
    6. Workshop

    A diagram that shows people- vs. content-centric activities, and real-time vs. asynchronous activities

    Info-Tech Insight

    Begin the digital event planning process by understanding how your event’s content is typically consumed. This will help you make decisions later about how best to deliver the content virtually.

    Conference

    Goals: Education/knowledge transfer; professional advancement; networking.

    Major content

    • Call for proposals/circulation of abstracts
    • Keynotes or plenary address: key talk addressed to large audience
    • Panel sessions: multiple panelists deliver address on common theme
    • Poster sessions: staffed/unstaffed booths demonstrate visualization of major research on a poster
    • Association meetings (see also AGM archetype): professional associations hold AGM as one part of a larger conference agenda

    Community

    • Formal networking (happy hours, social outings)
    • Informal networking (hallway track, peer introductions)
    • Business card exchange
    • Pre- and post-event correspondence

    Commercial Partners

    • Booth reps: Publishing or industry representatives exhibit products/discuss collaboration

    A quadrants matrix of conference

    Trade show

    Objectives: Information transfer; sales; lead generation.

    Major content

    • Live booth reps answer questions
    • Product information displayed
    • Promotional/information material distributed
    • Product demonstrations at booths or onstage
    • Product samples distributed to attendees

    Community interactions

    • Statements of intent to buy
    • Lead generation (badge scanning) of booth visitors
    • Business card exchange
    • Pre- and post-event correspondence

    A quadrants matrix of Trade show

    Annual general meeting

    Objectives: Transparently update members; establish governance and alignment.

    Meeting events

    • Updates provided to members on organization’s activities/finances
    • Decisions made regarding organization’s direction
    • Governance over organization established (elections)
    • Speakers addressing large audience from stage
    • In-camera sessions
    • Translation of proceedings
    • Real-time weighted voting
    • Minutes taken during meeting

    Administration

    • Notice given of meeting within mandated time period
    • Agenda circulated prior to meeting
    • Distribution of proxy material
    • Minutes distributed

    A quadrants matrix of Annual general meeting

    Department meeting

    Objectives: Information transfer of company agenda/initiatives; group decision making.

    Major content

    • Agenda circulated prior to meeting
    • Updates provided from senior management/leadership to employees on organization’s initiatives and direction
    • Employee questions and feedback addressed
    • Group decision making
    • Minutes taken during meeting
    • Minutes or follow-up circulated

    A quadrants matrix of department meeting

    Town hall meeting

    Objectives: Update public; answer questions; solicit feedback.

    Major content

    • Public notice of meeting announced
    • Agenda circulated prior to meeting
    • Speakers addressing large audience from stage
    • Presentation of information pertinent to public interest
    • Audience members line up to ask questions/provide feedback
    • Translation of proceedings
    • Recording of meeting archived

    A quadrants matrix of Town hall meeting

    Workshop

    Objectives: Make progress on objective; achieve consensus; knowledge transfer.

    Major content

    • Scheduling of workshop
    • Agenda circulated prior to meeting
    • Facilitator leads group activities
    • Participants develop alignment on project
    • Progress achieved on workshop project
    • Feedback on workshop shared with facilitator

    A quadrants matrix of Workshop

    Decision point: Analyze your event’s purpose and value

    Use the event archetypes to help you identify your event’s core components and value proposition.

    1. Attendee types: Who typically attends your event? Exclusively internal participants? External participants? A mix of the two?
    2. Communication: How do participants usually communicate with each other during this event? How do they communicate with the event organizers? Include both formal types of communication (listening to panel sessions) and informal (serendipitous conversations in the hallway).
    3. Connection: What types of connections do your attendees need to experience? (networking with peers; interactions with booth reps; consensus building with colleagues).
    4. Exchange of material: What kind of material is usually exchanged at this event and between whom? (Pamphlets, brochures, business cards, booth swag).
    5. Engagement: How do you usually retain attendees' attention and make sure they remain engaged throughout the event?
    6. Length: How long does the event typically last?
    7. Location and setup: Where does the event usually take place and who is involved in its setup?
    8. Success metrics: How do you usually measure your event's success?

    Info-Tech Insight

    Avoid trying to exactly reproduce the formerly in-person event online. Instead, identify the value proposition of each event component, then determine what its virtual expression could be.

    Example: Trade show

    Goals: Information transfer; sales; lead generation.

    1. Identify event component(s)
    2. Document its face-to-face expression(s)
    3. Identify the expression’s value proposition
    4. Translate the value proposition to a virtual component that facilitates overall event goal

    Event component

    Face-to-face expression

    Value proposition of component

    Virtual expression

    Attendee types Paying attendees Revenue for event organizer; sales and lead generation for booth rep Access to virtual event space
    Attendee types Booth rep Revenue for event organizer; information source for paying attendees Access to virtual event space
    Communication/connection Conversation between booth rep and attendee Lead generation for booth rep; information to inform decision making for attendee Ability to enter open video breakout session staffed by booth reps OR

    Ability to schedule meeting times with booth rep

    Multiple booth reps on hand to monitor different elements of the booth (one person to facilitate the discussion over video, another to monitor chat and Q&A)
    Communication/connection Serendipitous conversation between attendees Increased attendee contacts; fun Multiple attendees can attend the booth’s breakout session simultaneously and participate in web conferencing, meeting chat, or submit questions to Q&A
    Communication/connection Badges scanned at booth/email sign-up sheets filled out at table Lead generation for exhibitors List of visitors to booth shared with exhibitor (if consent given by attendees)

    Ability for attendees to request to be contacted for more information
    Exchange of material Catering (complimentary coffee, pastries) Obviate the need for attendees to leave the event for refreshments N/A: not included in virtual event
    Exchange of material Pamphlets, product literature, swag Portable information for attendee decision making Downloadable files (pdf)
    Location Responsibility of both the organizers (tables, chairs, venue) and booth reps (posters, handouts) Booth reps need a dedicated space where they can be easily found by attendees and advertise themselves Booth reps need access to virtual platform to upload files, images, provide booth description
    Engagement Attendees able to visit all booths by strolling through space Event organizers have a captive audience who is present in the immediacy of the event site Attendees motivated to stay in the event space and attend booths through gamification strategies (points awarded for number of booths visited or appointments booked)
    Length of event 2 full days Attendees travel to event site and spend the entire 2 days at the event, allowing them to be immersed in the event and absorb as much information in as little time as possible Exhibitors’ visiting hours will be scheduled so they work for both attendees attending in Eastern Standard Time and Pacific Time
    Metrics for success -Positive word of mouth
    -Number of registrations
    These metrics can be used to advertise to future exhibitors and attendees Number of virtual booths visited

    Number of file downloads

    Survey sent to attendees after event (favorite booths, preferred way to interact with exhibitors, suggestions for improvement, most valuable part of experience)

    Plan your metrics

    Use the analytics and reporting features available in your event technology toolset to capture the data you want to measure. Decide how each metric will impact your planning process for the next event.

    Examples of metrics:

    • Number of overall participants/registrants: Did you have more or fewer registrants/attendees than previous iterations of the event? What is the difference between number of registrants and number of real attendees?
    • Locations of participants: Where are people participating from? How many are attending for the first time? Are there new audiences you can pursue next time?
    • Most/least popular sessions: How long did people stay in the sessions and the event overall?
    • Most/least popular breakout rooms and discussion boards: Which topics should be repeated/skipped next time?
    • Social media mentions: Which topics received the most engagement on social media?
    • Surveys: What do participants report enjoying most? Least?
    • Technical failures: Can your software report on failures? Identify what technical problems arose and prepare a plan to mitigate them next time.

    Ensure the data you capture feeds into better planning for the next event

    Determine compliance requirements

    A greater event reach also means new data privacy considerations, depending on the location of your guests.

    General Data Protection Regulation (GDPR)

    Concerns over the collection of personal electronic data may not have previously been a part of your event planning considerations. However, now that your event is online, it’s wise to explore which data protection regulations apply to you. Remember, even if your organization is not located in the EU, if any of your attendees are European data subjects you may still be required to comply with GDPR, which involves the notification of data collected, allowing for opt-out options and the right to have data purged. The data must be collected for a specific purpose; if that purpose is expired, it can no longer be retained. You also have an obligation to report any breaches.

    Accessibility requirements

    What kind of accessibility laws are you subject to (AODA, WCAG2)? Regardless of compliance requirements, it is a good idea to ensure the online event follows accessibility best practices.

    Decision point: Set event policies

    What event policies need to be documented?
    How will you communicate them to attendees?

    Code of conduct

    One trend in the large event and conference space in recent years has been the development of codes of conduct that attendees are required to abide by to continue participating in the event.
    Now that your event is online, consider whether your code of conduct requires updating. Are there new types of appropriate/inappropriate online behavior that you need to define for your attendees?

    Harassment reporting

    If your organization has an event harassment reporting process, determine how this process will transfer over to the digital event.
    Ensure the reporting process has an owner and a clear methodology to follow to deal with complaints, as well as a digital reporting channel (a dedicated email or form) that is only accessed by approved staff to protect sensitive information.

    Develop a risk management plan

    Plan for how you will mitigate technical risks during your virtual event
    Provide presenters with a process to follow if technical problems arise.

    • Presenter’s internet connection cuts out
    • Attendees cannot log in to event platform
    • Attendees cannot hear/see video feed
    • What process will be followed when technical problems occur: ticketing system; chatbot; generic email accessible by all IT support assigned

    Testing/Rehearsal

    Test audio hardware: Ensure speakers use headphones/earbuds and mics (they do not have to be fancy/expensive). Relying on the computer/laptop mic can lead to more ambient noise and potential feedback problems.

    Check lighting: Avoid backlighting. Reposition speakers so they are not behind windows. Ask them to open/close shades. Add lamps as needed.

    Prevent interruptions: Before the event, ask panelists to turn phone and computer notifications to silent. Put a sign on the door saying Do not Disturb.

    Control audience view of screenshare: If your presenters will be sharing their screens, teach them how this works on the platform they are using. Advise them to exit out of any other application that is not part of their presentation, so they do not share the wrong screen unintentionally. Advise them to remove anything from the desktop that they do not want the audience to see, in case their desktop becomes visible at any point.

    Control audience view of physical environment: Before the event, advise participants to turn their cameras on and examine their backgrounds. Remove anything the audience should not be able to see.

    Test network connectivity: Send the presenters a link to a speed test and check their internet speed.

    Emergency contact: Exchange cell phone numbers for emergency backchannel conversations if problems arise on the day of the event.

    Set expectations: Presenting to an online audience feels very different to a live crowd. Prepare presenters for a lack of applause and lack of ability to see their audience, and that this does not mean the presentation was unsuccessful.

    Identify requirements

    To determine what kind of technical requirements you need to build the virtual expression of your event, consult the Virtual Event Platform Requirements Tool.

    1. If you have determined that the requirements you wish to use for the event exceed the capabilities of your existing communication and collaboration toolset, identify whether these gaps tip the scale toward purchasing a new tool. Use the requirement gaps to make the business case for purchasing a new tool.
    2. Use the Virtual Event Platform Requirements Tool to create a list of requirements.
    3. Consult the Software Reviews category for Virtual Event Platform Data Quadrant and Emotional Footprint reports.
    4. Assemble your documentation for approvals and the Rapid Application Selection Process.

    A photo of Detailed Feature Analysis Worksheet.

    Download the Virtual/Hybrid Event Software Feature Analysis Tool

    Rapid Application Selection Framework and Contract Review

    A photo of Rapid Application Selection Framework
    Launch Info-Tech’s Rapid Application Selection Framework.

    Using the requirements you’ve just gathered as a base, use Info-Tech’s complete framework to improve the efficiency and effectiveness of software selection.

    Once you’ve selected a vendor(s), review the contract. Does it define an exit strategy? Does it define when your data will be deleted? Does it set service-level agreements that you find acceptable? Leverage Info-Tech’s contract review service once you have selected the virtual event solution and have received a contract from the vendor.

    Further research

    Photo of Run Better Meetings
    Run Better Meetings

    Bibliography

    Dutt, Raj. “7 Lessons from This Company’s First-Ever Virtual Conference.” Fast Company, 29 Jul 2020. Web.

    Kelly, Samantha Murphy. “Microsoft Build Proves Splashy Tech Events Can Thrive Online.” CNN, 21 May 2020. Web.

    “Phases.” Event Management Body of Knowledge (EMBOK), n.d. Web.

    Price, Michael. “As COVID-19 Forces Conferences Online, Scientists Discover Upsides of Virtual Format.” Science, 28 Apr 2020. Web.

    “Stanford HAI Spring Conference - Key Advances in Artificial Intelligence.” Stanford Digital Economy Lab, 2022. Web.

    “Virtual Event Tech Guide 2022.” Skift Meetings, April 2022. Web.

    Warren, Tom. “Microsoft Build 2022 Will Take Place May 24th–26th.” The Verge, 30 March 2022. Web.

    Contributors

    6 anonymous contributors

    IT Metrics and Dashboards During a Pandemic

    • Buy Link or Shortcode: {j2store}118|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement

    The ways you measure success as a business are based on the typical business environment, but during a crisis like a pandemic, the business environment is rapidly changing or significantly different.

    • How do you assess the scope of the risk?
    • How do you quickly align your team to manage new risks?
    • How do you remain flexible enough to adapt to a rapidly changing situation?

    Our Advice

    Critical Insight

    Measure what you have the data for and focus on managing the impacts to your employees, customers, and suppliers. Be willing to make decisions based on imperfect data. Don’t forget to keep an eye on the long-term objectives and remember that how you act now can reflect on your business for years to come.

    Impact and Result

    Use Info-Tech’s approach to:

    • Quickly assess the risk and identify critical items to manage.
    • Communicate what your decisions are based on so teams can either quickly align or challenge conclusions made from the data.
    • Quickly adjust your measures based on new information or changing circumstances.
    • Use the tools you already have and keep it simple.

    IT Metrics and Dashboards During a Pandemic Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to develop your temporary crisis dashboard.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Consider your organizational goals

    Identify the short-term goals for your organization and reconsider your long-term objectives.

    • Crisis Temporary Measures Dashboard Tool

    2. Build a temporary data collection and dashboard method

    Determine your tool for data collection and your data requirements and collect initial data.

    3. Implement a cadence for review and action

    Determine the appropriate cadence for reviewing the dashboard and action planning.

    [infographic]

    z-Series Modernization and Migration

    • Buy Link or Shortcode: {j2store}114|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    Under the best of circumstances, mainframe systems are complex, expensive, and difficult to scale. In today’s world, applications written for mainframe legacy systems also present significant operational challenges to customers compounded by the dwindling pool of engineers who specialize in these outdated technologies. Many organizations want to migrate their legacy applications to the cloud but to do so they need to go through a lengthy migration process that is made more challenging by the complexity of mainframe applications.

    Our Advice

    Critical Insight

    The most common tactic is for the organization to better realize their z/Series options and adopt a strategy built on complexity and workload understanding. To make the evident, obvious, the options here for the non-commodity are not as broad as with commodity server platforms and the mainframe is arguably the most widely used and complex non-commodity platform on the market.

    Impact and Result

    This research will help you:

    • Evaluate the future viability of this platform.
    • Assess the fit and purpose, and determine TCO
    • Develop strategies for overcoming potential challenges.
    • Determine the future of this platform for your organization.

    z/Series Modernization and Migration Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. z/Series Modernization and Migration Guide – A brief deck that outlines key migration options and considerations for the z/Series platform.

    This blueprint will help you assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of z/Series for your organization.

    • z/Series Modernization and Migration Storyboard

    2. Scale Up vs. Scale Out TCO Tool – A tool that provides organizations with a framework for TCO.

    Use this tool to play with the pre-populated values or insert your own amounts to compare possible database decisions, and determine the TCO of each. Note that common assumptions can often be false; for example, open-source Cassandra running on many inexpensive commodity servers can actually have a higher TCO over six years than a Cassandra environment running on a larger single expensive piece of hardware. Therefore, calculating TCO is an essential part of the database decision process.

    • Scale Up vs. Scale Out TCO Tool
    [infographic]

    Further reading

    z/Series Modernization and Migration

    The biggest migration is yet to come.

    Executive Summary

    Info-Tech Insight

    “A number of market conditions have coalesced in a way that is increasingly driving existing mainframe customers to consider running their application workloads on alternative platforms. In 2020, the World Economic Forum noted that 42% of core skills required to perform existing jobs are expected to change by 2022, and that more than 1 billion workers need to be reskilled by 2030.” – Dale Vecchio

    Your Challenge

    It seems like anytime there’s a new CIO who is not from the mainframe world there is immediate pressure to get off this platform. However, just as there is a high financial commitment required to stay on System Z, moving off is risky and potentially more costly. You need to truly understand the scale and complexity ahead of the organization.

    Common Obstacles

    Under the best of circumstances, mainframe systems are complex, expensive, and difficult to scale. In today’s world, applications written for mainframe legacy systems also present significant operational challenges to customers compounded by the dwindling pool of engineers who specialize in these outdated technologies. Many organizations want to migrate their legacy applications to the cloud, but to do so they need to go through a lengthy migration process that is made more challenging by the complexity of mainframe applications.

    Info-Tech Approach

    The most common tactic is for the organization to better realize its z/Series options and adopt a strategy built on complexity and workload understanding. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms and the mainframe is arguably the most widely used and complex non-commodity platform on the market.

    Review

    We help IT leaders make the most of their z/Series environment

    Problem statement:

    The z/Series remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited and aging resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap.

    This research is designed for:

    IT strategic direction decision makers.

    IT managers responsible for an existing z/Series platform.

    Organizations evaluating platforms for mission critical applications.

    This research will help you:

    1. Evaluate the future viability of this platform.
    2. Assess the fit and purpose, and determine TCO.
    3. Develop strategies for overcoming potential challenges.
    4. Determine the future of this platform for your organization.

    Analyst Perspective

    Good Luck.

    Darin Stahl.

    Modernize the mainframe … here we go again.

    Prior to 2020, most organizations were muddling around in “year eleven of the four-year plan” to exit the mainframe platform where a medium-term commitment to the platform existed. Since 2020, it appears the appetite for the mainframe platform changed. Again. Discussions mostly seem to be about what the options are beyond hardware outsourcing or re-platforming to “cloud” migration of workloads – mostly planning and strategy topics. A word of caution: it would appear unwise to stand in front of the exit door for fear of being trampled.

    Hardware expirations between now and 2025 are motivating hosting deployments. Others are in migration activities, and some have already decommissioned and migrated but now are trying to rehab the operations team now lacking direction and/or structure.

    There is little doubt that modernization and “digital transformation” trends will drive more exit traffic, so IT leaders who are still under pressure to get off the platform need to assess their options and decide. Being in a state of perpetually planning to get off the mainframe handcuffs your ability to invest in the mainframe, address deficiencies, and improve cost-effectiveness.

    Darin Stahl
    Principal Research Advisor, Infrastructure & Operations Research
    Info-Tech Research Group

    The mainframe “fidget spinner”

    Thinking of modernizing your mainframe can cause you angst so grab a fidget spinner and relax because we have you covered!

    External Business Pressures:

    • Digital transformation
    • Modernization programs
    • Compliance and regulations
    • TCO

    Internal Considerations:

    • Reinvest
    • Migrate to a new platform
    • Evaluate public and vendor cloud alternatives
    • Hosting versus infrastructure outsourcing

    Info-Tech Insight

    With multiple control points to be addressed, care must be taken to simplify your options while addressing all concerns to ease operational load.

    The analyst call review

    “Who has Darin talked with?” – Troy Cheeseman

    Dating back to 2011, Darin Stahl has been the primary z/Series subject matter expert within the Infrastructure & Operations Research team. Below represents the percentage of calls, per industry, where z/Series advisory has been provided by Darin*:

    37% - State Government

    19% - Insurance

    11% - Municipality

    8% - Federal Government

    8% - Financial Services

    5% - Higher Education

    3% - Retail

    3% - Hospitality/Resort

    3% - Logistics and Transportation

    3% - Utility

    Based on the Info-Tech call history, there is a consistent cross section of industry members who not only rely upon the mainframe but are also considering migration options.

    Note:

    Of course, this only represents industries who are Info-Tech members and who called for advisory services about the mainframe.

    There may well be more Info-Tech members with mainframes who have no topic to discuss with us about the mainframe specifically. Why do we mention this?

    We caution against suggesting things like, ”somewhat less than 50% of mainframes live in state data centers” or any other extrapolated inference from this data.

    Our viewpoint and discussion is based on the cases and the calls that we have taken over the years.

    *37+ enterprise calls were reviewed and sampled.

    Scale out versus scale up

    For most workloads “scale out" (e.g. virtualized cloud or IaaS ) is going to provide obvious and quantifiable benefits.

    However, with some workloads (extremely large analytics or batch processing ) a "scale up" approach is more optimal. But the scale up is really limited to very specific workloads. Despite some assumptions, the gains made when moving from scale up to scale out are not linear.

    Obviously, when you scale out from a performance perspective you experience a drop in what a single unit of compute can do. Additionally, there will be latency introduced in the form of network overhead, transactions, and replication into operations that were previously done just bypassing object references within a single frame.

    Some applications or use cases will have to be architected or written differently (thinking about the high-demand analytic workloads at large scale). Remember the “grid computing” craze that hit us during the early part of this century? It was advantageous for many to distribute work across a grid of computing devices for applications but the advantage gained was contingent on the workload able to be parsed out as work units and then pulled back together through the application.

    There can be some interesting and negative consequences for analytics or batch operations in a large scale as mentioned above. Bottom line, as experienced previously with Microfocus mainframe ports to x86, the batch operations simply take much longer to complete.

    Big Data Considerations*:

    • Value: Data has no inherent value until it’s used to solve a business problem.
    • Variety: The type of data being produced is increasingly diverse and ranges from email and social media to geo-spatial and photographic data. This data may be difficult to process using a structured data model.
    • Volume: The sheer size of the datasets is growing exponentially, often ranging from terabytes to petabytes. This is complicating traditional data management strategies.
    • Velocity: The increasing speed at which data is being collected and processed is also causing complications. Big data is often time sensitive and needs to be captured in real time as it is streaming into the enterprise.

    *Build a Strategy for Big Data Platforms

    Consider your resourcing

    Below is a summary of concerns regarding core mainframe skills:

    1. System Management (System Programmers): This is the most critical and hard-to-replace skill since it requires in-depth low-level knowledge of the mainframe (e.g. at the MVS level). These are skills that are generally not taught anymore, so there is a limited pool of experienced system programmers.
    2. Information Management System (IMS) Specialists: Requires a combination of mainframe knowledge and data analysis skills, which makes this a rare skill set. This is becoming more critical as business intelligence takes on an ever-increasing focus in most organizations.
    3. Application Development: The primary concern here is a shortage of developers skilled in older languages such as COBOL. It should be noted that this is an application issue; for example, this is not solved by migrating off mainframes.
    4. Mainframe Operators: This is an easier skill set to learn, and there are several courses and training programs available. An IT person new to mainframes could learn this position in about six weeks of on-the-job training.
    5. DB2 Administration: Advances in database technology have simplified administration (not just for DB2 but also other database products). As a result, as with mainframe operators, this is a skill set that can be learned in a short period of time on the job.

    The Challenge

    An aging workforce, specialized skills, and high salary expectations

    • Mainframe specialists, such as system programmers and IMS specialists, are typically over 50, have a unique skill set, and are tasked with running mission-critical systems.

    The In-House Solution:

    Build your mentorship program to create a viable succession plan

    • Get your money’s worth out of your experienced staff by having them train others.
    • Operator skills take about six weeks to learn. However, it takes about two years before a system programmer trainee can become fully independent. This is similar to the learning curve for other platforms; however, this is a more critical issue for mainframes since organizations have far fewer mainframe specialists to fall back on when senior staff retire or move on.

    Understand your options

    Migrate to another platform

    Use a hosting provider

    Outsource

    Re-platform (cloud/vendors)

    Reinvest

    There are several challenges to overcome in a migration project, from finding an appropriate alternative platform to rewriting legacy code. Many organizations have incurred huge costs in the attempt, only to be unsuccessful in the end, so make this decision carefully.

    Organizations often have highly sensitive data on their mainframes (e.g. financial data), so many of these organizations are reluctant to have this data live outside of their four walls. However, the convenience of using a hosting provider makes this an attractive option to consider.

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house.

    A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings
    “re-host.”

    If you’re staying with the mainframe and keeping it in-house, it’s important to continue to invest in this platform, keep it current, and look for opportunities to optimize its value.

    Migrate

    Having perpetual plans to migrate handcuffs your ability to invest in your mainframe, extend its value, and improve cost effectiveness.

    If this sounds like your organization, it’s time to do the analysis so you can decide and get clarity on the future of the mainframe in your organization.

    1. Identify current performance, availability, and security requirements. Assess alternatives based on this criteria.
    2. Review and use Info-Tech’s Mainframe TCO Comparison Tool to compare mainframe costs to the potential alternative platform.
    3. Assess the business risks and benefits. Can the alternative deliver the same performance, reliability, and security? If not, what are the risks? What do you gain by migrating?
    4. If migration is still a go, evaluate the following:
    • Do you have the expertise or a reliable third party to perform the migration, including code rewrites?
    • How long will the migration take? Can the business function effectively during this transition period?
    • How much will the migration cost? Is the value you expect to gain worth the expense?

    *3 of the top 4 challenges related to shortfalls of alternative platforms

    The image contains a bar graph that demonstrates challenges related to shortfalls of alternative platforms.

    *Source: Maximize the Value of IBM Mainframes in My Business

    Hosting

    Using a hosting provider is typically more cost-effective than running your mainframe in-house.

    Potential for reduced costs

    • Hosting enables you to reduce or eliminate your mainframe staff.
    • Economies of scale enable hosting providers to reduce software licensing costs. They also have more buying power to negotiate better terms.
    • Power and cooling costs are also transferred to the hosting provider.

    Reliable infrastructure and experienced staff

    • A quality hosting provider will have 24/7 monitoring, full redundancy, and proven disaster recovery capabilities.
    • The hosting provider will also have a larger mainframe staff, so they don’t have the same risk of suddenly being without those advanced critical skills.

    So, what are the risks?

    • A transition to a hosting provider usually means eliminating or significantly reducing your in-house mainframe staff. With that loss of in-house expertise, it will be next to impossible to bring the mainframe back in-house, and you become highly dependent on your hosting provider.

    Outsourcing

    The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house.

    The options here for the non-commodity (z/Series, IBM Power platforms, for example) are not as broad as with commodity server platforms. More confusingly, the term “outsourcing” for these can include:

    Traditional/Colocation – A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”

    Onsite Outsourcing – Here a provider will support the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.

    Managed Hosting – A customer transitions their legacy application environment to an off-prem hosted multi-tenanted environment. It will provide the most cost savings following the transition, stabilization, and disposal of existing environment. Some providers will provide software licensing, and some will also support “Bring Your Own,” as permitted by IBM terms for example.

    Info-Tech Insight

    Technical debt for non-commodity platforms isn’t only hardware based. Moving an application written for the mainframe onto a “cheaper” hardware platform (or outsourced deployment) leaves the more critical problems and frequently introduces a raft of new ones.

    Re-platform – z/Series COBOL Cloud

    Re-platforming is not trivial.

    While the majority of the coded functionality (JCLs, programs, etc.) migrate easily, there will be a need to re-code or re-write objects – especially if any object, code, or location references are not exactly the same in the new environment.

    Micro Focus has solid experience in this but if consider it within the context of an 80/20 rule (the actual metrics might be much better than that), meaning that some level of rework would have to be accomplished as an overhead to the exercise.

    Build that thought into your thinking and business case.

    AWS Cloud

    • Astadia (an AWS Partner) is re-platforming mainframe workloads to AWS. With its approach you reuse the original application source code and data to AWS services. Consider reviewing Amazon’s “Migrating a Mainframe to AWS in 5 Steps.”

    Azure Cloud

    Micro Focus COBOL (Visual COBOL)

    • Micro Focus' Visual COBOL also supports running COBOL in Docker containers and managing and orchestrating the containers with Kubernetes. I personally cannot imagine what sort of drunken bender decision would lead me to move COBOL into Docker and then use Kubernetes to run in GCP but there you are...if that's your Jam you can do it.

    Re-platform – z/Series (Non-COBOL)

    But what if it's not COBOL?

    Yeah, a complication for this situation is the legacy code.

    While re-platforming/re-hosting non-COBOL code is not new, we have not had many member observations compared to the re-platforming/re-hosting of COBOL functionality initiatives.

    That being said, there are a couple of interesting opportunities to explore.

    NTT Data Services (GLOBAL)

    • Most intriguing is the re-hosting of a mainframe environment into AWS. Not sure if the AWS target supports NATURAL codebase; it does reference Adabas however (Re-Hosting Mainframe Applications to AWS with NTT DATA Services). Nevertheless, NTT has supported re-platforming and NATURAL codebase environments previously.

    ModernSystems (or ModSys) has relevant experience.

    • ModSys is the resulting entity following a merger between BluePhoenix and ATERAS a number of years ago. ATERAS is the entity I find references to within my “wayback machine” for member discussions. There are also a number of published case studies still searchable about ATERAS’ successful re-platforming engagements, including the California Public Employees Retirement System (CalPERS) most famously after the Accenture project to rewrite it failed.

    ATOS, as a hosting vendor mostly referenced by customers with global locations in a short-term transition posture, could be an option.

    Lastly, the other Managed Services vendors with NATURAL and Adabas capabilities:

    Reinvest

    By contrast, reducing the use of your mainframe makes it less cost-effective and more challenging to retain in-house expertise.

    • For organizations that have migrated applications off the mainframe (at least partly to reduce dependency on the platform), inevitably there remains a core set of mission critical applications that cannot be moved off for reasons described on the “Migrate” slide. This is when the mainframe becomes a costly burden:
      • TCO is relatively high due to low utilization.
      • In-house expertise declines as workload declines and current staffing allocations become harder to justify.
    • Organizations that are instead adding capacity and finding new ways to use this platform have lower cost concerns and resourcing challenges. The charts below illustrate this correlation. While some capacity growth is due to normal business growth, some is also due to new workloads, and it reflects an ongoing commitment to the platform.

    *92% of organizations that added capacity said TCO is lower than for commodity servers (compared to 50% of those who did not add capacity)

    *63% of organizations that added capacity said finding resources is not very difficult (compared to 42% of those who did not add capacity)

    The image contains a bar graph as described in the above text. The image contains a bar graph as described in the above text.

    *Maximize the Value of IBM Mainframes in My Business

    An important thought about data migration

    Mainframe data migrations – “VSAM, IMS, etc.”

    • While the application will be replaced and re-platformed, there is the historical VIN data remaining in the VSAM files and access via the application. The challenge is that a bulk conversion can add upfront costs and delay the re-platforming of the application functionality. Some shops will break the historical data migration into a couple of phases.
    • While there are technical solutions to accessing VSAM data stores, what I have observed with other members facing a similar scenario is a need to “shrink” the data store over time. The technical accesses to historical VSAM records would also have a lifespan, and rather than kicking the can down the road indefinitely, many have turned to a process-based solution allowing them to shrink the historical data store over time. I have observed three approaches to the handling or digitization of historical records like this:

    Temporary workaround. This would align with a technical solution allowing the VASM files to be accessed using platforms other than on mainframe hardware (Micro Focus or other file store trickery). This can be accomplished relatively quickly but does run the risk of technology obsolesce for the workaround at some point in the future.

    Bulk conversion. This method would involve the extract/transform/load of the historical records into the new application platform. Often the order of the conversion is completed on work newest to oldest (the idea is that the newest historical records would have the highest likelihood of an access need), but all files would be converted to the new application and the old data store destroyed.

    Forward convert, which would have files undergo the extract/transform/load conversion into the new application as they are accessed or reopened. This method would keep historical records indefinitely or until they are converted – or the legal retention schedule allows for their destruction (hopefully no file must be kept forever). This could be a cost-efficient approach since the historical files remaining on the VSAM platform would be shrunk over time based on demand from the district attorney process. The conversion process could be automated and scripted, with a QR step allowing for the records to be deleted from the old platform.

    Info-Tech Insight

    It is not usual for organizations to leverage options #2 and #3 above to move the functionality forward while containing the scope creep and costs for the data conversions.

    Enterprise class job scheduling

    Job scheduling or data center automation?

    • Enterprise class job scheduling solutions enable complex unattended batched programmatically conditioned task/job scheduling.
    • Data center automation (DCIM) software automates and orchestrates the processes and workflow for infrastructure operations including provisioning, configuring, patching of physical, virtual, and cloud servers, and monitoring of tasks involved in maintaining the operations of a data center or Infrastructure environment.
    • While there maybe some overlap and or confusion between data center automation and enterprise class job scheduling solutions, data center automation (DCIM) software solutions are least likely to have support for non-commodity server platforms and lack robust scheduling functionality.

    Note: Enterprise job scheduling is a topic with low member interest or demand. Since our published research is driven by members’ interest and needs, the lack of activity or member demand would obviously be a significant influence into our ability to aggregate shared member insight, trends, or best practices in our published agenda.

    Data Center Automation (DCIM) Software

    Orchestration/Provisioning Software

    Enterprise class job scheduling features

    The feature set for these tools is long and comprehensive. The feature list below is not exhaustive as specific tools may have additional product capabilities. At a minimum, the solutions offered by the vendors in the list below will have the following capabilities:

    • Automatic restart and recovery
    • File management
    • Integration with security systems such as AD
    • Operator alerts
    • Ability to control spooling devices
    • Cross-platform support
    • Cyclical scheduling
    • Deadline scheduling
    • Event-based scheduling / triggers
    • Inter-dependent jobs
    • External task monitoring (e.g. under other sub-systems)
    • Multiple calendars and time-zones
    • Scheduling of packaged applications (such as SAP, Oracle, JD Edwards)
    • The ability to schedule web applications (e.g. .net, java-based)
    • Workload analysis
    • Conditional dependencies
    • Critical process monitoring
    • Event-based automation (“self-healing” processes in response to common defined error conditions)
    • Graphical job stream/workflow visualization
    • Alerts (job failure notifications, task thresholds (too long, too quickly, missed windows, too short, etc.) via multiple channels
    • API’s supporting programmable scheduler needs
    • Virtualization support
    • Workload forecasting and workload planning
    • Logging and message data supporting auditing capabilities likely to be informed by or compliant with regulatory needs such as Sarbanes, Gramme-Leach
    • Historical reporting
    • Auditing reports and summaries

    Understand your vendors and tools

    List and compare the job scheduling features of each vendor.

    • This is not presented as an exhaustive list.
    • The list relies on observations aggregated from analyst engagements with Info-Tech Research Group members. Those member discussions tend to be heavily tilted toward solutions supporting non-commodity platforms.
    • Nothing is implied about a solution suitability or capability by the order of presentation or inclusion or absence in this list.

    ✓ Advanced Systems Concepts

    ✓ BMC

    ✓ Broadcom

    ✓ HCL

    ✓ Fortra

    ✓ Redwood

    ✓ SMA Technologies

    ✓ StoneBranch

    ✓ Tidal Software

    ✓ Vinzant Software

    Info-Tech Insight

    Creating vendor profiles will help quickly filter the solution providers that directly meet your z/Series needs.

    Advanced Systems Concepts

    ActiveBatch

    Workload Management:

    Summary

    Founded in 1981, ASCs ActiveBatch “provides a central automation hub for scheduling and monitoring so that business-critical systems, like CRM, ERP, Big Data, BI, ETL tools, work order management, project management, and consulting systems, work together seamlessly with minimal human intervention.”*

    URL

    advsyscon.com

    Coverage:

    Global

    Amazon EC2

    Hadoop Ecosystem

    IBM Cognos

    DataStage

    IBM PureData (Netezza)

    Informatica Cloud

    Microsoft Azure

    Microsoft Dynamics AX

    Microsoft SharePoint

    Microsoft Team Foundation Server

    Oracle EBS

    Oracle PeopleSoft

    SAP

    BusinessObjects

    ServiceNow

    Teradata

    VMware

    Windows

    Linux

    Unix

    IBM i

    *Advanced Systems Concepts, Inc.


    BMC

    Control-M

    Workload Management:

    Summary

    Founded in 1980, BMCs Control-M product “simplifies application and data workflow orchestration on premises or as a service. It makes it easy to build, define, schedule, manage, and monitor production workflows, ensuring visibility, reliability, and improving SLAs.”*

    URL

    bmc.com/it-solutions/control-m.html

    Coverage:

    Global

    AWS

    Azure

    Google Cloud Platform

    Cognos

    IBM InfoSphere

    DataStage

    SAP HANA

    Oracle EBS

    Oracle PeopleSoft

    BusinessObjects

    ServiceNow

    Teradata

    VMware

    Windows

    Linux

    Unix

    IBM i

    IBM z/OS

    zLinux

    *BMC

    Broadcom

    Atomic Automation

    Autosys Workload Automation

    Workload Management:

    Summary

    Broadcom offers Atomic Automation and Autosys Workload Automation which ”gives you the agility, speed and reliability required for effective digital business automation. From a single unified platform, Atomic centrally provides the orchestration and automation capabilities needed accelerate your digital transformation and support the growth of your company.”*

    URL

    broadcom.com/products/software/automation/automic-automation

    broadcom.com/products/software/automation/autosys

    Coverage:

    Global


    Windows

    MacOS

    Linux

    UNIX

    AWS

    Azure

    Google Cloud Platform

    VMware

    z/OS

    zLinux

    System i

    OpenVMS

    Banner

    Ecometry

    Hadoop

    Oracle EBS

    Oracle PeopleSoft

    SAP

    BusinessObjects

    ServiceNow

    Teradata

    VMware

    Windows

    Linux

    Unix

    IBM i

    *Broadcom

    HCL

    Workload Automation

    Workload Management:

    Summary

    “HCL Workload Automation streamlined modelling, advanced AI and open integration for observability. Accelerate the digital transformation of modern enterprises, ensuring business agility and resilience with our latest version of one stop automation platform. Orchestrate unattended and event-driven tasks for IT and business processes from legacy to cloud and kubernetes systems.”*

    URL

    hcltechsw.com/workload-automation

    Coverage:

    Global


    Windows

    MacOS

    Linux

    UNIX

    AWS

    Azure

    Google Cloud Platform

    VMware

    z/OS

    zLinux

    System i

    OpenVMS

    IBM SoftLayer

    IBM BigInsights

    IBM Cognos

    Hadoop

    Microsoft Dynamics 365

    Microsoft Dynamics AX

    Microsoft SQL Server

    Oracle E-Business Suite

    PeopleSoft

    SAP

    ServiceNow

    Apache Oozie

    Informatica PowerCenter

    IBM InfoSphere DataStage

    Salesforce

    BusinessObjects BI

    IBM Sterling Connect:Direct

    IBM WebSphere MQ

    IBM Cloudant

    Apache Spark

    *HCL Software

    Fortra

    JAMS Scheduler

    Workload Management:

    Summary

    Fortra’s “JAMS is a centralized workload automation and job scheduling solution that runs, monitors, and manages jobs and workflows that support critical business processes.

    JAMS reliably orchestrates the critical IT processes that run your business. Our comprehensive workload automation and job scheduling solution provides a single pane of glass to manage, execute, and monitor jobs—regardless of platforms or applications.”*

    URL

    jamsscheduler.com

    Coverage:

    Global


    OpenVMS

    OS/400

    Unix

    Windows

    z/OS

    SAP

    Oracle

    Microsoft

    Infor

    Workday

    AWS

    Azure

    Google Cloud Compute

    ServiceNow

    Salesforce

    Micro Focus

    Microsoft Dynamics 365

    Microsoft Dynamics AX

    Microsoft SQL Server

    MySQL

    NeoBatch

    Netezza

    Oracle PL/SQL

    Oracle E-Business Suite

    PeopleSoft

    SAP

    SAS

    Symitar

    *JAMS

    Redwood

    Redwood SaaS

    Workload Management:

    Summary

    Founded in 1993 and delivered as a SaaS solution, ”Redwood lets you orchestrate securely and reliably across any application, service or server, in the cloud or on-premises, all inside a single platform. Automation solutions are at the core of critical business operations such as forecasting, replenishment, reconciliation, financial close, order to cash, billing, reporting, and more. Enterprises in every industry — from manufacturing, utility, retail, and biotech to healthcare, banking, and aerospace.”*

    URL

    redwood.com

    Coverage:

    Global


    OpenVMS

    OS/400

    Unix

    Windows

    z/OS

    SAP

    Oracle

    Microsoft

    Infor

    Workday

    AWS

    Azure

    Google Cloud Compute

    ServiceNow

    Salesforce

    Github

    Office 365

    Slack

    Dropbox

    Tableau

    Informatica

    SAP BusinessObjects

    Cognos

    Microsoft Power BI

    Amazon QuickSight

    VMware

    Xen

    Kubernetes

    *Redwood

    Fortra

    Robot Scheduler

    Workload Management:

    Summary

    “Robot Schedule’s workload automation capabilities allow users to automate everything from simple jobs to complex, event-driven processes on multiple platforms and centralize management from your most reliable system: IBM i. Just create a calendar of when and how jobs should run, and the software will do the rest.”*

    URL

    fortra.com/products/job-scheduling-software-ibm-i

    Coverage:

    Global


    IBM i (System i, iSeries, AS/400)

    AIX/UNIX

    Linux

    Windows

    SQL/Server

    Domino

    JD Edwards EnterpriseOne

    SAP

    Automate Schedule (formerly Skybot Scheduler)

    *Fortra

    SMA Technologies

    OpCon

    Workload Management:

    Summary

    Founded in1980, SMA offers to “save time, reduce error, and free your IT staff to work on more strategic contributions with OpCon from SMA Technologies. OpCon offers powerful, easy-to-use workload automation and orchestration to eliminate manual tasks and manage workloads across business-critical operations. It's the perfect fit for financial institutions, insurance companies, and other transactional businesses.”*

    URL

    smatechnologies.com

    Coverage:

    Global

    Windows

    Linux

    Unix

    z/Series

    IBM i

    Unisys

    Oracle

    SAP

    Microsoft Dynamics AX

    Infor M3

    Sage

    Cegid

    Temenos

    FICS

    Microsoft Azure Data Management

    Microsoft Azure VM

    Amazon EC2/AWS

    Web Services RESTful

    Docker

    Google Cloud

    VMware

    ServiceNow

    Commvault

    Microsoft WSUS

    Microsoft Orchestrator

    Java

    JBoss

    Asysco AMT

    Tuxedo ART

    Nutanix

    Corelation

    Symitar

    Fiserv DNA

    Fiserv XP2

    *SMA Technologies

    StoneBranch

    Universal Automation Center (UAC)

    Workload Management:

    Summary

    Founded in 1999, ”the Stonebranch Universal Automation Center (UAC) is an enterprise-grade business automation solution that goes beyond traditional job scheduling. UAC's event-based workload automation solution is designed to automate and orchestrate system jobs and tasks across all mainframe, on-prem, and hybrid IT environments. IT operations teams gain complete visibility and advanced control with a single web-based controller, while removing the need to run individual job schedulers across platforms.”*

    URL

    stonebranch.com/it-automation-solutions/enterprise-job-scheduling

    Coverage:

    Global

    Windows

    Linux

    Unix

    z/Series

    Apache Kafka

    AWS

    Databricks

    Docker

    GitHub

    Google Cloud

    Informatica

    Jenkins

    Jscape

    Kubernetes

    Microsoft Azure

    Microsoft SQL

    Microsoft Teams

    PagerDuty

    PeopleSoft

    Petnaho

    RedHat Ansible

    Salesforce

    SAP

    ServiceNow

    Slack

    SMTP and IMAP

    Snowflake

    Tableau

    VMware

    *Stonebranch

    Tidal Software

    Workload Automation

    Workload Management:

    Summary

    Founded in 1979, Tidal’s Workload Automation will “simplify management and execution of end-to-end business processes with our unified automation platform. Orchestrate workflows whether they're running on-prem, in the cloud or hybrid environments.”*

    URL

    tidalsoftware.com

    Coverage:

    Global

    CentOS

    Linux

    Microsoft Windows Server

    Open VMS

    Oracle Cloud

    Oracle Enterprise Linux

    Red Hat Enterprise Server

    Suse Enterprise

    Tandem NSK

    Ubuntu

    UNIX

    HPUX (PA-RISC, Itanium)

    Solaris (Sparc, X86)

    AIX, iSeries

    z/Linux

    z/OS

    Amazon AWS

    Microsoft Azure

    Oracle OCI

    Google Cloud

    ServiceNow

    Kubernetes

    VMware

    Cisco UCS

    SAP R/3 & SAP S/4HANA

    Oracle E-Business

    Oracle ERP Cloud

    PeopleSoft

    JD Edwards

    Hadoop

    Oracle DB

    Microsoft SQL

    SAP BusinessObjects

    IBM Cognos

    FTP/FTPS/SFTP

    Informatica

    *Tidal

    Vinzant Software

    Global ECS

    Workload Management:

    Summary

    Founded in 1987, Global ECS can “simplify operations in all areas of production with the GECS automation framework. Use a single solution to schedule, coordinate and monitor file transfers, database operations, scripts, web services, executables and SAP jobs. Maximize efficiency for all operations across multiple business units intelligently and automatically.”*

    URL

    vinzantsoftware.com

    Coverage:

    Global

    Windows

    Linux

    Unix

    iSeries

    SAP R/3 & SAP S/4HANA

    Oracle, SQL/Server

    *Vizant Software

    Activity

    Scale Out or Scale Up

    Activities:

    1. Complete the Scale Up vs. Scale Out TCO Tool.
    2. Compare total lifecycle costs to determine TCO.

    This activity involves the following participants:

    IT strategic direction decision makers

    IT managers responsible for an existing z/Series platform

    Organizations evaluating platforms for mission critical applications

    Outcomes of this step:

    • Completed Scale Up vs. Scale Out TCO Tool

    Info-Tech Insight

    This checkpoint process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.

    Scale out versus scale up activity

    The Scale Up vs. Scale Out TCO Tool provides organizations with a framework for estimating the costs associated with purchasing and licensing for a scale-up and scale-out environment over a multi-year period.

    Use this tool to:

    • Compare the pre-populated values.
    • Insert your own amounts to contrast possible database decisions and determine the TCO of each.
    The image contains screenshots of the Scale Up vs. Scale Out TCO Tool.

    Info-Tech Insight

    Watch out for inaccurate financial information. Ensure that the financials for cost match your maintenance and contract terms.

    Use the Scale Up vs. Scale Out TCO Tool to determine your TCO options.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services

    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap

    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Define Your Cloud Vision

    Make the most of cloud for your organization.

    Document Your Cloud Strategy

    Drive consensus by outlining how your organization will use the cloud.

    Build a Strategy for Big Data Platforms

    Know where to start and where to focus attention in the implementation of a big data strategy.

    Create a Better RFP Process

    Improve your RFPs to gain leverage and get better results.

    Research Authors

    Darin Stahl.

    Darin Stahl, Principal Research Advisor, Info-Tech Research Group

    Darin is a Principal Research Advisor within the Infrastructure Practice, and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring/ APM, Managed FTP, non-commodity servers (z/Series, mainframe, IBM i, AIX, Power PC).

    Troy Cheeseman.

    Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 25 years of IT management experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups.

    Bibliography

    “AWS Announces AWS Mainframe Modernization.” Business Wire, 30 Nov. 2021.
    de Valence, Phil. “Migrating a Mainframe to AWS in 5 Steps with Astadia?” AWS, 23 Mar. 2018.
    Graham, Nyela. “New study shows mainframes still popular despite the rise of cloud—though times are changing…fast?” WatersTechnology, 12 Sept. 2022.
    “Legacy applications can be revitalized with API.” MuleSoft, 2022.
    Vecchio, Dale. “The Benefits of Running Mainframe Applications on LzLabs Software Defined Mainframe® & Microsoft Azure.” LzLabs Sites, Mar. 2021.

    Security Priorities 2022

    • Buy Link or Shortcode: {j2store}244|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Ransomware activities and the cost of breaches are on the rise.
    • Cybersecurity talent is hard to find, and an increasing number of cybersecurity professionals are considering leaving their jobs.
    • Moving to the digital world increases the risk of a breach.

    Our Advice

    Critical Insight

    • The pandemic has fundamentally changed the technology landscape. Security programs must understand how their threat surface is now different and adapt their controls to meet the challenge.
    • The upside to the upheaval in 2021 is new opportunities to modernize your security program.

    Impact and Result

    • Use the report to ensure your plan in 2022 addresses what’s important in cybersecurity.
    • Understand the current situation in the cybersecurity space.

    Security Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Security Priorities 2022 – A report that describes priorities and recommendations for CISOs in 2022.

    Use this report to understand the current situation in the cybersecurity space and inform your plan for 2022. This report includes sections on protecting against and responding to ransomware, acquiring and retaining talent, securing a remote workforce, securing digital transformation, and adopting zero trust.

    • Security Priorities for 2022 Report

    Infographic

    Further reading

    Security Priorities 2022

    The pandemic has changed how we work

    disruptions to the way we work caused by the pandemic are here to stay.

    The pandemic has introduced a lot of changes to our lives over the past two years, and this is also true for various aspects of how we work. In particular, a large workforce moved online overnight, which shifted the work environment rapidly.

    People changed how they communicate, how they access company information, and how they connect to the company network. These changes make cybersecurity a more important focus than ever.

    Although changes like the shift to remote work occurred in response to the pandemic, they are largely expected to remain, regardless of the progression of the pandemic itself. This report will look into important security trends and the priorities that stemmed from these trends.

    30% more professionals expect transformative permanent change compared to one year ago.

    47% of professionals expect a lot of permanent change; this remains the same as last year. (Source: Info-Tech Tech Trends 2022 Survey; N=475)

    The cost of a security breach is rising steeply

    The shift to remote work exposes organizations to more costly cyber incidents than ever before.

    $4.24 million

    Average cost of a data breach in 2021
    The cost of a data breach rose by nearly 10% in the past year, the highest rate in over seven years.

    $1.07 million

    More costly when remote work involved in the breach

    The average cost of breaches where remote work is involved is $1.07 million higher than breaches where remote work is not involved.

    The ubiquitous remote work that we saw in 2021 and continue to see in 2022 can lead to more costly security events. (Source: IBM, 2021)

    Remote work is here to stay, and the cost of a breach is higher when remote work is involved.

    The cost comes not only directly from payments but also indirectly from reputational loss. (Source: IBM, 2021)

    Security teams can participate in the solution

    The numbers are clear: in 2022, when we face a threat environment like WE’VE never EXPERIENCED before, good security is worth the investment

    $1.76 million

    Saved when zero trust is deployed facing a breach

    Zero trust controls are realistic and effective controls.

    Organizations that implement zero trust dramatically reduce the cost of an adverse security event.

    35%

    More costly if it takes more than 200 days to identify and contain a breach

    With increased BYOD and remote work, detection and response is more challenging than ever before – but it is also highly effective.

    Organizations that detect and respond to incidents quickly will significantly reduce the impact. (Source: IBM, 2021)

    Breaches are 34% less costly when mature zero trust is implemented.

    A fully staffed and well-prepared security team could save the cost through quick responses. (Source: IBM, 2021)

    Top security priorities and constraints in 2022

    Survey results

    As part of its research process for the 2022 Security Priorities Report, Info-Tech Research Group surveyed security and IT leaders (N=97) to ask their top security priorities as well as their main obstacles to security success in 2022:

    Top Priorities
    A list of the top three priorities identified in the survey with their respective percentages, 'Acquiring and retaining talent, 30%', 'Protecting against and responding to ransomware, 23%', and 'Securing a remote workforce, 23%'.

    Survey respondents were asked to force-rank their security priorities.

    Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.

    Top Obstacles
    A list of the top three obstacles identified in the survey with their respective percentages, 'Staffing constraints, 31%', 'Demand of ever-changing business environment, 23%', and 'Budget constraints, 15%'.

    Talent management is both the #1 priority and the top obstacle facing security leaders in 2022.

    Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.

    We know the priorities…

    But what are security leaders actually working on?

    This report details what we see the world demanding of security leaders in the coming year.

    Setting aside the demands – what are security leaders actually working on?

    A list of 'Top security topics among Info-Tech members' with accompanying bars, 'Security Strategy', 'Security Policies', 'Security Operations', 'Security Governance', and 'Security Incident Response'.

    Many organizations are still mastering the foundations of a mature cybersecurity program.

    This is a good idea!

    Most breaches are still due to gaps in foundational security, not lack of advanced controls.

    We know the priorities…

    But what are security leaders actually working on?

    A list of industries with accompanying bars representing their demand for security. The only industry with a significant positive percentage is 'Government'. Security projects included in annual plan relative to industry.

    One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets.

    Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs.

    5 Security Priorities for 2022 Logo for Info-Tech. Logo for ITRG.

    People

    1. Acquiring and Retaining Talent
      Create a good working environment for existing and potential employees. Invest time and effort into talent issues to avoid being understaffed.
    2. Securing a Remote Workforce
      Create a secure environment for users and help your people build safe habits while working remotely.

    Process

    1. Securing Digital Transformation
      Build in security from the start and check in frequently to create agile and secure user experiences.

    Technology

    1. Adopting Zero Trust
      Manage access of sensitive information based on the principle of least privilege.
    2. Protecting Against and Responding to Ransomware
      Put in your best effort to build defenses but also prepare for a breach and know how to recover.

    Main Influencing Factors

    COVID-19 Pandemic
    The pandemic has changed the way we interact with technology. Organizations are universally adapting their business and technology processes to fit the post-pandemic paradigm.
    Rampant Cybercrime Activity
    By nearly every conceivable metric, cybercrime is way up in the past two years. Cybercriminals smell blood and pose a more salient threat than before. Higher standards of cybersecurity capability are required to respond to this higher level of threat.
    Remote Work and Workforce Reallocation
    Talented IT staff across the globe enabled an extraordinarily fast shift to remote and distance work. We must now reckon with the security and human resourcing implications of this huge shift.

    Acquire and Retain Talent

    Priority 01

    Security talent was in short supply before the pandemic, and it's even worse now.

    Executive summary

    Background

    Cybersecurity talent has been in short supply for years, but this shortage has inflected upward since the pandemic.

    The Great Resignation contributed to the existing talent gap. The pandemic has changed how people work as well as how and where they choose work. More and more senior workers are retiring early or opting for remote working opportunities.

    The cost to acquire cybersecurity talent is huge, and the challenge doesn’t end there. Retaining top talent can be equally difficult.

    Current situation

    • A 2021 survey by ESG shows that 76% of security professional agree it’s difficult to recruit talent, and 57% said their organization is affected by this talent shortage.
    • (ISC)2 reports there are 2.72 million unfilled job openings and an increasing workforce gap (2021).

    2.72 million unfilled cybersecurity openings (Source: (ISC)2, 2021)

    IT leaders must do more to attract and retain talent in 2022

    • Over 70% of IT professionals are considering quitting their jobs (TalentLMS, 2021). Meanwhile, 51% of surveyed cybersecurity professionals report extreme burnout during the last 12 months and many of them have considered quitting because of it (VMWare, 2021).
    • Working remotely makes it easier for people to look elsewhere, lowering the barrier to leaving.
    • This is a big problem for security leaders, as cybersecurity talent is in very short supply. The cost of acquiring and retaining quality cybersecurity staff in 2022 is significant, and many organizations are unwilling or unable to pay the premium.
    • Top talent will demand flexible working conditions – even though remote work comes with security risk.
    • Most smart, talented new hires in 2022 are demanding to work remotely most of the time.
    Top reasons for resignations in 2021
    Burnout 30%
    Other remote opportunities 20%
    Lack of growth opportunities 20%
    Poor culture 20%
    Acquisition concerns 10%
    (Source: Survey of West Coast US cybersecurity professionals; TechBeacon, 2021)

    Talent will be 2022’s #1 strength and #1 weakness

    Staffing obstacles in 2022:

    “Attracting and retaining talent is always challenging. We don’t pay as well and my org wants staff in the office at least half of the time. Most young, smart, talented new hires want to work remotely 100 percent of the time.“

    “Trying to grow internal resources into security roles.”

    “Remote work expectations by employees and refusal by business to accommodate.”

    “Biggest obstacle: payscales that are out of touch with cybersecurity market.”

    “Request additional staff. Obtaining funding for additional position is most significant obstacle.”

    (Info-Tech Tech Security Priorities Survey 2022)
    Top obstacles in 2022:

    As you can see, respondents to our security priorities survey have strong feelings on the challenges of staffing a cybersecurity team.

    The growth of remote work means local talent can now be hired by anybody, vastly increasing your competition as an employer.

    Hiring local will get tougher – but so will hiring abroad. People who don’t want to relocate for a new job now have plenty of alternatives. Without a compelling remote work option, you will find non-local prospects unwilling to move for a new job.

    Lastly, many organizations are still reeling at the cost of experienced cybersecurity talent. Focused internal training and development will be the answer for many organizations.

    Recommended Actions

    Provide career development opportunities

    Many security professionals are dissatisfied with their unclear career development paths. To improve retention, organizations should provide their staff with opportunities and clear paths for career and skills advancement.

    Be open-minded when hiring

    To broaden the candidate pool, organizations should be open-minded when considering who to hire.

    • Enable remote work.
    • Do not fixate on certificates and years of experience; rather, be open to developing those who have the right interest and ability.
    • Consider using freelance workers.
    Facilitate work-life balance

    Many security professionals say they experience burnout. Promoting work-life balance in your organization can help retain critical skills.

    Create inclusive environment

    Hire a diverse team and create an inclusive environment where they can thrive.

    Talent acquisition and retention plan

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Address a top priority and a top obstacle with a plan to attract and retain top organizational and cybersecurity talent.

    Initiative Description:

    • Provide secure remote work capabilities for staff.
    • Work with HR to refine a hiring plan that addresses geographical and compensation gaps with cybersecurity and general staff.
    • Survey staff engagement to identify points of friction and remediate where needed.
    • Define a career path and growth plan for staff.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.
    Reduction in costs due to turnover and talent loss

    Other Expected Business Benefits:

    Arrow pointing up.
    Productivity due to good morale/ engagement
    Arrow pointing up.
    Improved corporate culture
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Big organizational and cultural changes
    • Increased attack surface of remote/hybrid workforce

    Related Info-Tech Research:

    Secure a Remote Workforce

    Priority 02

    Trends suggest remote work is here to stay. Addressing the risk of insecure endpoints can no longer be deferred.

    Executive summary

    Remote work poses unique challenges to cybersecurity teams. The personal home environment may introduce unauthorized people and unknown network vulnerabilities, and the organization loses nearly all power and influence over the daily cyber hygiene of its users.

    In addition, the software used for enabling remote work itself can be a target of cybersecurity criminals.

    Current situation

    • 70% of workers in technical services work from home.
    • Employees of larger firms and highly paid individuals are more likely to be working outside the office.
    • 80% of security and business leaders find that remote work has increased the risk of a breach.
    • (Source: StatCan, 2021)

    70% of tech workers work from home (Source: Statcan, 2021)

    Remote work demands new security solutions

    The security perimeter is finally gone

    The data is outside the datacenter.
    The users are outside the office.
    The endpoints are … anywhere and everywhere.

    Organizations that did not implement digital transformation changes following COVID-19 experience higher costs following a breach, likely because it is taking nearly two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely (IBM, 2021).

    In 2022 the cumulative risk of so many remote connections means we need to rethink how we secure the remote/hybrid workforce.

    Security
    • Distributed denial of service
    • DNS hijacking
    • Weak VPN protocols
    Identity
    • One-time verification allowing lateral movement
    Colorful tiles representing the surrounding security solutions. Network
    • Risk perimeter stops at corporate network edge
    • Split tunneling
    Authentication
    • Weak authentication
    • Weak password
    Access
    • Man-in-the-middle attack
    • Cross-site scripting
    • Session hijacking

    Recommended Actions

    Mature your identity management

    Compromised identity is the main vector to breaches in recent years. Stale accounts, contractor accounts, misalignment between HR and IT – the lack of foundational practices leads to headline-making breaches every week.
    Tighten up identity control to keep your organization out of the newspaper.

    Get a handle on your endpoints

    Work-from-home (WFH) often means unknown endpoints on unknown networks full of other unknown devices…and others in the home potentially using the workstation for non-work purposes. Gaining visibility into your endpoints can help to keep detection and resolution times short.

    Educate users

    Educate everyone on security best practices when working remotely:

    • Apply secure settings (not just defaults) to the home network.
    • Use strong passwords.
    • Identify suspicious email.
    Ease of use

    Many workers complain that the corporate technology solution makes it difficult to get their work done.

    Employees will take productivity over security if we force them to choose, so IT needs to listen to end users’ needs and provide a solution that is nimble and secure.

    Roadmap to securing remote/hybrid workforce

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    The corporate network now extends to the internet – ensure your security plan has you covered.

    Initiative Description:

    • Reassess enterprise security strategy to include the WFH attack surface (especially endpoint visibility).
    • Ensure authentication requirements for remote workers are sufficient (e.g. MFA, strong passwords, hardware tokens for high-risk users/connections).
    • Assess the value of zero trust networking to minimize the blast radius in the case of a breach.
    • Perform penetration testing annually.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.


    Reduced cost of security incidents/reputational damage

    Other Expected Business Benefits:

    Arrow pointing up.
    Improved ability to attract and retain talent
    Arrow pointing up.
    Increased business adaptability
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential disruption to traditional working patterns
    • Cost of investing in WFH versus risk of BYOD

    Related Info-Tech Research:

    Secure Digital Transformation

    Priority 03

    Digital transformation could be a competitive advantage…or the cause of your next data breach.

    Executive summary

    Background

    Digital transformation is occurring at an ever-increasing rate these days. As Microsoft CEO Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months.”

    We have heard similar stories from Info-Tech members who deployed rollouts that were scheduled to take months over a weekend instead.

    Microsoft’s own shift to rapidly expand its Teams product is a prime example of how quickly the digital landscape has changed. The global adaption to a digital world has largely been a success story, but rapid change comes with risk, and there is a parallel story of rampant cyberattacks like we have never seen before.

    Insight

    There is an adage that “slow is smooth, and smooth is fast” – the implication being that fast is sloppy. In 2022 we’ll see a pattern of organizations working to catch up their cybersecurity with the transformations we all made in 2020.

    $1.78 trillion expected in digital transformation investments (Source: World Economic Forum, 2021)

    An ounce of security prevention versus a pound of cure

    The journey of digital transformation is a risky one.

    Digital transformations often rely heavily on third-party cloud service providers, which increases exposure of corporate data.

    Further, adoption of new technology creates a new threat surface that must be assessed, mitigations implemented, and visibility established to measure performance.

    However, digital transformations are often run on slim budgets and without expert guidance.

    Survey respondents report as much: rushed deployments, increased cloud migration, and shadow IT are the top vulnerabilities reported by security leaders and executives.

    In a 2020 Ponemon survey, 82% of IT security and C-level executives reported experiencing at least one data breach directly resulting from a digital transformation they had undergone.

    Scope creep is inevitable on any large project like a digital transformation. A small security shortcut early in the project can have dire consequences when it grows to affect personal data and critical systems down the road.

    Recommended Actions

    Engage the business early and often

    Despite the risks, organizations engage in digital transformations because they also have huge business value.

    Security leaders should not be seeking to slow or stop digital transformations; rather, we should be engaging with the business early to get ahead of risks and enable successful transformation.

    Establish a vendor security program

    Data is moving out of datacenters and onto third-party environments. Without security requirements built into agreements, and clear visibility into vendor security capabilities, that data is a major source of risk.

    A robust vendor security program will create assurance early in the process and help to reinforce the responsibility of securing data with other parts of the organization.

    Build/revisit your security strategy

    The threat surface has changed since before your transformation. This is the right time to revisit or rebuild your security strategy to ensure that your control set is present throughout the new environment – and also a great opportunity to show how your current security investments are helping secure your new digital lines of business!

    Educate your key players

    Only 16% of security leaders and executives report alignment between security and business processes during digital transformation.

    If security is too low a priority, then key players in your transformation efforts are likely unaware of how security risks impact their own success. It will be incumbent upon the CISO to start that conversation.

    Securing digital transformation

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Ensure your investment in digital transformation is appropriately secured.

    Initiative Description:

    • Engage security with digital transformation and relevant governance structures (steering committees) to ensure security considerations are built into digital transformation planning.
    • Incorporate security stage gates in project management procedures.
    • Establish a vendor security assessment program.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased likelihood of digital transformation success

    Other Expected Business Benefits:

    Arrow pointing up.
    Ability to make informed decisions for the field rep strategy
    Arrow pointing down.
    Reduced long-term cost of digital transformation
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential increased up front cost (reduced long-term cost)
    • Potential slowed implementation with security stage gates in project management

    Related Info-Tech Research:

    Adopt Zero Trust

    Priority 04

    Governments are recognizing the importance of zero trust strategies. So should your organization.

    Why now for zero trust?

    John Kindervag modernized the concept of zero trust back in 2010, and in the intervening years there has been enormous interest in cybersecurity circles, yet in 2022 only 30% of organizations report even beginning to roll out zero trust capabilities (Statista, 2022).

    Why such little action on a revolutionary and compelling model?

    Zero trust is not a technology; it is a principle. Zero trust adoption takes concerted planning, effort, and expense, for which the business value has been unclear throughout most of the last 10 years. However, several recent developments are changing that:

    • Securing technology has become very hard! The size, complexity, and attack surface of IT environments has grown significantly – especially since the pandemic.
    • Cyberattacks have become rampant as the cost to deploy harmful ransomware has become lower and the impact has become higher.
    • The shift away from on-premises datacenters and offices created an opening for zero trust investment, and zero trust technology is more mature than ever before.

    The time has come for zero trust adoption to begin in earnest.

    97% will maintain or increase zero trust budget (Source: Statista, 2022)

    Traditional perimeter security is not working

    Zero trust directly addresses the most prevalent attack vectors today

    A hybrid workforce using traditional VPN creates an environment where we are exposed to all the risks in the wild (unknown devices at any location on any network), but at a stripped-down security level that still provides the trust afforded to on-premises workers using known devices.

    What’s more, threats such as ransomware are known to exploit identity and remote access vulnerabilities before moving laterally within a network – vectors that are addressed directly by zero trust identity and networking. Ninety-three percent of surveyed zero trust adopters state that the benefits have matched or exceeded their expectations (iSMG, 2022).

    Top reasons for building a zero trust program in 2022

    (Source: iSMG, 2022)

    44%

    Enforce least privilege access to critical resources

    44%

    Reduce attacker ability to move laterally

    41%

    Reduce enterprise attack surface

    The business case for zero trust is clearer than ever

    Prior obstacles to Zero Trust are disappearing

    A major obstacle to zero trust adoption has been the sheer cost, along with the lack of business case for that investment. Two factors are changing that paradigm in 2022:

    The May 2021 US White House Executive Order for federal agencies to adopt zero trust architecture finally placed zero trust on the radar of many CEOs and board members, creating the business interest and willingness to consider investing in zero trust.

    In addition, the cost of adopting zero trust is quickly being surpassed by the cost of not adopting zero trust, as cyberattacks become rampant and successful zero trust deployments create a case study to support investment.

    Bar chart titled 'Cost to remediate a Ransomware attack' with bars representing the years '2021' and '2020'. 2021's cost sits around $1.8M while 2020's was only $750K The cost to remediate a ransomware attack more than doubled from 2020 to 2021. Widespread adoption of zero trust capabilities could keep that number from doubling again in 2022. (Source: Sophos, 2021)

    The cost of a data breach is on average $1.76 million less for organizations with mature zero trust deployments.

    That is, the cost of a data breach is 35% reduced compared to organizations without zero trust controls. (Source: IBM, 2021)

    Recommended Actions

    Start small

    Don’t put all your eggs in one basket by deploying zero trust in a wide swath. Rather, start as small as possible to allow for growing pains without creating business friction (or sinking your project altogether).

    Build a sensible roadmap

    Zero trust principles can be applied in a myriad of ways, so where should you start? Between identities, devices, networking, and data, decide on a use case to do pilot testing and then refine your approach.

    Beware too-good-to-be-true products

    Zero trust is a powerful buzzword, and vendors know it.

    Be skeptical and do your due diligence to ensure your new security partners in zero trust are delivering what you need.

    Zero trust roadmap

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Develop a practical roadmap that shows the business value of security investment.

    Initiative Description:

    • Define desired business and security outcomes from zero trust adoption.
    • Assess zero trust readiness.
    • Build roadmaps for zero trust:
      1. Identity
      2. Networking
      3. Devices
      4. Data
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased security posture and business agility

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced impact of security events
    Arrow pointing down.
    Reduced cost of managing complex control set
    Arrow pointing up.
    More secure business transformation (i.e. cloud/digital)
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Learning curve of implementation (start small and slow)
    • Transition from current control set to zero trust model

    Related Info-Tech Research:

    Protect Against and Respond to Ransomware

    Priority 05

    Ransomware is still the #1 threat to the safety of your data.

    Executive summary

    Background

    • Ransomware attacks have transformed in 2021 and show no sign of slowing in 2022. There is a new major security breach every week, despite organizations spending over $150 billion in a year on cybersecurity (Nasdaq, 2021).
    • Ransomware as a service (RaaS) is commonplace, and attackers are doubling down by holding encrypted data ransom and also demanding payment under threat to disclose exfiltrated data – and they are making good on their threats.
    • The global cost of ransomware is expected to rise to $265 billion by 2031 (Cybersecurity Ventures, 2021).
    • We expect to see an increase in ransomware incidents in 2022, both in severity and volume – multiple attacks and double extortion are now the norm.
    • High staff turnover increases risk because new employees are unfamiliar with security protocols.

    150% increase ransomware attacks in 2020 (Source: ENISA)

    This is a new golden age of ransomware

    What is the same in 2022

    Unbridled ransomware attacks make it seem like attackers must be using complex new techniques, but prevalent ransomware attack vectors are actually well understood.

    Nearly all modern variants are breaching victim systems in one of three ways:

    • Email phishing
    • Software vulnerabilities
    • RDP/Remote access compromise
    What is new in 2022
    The sophistication of victim targeting

    Victims often find themselves asking, “How did the attackers know to phish the most security-oblivious person in my staff?” Bad actors have refined their social engineering and phishing to exploit high-risk individuals, meaning your chain is only as strong as the weakest link.

    Ability of malware to evade detection

    Modern ransomware is getting better at bypassing anti-malware technology, for example, through creative techniques such as those seen in the MedusaLocker variant and in Ghost Control attacks.

    Effective anti-malware is still a must-have control, but a single layer of defense is no longer enough. Any organization that hopes to avoid paying a ransom must prepare to detect, respond, and recover from an attack.

    Many leaders still don’t know what a ransomware recovery would look like

    Do you know what it would take to recover from a ransomware incident?

    …and does your executive leadership know what it would take to recover?

    The organizations that are most likely to pay a ransom are unprepared for the reality of recovering their systems.

    If you have not done a tabletop or live exercise to simulate a true recovery effort, you may be exposed to more risk than you realize.

    Are your defenses sufficiently hardened against ransomware?

    Organizations with effective security prevention are often breached by ransomware – but they are prepared to contain, detect, and eradicate the infection.

    Ask yourself whether you have identified potential points of entry for ransomware. Assume that your security controls will fail.

    How well are your security controls layered, and how difficult would it be for an attacker to move east/west within your systems?

    Recommended Actions

    Be prepared for a breach

    There is no guarantee that an organization will not fall victim to ransomware, so instead of putting all their effort into prevention, organizations should also put effort into planning to respond to a breach.

    Security awareness training/phishing detection

    Phishing continues to be the main point of entry for ransomware. Investing in phishing awareness and detection among your end users may be the most impactful countermeasure you can implement.

    Zero trust adoption

    Always verify at every step of interaction, even when access is requested by internal users. Manage access of sensitive information based on the principle of least privilege access.

    Encrypt and back up your data

    Encrypt your data so that even if there is a breach, the attackers don’t have a copy of your data. Also, keep regular backups of data at a separate location so that you still have data to work with after a breach occurs.

    You never want to pay a ransom. Being prepared to deal with an incident is your best chance to avoid paying!

    Prevent and respond to ransomware

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Determine your current readiness, response plan, and projects to close gaps.

    Initiative Description:

    • Execute a systematic assessment of your current security and ransomware recovery capabilities.
    • Perform tabletop activities and live recoveries to test data recovery capabilities.
    • Train staff to detect suspicious communications and protect their identities.
    Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Improved productivity and brand protection

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced downtime and disruption
    Arrow pointing down.
    Reduced cost due to incidents (ransom payments, remediation)
    Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Friction with existing staff

    Related Info-Tech Research:

    Deepfakes: Dark-horse threat for 2022

    Deepfake video

    How long has it been since you’ve gone a full workday without having a videoconference with someone?

    We have become inherently trustful that the face we see on the screen is real, but the technology required to falsify that video is widely available and runs on commercially available hardware, ushering in a genuinely post-truth online era.

    Criminals can use deepfakes to enhance social engineering, to spread misinformation, and to commit fraud and blackmail.

    Deepfake audio

    Many financial institutions have recently deployed voiceprint authentication. TD describes its VoicePrint as “voice recognition technology that allows us to use your voiceprint – as unique to you as your fingerprint – to validate your identity” over the phone.

    However, hackers have been defeating voice recognition for years already. There is ripe potential for voice fakes to fool both modern voice recognition technology and the accounts payable staff.

    Bibliography

    “2021 Ransomware Statistics, Data, & Trends.” PurpleSec, 2021. Web.

    Bayern, Macy. “Why 60% of IT security pros want to quit their jobs right now.” TechRepublic, 10 Oct. 2018. Web.

    Bresnahan, Ethan. “How Digital Transformation Impacts IT And Cyber Risk Programs.” CyberSaint Security, 25 Feb. 2021. Web.

    Clancy, Molly. “The True Cost of Ransomware.” Backblaze, 9 Sept. 2021.Web.

    “Cost of a Data Breach Report 2021.” IBM, 2021. Web.

    Cybersecurity Ventures. “Global Ransomware Damage Costs To Exceed $265 Billion By 2031.” Newswires, 4 June 2021. Web.

    “Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe.” Ponemon Institute, June 2020. Web.

    “Global Incident Response Threat Report: Manipulating Reality.” VMware, 2021.

    Granger, Diana. “Karmen Ransomware Variant Introduced by Russian Hacker.” Recorded Future, 18 April 2017. Web.

    “Is adopting a zero trust model a priority for your organization?” Statista, 2022. Web.

    “(ISC)2 Cybersecurity Workforce Study, 2021: A Resilient Cybersecurity Profession Charts the Path Forward.” (ISC)2, 2021. Web.

    Kobialka, Dan. “What Are the Top Zero Trust Strategies for 2022?” MSSP Alert, 10 Feb. 2022. Web.

    Kost, Edward. “What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security.” UpGuard, 1 Nov. 2021. Web.

    Lella, Ifigeneia, et al., editors. “ENISA Threat Landscape 2021.” ENISA, Oct. 2021. Web.

    Mello, John P., Jr. “700K more cybersecurity workers, but still a talent shortage.” TechBeacon, 7 Dec. 2021. Web.

    Naraine, Ryan. “Is the ‘Great Resignation’ Impacting Cybersecurity?” SecurityWeek, 11 Jan. 2022. Web.

    Oltsik, Jon. “ESG Research Report: The Life and Times of Cybersecurity Professionals 2021 Volume V.” Enterprise Security Group, 28 July 2021. Web.

    Osborne, Charlie. “Ransomware as a service: Negotiators are now in high demand.” ZDNet, 8 July 2021. Web.

    Osborne, Charlie. “Ransomware in 2022: We’re all screwed.” ZDNet, 22 Dec. 2021. Web.

    “Retaining Tech Employees in the Era of The Great Resignation.” TalentLMS, 19 Oct. 2021. Web.

    Rubin, Andrew. “Ransomware Is the Greatest Business Threat in 2022.” Nasdaq, 7 Dec. 2021. Web.

    Samartsev, Dmitry, and Daniel Dobrygowski. “5 ways Digital Transformation Officers can make cybersecurity a top priority.“ World Economic Forum, 15 Sept. 2021. Web.

    Seymour, John, and Azeem Aqil. “Your Voice is My Passport.” Presented at black hat USA 2018.

    Solomon, Howard. “Ransomware attacks will be more targeted in 2022: Trend Micro.” IT World Canada, 6 Jan. 2022. Web.

    “The State of Ransomware 2021.” Sophos, April 2021. Web.

    Tarun, Renee. “How The Great Resignation Could Benefit Cybersecurity.” Forbes Technology Council, Forbes, 21 Dec. 2021. Web.

    “TD VoicePrint.” TD Bank, n.d. Web.

    “Working from home during the COVID-19 pandemic, April 202 to June 2021.” Statistics Canada, 4 Aug. 2021. Web.

    “Zero Trust Strategies for 2022.” iSMG, Palo Alto Networks, and Optiv, 28 Jan. 2022. Web.

    Agile Enterprise Architecture Operating Model

    • Buy Link or Shortcode: {j2store}581|cart{/j2store}
    • member rating overall impact (scale of 10): 9.6/10 Overall Impact
    • member rating average dollars saved: $31,106 Average $ Saved
    • member rating average days saved: 33 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model

    Establish an enterprise architecture practice that:

    • Leverages an operating model that promotes/supports agility within the organization.
    • Embraces business, data, application, and technology architectures in an optimal mix.
    • Is Agile in itself and will be sustainable and reactive to business needs, staying relevant and “profitable” – continuously delivering business value.

    Our Advice

    Critical Insight

    • Use your business and EA strategy and design principles to right-size standardized operating models to fit your EA organization’s needs.
    • You need to define a sound set of design principles before commencing with the design of your EA organization.
    • The EA operating model structure should be rigid but pliable enough to fit the needs of the stakeholders it provides services to.
    • A phased approach and a good communication strategy is key to the success of the new EA organization.
    • Start with one group and work out the hurdles before rolling it out organization-wide.
    • Make sure that you communicate regularly on wins but also on hurdles and how to overcome them.

    Impact and Result

    • The organization design approach proposed will aim to provide twofold agility: the ability to stretch and shrink depending on business requirements and the promotion of agility in architecture delivery.
    • By recognizing that agility comes in different flavors, organizations using more traditional design patterns will also benefit from the approach advocated by this blueprint.

    Agile Enterprise Architecture Operating Model Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out create an Agile EA operating model to execute the EA function, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Design your EA operating model

    You need to define a sound set of design principles before commencing with the design of your EA organization.

    • Agile EA Operating Model Communication Deck
    • Agile EA Operating Model Workbook
    • Business Architect
    • Application Architect
    • Data Architect
    • Enterprise Architect

    2. Define your EA organizational structure

    The EA operating model structure should be rigid but pliable enough to fit the needs of the stakeholders it provide services to.

    • EA Views Taxonomy
    • EA Operating Model Template
    • Architecture Board Charter Template
    • EA Policy Template
    • EA Compliance Waiver Form Template

    3. Implement the EA operating model

    A phased approach and a good communications strategy are key to the success of the new EA organization.

    • EA Roadmap
    • EA Communication Plan Template
    [infographic]

    Workshop: Agile Enterprise Architecture Operating Model

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 EA Function Design

    The Purpose

    Identify how EA looks within the organization and ensure all the necessary skills are accounted for within the function.

    Key Benefits Achieved

    EA is designed to be the most appropriately placed and structured for the organization.

    Activities

    1.1 Place the EA department.

    1.2 Define roles for each team member.

    1.3 Find internal and external talent.

    1.4 Create job descriptions with required proficiencies.

    Outputs

    EA organization design

    Role-based skills and competencies

    Talent acquisition strategy

    Job descriptions

    2 EA Engagement Model

    The Purpose

    Create a thorough engagement model to interact with stakeholders.

    Key Benefits Achieved

    An understanding of each process within the engagement model.

    Create stakeholder interaction cards to plan your conversations.

    Activities

    2.1 Define each engagement process for your organization.

    2.2 Document stakeholder interactions.

    Outputs

    EA Operating Model Template

    EA Stakeholder Engagement Model Template

    3 EA Governance

    The Purpose

    Develop EA boards, alongside a charter and policies to effectively govern the function.

    Key Benefits Achieved

    Governance that aids the EA function instead of being a bureaucratic obstacle.

    Adherence to governace.

    Activities

    3.1 Outline the architecture review process.

    3.2 Position the architecture review board.

    3.3 Create a committee charter.

    3.4 Make effective governance policy.

    Outputs

    Architecture Board Charter Template

    EA Policy Template

    4 Architecture Development Framework

    The Purpose

    Create an operating model that is influenced by universal standards including TOGAF, Zachmans, and DoDAF.

    Key Benefits Achieved

    A thoroughly articulated development framework.

    Understanding of the views that influence each domain.

    Activities

    4.1 Tailor an architecture development framework to your organizational context.

    Outputs

    EA Operating Model Template

    Enterprise Architecture Views Taxonomy

    5 Operational Plan

    The Purpose

    Create a change management and communication plan or roadmap to execute the operating model.

    Key Benefits Achieved

    Build a plan that takes change management and communication into consideration to achieve the wanted benefits of an EA program.

    Effectively execute the roadmap.

    Activities

    5.1 Create a sponsorship action plan.

    5.2 Outline a communication plan.

    5.3 Execute a communication roadmap.

    Outputs

    Sponsorship Action Plan

    EA Communication Plan Template

    EA Roadmap

    Avoid Project Management Pitfalls

    • Buy Link or Shortcode: {j2store}374|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Program & Project Management
    • Parent Category Link: /program-and-project-management
    • IT organizations seem to do everything in projects, yet fewer than 15% successfully complete all deliverables on time and on budget.
    • Project managers seem to succumb to the relentless pressure from stakeholders to deliver more, more quickly, with fewer resources, and with less support than is ideal.
    • To achieve greater likelihood that your project will stay on track, watch out for the four big pitfalls: scope creep, failure to obtain stakeholder commitment, inability to assemble a team, and failure to plan.

    Our Advice

    Critical Insight

    • While many project managers worry about proper planning as the key to project success, skilled management of the political factors around a project has a much greater impact on success.
    • Alone, combating scope creep can improve your likelihood of success by a factor of 2x.
    • A strong project sponsor will be key to fighting the inevitable battles to control scope and obtain resources.

    Impact and Result

    • Take steps to avoid falling into common project pitfalls.
    • Assess which pitfalls threaten your project in its current state and take appropriate steps to avoid falling into them.
    • Avoiding pitfalls will allow you to deliver value on time and on budget, creating the perception of success in users’ and managers’ eyes.

    Avoid Project Management Pitfalls Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn about common PM pitfalls and the strategies to avoid them

    Consistently meet project goals through enhanced PM knowledge and awareness.

    • Storyboard: Avoid Project Management Pitfalls
    • None

    2. Detect project pitfalls

    Take action and mitigate a pitfall before it becomes a problem.

    • Project Pitfall Detection & Mitigation Tool

    3. Document and report PM issues

    Learn from issues encountered to help map PM strategies for future projects.

    • Project Management Pitfalls Issue Log
    [infographic]

    Streamline Application Management

    • Buy Link or Shortcode: {j2store}403|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $64,272 Average $ Saved
    • member rating average days saved: 40 Average Days Saved
    • Parent Category Name: Maintenance
    • Parent Category Link: /maintenance
    • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
    • Many organizations lack the critical management capabilities to balance maintenance with new development and ensure high product value.
    • Application management is often viewed as a support function rather than an enabler of business growth. Focus and investments are only placed on management when it becomes a problem.
    • The lack of governance and practice accountability leaves application management in a chaotic state: politics take over, resources are not strategically allocated, and customers are frustrated.

    Our Advice

    Critical Insight

    • New features, fixes, and enhancements are all treated the same and managed in a single backlog. Teams need to focus on prioritizing their efforts on what is valuable to the organization, not to a single department.
    • Business integration is not optional. The business (i.e. product owners) must be represented in guiding delivery efforts and performing ongoing validation and verification of new features and changes.

    Impact and Result

    • Justify the necessity to optimize application management. Gain a grounded understanding of stakeholder objectives and validate their achievability against the current maturity of application management.
    • Strengthen backlog management practices. Obtain a holistic picture of the business and technical impacts, risks, value, complexity, and urgency of each backlog item in order to justify its priority and relevance. Apply the appropriate management approach to each software product according to its criticality and value to the business.
    • Establish and govern a repeatable process. Develop a management process with well-defined steps, quality controls, and roles and responsibilities, and instill good practices to improve the success of delivery.

    Streamline Application Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should sustain your application management practice, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define your priorities

    State the success criteria of your application management practice through defined objectives and metrics. Assess your maturity.

    • Streamline Application Management – Phase 1: Define Your Priorities
    • Application Management Strategy Template
    • Application Management Maturity Assessment Tool

    2. Govern application management

    Structure your application management governance model with the right process and roles. Inject product ownership into your practice.

    • Streamline Application Management – Phase 2: Govern Application Management

    3. Build your optimization roadmap

    Build your application management optimization roadmap to achieve your target state.

    • Streamline Application Management – Phase 3: Build Your Optimization Roadmap
    [infographic]

    Workshop: Streamline Application Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Priorities

    The Purpose

    State the success criteria of your application management practice through defined objectives and metrics.

    Assess your maturity.

    Key Benefits Achieved

    Grounded stakeholder expectations

    Application management maturity and identification of optimization opportunities

    Activities

    1.1 Set your objectives.

    1.2 Assess your maturity.

    Outputs

    Application management objectives and metrics

    Application management maturity and optimization opportunities

    2 Govern Application Management

    The Purpose

    Structure your application management governance model with the right process and roles.

    Inject product ownership into your practice.

    Key Benefits Achieved

    Management approach aligned to product value and criticality

    Management techniques to govern the product backlog

    Target-state application management process and roles

    Activities

    2.1 Select your management approach.

    2.2 Manage your single product backlog.

    2.3 Optimize your management process.

    2.4 Define your management roles.

    Outputs

    Application management approach for each application

    Product backlog management practices

    Application management process

    Application management roles and responsibilities and communication flow

    3 Build Your Optimization Roadmap

    The Purpose

    Build your application management optimization roadmap to achieve your target state.

    Key Benefits Achieved

    Optimization opportunities

    Application management optimization roadmap

    Activities

    3.1 Build your optimization roadmap.

    Outputs

    Application management optimization roadmap

    Equip Managers to Effectively Manage Virtual Teams

    • Buy Link or Shortcode: {j2store}600|cart{/j2store}
    • member rating overall impact (scale of 10): 9.7/10 Overall Impact
    • member rating average dollars saved: $20,240 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Virtual team members must rely upon collaboration technology to communicate and collaborate.
    • Management practices and approaches that work face to face do not always translate effectively in virtual contexts.
    • Managers cannot rely upon spontaneous social interactions that happen organically when people are colocated to build meaningful and trusting relationships. Space and time need to be created in a virtual environment for this to happen.
    • Observing an employee’s performance or development can be more difficult, and relying on others’ feedback becomes more critical for managing performance and development.

    Our Advice

    Critical Insight

    • Managing virtual teams does not require developing new manager competencies. Instead, managers need to “dial up” competencies they already have and adjust their approaches.
    • Setting clear expectations with virtual teams creates the foundation needed to manage them effectively.
    • Virtual employees crave more meaningful interactions about performance and development with their managers.

    Impact and Result

    • Create a solid foundation for managing virtual teams by setting clear expectations and taking a more planful approach to managing performance and employee development.
    • Dial up key management competencies that you already have. Managers do not need to develop new competencies; they just need to adjust and refocus their approaches.

    Equip Managers to Effectively Manage Virtual Teams Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Equip managers to effectively manage virtual teams

    Equip managers to become more effective with managing remote teams.

    The workbook serves as a reference guide participants will use to support formal training.

    • Training Deck: Equip Managers to Effectively Manage Virtual Teams
    • Workbook: Equip Managers to Effectively Manage Virtual Teams
    • Standard Participant Training Session Evaluation Template

    2. Additional Resources

    Many organizations are developing plans to allow employees more flexible work options, including remote work. Use these resources to help managers and employees make the most of remote work arrangements.

    • Work-From-Home Tips for Managers
    • Work-From-Home Tips for Employees
    • Health & Safety at Home Infographic
    • Wellness and Working From Home
    • Ergonomic Workspaces Infographic
    [infographic]

    Further reading

    Equip Managers to Effectively Manage Virtual Teams

    Learning objectives

    Describe the benefits of virtual teams.

    Create a plan for adopting effective management practices and setting clear expectations with virtual teams.

    Identify potential solutions to the challenges of managing performance and developing members of virtual teams.

    Create an action plan to increase effectiveness in managing virtual teams.

    Target audience

    People managers who manage or plan to manage virtual teams.

    Training length

    Two three-hour sessions

    Training material

    • Use the speaker’s notes in the notes pane section of each slide to plan and practice the training session.
    • Activity slides are scattered throughout this training deck and are clearly numbered in the slide title.
    • Notes in italics are written to the facilitator and are not meant to be read aloud.
    • Download the Workbook for participants to use.

    Suggested materials for activities:

    • Index cards or sticky notes
    • Markers
    • Whiteboard/large table space/flip chart

    Agenda & activities

    Section 1

    Section 2

    10 min

    Welcome: Overview & Introductions

    • Introductions
    10 min

    Welcome: Overview & Introductions

    • Session 1 Review
    • Session 2 Overview
    50 min

    1.1 Introduction to virtual teams

    • What kind of virtual team do you lead?
    • Virtual team benefits and challenges
    55 min

    2.1 Managing wellbeing in a virtual team context

    • Share current practices and challenges regarding wellbeing in virtual teams
    • Identify and discuss proposed solutions
    • Develop draft action plan for managing wellbeing in a virtual team context
    5 min

    Break

    5 min Break
    45 min

    1.2 Laying the foundation for a virtual team

    • Identify behaviors to better inform, interact with, and involve team members
    60 min

    2.2 Managing performance in a virtual team context

    • Share current performance management practices for virtual teams
    • Identify challenges of current practices and propose solutions
    • Develop draft action plan for managing performance in a virtual team context
    10 min

    Break

    10 min Break
    55 min

    1.2 Laying the foundation for a virtual team

    • Identify and share ways you prefer to communicate for different activities
    • Develop draft action plan for laying the foundation for a virtual team
    40 min

    Action planning & conclusion

    • Refine consolidated action plan (three parts) and commit to implementing it
    • Key takeaways
    5 min

    Session 1 Wrap-Up

    Recommended Customization

    Review all slides and adjust the language or content as needed to suit your organizational context and culture.

    The pencil icon to the left denotes slides requiring customization of the slide and/or the speaker’s notes, e.g. adding in an organization-specific process.

    Customization instructions are found in the notes pane.

    Tips

    • Adjust the speaker’s notes on the slides before (or after) any slides you modify or delete to ensure logical transitions between slides.
    • Update the agenda to reflect new timings if major modifications are made.
    • Even seasoned leaders need to be reminded of the basics now and again. Rather than delete more basic slides, cut back on the amount of time spent covering them and frame the content as a refresher.
    • Participant Workbooks
    • Relevant organization-specific documents (see side panel)
    • Training Session Feedback Form

    Required Information

    • Communication guidelines for managers (e.g. cadence of manager interactions)
    • Performance management process and guidelines
    • Employee development guidelines
    • List of available resources (e.g. social collaboration tools)

    Effectively Manage Virtual Teams

    Section 1.1

    Practical foundations for managing teams in a remote environment

    Feasibility of virtual IT teams

    Most organizations are planning some combination of remote and onsite work in 2022.

    This is an image of a bar graph demonstrating the percentage of companies who have the following plans for return to work: Full work-from-home (All employees WFH permanently) - 4% ; No work-from-home permitted	9% ; Partial work-from-home team (Eligible employees can WFH for a certain portion of their work week)	23% ; Balanced work-from-home team (All employees can WFH for a certain portion of their work week)	28% ; Hybrid work-from-home team (Eligible employees WFH on a full-time basis)	37%

    Source: IT Talent Trends, 2022; n=199

    Speaker’s Notes:

    Most organizations are planning some combination of remote and onsite work in 2022 – the highest reported plans for WFH were hybrid, balanced, and partial work-from-home. This builds on our findings in the IT Talent Trends 2022 report.

    Feasibility of virtual IT teams

    What percentage of roles in IT are capable of being performed remotely permanently?

    Approximately what percentage of roles in IT are capable of being performed remotely permanently?

    0% to less than 10%: 3%; 10% to less than 25%: 5%; 25% to less than 50%: 12%; 50% to less than 75%: 30%; 75% to 100%L 50%.

    IT Talent Trends, 2022; n=207

    Speaker’s Notes:

    80% of respondents estimated that 50 to 100% of IT roles can be performed remotely.

    Virtual teams take all kinds of forms

    A virtual team is any team that has members that are not colocated and relies on technology for communications.

    This image depicts the three levels of virtual teams, Municipal; National; Global.

    Speaker’s Notes:

    Before we start, it will be useful to review what we mean by the term “virtual team.” For our purposes we will be defining a virtual team as any team that has members that are not colocated and relies on technology for communications.

    There are a wide variety of virtual work arrangements and a variety of terms used to describe them. For example, some common terms include:

    • “Flexible work arrangements”: Employees have the option to work where they see fit (within certain constraints). They may choose to work from the office, home, a shared office space, the road, etc.
    • “Remote work,” “work from home,” and “telecommuting”: These are just various ways of describing how or where people are working virtually. They all share the idea that these kinds of employees are not colocated.
    • “Multi-office team”: the team members all work in office environments, but they may not always be in the same office as their team members or manager.

    Our definition of virtual work covers all of these terms. It is also distance neutral, meaning that it applies equally to teams that are dispersed globally or regionally or even those working in the same cities but dispersed throughout different buildings. Our definition also applies whether virtual employees work full time or part time.

    The challenges facing managers arise as soon as some team members are not colocated and have to rely on technology to communicate and coordinate work. Greater distances between employees can complicate challenges (e.g. time zone coordination), but the core challenges of managing virtual teams are the same whether those workers are merely located in different buildings in the same city or in different buildings on different continents.

    1.1 What kind of virtual team do you lead?

    15 Minutes

    Working on your own, take five minutes to figure out what kind of virtual team you lead.

    1. How many people on your team work virtually (all, most, or a small percentage)?
    2. How often and how regularly do they tend to work virtually (full time, part time regularly, or part time as needed)?
    3. What kinds of virtual work arrangements are there on your team (multi-site, work from home, mobile employees)?
    4. Where do your workers tend to be physically located (different offices but in the same city/region or globally dispersed)?
    5. Record this information in your workbook.
    6. Discuss as a group.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Size of virtual team
    • Current remote work practices

    Output

    • Documented list of current state of remote work

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Advantages

    Benefits to the organization

    Benefits to employees

    Operational continuity in disaster situations that prevent employees from coming into the office.

    Cost savings: Employees who WFH half the time can save $2,500 to $4,000 per year (Global Workplace Analytics, 2021).

    Cost savings: Organizations save ~$11,000 annually per employee working from home half the time (Global Workplace Analytics, 2021).

    Time savings: Employees who WFH half the time save on average 11 workdays per year (Global Workplace Analytics, 2021).

    Increased attraction: 71% of employees would likely choose one employer over another based on WFH offerings (Owl Labs, 2021).

    Improved wellbeing:

    83% employees agree that WFH would make them happier.

    80% agree that WFH would decrease their stress.

    81% agree that WFH would improve their ability to manage their work-life balance.

    (Owl Labs, 2021)

    Increased retention: 74% of employees would be less likely to leave their employer if they could WFH (Owl Labs, 2021).

    Increased flexibility: 32% of employees rated the “ability to have a flexible schedule” as the biggest benefit of WFH (OWL Labs, 2021).

    Increased productivity: 50% of employees report they would maintain or increase their productivity while working from home (Glassdoor Team, 2020).

    Increased engagement: Offsite employees tend to have higher overall engagement than onsite employees (McLean & Company Engagement Survey, 2020).

    Speaker’s Notes:

    Remote work arrangements are becoming more and more common, and for good reason: there are a lot of benefits to the organization – and to employees.

    #1: Save Money

    Perhaps one of the most common reasons for opting for remote-work arrangements is the potential cost savings. One study found that organizations could save about $11,000 per employee working from home half the time (Global Workplace Analytics, 2021).

    #2 Increased Attraction

    In addition, supporting remote-work arrangements can attract employees. One study found that 71% of employees would likely choose one employer over another based on WFH offerings (Owl Labs, 2019).

    #3 Improve productivity.

    There are also improvements to productivity. Fifty percent of employees report they would maintain or increase their productivity while working from home (Glassdoor Team, 2020).

    Remote work also has benefits to employees.

    #1: Save Money

    As with organizations, employees also benefit financially from remote work arrangements, saving between $2,500 and $4,000 and on average 11 working days while working from home half of the time.

    #2: Improved Wellbeing

    Most employees agree that working from home makes them happier, reduces stress, and provides an improved work-life balance through increased flexibility.

    Challenges

    Organizations

    • Concerns that WFH may stifle innovation (Scientific American, 2021), likely due to the potential lack of collaboration and knowledge sharing.
    • Fewer organic opportunities for informal interaction between employees working from home means active efforts are required to foster organizational culture.

    Leaders

    • 42% of managers believe that monitoring the productivity of their direct reports is a top challenge of WFH (Ultimate Software, 2019).
    • The lack of in-person supervision compounded with a lack of trust in employees leads many leaders to believe that WFH will result in a drop in productivity.

    Employees

    • 20% of employees report collaboration/communication as their top struggle with WFH (Owl Labs, 2021).
    • Employees often experience burnout from working longer hours due to the lack of commute, blurring of work and home life, and the perceived need to prove their productivity.

    Many of these barriers can be addressed by changing traditional mindsets and finding alternative ways of working, but the traditional approach to work is so entrenched that it has been hard to make the shift.

    Speaker’s Notes:

    Many organizations are still grappling with the challenges of remote work. Some are just perceived challenges, while others are quite real.

    Limited innovation and a lack of informal interaction are a potential consequence of failing to properly adapt to the remote-work environment.

    Leaders also face challenges with remote work. Losing in-person supervision has led to the lack of trust and a perceived drop in productivity.

    A study conducted 2021 asked remote workers to identify their biggest struggle with working remotely. The top three struggles remote workers report facing are unplugging after work, loneliness, and collaborating and/or communicating.

    Seeing the struggles remote workers identify is a good reminder that these employees have a unique set of challenges. They need their managers to help them set boundaries around their work; create feelings of connectedness to the organization, culture, and team; and be expert communicators.

    1.2 Virtual teams: benefits and challenges

    20 Minutes

    1. Discuss and list:
      1. Any positives you’ve experienced since managing virtual employees.
      2. Any challenges you’ve had to manage connected to managing virtual employees.
    2. Record information in the workbook.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Personal experiences managing remote teams

    Output

    • List of benefits and challenges of remote work

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Section 1.2

    Laying the foundations for a virtual team

    The 3i’s: Inform, interact, and involve your way to effective management:

    Inform

    Interact Involve

    ↓ Down

    Connect

    ↑ Up

    Tell employees the whys

    Get to know employees

    Solicit input from employees

    Speaker’s Notes:

    Effectively managing a virtual team really comes down to adopting management approaches that will engage virtual employees.

    Managing a virtual team does not actually require a new management style. The basics of effective management are the same in both colocated and virtual teams; however, the emphasis on certain behaviors and actions we take often differs. Managing a virtual team requires much more thoughtfulness and planning in our everyday interactions with our teams as we cannot rely on the relative ease of face-to-face interactions available to colocated teams.

    The 3i’s Engaging Management Model is useful when interacting with all employees and provides a handy framework for more planful interactions with virtual employees.

    Think of your management responsibilities in these three buckets – they are the most important components of being an effective manager. We’re first going to look at inform and involve before moving on to interact.

    Inform: Relay information down from senior management and leaders to employees. Communicate the rationale behind decisions and priorities, and always explain how they will directly affect employees.

    Why is this important? According to McLean & Company’s Engagement Survey data, employees who say their managers keep them well informed about decisions that affect them are 3.4 times more likely to be engaged (Source: McLean & Company, 2020; N=77,363). Your first reaction to this might be “I already do this,” which may very well be the case. Keep in mind, though, we sometimes tend to communicate on a “need-to-know basis,” especially when we are stressed or short on time. Engaging employees takes more. Always focus on explaining the “why?” or the rationale behind business decisions.

    It might seem like this domain should be the least affected, since important company announcements probably continue in a remote environment. But remember that information like that also flows informally. And even in formal settings, there are question-and-answer opportunities. Or maybe your employee might come to your office to ask for more details. Virtual team members can’t gather around the watercooler. They don’t have the same opportunities to hear information in passing as people who are colocated do, so managers need to make a concerted effort to share information with virtual team members in a clear and timely way.

    Swinging over to the other end, we have involve: Involve your employees. Solicit information and feedback from employees and collaborate with them.

    However, it’s not enough to just solicit their feedback and input; you also need to act on it.

    Make sure you involve your employees in a meaningful way. Such collaboration makes employees feel like a valued part of the team. Not to mention that they often have information and perspectives that can help make your decisions stronger!

    Employees who say their department leaders act on feedback from them are 3.9 times more likely to be engaged than those whose leaders don’t. (Source: McLean & Company, 2020; N=59,779). That is a huge difference!

    Keeping virtual employees engaged and feeling connected and committed to the organization requires planful and regular application of the 3i’s model.

    Finally, Interact: Connect with employees on a personal level; get to know them and understand who they are on a personal and professional level.

    Why? Well, over and above the fact that it can be rewarding for you to build stronger relationships with your team, our data shows that human connection makes a significant difference with employees. Employees who believe their managers care about them as a person are 3.8 times more likely to be engaged than those who do not (Source: McLean & Company, 2017; N=70,927).

    And you might find that in a remote environment, this is the area that suffers the most, since a lot of these interactions tend to be unscripted, unscheduled, and face to face.

    Typically, if we weren’t in the midst of a pandemic, we’d emphasize the importance of allocating some budget to travel and get some face-to-face time with your staff. Meeting and interacting with team members face to face is crucial to building trusting relationships, and ultimately, an effective team, so given the context of our current circumstances, we recommend the use of video when interacting with your employees who are remote.

    Relay information down from senior management to employees.

    Ensure they’ve seen and understand any organization-wide communication.

    Share any updates in a timely manner.

    Connect with employees on a personal level.
    Ask how they’re doing with the new work arrangement.
    Express empathy for challenges (sick family member, COVID-19 diagnosis, etc.).
    Ask how you can support them.
    Schedule informal virtual coffee breaks a couple of times a week and talk about non-work topics.

    Get information from employees and collaborate with them.
    Invite their input (e.g. have a “winning remotely” brainstorming session).
    Escalate any challenges you can’t address to your VP.
    Give them as much autonomy over their work as possible – don’t micromanage.

    1.3 Identify behaviors to inform, interact with, and involve team members

    20 Minutes

    Individually:

    1. Identify one behavior for each of Inform, Interact, and Involve to improve.
    2. Record information in the workbook.

    As a group:

    1. Discuss behaviors to improve for each of Inform, Interact, and Involve and record new ideas to incorporate into your leadership practice.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • 3i's Model
    • Current leadership behaviors to improve

    Output

    • List of behaviors to better inform, interact, and involve team members

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Laying the foundation: Set clear expectations

    Tasks

    • What are the daily and weekly team activities? How do they affect one another?

    Goals

    • Clarify any adjustments to strategy based on the situation; clarify metrics.

    Communication

    • How often and when will you check in? What should they come to you for? What modalities will you use and when?

    Roadblocks

    • Involve your team in deciding how to handle roadblocks and challenges.

    Speaker’s Notes:

    Clear expectations are important in any environment, remote or not. But it is much harder to do in a remote environment. The barrier to seeking clarification is so much higher (For example, email vs. catching someone in hallway, or you can’t notice that a colleague is struggling without them asking).

    Communication – This is one area where the importance actually changes in a remote context. We’ve been talking about a lot of practices that are the same in importance whether you’re in an office or remote, and maybe you just enact them differently. But clarity around communication processes is actually tremendously more important in a remote environment.

    Adopt a five-step process to set specific and documented expectations

    1. Check in with how your team member is doing on a daily basis. Don’t forget to ask how they are doing personally.
    2. Follow up on previously set expectations. Ask how things are going. Discuss if priorities or expectations have changed and update expectations accordingly.
    3. Ask if they are experiencing any roadblocks and collaborate to find solutions.
    4. Provide feedback and recognition as appropriate.
    5. Document newly set expectations – either through a collaboration tool or through email.

    Speaker’s Notes:

    Suggested best practices: Hold daily team check-ins and hold separate individual check-ins. Increase frequency of these.

    During Check-in
    1. Set up a running Teams chat for your team.
    • This is your community. You must be the biggest cheerleader and keep the team feeling like they are contributing. Make sure everyone is involved.
  • Start each workday with a video scrum to discuss what’s coming today for your team.
    • Ask: What are you planning to work on today? Are there any roadblocks I can help with? Technology working OK?
  • Right after your team meeting, set up an “every morning video call” one-on-one meeting with each team member (5-10 minutes max).
    • Ask: What are you working on today? What will your momentum metrics be? What do you need from me?
  • Set up a separate video call at the end of the afternoon to review what everyone did (5 minutes max).
    • Ask: What went well? What went poorly? How can we improve?
  • After a Check-in
    1. Be accessible:
      • Ensure your team knows the best way to get in touch with you.
      • Email is not ideal for informal, frequent contact – use messaging instead.
    2. Be available:
      • Keep a running conversation going in Teams.
      • Respond in a timely manner; address issues quickly so that your team has what they need to succeed.
      • Let your team know if you’ll be away/offline for longer than an hour during the workday and ask them to do the same (e.g. for an appointment).
      • Help address roadblocks, answer questions, clarify priorities, etc.

    Define communication requirements

    • Set up an ongoing communication with your team.
      • E.g. a running conversation on Slack or Teams
    • Schedule daily virtual meetings and check-ins.
      • This can help to maintain a sense of normalcy and conduct a pulse check on your team.
    • Use video for important conversations.
      • Video chat creates better rapport, shows body language, and lessens feelings of isolation, but it can be taxing.
    • Set expectations about communication.
      • Differentiate between day-to-day communication and updates on the state of events.
    • Clearly communicate the collaboration toolkit.
      • What do we have available? What is the purpose of each?

    Speaker’s Notes:

    With organizational expectations set, we need to establish team expectations around how we collaborate and communicate.

    Today there is no lack of technology available to support our virtual communication. We can use the phone, conference calls, videoconferencing, Skype, instant messaging, [insert organization-specific technological tools.], etc.

    However, it is important to have a common understanding of which tools are most appropriate when and for what.

    What are some of the communication channel techniques you’ve found useful in your informal interactions with employees or that you’ve seen work well between employees?

    [Have participants share any technological tools they find useful and why.]

    Check in with your team on communication requirements

    • Should we share our calendars, hours of availability, and/or IM status?
    • How often should we meet as a team and one on one? Should we institute a time when we should not communicate virtually?
    • Which communication channel should we use in what context? How should we decide which communication method to use?
    • Should I share guidelines for email and meeting etiquette (or any other communication methods)?
    • Should we establish a new team charter?
    • What feedback does the team have regarding how we’ve been communicating?

    Speaker’s Notes:

    Whenever we interact, we make the following kinds of social exchanges. We exchange:

    • Information: Data or opinions
    • Emotions: Feelings and evaluations about the data or opinions
    • Motivations: What we feel like doing in response to data or opinions

    We need to make sure that these exchanges are happening as each team member intends. To do this, we have to be sensitive to what information is being conveyed, what emotions are involved in the interaction, and how we are motivating each other to act through the interaction. Every interaction will have intended and unintended effects on others. No one can pay attention to all of these aspects of communication all the time, but if we develop habits that are conducive to successful exchanges in all three areas, we can become more effective.

    In addition to being mindful of the exchange in our communication, as managers it is critical to build trusting relationships and rapport with employees as we saw in the 3i's model. However, in virtual teams we cannot rely on running into someone in the kitchen or hallway to have an informal conversation. We need to be thoughtful and deliberate in our interactions with employees. We need to find alternative ways to build these relationships with and between employees that are both easy and accepted by ourselves and employees. Because of that, it is important to set communication norms and really understand each other’s preferences. For example:

    • Timing of responses. Set the expectation that emails should be responded to within X hours/days unless otherwise noted in the actual email.
    • When it’s appropriate to send an email vs. using instant messaging.
    • A team charter – the team’s objectives, individual roles and responsibilities, and communication and collaboration guidelines.

    1.4 Identify and share ways you prefer to communicate for different activities

    20 Minutes

    1. Brainstorm and list the different types of exchanges you have with your virtual employees and they have with each other.
    2. List the various communication tools in use on your team.
    3. Assign a preferred communication method for each type of exchange

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current types of exchanges on team
    • Communication methods used

    Output

    • Defined ways to communicate for each communication method

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Section 2.1
    Balancing wellbeing and performance in a virtual team context

    The pandemic has taken a significant toll on employees’ mental wellbeing

    44% of employees reported declined mental wellbeing since the start of the pandemic.

    • 44% of those who work from home.
    • 34% of those who have other work arrangements (i.e. onsite).
      (Qualtrics, 2020)

    "If one of our colleagues were to fall, break their leg, and get a cast, colleagues would probably rally around that person signing their cast. But, really, we don’t view the health of our brain the same as we do the health of our body."
    – Centre for Addiction and Mental Health (CAMH) Employee

    Speaker’s Notes:

    Despite being over two years into the pandemic, we are still seeing its effect on the physical and mental health of employees.

    The mental health aspect has been often overlooked by organizations, but in order to have a safe, happy, and productive team, you need to give mental health the same level of focus as physical heath. This requires a change in mindset in order for you as a leader to support your team's mental wellbeing during the pandemic and beyond.

    Employees are reporting several key mental wellbeing challenges

    Stress: 67%

    Employees report increasingly high levels of stress from the onset of COVID-19, stating that it has been the most stressful time in their careers.
    (Qualtrics, 2020)

    Anxiety: 57%

    Similarly, employees’ anxiety levels have peaked because of the pandemic and the uncertainty it brings.
    (Qualtrics, 2020)

    Four main themes surrounding stress & anxiety

    • Fear of contracting COVID-19
    • Financial pressures
    • Job security and uncertainty
    • Loneliness caused by social isolation

    Speaker’s Notes:

    The stress and uncertainty about the future caused by the pandemic and its fallout are posing the biggest challenges to employees.

    Organizations shutting down operations, moving to fully remote, or requiring some of their employees to be on site based on the current situation causes a lot of anxiety as employees are not able to plan for what is coming next.

    Adding in the loss of social networks and in-person interactions exacerbates the problem employees are facing. As leaders, it is your job to understand and mitigate these challenges wherever possible.

    Re-examine your workplace barriers to mental wellbeing

    New Barriers

    Old Barriers

    • Childcare/eldercare responsibilities
    • Fear of workplace health risks
    • Work location
    • Lost support networks
    • Changed work schedules
    • Social distancing
    • Workload
    • Fear of stigma
    • Benefits limits
    • Limits to paid time off
    • Lack of manager knowledge

    Key considerations:

    • Work Environment
      • Accessibility of mental wellbeing programs and initiatives
    • Organizational Culture
      • Modeling of wellbeing
      • Paid time off
      • Discussions around mental wellbeing
    • Total Rewards
      • Benefits coverage
      • Employee assistance programs (EAPs)
      • Manager knowledge

    Speaker’s Notes:

    Organizational barriers to mental wellbeing are sadly not new. Workloads, stigma around mental health, lack of sick days, and limits to benefits for mental health supports were challenges before the pandemic. Adding in the new barriers can very easily result in a tipping point for many employees who are simply not equipped to deal with or supported in dealing with the added burden of remote work in a post-pandemic world.

    To provide the needed support to your employees, it’s important to be mindful of the key considerations.

    Holistic employee wellbeing has never been more critical than it is right now

    Employee Wellbeing

    Physical

    The physical body; ensuring a person has the freedom, opportunities, and resources needed to sustainably maintain bodily health.

    Mental

    The psychological ability to cope with information, emotions, desires, and stressors (e.g. change, threats, etc.) in a healthy and balanced way. Essential for day-to-day living and functioning.

    Social

    The state of personal and professional relationships, including personal and community engagement. The capability for genuine, authentic, and mutually affirming interactions with others.

    Financial

    The state of a person’s finances; ensuring that a person feels capable to handle their financial situation and behaviors. The ability to live productively without the weight of financial stress.

    Speaker’s Notes:

    As a manager, you need to be mindful of all of these. Create an atmosphere where people are able to come to you for help if they are struggling in one of these areas. For example, some people might be more comfortable raising physical safety or comfort concerns (personal protective equipment, ergonomics) than concerns about mental health. Or they might feel like their feelings of loneliness are not appropriate to bring into their professional life.

    Wellbeing is a delicate subject, and most of the time, people are reluctant to talk about it. It requires vulnerability. And here’s the thing about it: Your staff will not drive a change in your team around making these topics more acceptable. It has to be the manager. You have to be the one to not just tell but show them that it’s OK to talk about this

    Encourage human-centered workplace behaviors

    Promote empathy as a focus value

    • Listen and show compassion.
    • Allow room for emotions.

    Encourage social connection

    • Leverage networks.
    • Infuse fun where possible.
    • Encourage community and sense of joint purpose.

    Cultivate a growth mindset

    • Encourage mindfulness and resilience.
    • Express gratitude.

    Empower others

    • Ask employees what they need and co-create solutions.
    • Integrate needs of personal and family life with work life.
    • Be clear on accountability.

    Speaker’s Notes:

    As a leader, your focus should be on encouraging the right behaviors on your team and in yourself.
    Show empathy; allowing room for emotion and showing you are willing and able to listen goes a long way to establishing trust.

    A growth mindset applies to resilience too. A person with a growth mindset is more likely to believe that even though they’re struggling now, they will get through it.

    Infuse fun – schedule social check-ins. This is not wasted time, or time off work – it is an integral part of the workday. We have less of it now organically, so you must bring it back deliberately. Remember that theme? We are deliberately reinfusing important organic elements into the workday.

    The last item, empowerment, is interesting – being clear on accountability. Have clear performance expectations. It might sound like telling people what to do would be disempowering, but it’s the opposite. By clarifying the goals of what they need to achieve, you empower them to invent their own “how,” because you and they are both sure they will arrive at the place that you agreed on. We will talk more about this in performance management.

    Emphasize the importance of wellbeing by setting the tone for the team

    Managers must…

    • LEAD BY EXAMPLE
      • Employees look to their managers for cues about how to react in a crisis. If the manager reacts with stress and fear, the team will follow.
    • ENCOURAGE OPEN COMMUNICATION
      • Frequent check-ins and transparent communication are essential during a time of crisis, especially when working remotely.
    • ACKNOWLEDGE THE SITUATION
      • Recognizing the stress that teams may be facing and expressing confidence in them goes a long way.
    • PROMOTE WELLBEING
      • Managers who take care of themselves can better support their teams and encourage them to practice good self-care too.
    • REDUCE STIGMA
      • Reducing stigma around mental health encourages people to come forward with their struggles and get the support they need.

    Speaker’s Notes:

    Emphasize the importance of wellbeing with what you do. If you do not model self-care behavior, people will follow what you do, not what you say.

    Lead by example – Live the behaviors you want to see in your employees. If you show confidence, positivity, and resiliency, it will filter down to your team.

    Encourage open communication – Have regular meetings where your team is able to set the agenda, or allow one-on-ones to be guided by the employee. Make sure these are scheduled and keep them a priority.

    Acknowledge the situation – Pretending things are normal doesn’t help the situation. Talk about the stress that the team is facing and express confidence that you will get through it together.

    Promote wellbeing – Take time off, don’t work when you’re sick, and you will be better able to support your team!

    Reduce stigma – Call it out when you see it and be sure to remind people of and provide access to any supports that the organization has.

    Conduct dedicated conversations around wellbeing

    1. Check in with how each team member is doing frequently and ask how they are doing personally.
    2. Discuss how things are going. Ask: “How is your work situation working out for you so far? Do you feel supported? How are you taking care of yourself in these circumstances?”
    3. Ask if there are any stressors or roadblocks that they have experienced and collaborate to find solutions.
    4. Provide reassurance of your support and confidence in them.
    5. Document the plan for managing stressors and roadblocks – either through a collaboration tool or through email.

    Speaker’s Notes:

    Going back to the idea of a growth mindset – this may be uncomfortable for you as a manager. So here’s a step-by-step guide that over time you can morph into your own style.

    With your team – be prepared to share first and to show it is OK to be vulnerable and address wellbeing seriously.

    1. Make sure you make time for the personal. Ask about their lives and show compassion.
    2. Give opportunities for them to bring up things that might stay hidden otherwise. Ask questions that show you care.
    3. Help identify areas they are struggling with and work with them to move past those areas.
    4. Make sure they feel supported in what they are going through and reassured of their place on the team.
    5. Roll wellbeing into your planning process. This signals to team that you see wellbeing as important, not just a checklist to cover during a team meeting, and are ready to follow through on it.

    Recognize when professional help is needed

    SIGNS OF BURNOUT: Overwhelmed; Frequent personal disclosure; Trouble sleeping and focusing; Frequent time off; Strained relationships; Substance abuse; Poor work performance

    Speaker’s Notes:

    As a leader, it is important to be on the lookout for warning signs of burnout and know when to step in and direct individuals to professional help.

    Poor work performance – They struggle to maintain work performance, even after you’ve worked with them to create coping strategies.

    Overwhelmed – They repeatedly tell you that they feel overwhelmed, very stressed, or physically unwell.

    Frequent personal disclosure – They want to discuss their personal struggles at length on a regular basis.

    Trouble sleeping and focusing – They tell you that they are not sleeping properly and are unable to focus on work.

    Frequent time off – They feel the need to take time off more frequently.

    Strained relationships – They have difficulty communicating effectively with coworkers; relationships are strained.

    Substance abuse – They show signs of substance abuse (e.g. drunk/high while working, social media posts about drinking during the day).

    Keeping an eye out for these signs and being able to step in before they become unmanageable can mean the difference between keeping and losing an employee experiencing burnout.

    Remember: Managers also need support

    • Added burden
    • Lead by example
    • Self-care

    Speaker’s Notes:

    If you’ve got managers under you, be mindful of their unique stressors. Don’t forget to check in with them, too.

    If you are a manager, remember to take care of yourself and check in with your own manager about your own wellbeing.

    2.1 Balance wellbeing and performance in a virtual team context

    30 Minutes

    1. Brainstorm and list current practices and challenges connected to wellbeing on your teams.
    2. Choose one or two wellbeing challenges that are most relevant for your team.
    3. Discuss as a group and identify one solution for each challenge that you can put into action with your own virtual team. Document this under “Action plan to move forward” on the workbook slide “2.1 Balancing wellbeing and performance in a virtual team context.”

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current practices and challenges connected to wellbeing

    Output

    • Action plan for each challenge listed

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Section 2.2

    Managing performance in a virtual team context

    Virtual employees are craving more meaningful interactions with their managers

    A survey indicated that, overall, remote employees showed less satisfaction with manager interactions compared to other non-remote employees.

    1. 16% less likely to strongly agree their manager involves them in setting goals at work.
    2. 28% less likely to strongly agree they continually work with their manager to clarify work priorities.
    3. 29% less likely to strongly agree they have reviewed their greatest successes with their manager in the last six months.
    4. 30% less likely to strongly agree they have talked with their manager about progress toward goals in the last six months.

    Speaker’s Notes:

    In many cases, we have put people into virtual roles because they are self-directed and self-motivated workers who can thrive with the kind of autonomy and flexibility that comes with virtual work. As managers, we should expect many of these workers to be proactively interested in how they are performing and in developing their careers.

    It would be a mistake to take a hands-off approach when managing virtual workers. A recent survey indicated that, overall, remote employees showed less satisfaction with manager interactions compared to other non-remote employees. It was also one of the aspects of their work experience they were least satisfied with overall (Gallup, State of the American Workplace, 2017). Simply put, virtual employees are craving more meaningful conversations with their managers.

    While conversations about performance and development are important for all employees (virtual or non-virtual), managers of remote teams can have a significant positive impact on their virtual employees’ experience and engagement at work by making efforts to improve their involvement and support in these areas.

    During this module we will work together to identify ways that each of us can improve how we manage the performance of our virtual employees. At the end of the module everyone will create an action plan that they can put in place with their own teams. In the next module, we go through a similar set of activities to create an action plan for our interactions with employees about their development.

    Building blocks of performance management

    • Goal Setting

    • Setting Expectations

    • Measuring Progress

    • Feedback & Coaching

    Speaker’s Notes:

    [Include a visualization of your existing performance management process in the slide. Walk the participants through the process to remind them of what is expected. While the managers participating in the training should know this, there may be different understandings of it, or it might just be the case that it’s been a while since people looked at the official process. The intention here is merely to ensure everyone is on the same page for the purposes of the activities that follow.]

    Now that we’ve reviewed performance management at a high level, let’s dive into what is currently happening with the performance management of virtual teams.

    I know that you have some fairly extensive material at your organization around how to manage performance. This is fantastic. And we’re going to focus mainly on how things change in a virtual context.

    When measuring progress, how do you as a manager make sure that you are comfortable not seeing your team physically at their desks? This is the biggest challenge for remote managers.

    2.2 Share current performance management practices for virtual teams

    30 Minutes

    1. Brainstorm and list current high-level performance management practices connected to each building block. Record in your workbook.
    2. Discuss current challenges connected to implementing the building blocks with virtual employees.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current performance management practices
    • Challenges surrounding performance management

    Output

    • Current state of virtual performance management defined

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Communicate the “why”: Cascade organizational goals

    This image depicts the Cascade of Why- organizational goals. Organizational Mission; Organizational Values; Organizational Goals; Department Goals; Team Goals; Individual Goals

    Speaker’s Notes:

    When assisting your employees with their goals, think about the organization’s overall mission and goals to help you determine team and individual goals.

    • Organizational goals: Employee goals should align with organizational goals. Goals may cascade down through the organization.
    • Department or team goals: Create a clear strategy based on high-level goals for the year so employees can link short-term goals to the larger picture.
    • Individual goals: Employees should draw on their individual development plan to help set performance goals.

    Sometimes it’s difficult to get employees thinking about goals and they need assistance from managers. It’s also important to be clear on team goals to help guide employees in setting individual ones.

    The basic idea is to show people how their individual day-to-day work contributes to the overall success of the organization. It gives them a sense of purpose and a rationale, which translates to motivation. And also helps them problem solve with more autonomy.

    You’re giving people a sense of the importance of their own contribution.

    How to set clear expectations for job performance

    Ensure employees have a clear understanding of what’s expected for their role:

    1. Review their metrics so they understand how they’re being evaluated.
    2. Outline daily, weekly, monthly, and quarterly goals.
    3. If needed, help them plan when and how each part of their job should be done and what to prioritize.
    4. Ask them to come to you early if they experience a roadblock so that you can help rather than having them flounder on their own.
    5. Document instances where employees aren’t meeting role or performance expectations.

    Speaker’s Notes:

    Tailor performance goals to address any root causes of poor performance.

    For example:

    • If personal factors are getting in the way, work with the employee (and HR if necessary) to create a strategy to address any impediments to performing in the role.

    Tips for managing performance remotely

    • Reflect on one key question: What needs to happen for my direct reports to continue their work while working remotely?
    • Manage for results – not employee visibility at the office.
    • Use metrics to measure performance. If you don’t have any, define tasks and deliverables as clearly as possible and conduct regular check-ins.
    • Work with the employee to set goals and metrics to measure progress.

    Focus on results: Be flexible about how and when work gets done, as long as team members are hitting their targets.

    • For example, if they have childcare duties from 3 to 5pm during school closures and want to work later in the evening to make up the time, that’s fine – as long as the work gets done.
    • Set clear expectations about which work must be done during normal work hours (e.g. attend team meetings, client calls) and which can be done at other hours.
    • Team members must arrange with you any nonstandard working hours before they start using an altered schedule. It is your responsibility to keep track of hours and any alternate arrangements.
    • Don’t make team members feel constantly monitored (i.e. “Where were you from 10 to 11am?”); trust them until you have reason not to.

    Encourage your team members to unplug: If they’re sending you emails late at night and they haven’t made an alternate work hours agreement with you, encourage them to take time away from work.

    • It’s harder to unplug when working at home, and everyone needs a break to stay productive.

    Avoid micromanagement with holistic performance measures

    Quality

    How well tasks are accomplished

    Behavior

    Related to specific employee actions, skills, or attitudes

    Quantity

    How much work gets done

    Holistic measures demonstrate all the components required for optimal performance. This is the biggest driver in having comfort as a manager of a remote team and avoiding micromanagement. Typically these are set at the organizational level. You may need to adjust for individual roles, etc.

    Speaker's Notes:

    Metrics come in different types. One way to ensure your metrics capture the full picture is to use a mix of different kinds of metrics.

    Some metrics are quantitative: they describe quantifiable or numerical aspects of the goal. This includes timeliness. On the other hand, qualitative metrics have to do with the final outcome or product. And behavioral metrics have to do with employees' actions, skills, or attitudes. Using different kinds of metrics together helps you set holistic measures, which capture all the components of optimal performance toward your goal and prevent gaming the system.

    Let's take an example:

    A courier might have an objective to do a good job delivering packages. An example of a quantitative measure might be that the courier is required to deliver X number of packages per day on time. The accompanying metrics would be the number of packages delivered per day and the ratio of packages delivered on time vs. late.

    Can you see a problem if we use only these quantitative measures to evaluate the courier's performance?

    Wait to see if anyone volunteers an answer. Discuss suggestions.

    That's right, if the courier's only goal is to deliver more packages, they might start to rush, may ruin the packages, and may offer poor customer service. We can help to guard against this by implementing qualitative and behavioral measures as well. For example, a qualitative measure might be that the courier is required to deliver the packages in mint condition. And the metric would be the number of customer complaints about damaged packages or ratings on a satisfaction survey related to package condition.

    For the behavioral aspect, the courier might be required to provide customer-centric service with a positive attitude. The metrics could be ratings on customer satisfaction surveys related to the courier's demeanor or observations by the manager.

    Managing poor performance virtually: Look for key signs

    It’s crucial to acknowledge that an employee might have an “off week” or need time to balance work and life – things that can be addressed with performance management (PM) techniques. Managers should move into the process for performance improvement when:

    1. Performance fluctuates frequently or significantly.
    2. Performance has dropped for an extended period of time.
    3. Expectations are consistently not being met.

    Key signs to look for:

    • PM data/performance-related assessments
    • Continual absences
    • Decreased quality or quantity of output
    • Frequent excuses (e.g. repeated internet outages)
    • Lack of effort or follow-through
    • Missed deadlines
    • Poor communication or lack of responsiveness
    • Failure to improve

    Speaker’s notes:

    • Let’s talk more about identifying low performance.
    • Everybody has off days or weeks. And what if they are new to the role or new to working remotely? Their performance may be low because they need time to adjust. These sort of situations should be managed, but they don’t require moving into the process for performance improvement.
    • When managing employees who are remote or working in a hybrid situation, it is important to be alert to these signs and check in with your employees on a regular basis. Aim to identify and work with employees on addressing performance issues as they arise rather than waiting until it’s too late. Depending on your availability, the needs of the employee, and the complexity of their role, check-ins could occur daily, weekly, and/or monthly. As I mentioned, for remote employees, it’s often better to check-in more frequently but for a shorter period of time.
    • You want to be present in their work life and available to help them manage through roadblocks and stay on track, but try to avoid over-monitoring employees. Micromanaging can impact the manager-employee relationship and lead to the employee feeling that there is a lack of trust. Remember, the employee needs to be responsible for their own performance and improvement.
    • Check-ins should not just be about the work either. Take some time to check in personally. This is particularly important when managing remotely. It enables you to build a personal relationship with the employee and also keeps you aware if there are other personal issues at play that are impacting their work.
    • So, how do you know what does require performance improvement? There are three key things that you should look for that are clear signals that performance improvement is necessary:
      1. Their performance is fluctuating frequently or significantly.
      2. Their performance has dropped for an extended period of time.
      3. Expectations are consistently not being met.
    • What do you think are some key signs to look for that indicate a performance issue is occurring?

    Managing poor performance virtually: Conducting remote performance conversations

    Video calling

    Always use video calls instead of phone calls when possible so that you don’t lose physical cues and body language.

    Meeting invitations

    Adding HR/your leader to a meeting invite about performance may cause undue stress. Think through who needs to participate and whether they need to be included in the invite itself.

    Communication

    Ensure there are no misunderstandings by setting context for each discussion and having the employee reiterate the takeaways back to you.

    Focus on behavior

    Don’t assume the intent behind the behavior(s) being discussed. Instead, just focus on the behavior itself.

    Policies

    Be sure to adhere to any relevant HR policies and support systems. Working with HR throughout the process will ensure none are overlooked.

    Speaker’s notes:

    There are a few best practices you should follow when having performance conversations:

    • First, if you are in a different work environment than your employee, always use video calls instead of phone calls whenever possible so that you don’t miss out on physical cues and body language. If videoconferencing isn’t the norm, encourage them to turn on their video. Be empathic that it can feel awkward but explain the benefits, and you will both have an easier time communicating and understanding each other.
    • As I’ve mentioned, be considerate of the environment they are in. If they are in the office and you are working remotely, be sure to book a private meeting room for them to go to for the conversation. If they are working from home, be sure to check that they are prepared and able to focus on the conversation.
    • Next, carefully consider who you are adding to the meeting invite and whether it’s necessary for them to be there. Adding HR or your leader to a meeting invite may cause undue stress for the employee.
    • Consider the timing of the invite. Don’t send it out weeks in advance. When a performance problem exists, you’ll want to address it as soon as possible. A day or two of notice would be an ideal approach because it gives them a heads up but will not cause them extended stress or worrying.
    • Be considerate about the timing of the meeting and what else they may have scheduled. For example, a Friday afternoon before they are heading off on vacation or right before they are leading an important client call would not be appropriate timing.
    • As we just mentioned clear communication is critical. Ensure there are no misunderstandings by setting context for each discussion and having the employee reiterate takeaways back to you.
    • Focus on the behavior and don’t assume their intent. It can be tempting to say, “I know you didn’t mean to miss the deadline,” but you don’t know what they intended. Often people are not aware of the impact their behavior can have on others.
    • Lastly, be sure to adhere to any relevant HR policies and support systems. Working with HR throughout the process will ensure nothing is overlooked.

    2.3 Identify challenges of current practices and propose solutions

    30 Minutes

    1. Select one or two challenges from the previous activity.
    2. Identify one solution for each challenge that you can put into action with your own virtual team. Document in the workbook.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current performance management practices
    • Challenges surrounding performance management

    Output

    • Action plan to move forward

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Effectively Manage Virtual Teams

    Optional Section

    Employee development in a virtual team setting

    There are three main development approaches for both colocated and virtual employees

    Formal Training; Relational Learning; Experimental Learning

    Speaker’s Notes:

    As we have seen, our virtual employees crave more meaningful interactions with their managers. In addition to performance conversations, managers should also be having regular discussions with their employees about their employee development plans. One key component of these discussions is career planning. Whether you are thinking shorter term – how to become better at their current role – or longer term – how to advance beyond their current role – discussions about employee development are a great way to engage employees. Employees are ultimately responsible for creating and executing their own development plans, but managers are responsible for making sure that employees have thought through these plans and helping employees identify opportunities for executing those plans.

    To help us think about our own employee development practices, identify challenges they pose when working with virtual employees, and create solutions to these challenges, it is useful to think about employee development opportunities according to three types:

    1. The first kind of development opportunity is formal training. Formal training is organized and has a clearly defined curriculum and desired outcome. It usually takes the form of a group training session (like this one) or training videos or materials that employees can watch individually and on their own time. These opportunities usually end with a test or assignment that can be used to evaluate the degree to which the participant achieved the desired learning outcomes.
    2. The second kind of development opportunity is relational learning. Perhaps the most common form of this type of learning is coaching or mentoring. By establishing a long-term work relationship, checking in with employees about their daily work and development goals, and sharing their own experiences and knowledge, mentors help employees reflect and draw out learning from everyday, on-the-job development activities. Other examples include a peer support group or communities of practice. In these group settings peers share best practices and work together to overcome challenges.
    3. The third kind of development opportunity is experiential learning. This kind of opportunity provides employees the chance to work on real work problems, and the output of the development work can directly benefit the organization. Most people learn best by doing. On-the-job experiences that are challenging or new can force people to use and develop new skills and knowledge based on what worked effectively and what failed. Examples of experiential learning are on-the-job learning for new hires, stretch assignments, or special projects that take the employee beyond their daily routine and allow them to try new activities and develop competencies that they would not have the chance to develop as part of their regular job.

    According to McLean & Company, organizations should use the “70-20-10” rule as a rough guideline when working with employees to create their development plans: 10% of the plan should be dedicated to formal training opportunities, 20% to relational learning, and 70% to experiential learning. Managers should work with employees to identify their performance and career goals, ensure that their development plans are aligned with these goals, and include an appropriate mixture of all three kinds of development opportunities.

    To help identify challenges and solutions, think about how virtual work arrangements will impact the employee’s ability to leverage each type of opportunity at our organization.

    Here are some examples that can help us start thinking about the kinds of challenges virtual employees on our team face:

    Career Planning

    • One challenge can be identifying a career path that is consistent with working virtually. If switching from a virtual arrangement to an onsite arrangement is not a viable option for an employee, some career paths may not feasibly be open to them (at least as the company is currently organized). For example, if an employee would eventually like to be promoted to a senior leadership role in their business function but all senior leaders are required to work onsite at corporate headquarters, the employee will need to consider whether such a move is possible for them. In some cases employees may be willing to do this, but in others they may not. The important thing is to have these conversations with virtual employees and avoid the assumption that all career paths can be done virtually, since that might not be the case

    Formal Training

    • This is probably the least problematic form of employee development for virtual employees. In many cases this kind of training is scheduled well in advance, so virtual employees may be able to join non-virtual employees in person for some group training. When this is not possible (due to distance, budget, or time zone), many forms of group training can be recorded and watched by virtual employees later. Training videos and training materials can also easily be shared with virtual employees using existing collaboration software.

    Relational Learning

    • One major challenge here is developing a mentoring relationship virtually. As we discussed in the module on performance management, developing relationships virtually can be challenging because people cannot rely upon the kind of informal and spontaneous interactions that occur when people are located in the same office. Mentors and mentees will have to put in more effort and planning to get to know each other and they will have to schedule frequent check-ins so that employees can reflect upon their progress and experience (with the help of their mentors) more often.
    • Time zones and technology may pose potential barriers for certain candidates to be mentors. In some cases, employees that are best qualified to be mentors may not be as comfortable with collaborative software as other mentors or their mentees. If there are large time zone differences, some people who would otherwise be interested in acting as a mentor may be dissuaded. Managers need to take this into consideration if they are connecting employees with mentors or if they are thinking of taking on the mentor role themselves.

    Experiential Learning

    • Virtual employees risk being overlooked for special projects due to the “out of sight, out of mind” bias: When special projects come up, the temptation is to look around the room and see who is the best fit. The problem is, however, that in some cases the highest performers or best fit may not physically be in the room. In these cases it is important for managers to take on an advocate role for their employees and remind other managers that they have good virtual employees on their team that should be included or contacted. It is also important for managers to keep their team informed about these opportunities as often as possible.
    • Sometimes certain projects or certain kinds of work just cannot be done virtually in a company for a variety of reasons. The experiential learning opportunities will not be open to virtual employees. If such opportunities are open to the majority of other workers in this role (potentially putting virtual employees’ career development at a disadvantage relative to their peers), managers should work with their virtual employees to identify alternative experiences. Managers may also want to consider advocating for more or for higher quality experiential learning opportunities at the organization.

    Now that we have considered some general examples of challenges and solutions, let’s look at our own employee development practices and think about the practical steps we can take as managers to improve employee development for our virtual employees.

    Employee development basics

    • Career planning & performance improvement
    • Formal training
    • Relational learning
    • Experiential learning

    Speaker’s Notes:

    [Customize this slide according to your organization’s own policies and processes for employee development. Provide useful images that outline this on the slide, and in these notes describe the processes/policies that are in place. Note: In some cases policies or processes may not be designed with virtual employees or virtual teams in mind. That is okay for the purposes of this training module. In the following activities participants will discuss how they apply these policies and processes with their virtual teams. If your organization is interested in adapting its policies/processes to better support virtual workers, it may be useful to record those conversations to supplement existing policies later.]

    Now that we have considered some general examples of challenges and solutions, let’s look at our own employee development practices and think about the practical steps we can take as managers to improve employee development for our virtual employees.

    2.4 Share current practices for developing employees on a virtual team

    30 Minutes

    1. Brainstorm and list current high-level employee development practices. Record in your workbook.
    2. Discuss current challenges connected to developing virtual employees. Record in your workbook.
    3. Identify one solution for each challenge that you can put into action with your own virtual team.
    4. Discuss as a group.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Current employee development practices
    • Challenges surrounding employee development

    Output

    • Action plan to move forward

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Refine Action Plans

    2.5 Refine your action plan and commit to implementing it

    30 Minutes

    1. Review your action plans for consistency and overlap. Highlight any parts you may struggle to complete.
    2. Meeting with your group, summarize your plans to each other. Provide feedback and discuss each other’s action plans.
    3. Discuss how you can hold each other accountable.

    Download the Workbook: Equip Managers to Effectively Manage Virtual Teams

    Input

    • Action items from previous activities.

    Output

    • Action plan to move forward

    Materials

    • Workbook: Equip Managers to Effectively Manage Virtual Teams

    Participants

    • All managers with direct reports working virtually

    Summary of Accomplishment

    • We do not need to go out and learn a new set of manager responsibilities to better manage our virtual teams; rather, we have to “dial up” certain responsibilities we already have or adjust certain approaches that we already take.
    • It is important to set clear expectations. While managers are ultimately responsible for making sure expectations are set and are clearly communicated, they are not the only ones with responsibilities. Employees and managers need to work together to overcome the challenges that virtual work involves.
    • Virtual employees crave meaningful interactions with their managers and team. Managers must take charge in fostering an atmosphere of openness around wellbeing and establish effective performance management strategies. By being proactive with our virtual teams’ wellness and mindful of our performance management habits, we can take significant steps toward keeping these employees engaged and productive.
    • Effective management in virtual contexts requires being more deliberate than is typical in non-virtual contexts. By working as a group to identify challenges and propose solutions, we have helped each other create action plans that we can use going forward to continually improve our management practices.

    If you would like additional support, have our analysts guide you through an info-tech workshop or guided implementation.

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Speaker’s Notes:

    First, let’s take a moment to summarize the key things we have learned today:

    1. We do not need to go out and learn a new set of manager competencies to better manage our virtual teams; rather, we have to “dial up” certain competencies we already have or adjust certain approaches that we already take. In many cases we just need to be more aware of the challenges that virtual communication poses and be more planful in our approaches.
    2. It is important to set clear expectations. While managers are ultimately responsible for making sure expectations are set and clearly communicated, they are not the only ones with responsibilities. Employees and managers need to work together to overcome the challenges that virtual work involves. Making sure that teams have meaningful conversations about expectations, come to a shared understanding of them, and record them will create a firm foundation for all other interactions on the virtual team.
    3. Virtual employees crave meaningful interactions with their managers related to performance and employee development. By creating action plans for improving these kinds of interactions with our teams, we can take significant steps toward keeping these employees engaged and productive.
    4. Effective performance management and employee development in virtual contexts require more planfulness than is required in non-virtual contexts. By working as a group to identify challenges and propose solutions, we have helped each other create action plans that we can use going forward to continually improve our management practices.

    Is there anything that anyone has learned that is not on this list and that they would like to share with the group?

    Finally, were there any challenges identified today that were not addressed?

    [Note to facilitator: Take note of any challenges not addressed and commit to getting back to the participants with some suggested solutions.]

    Additional resources

    Manager Training: Lead Through Change

    Train managers to navigate the interpersonal challenges associated with change management and develop their communication and leadership skills. Upload this LMS module into your learning management system to enable online training.

    Manager Training: Build a Better Manager: Manage Your People

    Management skills training is needed, but organizations are struggling to provide training that makes a long-term difference in the skills managers use in their day to day.

    Many training programs are ineffective because they offer the wrong content, deliver it in a way that is not memorable, and are not aligned with the IT department’s business objectives.

    Blueprint: Manage Poor Performance While Working From Home

    Assess and improve remote work performance with our ready-to-use tools.

    Works Cited

    April, Richard. “10 KPIs Every Sales Manager Should Measure in 2019.” HubSpot, 24 June 2019. Web.

    Banerjea, Peter. “5 Powerful Strategies for Managing a Remote Sales Team.” Badger - Maps for field sales, n.d. Web.

    Bibby, Adrianne. “5 Employers’ Awesome Quotes about Work Flexibility.” FlexJobs, 9 January 2017. Web.

    Brogie, Frank. “The 14 KPIs every field sales rep should strive to improve.” Repsly, 2018. Web.

    Dunn, Julie. “5 smart tips for leading field sales teams.” LevelEleven, March 2015. Web.

    Edinger, Scott. “How great sales leaders coach.” Forbes, 2013. Web.

    “Employee Outlook: Employee Views on Working Life.” CIPD, April 2016. Web.

    Hall, Becki. “The 5 biggest challenges facing remote workers (and how to solve them).” interact, 7 July 2017. Web.

    Hofstede, Geert. “National Cultural Dimensions.” Hofstede Insights, 2012. Web.

    “Inventory of U.S. Greenhouse Gas Emissions and Sinks: 1990-2014 (EPA 430-R-16-002).” Environmental Protection Agency (EPA), 15 April 2016.

    “Latest Telecommuting Statistics.” Global Workplace Analytics, June 2021. Web.

    Knight, Rebecca. “How to manage remote direct reports.” Harvard Business Review, 2015. Web.

    “Rewards and Recognition: 5 ways to show remote worker appreciation.” FurstPerson, 2019. Web.

    Palay, Jonathan. "How to build your sales management cadence." CommercialTribe, 22 March 2018. Web.

    “Sales Activity Management Matrix.” Asian Sales Guru, 2019. Web.

    Smith, Simone. “9 Things to Consider When Recognizing Remote Employees.” hppy, 2018. Web.

    “State of Remote Work 2017.” OWL Labs, 2021. Web.

    “State of the American Workplace.” Gallup, 2017. Web.

    “Telework Savings Potential.” Global Workplace Analytics, June 2021. Web.

    “The Future of Jobs Employment Trends.” World Economic Forum, 2016. Web.

    “The other COVID-19 crisis: Mental health.” Qualtrics, 14 April 2020. Web.

    Thompson, Dan. “The straightforward truth about effective sales leadership.” Sales Hacker, 2017. Web.

    Tsipursky, Gleb. “Remote Work Can Be Better for Innovation Than In-Person Meetings.” Scientific American, 14 Oct. 2021. Web.

    Walsh, Kim. “New sales manager? Follow this guide to crush your first quarter.” HubSpot, May 2019. Web.

    “What Leaders Need to Know about Remote Workers: Surprising Differences in Workplace Happiness and Relationships.” TINYpulse, 2016.

    Zenger, Jack, and Joe Folkman. “Feedback: The Leadership Conundrum.” Talent Quarterly: The Feedback Issue, 2015.

    Contributors

    Anonymous CAMH Employee

    Document Your Cloud Strategy

    • Buy Link or Shortcode: {j2store}468|cart{/j2store}
    • member rating overall impact (scale of 10): 8.9/10 Overall Impact
    • member rating average dollars saved: $35,642 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy

    Despite the universally agreed-upon benefit of formulating a coherent strategy, several obstacles make execution difficult:

    • Inconsistent understanding of what the cloud means
    • Inability to come to a consensus on key decisions
    • Ungoverned decision-making
    • Unclear understanding of cloud roles and responsibilities

    Our Advice

    Critical Insight

    A cloud strategy might seem like a big project, but it’s just a series of smaller conversations. The methodology presented here is designed to facilitate those conversations, using a curated list of topics, prompts, participant lists, and sample outcomes. We have divided the strategy into four key areas:

    • Vision and alignment
    • People
    • Governance
    • Technology

    Impact and Result

    • A shared understanding of what is necessary to succeed in the cloud
    • An end to ad hoc deployments that solve small problems and create larger ones
    • A unified approach and set of principles that apply to governance, architecture, integration, skills, and roles (and much, much more).

    Document Your Cloud Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Document Your Cloud Strategy – a phased guide to identifying, validating, and recording the steps you’ll take, the processes you’ll leverage, and the governance you’ll deploy to succeed in the cloud.

    This storyboard comprises four phases, covering mission and vision, people, governance, and technology, and how each of these areas requires forethought when migrating to the cloud.

    • Document Your Cloud Strategy – Phases 1-4

    2. Cloud Strategy Document Template – a template that allows you to record the results of the cloud strategy exercise in a clear, readable way.

    Each section of Document Your Cloud Strategy corresponds to a section in the document template. Once you’ve completed each exercise, you can record your results in the document template, leaving you with an artifact you can share with stakeholders.

    • Cloud Strategy Document Template
    [infographic]

    Workshop: Document Your Cloud Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Document Your Vision and Alignment

    The Purpose

    Understand and document your cloud vision and its alignment with your other strategic priorities.

    Key Benefits Achieved

    A complete understanding of your strategy, vision, alignment, and a list of success metrics that will help you find your way.

    Activities

    1.1 Record your cloud mission and vision.

    1.2 Document your cloud strategy’s alignment with other strategic plans.

    1.3 Record your cloud guiding principles.

    Outputs

    Documented strategy, vision, and alignment.

    Defined success metrics.

    2 Record Your People Strategy

    The Purpose

    Define how people, skills, and roles will contribute to the broader cloud strategy.

    Key Benefits Achieved

    Sections of the strategy that highlight skills, roles, culture, adoption, and the creation of a governance body.

    Activities

    2.1 Outline your skills and roles strategy.

    2.2 Document your approach to culture and adoption

    2.3 Create a cloud governing body.

    Outputs

    Documented people strategy.

    3 Document Governance Principles

    The Purpose

    This section facilitates governance in the cloud, developing principles that apply to architecture, integration, finance management, and more.

    Key Benefits Achieved

    Sections of the strategy that define governance principles.

    Activities

    3.1 Conduct discussion on architecture.

    3.2 Conduct discussion on integration and interoperability.

    3.3 Conduct discussion on operations management.

    3.4 Conduct discussion on cloud portfolio management.

    3.5 Conduct discussion on cloud vendor management.

    3.6 Conduct discussion on finance management.

    3.7 Conduct discussion on security.

    3.8 Conduct discussion on data controls.

    Outputs

    Documented cloud governance strategy.

    4 Formalize Your Technology Strategy

    The Purpose

    Creation of a formal cloud strategy relating to technology around provisioning, monitoring, and migration.

    Key Benefits Achieved

    Completed strategy sections of the document that cover technology areas.

    Activities

    4.1 Formalize organizational approach to monitoring.

    4.2 Document provisioning process.

    4.3 Outline migration processes and procedures.

    Outputs

    Documented cloud technology strategy.

    Further reading

    Document Your Cloud Strategy

    Get ready for the cloudy future with a consistent, proven strategy.

    Analyst perspective

    Any approach is better than no approach

    The image contains a picture of Jeremy Roberts

    Moving to the cloud is a big, scary transition, like moving from gas-powered to electric cars, or from cable to streaming, or even from the office to working from home. There are some undeniable benefits, but we must reorient our lives a bit to accommodate those changes, and the results aren’t always one-for-one. A strategy helps you make decisions about your future direction and how you should respond to changes and challenges. In Document Your Cloud Strategy we hope to help you accomplish just that: clarifying your overall mission and vision (as it relates to the cloud) and helping you develop an approach to changes in technology, people management, and, of course, governance. The cloud is not a panacea. Taken on its own, it will not solve your problems. But it can be an important tool in your IT toolkit, and you should aim to make the best use of it – whatever “best” happens to mean for you.

    Jeremy Roberts

    Research Director, Infrastructure and Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    The cloud is multifaceted. It can be complicated. It can be expensive. Everyone has an opinion on the best way to proceed – and in many cases has already begun the process without bothering to get clearance from IT. The core challenge is creating a coherent strategy to facilitate your overall goals while making the best use of cloud technology, your financial resources, and your people.

    Common Obstacles

    Despite the universally agreed-upon benefit of formulating a coherent strategy, several obstacles make execution difficult:

    • Inconsistent understanding of what the cloud means
    • Inability to come to a consensus on key decisions
    • Ungoverned decision making
    • Unclear understanding of cloud roles and responsibilities

    Info-Tech’s Approach

    A cloud strategy might seem like a big project, but it’s just a series of smaller conversations. The methodology presented here is designed to facilitate those conversations, using a curated list of topics, prompts, participant lists, and sample outcomes. We have divided the strategy into four key areas:

    1. Vision and alignment
    2. People
    3. Governance
    4. Technology

    The answers might be different, but the questions are the same

    Every organization will approach the cloud differently, but they all need to ask the same questions: When will we use the cloud? What forms will our cloud usage take? How will we manage governance? What will we do about people? How will we incorporate new technology into our environment? The answers to these questions are as numerous as there are people to answer them, but the questions must be asked.

    Your challenge

    This research is designed to help organizations that are facing these challenges or looking to:

    • Ensure that the cloud strategy is complete and accurately reflects organizational goals and priorities.
    • Develop a consistent and coherent approach to adopting cloud services.
    • Design an approach to mitigate risks and challenges associated with adopting cloud services.
    • Create a shared understanding of the expected benefits of cloud services and the steps required to realize those benefits.

    Grappling with a cloud strategy is a top initiative: 43% of respondents report progressing on a cloud-first strategy as a top cloud initiative.

    Source: Flexera, 2021.

    Definition: Cloud strategy

    A document providing a systematic overview of cloud services, their appropriate use, and the steps that an organization will take to maximize value and minimize risk.

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • The cloud means different things to different people, and creating a strategy that is comprehensive enough to cover a multitude of use cases while also being written to be consumable by all stakeholders is difficult.
    • The incentives to adopt the cloud differ based on the expected benefit for the individual customer. User-led decision making and historically ungoverned deployments can make it difficult to reset expectation and align with a formal strategy.
    • Getting all the right people in a room together to agree on the key components of the strategy and the direction undertaken for each one is often difficult.

    Info-Tech’s approach

    Define Your Cloud Vision

    Vision and alignment

    • Mission and vision
    • Alignment to other strategic plans
    • Guiding principles
    • Measuring success

    Technology

    • Monitoring
    • Provisioning
    • Migration

    Governance

    • Architecture
    • Integration and interoperability
    • Operations management
    • Cloud portfolio management
    • Cloud vendor management
    • Finance management
    • Security
    • Data controls

    People

    • Skills and roles
    • Culture and adoption
    • Governing bodies

    Info-Tech’s approach

    Your cloud strategy will comprise the elements listed under “vision and alignment,” “technology,” “governance,” and “people.” The Info-Tech methodology involves breaking the strategy down into subcomponents and going through a three-step process for each one. Start by reviewing a standard set of questions and understanding the goal of the exercise: What do we need to know? What are some common considerations and best practices? Once you’ve had a chance to review, discuss your current state and any gaps: What has been done? What still needs to be done? Finally, outline how you plan to go forward: What are your next steps? Who needs to be involved?

    Review

    • What questions do we need to answer to complete the discussion of this strategy component? What does the decision look like?
    • What are some key terms and best practices we must understand before deciding?

    Discuss

    • What steps have we already taken to address this component?
    • Does anything still need to be done?
    • Is there anything we’re not sure about or need further guidance on?

    Go forward

    • What are the next steps?
    • Who needs to be involved?
    • What questions still need to be asked/answered?
    • What should the document’s wording look like?

    Info-Tech’s methodology for documenting your cloud strategy

    1. Document your vision and alignment

    2. Record your people strategy

    3. Document governance principles

    4. Formalize your technology strategy

    Phase Steps

    1. Record your cloud mission and vision
    2. Document your cloud strategy’s alignment with other strategic plans
    3. Record your cloud guiding principles
    4. Define success
    1. Outline your skills and roles strategy
    2. Document your approach to culture and adoption
    3. Create a cloud governing body

    Document official organizational positions in these governance areas:

    1. Architecture
    2. Integration and interoperability
    3. Operations management
    4. Cloud portfolio management
    5. Cloud vendor management
    6. Finance management
    7. Security
    8. Data controls
    1. Formalize organizational approach to monitoring
    2. Document provisioning process
    3. Outline migration processes and procedures

    Phase Outcomes

    Documented strategy: vision and alignment

    Documented people strategy

    Documented cloud governance strategy

    Documented cloud technology strategy

    Insight summary

    Separate strategy from tactics

    Separate strategy from tactics! A strategy requires building out the framework for ongoing decision making. It is meant to be high level and achieve a large goal. The outcome of a strategy is often a sense of commitment to the goal and better communication on the topic.

    The cloud does not exist in a vacuum

    Your cloud strategy flows from your cloud vision and should align with the broader IT strategy. It is also part of a pantheon of strategies and should exist harmoniously with other strategies – data, security, etc.

    People problems needn’t preponderate

    The cloud doesn’t have to be a great disruptor. If you handle the transition well, you can focus your people on doing more valuable work – and this is generally engaging.

    Governance is a means to an end

    Governing your deployment for its own sake will only frustrate your end users. Articulate the benefits users and the organization can expect to see and you’re more likely to receive the necessary buy-in.

    Technology isn’t a panacea

    Technology won’t solve all your problems. Technology is a force multiplier, but you will still have to design processes and train your people to fully leverage it.

    Key deliverable

    Cloud Strategy Document template

    Inconsistency and informality are the enemies of efficiency. Capture the results of the cloud strategy generation exercises in the Cloud Strategy Document template.

    The image contains a screenshot of the Cloud Strategy Document Template.
    • Record the results of the exercises undertaken as part of this blueprint in the Cloud Strategy Document template.
    • It is important to remember that not every cloud strategy will look exactly the same, but this template represents an amalgamation of best practices and cloud strategy creation honed over several years of advisory service in the space.
    • You know your audience better than anyone. If you would prefer a strategy delivered in a different way (e.g. presentation format) feel free to adapt the Cloud Vision Executive Presentation into a longer strategy presentation.
    • Emphasis is an area where you should exercise discretion as well. A cost-oriented cloud strategy, or one that prioritizes one type of cloud (e.g. SaaS) at the exclusion of others, may benefit from more focus on some areas than others, or the introduction of relevant subcategories. Include as many of these as you think will be relevant.
    • Parsimony is king – if you can distill a concept to its essence, start there. Include additional detail only as needed. You want your cloud strategy document to be read. If it’s too long or overly detailed, you’ll encounter readability issues.

    Blueprint benefits

    IT benefits

    Business benefits

    • A consistent, well-defined approach to the cloud
    • Consensus on key strategy components, including security, architecture, and integration
    • A clear path forward on skill development and talent acquisition/retention
    • A comprehensive resource for information about the organization’s approach to key strategy components
    • Predictable access to cloud services
    • A business-aligned approach to leveraging the resources available in the cloud
    • Efficient and secure consumption of cloud resources where appropriate to do so
    • Answers to questions about the cloud and how it will be leveraged in the environment

    Measure the value of this blueprint

    Don’t take our word for it:

    • Document Your Cloud Strategy has been available for several years in various forms as both a workshop and as an analyst-led guided implementation.
    • After each engagement, we send a survey that asks members how they benefited from the experience. Those who have worked through Info-Tech’s cloud strategy material have given overwhelmingly positive feedback.
    • Additionally, members reported saving between 10 and 20 days and an average of $46,499.
    • Measure the value by calculating the time saved as a result of using Info-Tech’s framework vs. a home-brewed cloud strategy alternative and by comparing the overall cost of a guided implementation or workshop with the equivalent offering from another firm. We’re confident you’ll come out ahead.

    8.8/10 Average reported satisfaction

    13 Days Average reported time savings

    $46,499 Average cost savings

    Executive Brief Case Study

    INDUSTRY: Pharmaceuticals

    SOURCE: Info-Tech workshop

    Pharmaceutical company

    The unnamed pharmaceutical company that is the subject of this case study was looking to make the transition to the cloud. In the absence of a coherent strategy, the organization had a few cloud deployments with no easily discernable overall approach. Representatives of several distinct functions (legal, infrastructure, data, etc.) all had opinions on the uses and abuses of cloud services, but it had been difficult to round everyone up and have the necessary conversations. As a result, the strategy exercise had not proceeded in a speedy or well-governed way. This lack of strategic readiness presented a roadblock to moving forward with the cloud strategy and to work with the cloud implementation partner, tasked with execution.

    Results

    The company engaged Info-Tech for a four-day workshop on cloud strategy documentation. Over the course of four days, participants drawn from across the organization discussed the strategic components and generated consensus statements and next steps. The team was able to formalize the cloud strategy and described the experience as saving 10 days.

    Example output: Document your cloud strategy workshop exercise

    The image contains an example of Document your cloud streatgy workshop exercise.

    Anything in green, the team was reasonably sure they had good alignment and next steps. Those yellow flags warranted more discussion and were not ready for documentation.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Document your vision and alignment

    Record your people strategy

    Document governance principles

    Formalize your technology strategy

    Call #1: Review existing vision/strategy documentation.

    Call #2: Review progress on skills, roles, and governance bodies.

    Call #3: Work through integration, architecture, finance management, etc. based on reqs. (May be more than one call.)

    Call #4: Discuss challenges with monitoring, provisioning, and migration as-needed.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 4 to 6 calls over the course of 1 to 3 months

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Answer
    “so what?”

    Define the
    IT target state

    Assess the IT
    current state

    Bridge the gap and
    create the strategy

    Next steps and
    wrap-up (offsite)

    Activities

    1.1 Introduction

    1.2 Discuss cloud mission and vision

    1.3 Discuss alignment with other strategic plans

    1.4 Discuss guiding principles

    1.5 Define success metrics

    2.1 Discuss skills and roles

    2.2 Review culture and adoption

    2.3 Discuss a cloud governing body

    2.4 Review architecture position

    2.5 Discuss integration and interoperability

    3.1 Discuss cloud operations management

    3.2 Review cloud portfolio management

    3.3 Discuss cloud vendor management

    3.4 Discuss cloud finance management

    3.5 Discuss cloud security

    4.1 Review and formalize data controls

    4.2 Design a monitoring approach

    4.3 Document the workload provisioning process

    4.4 Outline migration processes and procedures

    5.1 Populate the Cloud Strategy Document

    Deliverables

    Formalized cloud mission and vision, along with alignment with strategic plans, guiding principles, and success metrics

    Position statement on skills and roles, culture and adoption, governing bodies, architecture, and integration/interoperability

    Position statements on cloud operations management, portfolio management, vendor management, finance management, and cloud security

    Position statements on data controls, monitoring, provisioning, and migration

    Completed Cloud Strategy Document

    Phase 1

    Document Your Vision and Alignment

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Document your mission and vision

    1.2 Document alignment to other strategic plans

    1.3 Document guiding principles

    1.4 Document success metrics

    2.1 Define approach to skills and roles

    2.2 Define approach to culture and adoption

    2.3 Define cloud governing bodies

    3.1 Define architecture direction

    3.2 Define integration approach

    3.3 Define operations management process

    3.4 Define portfolio management direction

    3.5 Define vendor management direction

    3.6 Document finance management tactics

    3.7 Define approach to cloud security

    3.8 Define data controls in the cloud

    4.1 Define cloud monitoring strategy

    4.2 Define cloud provisioning strategy

    4.3 Define cloud migration strategy

    This phase will walk you through the following activities:

    1. Record your cloud mission and vision
    2. Document your cloud strategy’s alignment with other strategic plans
    3. Record your cloud guiding principles
    4. Define success

    This phase has the following outcome:

    • Documented strategy: vision and alignment

    Record your mission and vision

    Build on the work you’ve already done

    Before formally documenting your cloud strategy, you should ensure that you have a good understanding of your overall cloud vision. How do you plan to leverage the cloud? What goals are you looking to accomplish? How will you distribute your workloads between different cloud service models (SaaS, PaaS, IaaS)? What will your preferred delivery model be (public, private, hybrid)? Will you support your cloud deployment internally or use the services of various consultants or managed service providers?

    The answers to these questions will inform the first section of your cloud strategy. If you haven’t put much thought into this or think you could use a deep dive on the fundamentals of your cloud vision and cloud archetypes, consider reviewing Define Your Cloud Vision, the companion blueprint to this one.

    Once you understand your cloud vision and what you’re trying to accomplish with your cloud strategy, this phase will walk you through aligning the strategy with other strategic initiatives. What decisions have others made that will impact the cloud strategy (or that the cloud strategy will impact)? Who must be involved/informed? What callouts must be involved at what point? Do users have access to the appropriate strategic documentation (and would they understand it if they did)?

    You must also capture some guiding principles. A strategy by its nature provides direction, helping readers understand the decisions they should make and why those decisions align with organizational interests. Creating some top-level principles is a useful exercise because those principles facilitate comprehension and ensure the strategy’s applicability.

    Finally, this phase will walk you through the process of measuring success. Once you know where you’d like to go, the principles that underpin your direction, and how your cloud strategy figures into the broader strategic pantheon, you should record what success actually means. If you’re looking to save money, overall cost should be a metric you track. If the cloud is all about productivity, generate appropriate productivity metrics. If you’re looking to expand into new technology or close a datacenter, you will need to track output specific to those overall goals.

    Review: mission and vision

    The overall organizational mission is a key foundational element of the cloud strategy. If you don’t understand where you’re going, how can you begin the journey to get there? This section of the strategy has four key parts that you should understand and incorporate into the beginning of the strategy document. If you haven’t already, review Define Your Cloud Vision for instructions on how to generate these elements.

    1. Cloud vision statement: This is a succinct encapsulation of your overall perspective on the suitability of cloud services for your environment – what you hope to accomplish. The ideal statement includes a scope (who/what does the strategy impact?), a goal (what will it accomplish?), and a key differentiator (what will make it happen?). This is an example: “[Organization] will leverage public cloud solutions and retire existing datacenter and colocation facilities. This transition will simplify infrastructure administration, support and security, while modernizing legacy infrastructure and reducing the need for additional capital expenditure.” You might also consider reviewing your overall cloud archetype (next slide) and including the output of that exercise in the document

    2. Service model decision framework: Services can be provided as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), or they can be colocated or remain on premises. Not all cloud service models serve the same purpose or provide equal value in all circumstances. Understanding how you plan to take advantage of these distinct service models is an important component of the cloud strategy. In this section of the strategy, a rubric that captures the characteristics of the ideal workload for each of the named service models, along with some justification for the selection, is essential. This is a core component of Define Your Cloud Vision, and if you would like to analyze individual workloads, you can use the Cloud Vision Workbook for that purpose.

    3. Delivery model decision framework: Just as there are different cloud service models that have unique value propositions, there are several unique cloud delivery models as well, distinguished by ownership, operation, and customer base. Public clouds are the purview of third-party providers who make them available to paying customers. Private clouds are built for the exclusive use of a designated organization or group of organizations with internal clients to serve. Hybrid clouds involve the use of multiple, interoperable delivery models (interoperability is the key term here), while multi-cloud deployment models incorporate multiple delivery and service models into a single coherent strategy. What will your preferred delivery model be? Why?

    4. Support model decision framework: Once you have a service model nailed down and understand how you will execute on the delivery, the question then becomes about how you will support your cloud deployment going forward. Broadly speaking, you can choose to manage your deployment in house using internal resources (e.g. staff), to use managed service providers for ongoing support, or to hire consultants to handle specific projects/tasks. Each approach has its strengths and weaknesses, and many cloud customers will deploy multiple support models across time and different workloads. A foundational perspective on the support model is a key component of the cloud vision and should appear early in the strategy.

    Understand key cloud concepts: Archetype

    Once you understand the value of the cloud, your workloads’ general suitability for the cloud, and your proposed risks and mitigations, the next step is to define your cloud archetype. Your organization’s cloud archetype is the strategic posture that IT adopts to best support the organization’s goals. Info-Tech’s model recognizes seven archetypes, divided into three high-level archetypes. After consultation with your stakeholders, and based on the results of the suitability and risk assessment activities, define your archetype. The archetype feeds into the overall cloud vision and provides simple insight into the cloud future state for all stakeholders. The cloud vision itself is captured in a “vision statement,” a short summary of the overall approach that includes the overall cloud archetype.

    The image contains an arrow facing vertically up. The pointed end of the arrow is labelled more cloud, and the bottom of the arrow is labelled less cloud.

    We can best support the organization’s goals by:

    Cloud-Focused

    Cloud-Centric

    Providing all workloads through cloud delivery.

    Cloud-First

    Using the cloud as our default deployment model. For each workload, we should ask “why NOT cloud?”

    Cloud-Opportunistic

    Hybrid

    Enabling the ability to transition seamlessly between on-premises and cloud resources for many workloads.

    Integrated

    Combining cloud and traditional infrastructure resources, integrating data and applications through APIs or middleware.

    Split

    Using the cloud for some workloads and traditional infrastructure resources for others.

    Cloud-Averse

    Cloud-Light

    Using traditional infrastructure resources and limiting our use of the cloud to when it is absolutely necessary.

    Anti-Cloud

    Using traditional infrastructure resources and avoiding the use of cloud wherever possible.

    Enable Product Delivery – Executive Leadership Workshop

    • Buy Link or Shortcode: {j2store}353|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.
    • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This conflicts with product delivery, which continuously delivers value over the lifetime of a product.
    • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.

    Our Advice

    Critical Insight

    • Empowered product managers and product owners are the key to ensuring your delivery teams are delivering the right value at the right time to the right stakeholders.
    • Establishing operationally aligned product families helps bridge the gap between enterprise priorities and product enhancements.
    • Leadership must be aligned to empower and support Agile values and product teams to unlock the full value realization within your organization.

    Impact and Result

    • Common understanding of product management and Agile delivery.
    • Commitment to support and empower product teams.

    Enable Product Delivery – Executive Leadership Workshop Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enabling Product Delivery – Executive workshop to align senior leadership with their transition to product management and delivery.

    • Enabling Product Delivery – Executive Workshop Storyboard

    2. Enabling Product Delivery –Executive Workshop Outcomes.

    • Enabling Product Delivery – Executive Workshop Outcomes
    [infographic]

    Workshop: Enable Product Delivery – Executive Leadership Workshop

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understanding Your Top Challenges

    The Purpose

    Understand the drivers for your product transformation.

    Key Benefits Achieved

    Define the drivers for your transition to product-centric delivery.

    Activities

    1.1 What is driving your organization to become product focused?

    Outputs

    List of challenges and drivers

    2 Transitioning From Projects to Product-Centric Delivery

    The Purpose

    Understand the product transformation journey and differences.

    Key Benefits Achieved

    Identify the cultural, behavioral, and leadership changes needed for a successful transformation.

    Activities

    2.1 Define the differences between projects and product delivery

    Outputs

    List of differences

    3 Enterprise Agility and the Value of Change

    The Purpose

    Understand why smaller iterations increase value realization and decrease accumulated risk.

    Key Benefits Achieved

    Leverage smaller iterations to reduce time to value and accumulated risk to core operations.

    Activities

    3.1 What is business agility?

    Outputs

    Common understanding about the value of smaller iterations

    4 Defining Products and Product Management in Your Context

    The Purpose

    Establish an organizational starting definition of products.

    Key Benefits Achieved

    Tailor product management to meet the needs and vision of your organization.

    Activities

    4.1 What is a product? Who are your consumers?

    4.2 Identify enablers and blockers of product ownership

    4.3 Define a set of guiding principles for product management

    Outputs

    Product definition

    List of enablers and blockers of product ownership

    Set of guiding principles for product management

    5 Connecting Product Management to Agile Practices

    The Purpose

    Understand the relationship between product management and product delivery.

    Key Benefits Achieved

    Optimize product management to prioritize the right changes for the right people at the right time.

    Activities

    5.1 Discussions

    Outputs

    Common understanding

    6 Commit to Empowering Agile Product Teams

    The Purpose

    Personalize and commit to supporting product teams.

    Key Benefits Achieved

    Embrace leadership and cultural changes needed to empower and support teams.

    Activities

    6.1 Your management culture

    6.2 Personal Cultural Stop, Start, and Continue

    6.3 Now, Next, Later to support product owners

    Outputs

    Your management culture map

    Personal Cultural Stop, Start, and Continue list

    Now, Next, Later roadmap

    Further reading

    Enable Product Delivery – Executive Leadership Workshop

    Strengthen product management in your organization through effective executive leadership by focusing on product teams, core capabilities, and proper alignment.

    Objective of this workshop

    To develop a common understanding and foundation for product management so we, as leaders, better understand how to lead product owners, product managers, and their teams.

    Enable Product Delivery - Executive Leadership Workshop

    Learn how enterprise agility can provide lasting value to the organization

    Clarify your role in supporting your teams to deliver lasting value to stakeholders and customers

    1. Understanding Your Top Challenges
      • Define your challenges, goals, and opportunities Agile and product management will impact.
    2. Transitioning from Projects to Product-centric Delivery
      • Understand the shift from fixed delivery to continuous improvement and delivery of value.
    3. Enterprise Agility and the Value of Change
      • Organizations need to embrace change and leverage smaller delivery cycles.
    4. Defining Your "Products" and Product Management
      • Define products in your culture and how to empower product delivery teams.
    5. Connecting Product Management to Agile Practices
      • Use product ownership to drive increased ROI into your product delivery teams and lifecycles.
    6. Commit to Empowering Agile Product Teams
      • Define the actions and changes you must make for this transformation to be successful.

    Your Product Transformation Journey

    1. Make the Case for Product Delivery
      • Align your organization with the practices to deliver what matters most
    2. Enable Product Delivery – Executive Workshop
      • One-day executive workshop – align and prepare your leadership
      • Audience: Senior executives and IT leadership.
        Size: 8-16 people
        Time: 6 hours
    3. Deliver on Your Digital Product Vision
      • Enhance product backlogs, roadmapping, and strategic alignment
      • Audience: Product Owners/Mangers
        Size: 10-20 people
        Time: 3-4 days
    4. Deliver Your Digital Products at Scale
      • Scale Product Families to Align Enterprise Goals
      • Audience: Product Owners/Mangers
        Size: 10-20 people
        Time: 3-4 days
    5. Mature and Scale Product Ownership
      • Align and mature your product owners
      • Audience: Product Owners/Mangers
        Size: 8-16 people
        Time: 2-4 days

    Repeat workshops with different companies, operating units, departments, or teams as needed.

    What is a workshop?

    We WILL ENGAGE in discussions and activities:

    • Flexible, to accommodate the needs of the group.
    • Open forum for discussion and questions.
    • Share your knowledge, expertise, and experiences (roadblocks and success stories).
    • Everyone is part of the process.
    • Builds upon itself.

    This workshop will NOT be:

    • A lecture or class.
    • A monologue that never ends.
    • Technical training.
    • A presentation.
    • Us making all the decisions.

    Roles within the workshop

    We each have a role to play to make our workshop successful!

    Facilitators

    • Introduce the best practice framework used by Info-Tech.
    • Ask questions about processes, procedures, and assumptions.
    • Guide for the methodology.
    • Liaison for any other relevant Info-Tech research or services.

    Participants

    • Contribute and speak out as much as needed.
    • Provide expertise on the current processes and technology.
    • Ask questions.
    • Provide feedback.
    • Collaborate and work together to produce solutions.

    Understanding Your Top Challenges

    • Understanding Your Top Challenges
    • Transitioning From Projects to Product-Centric Delivery
    • Enterprise Agility and the Value of Change
    • Defining Your Products and Product Management
    • Connecting Product Management to Agile Practices
    • Commit to Empowering Agile Product Teams
    • Wrap-Up and Retrospective

    Executive Summary

    Your Challenge

    • Products are the lifeblood of an organization. They deliver the capabilities needed to deliver value to customers, internal users, and stakeholders.
    • The shift to becoming a product organization is intended to continually increase the value you provide to the broader organization as you grow and evolve.
    • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.

    Common Obstacles

    • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This conflicts with product delivery, which continuously delivers value over the lifetime of a product.
    • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.
    • Product owners struggle to prioritize changes to deliver product value. This creates a gap and conflict between product and enterprise goals.

    Info-Tech's Approach

    Info-Tech's approach will guide you through:

    • Understanding the top challenges driving your product initiative.
    • Improving your transitioning from projects to product-centric delivery.
    • Enhancing enterprise agility and the value of change.
    • Defining products and product management in your context.
    • Connecting product management to Agile practices.
    • Committing to empowering Agile Product teams.
    This is an image of an Info-Tech Thought Map for Accelerate Your Transition to Product Delivery
    This is an image of an Info-Tech Thought Map for Delier on your Digital Product Vision
    This is an image of an Info-Tech Thought Map for Deliver Digital Products at Scale via Enterprise Product Families.
    This is an image of an Info-Tech Thought Map for What We Mean by an Applcation Department Strategy.

    What is driving your organization to become product focused?

    30 minutes

    • Team introductions:
      • Share your name and role
      • What are the key challenges you are looking to solve around product management?
      • What blockers or challenges will we need to overcome?

    Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.

    Input

    • Organizational knowledge
    • Goals and challenges

    Output

    • List of key challenges
    • List of workshop expectations
    • Parking lot items

    Transitioning From Projects to Product-Centric Delivery

    • Understanding Your Top Challenges
    • Transitioning From Projects to Product-Centric Delivery
    • Enterprise Agility and the Value of Change
    • Defining Your Products and Product Management
    • Connecting Product Management to Agile Practices
    • Commit to Empowering Agile Product Teams
    • Wrap-Up and Retrospective

    Define the differences between projects and product delivery

    30 minutes

    • Consider project delivery and product delivery.
    • Discussion:
      • What are some differences between the two?

    Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.

    Input

    • Organizational knowledge
    • Internal terms and definitions

    Output

    • List of differences between projects and product delivery

    Define the differences between projects and product delivery

    15 minutes

    Project Delivery

    vs

    Product Delivery

    Point in time

    What is changed

    Method of funding changes

    Needs an owner

    Input

    • Organizational knowledge
    • Internal terms and definitions

    Output

    • List of differences between projects and product delivery

    Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.

    Identify the differences between a project-centric and a product-centric organization

    Project

    Product

    Fund Projects

    Funding

    Fund Products or Teams

    Line of Business Sponsor

    Prioritization

    Product Owner

    Makes Specific Changes
    to a Product

    Product Management

    Improve Product Maturity
    and Support

    Assign People to Work

    Work Allocation

    Assign Work
    to Product Teams

    Project Manager Manages

    Capacity Management

    Team Manages Capacity

    Info-Tech Insight

    Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end user value and enterprise alignment.

    Projects can be a mechanism for funding product changes and improvements

    This is an image showing the relationship between the project lifecycle, a hybrid lifecycle, and a product lifecycle.

    Projects within products

    Regardless of whether you recognize yourself as a "product-based" or "project-based" shop, the same basic principles should apply.

    You go through a period or periods of project-like development to build a version of an application or product.

    You also have parallel services along with your project development, which encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.

    While Agile and product are intertwined, they are not the same!

    Delivering products does not necessarily require an Agile mindset. However, Agile methods help facilitate the journey because product thinking is baked into them.

    This image shows the product delivery maturity process from waterfall to continuous integration and delivery.

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    This is an image adapted from Pichler, What is Product Management.

    Adapted from: Pichler, "What Is Product Management?"

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    The First 100 Days as CISO

    • Buy Link or Shortcode: {j2store}248|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: 50 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Make a good first impression at your new job.
    • Obtain guidance on how you should approach the first 100 days.
    • Assess the current state of the security program and recommend areas of improvement and possible solutions.
    • Develop a high-level security strategy in three months.

    Our Advice

    Critical Insight

    • Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, however, the approach to the new position will be relatively the same.
    • Eighty percent of your time will be spent listening. The first 100 days of the CISO role is an information gathering exercise that will involve several conversations with different stakeholders and business divisions. Leverage this collaborative time to understand the business, its internal and external operations, and its people. Unequivocally, active listening will build company trust and help you to build an information security vision that reflects that of the business strategy.
    • Start “working” before you actually start the job. This involves finding out as much information about the company before officially being an employee. Investigate the company website and leverage available organizational documents and initial discussions to better understand your employer’s leadership, company culture ,and business model.

    Impact and Result

    • Hit the ground running with Info-Tech’s ready-made agenda vetted by CISO professionals to impress your colleagues and superiors.
    • Gather details needed to understand the organization (i.e. people, process, technology) and determine the current state of the security program.
    • Track and assess high-level security gaps using Info-Tech’s diagnostic tools and compare yourself to your industry’s vertical using benchmarking data.
    • Deliver an executive presentation that shows key findings obtained from your security evaluation.

    The First 100 Days as CISO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why the first 100 days of being a CISO is a crucial time to be strategic. Review Info-Tech’s methodology and discover our five-step approach to CISO success.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare

    Review previous communications to prepare for your first day.

    • CISO Diary
    • Introduction Sheet

    2. Build relationships

    Understand how the business operates and develop meaningful relationships with your sphere of influence.

    3. Inventory components of the business

    Inventory company assets to know what to protect.

    4. Assess security posture

    Evaluate the security posture of the organization by leveraging Info-Tech’s IT Security diagnostic program.

    • Diagnostic Benchmarks: Security Governance & Management Scorecard
    • Diagnostic Benchmarks: Security Business Satisfaction Report

    5. Deliver plan

    Communicate your security vision to business stakeholders.

    • The First 100 Days as CISO Executive Presentation Template
    • The First 100 Days as CISO Executive Presentation Example
    [infographic]

    Data Architecture

    • Buy Link or Shortcode: {j2store}17|cart{/j2store}
    • Related Products: {j2store}17|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.5/10
    • member rating average dollars saved: $30,159
    • member rating average days saved: 5
    • Parent Category Name: Data and Business Intelligence
    • Parent Category Link: /data-and-business-intelligence
    Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice

    Cost-Reduction Planning for IT Vendors

    • Buy Link or Shortcode: {j2store}73|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $12,733 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Cost & Budget Management
    • Parent Category Link: /cost-and-budget-management
    • Unprecedented health and economic conditions are putting extreme pressure and controls on expense management.
    • IT needs to implement proactive measures to reduce costs with immediate results.
    • IT must sustain these reductions beyond the near term since no one knows how long the current conditions will last.

    Our Advice

    Critical Insight

    • Proactively initiating a “War on Waste” (WoW) to reduce the expenses and costs in areas that do not impact operational capabilities of IT is an easy way to reduce IT expenditures.
    • This is accomplished by following the principle “Stop Doing Stupid Stuff” (SDSS), which many organizations deemphasize or overlook during times of growth and prosperity.
    • Initiating a WoW and SDSS program with passion, creativity, and urgency will deliver short-term cost reductions.

    Impact and Result

    • Pinpoint and implement tactical countermeasures and savings opportunities to reduce costs immediately (Reactive: <3 months).
    • Identify and deploy proven practices to capture and sustain expense reduction throughout the mid-term (Proactive: 3-12months).
    • Create a long-term strategy to improve flexibility, make changes more swiftly, and quickly generate cost-cutting opportunities (Strategic: >12 months).
    • Use Info-Tech’s 4 R’s Framework (Required, Removed, Rescheduled, and Reduced) and guiding principles to develop your cost-reduction roadmap.

    Cost-Reduction Planning for IT Vendors Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start here – read the Storyboard

    Read our concise Executive Brief to find out how you can reduce your IT cost in the short term while establishing a foundation for long-term sustainment of IT cost containment.

    • Cost-Reduction Planning for IT Vendors Storyboard
    • Cost-Cutting Classification and Prioritization Tool
    [infographic]

    Design and Build an Effective Contract Lifecycle Management Process

    • Buy Link or Shortcode: {j2store}214|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $5,039 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Your vendor contracts are unorganized and held in various cabinets and network shares. There is no consolidated list or view of all the agreements, and some are misplaced or lost as coworkers leave.
    • The contract process takes a long time to complete. Coworkers are unsure who should be reviewing and approving them.
    • You are concerned that you are not getting favorable terms with your vendors and not complying with your agreement commitments.
    • You are unsure what risks your organization could be exposed to in your IT vendor contacts. These could be financial, legal, or security risks and/or compliance requirements.

    Our Advice

    Critical Insight

    • Focus on what’s best for you. There are two phases to CLM. All stages within those phases are important, but choose to improve the phase that can be most beneficial to your organization in the short term. However, be sure to include reviewing risk and monitoring compliance.
    • Educate yourself. Understand the stages of CLM and how each step can rely on the previous one, like a stepping-stone model to success.
    • Consider the overall picture. Contract lifecycle management is the sum of many processes designed to manage contracts end to end while reducing corporate risk, improving financial savings, and managing agreement obligations. It can take time to get CLM organized and working efficiently, but then it will show its ROI and continuously improve.

    Impact and Result

    • Understand how to identify and mitigate risk to save the organization time and money.
    • Gain the knowledge required to implement a CLM that will be beneficial to all business units.
    • Achieve measurable savings in contract time processing, financial risk avoidance, and dollar savings.
    • Effectively review, store, manage, comply with, and renew agreements with a collaborative process

    Design and Build an Effective Contract Lifecycle Management Process Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a contract management system will save money and time and mitigate contract risk, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Master the operational framework of contract lifecycle management.

    Understand how the basic operational framework of CLM will ensure cost savings, improved collaboration, and constant CLM improvement.

    • Design and Build an Effective Contract Lifecycle Management Process – Phase 1: Master the Operational Framework of CLM
    • Existing CLM Process Worksheet
    • Contract Manager

    2. Understand the ten stages of contract lifecycle management.

    Understand the two phases of CLM and the ten stages that make up the entire process.

    • Design and Build an Effective Contract Lifecycle Management Process – Phase 2: Understand the Ten Stages of CLM
    • CLM Maturity Assessment Tool
    • CLM RASCI Diagram
    [infographic]

    Workshop: Design and Build an Effective Contract Lifecycle Management Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Your CLM Process and Learn the Basics

    The Purpose

    Identify current CLM processes.

    Learn the CLM operational framework.

    Key Benefits Achieved

    Documented overview of current processes and stakeholders.

    Activities

    1.1 Review and capture your current process.

    1.2 Identify current stakeholders.

    1.3 Learn the operational framework of CLM.

    1.4 Identify current process gaps.

    Outputs

    Existing CLM Process Worksheet

    2 Learn More and Plan

    The Purpose

    Dive into the two phases of CLM and the ten stages of a robust system.

    Key Benefits Achieved

    A deep understanding of the required components/stages of a CLM system.

    Activities

    2.1 Understand the two phases of CLM.

    2.2 Learn the ten stages of CLM.

    2.3 Assess your CLM maturity state.

    2.4 Identify and assign stakeholders.

    Outputs

    CLM Maturity Assessment

    CLM RASCI Diagram

    Further reading

    Design and Build an Effective Contract Lifecycle Management Process

    Mitigate risk and drive value through robust best practices for contract lifecycle management.

    Our understanding of the problem

    This Research Is Designed For:

    • The CIO who depends on numerous key vendors for services
    • The CIO or Project Manager who wants to maximize the value delivered by vendors
    • The Director or Manager of an existing IT procurement or vendor management team
    • The Contracts Manager or Legal Counsel whose IT department holds responsibility for contracts, negotiation, and administration

    This Research Will Help You:

    • Implement and streamline the contract management process, policies, and procedures
    • Baseline and benchmark existing contract processes
    • Understand the importance and value of contract lifecycle management (CLM)
    • Minimize risk, save time, and maximize savings with vendor contracts

    This Research Will Also Assist

    • IT Service Managers
    • IT Procurement
    • Contract teams
    • Finance and Legal departments
    • Senior IT leadership

    This Research Will Help Them

    • Understand the required components of a CLM
    • Establish the current CLM maturity level
    • Implement a new CLM process
    • Improve on an existing or disparate process

    ANALYST PERSPECTIVE

    "Contract lifecycle management (CLM) is a vital process for small and enterprise organizations alike. Research shows that all organizations can benefit from a contract management process, whether they have as few as 25 contracts or especially if they have contracts numbering in the hundreds.

    A CLM system will:

    • Save valuable time in the entire cycle of contract/agreement processes.
    • Save the organization money, both hard and soft dollars.
    • Mitigate risk to the organization.
    • Avoid loss of revenue.

    If you’re not managing your contracts, you aren’t capitalizing on your investment with your vendors and are potentially exposing your organization to contract and monetary risk."

    - Ted Walker
    Principal Research Advisor, Vendor Management Practice
    Info-Tech Research Group

    Executive Summary

    Situation

    • Most organizations have vendor overload and even worse, no defined process to manage the associated contracts and agreements. To manage contracts, some vendor management offices (VMOs) use a shared network drive to store the contracts and a spreadsheet to catalog and manage them. Yet other less-mature VMOs may just rely on a file cabinet in Procurement and a reminder in someone’s calendar about renewals. These disparate processes likely cost your organization time spent finding, managing, and renewing contracts, not to mention potential increases in vendor costs and risk and the inability to track contract obligations.

    Complication

    • Contract lifecycle management (CLM) is not an IT buzzword, and it’s rarely on the top-ten list of CIO concerns in most annual surveys. Until a VMO gets to a level of maturity that can fully develop a CLM and afford the time and costs of doing so, there can be several challenges to developing even the basic processes required to store, manage, and renew IT vendor contracts. As is always an issue in IT, budget is one of the biggest obstacles in implementing a standard CLM process. Until senior leadership realizes that a CLM process can save time, money, and risk, getting mindshare and funding commitment will remain a challenge.

    Resolution

    • Understand the immediate benefits of a CLM process – even a basic CLM implementation can provide significant cost savings to the organization; reduce time spent on creating, negotiating, and renewing contracts; and help identify and mitigate risks within your vendor contracts.
    • Budgets don’t always need to be a barrier to a standard CLM process. However, a robust CLM system can provide significant savings to the organization.

    Info-Tech Insight

    • If you aren’t managing your contracts, you aren’t capitalizing on your investments.
    • Even a basic CLM process with efficient procedures will provide savings and benefits.
    • Not having a CLM process may be costing your organization money, time, and exposure to unmitigated risk.

    What you can gain from this blueprint

    Why Create a CLM

    • Improved contract organization
    • Centralized and manageable storage/archives
    • Improved vendor compliance
    • Risk mitigation
    • Reduced potential loss of revenue

    Knowledge Gained

    • Understanding of the value and importance of a CLM
    • How CLM can impact many departments within the organization
    • Who should be involved in the CLM steps and processes
    • Why a CLM is important to your organization
    • How to save time and money by maximizing IT vendor contracts
    • How basic CLM policies and procedures can be implemented without costly software expenditure

    The Outcome

    • A foundation for a CLM with best-practice processes
    • Reduced exposure to potential risks within vendor contracts
    • Maximized savings with primary vendors
    • Vendor compliance and corporate governance
    • Collaboration, transparency, and integration with business units

    Contract management: A case study

    CASE STUDY
    Industry Finance and Banking
    Source Apttus

    FIS Global

    The Challenge

    FIS’ business groups were isolated across the organization and used different agreements, making contract creation a long, difficult, and manual process.

    • Customers frustrated by slow and complicated contracting process
    • Manual contract creation and approval processes
    • Sensitive contract data that lacked secure storage
    • Multiple agreements managed across divisions
    • Lack of central repository for past contracts
    • Inconsistent and inaccessible

    The Solution: Automating and Streamlining the Contract Management Process

    A robust CLM system solved FIS’ various contract management needs while also providing a solution that could expand into full quote-to cash in the future.

    • Contract lifecycle management (CLM)
    • Intelligent workflow approvals (IWA)
    • X-Author for Excel

    Customer Results

    • 75% cycle time reduction
    • $1M saved in admin costs per year
    • 49% increase in sales proposal volume
    • Automation on one standard platform and solution
    • 55% stronger compliance management
    • Easy maintenance for various templates
    • Ability to quickly absorb new contracts and processes via FIS’s ongoing acquisitions

    Track the impact of CLM with these metrics

    Dollars Saved

    Upfront dollars saved

    • Potential dollars saved from avoiding unfavorable terms and conditions
    • Incentives that encourage the vendor to act in the customer’s best interest
    • Secured commitments to provide specified products and services at firm prices
    • Cost savings related to audits, penalties, and back support
    • Savings from discounts found

    Time Saved

    Time saved, which can be done in several areas

    • Defined and automated approval flow process
    • Preapproved contract templates with corporate terms
    • Reduced negotiation times
    • Locate contracts in minutes

    Pitfalls Avoided

    Number of pitfalls found and avoided, such as

    • Auto-renewal
    • Inconsistencies between sections and documents
    • Security and data not being deleted upon termination
    • Improper licensing

    The numbers are compelling

    71%

    of companies can’t locate up to 10% of their contracts.

    Source: TechnologyAdvice, 2019

    9.2%

    of companies’ annual revenue is lost because of poor contract management practices.

    Source: IACCM, 2019

    60%

    still track contracts in shared drives or email folders.

    Source: “State of Contract Management,” SpringCM, 2018

    CLM blueprint objectives

    • To provide a best-practice process for managing IT vendor contract lifecycles through a framework that organizes from the core, analyzes each step in the cycle, has collaboration and governance attached to each step, and integrates with established vendor management practices within your organization.
    • CLM doesn’t have to be an expensive managed database system in the cloud with fancy dashboards. As long as you have a defined process that has the framework steps and is followed by the organization, this will provide basic CLM and save the organization time and money over a short period of time.
    • This blueprint will not delve into the many vendors or providers of CLM solutions and their methodologies. However, we will discuss briefly how to use our framework and contract stages in evaluating a potential solution that you may be considering.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Design and Build an Effective CLM Process – project overview

    1. Master the Operational Framework

    2. Understand the Ten Stages of CLM

    Best-Practice Toolkit

    1.1 Understand the operational framework components.

    1.2 Review your current framework.

    1.3 Create a plan to implement or enhance existing processes.

    2.1 Understand the ten stages of CLM.

    2.2 Review and document your current processes.

    2.3 Review RASCI chart and assign internal ownership.

    2.4 Create an improvement plan.

    2.5 Track changes for measurable ROI.

    Guided Implementations
    • Review existing processes.
    • Understand what CLM is and why the framework is essential.
    • Create an implementation or improvement plan.
    • Review the ten stages of CLM.
    • Complete CLM Maturity Assessment.
    • Create a plan to target improvement.
    • Track progress to measure savings.
    Onsite Workshop

    Module 1: Review and Learn the Basics

    • Review and capture your current processes.
    • Learn the basic operational framework of contract management.

    Module 2 Results:

    • Understand the ten stages of effective CLM.
    • Create an improvement or implementation plan.
    Phase 1 Outcome:
    • A full understanding of what makes a comprehensive contract management system.
    Phase 2 Outcome:
    • A full understanding of your current CLM processes and where to focus your efforts for improvement or implementation.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2
    Activities

    Task – Review and Learn the Basics

    Task – Learn More and Plan

    1.1 Review and capture your current process.

    1.2 Identify current stakeholders.

    1.3 Learn the operational framework of contract lifecycle management.

    1.4 Identify current process gaps.

    2.1 Understand the two phases of CLM.

    2.2 Learn the ten stages of CLM.

    2.3 Assess your CLM maturity.

    2.4 Identify and assign stakeholders.

    2.5 Discuss ROI.

    2.6 Summarize and next steps.

    Deliverables
    1. Internal interviews with business units
    2. Existing CLM Process Worksheet
    1. CLM Maturity Assessment
    2. RASCI Diagram
    3. Improvement Action Plan

    PHASE 1

    Master the Operational Framework of Contract Lifecycle Management

    Design and Build an Effective CLM Process

    Phase 1: Master the Operational Framework of Contract Lifecycle Management

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of
    2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Master the Operational Framework of Contract Lifecycle Management
    Proposed Time to Completion: 1-4 weeks

    Step 1.1: Document your Current CLM Process

    Step 1.2: Read and Understand the Operational Framework

    Step 1.3: Review Solution Options

    Start with an analyst kick-off call:

    • Understand what your current process(es) is for each stage
    • Do a probative review of any current processes
    • Interview stakeholders for input

    Review findings with analyst:

    • Discuss the importance of the framework as the core of your plan
    • Review the gaps in your existing process
    • Understand how to prioritize next steps towards a CLM

    Finalize phase deliverable:

    • Establish ownership of the framework
    • Prioritize improvement areas or map out how your new CLM will look

    Then complete these activities…

    • Document the details of your process for each stage of CLM

    With these tools & templates:

    • Existing CLM Process Worksheet

    Phase 1 Results:

    • A full understanding of what makes a comprehensive contract management system.

    What Is Contract Lifecycle Management?

    • Every contract has a lifecycle, from creation to time and usage to expiration. Organizations using a legacy or manual contract management process usually ask, “What is contract lifecycle management and how will it benefit my business?”
    • Contract lifecycle management (CLM) creates a process that manages each contract or agreement. CLM eases the challenges of managing hundreds or even thousands of important business and IT contracts that affect the day-to-day business and could expose the organization to vendor risk.
    • Managing a few contracts is quite easy, but as the number of contracts grows, managing each step for each contract becomes increasingly difficult. Ultimately, it will get to a point where managing contracts properly becomes very difficult or seemingly impossible.

    That’s where contract lifecycle management (CLM) comes in.

    CLM can save money and improve revenue by:

    • Improving accuracy and decreasing errors through standardized contract templates and approved terms and conditions that will reduce repetitive tasks.
    • Securing contracts and processes through centralized software storage, minimizing risk of lost or misplaced contracts due to changes in physical assets like hard drives, network shares, and file cabinets.
    • Using policies and procedures that standardize, organize, track, and optimize IT contracts, eliminating time spent on creation, approvals, errors, and vendor compliance.
    • Reducing the organization’s exposure to risks and liability.
    • Having contracts renewed on time without penalties and with the most favorable terms for the business.

    The Operational Framework of Contract Lifecycle Management

    Four Components of the Operational Framework

    1. Organization
    2. Analysis
    3. Collaboration and Governance
    4. Integration/Vendor Management
    • By organizing at the core of the process and then analyzing each stage, you will maximize each step of the CLM process and ensure long-term contract management for the organization.
    • Collaboration and governance as overarching policies for the system will provide accountability to stakeholders and business units.
    • Integration and vendor management are encompassing features in a well-developed CLM that add visibility, additional value, and savings to the entire organization.

    Info-Tech Best Practice

    Putting a contract manager in place to manage the CLM project will accelerate the improvements and provide faster returns to the organizations. Reference Info-Tech’s Contract Manager Job Description template as needed.

    The operational framework is key to the success, return on investment (ROI), cost savings, and customer satisfaction of a CLM process.

    This image depicts Info-Tech's Operational Framework.  It consists of a series of five concentric circles, with each circle a different colour.  On the outer circle, is the word Integration.  The next outermost circle has the words Collaboration and Governance.  The next circle has no words, the next circle has the word Analysis, and the very centre circle has the word Organization.

    1. Organization

    • Every enterprise needs to organize its contract documents and data in a central repository so that everyone knows where to find the golden source of contractual truth.
    • This includes:
      • A repository for storing and organizing contract documents.
      • A data dictionary for describing the terms and conditions in a consistent, normalized way.
      • A database for persistent data storage.
      • An object model that tracks changes to the contract and its prevailing terms over time.

    Info-Tech Insight

    Paper is still alive and doing very well at slowing down the many stages of the contract process.

    2. Analysis

    Most organizations analyze their contracts in two ways:

    • First, they use reporting, search, and analytics to reveal risky and toxic terms so that appropriate operational strategies can be implemented to eliminate, mitigate, or transfer the risk.
    • Second, they use process analytics to reveal bottlenecks and points of friction as contracts are created, approved, and negotiated.

    3. Collaboration

    • Throughout the contract lifecycle, teams must collaborate on tasks both pre-execution and post-execution.
    • This includes document collaboration among several different departments across an enterprise.
    • The challenge is to make the collaboration smooth and transparent to avoid costly mistakes.
    • For some contracting tasks, especially in regulated industries, a high degree of control is required.
    • In these scenarios, the organization must implement controlled systems that restrict access to certain types of data and processes backed up with robust audit trails.

    4. Integration

    • For complete visibility into operational responsibilities, relationships, and risk, an organization must integrate its golden contract data with other systems of record.
    • An enterprise contracts platform must therefore provide a rich set of APIs and connectors so that information can be pushed into or pulled from systems for enterprise resource planning (ERP), customer relationship management (CRM), supplier relationship management (SRM), document management, etc.

    This is the ultimate goal of a robust contract management system!

    Member Activity: Document Current CLM Processes

    1.1 Completion Time: 1-5 days

    Goal: Document your existing CLM processes (if any) and who owns them, who manages them, etc.

    Instructions

    Interview internal business unit decision makers, stakeholders, Finance, Legal, CIO, VMO, Sales, and/or Procurement to understand what’s currently in place.

    1. Use the Existing CLM Process Worksheet to capture and document current CLM processes.
    2. Establish what processes, procedures, policies, and workflows, if any, are in place for pre-execution (Phase 1) contract stages.
    3. Do the same for post-execution (Phase 2) stages.
    4. Use this worksheet as reference for assessments and as a benchmark for improvement review six to 12 months later.
    This image contains a screenshot of Info-Tech's Existing CLM Process Discovery Worksheet

    INPUT

    • Internal information from all CLM stakeholders

    OUTPUT

    • A summary of processes and owners currently in place

    Materials

    • Existing CLM processes from interviews

    Participants

    • Finance, Legal, CIO, VMO, Sales, Procurement

    PHASE 2

    Understand the Ten Stages of Contract Lifecycle Management

    Design and Build an Effective CLM Process

    Phase 1: Master the Operational Framework of Contract Lifecycle Management

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of
    2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Understand the Ten Stages of Contract Lifecycle Management

    Proposed Time to Completion: 1-10 weeks

    Step 2.1: Assess CLM Maturity

    Step 2.2: Complete a RASCI Diagram

    Start with an analyst kick-off call:

    • Review the importance of assessing the maturity of your current CLM processes
    • Discuss interview process for internal stakeholders
    • Use data from the Existing CLM Process Worksheet

    Review findings with analyst:

    • Review your maturity results
    • Identify stages that require immediate improvement
    • Prioritize improvement or implementation of process

    Then complete these activities…

    • Work through the maturity assessment process
    • Answer the questions in the assessment tool
    • Review the summary tab to learn where to focus improvement efforts

    Then complete these activities…

    • Using maturity assessment and existing process data, establish ownership for each process stage
    • Fill in the RASCI Chart based on internal review or existing processes

    With these tools & templates:

    • CLM Maturity Assessment Tool

    With these tools & templates:

    • CLM RASCI Diagram

    Phase 2 Results & Insights:

    • A full understanding of your current CLM process and where improvement is required
    • A mapping of stakeholders for each stage of the CLM process

    The Ten Stages of Contract Lifecycle Management

    There are ten key stages of contract lifecycle management.

    The steps are divided into two phases, pre-execution and post-execution.

      Pre-Execution (Phase 1)

    1. Request
    2. Create
    3. Review Risk
    4. Approve
    5. Negotiate
    6. Sign
    7. Post-Execution (Phase 2)

    8. Capture
    9. Manage
    10. Monitor Compliance
    11. Optimize

    Ten Process Stages Within the CLM Framework

    This image contains the CLM framework from earlier in the presentation, with the addition of the following ten steps: 1. Request; 2. Create Contract; 3. Review Risk; 4. Approve; 5. Negotiate; 6. Sign; 7. Capture; 8. Manage; 9. Monitor Compliance; 10. Optimize.

    Stage 1: Request or Initiate

    Contract lifecycle management begins with the contract requesting process, where one party requests for or initiates the contracting process and subsequently uses that information for drafting or authoring the contract document. This is usually the first step in CLM.

    Requests for contracts can come from various sources:

    • Business units within the organization
    • Vendors presenting their contract, including renewal agreements
    • System- or process-generated requests for renewal or extension

    At this stage, you need to validate if a non-disclosure agreement (NDA) is currently in place with the other party or is required before moving forward. At times, adequate NDA components could be included within the contract or agreement to satisfy corporate confidentiality requirements.

    Stage 1: Request or Initiate

    Stage Input

    • Information about what the contract needs to contain, such as critical dates, term length, coverage, milestones, etc.
    • Some organizations require that justification and budget approval be provided at this stage.
    • Request could come from a vendor as a pre-created contract.
    • Best practices recommend that a contract request form or template is used to standardize all required information.

    Stage Output

    • Completed request form, stored or posted with all details required to move forward to risk review and contract creation.
    • Possible audit trails.

    Stage 2: Create Contract

    • At the creation or drafting stage, the document is created, generated, or provided by the vendor. The document will contain all clauses, scope, terms and conditions, and pricing as required.
    • In some cases, a vendor-presented contract that is already prepared will go through an internal review or redlining process by the business unit and/or Legal.
    • Both internal and external review and redlining are included in this stage.
    • Also at this stage, the approvers and signing authorities are identified and added to the contract. In addition, some audit trail features may be added.

    Info-Tech Best Practice

    For a comprehensive list of terms and conditions, see our Software Terms & Conditions Evaluation Tool within Master Contract Review and Negotiation for Software Agreements.

    Stage 2: Create Contract

    Stage Input

    • Contract request form, risk review/assessment.
    • Vendor- or contractor-provided contract/agreement, either soft copy, electronic form, or more frequently, “clickwrap” web-posted document.
    • Could also include a renewal notification from a vendor or from the CLM system or admin.

    Stage Output

    • Completed draft contract or agreement, typically in a Microsoft Word or Adobe PDF format with audit trail or comment tracking.
    • Redlined document for additional revision and or acceptance.
    • Amendment or addendum to existing contract.

    Stage 3: Review Risk 1 of 2

    The importance of risk review can not be understated. The contract or agreement must be reviewed by several stakeholders who can identify risks to the organization within the contract.

    Three important definitions:

    1. Risk is the potential for a negative outcome. A risk is crossing the street while wearing headphones and selecting the next track to play on your smartphone. A negative outcome is getting hit by an oncoming person who, unremarkably, was doing something similar at the same time.
    2. Risk mitigation is about taking the steps necessary to minimize both the likelihood of a risk occurring – look around both before and while crossing the street – and its impact if it does occur – fall if you must, but save the smartphone!
    3. Contract risk is about any number of situations that can cause a contract to fail, from trivially – the supplier delivers needed goods late – to catastrophically – the supplier goes out of business without having delivered your long-delayed orders.

    Stage 3: Review Risk 2 of 2

    • Contracts must be reviewed for business terms and conditions, potential risk situations from a financial or legal perspective, business commitments or obligations, and any operational concerns.
    • Mitigating contract risk requires a good understanding of what contracts are in place, how important they are to the success of the organization, and what data they contain.

    Collectively, this is known as contract visibility.

    • Risk avoidance and mitigation are also a key component in the ROI of a CLM system and should be tracked for analysis.
    • Risk-identifying forms or templates can be used to maintain consistency with corporate standards.

    Stage 3: Review Risk

    Stage Input

    • All details of the proposed contract so that a proper risk analysis can be done as well as appropriate review with stakeholders, including:
      • Finance
      • Legal
      • Procurement
      • Security
      • Line-of-business owner
      • IT stakeholders

    Stage Output

    • A list of identified concerns that could expose the business unit or organization.
    • Recommendations to minimize or eliminate identified risks.

    Stage 4: Approve

    The approval stage can be a short process if policies and procedures are already in place. Most organizations will have defined delegation of authority or approval authority depending on risk, value of the contract, and other corporate considerations.

    • Defined approval levels should be known within the organization and can be applied to the approval workflow, expediting the approval of drafted terms, conditions, changes, and cost/spend within the contract internally.
    • Tracking and flexibility needs to considered in the approval process.
    • Gates need to be in place to ensure that a required approver has approved the contract before it moves to the next approver.
    • Flexibility is needed in some situations for ad hoc approval tasks and should include audit trail as required.
    • Approvers can include business units, Finance, Legal, Security, and C-level leaders

    Stage 4: Approve

    Stage Input

    • Complete draft contract with all terms and conditions (T&Cs) and approval trail.
    • Amendment or addendum to existing contract.

    Stage Output

    • Approved draft contract ready to move to the next step of negotiating with the vendor.
    • Approved amendment or addendum to existing or renewal agreement.

    Stage 5: Negotiate

    • At this stage, there should be an approved draft of the contract that can be presented to the other party or vendor for review.
    • Typically organizations will negotiate their larger deals for terms and conditions with the goal of balancing the contractual allocation of risk with the importance of the vendor or agreement and its value to the business.
    • Several people on either side are typically involved and will discuss legal and commercial terms of the contract. Throughout the process, negotiators may leverage a variety of tools, including playbooks with preferred and fallback positions, clause libraries, document redlines and comparisons, and issue lists.
    • Audit trails or tracking of changes and acceptances is an important part of this stage. Tracking will avoid duplication and lost or missed changes and will speed up the entire process.
    • A final, clean document is created at this point and readied for execution.

    Stage 5: Negotiate

    Stage Input

    • Approved draft contract ready to move to the next step of negotiating with the vendor.
    • Approved amendment or addendum to existing or renewal agreement.

    Stage Output

    • A finalized and approved contract or amendment with agreed-upon terms and conditions ready for signatures.

    Info-Tech Insight

    Saving the different versions of a contract during negotiations will save time, provide reassurance of agreed terms as you move through the process, and provide reference for future negotiations with the vendor.

    Stage 6: Sign or Execute

    • At this stage in the process, all the heavy lifting in a contract’s creation is complete. Now it’s signature time.
    • To finalize the agreement, both parties need to the sign the final document. This can be done by an in-person wet ink signature or by what is becoming more prevalent, digital signature through an e-signature process.
    • Once complete, the final executed documents are exchanged or received electronically and then retained by each party.

    Stage 6: Sign or Execute

    Stage Input

    • A finalized and approved contract or amendment with agreed-upon terms and conditions ready for signatures.

    Stage Output

    • An executed contract or amendment ready to move to the next stage of CLM, capturing in the repository.

    Info-Tech Best Practice

    Process flow provisions should made for potential rejection of the contract by signatories, looping the contract back to the appropriate stage for rework or revision.

    Stage 7: Capture in Database/Repository 1 of 2

    • This is one of the most important stages of a CLM process. Executed agreements need to be stored in a single manageable, searchable, reportable, and centralized repository.
    • All documents should to be captured electronically, reviewed for accuracy, and then posted to the CLM repository.
    • The repository can be in various formats depending on the maturity, robustness, and budget of the CLM program.

    Most repositories are some type of database:

    • An off-the-shelf product
    • A PaaS cloud-based solution
    • A homegrown, internally developed database
    • An add-on module to your ERP system

    Stage 7: Capture in Database/Repository 2 of 2

    Several important features of an electronic repository should be considered:

    • Consistent metadata tagging of clauses, terms, conditions, dates, etc.
    • Centralized summary view of all contracts
    • Controlled access for those who need to review and manage the contracts

    Establishing an effective repository will be key to providing measurable value to the organization and saving large amounts of time for the business unit.

    Info-Tech Insight

    Planning for future needs by investing a little more money into a better, more robust repository could pay bigger dividends to the VMO and organization while providing a higher ROI over time as advanced functionality is deployed.

    Stage 8: Manage

    • Once an agreement is captured in the repository, it needs to be managed from both an operational and a commitment perspective.
    • Through a summary view or master list, contracts need to be operationally managed for end dates and renewals, vendor performance, discounts, and rebates.
    • Managing contracts for commitment and compliance will ensure all contract requirements, rights, service-level agreements (SLAs), and terms are fulfilled. This will eliminate the high costs of missed SLAs, potential breaches, or missed renewals.
    • Managing contracts can be improved by adding metadata to the records that allow for easier search and retrieval of contracts or even proactive notification.
    • The repository management features can and should be available to business stakeholders, or reporting from a CLM admin can also alert stakeholders to renewals, pricing, SLAs, etc.
    • Also important to this stage is reporting. This can be done by an admin or via a self-serve feature for stakeholders, or it could even be automated.

    Stage 9: Monitor Compliance 1 of 2

    • At this stage, the contracts or agreements need to be monitored for the polices within them and the purpose for which they were signed.
    • This is referred to as obligation management and is a key step to providing savings to the organization and mitigating risk.
    • Many contracts contain commitments by each party. These can include but are not limited to SLAs, service uptime targets, user counts, pricing threshold discounts and rebates, renewal notices to vendors, and training requirements.
    • All of these obligations within the contracts should be summarized and monitored to ensure that all commitments are delivered on. Managing obligations will mitigate risks, maximize savings and rebates to the organization, and minimize the potential for a breach within the contract.

    Stage 9: Monitor Compliance 2 of 2

    • Monitoring and measuring vendor commitments and performance will also be a key factor in maximizing the benefits of the contract through vendor accountability.
    • Also included in this stage is renewal and/or disposition of the contract. If renewal is due, it should go back to the business unit for submission to the Stage 1: Request process. If the business unit is not going to renew the contract, the contract must be tagged and archived for future reference.

    Stage 10: Optimize

    • The goal of this stage is to improve the other stages of the process as well as evaluate how each stage is integrating with the core operational framework processes.
    • With more data and improved insight into contractual terms and performance, a business can optimize its portfolio for better value, greater savings, and lower-risk outcomes.
    • For high-performance contract teams, the goal is a continuous feedback loop between the contract portfolio and business performance. If, for example, the data shows that certain negotiation issues consume a large chunk of time but yield no measurable difference in risk or performance, you may tweak the playbook to remedy those issues quickly.

    Additional optimization tactics:

    • Streamlining contract renewals with auto-renew
    • Predefined risk review process or template, continuous review/improvement of negotiation playbook
    • Better automation or flow of approval process
    • Better signature delegation process if required
    • Improving repository search with metadata tagging
    • Automating renewal tracking or notice process
    • Tracking the time a contract spends in each stage

    Establish Your Current CLM Maturity Position

    • Sometimes organizations have a well-defined pre-execution process but have a poor post-signature process.
    • Identifying your current processes or lack thereof will provide you with a starting point in developing a plan for your CLM. It’s possible that most of the stages are there and just need some improvements, or maybe some are missing and need to be implemented.
    • It’s not unusual for organizations to have a manual pre-execution process and an automated backend repository with compliance and renewal notices features.

    Info-Tech Best Practice

    Use the CLM Maturity Assessment Tool to outline where your organization is at each stage of the process.

    Member Activity: Assess Current CLM Maturity

    2.1 Completion Time 1-2 days

    Goal: Identify and measure your existing CLM processes, if any, and provide a maturity value to each stage. The resulting scores will provide a maturity assessment of your CLM.

    Instructions

    1. Use the Existing CLM Process Worksheet to document current CLM processes.
    2. Using the CLM worksheet info, answer the questions in the CLM Maturity Assessment Tool.
    3. Review the results and scores on Tab 3 to see where you need to focus your initial improvements.
    4. Save the initial assessment for future reference and reassess in six to 12 months to measure progress.

    This image contains a screenshot from Info-Tech's CLM Maturity Assessment Tool.

    INPUT

    • Internal information from all CLM stakeholders

    OUTPUT

    • A summary of processes and owners currently in place in the organization

    Materials

    • Existing CLM processes from interviews

    Participants

    • Finance, Legal, CIO, VMO, Sales, Procurement

    Member Activity: Complete RASCI Chart

    2.2 Completion Time 2-6 hours

    Goal: Identify who in your organization is primarily accountable and involved in each stage of the CLM process.

    Instructions

    Engage internal business unit decision makers, stakeholders, Finance, Legal, CIO, VMO, Sales, and Procurement as required to validate who should be involved in each stage.

    1. Using the information collected from internal reviews, assign a level in the CLM RASCI Diagram to each team member.
    2. Use the resulting RASCI diagram to guide you through developing or improving your CLM stages.

    This image contains a screenshot from Info-Tech's CLM RASCI Diagram.

    INPUT

    • Internal interview information

    OUTPUT

    • Understanding of who is involved in each CLM stage

    Materials

    • Interview data
    • RASCI Diagram

    Participants

    • Finance, Legal, CIO, VMO, Sales, Procurement

    Applying CLM Framework and Stages to Your Organization

    • Understand what CLM process you currently do or do not have in place.
    • Review implementation options: automated, semi-automated, and manual solutions.
    • If you are improving an existing process, focus on one phase at a time, perfect it, and then move to the other phase. This can also be driven by budget and time.
    • Create a plan to start with and then move to automating or semi-automating the stages.
    • Building onto or enhancing an existing system or processes can be a cost-effective method to produce near-term measurable savings
    • Focus on one phase at a time, then move on to the other phase.
    • While reviewing implementation of or improvements to CLM stages, be sure to track or calculate the potential time and cost savings and risk mitigation. This will help in any required business case for a CLM.

    CLM: An ROI Discussion 1 of 2

    • ROI can be easier to quantify and measure in larger organizations with larger CLM, but ROI metrics can be obtained regardless of the company or CLM size.
    • Organizations recognize their ROI through gains in efficiency across the entire business as well as within individual departments involved in the contracting process. They also do so by reducing the risk associated with decentralized and insecure storage of and access to their contracts, failure to comply with terms of their contracts, and missing deadlines associated with contracts.

    Just a few of the factors to consider within your own organization include:

    • The number of people inside and outside your company that touch your contracts.
    • The number of hours spent weekly, monthly, and annually managing contracts.
    • Potential efficiencies gained in better managing those contracts.
    • The total number of contracts that exist at any given time.
    • The average value and total value of those contract types.
    • The potential risk of being in breach of any of those contracts.
    • The number of places contracts are stored.
    • The level of security that exists to prevent unauthorized access.
    • The potential impact of unauthorized access to your sensitive contract data.

    CLM: An ROI Discussion 2 of 2

    Decision-Maker Apprehensions

    Decision-maker concerns arise from a common misunderstanding – that is, a fundamental failure to appreciate the true source of contract management value. This misunderstanding goes back many years to the time when analysts first started to take an interest in contract management and its automation. Their limited experience (primarily in retail and manufacturing sectors) led them to think of contract management as essentially an administrative function, primarily focused on procurement of goods. In such environments, the purpose of automation is focused on internal efficiency, augmented by the possibility of savings from reduced errors (e.g. failing to spot a renewal or expiry date) or compliance (ensuring use of standard terms).

    Today’s CLM systems and processes can provide ROI in several areas in the business.

    Info-Tech Insight

    Research on ROI of CLM software shows significant hard cost savings to an organization. For example, a $10 million company with 300 contracts valued at $3 million could realize savings of $83,400 and avoid up to $460,000 in lost revenues. (Derived from: ACCDocket, 2018)

    Additional Considerations 1 of 2

    Who should own and/or manage the CLM process within an organization? Legal, VMO, business unit, Sales?

    This is an often-discussed question. Research suggests that there is no definitive answer, as there are several variables.

    Organizations needs to review what makes the best business sense for them based on several considerations and then decide where CLM belongs.

    • Business unit budgets and time management
    • Available Administration personnel and time
    • IT resources
    • Security and access concerns
    • Best fit based on organizational structure

    35% of law professionals feel contract management is a legal responsibility, while 45% feel it’s a business responsibility and a final 20% are unsure where it belongs. (Source: “10 Eye-Popping Contract Management Statistics,” Apttus, 2018)

    Additional Considerations 2 of 2

    What type of CLM software or platform should we use?

    This too is a difficult question to answer definitively. Again, there are several variables to consider. As well, several solutions are available, and this is not a one-size-fits-all scenario.

    As with who should own the CLM process, organizations must review the various CLM software solutions available that will meet their current and future needs and then ask, “What do we need the system to do?”

    • Do you build a “homegrown” solution?
    • Should it be an add-on module to the current ERP or CRM system?
    • Is on-premises more suitable?
    • Is an adequate off-the-shelf (OTS) solution available?
    • What about the many cloud offerings?
    • Is there a basic system to start with that can expand as you grow?

    Info-Tech Insight

    When considering what type of solution to choose, prioritize what needs to been done or improved. Sometimes solutions can be deployed in phases as an “add-on” type modules.

    Summary of Accomplishment

    Knowledge Gained

    • Documented current CLM process
    • Core operational framework to build a CLM process on
    • Understanding of best practices required for a sustainable CLM

    Processes Optimized

    • Internal RASCI process identified
    • Existing internal stage improvements
    • Internal review process for risk mitigation

    Deliverables Completed

    • Existing CLM Processes Worksheet
    • CLM Maturity Assessment
    • CLM RASCI Chart
    • CLM improvement plan

    Project Step Summary

    Client Project: CLM Assessment and Improvement Plan

    1. Set your goals – what do you want to achieve in your CLM project?
    2. Assess your organization’s current CLM position in relation to CLM best practices and stages.
    3. Map your organization’s RASCI structure for CLM.
    4. Identify opportunities for stage improvements or target all low stage assessments.
    5. Prioritize improvement processes.
    6. Track ROI metrics.
    7. Develop a CLM implementation or improvement plan.

    Info-Tech Insight

    This project can fit your organization’s schedule:

    • Do-it-yourself with your team.
    • Remote delivery (Info-Tech Guided Implementation).

    CLM Blueprint Summary and Conclusion

    • Contract management is a vital component of a responsible VMO that will benefit all business units in an organization, save time and money, and reduce risk exposure.
    • A basic well-deployed and well-managed CLM will provide ROI in the short term.
    • Setting an improvement plan with concise improvements and potential cost savings based on process improvements will help your business case for CLM get approval and leadership buy-in.
    • Educating and aligning all business units and stakeholders to any changes to CLM processes will ensure that cost savings and ROI are achieved.
    • When evaluating a CLM software solution, use the operational framework and the ten process stages in this blueprint as a reference guide for CLM vendor functionality and selection.

    Related Info-Tech Research

    Master Contract Review and Negotiation

    Optimize spend with significant cost savings and negotiate from a position of strength.

    Manage Your Vendors Before They Manage You

    Maximize the value of vendor relationships.

    Bibliography

    Burla, Daniel. “The Must Know Of Transition to Dynamics 365 on Premise.” Sherweb, 14 April 2017. Web.

    Anand, Vishal, “Strategic Considerations in Implementing an End-to-End Contract Lifecycle Management Solution.” DWF Mindcrest, 20 Aug. 2016. Web.

    Alspaugh, Zach. “10 Eye-Popping Contract Management Statistics from the General Counsel’s Technology Report.” Apttus, 23 Nov. 2018. Web.

    Bishop, Randy. “Contract Management is not just a cost center.” ContractSafe, 9 Sept. 2019. Web.

    Bryce, Ian. “Contract Management KPIs - Measuring What Matters.” Gatekeeper, 2 May 2019. Web.

    Busch, Jason. “Contract Lifecycle Management 101.” Determine. 4 Jan. 2018. Web.

    “Contract Management Software Buyer's Guide.” TechnologyAdvice, 5 Aug. 2019. Web.

    Dunne, Michael. “Analysts Predict that 2019 will be a Big Year for Contract Lifecycle Management.” Apttus, 19 Nov. 2018. Web.

    “FIS Case Study.” Apttus, n.d. Web.

    Gutwein, Katie. “3 Takeaways from the 2018 State of Contract Management Report.” SpringCM, 2018. Web.

    “IACCM 2019 Benchmark Report.” IAACM, 4 Sept. 2019. Web.

    Linsley, Rod. “How Proverbial Wisdom Can Help Improve Contract Risk Mitigation.” Gatekeeper, 2 Aug. 2019. Web.

    Mars, Scott. “Contract Management Data Extraction.” Exari, 20 June 2017. Web.

    Rodriquez, Elizabeth. “Global Contract Life-Cycle Management Market Statistics and Trends 2019.” Business Tech Hub, 17 June 2017. Web.

    “State of Contract Management Report.” SpringCM, 2018. Web.

    Teninbaum, Gabriel, and Arthur Raguette. “Realizing ROI from Contract Management Technology.” ACCDocket.com, 29 Jan. 2018. Web.

    Wagner, Thomas. “Strategic Report on Contract Life cycle Management Software Market with Top Key Players- IBM Emptoris, Icertis, SAP, Apttus, CLM Matrix, Oracle, Infor, Newgen Software, Zycus, Symfact, Contract Logix, Coupa Software.” Market Research, 21 June 2019. Web.

    “What is Your Contract Lifecycle Management (CLM) Persona?” Spend Matters, 19 Oct. 2017. Web.

    Develop a Plan to Pilot Enterprise Service Management

    • Buy Link or Shortcode: {j2store}279|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Many business groups in the organization are siloed and have disjointed services that lead to a less than ideal customer experience.
    • Service management is too often process-driven and is implemented without a holistic view of customer value.
    • Businesses get caught up in the legacy of their old systems and find it difficult to move with the evolving market.

    Our Advice

    Critical Insight

    • Customer experience is the new battleground. Parity between products is creating the need to differentiate via customer experience.
    • Don’t forget your employees! Enterprise service management (ESM) is also about delivering exceptional experiences to your employees so they can deliver exceptional services to your customers.
    • ESM is not driven by tools and processes. Rather, ESM is about pushing exceptional services to customers by pulling from organizational capabilities.

    Impact and Result

    • Understand ESM concepts and how they can improve customer service.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s state for ESM, identify the gaps, and create an action plan to move towards an ESM pilot.
    • Increase business and customer satisfaction by delivering services more efficiently.

    Develop a Plan to Pilot Enterprise Service Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should move towards ESM, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand ESM and get buy-in

    Understand the concepts of ESM, determine the scope of the ESM program, and get buy-in.

    • Develop a Plan to Pilot Enterprise Service Management – Phase 1: Understand ESM and Get Buy-in
    • Enterprise Service Management Executive Buy-in Presentation Template
    • Enterprise Service Management General Communications Presentation Template

    2. Assess the current state for ESM

    Determine the current state for ESM and identify the gaps.

    • Develop a Plan to Pilot Enterprise Service Management – Phase 2: Assess the Current State for ESM
    • Enterprise Service Management Assessment Tool
    • Enterprise Service Management Assessment Tool Action Plan Guide
    • Enterprise Service Management Action Plan Tool

    3. Identify ESM pilot and finalize action plan

    Create customer journey maps, identify an ESM pilot, and finalize the action plan for the pilot.

    • Develop a Plan to Pilot Enterprise Service Management – Phase 3: Identify ESM Pilot and Finalize Action Plan
    • Enterprise Service Management Customer Journey Map Template
    [infographic]

    Workshop: Develop a Plan to Pilot Enterprise Service Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand ESM and Get Buy-In

    The Purpose

    Understand what ESM is and how it can improve customer service.

    Determine the scope of your ESM initiative and identify who the stakeholders are for this program.

    Key Benefits Achieved

    Understanding of ESM concepts.

    Understanding of the scope and stakeholders for your ESM initiative.

    Plan for getting buy-in for the ESM program.

    Activities

    1.1 Understand the concepts and benefits of ESM.

    1.2 Determine the scope of your ESM program.

    1.3 Identify your stakeholders.

    1.4 Develop an executive buy-in presentation.

    1.5 Develop a general communications presentation.

    Outputs

    Executive buy-in presentation

    General communications presentation

    2 Assess the Current State for ESM

    The Purpose

    Assess your current state with respect to culture, governance, skills, and tools.

    Identify your strengths and weaknesses from the ESM assessment scores.

    Key Benefits Achieved

    Understanding of your organization’s current enablers and constraints for ESM.

    Determination and analysis of data needed to identify strengths or weaknesses in culture, governance, skills, and tools.

    Activities

    2.1 Understand your organization’s mission and vision.

    2.2 Assess your organization’s culture, governance, skills, and tools.

    2.3 Identify the gaps and determine the necessary foundational action items.

    Outputs

    ESM assessment score

    Foundational action items

    3 Define Services and Create Custom Journey Maps

    The Purpose

    Define and choose the top services at the organization.

    Create customer journey maps for the chosen services.

    Key Benefits Achieved

    List of prioritized services.

    Customer journey maps for the prioritized services.

    Activities

    3.1 Make a list of your services.

    3.2 Prioritize your services.

    3.3 Build customer journey maps.

    Outputs

    List of services

    Customer journey maps

    Implement Crisis Management Best Practices

    • Buy Link or Shortcode: {j2store}415|cart{/j2store}
    • member rating overall impact (scale of 10): 9.7/10 Overall Impact
    • member rating average dollars saved: $50,532 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • There’s a belief that you can’t know what crisis will hit you next, so you can’t prepare for it. As a result, resilience planning stops at more-specific planning such as business continuity planning or IT disaster recovery planning.
    • Business contingency and IT disaster recovery plans focus on how to resume normal operations following an incident. The missing piece is the crisis management plan – the overarching plan that guides the organization’s initial response, assessment, and action.
    • Organizations without a crisis management plan are far less able to minimize the impact of other crises such as a security breach, health & safety incident, or attacks on their reputation.

    Our Advice

    Critical Insight

    • Effective crisis management has a long-term demonstrable impact on your organization, long after the crisis is resolved. While all organizations can expect a short-term negative impact when a crisis hits, if the crisis is managed well, the research shows that your market capitalization can actually increase long term.
    • Crisis communication is more science than art and should follow a structured approach. Crisis communication is about more than being a good writer or having a social media presence. There are specific messages that must be included, and specific audiences to target, to get the results you need.
    • IT has a critical role in non-IT crises (as well as IT crises). Many crises are IT events (e.g. security breach). For non-IT events, IT is critical in supporting crisis communication and the operational response (e.g. COVID-19 and quickly ramping up working-from-home).

    Impact and Result

    • You can anticipate the types of crisis your organization may face in the future and build flexible plans that can be adapted in a crisis to meet the needs of the moment.
    • Identify potential crises that present a high risk to your organization.
    • Document emergency response and crisis response plans that provide a framework for addressing a range of crises.
    • Establish crisis communication guidelines to avoid embarrassing and damaging communications missteps.

    Implement Crisis Management Best Practices Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement crisis management best practices, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify potential crises and your crisis management team

    Identify, analyze, and prioritized potential crises based on risk to the organization. Set crisis management team roles and responsibilities. Adopt a crisis management framework.

    • Example Crisis Management Process Flowcharts (Visio)
    • Example Crisis Management Process Flowcharts (PDF)
    • Business Continuity Teams and Roles Tool

    2. Document your emergency and crisis response plans

    Document workflows for notification, situational assessment, emergency response, and crisis response.

    • Emergency Response Plan Checklist
    • Emergency Response Plan Summary
    • Emergency Response Plan Staff Instructions
    • Pandemic Response Plan Example
    • Pandemic Policy

    3. Document crisis communication guidelines

    Develop and document guidelines that support the creation and distribution of crisis communications.

    • Crisis Communication Guidelines and Templates

    4. Complete and maintain your crisis management plan

    Summarize your crisis management and response plans, create a roadmap to implement potential improvement projects, develop training and awareness initiatives, and schedule maintenance to keep the plan evergreen.

    • Crisis Management Plan Summary Example
    • BCP Project Roadmap Tool
    • Organizational Learning Guide
    [infographic]

    Workshop: Implement Crisis Management Best Practices

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Potential Crises and Your Crisis Management Team

    The Purpose

    Identify and prioritize relevant potential crises.

    Key Benefits Achieved

    Enable crisis management pre-planning and identify gaps in current crisis management plans.

    Activities

    1.1 Identify high-risk crises.

    1.2 Assign roles and responsibilities on the crisis management team.

    1.3 Review Info-Tech’s crisis management framework.

    Outputs

    List of high-risk crises.

    CMT membership and responsibilities.

    Adopt the crisis management framework and identify current strengths and gaps.

    2 Document Emergency Response and Crisis Management Plans

    The Purpose

    Outline emergency response and crisis response plans.

    Key Benefits Achieved

    Develop and document procedures that enable rapid, effective, and reliable crisis and emergency response.

    Activities

    2.1 Develop crisis notification and assessment procedures.

    2.2 Document your emergency response plans.

    2.3 Document crisis response plans for potential high-risk crises.

    Outputs

    Documented notification and assessment workflows.

    Emergency response plans and checklists.

    Documented crisis response workflows.

    3 Document Crisis Communication Guidelines

    The Purpose

    Define crisis communication guidelines aligned with an actionable crisis communications framework.

    Key Benefits Achieved

    Document workflows and guidelines support crisis communications.

    Activities

    3.1 Establish the elements of baseline crisis communications.

    3.2 Identify audiences for the crisis message.

    3.3 Modify baseline communication guidelines based on audience and organizational responsibility.

    3.4 Create a vetting process.

    3.5 Identify communications channels.

    Outputs

    Baseline communications guidelines.

    Situational modifications to crisis communications guidelines.

    Documented vetting process.

    Documented communications channels

    4 Complete and Maintain Your Crisis Management Plan

    The Purpose

    Summarize the crisis management plan, establish an organizational learning process, and identify potential training and awareness activities.

    Key Benefits Achieved

    Plan ahead to keep your crisis management practice evergreen.

    Activities

    4.1 Review the CMP Summary Template.

    4.2 Create a project roadmap to close gaps in the crisis management plan.

    4.3 Outline an organizational learning process.

    4.4 Schedule plan reviews, testing, and updates.

    Outputs

    Long-term roadmap to improve crisis management capabilities.

    Crisis management plan maintenance process and awareness program.

    Audit the Project Portfolio

    • Buy Link or Shortcode: {j2store}442|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As a CIO you know you should audit your portfolio, but you don’t know where to start.
    • There is a lack of portfolio and project visibility.
    • Projects are out of scope, over budget, and over schedule.

    Our Advice

    Critical Insight

    • Organizations establish processes and assume people are following them.
    • There is a dilution of practices from external influences and rapid turnover rates.
    • Many organizations build their processes around existing frameworks. These frameworks are great resources but they’re often missing context and clear links to tools, templates, and fiduciary duty.

    Impact and Result

    • The best way to get insight into your current state is to get an objective set of observations of your processes.
    • Use Info-Tech’s framework to audit your portfolios and projects:
      • Triage at a high level to assess the need for an audit by using the Audit Standard Triage Tool to assess your current state and the importance of conducting a deeper audit.
      • Complete Info-Tech’s Project Portfolio Audit Tool:
        • Validate the inputs.
        • Analyze the data.
        • Review the findings and create your action plan.

    Audit the Project Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should audit the project portfolio, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess readiness

    Understand your current state and determine the need for a deeper audit.

    • Audit the Project Portfolio – Phase 1: Assess Readiness
    • Info-Tech Audit Standard for Project Portfolio Management
    • Audit Glossary of Terms
    • Audit Standard Triage Tool

    2. Perform project portfolio audit

    Audit your selected projects and portfolios. Understand the gaps in portfolio practices.

    • Audit the Project Portfolio – Phase 2: Perform Project Portfolio Audit
    • Project Portfolio Audit Tool

    3. Establish a plan

    Document the steps you are going to take to address any issues that were uncovered in phase 2.

    • Audit the Project Portfolio – Phase 3: Establish a Plan
    • PPM Audit Timeline Template
    [infographic]

    Workshop: Audit the Project Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Portfolio Audit

    The Purpose

    An audit of your portfolio management practices.

    Key Benefits Achieved

    Analysis of audit results.

    Activities

    1.1 Info-Tech’s Audit Standard/Engagement Context

    1.2 Portfolio Audit

    1.3 Input Validation

    1.4 Portfolio Audit Analysis

    1.5 Start/Stop/Continue

    Outputs

    Audit Standard and Audit Glossary of Terms

    Portfolio and Project Audit Tool

    Start/Stop/Continue

    2 Project Audit

    The Purpose

    An audit of your project management practices.

    Key Benefits Achieved

    Analysis of audit results.

    Activities

    2.1 Project Audit

    2.2 Input Validation

    2.3 Project Audit Analysis

    2.4 Start/Stop/Continue

    Outputs

    Portfolio and Project Audit Tool

    Start/Stop/Continue

    3 Action Plan

    The Purpose

    Create a plan to start addressing any vulnerabilities.

    Key Benefits Achieved

    A plan to move forward.

    Activities

    3.1 Action Plan

    3.2 Key Takeaways

    Outputs

    Audit Timeline Template

    Manage Exponential Value Relationships

    • Buy Link or Shortcode: {j2store}210|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:

    These challenges require new skills which build trust and collaboration among vendors.

    Our Advice

    Critical Insight

    Outcome-based relationships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

    Impact and Result

    • Assess your readiness to take on the new types of vendor relationships that will help you succeed.
    • Identify where you need to build your capabilities in order to successfully manage relationships.
    • Successfully manage outcomes, financials, risk, and relationships in complex vendor relationships.

    Manage Exponential Value Relationships Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Exponential Value Relationships Storyboard – Learn about the new era of exponential vendor relationships and the capabilities needed to succeed.

    This research walks you through how to assess your capabilities to undertake a new model of vendor relationships and drive exponential IT.

    • Manage Exponential Value Relationships Storyboard

    2. Exponential Relationships Readiness Assessment – Assess your readiness to engage in exponential vendor partnerships.

    This tool will facilitate your readiness assessment.

    • Exponential Relationships Readiness Assessment
    [infographic]

    Further reading

    Manage Exponential Value Relationships

    Are you ready to manage outcome-based agreements?

    Analyst Perspective

    Outcome-based agreements require a higher degree of mutual trust.

    Kim Osborne Rodriguez

    Exponential IT brings with it an exciting new world of cutting-edge technology and increasingly accelerated growth of business and IT. But adopting and driving change through this paradigm requires new capabilities to grow impactful and meaningful partnerships with external vendors who can help implement technologies like artificial intelligence and virtual reality.

    Building outcome-based partnerships involves working very closely with vendors who, in many cases, will have just as much to lose as the organizations implementing these new technologies. This requires a greater degree of trust between parties than a standard vendor relationship. It also drastically increases the risks to both organizations; as each loses some control over data and outcomes, they must trust that the other organization will follow through on commitments and obligations.

    Outcome-based partnerships build upon traditional vendor management practices and create the potential for organizations to embrace emerging technology in new ways.

    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Exponential IT drives change

    Vendor relationships must evolve

    To deliver exponential value

    Implementing exponential IT will require businesses to work with external vendors to facilitate the rapid adoption of cutting-edge technologies such as generative artificial intelligence. IT leaders must:

    • Build strategic relationships with external entities to support the autonomization of the enterprise.
    • Procure, operate, and manage contracts and performance in outcome-based relationships.
    • Build relationships with new vendors.

    These challenges require new skills which build trust and collaboration with vendors.

    Traditional vendor management approaches are still important for organizations to develop and maintain. But exponential relationships bring new challenges:

    • A shift from managing technology service agreements to managing business capability agreements
    • Increased vendor access to intellectual property, confidential information, and customers

    IT leaders must adapt traditional vendor management capabilities to successfully lead this change.

    Outcome-based relationships should not be undertaken lightly as they can significantly impact the risk profile of the organization. Use this research to:

    • Assess your foundational vendor management capabilities as well as the transformative capabilities you need to manage outcome-based relationships.
    • Identify where you need to build your capabilities in order to successfully manage relationships.
    • Successfully manage outcomes, financials, risk, and relationships in complex vendor partnerships.

    Exponential value relationships will help drive exponential IT and autonomization of the enterprise.

    Info-Tech Insight

    Outcome-based partnerships require a higher degree of trust than traditional vendor relationships. Build trust by sharing risks and rewards.

    Vendor relationships can be worth billions of dollars

    Positive vendor relationships directly impact the bottom line, sometimes to the tune of billions of dollars annually.

    • Organizations typically spend 40% to 80% of their total budget on external suppliers.
    • Greater supplier trust translates directly to greater business profits, even in traditional vendor relationships.1
    • Based on over a decade of data from vehicle manufacturers, greater supplier relationships nearly doubled the unit profit margin on vehicles, contributing over $20 billion to Toyota’s annual profits based on typical sales volume.2
    • Having positive vendor relationships can be instrumental in times of crisis – when scarcity looms, vendors often choose to support their best customers.3,4 For example, Toyota protected itself from the losses many original equipment manufacturers (OEMs) faced in 2020 and showed improved profitability that year due to increased demand for vehicles which it was able to supply as a result of top-ranked vendor relationships.
    1 PR Newswire, 2022.
    2 Based on 10 years of data comparing Toyota and Nissan, every 1-point increase in the company’s Working Relations Index was correlated with a $15.77 net profit increase per unit. Impact on Toyota annual profits is based on 10.5 million units sold in 2021 and 2022.
    3 Interview with Renee Stanley, University of Texas at Arlington. Conducted 17 May 2023.
    4 Plante Moran, 2020.

    Supplier Trust Impacts OEM Profitability

    Sources: Macrotrends, Plante Moran 2022, Nissan 2022 and 2023, and Toyota 2022. Profit per car is based on total annual profit divided by total annual sales volume.

    Outcome-based relationships are a new paradigm

    In a new model where organizations are procuring autonomous capabilities, outcomes will govern vendor relationships.

    An outcome-based relationship requires a higher level of mutual trust than traditional vendor relationships. This requires shared reward and shared risk.

    Don’t forget about traditional vendor management relationships! Not all vendor relationships can (or should) be outcome-based.

    Managing Exponential Value Relationships.

    Case study

    INDUSTRY: Technology

    SOURCE: Press Release

    Microsoft and OpenAI partner on Azure, Teams, and Microsoft Office suite

    In January 2023, Microsoft announced a $10 billion investment in OpenAI, allowing OpenAI to continue scaling its flagship large language model, ChatGPT, and giving Microsoft first access to deploy OpenAI’s products in services like GitHub, Microsoft Office, and Microsoft Teams.

    Shared risk

    Issues with OpenAI’s platforms could have a debilitating effect on Microsoft’s own reputation – much like Google’s $100 billion stock loss following a blunder by its AI platform Bard – not to mention the financial loss if the platform does not live up to the hype.

    Shared reward

    This was a particularly important strategic move by Microsoft, as its main competitors develop their own AI models in a race to the top. This investment also gave OpenAI the resources to continue scaling and evolving its services much faster than it would be capable of on its own. If OpenAI’s products succeed, there is a significant upside for both companies.

    The image contains a graph that demonstrates time to reach 1 million users.

    Adapt your approach to vendor relationships

    Both traditional vendors and exponential relationships are important.

    Traditional

    procurement

    Vendor

    management

    Exponential vendor relationships

    • Ideal for procuring a product or service
    • Typically evaluates vendors based on their capabilities and track record of success
    • Focuses on metrics, KPIs, and contracts to deliver success to the organization purchasing the product or service
    • Vendors typically only have access to company data showing what is required to deliver their product or service
    • Ideal for managing vendors supplying products or services
    • Typically evaluates vendors based on the value and the criticality of a vendor to drive VM-resource allocation
    • External vendors do not generally participate in sharing of risks or rewards outside of payment for services or incentives/penalties
    • Vendors typically have limited access to company data
    • Ideal for procuring an autonomous capability
    • Typically evaluated based on the total possible value creation for both parties
    • External vendors share in substantial portions of the risks and rewards of the relationship
    • Vendors typically have significant access to company data, including proprietary methods, intellectual property, and customer lists

    Use this research to successfully
    manage outcome-based relationships.

    Use Info-Tech’s research to Jump Start Your Vendor Management Initiative.

    Common obstacles

    Exponential relationships require new approaches to vendor management as businesses autonomize:

    • Autonomization refers to the shift toward autonomous business capabilities which leverage technologies such as AI and quantum computing to operate independently of human interaction.
    • The speed and complexity of technology advancement requires that businesses move quickly and confidently to develop strong relationships and deliver value.
    • We are seeing businesses shift from procuring products and services to procuring autonomous business capabilities (sometimes called “as a service,” or aaS). This shift can drive exponential value but also increases complexity and risk.
    • Exponential IT requires a shift in emphasis toward more mature relationship and risk management strategies, compared to traditional vendor management.

    The shift from technology service agreements to business capability agreements needs a new approach

    Eighty-seven percent of organizations are currently experiencing talent shortages or expect to within a few years.

    Source: McKinsey, “Mind the [skills] gap”, 2021.

    Sixty-three percent of IT leaders plan to implement AI in their organizations by the end of 2023.

    Source: Info-Tech Research Group survey, 2022

    Insight summary

    Build trust

    Successfully managing exponential relationships requires increased trust and the ability to share both risks and rewards. Outcome-based vendors typically have greater access to intellectual property, customer data, and proprietary methods, which can pose a risk to the organization if this information is used to benefit competitors. Build mutual trust by sharing both risks and rewards.

    Manage risk

    Outcome-based relationships with external vendors can drastically affect an organization’s risk profile. Carefully consider third-party risk and shared risk, including ESG risk, as well as the business risk of losing control over capabilities and assets. Qualified risk specialists (such as legal, regulatory, contract, intellectual property law) should be consulted before entering outcome-based relationships.

    Drive outcomes

    Fostering strategic relationships can be instrumental in times of crisis, when being the customer of choice for key vendors can push your organization up the line from the vendor’s side – but be careful about relying on this too much. Vendor objectives may not align with yours, and in the end, everyone needs to protect themselves.

    Assess your readiness for exponential value relationships

    Key deliverable:

    Exponential Relationships Readiness Assessment

    Determine your readiness to build exponential value relationships.

    Measure the value of this blueprint

    Save thousands of dollars by leveraging this research to assess your readiness, before you lose millions from a relationship gone bad.

    Our research indicates that most organizations would take months to prepare this type of assessment without using our research. That’s over 80 person-hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Doesn’t your staff have better things to do?

    Start by answering a few brief questions, then return to this slide at the end to see how much your answers have changed.

    Establish Baseline Metrics

    Use Info-Tech’s research to Exponential Relationships Readiness Assessment.

    Estimated time commitment without Info-Tech’s research (person-hours)

    Establish a baseline

    Gauge the effectiveness of this research by asking yourself the following questions before and after completing your readiness assessment:

    Questions

    Before

    After

    To what extent are you satisfied with your current vendor management approach?

    How many of your current vendors would you describe as being of strategic importance?

    How much do you spend on vendors annually?

    How much value do you derive from your vendor relationships annually?

    Do you have a vendor management strategy?

    What outcomes are you looking to achieve through your vendor relationships?

    How well do you understand the core capabilities needed to drive successful vendor management?

    How well do you understand your current readiness to engage in outcome-based vendor relationships?

    Do you feel comfortable managing the risks when working with organizations to implement artificial intelligence and other autonomous capabilities?

    How to use this research

    Five tips to get the most out of your readiness assessment.

    1. Each category consists of five competencies, with a maximum of five points each. The maximum score on this assessment is 100 points.
    2. Effectiveness levels range from basic (level 1) to advanced (level 5). Level 1 is generally considered the baseline for most effectively operating organizations. If your organization is struggling with level 1 competencies, it is recommended to improve maturity in those areas before pursuing exponential relationships.
    3. This assessment is qualitative; complete the assessment to the best of your ability, based on the scoring rubric provided. If you fall between levels, use the lower one in your assessment.
    4. The scoring rubric may not perfectly fit the processes and practices within every organization. Consider the spirit of the description and score accordingly.
    5. Other industry- and region-specific competencies may be required to succeed at exponential relationships. The competencies in this assessment are a starting point, and internal validation and assessments should be conducted to uncover additional competencies and skills.

    Financial management

    Manage your budget and spending to stay on track throughout your relationship.

    “Most organizations underestimate the amount of time, money, and skill required to build and maintain a successful relationship with another organization. The investment in exponential relationships is exponential in itself – as are the returns.”

    – Jennifer Perrier, Principal Research Director,
    Info-Tech Research Group

    This step involves the following participants:

    • Executive leadership team, including CIO
    • CFO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage scope and budget in exponential IT relationships.

    Successfully manage complex finances

    Stay on track and keep your relationship running smoothly.

    Why is this important?

    • Finance is at the core of most business – it drives decision making, acts as a constraint for innovation and optimization, and plays a key role in assessing options (such as return on investment or payback period).
    • Effectively managing finances is a critical success factor in developing strong relationships. Each organization must be able to manage their own budget and spending in order to balance the risk and reward in the relationship. Often, these risks and rewards will come in the form of profit and loss or revenue and spend.

    Build it into your practice:

    1. Ensure your financial decision-making practices are aligned with the organizational and relationship strategy. Do metrics and criteria reflect the organization’s goals?
    2. Develop strong accounting and financial analysis practices – this includes the ability to conduct financial due diligence on potential vendors.
    3. Develop consistent methodology to track and report on the desired outcomes on a regular basis.

    Build your ability to manage finances

    The five competencies needed to manage finances in exponential value relationships are:

    Budget procedures

    Financial alignment

    Adaptability

    Financial analysis

    Reporting & compliance

    Clearly articulate and communicate budgets, with proactive analysis and reporting.

    There is a strong, direct alignment between financial outcomes and organizational strategy and goals.

    Financial structures can manage many different types of relationships and structures without major overhaul.

    Proactive financial analysis is conducted regularly, with actionable insights.

    This exceeds legal requirements and includes proactive and actionable reporting.

    Relationship management

    Drive exponential value by becoming a customer of choice.

    “The more complex the business environment becomes — for instance, as new technologies emerge or as innovation cycles get faster — the more such relationships make sense. And the better companies get at managing individual relationships, the more likely it is that they will become “partners of choice” and be able to build entire portfolios of practical and value-creating partnerships.”

    (“Improving the management of complex business partnerships.” McKinsey, 2019)

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage relationships in exponential IT relationships.

    Take your relationships to the next level

    Maintaining positive relationships is key to building trust.

    Why is this important?

    • All relationships will experience challenges, and the ability to resolve these issues will rely heavily on the relationship management skills and soft skills of the leadership within each organization.
    • Based on a 20-year study of vendor relationships in the automotive sector, business-to-business trust is a function of reasonable demands, follow-through, and information sharing.
    (Source: Plante Moran, 2020)

    Build it into your practice:

    1. Develop the soft skills necessary to promote psychological safety, growth mindset, and strong and open communication channels.
    2. Be smart about sharing information – you don’t need to share everything, but being open about relevant information will enhance trust.
    3. Both parties need to work hard to develop trust necessary to build a true relationship. This will require increased access to decision-makers, clearly defined guardrails, and the ability for unsatisfied parties to leave.

    Build your ability to manage relationships

    The five competencies needed to manage relationships in exponential partnerships are:

    Strategic alignment

    Follow-through

    Information sharing

    Shared risk & rewards

    Communication

    Work with vendors to create roadmaps and strategies to drive mutual success.

    Ensure demands are reasonable and consistently follow through on commitments.

    Proactively and freely share relevant information between parties.

    Equitably share responsibility for outcomes and benefits from success.

    Ensure clear, proactive, and frequent communication occurs between parties.

    Performance management

    Outcomes management focuses on results, not methods.

    According to Jennifer Robinson, senior editor at Gallup, “This approach focuses people and teams on a concrete result, not the process required to achieve it. Leaders define outcomes and, along with managers, set parameters and guidelines. Employees, then, have a high degree of autonomy to use their own unique talents to reach goals their own way.” (Forbes, 2023)

    In the context of exponential relationships, vendors can be given a high degree of autonomy provided they meet their objectives.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage outcomes in exponential IT relationships.

    Manage outcomes to drive mutual success

    Build trust by achieving shared objectives.

    Why is this important?

    • Relationships are based on shared risk and shared reward for all parties. In order to effectively communicate the shared rewards, you must first understand and communicate your objectives for the relationship, then measure outcomes to ensure all parties are benefiting.
    • Effectively managing outcomes reduces the risk that one party will choose to leave based on a perception of benefits not being achieved. Parties may still leave the agreement, but decisions should be based on shared facts and issues should be communicated and addressed early.

    Build it into your practice:

    1. Clearly articulate what you hope to achieve by entering an outcome-based relationship. Each party should outline and agree to the goals, objectives, and desired outcomes from the relationship.
    2. Document how rewards will be shared among parties. What type of rewards are anticipated? Who will benefit and how?
    3. Develop consistent methodology to track and report on the desired outcomes on a regular basis. This might consist of a vendor scorecard or a monthly meeting.

    Build your ability to manage outcomes

    The five competencies needed to manage outcomes in exponential value relationships are:

    Goal setting

    Negotiation

    Performance tracking

    Issue
    resolution

    Scope management

    Set specific, measurable and actionable goals, and communicate them with stakeholders.

    Clearly articulate and agree upon measurable outcomes between all parties.

    Proactively track progress toward goals/outcomes and discuss results with vendors regularly.

    Openly discuss potential issues and challenges on a regular basis. Find collaborative solutions to problems.

    Proactively manage scope and discuss with vendors on a regular basis.

    Risk management

    Exponential IT means exponential risk – and exponential rewards.

    One of the key differentiators between traditional vendor relationships and exponential relationships is the degree to which risk is shared between parties. This is not possible in all industries, which may limit companies’ ability to participate in this type of exponential relationship.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Risk management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage risk in exponential IT relationships.

    Relationships come with a lot of hidden risks

    Successfully managing complex risks can be the difference between a spectacular success and company-ending failure.

    Why is this important?

    • Relationships inherently involve a loss of control. You are relying on another party to fulfill their part of the agreement, and you depend on the success of the outcome. Loss of control comes with significant risks.
    • Sharing in risk is what differentiates an outcome-based relationship from a traditional vendor relationship; vendors must have skin in the game.
    • Organizations must consider many different types of risk when considering a relationship with a vendor: fraud, security, human rights, labor relations, ESG, and operational risks. Remember that risk is not inherently bad; some risk is necessary.

    Build it into your practice:

    1. Build or hire the necessary risk expertise needed to properly assess and evaluate the risks of potential vendor relationships. This includes intellectual property, ESG, legal/regulatory, cybersecurity, data security, and more.
    2. Develop processes and procedures which clearly communicate and report on risk on a regular basis.

    Info-Tech Insight

    Some highly regulated industries (such as finance) are prevented from transferring certain types of risk. In these industries, it may be much more difficult to form vendor relationships.

    Don’t forget about third-party ESG risk

    Customers care about ESG. You should too.

    Protect yourself against third-party ESG risks by considering the environmental and social impacts of your vendors.

    Third-party ESG risks can include the following:

    • Environmental risk: Vendors with unsustainable practices such as carbon emissions or waste generation of natural resource depletion can negatively impact the organization’s environmental goals.
    • Social risk: Unsafe or illegal labor practices, human rights violations, and supply chain management issues can reflect negatively on organizations that choose to work with vendors who engage in such practices.
    • Governance risk: Vendors who engage in illegal or unethical behaviors, including bribery and corruption or data and privacy breaches can impact downstream customers.

    Working with vendors that have a poor record of ESG carries a very real reputational risk for organizations who do not undertake appropriate due diligence.

    A global survey of nearly 14,000 customers revealed that…

    Source: EY Future Consumer Index, 2021

    Seventy-seven percent of customers believe companies have a responsibility to manufacture sustainably.

    Sixty-eight percent of customers believe businesses should ensure their suppliers meet high social and environmental standards.

    Fifty-five percent of customers consider the environmental impact of production in their purchasing decisions.

    Build your ability to manage risk

    The five competencies needed to manage risk in exponential value relationships are:

    Third-party risk

    Value chain

    Data management

    Regulatory & compliance

    Monitoring & reporting

    Understand and assess third-party risk, including ESG risk, in potential relationships.

    Assess risk throughout the value chain for all parties and balance risk among parties.

    Proactively assess and manage potential data risks, including intellectual property and strategic data.

    Manage regulatory and compliance risks, including understanding risk transfer and ultimate risk holder.

    Proactive and open monitoring and reporting of risks, including regular communication among stakeholders.

    Contract management

    Contract management is a critical part of vendor management.

    Well-managed contracts include clearly defined pricing, performance-based outcomes, clear roles and responsibilities, and appropriate remedies for failure to meet requirements. In outcome-based relationships, contracts are generally used as a secondary method of enforcing performance, with relationship management being the primary method of addressing challenges and ensuring performance.

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Risk management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Assess your ability to manage risk in exponential IT relationships.

    Build your ability to manage contracts

    The five competencies needed to manage contracts in exponential value relationships are:

    Pricing

    Performance outcomes

    Roles and responsibilities

    Remedies

    Payment

    Pricing is clearly defined in contracts so that the total cost is understood including all fees, optional pricing, and set caps on increases.

    Contracts are performance-based whenever possible, including deliverables, milestones, service levels, due dates, and outcomes.

    Each party's roles and responsibilities are clearly defined in the contract documents with adequate detail.

    Contracts contain appropriate remedies for a vendor's failure to meet SLAs, due dates, and other obligations.

    Payment is made after performance targets are met, approved, or accepted.

    Activity 1: Assess your readiness for exponential relationships

    1-3 hours

    1. Gather key stakeholders from across your organization to participate in the readiness assessment exercise.
    2. As a group, review the core competencies from the previous four sections and determine where your organization’s effectiveness lies for each competency. Record your responses in the Exponential Relationships Readiness Assessment tool.

    Download the Exponential Relationships Readiness Assessment tool.

    Input Output
    • Core competencies
    • Knowledge of internal processes and capabilities
    • Readiness assessment
    Materials Participants
    • Exponential
      Relationships Readiness Assessment
      tool
    • Whiteboard/flip charts
    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Understand your assessment

    This step involves the following participants:

    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Activities:

    • Create an action plan.

    Understand the results of your assessment

    Consider the following recommendations based on your readiness assessment scores:

    • The chart to the right shows sample results. The bars indicate the recommended scores, and the line indicates the readiness score.
    • Three or more categories below the recommended scores, or any categories more than five points below the recommendation: outcome-based relationships are not recommended at this time.
    • Two or more categories below the recommended scores: Proceed with caution and limit outcome-based relationships to low-risk areas. Continue to mature capabilities.
    • One category below the recommended scores: Evaluate the risks and benefits before engaging in higher-risk vendor relationships. Continue to mature capabilities.
    • All categories at or above the recommended scores: You have many of the core capabilities needed to succeed at exponential relationships! Continue to evaluate and refine your vendor relationships strategy, and identify any additional competencies needed based on your industry or region.

    Acme Corp Exponential Relationships Readiness.

    Activity 2: Create an action plan

    1 hour

    1. Gather the stakeholders who participated in the readiness assessment exercise.
    2. As a group, review the results of the readiness assessment. Where there any surprise? Do the results reflect your understanding of the organization’s maturity?
    3. Determine which areas are likely to limit the organization’s relationship capability, based on lowest scoring areas and relative importance to the organization.
    4. Break out into groups and have each group identify three actions the organization could take to mature the lowest scoring areas.
    5. Bring the group back together and prioritize the actions. Note who will be accountable for each next step.
    InputOutput
    • Readiness assessment
    • Action plan to improve maturity of capabilities
    MaterialsParticipants
    • Exponential
      Relationship Readiness Assessment
      tool
    • Whiteboard/flip charts
    • Executive leadership team, including CIO
    • Vendor management leader
    • Other internal stakeholders of vendor relationships

    Related Info-Tech Research

    Jump Start Your Vendor Management Initiative
    Create and implement a vendor management framework to begin obtaining measurable results in 90 days.

    Elevate Your Vendor Management Initiative
    Transform your VMI from tactical to strategic to maximize its impact and value

    Evaluate Your Vendor Account Team to Optimize Vendor Relations
    Understand the value of knowing your account team’s influence in the organization, and your influence, to drive results.

    Related Info-Tech Research

    Build an IT Risk Management Program
    Mitigate the IT risks that could negatively impact your organization.

    Build an IT Budget
    Effective IT budgets are more than a spreadsheet. They tell a story.

    Adopt an Exponential IT Mindset
    Thrive through the next paradigm shift..

    Author

    Kim Osborne Rodriguez

    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.

    Kim holds a Bachelor’s degree in Honours Mechatronics Engineering and an option in Management Sciences from the University of Waterloo.

    Research Contributors and Experts

    Jack Hakimian

    Jack Hakimian
    Senior Vice President
    Info-Tech Research Group

    Jack has more than 25 years of technology and management consulting experience. He has served multibillion-dollar organizations in multiple industries including financial services and telecommunications. Jack also served several large public sector institutions.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master’s degree in Computer Engineering as well as an MBA from the ESCP-EAP European School of Management.

    Michael Tweedie

    Michael Tweedie
    Practice Lead, CIO Strategy
    Info-Tech Research Group

    Mike Tweedie brings over 25 years as a technology executive. He’s led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor’s degree in Architecture from Ryerson University.

    Scott Bickley

    Scott Bickley
    Practice Lead, VCCO
    Info-Tech Research Group

    Scott Bickley is a Practice Lead & Principal Research Director at Info-Tech Research Group, focused on Vendor Management and Contract Review. He also has experience in the areas of IT Asset Management (ITAM), Software Asset Management (SAM), and technology procurement along with a deep background in operations, engineering, and quality systems management.

    Scott holds a B.S. in Justice Studies from Frostburg State University. He also holds active IAITAM certification designations of CSAM and CMAM and is a Certified Scrum Master (SCM).

    Donna Bales

    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group, specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multistakeholder industry initiatives.

    Donna has a bachelor’s degree in economics from the University of Western Ontario.

    Research Contributors and Experts

    Jennifer Perrier

    Jennifer Perrier
    Principal Research Director
    Info-Tech Research Group

    Jennifer has 25 years of experience in the information technology and human resources research space, joining Info-Tech in 1998 as the first research analyst with the company. Over the years, she has served as a research analyst and research manager, as well as in a range of roles leading the development and delivery of offerings across Info-Tech’s product and service portfolio, including workshops and the launch of industry roundtables and benchmarking. She was also Research Lead for McLean & Company, the HR advisory division of Info-Tech, during its start-up years.

    Jennifer’s research expertise spans the areas of IT strategic planning, governance, policy and process management, people management, leadership, organizational change management, performance benchmarking, and cross-industry IT comparative analysis. She has produced and overseen the development of hundreds of publications across the full breadth of both the IT and HR domains in multiple industries. In 2022, Jennifer joined Info-Tech’s IT Financial Management Practice with a focus on developing financial transparency to foster meaningful dialogue between IT and its stakeholders and drive better technology investment decisions.

    Phil Bode

    Phil Bode
    Principal Research Director
    Info-Tech Research Group

    Phil has 30+ years of experience with IT procurement-related topics: contract drafting and review, negotiations, RFXs, procurement processes, and vendor management. Phil has been a frequent speaker at conferences, a contributor to magazine articles in CIO Magazine and ComputerWorld, and quoted in many other magazines. He is a co-author of the book The Art of Creating a Quality RFP.

    Phil has a Bachelor of Science in Business Administration with a double major of Finance and Entrepreneurship and a Bachelor of Science in Business Administration with a major of Accounting, both from the University of Arizona.

    Research Contributors

    Erin Morgan

    Erin Morgan
    Assistant Vice President, IT Administration
    University of Texas at Arlington

    Renee Stanley

    Renee Stanley
    Assistant Director IT Procurement and Vendor Management
    University of Texas at Arlington

    Note: Additional contributors did not wish to be identified.

    Bibliography

    Andrea, Dave. “Plante Moran’s 2022 Working Relations Index® (WRI) Study shows supplier relations can improve amid industry crisis.” Plante Moran, 25 Aug 2022. Accessed 18 May 2023.
    Andrea, Dave. “Trust between suppliers and OEMs can better prepare you for the next crisis.” Plante Moran, 9 Sept 2020. Accessed 17 May 2023.
    Cleary, Shannon, and Carolan McLarney. “Organizational Benefits of an Effective Vendor Management Strategy.” IUP Journal of Supply Chain Management, Vol. 16, Issue 4, Dec 2019.
    De Backer, Ruth, and Eileen Kelly Rinaudo. “Improving the management of complex business partnerships.” McKinsey, 21 March 2019. Accessed 9 May 2023 .
    Dennean, Kevin et al. “Let's chat about ChatGPT.” UBS, 22 Feb 2023. Accessed 26 May 2023.
    F&I Tools. “Nissan Worldwide Vehicle Sales Report.” Factory Warranty List, 2022. Accessed 18 May 2023.
    Gomez, Robin. “Adopting ChatGPT and Generative AI in Retail Customer Service.” Radial, 235, April 2023. Accessed 10 May 2023.
    Harms, Thomas and Kristina Rogers. “How collaboration can drive value for you, your partners and the planet.” EY, 26 Oct 2021. Accessed 10 May 2023.
    Hedge & Co. “Toyota, Honda finish 1-2; General Motors finishes at 3rd in annual Supplier Working Relations Study.” PR Newswire, 23 May 2022. Accessed 17 May 2023.
    Henke Jr, John W., and T. Thomas. "Lost supplier trust, lost profits." Supply Chain Management Review, May 2014. Accessed 17 May 2023.
    Information Services Group, Inc. “Global Demand for IT and Business Services Continues Upward Surge in Q2, ISG Index™ Finds.” BusinessWire, 7 July 2021. Accessed 8 May 2023.
    Kasanoff, Bruce. “New Study Reveals Costs Of Bad Supplier Relationships.” Forbes, 6 Aug 2014. Accessed 17 May 2023.
    Macrotrends. “Nissan Motor Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
    Macrotrends. “Toyota Gross Profit 2010-2022.” Macrotrends. Accessed 18 May 2023.
    McKinsey. “Mind the [skills] gap.” McKinsey, 27 Jan 2021. Accessed 18 May 2023.
    Morgan, Blake. “7 Examples of How Digital Transformation Impacted Business Performance.” Forbes, 21 Jul 2019. Accessed 10 May 2023.
    Nissan Motor Corporation. “Nissan reports strong financial results for fiscal year 2022.” Nissan Global Newsroom, 11 May 2023. Accessed 18 May 2023.

    Bibliography

    “OpenAI and Microsoft extend partnership.” Open AI, 23 Jan 2023. Accessed 26 May 2023.
    Pearson, Bryan. “The Apple Of Its Aisles: How Best Buy Lured One Of The Biggest Brands.“ Forbes, 23 Apr 2015. Accessed 23 May 2023.
    Perifanis, Nikolaos-Alexandros and Fotis Kitsios. “Investigating the Influence of Artificial Intelligence on Business Value in the Digital Era of Strategy: A Literature Review.” Information, 2 Feb 2023. Accessed 10 May 2023.
    Scott, Tim and Nathan Spitse. “Third-party risk is becoming a first priority challenge.” Deloitte. Accessed 18 May 2023.
    Stanley, Renee. Interview by Kim Osborne Rodriguez, 17 May 2023.
    Statista. “Toyota's retail vehicle sales from 2017 to 2021.” Statista, 27 Jul 2022. Accessed 18 May 2023.
    Tlili, Ahmed, et al. “What if the devil is my guardian angel: ChatGPT as a case study of using chatbots in education.” Smart Learning Environments, 22 Feb 2023. Accessed 9 May 2023.
    Vitasek, Kate. “Outcome-Based Management: What It Is, Why It Matters And How To Make It Happen.” Forbes, 12 Jan 2023. Accessed 9 May 2023.

    Consolidate Your Data Centers

    • Buy Link or Shortcode: {j2store}498|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Center & Facilities Strategy
    • Parent Category Link: /data-center-and-facilities-strategy
    • Data center operating costs continue to escalate as organizations struggle with data center sprawl.
    • While data center consolidation is an attractive option to reduce cost and sprawl, the complexity of these projects makes them extremely difficulty to execute.
    • The status quo is also not an option, as budget constraints and the challenges with managing multiple data centers continues to increase.

    Our Advice

    Critical Insight

    • Despite consolidation being an effective way of addressing sprawl, it is often difficult to secure buy-in and funding from the business.
    • Many consolidation projects suffer cost overruns due to unforeseen requirements and hidden interdependencies which could have been mitigated during the planning phase.
    • Organizations that avoid consolidation projects due to their complexity are just deferring the challenge, while costs and inefficiencies continue to increase.

    Impact and Result

    • Successful data center consolidation will have an immediate impact on reducing data center sprawl. Maximize your chances of success by securing buy-in from the business.
    • Avoid cost overruns and unforeseen requirements by engaging with the business at the start of the process. Clearly define business requirements and establish common expectations.
    • While cost improvements often drive data center consolidation, successful projects will also improve scalability, operational efficiency, and data center redundancy.

    Consolidate Your Data Centers Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should perform a data center consolidation, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Discover

    Identify IT infrastructure systems and establish dependency bundles for the current and target sites.

    • Consolidate Your Data Centers – Phase 1: Discover
    • Data Center Consolidation Data Collection Workbook
    • Data Center Consolidation Project Planning and Prioritization Tool

    2. Plan

    Build a strong business case for data center consolidation by leveraging a TCO analysis and incorporating business requirements.

    • Consolidate Your Data Centers – Phase 2: Plan
    • Data Center Consolidation TCO Comparison Tool
    • Data Center Relocation Vendor Statement of Work Evaluation Tool

    3. Execute

    Streamline the move-day process through effective communication and clear delegation of duties.

    • Consolidate Your Data Centers – Phase 3: Execute
    • Communications Plan Template for Data Center Consolidation
    • Data Center Consolidation Executive Presentation
    • Minute-to-Minute Move Day Script (PDF)
    • Minute-to-Minute Move Day Script (Visio)
    • Data Center Relocation Minute-to-Minute Project Planning and Monitoring Tool

    4. Close

    Close the loop on the data center consolidation project by conducting an effective project retrospective.

    • Consolidate Your Data Centers – Phase 4: Close
    • Data Center Relocation QA Team Project Planning and Monitoring Tool
    • Data Center Move Issue Resolution and Change Order Template
    • Data Center Relocation Wrap-up Checklist
    [infographic]

    Develop the Right Message to Engage Buyers

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Sixty percent of marketers find it hard to produce high-quality content consistently. SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.

    Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:

    • High website bounce rates and low time on site
    • Low page views
    • A low percentage of return visitors
    • Low conversions
    • Low open and click-through rates on email campaigns

    Our Advice

    Critical Insight

    Marketing content that identifies the benefit of the product along with a deep understanding of the buyer pain points, desired value, and benefit proof points is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.

    Impact and Result

    Marketers that activate the SoftwareReviews message mapping architecture will be able to crack the code on the formula for improving open and click-through rates.

    By applying the SoftwareReviews message mapping architecture, clients will be able to:

    • Quickly diagnose the current state of their content marketing effectiveness compared to industry metrics.
    • Compare their current messaging approach versus the key elements of the Message Map Architecture.
    • Create more compelling and relevant content that aligns with a buyer’s needs and journey.
    • Shrink marketing and sales cycles.
    • Increase the pace of content production.

    Develop the Right Message to Engage Buyers Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop the Right Message to Engage Buyers Executive Brief – A mapping architecture to enable marketers to crack the code on the formula for improving open and click-through rates.

    Through this blueprint marketers will learn how to shift content away from low-performing content that only focuses on the product and company to high-performing customer-focused content that answers the “What’s in it for me?” question for a buyer, increasing engagement and conversions.

    Infographic

    Further reading

    Develop the Right Message to Engage Buyers

    Drive higher open rates, time-on-site, and click-through rates with buyer-relevant messaging.

    Analyst Perspective

    Develop the right message to engage buyers.

    Marketers only have seven seconds to capture a visitor's attention but often don't realize that the space between competitors and their company is that narrow. They often miss the mark on content and create reams of product and company-focused messaging that result in high bounce rates, low page views, low return visits, low conversions, and low click-through rates.

    We wouldn't want to sit in a conversation with someone who only speaks about themselves, so why would it be any different when we buy something? Today's marketers must quickly hook their visitors with content that answers the critical question of "What's in it for me?"

    Our research finds that leading content marketers craft messaging that lets their audience ”know they know them,” points out what’s in it for them, and includes proof points of promised value. This simple, yet often missed approach, we call Message Mapping, which helps marketers grab a visitor’s initial attention and when applied throughout the customer journey will turn prospects into customers, lifelong buyers, advocates, and referrals.

    Photo of Terra Higginson, Marketing Research Director, SoftwareReviews.

    Terra Higginson
    Marketing Research Director
    SoftwareReviews

    Executive Summary

    Your Challenge

    Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:

    • High website bounce rates and low time on site
    • Low page views
    • A low percentage of return visitors
    • Low conversions
    • Low open and click-through rates on email campaigns
    Sixty percent of marketers find it hard to produce high-quality content consistently. SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.
    Common Obstacles

    Marketers struggle to create content that quickly engages the buyer because they lack:

    • Resources to create a high volume of quality content.
    • True buyer understanding.
    • Experience in how to align technical messaging with the buyer persona.
    • Easy-to-deploy content strategy tools.
    Even though most marketers will say that it’s important to produce interesting content, only 58% of B2B markers take the time to ask their customers what’s important to them. Without a true and deep understanding of buyers, marketers continue to invest their time and resources in an uninteresting product and company-focused diatribe.
    SoftwareReviews’ Approach

    By applying the SoftwareReviews’ message mapping architecture, clients will be able to:

    • Quickly diagnose the current state of their content marketing effectiveness compared to industry metrics.
    • Compare their current messaging approach against the key elements of the Message Map Architecture.
    • Create more compelling and relevant content that aligns with a buyer’s needs and journey.
    • Shrink marketing and sales cycles.
    • Increase the pace of content production.
    Marketers that activate the SoftwareReviews message mapping architecture will be able to crack the code on the formula for improving open and click-through rates.

    SoftwareReviews Insight

    Marketing content that identifies the benefit of the product, along with a deep understanding of the buyer pain points, desired value, and benefit proof-points, is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.

    Your Challenge

    65% of marketers find it challenging to produce engaging content.

    Globally, B2B SaaS marketers without the ability to consistently produce and activate quality content will experience:

    • High website bounce rates and low time on site
    • Low page views
    • A low percentage of return visitors
    • Low conversions
    • Low open and click-through rates on email campaigns

    A staggering 60% of marketers find it hard to produce high-quality content consistently and 62% don’t know how to measure the ROI of their campaigns according to OptinMonster.

    SaaS marketers have an even more difficult job due to the technical nature of content production. Without an easy content development strategy, marketers have an insurmountable task of continually creating interesting content for an audience they don’t understand.


    Over 64% of marketers want to learn how to build a better content
    (Source: OptinMonster, 2021)

    Benchmark your content marketing

    Do your content marketing metrics meet the industry-standard benchmarks for the software industry?
    Visualization of industry benchmarks for 'Bounce Rate', 'Organic CTR', 'Pages/Session', 'Average Session Duration', '% of New Sessions', 'Email Open Rate', 'Email CTR', and 'Sales Cycle Length (Days)' with sources linked below.
    GrowRevenue, MarketingSherpa, Google Analytics, FirstPageSage, Google Analytics, HubSpot
    • Leaders will measure content marketing performance against these industry benchmarks.
    • If your content performance falls below these benchmarks, your content architecture may be missing the mark with prospective buyers.

    Common flaws in content messaging

    Why do marketers have a hard time consistently producing messaging that engages the buyer?

    Mistake #1

    Myopic Focus on Company and Product

    Content suffers a low ROI due to a myopic focus on the company and the product. This self-focused content fails to engage prospects and move them through the funnel.

    Mistake #2

    WIIFM Question Unanswered

    Content never answers the fundamental “What’s in it for me?” question due to a lack of true buyer understanding. This leads to an inability to communicate the value proposition to the prospect.

    Mistake #3

    Inability to Select the Right Content Format

    Marketers often guess what kind of content their buyers prefer without any real understanding or research behind what buyers would actually want to consume.

    Leaders Will Avoid the “Big Three” Pitfalls
    • While outdated content, poor content organization on your website, and poor SEO are additional strategic factors (outside the scope of this research), poor messaging structure will doom your content marketing strategy.
    • Leaders will be vigilant to diagnose current messaging structure and avoid:
      1. Making messaging all about you and your company.
      2. Failing to describe what’s in it for your prospects.
      3. Often guessing at what approach to use when structuring your messaging.

    Implications of poor content

    Without quality content, the sales and marketing cycles elongate and content marketing metrics suffer.
    • Lost sales: Research shows that B2B buyers are 57-70% done with their buying research before they ever contact sales.(Worldwide Business Research, 2022)
    • The buyer journey is increasingly digital: Research shows that 67% of the buyer's journey is now done digitally.(Worldwide Business Research, 2022)
    • Wasted time: In a Moz study of 750,000 pieces of content, 50% had zero backlinks, indicating that no one felt these assets were interesting enough to reference or share. (Moz, 2015)
    • Wasted money: SaaS companies spend $342,000 to $1,080,000 per year (or more) on content marketing. (Zenpost, 2022) The wrong content will deliver a poor ROI.

    50% — Half of the content produced has no backlinks. (Source: Moz, 2015)

    Content matters more than ever since 67% of the buyer's journey is now done digitally. (Source: Worldwide Business Research, 2022)

    Benefits of good content

    A content mapping approach lets content marketers:
    • Create highly personalized content. Content mapping helps marketers to create highly targeted content at every stage of the buyer’s journey, helping to nurture leads and prospects toward a purchase decision.
    • Describe “What’s in it for me?” to buyers. Remember that you aren’t your customer. Good content quickly answers the question “What’s in it for me?” (WIIFM) developed from the findings of the buyer persona. WIIFM-focused content engages a prospect within seven seconds.
    • Increase marketing ROI. Content marketing generates leads three times greater than traditional marketing (Patel, 2016).
    • Influence prospects. Investing in a new SaaS product isn’t something buyers do every day. In a new situation, people will often look to others to understand what they should do. Good content uses the principles of authority and social proof to build the core message of WIIFM. Authority can be conferred with awards and accolades, whereas social proof is given through testimonials, case studies, and data.
    • Build competitive advantage. Increase competitive advantage by providing content that aligns with the ideal client profile. Fifty-two percent of buyers said they were more likely to buy from a vendor after reading its content (1827 Marketing, 2022).
    Avoid value claiming. Leaders will use client testimonials as proof points because buyers believe peers more than they believe you.

    “… Since 95 percent of the people are imitators and only 5 percent initiators, people are persuaded more by the actions of others than by any proof we can offer. (Robert Cialdini, Influence: The Psychology of Persuasion)

    Full slide: 'Message Map Architecture'.

    Full slide: 'Message Map Template' with field descriptions and notes.

    Full slide: 'Message Map Template' with field descriptions, no notes.

    Full slide: 'Message Map Template' with blank fields.

    Full slide: 'Message Map Template' with 'Website Example segment.com' filled in fields.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Full slide: 'Website Example segment.com' the website as it appears online with labels on the locations of elements of the message map.

    Email & Social Post Example

    Use the message mapping architecture to create other types of content.

    Examples of emails and social media posts as they appear online with labels on the locations of elements of the message map.

    Insight Summary

    Create Content That Matters

    Marketing content that identifies the benefit of the product along with a deep understanding of the buyer pain points, desired value, and benefit proof-points is a key driver in delivering value to a prospect, thereby increasing marketing metrics such as open rates, time on site, page views, and click-through rates.

    What’s in It for Me?

    Most content has a focus on the product and the company. Content that lacks a true and deep understanding of the buyer suffers low engagement and low conversions. Our research shows that all content must answer ”What’s in it for me?” for a prospect.

    Social Proof & Authority

    Buyers that are faced with a new and unusual buying experience (such as purchasing SaaS) look at what others say about the product (social proof) and what experts say about the product (authority) to make buying decisions.

    Scarcity & Loss Framing

    Research shows that scarcity is a strong principle of influence that can be used in marketing messages. Loss framing is a variation of scarcity and can be used by outlining what a buyer will lose instead of what will be gained.

    Unify the Experience

    Use your message map to structure all customer-facing content across Sales, Product, and Marketing and create a unified and consistent experience across all touchpoints.

    Close the Gap

    SaaS marketers often find the gap between product and company-focused content and buyer-focused content to be so insurmountable that they never manage to overcome it without a framework like message mapping.

    Related SoftwareReviews Research

    Sample of 'Create a Buyer Persona and Journey' blueprint.

    Create a Buyer Persona and Journey

    Make it easier to market, sell, and achieve product-market fit with deeper buyer understanding.
    • Reduce time and treasure wasted chasing the wrong prospects.
    • Improve product-market fit.
    • Increase open and click-through rates in your lead gen engine.
    • Perform more effective sales discovery and increase eventual win rates.
    Sample of 'Diagnose Brand Health to Improve Business Growth' blueprint.

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix it.
    • Importance of brand is recognized, endorsed, and prioritized.
    • Support and resources allocated.
    • All relevant data and information collected in one place.
    • Ability to make data-driven recommendations and decisions on how to improve.
    Sample of 'Build a More Effective Go-to-Market Strategy' blueprint.

    Build a More Effective Go-to-Market Strategy

    Creating a compelling Go-to-Market strategy, and keeping it current, is a critical software company function – as important as financial strategy, sales operations, and even corporate business development – given its huge impact on the many drivers of sustainable growth.
    • Align stakeholders on a common vision and execution plan.
    • Build a foundation of buyer and competitive understanding.
    • Deliver a team-aligned launch plan that enables commercial success.

    Bibliography

    Arakelyan, Artash. “How SaaS Companies Increase Their ROI With Content Marketing.” Clutch.co, 27 July 2018. Accessed July 2022.

    Bailyn, Evan. “Average Session Duration: Industry Benchmarks.” FirstPageSage, 16 March 2022. Accessed July 2022.

    Burstein, Daniel. “Marketing Research Chart: Average clickthrough rates by industry.” MarketingSherpa, 1 April 2014. Accessed July 2022.

    Cahoon, Sam. “Email Open Rates By Industry (& Other Top Email Benchmarks).” HubSpot, 10 June 2021. Accessed July 2022.

    Cialdini, Robert. Influence: Science and Practice. 5th ed. Pearson, 29 July 2008. Print.

    Cialdini, Robert. Influence: The Psychology of Persuasion. Revised ed. Harper Business, 26 Dec. 2006. Print.

    Content Marketing—Statistics, Evidence and Trends.” 1827 Marketing, 7 Jan. 2022. Accessed July 2022.

    Devaney, Erik. “Content Mapping 101: The Template You Need to Personalize Your Marketing.” HubSpot, 21 April 2022. Accessed July 2022.

    Hiscox Business Insurance. “Growing Your Business--and Protecting It Every Step of the Way.” Inc.com. 25 April 2022. Accessed July 2022.

    Hurley Hall, Sharon. “85 Content Marketing Statistics To Make You A Marketing Genius.” OptinMonster, 14 Jan. 2021. Accessed July 2022.

    Patel, Neil. “38 Content Marketing Stats That Every Marketer Needs to Know.” NeilPatel.com, 21 Jan. 2016. Web.

    Prater, Meg. “SaaS Sales: 7 Tips on Selling Software from a Top SaaS Company.” HubSpot, 9 June 2021. Web.

    Polykoff, Dave. “20 SaaS Content Marketing Statistics That Lead to MRR Growth in 2022.” Zenpost blog, 22 July 2022. Web.

    Rayson, Steve. “Content, Shares, and Links: Insights from Analyzing 1 Million Articles.” Moz, 8 Sept. 2015. Accessed July 2022.

    “SaaS Content Marketing: How to Measure Your SaaS Content’s Performance.” Ken Moo, 9 June 2022. Accessed July 2022.

    Taylor Gregory, Emily. “Content marketing challenges and how to overcome them.” Longitude, 14 June 2022. Accessed July 2022.

    Visitors Benchmarking Channels. Google Analytics, 2022. Accessed July 2022.

    WBR Insights. “Here's How the Relationship Between B2B Buying, Content, and Sales Reps Has Changed.” Worldwide Business Research, 2022. Accessed July 2022.

    “What’s a good bounce rate? (Here’s the average bounce rate for websites).” GrowRevenue.io, 24 Feb. 2020. Accessed July 2022.

    Tame the Project Backlog

    • Buy Link or Shortcode: {j2store}439|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Unmanaged project backlogs can become the bane of IT departments, tying IT leaders and PMO staff down to an ever-growing receptacle of project ideas that provides little by way of strategic value and that typically represents a lack of project intake and approval discipline.
    • Decision makers frequently use the backlog to keep the peace. Lacking the time to assess the bulk of requests, or simply wanting to avoid difficult conversations with stakeholders, they “approve” everything and leave it to IT to figure it out.
    • As IT has increasing difficulty assessing – let alone starting – any of the projects in the backlog, stakeholder relations suffer. Requestors view inclusion in the backlog as a euphemism for “declined,” and often characterize the backlog as the place where good project ideas go to die.
    • Faced with these challenges, you need to make your project backlog more useful and reliable. The backlog may contain projects worth doing, but in its current untamed state, you have difficulty discerning, let alone capitalizing upon, those instances of value.

    Our Advice

    Critical Insight

    • Project backlogs are an investment and need to be treated as such. Incurring a cost impact that can be measured in terms of time and money, the backlog needs to be actively managed to ensure that you’re investing wisely and getting a good return in terms of strategic value and project throughput.
    • Unmanageable project backlogs are rooted in bad habits and poorly-defined processes. Identifying the sources that fuel backlog growth is key to long-term success. Unless the problem is addressed at the root, any gains made in the near-term will simply fade away as old, unhealthy habits re-emerge and take hold.
    • Backlog management should facilitate executive awareness about the status of backlog items as new work is being approved. In the long run, this ongoing executive engagement will not only help to keep the backlog manageable, but it will also help to bring more even workloads to IT project staff.

    Impact and Result

    • Keep the best, forget the rest. Develop a near-term approach to limit the role of the backlog to include only those items that add value to the business.
    • Shine a light. Improve executive visibility into the health and status of the backlog so that the backlog is taken into account when decision makers approve new work.
    • Evolve the organizational culture. Effectively employ organizational change management practices to evolve the culture that currently exists around the project backlog in order to ensure customer-service needs are more effectively addressed.
    • Ensure long-term sustainability. Institute processes to make sure that your list of pending projects – should you still require one after implementing this blueprint – remains minimal, maintainable, and of high value.

    Tame the Project Backlog Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how a more disciplined approach to managing your project backlog can help you realize increased value and project throughput.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a project backlog battle plan

    Calculate the cost of the project backlog and assess the root causes of its unmanageability.

    • Tame the Project Backlog – Phase 1: Create a Backlog Battle Plan
    • Project Backlog ROI Calculator

    2. Execute a near-term backlog cleanse

    Increase the manageability of the backlog by updating stale requests and removing dead weight.

    • Tame the Project Backlog – Phase 2: Execute a Near-Term Backlog Cleanse
    • Project Backlog Management Tool
    • Project Backlog Stakeholder Communications Template

    3. Ensure long-term backlog manageability

    Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.

    • Tame the Project Backlog – Phase 3: Ensure Long-Term Backlog Manageability
    • Project Backlog Operating Plan Template
    • Project Backlog Manager
    [infographic]

    Workshop: Tame the Project Backlog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Create a Project Backlog Battle Plan

    The Purpose

    Gauge the manageability of your project backlog in its current state.

    Calculate the total cost of your project backlog investments.

    Determine the root causes that contribute to the unmanageability of your project backlog.

    Key Benefits Achieved

    An understanding of the organizational need for more disciplined backlog management.

    Visibility into the costs incurred by the project backlog.

    An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.

    Activities

    1.1 Calculate the sunk and marginal costs that have gone into your project backlog.

    1.2 Estimate the throughput of backlog items.

    1.3 Survey the root causes of your project backlog.

    Outputs

    The total estimated cost of the project backlog.

    A project backlog return-on-investment score.

    A project backlog root cause analysis.

    2 Execute a Near-Term Project Backlog Cleanse

    The Purpose

    Identify the most organizationally appropriate goals for your backlog cleanse.

    Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.

    Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance. 

    Key Benefits Achieved

    An effective, achievable, and organizationally right-sized approach to cleansing the backlog.

    Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.

    A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick. 

    Activities

    2.1 Establish roles and responsibilities for the near-term cleanse.

    2.2 Determine cleanse scope.

    2.3 Develop backlog prioritization criteria.

    2.4 Prepare a communication strategy.

    Outputs

    Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.

    Clearly defined and achievable goals.

    Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.

    A communication strategy to minimize stakeholder friction and resistance.

    3 Ensure Long-Term Project Backlog Manageability

    The Purpose

    Ensure ongoing backlog manageability.

    Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.

    Customize a best-practice toolkit to help keep the project backlog useful. 

    Key Benefits Achieved

    A list of pending projects that is minimal, maintainable, and of high value.

    Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.

    A backlog management tool and processes for ongoing manageability. 

    Activities

    3.1 Develop a project backlog management operating model.

    3.2 Configure a project backlog management solution.

    3.3 Assign roles and responsibilities for your long-term project backlog management processes.

    3.4 Customize a project backlog management operating plan.

    Outputs

    An operating model to structure your long-term strategy around.

    A right-sized management tool to help enable your processes and executive visibility into the backlog.

    Defined accountabilities for executing project backlog management responsibilities.

    Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.

    Drive Digital Transformation With Platform Strategies

    • Buy Link or Shortcode: {j2store}78|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $3,750 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Enterprise is grappling with the challenges of existing business models and strategies not leading to desired outcomes.
    • Enterprise is struggling to remain competitive.
    • Enterprise wants to understand how to leverage platform strategies and a digital platform.

    Our Advice

    Critical Insight

    To remain competitive enterprises must renew and refresh their business model strategies and design/develop digital platforms – this requires enterprises to:

    • Understand how digital-native enterprises are using platform business models and associated strategies.
    • Understand their core assets and strengths and how these can be leveraged for transformation.
    • Understand the core characteristics and components of a digital platform so that they can design digital platform(s) for their enterprise.
    • Ask if the client’s digital transformation (DX) strategy is aligned with a digital platform enablement strategy.
    • Ask if the enterprise has paid attention to the structure, culture, principles, and practices of platform teams.

    Impact and Result

    Organizations that implement this project will gain benefits in five ways:

    • Awareness and understanding of various platform strategies.
    • Application of specific platform strategies within the context of the enterprise.
    • Awareness of their existing business mode, core assets, value proposition, and strengths.
    • Alignment between DX themes and platform enablement themes so enterprises can develop roadmaps that gauge successful DX.
    • Design of a digital platform, including characteristics, components, and team characteristics, culture, principles, and practices.

    Drive Digital Transformation With Platform Strategies Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should consider the platform business model and a digital platform to remain competitive.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set goals for your platform business model

    Understand the platform business model and strategies and then set your platform business model goals.

    • Drive Digital Transformation With Platform Strategies – Phase 1: Set Goals for Your Platform Business Model
    • Business Platform Playbook

    2. Configure digital platform

    Define design goals for your digital platform. Align your DX strategy with digital platform capabilities and understand key components of the digital platform.

    • Drive Digital Transformation With Platform Strategies – Phase 2: Configure Your Digital Platform
    • Digital Platform Playbook
    [infographic]

    Workshop: Drive Digital Transformation With Platform Strategies

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Platform Business Model and Strategies

    The Purpose

    Understand existing business model, value proposition, and key assets.

    Understand platform business model and strategies.

    Key Benefits Achieved

    Understanding the current assets helps with knowing what can be leveraged in the new business model/transformation.

    Understanding the platform strategies can help the enterprise renew/refresh their business model.

    Activities

    1.1 Document the current business model along with value proposition and key assets (that provide competitive advantage).

    1.2 Transformation narrative.

    1.3 Platform model canvas.

    1.4 Document the platform strategies in the context of the enterprise.

    Outputs

    Documentation of current business model along with value proposition and key assets (that provide competitive advantage).

    Documentation of the selected platform strategies.

    2 Planning for Platform Business Model

    The Purpose

    Understand transformation approaches.

    Understand various layers of platforms.

    Ask fundamental and evolutionary questions about the platform.

    Key Benefits Achieved

    Understanding of the transformational model so that the enterprise can realize the differences.

    Understanding of the organization’s strengths and weaknesses for a DX.

    Extraction of strategic themes to plan and develop a digital platform roadmap.

    Activities

    2.1 Discuss and document decision about DX approach and next steps.

    2.2 Discuss and document high-level strategic themes for platform business model and associated roadmap.

    Outputs

    Documented decision about DX approach and next steps.

    Documented high-level strategic themes for platform business model and associated roadmap.

    3 Digital Platform Strategy

    The Purpose

    Understand the design goals for the digital platform.

    Understand gaps between the platform’s capabilities and the DX strategy.

    Key Benefits Achieved

    Design goals set for the digital platform that are visible to all stakeholders.

    Gap analysis performed between enterprise’s digital strategy and platform capabilities; this helps understand the current situation and thus informs strategies and roadmaps.

    Activities

    3.1 Discuss and document design goals for digital platform.

    3.2 Discuss DX themes and platform capabilities – document the gaps.

    3.3 Discuss gaps and strategies along with timelines.

    Outputs

    Documented design goals for digital platform.

    Documented DX themes and platform capabilities.

    DX themes and platform capabilities map.

    4 Digital Platform Design: Key Components

    The Purpose

    Understanding of key components of a digital platform, including technology and teams.

    Key Benefits Achieved

    Understanding of the key components of a digital platform and designing the platform.

    Understanding of the team structure, culture, and practices needed for successful platform engineering teams.

    Activities

    4.1 Confirmation and discussion on existing UX/UI and API strategies.

    4.2 Understanding of microservices architecture and filling of microservices canvas.

    4.3 Real-time stream processing data pipeline and tool map.

    4.4 High-level architectural view.

    4.5 Discussion on platform engineering teams, including culture, structure, principles, and practices.

    Outputs

    Filled microservices canvas.

    Documented real-time stream processing data pipeline and tool map.

    Documented high-level architectural view.

    Reduce Time to Consensus With an Accelerated Business Case

    • Buy Link or Shortcode: {j2store}286|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Business Analysis
    • Parent Category Link: /business-analysis
    • Enterprise application initiatives are complex, expensive, and require a significant amount of planning before initiation.
    • A financial business case is sometimes used to justify these initiatives.
    • Once the business case (and benefits therein) are approved, the case is forgotten, eliminating a critical check and balance of benefit realization.

    Our Advice

    Critical Insight

    1. Frame the conversation.

    Understand the audience and forum for the business case to best frame the conversation.

    2. Time-box the process of building the case.

    More time should be spent on performing the action rather than building the case.

    3. The business case is a living document.

    The business case creates the basis for review of the realization of the proposed business benefits once the procurement is complete.

    Impact and Result

    • Understand the drivers for decision making in your organization, and the way initiatives are evaluated.
    • Compile a compelling business case that provides decision makers with sufficient information to make decisions confidently.
    • Evaluate proposed enterprise application initiatives “apples-to-apples” using a standardized and repeatable methodology.
    • Provide a mechanism for tracking initiative performance during and after implementation.

    Reduce Time to Consensus With an Accelerated Business Case Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a business case for enterprise application investments, review Info-Tech’s methodology, and understand how we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gather the required information

    Complete the necessary preceding tasks to building the business case. Rationalize the initiative under consideration, determine the organizational decision flow following a stakeholder assessment, and conduct market research to understand the options.

    • Reduce Time to Consensus With an Accelerated Business Case – Phase 1: Gather the Required Information
    • Business Case Readiness Checklist
    • Business Case Workbook
    • Request for Information Template
    • Request for Quotation Template

    2. Conduct the business case analysis

    Conduct a thorough assessment of the initiative in question. Define the alternatives under consideration, identify tangible and intangible benefits for each, aggregate the costs, and highlight any risks.

    • Reduce Time to Consensus With an Accelerated Business Case – Phase 2: Conduct the Business Case Analysis

    3. Make the case

    Finalize the recommendation based on the analysis and create a business case presentation to frame the conversation for key stakeholders.

    • Reduce Time to Consensus With an Accelerated Business Case – Phase 3: Make the Case
    • Full-Form Business Case Presentation Template
    • Summary Business Case Presentation Template
    • Business Case Change Log
    • Business Case Close-Out Form
    [infographic]

    Workshop: Reduce Time to Consensus With an Accelerated Business Case

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan for Business Case Development

    The Purpose

    Complete the necessary preceding tasks to building a strong business case.

    Key Benefits Achieved

    Alignment with business objectives.

    Stakeholder buy-in.

    Activities

    1.1 Map the decision flow in your organization.

    1.2 Define the proposed initiative.

    1.3 Define the problem/opportunity statement.

    1.4 Clarify goals and objectives expected from the initiative.

    Outputs

    Decision traceability

    Initiative summary

    Problem/opportunity statement

    Business objectives

    2 Build the Business Case Model

    The Purpose

    Put together the key elements of the business case including alternatives, benefits, and costs.

    Key Benefits Achieved

    Rationalize the business case.

    Activities

    2.1 Design viable alternatives.

    2.2 Identify the tangible and intangible benefits.

    2.3 Assess current and future costs.

    2.4 Create the financial business case model.

    Outputs

    Shortlisted alternatives

    Benefits tracking model

    Total cost of ownership

    Impact analysis

    3 Enhance the Business Case

    The Purpose

    Determine more integral factors in the business case such as ramp-up time for benefits realization as well as risk assessment.

    Key Benefits Achieved

    Complete a comprehensive case.

    Activities

    3.1 Determine ramp-up times for costs and benefits.

    3.2 Identify performance measures and tracking.

    3.3 Assess initiative risk.

    Outputs

    Benefits realization schedule

    Performance tracking framework

    Risk register

    4 Prepare the Business Case

    The Purpose

    Finalize the recommendation and formulate the business case summary and presentation.

    Key Benefits Achieved

    Prepare the business case presentation.

    Activities

    4.1 Choose the alternative to be recommended.

    4.2 Create the detailed and summary business case presentations.

    4.3 Present and incorporate feedback.

    4.4 Monitor and close out.

    Outputs

    Final recommendation

    Business case presentation

    Final sign-off

    Streamline Application Maintenance

    • Buy Link or Shortcode: {j2store}402|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: 20 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Maintenance
    • Parent Category Link: /maintenance
    • Application maintenance teams are accountable for the various requests and incidents coming from a variety business and technical sources. The sheer volume and variety of requests create unmanageable backlogs.
    • The increasing complexity and reliance on technology within the business has set unrealistic expectations on maintenance teams. Stakeholders expect teams to accommodate maintenance without impact on project schedules.

    Our Advice

    Critical Insight

    • Improving maintenance’s focus and attention may mean doing less but more valuable work. Teams need to be realistic about what can be committed and be prepared to justify why certain requests have to be pushed down the backlog (e.g. lack of business value, high risks).
    • Maintenance must be treated like any other development activity. The same intake and prioritization practices and quality standards must be upheld, and best practices followed.

    Impact and Result

    • Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns, and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
    • Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance requests in order to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
    • Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

    Streamline Application Maintenance Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to understand the common struggles found in application maintenance, their root causes, and the Info-Tech methodology to overcoming these hurdles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your maintenance priorities

    Understand the stakeholder priorities driving changes in your application maintenance practice.

    • Streamline Application Maintenance – Phase 1: Assess the Current Maintenance Landscape
    • Application Maintenance Operating Model Template
    • Application Maintenance Resource Capacity Assessment
    • Application Maintenance Maturity Assessment

    2. Instill maintenance governance

    Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.

    • Streamline Application Maintenance – Phase 2: Develop a Maintenance Release Schedule

    3. Enhance triaging and prioritization practices

    Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities

    4. Streamline maintenance delivery

    Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.

    • Streamline Application Maintenance – Phase 4: Streamline Maintenance Delivery
    • Application Maintenance Business Case Presentation Document
    [infographic]

    Workshop: Streamline Application Maintenance

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Maintenance Priorities

    The Purpose

    Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.

    Understand any current issues that are affecting your maintenance practice.

    Key Benefits Achieved

    Awareness of business and IT priorities.

    An understanding of the maturity of your maintenance practices and identification of issues to alleviate.

    Activities

    1.1 Define priorities for enhanced maintenance practices.

    1.2 Conduct a current state assessment of your application maintenance practices.

    Outputs

    List of business and technical priorities

    List of the root-cause issues, constraints, and opportunities of current maintenance practice

    2 Instill Maintenance Governance

    The Purpose

    Define the processes, roles, and points of communication across all maintenance activities.

    Key Benefits Achieved

    An in-depth understanding of all maintenance activities and what they require to function effectively.

    Activities

    2.1 Modify your maintenance process.

    2.2 Define your maintenance roles and responsibilities.

    Outputs

    Application maintenance process flow

    List of metrics to gauge success

    Maintenance roles and responsibilities

    Maintenance communication flow

    3 Enhance Triaging and Prioritization Practices

    The Purpose

    Understand in greater detail the process and people involved in receiving and triaging a request.

    Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.

    Understand backlog management and release planning tactics to accommodate maintenance.

    Key Benefits Achieved

    An understanding of the stakeholders needed to assess and approve requests.

    The criteria used to build a tailored prioritization scheme.

    Tactics for efficient use of resources and ideal timing of the delivery of changes.

    A process that ensures maintenance teams are always working on tasks that are valuable to the business.

    Activities

    3.1 Review your maintenance intake process.

    3.2 Define a request prioritization scheme.

    3.3 Create a set of practices to manage your backlog and release plans.

    Outputs

    Understanding of the maintenance request intake process

    Approach to assess the impact, urgency, and severity of requests for prioritization

    List of backlog management grooming and release planning practices

    4 Streamline Maintenance Delivery

    The Purpose

    Understand how to apply development best practices and quality standards to application maintenance.

    Learn the methods for monitoring and visualizing maintenance work.

    Key Benefits Achieved

    An understanding of quality standards and the scenarios for where they apply.

    The tactics to monitor and visualize maintenance work.

    Streamlined maintenance delivery process with best practices.

    Activities

    4.1 Define approach to monitor maintenance work.

    4.2 Define application quality attributes.

    4.3 Discuss best practices to enhance maintenance development and deployment.

    Outputs

    Taskboard structure and rules

    Definition of application quality attributes with user scenarios

    List of best practices to streamline maintenance development and deployment

    5 Finalize Your Maintenance Practice

    The Purpose

    Create a target state built from appropriate metrics and attainable goals.

    Consider the required items and steps for the implementation of your optimization initiatives.

    Key Benefits Achieved

    A realistic target state for your optimized application maintenance practice.

    A well-defined and structured roadmap for the implementation of your optimization initiatives.

    Activities

    5.1 Refine your target state maintenance practices.

    5.2 Develop a roadmap to achieve your target state.

    Outputs

    Finalized application maintenance process document

    Roadmap of initiatives to achieve your target state

    Become a Strategic CIO

    • Buy Link or Shortcode: {j2store}80|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • As a CIO, you are currently operating in a stable and trusted IT environment, but you would like to advance your role to strategic business partner.
    • CIOs are often overlooked as a strategic partner by their peers, and therefore face the challenge of proving they deserve a seat at the table.

    Our Advice

    Critical Insight

    • To become a strategic business partner, you must think and act as a business person that works in IT, rather than an IT person that works for the business.
    • Career advancement is not a solo effort. Building relationships with your executive business stakeholders will be critical to becoming a respected business partner.

    Impact and Result

    • Create a personal development plan and stakeholder management strategy to accelerate your career and become a strategic business partner. For a CIO to be considered a strategic business partner, he or she must be able to:
      • Act as a business person that works in IT, rather than an IT person that works for the business. This involves meeting executive stakeholder expectations, facilitating innovation, and managing stakeholder relationships.
      • Align IT with the customer. This involves providing business stakeholders with information to support stronger decision making, keeping up with disruptive technologies, and constantly adapting to the ever-changing end-customer needs.
      • Manage talent and change. This involves performing strategic workforce planning, and being actively engaged in identifying opportunities to introduce change in your organization, suggesting ways to improve, and then acting on them.

    Become a Strategic CIO Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should become a strategic CIO, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch

    Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.

    • Become a Strategic CIO – Phase 1: Launch

    2. Assess

    Evaluate strategic CIO competencies and business stakeholder relationships.

    • Become a Strategic CIO – Phase 2: Assess
    • CIO Strategic Competency Evaluation Tool
    • CIO Stakeholder Power Map Template

    3. Plan

    Create a personal development plan and stakeholder management strategy.

    • Become a Strategic CIO – Phase 3: Plan
    • CIO Personal Development Plan
    • CIO Stakeholder Management Strategy Template

    4. Execute

    Develop a scorecard to track personal development initiatives.

    • Become a Strategic CIO – Phase 4: Execute
    • CIO Strategic Competency Scorecard
    [infographic]

    Workshop: Become a Strategic CIO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Competencies & Stakeholder Relationships

    The Purpose

    Gather and review information from business stakeholders.

    Assess strategic CIO competencies and business stakeholder relationships.

    Key Benefits Achieved

    Gathered information to create a personal development plan and stakeholder management strategy.

    Analyzed the information from diagnostics and determined the appropriate next steps.

    Identified and prioritized strategic CIO competency gaps.

    Evaluated the power, impact, and support of key business stakeholders.

    Activities

    1.1 Conduct CIO Business Vision diagnostic

    1.2 Conduct CXO-CIO Alignment program

    1.3 Assess CIO competencies

    1.4 Assess business stakeholder relationships

    Outputs

    CIO Business Vision results

    CXO-CIO Alignment Program results

    CIO competency gaps

    Executive Stakeholder Power Map

    2 Take Control of Your Personal Development

    The Purpose

    Create a personal development plan and stakeholder management strategy.

    Track your personal development and establish checkpoints to revise initiatives.

    Key Benefits Achieved

    Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.

    Identified key performance indicators and benchmarks/targets to track competency development.

    Activities

    2.1 Create a personal development plan

    2.2 Create a stakeholder management strategy

    2.3 Establish key performance indicators and benchmarks/targets

    Outputs

    Personal Development Plan

    Stakeholder Management Strategy

    Strategic CIO Competency Scorecard

    Renovate the Data Center

    • Buy Link or Shortcode: {j2store}497|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Center & Facilities Optimization
    • Parent Category Link: /data-center-and-facilities-optimization
    • 33% of enterprises will be undertaking facility upgrades or refreshes in 2010 aimed at extending the life of their existing data centers.
    • Every upgrade or refresh targeting specific components in the facility to address short-term pain will have significant impact on the data center environment as a whole. Planning upfront and establishing a clear project scope will minimize expensive changes in later years.
    • This solution set will provide you with step-by-step design, planning, and selection tools to define a Data Center renovation plan to reduce cost and risk while supporting cost-effective long-term growth for power, cooling, standby power, and fire protection renovations.

    Our Advice

    Critical Insight

    • 88% of organizations cited they would spend more time and effort on documenting and identifying facility requirements for initial project scoping. Organizations can prevent scope creep by conducting the necessary project planning up front and identify requirements and the effect that the renovation project will have in all areas of the data center facility.
    • Data Center facilities renovations must include the specific requirements related to power provisioning, stand-by power, cooling, and fire protection - not just the immediate short-term pain.
    • 39% of organizations cited they would put more emphasis on monitoring contractor management and performance to improve the outcome of the data center renovation project.

    Impact and Result

    • Early internal efforts to create a budget and facility requirements yields better cost and project outcomes when construction begins. Each data center renovation project is unique and should have its own detailed budget.
    • Upfront planning and detailed project scoping can prevent a cascading impact on data center renovation projects to other areas of the data center that can increase project size, scope and spend.
    • Contractor selection is one of the most important first steps in a complex data center renovation. Organizations must ensure the contractor selected has experience specifically in data center renovation.

    Renovate the Data Center Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and understand the renovation project.

    • Storyboard: Renovate the Data Center
    • None
    • Data Center Annual Review Checklist

    2. Renovate power in the data center.

    • Data Center Power Requirements Calculator

    3. Renovate cooling in the data center.

    • Data Center Cooling Requirements Calculator

    4. Renovate standby power in the data center.

    • Data Center Standby Power Requirements Calculator

    5. Define current and future fire protection requirements.

    • Fire Protection & Suppression Engineer Selection Criteria Checklist
    • None

    6. Assess the opportunities and establish a clear project scope.

    • Data Center Renovation Project Charter
    • Data Center Renovation Project Planning & Monitoring Tool

    7. Establish a budget for the data center renovation project.

    • Data Center Renovation Budget Tool

    8. Select a general contractor to execute the project.

    • None
    • Data Center Renovation Contractor Scripted Interview
    • Data Center Renovation Contractor Scripted Interview Scorecard
    • Data Center Renovation Contractor Reference Checklist
    [infographic]

    Create and Manage Enterprise Data Models

    • Buy Link or Shortcode: {j2store}340|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $7,263 Average $ Saved
    • member rating average days saved: 16 Average Days Saved
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Business executives don’t understand the value of Conceptual and Logical Data Models and how they define their data assets.
    • Data, like mercury, is difficult to manage and contain.
    • IT needs to justify the time and cost of developing and maintaining Data Models.
    • Data as an asset is only perceived from a physical point of view, and the metadata that provides context and definition is often ignored.

    Our Advice

    Critical Insight

    • Data Models tell the story of the organization and its data in pictures to be used by a business as a tool to evolve the business capabilities and processes.
    • Data Architecture and Data Modeling have different purposes and should be represented as two distinct processes within the software development lifecycle (SDLC).
    • The Conceptual Model provides a quick win for both business and IT because it can convey abstract business concepts and thereby compartmentalize the problem space.

    Impact and Result

    • A Conceptual Model can be used to define the semantics and relationships for your analytical layer.
      • It provides a visual representation of your data in the semantics of business.
      • It acts as the anchor point for all data lineages.
      • It can be used by business users and IT for data warehouse and analytical planning.
      • It provides the taxonomies for data access profiles.
      • It acts as the basis for your Enterprise Logical and Message Models.

    Create and Manage Enterprise Data Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create enterprise data models, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Setting the stage

    Prepare your environment for data architecture.

    • Enterprise Data Models

    2. Revisit your SDLC

    Revisit your SDLC to embed data architecture.

    • Enterprise Architecture Tool Selection

    3. Develop a Conceptual Model

    Create and maintain your Conceptual Data Model via an iterative process.

    4. Data Modeling Playbook

    View the main deliverable with sample models.

    • Data Modeling Playbook
    [infographic]

    Workshop: Create and Manage Enterprise Data Models

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Data Architecture Practice

    The Purpose

    Understand the context and goals of data architecture in your organization.

    Key Benefits Achieved

    A foundation for your data architecture practice.

    Activities

    1.1 Review the business context.

    1.2 Obtain business commitment and expectations for data architecture.

    1.3 Define data architecture as a discipline, its role, and the deliverables.

    1.4 Revisit your SDLC to embed data architecture.

    1.5 Modeling tool acquisition if required.

    Outputs

    Data Architecture vision and mission and governance.

    Revised SDLC to include data architecture.

    Staffing strategy.

    Data Architecture engagement protocol.

    Installed modeling tool.

    2 Business Architecture and Domain Modeling

    The Purpose

    Identify the concepts and domains that will inform your data models.

    Key Benefits Achieved

    Defined concepts for your data models.

    Activities

    2.1 Revisit business architecture output.

    2.2 Business domain selection.

    2.3 Identify business concepts.

    2.4 Organize and group of business concepts.

    2.5 Build the Business Data Glossary.

    Outputs

    List of defined and documented entities for the selected.

    Practice in the use of capability and business process models to identify key data concepts.

    Practice the domain modeling process of grouping and defining your bounded contexts.

    3 Harvesting Reference Models

    The Purpose

    Harvest reference models for your data architecture.

    Key Benefits Achieved

    Reference models selected.

    Activities

    3.1 Reference model selection.

    3.2 Exploring and searching the reference model.

    3.3 Harvesting strategies and maintaining linkage.

    3.4 Extending the conceptual and logical models.

    Outputs

    Established and practiced steps to extend the conceptual or logical model from the reference model while maintaining lineage.

    4 Harvesting Existing Data Artifacts

    The Purpose

    Gather more information to create your data models.

    Key Benefits Achieved

    Remaining steps and materials to build your data models.

    Activities

    4.1 Use your data inventory to select source models.

    4.2 Match semantics.

    4.3 Maintain lineage between BDG and existing sources.

    4.4 Select and harvest attributes.

    4.5 Define modeling standards.

    Outputs

    List of different methods to reverse engineer existing models.

    Practiced steps to extend the logical model from existing models.

    Report examples.

    5 Next Steps and Wrap-Up (offsite)

    The Purpose

    Wrap up the workshop and set your data models up for future success.

    Key Benefits Achieved

    Understanding of functions and processes that will use the data models.

    Activities

    5.1 Institutionalize data architecture practices, standards, and procedures.

    5.2 Exploit and extend the use of the Conceptual model in the organization.

    Outputs

    Data governance policies, standards, and procedures for data architecture.

    List of business function and processes that will utilize the Conceptual model.

    Maintain Employee Engagement During the COVID-19 Pandemic

    • Buy Link or Shortcode: {j2store}548|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • The uncertainty of the pandemic means that employee engagement is at higher risk.
    • Organizations need to think beyond targeting traditional audiences by considering engagement of onsite, remote, and laid-off employees.

    Our Advice

    Critical Insight

    • The changing way of work triggered by this pandemic means engagement efforts must be easy to implement and targeted for relevant audiences.

    Impact and Result

    • Identify key drivers to leverage during the pandemic to boost engagement as well as at-risk drivers to focus efforts on.
    • Select quick-win tactics to sustain and boost engagement for relevant target audiences.

    Maintain Employee Engagement During the COVID-19 Pandemic Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine the scope

    Evaluate the current state, stakeholder capacity, and target audience of engagement actions.

    • Maintain Employee Engagement During the COVID-19 Pandemic Storyboard
    • Pandemic Engagement Workbook

    2. Identify engagement drivers

    Review impact to engagement drivers in order to prioritize and select tactics for addressing each.

    • Tactics Catalog: Maintain Employee Engagement During the COVID-19 Pandemic
    • Employee Engagement During COVID-19: Manager Tactics

    3. Determine ownership and communicate engagement actions

    Designate owners of tactics, select measurement tools and cadence, and communicate engagement actions.

    • Crisis Communication Guide for HR
    • Crisis Communication Guide for Leaders
    • Leadership Crisis Communication Guide Template
    • HR Action and Communication Plan
    [infographic]

    Decide if You Are Ready for SAFe

    • Buy Link or Shortcode: {j2store}355|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Complex application landscapes require delivery teams to work together and coordinate changes across multiple product lines and releases.
    • Leadership wants to balance strategic goals with localized prioritization of changes.
    • Traditional methodologies are not well suited to support enterprise agility: Scrum doesn’t scale easily, and Waterfall is too slow and risky.

    Our Advice

    Critical Insight

    SAFe’s popularity is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision making. This directly conflicts with Agile’s purpose and principles of empowerment and agility.

    • Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.
    • Few organizations are capable or should be applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.

    Impact and Result

    • Start with a clear understanding of your needs, constraints, goals, and culture.
      • Start with an Agile readiness assessment. Agile is core to value realization.
      • Take the time to determine your drivers and goals.
      • If SAFe is right for you, selecting the right implementation partner is key.
    • Plan SAFe as a long-term enterprise cultural transformation requiring changes at all levels.

    Decide if You Are Ready for SAFe Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Decide if You Are Ready for SAFe Storyboard – Research to help you understand where SAFe fits into delivery methodologies and determine if SAFe is right for your organization.

    This deck will guide you to define your primary drivers for SAFe, assess your Agile readiness, define enablers and blockers, estimate implementation risk, and start your SAFe implementation plan.

    • Decide if You Are Ready for SAFe Storyboard

    2. Scaled Agile Readiness Assessment – A tool to conduct an Agile readiness survey.

    Start your journey with a clear understanding about the level of Agile and product maturity throughout the organization. Each area that lacks strength should be evaluated further and added to your journey map.

    • Scaled Agile Readiness Assessment

    3. SAFe Transformation Playbook – A template to build a change management plan to guide your transition.

    Define clear ownership for every critical step.

    • SAFe Transformation Playbook
    [infographic]

    Workshop: Decide if You Are Ready for SAFe

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand where SAFe fits into delivery methodologies and SDLCs

    The Purpose

    Understand what is driving your proposed SAFe transformation and if it is the right framework for your organization.

    Key Benefits Achieved

    Better understanding of your scaled agile needs and drivers

    Activities

    1.1 Define your primary drivers for SAFe.

    1.2 Create your own list of pros and cons of SAFe.

    Outputs

    List of primary drivers for SAFe

    List of pros and cons of SAFe

    2 Determine if you are ready for SAFe

    The Purpose

    Identify factors influencing a SAFe implementation and ensure teams are aware and prepared.

    Key Benefits Achieved

    Starting understanding of your organization’s readiness to implement a SAFe framework

    Activities

    2.1 Assess your Agile readiness.

    2.2 Define enablers and blockers of scaling Agile delivery.

    2.3 Estimate your SAFe implementation risk.

    2.4 Start your SAFe implementation plan.

    Outputs

    Agile readiness assessment results

    List of enablers and blockers of scaling Agile delivery

    Estimated SAFe implementation risk

    High-level SAFe implementation plan template

    Further reading

    Decide if You Are Ready for SAFe

    Approach the Scaled Agile Framework (SAFe) with open eyes and an open wallet.

    Analyst Perspective

    Ensure that SAFe is the right move before committing.

    Waterfall is dead. Or obsolete at the very least.

    Organizations cannot wait months or years for product, service, application, and process changes. They need to embrace business agility to respond to opportunities more quickly and deliver value sooner. Agile established values and principles that have promoted smaller cycle times, greater connections between teams, improved return on investment (ROI) prioritization, and improved team empowerment.

    Where organizations continue to struggle is matching localized Scrum teams with enterprise initiatives. This struggle is compounded by legacy executive planning cycles, which undermine Agile team authority. SAFe has provided a series of frameworks to help organizations deal with these issues. It combines enterprise planning and alignment with cross-team collaboration.

    Don't rely on popularity or marketing to make your scaled Agile decision. SAFe is a highly disruptive transformation, and it requires extensive training, coaching, process changes, and time to implement. Without the culture shift to an Agile mindset at all levels, SAFe becomes a mirror of Waterfall processes dressed in SAFe names. Furthermore, SAFe itself will not fix problems with communication, requirements, development, testing, release, support, or governance. You will still need to fix these problems within the SAFe framework to be successful.

    Hans Eckman, Principal Research Director, Applications Delivery and Management

    Hans Eckman
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech's Approach
    • Complex application landscapes require delivery teams to work together and coordinate changes across multiple product lines and releases.
    • Leadership wants to maintain executive strategic planning with faster delivery of changes.
    • Traditional methodologies are not well suited to support enterprise agility.
      • Waterfall is too slow, inefficient, and full of accumulated risk.
      • Scrum is not easy to scale and requires behavioral changes.
    • Enterprise transformations are never fast or easy, and SAFe is positioned as a complete replacement of your delivery practices.
    • Teams struggle with SAFe's rigid framework, interconnected methodologies, and new terms.
    • Few organizations are successful at implementing a pure SAFe framework.
    • Organizations without scaled product families have difficulties organizing SAFe teams into proper value streams.
    • Team staffing and stability are hard to resolve.
    Start with a clear understanding of your needs, constraints, goals, and culture.
    • Developing an Agile mindset is core to value realization. Start with Info-Tech's Agile Readiness Assessment.
    • Take the time to identify your drivers and goals.
    • If SAFe is right for you, build a transformation plan and select the right implementation partner.
    Plan SAFe as a long-term enterprise cultural transformation, requiring changes at all levels.

    Info-Tech Insight
    SAFe is a highly disruptive enterprise transformation, and it won't solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and how fast you are willing to transform, and make sure that you have the right transformation and coaching partner in place. There is no right software development lifecycle (SDLC) or methodology. Find or create the methodology that best aligns to your needs and goals.

    Agile's Four Core Values

    "...while there is value in the items on the right, we value the items on the left more."
    - The Agile Manifesto

    STOP! If you're not Agile, don't start with SAFe.

    Agile over SAFe

    Successful SAFe requires an Agile mindset at all levels.

    Be aware of common myths around Agile and SAFe

    SAFe does not...

    1...solve development and communication issues.

    2...ensure that you will finish requirements faster.

    3...mean that you do not need planning and documentation.

    "Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
    – Kristen Morton, Associate Implementation Architect,
    OneShield Inc. (Info-Tech Interview)

    Info-Tech Insight
    Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.

    Review the drivers that are motivating your organization to adopt and scale Agile practices

    Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

    If a group's specific needs and drivers are not addressed, its members may develop negative sentiments toward Agile development. These negative sentiments can affect their ability to see the benefits of Agile, and they may return to their old habits once the opportunity arises.

    It is important to find opportunities in which both business objectives and functional group drivers can be achieved by scaling Agile development. This can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. It can also be used to justify activities that specifically address functional group drivers.

    Examples of Motivating Drivers for Scaling Agile

    • Improve artifact handoffs between development and operations.
    • Increase collaboration among development teams.
    • Reveal architectural and system risks early.
    • Expedite the feedback loop from support.
    • Improve capacity management.
    • Support development process innovation.
    • Create a safe environment to discuss concerns.
    • Optimize value streams.
    • Increase team engagement and comradery.

    Don't start with scaled Agile!

    Scaling Agile is a way to optimize product management and product delivery in application lifecycle management practices. Do not try to start with SAFe when the components are not yet in place.

    Scaled Agile


    Thought model describing how Agile connects Product Management to Product Delivery to elevate the entire Solution Lifecycle.

    Scale Agile delivery to improve cross-functional dependencies and releases

    Top Business Concerns When Scaling Agile

    1 Organizational Culture: The current culture may not support team empowerment, learning from failure, and other Agile principles. SAFe also allows top-down decisions to persist.

    2 Executive Support: Executives may not dedicate resources, time, and effort into removing obstacles to scaling Agile because of lack of business buy-in.

    3 Team Coordination: Current collaboration structures may not enable teams and stakeholders to share information freely and integrate workflows easily.

    4 Business Misalignment: Business vision and objectives may be miscommunicated early in development, risking poorly planned and designed initiatives and low-quality products.

    Extending collaboration is the key to success.

    Uniting stakeholders and development into a single body is the key to success. Assess the internal and external communication flow and define processes for planning and tracking work so that everyone is aware of how to integrate, communicate, and collaborate.

    The goal is to enable faster reaction to customer needs, shorter release cycles, and improved visibility of the project's progress with cross-functional and diverse conversations.

    Advantages of successful SAFe implementations

    Once SAFe is complete and operational, organizations have seen measurable benefits:

    • Multiple frameworks to support different levels of SAFe usage
    • Deliberate and consistent planning and coordination
    • Coordinating dependencies within value streams
    • Reduced time to delivery
    • Focus on customers and end users
    • Alignment to business goals and value streams
    • Increased employee engagement

    Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
    "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

    Advantages of successful SAFe implementations

    Source: "Benefits," Scaled Agile, 2023

    Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

    SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

    Scrum vs SAFe

    Develop Your Agile Approach for a Successful Transformation

    Source: Scaled Agile, Inc.

    Info-Tech's IT Management & Governance Framework

    Info-Tech's IT Management & Governance Framework

    Info-Tech Insight
    SAFe is an enterprise, culture, and process transformation that impacts all IT services. Some areas of Info-Tech's IT Management & Governance Framework have higher impacts and require special attention. Plan to include transformation support for each of these topics during your SAFe implementation. SAFe will not fix broken processes on its own.

    Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

    Waterfall with SAFe terminology

    Source: Scaled Agile, Inc.

    Info-Tech Insight
    When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

    • Delivery Manager = Release Train Engineer
    • Stakeholder/Sponsor = Product Manager
    • Release = Release Train
    • Project/Program = Project or Portfolio

    SAFe isn't without risks or challenges

    Risks and Causes of Failed SAFe Transformations

    • SAFe conflicts with legacy cultures and delivery processes.
    • SAFe promotes continued top-down decisions, undermining team empowerment.
    • Scaled product families are required to define proper value streams.
    • Team empowerment and autonomy are reduced.
    • SAFe activities are poorly executed.
    • There are high training and coaching costs.
    • Implementation takes a long time.
    • End-to-end delivery management tools aligned to SAFe are required.
    • Legacy delivery challenges are not specifically solved with SAFe.
    • SAFe is designed to work for large-scale development teams.

    Challenges

    • Adjusting to a new set of terms for common roles, processes, and activities
    • Executing planning cycles
    • Defining features and epics at the right level
    • Completing adequate requirements
    • Defining value streams
    • Coordinating releases and release trains
    • Providing consistent quality

    Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
    "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

    Focus on your core competencies instead

    Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

    Product Delivery

    Product Management

    "But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
    – "Agile at Scale," Harvard Business Review

    Insight Summary

    Overarching insight
    SAFe is a highly disruptive enterprise transformation, and it will not solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and fast you are willing to transform and make sure that you have the right transformation and coaching partner in place.

    SAFe conflicts with core Agile principles.
    The popularity of SAFe is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision-making. This directly conflicts with Agile's purpose and principles of empowerment and agility.

    SAFe and Agile will not solve enterprise delivery challenges.
    Poor culture, processes, governance, and leadership will disrupt any methodology. Many issues with drivers for SAFe could be solved by improving development and release management within current methodologies.

    Most organizations should not be using a pure SAFe framework
    Few organizations are capable of, or should be, applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.

    Without an Agile mindset, SAFe will be executed as Waterfall stages using SAFe terminology.
    Groups that "Do Agile" are not likely to embrace the behavioral changes needed to make any scaled framework effective. SAFe becomes a series of Waterfall PIs using SAFe terminology.

    Your transformation does not start with SAFe.
    Start your transition to scaled Agile with a maturity assessment for current delivery practices. Fixing broken process, tools, and teams must be at the heart of your initiative.

    Blueprint Deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key Deliverable

    SAFe Transformation Playbook

    Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

    Scaled Agile Readiness Assessment

    Conduct the Agile readiness survey. Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

    Case Study

    Spotify's approach to Agile at scale

    INDUSTRY: Digital Media
    SOURCE: Unified Communications and Collaborations

    Spotify's Scaling Agile Initiative

    With rapid user adoption growth (over 15 million active users in under six years), Spotify had to find a way to maintain an Agile mindset across 30+ teams in three different cities, while maintaining the benefits of cross-functional collaboration and flexibility for future growth.

    Spotify's Approach

    Spotify found a fit-for-purpose way for the organization to increase team autonomy without losing the benefits of cross-team communication from economics of scale. Spotify focused on identifying dependencies that block or slow down work through a mix of reprioritization, reorganization, architectural changes, and technical solutions. The organization embraced dependencies that led to cross-team communication and built in the necessary flexibility to allow Agile to grow with the organization.

    Spotify's scaling Agile initiative used interview processes to identify what each team depended on and how those dependencies blocked or slowed the team.

    Squad refers to an autonomous Agile release team in this case study.

    Case Study

    Suncorp instilled dedicated communication streams to ensure cross-role collaboration and culture.

    INDUSTRY: Insurance
    SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

    Challenge Solution Results
    • Suncorp Group wanted to improve delivery and minimize risk. Suncorp realized that it needed to change its project delivery process to optimize business value delivery.
    • With five core business units, over 15,000 employees, and US$96 billion in assets, Suncorp had to face a broad set of project coordination challenges.
    • Suncorp decided to deliver all IT projects using Agile.
    • Suncorp created a change program consisting of five main streams of work, three of which dealt with the challenges specific to Agile culture:
      • People: building culture, leadership, and support
      • Communication: ensuring regular employee collaboration
      • Capabilities: blending training and coaching
    • Sponsorship from management and champions to advocate Agile were key to ensure that everyone was unified in a common purpose.
    • Having a dedicated communication stream was vital to ensure regular sharing of success and failure to enable learning.
    • Having a structured, standard approach to execute the planned culture change was integral to success.

    Case Study

    Nationwide embraces DevOps and improves software quality.

    INDUSTRY: Insurance
    SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

    Challenge Solution Results
    • In the past, Nationwide primarily followed a Waterfall development process. However, this method created conflicts between IT and business needs.
    • The organization began transitioning from Waterfall to Agile development. It has seen early successes with Agile: decrease in defects per release and more success in meeting delivery times.
    • Nationwide needed to respond more efficiently to changing market requirements and regulations and to increase speed to market.
    • Nationwide decided to take a DevOps approach to application development and delivery.
    • IT wanted to perform continuous integration and deployment in its environments.
    • Cross-functional teams were organically created, made up of members from the business and multiple IT groups, including development and operations.
    • DevOps allowed Nationwide to be more Agile and more responsive to its customers.
    • Teams were able to perform acceptance testing with their customers in parallel with development. This allowed immediate feedback to help steer the project in the right direction.
    • DevOps improved code quality by 50% over a three-year period and reduced user downtime by 70%.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Call #1:

    Scope your requirements, objectives, and specific challenges.

    Call #2:

    1.1.1 Define your primary drivers for SAFe.

    1.1.2 Create your own list of pros and cons of SAFe.

    Call #3:

    1.2.1 Assess your Agile readiness.

    1.2.2 Define enablers and blockers for scaling Agile delivery.

    1.2.3 Estimate your SAFe implementation risk.

    Call #4:

    1.2.4 Start your SAFe implementation plan.

    Summarize your results and plan your next steps.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is one to four calls over the course of one to six weeks.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Planning Step 1.1 Step 1.2
    Identify your stakeholders. Step 1.1 Understand where SAFe fits into your delivery methodologies and SDLCs. Step 1.2 Determine if you are ready for SAFe.
    Activities 1. Determine stakeholders and subject matter experts.
    2. Coordinate timing and participation.
    3. Set goals and expectations for the workshop.
    1.1.1 Define your primary drivers for SAFe.
    1.1.2 Create your own list of pros and cons of SAFe
    1.2.1 Assess your Agile readiness.
    1.2.2 Define enablers and blockers for scaling Agile delivery.
    1.2.3 Estimate your SAFe implementation risk.
    1.2.4 Start your SAFe implementation plan.
    Deliverables
  • Workshop schedule
  • Participant commitment
    • List of primary drivers for SAFe
    • List of pros and cons of SAFe
    • Agile Readiness Assessment results
    • List of enablers and blockers for scaling Agile delivery
    • Estimated SAFe implementation risk
    • Template for high-level SAFe implementation plan

    Supporting Your Agile Journey

    Enable Product Agile Delivery Executive Workshop Develop Your Agile Approach Spread Best Practices with an Agile Center of Excellence Implement DevOps Practices That Work Enable Organization-Wide Collaboration by Scaling Agile
    Number One Number two Number Three Number Four Number Five

    Align and prepare your IT leadership teams.

    Audience: Senior and IT delivery leadership

    Size: 8-16 people

    Time: 7 hours

    Tune Agile team practices to fit your organization culture.

    Audience: Agile pilot teams and subject matter experts (SMEs)

    Size: 10-20 people

    Time: 4 days

    Leverage Agile thought leadership to expand your best practices.

    Audience: Agile SMEs and thought leaders

    Size: 10-20 people

    Time: 4 days

    Build a continuous integration and continuous delivery pipeline.

    Audience: Product owners (POs) and delivery team leads

    Size: 10-20 people

    Time: 4 days

    Execute a disciplined approach to rolling out Agile methods.

    Audience: Agile steering team and SMEs

    Size: 3-8 people

    Time: 3 hours

    Repeat Legend

    Sample agendas are included in the following sections for each of these topics.

    Your Product Transformation Journey

    1. Make the Case for Product Delivery2. Enable Product Delivery - Executive Workshop3. Deliver on Your Digital Product Vision4. Deliver Digital Products at Scale5. Mature and Scale Product Ownership
    Align your organization with the practices to deliver what matters most.Participate in a one-day executive workshop to help you align and prepare your leadership.Enhance product backlogs, roadmapping, and strategic alignment.Scale product families to align with your organization's goals.Align and mature your product owners.

    Audience: Senior executives and IT leadership

    Size: 8-16 people

    Time: 6 hours

    Repeat Symbol

    Audience: Product owners/managers

    Size: 10-20 people

    Time: 3-4 days

    Repeat Symbol

    Audience: Product owners/managers

    Size: 10-20 people

    Time: 3-4 days

    Audience: Product owners/managers

    Size: 8-16 people

    Time: 2-4 days

    Repeat Symbol

    Repeat Legend

    Phase 1

    Determine if SAFe Is Right for Your Organization

    Phase 1
    1.1 Understand where SAFe fits into your delivery methodologies and SDLCs
    1.2 Determine if you are ready for SAFe (fit for purpose)

    This phase will walk you through the following activities:

    • 1.1.1 Define your primary drivers for SAFe.
    • 1.1.2 Create your own list of pros and cons of SAFe.
    • 1.2.1 Assess your Agile readiness.
    • 1.2.2 Define enablers and blockers for scaling Agile delivery.
    • 1.2.3 Estimate your SAFe implementation risk.
    • 1.2.4 Start your SAFe implementation plan.

    This phase involves the following participants:

    • Senior leadership
    • IT leadership
    • Project Management Office
    • Delivery managers
    • Product managers/owners
    • Agile thought leaders and coaches
    • Compliance teams leads

    Step 1.1

    Understand where SAFe fits into your delivery methodologies and SDLCs

    Activities
    1.1.1 Define your primary drivers for SAFe
    1.1.2 Create your own list of pros and cons of SAFe

    This step involves the following participants:

    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Outcomes of this step:

    • List of primary drivers for SAFe
    • List of pros and cons of SAFe

    Agile's Four Core Values

    "...while there is value in the items on the right, we value the items on the left more."
    – The Agile Manifesto

    STOP! If you're not Agile, don't start with SAFe.

    Agile's Four Core Values

    Successful SAFe requires an Agile mindset at all levels.

    Be aware of common myths around Agile and SAFe

    SAFe does not...

    1...solve development and communication issues.

    2...ensure that you will finish requirements faster.

    3...mean that you do not need planning and documentation.

    "Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
    – Kristen Morton, Associate Implementation Architect,
    OneShield Inc. (Info-Tech Interview)

    Info-Tech Insight
    SAFe only provides a framework and steps where these issues can be resolved.

    The importance of values and principles

    Modern development practices (such as Agile, Lean, and DevOps) are based on values and principles. This supports the move away from command-and-control management to self-organizing teams.

    Values

    • Values represent your team's core beliefs and capture what you want to instill in your team.

    Principles

    • Principles represent methods for solving a problem or deciding.
    • Given that principles are rooted in specifics, they can change more frequently because they are both fallible and conducive to learning.

    Consider the guiding principles of your application team

    Teams may have their own perspectives on how they deliver value and their own practices for how they do this. These perspectives can help you develop guiding principles for your own team to explain your core values and cement your team's culture. Guiding principles can help you:

    • Enable the appropriate environment to foster collaboration within current organizational, departmental, and cultural constraints
    • Foster the social needs that will engage and motivate your team in a culture that suits its members
    • Ensure that all teams are driven toward the same business and team goals, even if other teams are operating differently
    • Build organizational camaraderie aligned with corporate strategies

    Info-Tech Insight
    Following methodologies by the book can be detrimental if they do not fit your organization's needs, constraints, and culture. The ultimate goal of all teams is to deliver value. Any practices or activities that drive teams away from this goal should be removed or modified.

    Review the drivers that are motivating your organization to adopt and scale Agile practices

    Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

    By not addressing a group's specific needs and drivers, the resulting negative sentiments of its members toward Agile development can affect their ability to see the benefits of Agile and they may return to old habits once the opportunity arises.

    Find opportunities in which both business objectives and functional group drivers can be achieved with scaling Agile development. This alignment can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. This assessment can also be used to justify activities that specifically address functional group drivers.

    Examples of Motivating Drivers for Scaling Agile

    • Improve artifact hand-offs between development and operations.
    • Increase collaboration among development teams.
    • Reveal architectural and system risks early.
    • Expedite the feedback loop from support.
    • Improve capacity management.
    • Support development process innovation.
    • Create a safe environment to discuss concerns.
    • Optimize value streams.
    • Increase team engagement and comradery.

    Exercise 1.1.1 Define your primary drivers for SAFe

    30 minutes

    • Brainstorm a list of drivers for scaling Agile.
    • Build a value canvas to help capture and align team expectations.
    • Identify jobs or functions that will be impacted by SAFe.
    • List your current pains and gains.
    • List the pain relievers and gain creators.
    • Identify the deliverable needed for a successful transformation.
    • Complete your SAFe value canvas in your SAFe Transformation Playbook.

    Enter the results in your SAFe Transformation Playbook.

    Input
    • Organizational understanding
    • Existing Agile delivery strategic plans
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    SAFe Value Canvas Template

    SAFe Value Canvas Template

    Case Study

    A public utilities organization steadily lost stakeholder engagement, diminishing product quality.

    INDUSTRY: Public Utilities
    SOURCE: Info-Tech Expert Interview

    Challenge

    • The goal of a public utilities organization was to adopt Agile so it could quickly respond to changes and trim costs.
    • The organization decided to scale Agile using a structured approach. It began implementation with IT teams that were familiar with Agile principles and leveraged IT seniors as Agile champions. To ensure that Agile principles were widespread, the organization decided to develop a training program with vendor assistance.
    • As Agile successes began to be seen, the organization decided to increase the involvement of business teams gradually so it could organically grow the concept within the business.

    Results

    • Teams saw significant success with many projects because they could easily demonstrate deliverables and clearly show the business value. Over time, the teams used Agile for large projects with complex processing needs.
    • Teams continued to deliver small projects successfully, but business engagement waned over time. Some of the large, complex applications they delivered using Agile lacked the necessary functionality and appropriate controls and, in some cases, did not have the ability to scale due to a poor architectural framework. These applications required additional investment, which far exceeded the original cost forecasts.

    While Agile and product development are intertwined, they are not the same!

    Delivering products does not necessarily require an Agile mindset. However, Agile methods help to facilitate the journey because product thinking is baked into them.

    Agile and product development are intertwined

    Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

    SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

    Difference between Scrum and SAFe

    Develop Your Agile Approach for a Successful Transformation

    Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

    Waterfall with SAFe terminology

    Info-Tech Insight
    When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

    • Delivery Manager = Release Train Engineer
    • Stakeholder/Sponsor = Product Manager
    • Release = Release Train
    • Project/Program = Project or Portfolio

    Advantages of successful SAFe implementations

    Once SAFe is complete and operational, organizations have seen measurable benefits:

    • Multiple frameworks to support different levels of SAFe usage
    • Deliberate and consistent planning and coordination
    • Coordinating dependencies within value streams
    • Reduced time to delivery
    • Focus on customers and end users
    • Alignment to business goals and value streams
    • Increased employee engagement

    Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
    "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

    Advantages of successful SAFe implementations

    Source: "Benefits," Scaled Agile, 2023

    SAFe isn't without risks or challenges

    Risks and Causes of Failed SAFe Transformations

    • SAFe conflicts with legacy cultures and delivery processes.
    • SAFe promotes continued top-down decisions, undermining team empowerment.
    • Scaled product families are required to define proper value streams.
    • Team empowerment and autonomy are reduced.
    • SAFe activities are poorly executed.
    • There are high training and coaching costs.
    • Implementation takes a long time.
    • End-to-end delivery management tools aligned to SAFe are required.
    • Legacy delivery challenges are not specifically solved with SAFe.
    • SAFe is designed to work for large-scale development teams.

    Challenges

    • Adjusting to a new set of terms for common roles, processes, and activities
    • Executing planning cycles
    • Defining features and epics at the right level
    • Completing adequate requirements
    • Defining value streams
    • Coordinating releases and release trains
    • Providing consistent quality

    Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023; "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

    Exercise 1.1.2 Create your own list of the pros and cons of SAFe

    1 hour

    Pros Cons

    Enter the results in your SAFe Transformation Playbook

    Input
    • Organizational drivers
    • Analysis of SAFe
    • Estimate of fit for purpose
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Focus on your core competencies instead

    Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

    Product Delivery

    Product Management

    "But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
    - "Agile at Scale," Harvard Business Review

    Step 1.2

    Determine if you are ready for SAFe (fit for purpose)

    Activities
    1.2.1 Assess your Agile readiness
    1.2.2 Define enablers and blockers for scaling Agile delivery
    1.2.3 Estimate your SAFe implementation risk
    1.2.4 Start your SAFe implementation plan

    This step involves the following participants:

    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Outcomes of this step:

    • Agile Readiness Assessment results
    • Enablers and blockers for scaling Agile
    • SAFe implementation risk
    • SAFe implementation plan

    Use CLAIM to guide your Agile journey

    Use CLAIM to guide your Agile journey

    Conduct the Agile Readiness Assessment Survey

    Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

    • Start your journey with a clear understanding of the level of Agile and product maturity throughout your organization.
    • Each area that lacks strength should be evaluated further and added to your journey map.

    Chart of Agile Readiness

    Exercise 1.2.1 Assess your Agile readiness

    1 hour

    • Open and complete the Agile Readiness Assessment in your playbook or the Excel tool provided.
    • Discuss each area's high and low scores to reach a consensus.
    • Record your results in your SAFe Transformation Playbook.

    Chart of Agile Readiness

    Enter the results in Scaled Agile Readiness Assessment.

    Input
    • Organizational knowledge
    • Agile Readiness Assessment
    Output
    • IT leadership
    • Delivery managers
    • Project Management Office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Exercise 1.2.2 Define enablers and blockers for scaling Agile delivery

    1 hour

    • Identify and mitigate blockers for scaling Agile in your organization.
      • Identify enablers who will support successful SAFe transformation.
      • Identify blockers who will make the transition to SAFe more difficult.
      • For each blocker, define at least one mitigating step.
    Enablers Blockers Mitigation

    Enter the results in your SAFe Transformation Playbook

    Input
    • Agile Readiness Assessment
    • Organizational knowledge
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Estimate your SAFe implementation risk

    Poor Fit High Risk Scaling Potential
    Team size <50 >150 or non-dedicated 50-150 dedicated
    Agile maturity Waterfall and project delivery Individual Scrum DevOps teams Scrum DevOps teams coordinating dependencies
    Product management maturity Project-driver changes from stakeholders Proxy product owners within delivery teams Defined product families and products
    Strategic goals Localized decisions Enterprise goals implemented at the app level Translation and refinement of enterprise goals through product families
    Enterprise architecture Siloed architecture standards Common architectures Future enterprise architecture and employee review board (ERB) reviews
    Release management Independent release schedules Formal release calendar Continuous integration/development (CI/CD) with organizational change management (OCM) scheduled cross-functional releases
    Requirements management and quality assurance Project based Partial requirements and test case coverage Requirements as an asset and test automation

    Exercise 1.2.3 Estimate your SAFe implementation risk

    30 minutes

    • Determine which description best matches your overall organizational state.
    • Enter the results in your SAFe Transformation Playbook.
    • Change the text to bold in the cell you selected to describe your current state and/or add a border around the cell.

    Chart of SAFe implementation risk

    Enter the results in SAFe Transformation Playbook.

    Input
    • Agile Readiness Assessment
    • Organizational knowledge
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Interpret your SAFe implementation risks

    Analyze your highlighted selections and patterns in the rows and columns. Use these factors to inform your SAFe implementation steps and timing.

    Interpret your SAFe implementation risks

    Build your implementation plan

    Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

    Plan your transformation.

    • Align stakeholders and thought leaders.
    • Select an implementation partner.
    • Insert critical steps.

    Build your SAFe framework.

    • Define your target SAFe framework.
    • Customize your SAFe framework.
    • Establish SAFe governance and reporting.
    • Insert critical steps.

    Implement SAFe practices.

    • Define product families and value streams.
    • Conduct SAFe training for:
      • Executive leadership
      • Agile SAFe coaches
      • Practitioners
    • Insert critical steps.

    For additional help with OCM, please download Master Organizational Change Management Practices.

    Exercise 1.2.4 Start your SAFe implementation plan

    30 minutes

    • Using the high-level SAFE implementation framework, begin building out the critical steps.
    • Record the results in your SAFe Transformation Playbook.
    • Your playbook is an evergreen document to help guide your implementation. It should be reviewed often.

    SAFe implementation plan

    Enter the results in your SAFe Transformation Playbook

    Input
    • SAFe readiness assessment
    • Enablers and blockers
    • Drivers for SAFe
    Output
    • IT leadership
    • Delivery managers
    • Project management office
    • Product owners and managers
    • Development team leads
    • Portfolio managers
    • Architects

    Select an implementation partner

    Finding the right SAFe implementation partner is critical to your transformation success.

    • Using your previous assessment, align internal and external resources to support your transformation.
    • Select a partner who has experience in similar organizations and is aligned with your delivery goals.
    • Plan to transition support to internal teams when SAFe practices have stabilized and moved into continuous improvement.
    • Augment your transformation partner with internal coaches.
    • Plan for a multiyear engagement before SAFe benefits are realized.

    Summary of Accomplishments

    Your journey begins.

    Implementing SAFe is a long, expensive, and difficult process. For some organizations, SAFe provides the balance of leadership-driven prioritization and control with shorter release cycles and time to value. The key is making sure that SAFe is right for you and you are ready for SAFe. Few organizations fit perfectly into one of the SAFe frameworks. Instead, consider fine-tuning and customizing SAFe to meet your needs and gradual transformation.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

    Below are sample activities that will be conducted by Info-Tech analysts with your team:

    Scaled Agile Delivery Readiness Assessment
    This assessment will help identify enablers and blockers in your organizational culture using our CLAIM+G organization transformation model.

    SAFE Value Canvas
    Use a value campus to define jobs, pains, gains, pain relievers, gain creators, and needed deliverables to help inform and guide your SAFe transformation.

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Bibliography

    "6 Biggest SAFe Agile Implementation Mistakes to Avoid." Triumph Strategic Consulting, 27 July 2017.

    "The 7 Must-Haves for Achieving Scaling Agile Success." The 7 Must-Haves for Achieving Scaling Agile Success.

    Ageling, Willem-Jan. "11 Most Common Reasons to Use Scaled Agile Framework (SAFE) and How to Do This With Unscaled Scrum." Medium, Serious Scrum, 26 Jan. 2020.

    Agile India, International Conference on Agile and Lean Software Development, 2014.

    "Air France - KLM - Agile Adoption with SAFe." Scaled Agile, 28 Nov. 2022.

    "Application Development Trends 2019 - Global Survey Report." OutSystems.

    "Benefits of SAFe: How It Benefits Organizations." Scaled Agile, 13 Mar. 2023.

    Berkowitz, Emma. "The Cost of a SAFe(r) Implementation: CPRIME Blog." Cprime, 30 Jan. 2023.

    "Chevron - Adopting SAFe with Remote Workforce." Scaled Agile, 28 Nov. 2022.

    "Cisco It - Adopting Agile Development with SAFe." Scaled Agile, 13 Sept. 2022.

    "CMS - Business Agility Transformation Using SAFe." Scaled Agile, 13 Sept. 2022.

    Crain, Anthony. "4 Biggest Challenges in Moving to Scaled Agile Framework (SAFe)." TechBeacon, 25 Jan. 2019.

    "The Essential Role of Communications ." Project Management Institute .

    Gardiner, Phil. "SAFe Implementation: 4 Tips for Getting Started." Applied Frameworks, 20 Jan. 2022.

    "How Do I Start Implementing SAFe?" Agility in Mind, 29 July 2022.

    "How to Masterfully Screw Up Your SAFe Implementation." Wibas Artikel-Bibliothek, 6 Sept. 2022.

    "Implementation Roadmap." Scaled Agile Framework, 14 Mar. 2023.

    Islam, Ayvi. "SAFe Implementation 101 - The Complete Guide for Your Company." //Seibert/Media, 22 Dec. 2020.

    "Johnson Controls - SAFe Implementation Case Study." Scaled Agile, 28 Nov. 2022.

    "The New Rules and Opportunities of Business Transformation." KPMG.

    "Nokia Software - SAFe Agile Transformation." Scaled Agile, 28 Nov. 2022.

    Pichler, Roman. "What Is Product Management?" Romanpichler, 2014.

    "Product Documentation." ServiceNow.

    "Pros and Cons of Scaled Agile Framework." PremierAgile.

    "Pulse of the Profession Beyond Agility." Project Management Institute.

    R, Ramki. "Pros and Cons of Scaled Agile Framework (SAFe)." Medium, 3 Mar. 2019.

    R, Ramki. "When Should You Consider Implementing SAFe (Scaled Agile Framework)?" Medium, Medium, 3 Mar. 2019.

    Rigby, Darrell, Jeff Sutherland, and Andy Noble. "Agile at Scale: How to go from a few teams to hundreds." Harvard Business Review, 2018.

    "SAFe Implementation Roadmap." Scaled Agile Framework, Scaled Agile, Inc., 14 Mar. 2023.

    "SAFe Partner Cprime: SAFe Implementation Roadmap: Scaled Agile." Cprime, 5 Apr. 2023.

    "SAFe: The Good, the Bad, and the Ugly." Project Management Institute.

    "Scaled Agile Framework." Wikipedia, Wikimedia Foundation, 29 Mar. 2023.

    "Scaling Agile Challenges and How to Overcome Them." PremierAgile.

    "SproutLoud - a Case Study of SAFe Agile Planning." Scaled Agile, 29 Nov. 2022.

    "Story." Scaled Agile Framework, 13 Apr. 2023.

    Sutherland , Jeff. "Scrum: How to Do Twice as Much in Half the Time." Tedxaix, YouTube, 7 July 2014.

    Venema, Marjan. "6 Scaled Agile Frameworks - Which One Is Right for You?" NimbleWork, 23 Dec. 2022.

    Warner, Rick. "Scaled Agile: What It Is and Why You Need It." High-Performance Low-Code for App Development, OutSystems, 25 Oct. 2019.

    Watts, Stephen, and Kirstie Magowan. "The Scaled Agile Framework (SAFE): What to Know and How to Start." BMC Blogs, 9 Sept. 2020.

    "What Is SAFe? The Scaled Agile Framework Explained." CIO, 9 Feb. 2021.

    "Why Agile Transformations Fail: Four Common Culprits." Planview.

    "Why You Should Use SAFe (and How to Find SAFe Training to Help)." Easy Agile.

    Y., H. "Story Points vs. 'Ideal Days.'" Cargo Cultism, 19 Aug. 2010.

    Bibliography

    Enable Organization-Wide Collaboration by Scaling Agile

    Ambler, Scott W. "Agile Architecture: Strategies for Scaling Agile Development." Agile Modeling, 2012.

    - - -. "Comparing Approaches to Budgeting and Estimating Software Development Projects." AmbySoft.

    - - -. "Agile and Large Teams." Dr. Dobb's, 17 Jun 2008.

    Ambler, Scott W. and Mark Lines. Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 2012.

    Ambler, Scott W., and Mark Lines. "Scaling Agile Software Development: Disciplined Agility at Scale." Disciplined Agile Consortium White Paper Series, 2014.

    AmbySoft. "2014 Agile Adoption Survey Results." Scott W. Ambler + Associates, 2014.

    Bersin, Josh. "Time to Scrap Performance Appraisals?" Forbes Magazine, 5 June 2013. Accessed 30 Oct. 2013..

    Cheese, Peter, et al. " Creating an Agile Organization." Accenture, Oct. 2009. Accessed Nov. 2013..

    Croxon, Bruce, et al. "Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'" HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON, 12 Nov. 2013. Panel discussion.

    Culbert, Samuel. "10 Reasons to Get Rid of Performance Reviews." Huffington Post Business, 18 Dec. 2012. Accessed 28 Oct. 2013.

    Denning, Steve. "The Case Against Agile: Ten Perennial Management Objections." Forbes Magazine, 17 Apr. 2012. Accessed Nov. 2013.

    Estis, Ryan. "Blowing up the Performance Review: Interview with Adobe's Donna Morris." Ryan Estis & Associates, 17 June 2013. Accessed Oct. 2013.

    Heikkila et al. "A Revelatory Case Study on Scaling Agile Release Planning." EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2010.

    Holler, Robert, and Ian Culling. "From Agile Pilot Project to Enterprise-Wide Deployment: Five Sure-Fire Ways To Fail When You Scale." VersionOne, 2010.

    Kniberg, Henrik, and Anders Ivarsson, "Scaling Agile @ Spotify," Unified Communications and Collaborations, 2012.

    Narayan, Sriram. "Agile IT Organization Design: For Digital Transformation and Continuous Delivery." Addison-Wesley Professional, 2015.

    Shrivastava, NK, and Phillip George. "Scaling Agile." RefineM, 2015.

    Sirkia, Rami, and Maarit Laanti. "Lean and Agile Financial Planning." Scaled Agile Framework Blog, 2014.

    Scaled Agile Framework (SAFe). "Agile Architecture." Scaled Agile Inc., 2015.

    VersionOne. 9th Annual: State of Agile Survey. VersionOne, LLC, 2015.

    Appendix A: Supporting Info-Tech Research

    Transformation topics and supporting research to make your journey easier, with less rework

    Supporting research and services

    Improving IT Alignment

    Build a Business-Aligned IT Strategy
    Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.

    Make Your IT Governance Adaptable
    Governance isn't optional, so keep it simple and make it flexible.

    Create an IT View of the Service Catalog
    Unlock the full value of your service catalog with technical components.

    Application Portfolio Management Foundations
    Ensure your application portfolio delivers the best possible return on investment.

    Shifting Toward Agile DevOps

    Agile/DevOps Research Center
    Access the tools and advice you need to be successful with Agile.

    Develop Your Agile Approach for a Successful Transformation
    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Implement DevOps Practices That Work
    Streamline business value delivery through the strategic adoption of DevOps practices.

    Perform an Agile Skills Assessment
    Being Agile isn't about processes, it's about people.

    Define the Role of Project Management in Agile and Product-Centric Delivery
    Projects and products are not mutually exclusive.

    Shifting Toward Product Management

    Make the Case for Product Delivery
    Align your organization on the practices to deliver what matters most.

    Deliver on Your Digital Product Vision
    Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale
    Deliver value at the scale of your organization through defining enterprise product families.

    Mature and Scale Product Ownership
    Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Build a Value Measurement Framework
    Focus product delivery on business value- driven outcomes.

    Improving Value and Delivery Metrics

    Build a Value Measurement Framework
    Focus product delivery on business value-driven outcomes.

    Create a Holistic IT Dashboard
    Mature your IT department by measuring what matters.

    Select and Use SDLC Metrics Effectively
    Be careful what you ask for, because you will probably get it.

    Reduce Time to Consensus With an Accelerated Business Case
    Expand on the financial model to give your initiative momentum.

    Improving Governance, Prioritization, and Value

    Make Your IT Governance Adaptable
    Governance isn't optional, so keep it simple and make it flexible.

    Maximize Business Value From IT Through Benefits Realization
    Embed benefits realization into your governance process to prioritize IT spending and confirm the value of IT.

    Drive Digital Transformation With Platform Strategies
    Innovate and transform your business models with digital platforms.

    Succeed With Digital Strategy Execution
    Building a digital strategy is only half the battle: create a systematic roadmap of technology initiatives to execute the strategy and drive digital transformation.

    Build a Value Measurement Framework
    Focus product delivery on business value-driven outcomes.

    Create a Holistic IT Dashboard
    Mature your IT department by measuring what matters.

    Improving Requirements Management and Quality Assurance

    Requirements Gathering for Small Enterprises
    Right-size the guidelines of your requirements gathering process.

    Improve Requirements Gathering
    Back to basics: great products are built on great requirements.

    Build a Software Quality Assurance Program
    Build quality into every step of your SDLC.

    Automate Testing to Get More Done
    Drive software delivery throughput and quality confidence by extending your automation test coverage.

    Manage Your Technical Debt
    Make the case to manage technical debt in terms of business impact.

    Create a Business Process Management Strategy
    Avoid project failure by keeping the "B" in BPM.

    Build a Winning Business Process Automation Playbook
    Optimize and automate your business processes with a user-centric approach.

    Improving Release Management

    Optimize Applications Release Management
    Build trust by right-sizing your process using appropriate governance.

    Streamline Application Maintenance
    Effective maintenance ensures the long-term value of your applications.

    Streamline Application Management
    Move beyond maintenance to ensure exceptional value from your apps.

    Optimize IT Change Management
    Right-size IT change management to protect the live environment.

    Manage Your Technical Debt
    Make the case to manage technical debt in terms of business impact.

    Improve Application Development Throughput
    Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

    Improving Business Relationship Management

    Embed Business Relationship Management in IT
    Show that IT is worthy of Trusted Partner status.

    Mature and Scale Product Ownership
    Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

    Improving Security

    Build an Information Security Strategy
    Create value by aligning your strategy to business goals and business risks.

    Develop and Deploy Security Policies
    Enhance your overall security posture with a defensible and prescriptive policy suite.

    Simplify Identity and Access Management
    Leverage risk- and role-based access control to quantify and simplify the identity and access management (IAM) process.

    Improving and Supporting Business-Managed Applications

    Embrace Business-Managed Applications
    Empower the business to implement their own applications with a trusted business-IT relationship.

    Enhance Your Solution Architecture Practices
    Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

    Satisfy Digital End Users With Low- and No-Code
    Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

    Build Your First RPA Bot
    Support RPA delivery with strong collaboration and management foundations.

    Automate Work Faster and More Easily With Robotic Process Automation
    Embrace the symbiotic relationship between the human and digital workforce.

    Improving Business Intelligence, Analytics, and Reporting

    Modernize Data Architecture for Measurable Business Results
    Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice.

    Build a Reporting and Analytics Strategy
    Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

    Build Your Data Quality Program
    Quality data drives quality business decisions.

    Design Data-as-a-Service
    Journey to the data marketplace ecosystems.

    Build a Robust and Comprehensive Data Strategy
    Learn about the key to building and fostering a data-driven culture.

    Build an Application Integration Strategy
    Level the table before assembling the application integration puzzle or risk losing pieces.

    Appendix B: SDLC Transformation Steps

    Waterfall SDLC

    Valuable product delivered at the end of an extended project lifecycle, frequently in years

    Waterfall SDLC

    • Business is separated from the delivery of technology it needs. Only one-third of the product is actually valuable (ITRG, N=40,000).
    • In Waterfall, a team of experts in specific disciplines hand off different aspects of the lifecycle.
    • Document sign-offs are required to ensure integration between silos (Business, Development, and Operations) and individuals.
    • A separate change-request process lays over the entire lifecycle to prevent changes from disrupting delivery.
    • Tools are deployed to support a specific role (e.g. BA) and seldom integrated (usually requirements <-> test).

    Wagile/Agifall/WaterScrumFall SDLC

    Valuable product delivered in multiple releases

     Wagile/Agifall/WaterScrumFall SDLC

    • Business is more closely integrated by a business product owner, who is accountable for day-to-day delivery of value for users.
    • The team collaborates and develops cross-functional skills as they define, design, build, and test code over time.
    • Sign-offs are reduced but documentation is still focused on satisfying project delivery and operations policy requirements.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Tools start to be integrated to streamline delivery (usually requirements and Agile work management tools).

    Agile SDLC

    Valuable product delivered iteratively: frequency depends Ops' capacity

    Agile SDLC

    • Business users are closely integrated through regularly scheduled demos (e.g. every two weeks).
    • Team is fully cross-functional and collaborates to plan, define, design, build, and test the code, supported by specialists.
    • Documentation is focused on future development and operations needs.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Automation is explored for application development (e.g. automated regression testing).

    Agile With DevOps SDLC

    High frequency iterative delivery of valuable product (e.g. every two weeks)

     Agile With DevOps SDLC

    • Business users are closely integrated through regularly scheduled demos.
    • Development and operations teams collaborate to plan, define, design, build, test, and deploy code, supported by automation.
    • Documentation is focused on supporting users, future changes, and operational support.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Test, build, deploy process is fully automated. (Service desk is still separated.)

    DevOps SDLC

    Continuous integration and delivery

     DevOps SDLC

    • Business users are closely integrated through regularly scheduled demos.
    • Fully integrated DevOps team collaborates to plan, define, design, build, test, deploy, and maintain code.
    • Documentation is focused on future development and use adoption.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Development and operations toolchain are fully integrated.

    Fully integrated product SDLC

    Agile + DevOps + continuous delivery of valuable product on demand

     Fully integrated product SDLC

    • Business users are fully integrated with the teams through dedicated business product owner.
    • Cross-functional teams collaborate across the business and technical life of the product.
    • Documentation supports internal and external needs (business, users, operations).
    • Change is built into the process to allow the team to respond to change dynamically.
    • Toolchain is fully integrated (including service desk).

    Appendix C: Understanding Agile Scrum Practices and Ceremonies

    Cultural advantages of Agile

    Cultural advantages of Agile

    Agile* SDLC

    With shared ownership instead of silos, we are able to deliver value at the end of every iteration (aka sprint)

    Agile SDLC

    Key Elements of the Agile SDLC

    • You are not "one and done." There are many short iterations with constant feedback.
    • There is an empowered product owner. This is a single authoritative voice who represents stakeholders.
    • There is a fluid product backlog. This enables prioritization of requirements "just-in-time."
    • There is a cross-functional, self-managing team. This team makes commitments and is empowered by the organization to do so.
    • There is working, tested code at the end of each sprint: Value becomes more deterministic along sprint boundaries.
    • Stakeholders are allowed to see and use the functionality and provide necessary feedback.
    • Feedback is being continuously injected back into the product backlog. This shapes the future of the solution.
    • There is continuous improvement through sprint retrospectives.
    • The virtuous cycle of sprint-demo-feedback is internally governed when done right.

    * There are many Agile methodologies to choose from, but Scrum is by far the most widely used (and is shown above).

    Understand the Scrum process

    The scrum process coordinates multiple stakeholders to deliver on business priorities.

    Understand the Scrum process

    Understand the ceremonies part of the scrum process

     Understand the ceremonies part of the scrum process

    Scrum vs. Kanban: Key differences

    Scrum vs. Kanban: Key differences

    Scrum vs. Kanban: When to use each

    Scrum

    Related or grouped changes are delivered in fixed time intervals.

    Use when:

    • Coordinating the development or release of related items
    • Maturing a product or service
    • Coordinating interdependencies between work items

    Kanban

    Independent items are delivered as soon as each is ready.

    Use when:

    • Completing work items from ticketing or individual requests
    • Completing independent changes
    • Releasing changes as soon as possible

    Appendix D: Improving Product Management

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    Product delivery realizes value for your product family

    Manage and communicate key milestones

    Successful product-delivery managers understand and define key milestones in their product-delivery lifecycles. These milestones need to be managed along with the product backlog and roadmap.

    Manage and communicate key milestones

    Info-Tech Best Practice
    Product management is not just about managing the product backlog and development cycles. Teams need to manage key milestones, such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints.

    A backlog stores and organizes product backlog items (PBIs) at various stages of readiness

    Organize product backlog at various stages of readiness

    A well-formed backlog can be thought of as a DEEP backlog:

    Detailed Appropriately: PBIs are broken down and refined as necessary.

    Emergent: The backlog grows and evolves over time as PBIs are added and removed.

    Estimated: The effort that a PBI requires is estimated at each tier.

    Prioritized: A PBI's value and priority are determined at each tier.

    Source: Perforce, 2018

    Backlog tiers facilitate product planning steps

    Ranging from the intake of an idea to a PBI ready for development; to enter the backlog, each PBI must pass through a given quality filter.

    Backlog tiers facilitate product planning steps

    Each activity is a variation of measuring value and estimating effort in order to validate and prioritize a PBI.

    A PBI successfully completes an activity and moves to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.

    Use quality filters to ensure focus on the most important PBIs

    Expand the concepts of defining "ready" and "done" to include the other stages of a PBI's journey through product planning.

    Use quality filters to ensure focus on the most important PBIs

    Info-Tech Best Practice
    A quality filter ensures that quality is met and the appropriate teams are armed with the correct information to work more efficiently and improve throughput.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    Define product value by aligning backlog delivery with roadmap goals

    Product roadmaps guide delivery and communicate your strategy

    In "Deliver on Your Digital Product Vision," we demonstrate how a product roadmap is core to value realization. The product roadmap is your communicated path. As a product owner, you use it to align teams and changes to your defined goals, as well as your product to enterprise goals and strategy.

    Product roadmaps guide delivery and communicate your strategy

    Info-Tech Insight
    The quality of your product backlog - and your ability to realize business value from your delivery pipeline - is directly related to the input, content, and prioritization of items in your product roadmap.

    Info-Tech's approach

    Operationally align product delivery to enterprise goals

    Operationally align product delivery to enterprise goals

    The Info-Tech Difference

    Create a common definition of what a product is and identify the products in your inventory.

    Use scaling patterns to build operationally aligned product families.

    Develop a roadmap strategy to align families and products to enterprise goals and priorities.

    Use products and families to assess value realization.

    Application Portfolio Management Foundations

    • Buy Link or Shortcode: {j2store}172|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $54,542 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy

    Organizations consider application oversight a low priority and app portfolio knowledge is poor:

    • No dedicated or centralized effort to manage the app portfolio means no single source of truth is available to support informed decision making.
    • Organizations acquire more applications over time, creating redundancy, waste, and the need for additional support.
    • Organizations are more vulnerable to changing markets. Flexibility and growth are compromised when applications are unadaptable or cannot scale.

    Our Advice

    Critical Insight

    • You cannot outsource application strategy.
    • Modern software options have lessened the need for organizations to have robust in-house application management capabilities. But your applications’ future and governance of the portfolio still require centralized oversight to ensure the best overall return on investment.
    • Application portfolio management is the mechanism to ensure that the applications in your enterprise are delivering value and support for your value streams and business capabilities. Understanding value, satisfaction, technical health, and total cost of ownership are critical to digital transformation, modernization, and roadmaps.

    Impact and Result

    Build an APM program that is actionable and fit for size:

    • Understand your current state, needs, and goals for your application portfolio management.
    • Create an application and platform inventory that is built for better decision making.
    • Rationalize your apps with business priorities and communicate risk in operational terms.
    • Create a roadmap that improves communication between those who own, manage, and support your applications.

    Application Portfolio Management Foundations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Application Portfolio Management Foundations Deck – A guide that helps you establish your core application inventory, simplified rationalization, redundancy comparison, and modernization roadmap.

    Enterprises have more applications than they need and rarely apply oversight to monitor the health, cost, and relative value of applications to ensure efficiency and minimal risk. This blueprint will help you build a streamlined application portfolio management process.

    • Application Portfolio Management Foundations – Phases 1-4

    2. Application Portfolio Management Diagnostic Tool – A tool that assesses your current application portfolio.

    Visibility into your application portfolio and APM practices will help inform and guide your next steps.

    • Application Portfolio Management Diagnostic Tool

    3. Application Portfolio Management Foundations Playbook – A template that builds your application portfolio management playbook.

    Capture your APM roles and responsibilities and build a repeatable process.

    • Application Portfolio Management Foundations Playbook

    4. Application Portfolio Management Snapshot and Foundations Tool – A tool that stores application information and allows you to execute rationalization and build a portfolio roadmap.

    This tool is the central hub for the activities within Application Portfolio Management Foundations.

    • Application Portfolio Management Snapshot and Foundations Tool
    [infographic]

    Workshop: Application Portfolio Management Foundations

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Your Foundations

    The Purpose

    Work with key corporate stakeholders to come to a shared understanding of the benefits and aspects of application portfolio management.

    Key Benefits Achieved

    Establish the goals of APM.

    Set the scope of APM responsibilities.

    Establish business priorities for the application portfolio.

    Activities

    1.1 Define goals and metrics.

    1.2 Define application categories.

    1.3 Determine steps and roles.

    1.4 Weight value drivers.

    Outputs

    Set short- and long-term goals and metrics.

    Set the scope for applications.

    Set the scope for the APM process.

    Defined business value drivers.

    2 Improve Your Inventory

    The Purpose

    Gather information on your applications to build a detailed inventory and identify areas of redundancy.

    Key Benefits Achieved

    Populated inventory based on your and your team’s current knowledge.

    Understanding of outstanding data and a plan to collect it.

    Activities

    2.1 Populate inventory.

    2.2 Assign business capabilities.

    2.3 Review outstanding data.

    Outputs

    Initial application inventory

    List of areas of redundancy

    Plan to collect outstanding data

    3 Gather Application Information

    The Purpose

    Work with the application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps.

    Key Benefits Achieved

    Dispositions for individual applications

    Application rationalization framework

    Activities

    3.1 Assess business value.

    3.2 Assess end-user perspective.

    3.3 Assess TCO.

    3.4 Assess technical health.

    3.5 Assess redundancies.

    3.6 Determine dispositions.

    Outputs

    Business value score for individual applications

    End-user satisfaction scores for individual applications

    TCO score for individual applications

    Technical health scores for individual applications

    Feature-level assessment of redundant applications

    Assigned dispositions for individual applications

    4 Gather, Assess, and Select Dispositions

    The Purpose

    Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap.

    Key Benefits Achieved

    Prioritized initiatives

    Initial application portfolio roadmap

    Ongoing structure of APM

    Activities

    4.1 Prioritize initiatives

    4.2 Populate roadmap.

    4.3 Determine ongoing APM cadence.

    4.4 Build APM action plan.

    Outputs

    Prioritized new potential initiatives.

    Built an initial portfolio roadmap.

    Established an ongoing cadence of APM activities.

    Built an action plan to complete APM activities.

    Further reading

    Application Portfolio Management Foundations

    Ensure your application portfolio delivers the best possible return on investment.

    Analyst Perspective

    You can’t outsource accountability.

    Many lack visibility into their overall application portfolio, focusing instead on individual projects or application development. Inevitably, application sprawl creates process and data disparities, redundant applications, and duplication of resources and stands as a significant barrier to business agility and responsiveness. The shift from strategic investment to application maintenance creates an unnecessary constraint on innovation and value delivery.

    With the rise and convenience of SAAS solutions, IT has an increasing need to discover and support all applications in the organization. Unmanaged and unsanctioned applications can lead to increased reputational risk. What you don’t know WILL hurt you.

    You can outsource development, you can even outsource maintenance, but you cannot outsource accountability for the portfolio. Organizations need a holistic dashboard of application performance and dispositions to help guide and inform planning and investment discussions. Application portfolio management (APM) can’t tell you why something is broken or how to fix it, but it is an important tool to determine if an application’s value and performance are up to your standards and can help meet your future goals.

    The image contains a picture of Hans Eckman.

    Hans Eckman
    Principal Research Director
    Info-Tech Research Group


    Is this research right for you?

    Research Navigation

    Managing your application portfolio is essential regardless of its size or whether your software is purchased or developed in house. Each organization must have some degree of application portfolio management to ensure that applications deliver value efficiently and that their risk or gradual decline in technical health is appropriately limited.

    Your APM goals

    If this describes your primary goal(s)

    • We are building a business case to determine where and if APM is needed now.
    • We want to understand how well supported are our business capabilities, departments, or core functions by our current applications.
    • We want to start our APM program with our core or critical applications.
    • We want to build our APM inventory for less than 150 applications (division, department, operating unit, government, small enterprise, etc.).
    • We want to start simple with a quick win for our 150 most important applications.
    • We want to start with an APM pilot before committing to an enterprise APM program.
    • We need to rationalize potentially redundant and underperforming applications to determine which to keep, replace, or retire.
    • We want to start enterprise APM, with up to 150 critical applications.
    • We want to collect and analyze detailed information about our applications.
    • We need tools to help us calculate total cost of ownership (TCO) and value.
    • We want to customize our APM journey and rationalization.
    • We want to build a formal communication strategy for our APM program.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    • Organizations consider application oversight a low priority and app portfolio knowledge is poor.
    • No dedicated or centralized effort to manage the app portfolio means no single source of truth is available to support informed decision making.
    • Organizations acquire more applications over time, creating redundancy, waste, and the need for additional support.
    • Organizations are more vulnerable to changing markets. Flexibility and growth are compromised when applications are unadaptable or cannot scale.
    • APM implies taking a holistic approach and compiling multiple priorities and perspectives.
    • Organizations have limited time to act strategically or proactively and need to be succinct.
    • Uncertainties on business value prevent IT from successfully advising software decision making.
    • IT knows its technical debt but struggles to get the business to act on technical risks.
    • Attempts at exposing these problems rarely gain buy-in and discourage the push for improvement.
    • Think low priority over no priority.
    • Integrate these tasks into your mixed workload.
    • Create an inventory built for better decision making.
    • Rationalize your apps in accordance with business priorities and communicate risks on their terms.
    • Create a roadmap that improves communication between those who own, manage, and support an application.
    • Build your APM process fit for size.

    Info-Tech Insight: You can’t outsource strategy.

    Modern software options have decreased the need for organizations to have robust in-house application management capabilities. Your applications’ future and governance of the portfolio still require a centralized IT oversight to ensure the best return on investment.

    The top IT challenges for SE come from app management

    #1 challenge small enterprise owners face in their use of technology:

    Taking appropriate security precautions

    24%

    The costs of needed upgrades to technology

    17%

    The time it takes to fix problems

    17%

    The cost of maintaining technology

    14%

    Lack of expertise

    9%

    Breaks in service

    7%
    Source: National Small Business Association, 2019

    Having more applications than an organization needs means unnecessarily high costs and additional burden on the teams who support the applications. Especially in the case of small enterprises, this is added pressure the IT team cannot afford.

    A poorly maintained portfolio will eventually hurt the business more than it hurts IT.

    Legacy systems, complex environments, or anything that leads to a portfolio that can’t adapt to changing business needs will eventually become a barrier to business growth and accomplishing objectives. Often the blame is put on the IT department.

    56%

    of small businesses cited inflexible technology as a barrier to growth

    Source: Salesforce as quoted by Tech Republic, 2019

    A hidden and inefficient application portfolio is the root cause of so many pains experienced by both IT and the business.

    • Demand/Capacity Imbalance
    • Overspending
    • Security and Business Continuity Risk
    • Delays in Delivery
    • Barriers to Growth

    APM comes at a justified cost

    The image contains a screenshot of a graph to demonstrate APM and the costs.

    The benefits of APM

    APM identifies areas where you can reduce core spending and reinvest in innovation initiatives.

    Other benefits can include:

    • Fewer redundancies
    • Less risk
    • Less complexity
    • Improved processes
    • Flexibility
    • Scalability

    APM allows you to better understand and set the direction of your portfolio

    Application Inventory

    The artifact that documents and informs the business of your application portfolio.

    Application Rationalization

    The process of collecting information and assessing your applications to determine recommended dispositions.

    Application Alignment

    The process of revealing application information through interviewing stakeholders and aligning to business capabilities.

    Application Roadmap

    The artifact that showcases the strategic directions for your applications over a given timeline.

    Application Portfolio Management (APM):

    The ongoing practice of:

    • Providing visibility into applications across the organization.
    • Recommending corrections or enhancements to decision makers.
    • Aligning delivery teams on priority.
    • Showcasing the direction of applications to stakeholders.

    Create a balanced approach to value delivery

    Enterprise Agility and Value Realization

    Product Lifecycle Management

    Align your product and service improvement and execution to enterprise strategy and value realization in three key areas: defining your products and services, aligning product/service owners, and developing your product vision.

    Product Delivery Lifecycle (Agile DevOps)

    Enhance business agility by leveraging an Agile mindset and continuously improving your delivery throughput, quality, value realization, and adaptive governance.

    Application Portfolio Management

    Transform your application portfolio into a cohesive service catalog aligned to your business capabilities by discovering, rationalizing, and modernizing your applications while improving application maintenance, management, and reuse.

    The image contains a screenshot of a Thought Model on the Application Department Strategy.


    The image contains a screenshot of a Thought Model on Accelerate Your Transition to Product Delivery.

    Every organization experiences some degree of application sprawl

    The image contains a screenshot of images to demonstrate application sprawl.

    Causes of Sprawl

    • Poor Lifecycle Management
    • Turnover & Lack of Knowledge Transfer
    • Siloed Business Units & Decentralized IT
    • Business-Managed IT
    • (Shadow IT)
    • Mergers & Acquisitions

    Problems With Sprawl

    • Redundancy and Inefficient Spending
    • Disparate Apps & Data
    • Obsolescence
    • Difficulties in Prioritizing Support
    • Barriers to Change & Growth

    Application Sprawl:

    Inefficiencies within your application portfolio are created by the gradual and non-strategic accumulation of applications.

    You have more apps than you need.

    Only 34% of software is rated as both IMPORTANT and EFFECTIVE by users.

    Source: Info-Tech’s CIO Business Vision

    Build your APM journey map

    The image contains screenshots of diagrams that reviews building your APM journey map.

    Application rationalization provides insight

    Directionless portfolio of applications

    Info-Tech’s Five Lens Model

    Assigned dispositions for individual apps

    The image contains a screenshot of an example of directionless portfolio of applications.

    Application Alignment

    Business Value

    Technical Health

    End-User Perspective

    Total Cost of Ownership (TCO)

    Maintain: Keep the application but adjust its support structure.

    Modernize: Create a new initiative to address an inadequacy.

    Consolidate: Create a new initiative to reduce duplicate functionality.

    Retire: Phase out the application.

    Disposition: The intended strategic direction or implied course of action for an application.

    How well do your apps support your core functions and teams?

    How well are your apps aligned to value delivery?

    Do your apps meet all IT quality standards and policies?

    How well do your apps meet your end users’ needs?

    What is the relative cost of ownership and operation of your apps?

    Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.

    APM is an iterative and evergreen process

    APM provides oversight and awareness of your application portfolio’s performance and support for your business operations and value delivery to all users and customers.

    Determine Scope and categories Build your list of applications and capabilities Score each application based on your values Determine outcomes based on app scoring and support for capabilities

    1. Lay Your Foundations

    1.1 Assess the state of your current application portfolio.

    1.2 Determine narrative.

    1.3 Define goals and metrics.

    1.4 Define application categories.

    1.5 Determine APM steps and roles (SIPOC).

    2. Improve Your Inventory

    2.1 Populate your inventory.

    2.2 Align to business capabilities.

    *Repeat

    3. Rationalize Your Apps

    3.1 Assess business value.

    3.2 Assess technical health.

    3.3 Assess end-user perspective.

    3.4 Assess total cost of ownership.

    *Repeat

    4. Populate Your Roadmap

    4.1 Review APM Snapshot results.

    4.2 Review APM Foundations results.

    4.3 Determine dispositions.

    4.4 Assess redundancies (optional).

    4.5 Determine dispositions for redundant applications (optional).

    4.6 Prioritize initiatives.

    4.7 Determine ongoing cadence.

    *Repeat

    Repeat according to APM cadence and application changes

    Executive Brief Case Study

    INDUSTRY: Retail

    SOURCE: Deloitte, 2017

    Supermarket Company

    The grocer was a smaller organization for the supermarket industry with a relatively low IT budget. While its portfolio consisted of a dozen applications, the organization still found it difficult to react to an evolving industry due to inflexible and overly complex legacy systems.

    The IT manager found himself in a scenario where he knew the applications well but had little awareness of the business processes they supported. Application maintenance was purely in keeping things operational, with little consideration for a future business strategy.

    As the business demanded more responsiveness to changes, the IT team needed to be able to react more efficiently and effectively while still securing the continuity of the business.

    The IT manager found success by introducing APM and gaining a better understanding of the business use and future needs for the applications. The organization started small but then increased the scope over time to produce and develop techniques to aid the business in meeting strategic goals with applications.

    Results

    The IT manager gained credibility and trust within the organization. The organization was able to build a plan to move away from the legacy systems and create a portfolio more responsive to the dynamic needs of an evolving marketplace.

    The application portfolio management initiative included the following components:

    Train teams and stakeholders on APM

    Model the core business processes

    Collect application inventory

    Assign APM responsibilities

    Start small, then grow

    Info-Tech’s application portfolio management methodology

    1. Lay Your Foundations

    2. Improve Your Inventory

    3. Rationalize Your Apps

    4. Populate Your Roadmap

    Phase Activities

    1.1 Assess your current application portfolio

    1.2 Determine narrative

    1.3 Define goals and metrics

    1.4 Define application categories

    1.5 Determine APM steps and roles

    2.1 Populate your inventory

    2.2 Align to business capabilities

    3.1 Assess business value

    3.2 Assess technical health

    3.3 Assess end-user perspective

    3.4 Assess total cost of ownership

    4.1 Review APM Snapshot results

    4.2 Review APM Foundations results

    4.3 Determine dispositions

    4.4 Assess redundancies (optional)

    4.5 Determine dispositions for redundant applications (optional)

    4.6 Prioritize initiatives

    4.7 Determine ongoing APM cadence

    Phase Outcomes

    Work with the appropriate management stakeholders to:

    • Extract key business priorities.
    • Set your goals.
    • Define scope of APM effort.

    Gather information on your own understanding of your applications to build a detailed inventory and identify areas of redundancy.

    Work with application subject matter experts to collect and compile data points and determine the appropriate disposition for your apps.

    Work with application delivery specialists to determine the strategic plans for your apps and place these in your portfolio roadmap.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Application Portfolio Management Foundations Playbook

    Application Portfolio Management Snapshot and Foundations Tool

    This template allows you to capture your APM roles and responsibilities and build a repeatable process.

    This tool stores all relevant application information and allows you to assess your capability support, execute rationalization, and build a portfolio roadmap.

    The image contains screenshots of the Application Portfolio Management Foundations Playbook. The image contains screenshots of the Application Portfolio Management Snapshot and Foundations Tool.

    Key deliverable:

    Blueprint Storyboard

    This is the PowerPoint document you are viewing now. Follow this guide to understand APM, learn how to use the tools, and build a repeatable APM process that will be captured in your playbook.

    The image contains a screenshot of the blueprint storyboard.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI for on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Establish goals and foundations for your APM practice.

    Call #2:

    Initiate inventory and determine data requirements.

    Call #3:

    Initiate rationalization with group of applications.

    Call #4:

    Review result of first iteration and perform retrospective.

    Call #5:

    Initiate your roadmap and determine your ongoing APM practice.

    Note: The Guided Implementation will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our right-sized best practices in your organization. A typical GI, using our materials, is 3 to 6 calls over the course of 1 to 3 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    1. Lay Your Foundations

    2. Improve Your Inventory

    3. Rationalize Your Apps

    4. Populate Your Roadmap

    Post Workshop Steps

    Activities

    1.1 Assess your current
    application portfolio

    1.2 Determine narrative

    1.3 Define goals and metrics

    1.4 Define application categories

    1.5 Determine APM steps and roles

    2.1 Populate your inventory

    2.2 Align to business capabilities

    3.1 Assess business value

    3.2 Assess technical health

    3.3 Assess end-user perspective

    3.4 Assess total cost of ownership

    4.1 Review APM Snapshot results

    4.2 Review APM Foundations results

    4.3 Determine dispositions

    4.4 Assess redundancies (optional)

    4.5 Determine dispositions for redundant applications (optional)

    4.6 Prioritize initiatives

    4.7 Determine ongoing APM cadence

    • Complete in-progress deliverables from the previous four days.
    • Set up review time for workshop deliverables and to discuss the next steps.

    Outcomes

    Work with the appropriate management stakeholders to:

    1. Extract key business priorities
    2. Set your goals
    3. Agree on key terms and set the scope for your APM effort

    Work with your applications team to:

    1. Build a detailed inventory
    2. Identify areas of redundancy

    Work with the SMEs for a subset of applications to:

    1. Define your rationalization criteria, descriptions, and scoring
    2. Evaluate each application using rationalization criteria

    Work with application delivery specialists to:

    1. Determine the appropriate disposition for your apps
    2. Build an initial application portfolio roadmap
    3. Establish an ongoing cadence of APM activities

    Info-Tech analysts complete:

    1. Workshop report
    2. APM Snapshot and Foundations Toolset
    3. Action plan

    Note: The workshop will focus on a subset or group of applications depending on the state of your current APM inventory and available time. The goal is to use this first group to build your APM process and models to support your ongoing discovery, rationalization, and modernization efforts.

    Workshop Options

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Outcomes

    1-Day Snapshot

    3-Day Snapshot and Foundations (Key Apps)

    4-Day Snapshot and Foundations (Pilot Area)

    APM Snapshot

    • Align applications to business capabilities
    • Evaluate application support for business capabilities

    APM Foundations

    • Define your APM program and cadence
    • Rationalize applications using weighted criteria
    • Define application dispositions
    • Build an application roadmap aligned to initiatives

    Establish APM practice with a small sample set of apps and capabilities.

    Establish APM practice with a pilot group of apps and capabilities.

    Blueprint Pre-Step: Get the right stakeholders to the right exercises

    The image contains four steps and demonstrates who should be handling each exercise. 1. Lay Your Foundations, is to be handled by the APM Lead/Owner and the Key Corporate Stakeholders. 2. Improve Your Inventory, is to be handled by the APM Lead/Owner and the Applications Subject Matter Experts. 3. Rationalize Your Apps, is to be handled by the APM Lead/Owner, the Applications Subject Matter Experts, and the Delivery Leads. 4. Populate Your Roadmap, is to be handled by the APM Lead/Owner, the Key Corporate Stakeholders, and the Delivery Leads.

    APM Lead/Owner (Recommended)

    ☐ Applications Lead or the individual responsible for application portfolio management, along with any applications team members, if available

    Key Corporate Stakeholders

    Depending on size and structure, participants could include:

    ☐ Head of IT (CIO, CTO, IT Director, or IT Manager)

    ☐ Head of shared services (CFO, COO, VP HR, etc.)

    ☐ Compliance Officer, Steering Committee

    ☐ Company owner or CEO

    Application Subject Matter Experts

    Individuals who have familiarity with a specific subset of applications

    ☐ Business owners (product owners, Head of Business Function, power users)

    ☐ Support owners (Operations Manager, IT Technician)

    Delivery Leads

    ☐ Development Managers

    ☐ Solution Architects

    ☐ Project Managers

    Understand your APM tools and outcomes

    1.Diagnostic The image contains a screenshot of the diagnostic APM tool.

    5. Foundations: Chart

    The image contains a screenshot of the Foundations: Chart APM tool.

    2. Data Journey

    The image contains a screenshot of the data journey APM tool.

    6. App Comparison

    The image contains a screenshot of the App Comparison APM tool.

    3. Snapshot

    The image contains a screenshot of the snapshot APM tool.

    7. Roadmap

    The image contains a screenshot of the Roadmap APM tool.

    4. Foundations: Results

    The image contains a screenshot of the Foundations: Results APM Tool.

    Examples and explanations of these tools are located on the following slides and within the phases where they occur.

    Assess your current application portfolio with Info-Tech’s APM Diagnostic Tool

    The image contains a screenshot of the APM Diagnostic Tool.

    One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.

    APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    Interpreting your APM Snapshot results

    The image contains a screenshot of the APM snapshots results.

    Interpreting your APM Foundations results

    The image contains a screenshot of the APM Foundations results.

    Interpreting your APM Foundations chart

    The image contains a screenshot of the APM Foundations chart.

    Compare application groups

    Group comparison can be used for more than just redundant/overlapping applications.

    The image contains a screenshot of images that demonstrate comparing application groups.

    Apply Info-Tech’s 6 R’s Rationalization Disposition Model

    The image contains a screenshot of Info-Tech's 6 R's Rationalization Disposition Model.

    Disposition

    Description

    Reward

    Prioritize new features or enhancement requests and openly welcome the expansion of these applications as new requests are presented.

    Refresh

    Address the poor end-user satisfaction with a prioritized project. Consult with users to determine if UX issues require improvement to address satisfaction.

    Refocus

    Determine the root cause of the low value. Refocus, retrain, or refresh the UX to improve value. If there is no value found, aim to "keep the lights on" until the app can be decommissioned.

    Replace

    Replace or rebuild the application as technical and user issues are putting important business capabilities at risk. Decommission application alongside replacement.

    Remediate

    Address the poor technical health or risk with a prioritized project. Further consult with development and technical teams to determine if migration or refactoring is suited to address the technical issue.

    Retire

    Cancel any requested features and enhancements. Schedule the proper decommission and transfer end users to a new or alternative system if necessary.

    TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.

    Populate roadmap example

    The image contains an example of the populate roadmap.

    ARE YOU READY TO GET STARTED?

    Phase 1

    Lay Your Foundations

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    This phase involves the following participants:

    Applications Lead

    Key Corporate Stakeholders

    Additional Resources

    APM supports many goals

    Building an APM process requires a proper understanding of the underlying business goals and objectives of your organization’s strategy. Effectively identifying these drivers is paramount to gaining buy-in and the approval for any changes you plan to make to your application portfolio.

    After identifying these goals, you will need to ensure they are built into the foundations of your APM process.

    “What is most critical?” but also “What must come first?”

    Discover

    Improve

    Transform

    Collect Inventory

    Uncover Shadow IT

    Uncover Redundancies

    Anticipate Upgrades

    Predict Retirement

    Reduce Cost

    Increase Efficiency

    Reduce Applications

    Eliminate Redundancy

    Limit Risk

    Improve Architecture

    Modernize

    Enable Scalability

    Drive Business Growth

    Improve UX

    Assess your current application portfolio with Info-Tech’s APM Diagnostic Tool

    The image contains a screenshot of the APM Diagnostic Tool.

    One of the primary purposes of application portfolio management is to get what we know and need to know on paper so we can share a common vision and understanding of our portfolio. This enables better discussions and decisions with your application owners and stakeholders.

    1.1 Assess your current application portfolio with Info-Tech’s diagnostic tool

    Estimated time: 1 hour

    1. This tool provides visibility into your application portfolio and APM practices.
    2. Based on your assessment, you should gain a better understanding of whether the appropriate next steps are in application discovery, rationalization, or roadmapping.
    3. Complete the “Data Entry” worksheet in the Application Portfolio Management Diagnostic Tool (Excel).
    4. Review the “Results” worksheet to help inform and guide your next steps.

    Download the Application Portfolio Management Diagnostic Tool

    Input Output
    • Current APM program
    • Application landscape
    • APM current-state assessment
    Materials Participants
    • Application Portfolio Management Diagnostic Tool
    • Applications Lead

    1.1 Understanding the diagnostic results

    • Managed Apps are your known knowns and most of your portfolio.
    • Unmanaged and Unsanctioned Apps are known but have unknown risks and compliance. Bring these under IT support.
    • Unknown Apps are high risk and noncompliant. Prioritize these based on risk, cost, and use.
    The image contains a screenshot of the diagnostic APM tool.
    • APM is more than an inventory and assessment. A strong APM program provides ongoing visibility and insights to drive application improvement and value delivery.
    • Use your Sprawl Factors to identify process and organizational gaps that may need to be addressed.
    • Your APM inventory is only as good as the information in it. Use this chart to identify gaps and develop a path to define missing information.
    • APM is an iterative process. Use this state assessment to determine where to focus most of your current effort.

    Understand potential motivations for APM

    The value of APM is defined by how the information will be used to drive better decisions.

    Portfolio Governance

    Transformative Initiatives

    Event-Driven Rationalization

    Improves:

    • Spending efficiency
    • Risk
    • Retirement of aged and low-value applications
    • Business enablement

    Impact on your rationalization framework:

    • Less urgent
    • As rigorous as appropriate
    • Apply in-depth analysis as needed

    Enables:

    • Data migration or harmonization
    • Legacy modernization
    • Infrastructure/cloud migration
    • Standardizing platforms
    • Shift to cloud and SAAS

    Impact on your rationalization framework:

    • Time sensitive
    • Scope on impacted areas
    • Need to determine specific dispositions
    • Outcomes need to include detailed and actionable steps

    Responds to:

    • Mergers and acquisitions
    • Regulatory and compliance change
    • New applications
    • Application retirement by vendors
    • Changes in business operations
    • Security risks and BC/DR

    Impact on your rationalization framework:

    • Time constrained
    • Lots of discovery work
    • Primary focus on duplication
    • Increased process and system understanding

    Different motivations will influence the appropriate approach to and urgency of APM or, specifically, rationalizing the portfolio. When rationalizing is directly related to enabling or in response to a broader initiative, you will need to create a more structured approach with a formal budget and resources.

    1.2 Determine narrative

    Estimated time: 30 minutes-2 hours

    1. Open the “Narrative” tab in the APM Snapshot and Foundations Tool.
    2. Start by listing your prevailing IT pain points with the application portfolio. These will be the issues experienced predominantly by the IT team and not necessarily by the stakeholders. Be sure to distinguish pain points from their root causes.
    3. Determine an equivalent business pain point for each IT pain point. This should be how the problem manifests itself to business stakeholders and should include potential risks to the organization is exposed to.
    4. Determine the business goal for each business pain point. Ideally, these are established organizational goals that key decision-makers will recognize. These goals should address the business pain points you have documented.
    5. Determine the technical objective for each business goal. These speak to the general corrections or enhancements to the portfolio required to accomplish the business goals.
    6. Use the “Narrative - Matrix” worksheet to group items into themes if needed.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Familiarity with application landscape
    • Organizational context and strategic artifacts
    • Narrative for application portfolio transformation
    Materials Participants
    • APM Snapshot and Foundations Tool
    • Application Portfolio Manager

    Connect your pains to what the business cares about to find the most effective narrative

    Root Cause

    IT Pain Points

    Business Pain Points

    Business Goals

    Narrative

    Technical Objectives

    Sprawl

    Shadow IT/decentralized oversight

    Neglect over time

    Poor delivery processes

    Back-End Complexity

    Disparate Data/Apps

    Poor Architectural Fit

    Redundancy

    Maintenance Demand/
    Resource Drain

    Low Maintainability

    Technical Debt

    Legacy, Aging, or Expiring Apps

    Security Vulnerabilities

    Unsatisfied Customers

    Hurdles to Growth/Change

    Poor Business Analytics

    Process Inefficiency

    Software Costs

    Business Continuity Risk

    Data Privacy Risk

    Data/IP Theft Risk

    Poor User Experience

    Low-Value Apps

    Scalability

    Flexibility/Agility

    Data-Driven Insights

    M&A Transition

    Business Unit Consolidation/ Centralization

    Process Improvement

    Process Modernization

    Cost Reduction

    Stability

    Customer Protection

    Security

    Employee Enablement

    Business Enablement

    Innovation

    Create Strategic Alignment

    Identify specific business capabilities that are incompatible with strategic initiatives.

    Reduce Application Intensity

    Highlight the capabilities that are encumbered due to functional overlaps and complexity.

    Reduce Software Costs

    Specific business capabilities come at an unnecessarily or disproportionately high cost.

    Mitigate Business Continuity Risk

    Specific business capabilities are at risk of interruption or stoppages due to unresolved back-end issues.

    Mitigate Security Risk

    Specific business capabilities are at risk due to unmitigated security vulnerabilities or breaches.

    Increase Satisfaction Applications

    Specific business capabilities are not achieving their optimal business value.

    Platform Standardization

    Platform Standardization Consolidation

    Data Harmonization

    Removal/Consolidation of Redundant Applications

    Legacy Modernization

    Application Upgrades

    Removal of Low-Value Applications

    1.3 Define goals and metrics

    Estimated time: 1 hour

    1. Determine the motivations behind APM. You may want to collect and review any of the organization’s strategic documents that provide additional context on previously established goals.
    2. With the appropriate stakeholders, discuss the goals of APM. Try to label your goals as either:
      1. Short term: Refers to immediate goals used to represent the progress of APM activities. Likely these goals are more IT-oriented
      2. Long term: Refers to broader and more distant goals more related to the impact of APM. These goals tend to be more business-oriented.
    3. To help clearly define your goals, discuss appropriate metrics for each goal. Often these metrics can be expressed as:
      1. Leading indicators: Metrics used to gauge the success of your short-term goals and the progress of APM activities.
      2. Lagging indicators: Metrics used to gauge the success of your long-term goals.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Overarching organizational strategy
    • IT strategy
    • Defined goals and metrics for APM
    Materials Participants
    • Whiteboard
    • Markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    1.3 Define goals and metrics: Example

    Goals

    Metric

    Target

    Short Term

    Improve ability to inform the business

    Leading Indicators

    • Application inventory with all data fields completed
    • Applications with recommended dispositions
    • 80% of portfolio

    Improve ownership of applications

    • Applications with an assigned business and technical owner
    • 80% of portfolio

    Reduce costs of portfolio

    • TCO of full application portfolio
    • The number of recovered/avoided software licenses from retired apps
    • Reduce by 5%
    • $50,000

    Long Term

    Migrate platform

    Lagging Indicators

    • Migrate all applications
    • Total value change in on-premises apps switched to SaaS
    • 100% of applications
    • Increase 50%

    Improve overall satisfaction with portfolio

    • End-user satisfaction rating
    • Increase 25%

    Become more customer-centric

    • Increased sales
    • Increased customer experience
    • Increase 35%

    “Application” doesn’t have the same meaning to everyone

    The image contains a picture of Martin Fowler.

    Code: A body of code that's seen by developers as a single unit.

    Functionality: A group of functionality that business customers see as a single unit.

    Funding: An initiative that those with the money see as a single budget.

    ?: What else?

    “Essentially applications are social constructions.

    Source: Martin Fowler

    APM focuses on business applications.

    “Software used by business users to perform a business function.”

    – ServiceNow, 2020

    Unfortunately, that definition is still quite vague.

    You must set boundaries and scope for “application”

    1. Many individual items can be considered applications on their own or components within or associated with an application.

    2. Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM.

    Different categories of applications may be out of scope or handled differently within the activities and artifacts of APM.

    • Interface
    • Software Component
    • Supporting Software
    • Platform
    • Presentation Layer
    • Middleware
    • Micro Service
    • Database
    • UI
    • API
    • Data Access/ Transfer/Load
    • Operating System

    Apps can be categorized by generic categories

    • Enterprise Applications
    • Unique Function-Specific Applications
    • Productivity Tools
    • Customer-Facing Applications
    • Mobile Applications

    Apps can be categorized by bought vs. built or install types

    • Custom
    • On-Prem
    • Off the Shelf
    • SaaS
    • Hybrid
    • End-User-Built Tools

    Apps can be categorized by the application family

    • Parent Application
    • Child Application
    • Package
    • Module
    • Suite
    • Component (Functional)

    Apps can be categorized by the group managing them

    • IT-Managed Applications
    • Business-Managed Applications (Shadow IT)
    • Partner/External Applications

    Apps can be categorized by tiers

    • Mission Critical
    • Tier 2
    • Tier 3

    Set boundaries on what is an application or the individual unit that you’re making business decisions on. Also, determine which categories of applications are in scope and how they will be included in the activities and artifacts of APM. Use your product families defined in Deliver Digital Products at Scale to help define your application categories, groups, and boundaries.

    1.4 Define application categories

    Estimated time: 1 hour

    1. Review the items listed on the previous slide and consider what categories provide the best initial grouping to help organize your rationalization and dispositions. Update the category list to match your application groupings.
    2. Identify the additional categories you need to manage in your application portfolio.
    3. For each category, establish or modify a description or definition and provide examples that exist in your current portfolio.
    4. For each category, answer:
      1. Will these be documented in the application inventory?
      2. Will these be included in application rationalization? Think about if this item will be assigned a TCO, value score, and, ultimately, a disposition.
      3. Will these be listed in the application portfolio roadmap?
    5. If you completed Deliver Digital Products at Scale, use your product families to help define your application categories.

    Record the results in the APM Snapshot and Foundations Tool

    InputOutput
    • Working list of applications
    • Definitions and guidelines for which application categories are in scope for APM
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    1.4 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    1.4 Define application categories: Example

    Category

    Definition/Description

    Examples

    Documented in your application inventory?

    Included in application rationalization?

    Listed in your application portfolio roadmap?

    Business Application

    End-user facing applications that directly enable specific business functions. This includes enterprise-wide and business-function-specific applications. Separate modules will be considered a business application when appropriate.

    ERP system, CRM software, accounting software

    Yes

    Yes. Unless currently in dev. TCO of the parent application will be divided among child apps.

    Yes

    Software Components

    Back-end solutions are self-contained units that support business functions.

    ETL, middleware, operating systems

    No. Documentation in CMDB. These will be listed as a dependency in the application inventory.

    No. These will be linked to a business app and included in TCO estimates and tech health assessments.

    No

    Productivity Tools

    End-user-facing applications that enable standard communication of general document creation.

    MS Word, MS Excel, corporate email

    Yes

    No

    Yes

    End-User- Built Microsoft Tools

    Single instances of a Microsoft tool that the business has grown dependent on.

    Payroll Excel tool, Access databases

    No. Documentation in Business Tool Glossary.

    No No

    Partner Applications

    Partners or third-party applications that the business has grown dependent on but are internally owned or managed.

    Supplier’s ERP portal, government portal

    No No

    Yes

    Shadow IT

    Business-managed applications.

    Downloaded tools

    Yes

    Yes. However, just from a redundancy perspective.

    Yes

    The roles in APM rarely exist; you need to adapt

    Application Portfolio Manager

    • Responsible for the health and evolution of the application portfolio.
    • Facilitates the rationalization process.
    • Compiles and assesses application information and recommends and supports key decisions regarding the direction of the applications.
    • This is rarely a dedicated role even in large enterprises. For small enterprises, this should be an IT employee at a manager level – an IT manager or operations manager.

    Business Owner

    • Responsible for managing individual applications on a functional level and approves and prioritizes projects.
    • Provides business process or functional subject matter expertise for the assessment of applications.
    • For small enterprises, this role is rarely defined, but the responsibility should exist. Consider the head of a business unit or a process owner as the owner of the application.

    Support Owner

    • Responsible for the maintenance and management of individual applications.
    • Provides technical information and subject matter expertise for the assessment of an application.
    • For small enterprises, this would be those responsible for maintaining the application and those responsible for its initial implementation. Often support responsibilities are external, and this role will be more of a vendor manager.

    Project Portfolio Manager

    • Responsible for intake, planning, and coordinating the resources that deliver any changes.
    • The body that consumes the results of rationalization and begins planning any required action or project.
    • For small enterprises, the approval process can come from a steering committee but it is often less formal. Often a smaller group of project managers facilitates planning and coordination and works closely with the delivery leads.

    Corner-of-the-Desk Approach

    • No one is explicitly dedicated to building a strategy or APM practices.
    • Information is collected whenever the applications team has time available.
    • Benefits are pushed out and the value is lost.

    Dedicated Approach

    • The initiative is given a budget and formal agenda.
    • Roles and responsibilities are assigned to team members.

    The high-level steps of APM present some questions you need to answer

    Build Inventory

    Create the full list of applications and capture all necessary attributes.

    • Who will build the inventory?
    • Do you know all your applications (Shadow IT)?
    • Do you know your applications’ functionality?
    • Do you know where your applications overlap?
    • Who do you need to consult with to fill in the gaps?
    • Who will provide specific application information?

    Collect & Compile

    Engage with appropriate SMEs and collect necessary data points for rationalization.

    • Who will collect and compile the data points for rationalization?
    • What are the specific data points?
    • Are some of the data points currently documented?
    • Who will provide specific data points on technical health, cost, performance, and business value?
    • Who will determine what business value is?

    Assess & Recommend

    Apply rationalization framework and toolset to determine dispositions.

    • Who will apply a rationalization tool or decision-making framework to generate dispositions for the applications?
    • Who will modify the tool or framework to ensure results align to the goals of the organization?
    • Who will define any actions or projects that result from the rationalization? And who needs to be consulted to assess the feasibility of any potential project?

    Validate & Roadmap

    Present dispositions for validation and communicate any decisions or direction for applications.

    • Who will present the recommended disposition, corrective action, or new project to the appropriate decision maker?
    • Who is the appropriate decision maker for application changes or project approval?
    • What format is recommended (idea, proposal, business case) and what extra analysis is required?
    • Who needs to be consulted regarding the potential changes?

    1.5 Determine APM steps and roles (SIPOC)

    Estimated time: 1-2 hours

    1. Begin by comparing Info-Tech’s list of common APM roles to the roles that exist in your organization with respect to application management and ownership.
    2. There are four high-level steps for APM: build inventory, collect & compile, assess & recommend, and validate & roadmap. Apply the SIPOC (Supplier, Input, Process, Output, Customer) model by completing the following for each step:
      1. In the Process column, modify the description, if necessary. Identify who is responsible for performing the step.
      2. In the Inputs column, modify the list of inputs.
      3. In the Suppliers column, identify who must be included to provide the inputs.
      4. In the Outputs column, modify the list of outputs.
      5. In the Customers column, identify who consumes the outputs.
    3. (Optional) Outline how the results of APM will be consumed. For example, project intake or execution, data or platform migration, application or product management, or whichever is appropriate.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Existing function and roles regarding application delivery, management, and ownership
    • Scope of APM
    • Responsibilities assigned to your roles
    Materials Participants
    • Whiteboard and markers
    • “Supporting Activities – SIPOC” worksheet in the APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    1.5 Determine steps and roles

    Suppliers

    Inputs

    Process

    Outputs

    Customers

    • Applications Manager
    • Operations Manager
    • Business Owners
    • IT Team
    • List of applications
    • Application attributes
    • Business capabilities

    Build Inventory

    Create the full list of applications and capture all necessary attributes.

    Resp: Applications Manager & IT team member

    • Application inventory
    • Identified redundancies
    • Whole organization
    • Applications SMEs
    • Business Owners
    • Support Owners & Team
    • End Users
    • Application inventory
    • Existing documentation
    • Additional collection methods
    • Knowledge of business value, cost, and performance for each application

    Collect & Compile

    Engage with appropriate SMEs and collect necessary data points for rationalization.

    Resp: IT team member

    • Data points of business value, cost, and performance for each application
    • Applications Manager
    • Applications Manager
    • Defined application rationalization framework and toolset
    • Data points of business value, cost, and performance for each application

    Assess & Recommend

    Apply rationalization framework and toolset to determine dispositions.

    Resp: Applications Manager

    • Assigned disposition for each application
    • New project ideas for applications
    • Business Owners
    • Steering Committee
    • Business Owners
    • Steering Committee
    • Assigned disposition for each application
    • New project ideas for applications
    • Awareness of goals and priorities
    • Awareness of existing projects and resources capacity

    Validate & Roadmap

    Present dispositions for validation and communicate any decisions or direction for applications.

    Resp: Applications Manager

    • Application portfolio roadmap
    • Confirmed disposition for each application
    • Project request submission
    • Whole organization
    • Applications Manager
    • Solutions Engineer
    • Business Owner
    • Project request submission
    • Estimated cost
    • Estimated value or ROI

    Project Intake

    Build business case for project request.

    Resp: Project Manager

    • Approved project
    • Steering Committee

    Planning your APM modernization journey steps

    Discovery Rationalization Disposition Roadmap

    Enter your pilot inventory.

    • Optional Snapshot: Populate your desired snapshot grouping lists (departments, functions, groups, capabilities, etc.).

    Score your pilot apps to refine your rationalization criteria and scoring.

    • Score 3 to 9 apps to adjust and get comfortable with the scoring.
    • Validate scoring with the remaining apps in your pilot group. Refine and finalize the criteria and scoring descriptions.
    • Optional Snapshot: Use the Group Alignment Matrix to match your grouping list to select which apps support each grouping item.

    Determine recommended disposition for each application.

    • Review and adjust the disposition recommendations on the “Disposition Options” worksheet and set your pass/fail threshold.
    • Review your apps on the “App Rationalization Results” worksheet. Update (override) the recommended disposition and priority if needed.

    Populate your application roadmap.

    • Indicate programs, projects, initiatives, or releases that are planned for each app.
    • Update the priority based on the initiative.
    • Use the visual roadmap to show high-level delivery phases.

    Phase 2

    Improve Your Inventory

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    This phase involves the following participants:

    • Applications Lead
    • Applications Team

    Additional Resources

    Document Your Business Architecture

    Industry Reference Architectures

    Application Capability Template

    Pre-step: Collect your applications

    1. Consult with your IT team and leverage any existing documentation to gather an initial list of your applications.
    2. Build an initial working list of applications. This is just meant to be a starting point. Aim to include any new applications in procurement, implementation, or development.
    3. The rationalization and roadmapping phases are best completed when iteratively focusing on manageable groups of applications. Group your applications into subsets based on shared subject matter experts. Likely this will mean grouping applications by business units.
    4. Select a subset to be the first group of applications that will undergo the activities of rationalization and roadmapping to refine your APM processes, scoring, and disposition selection.

    Info-Tech Best Practice

    The more information you plan to capture, the larger the time and effort, especially as you move along toward advanced and strategic items. Capture the information most aligned to your objectives to make the most of your investment.

    If you completed Deliver Digital Products at Scale, use your product families and products to help define your applications.

    Learn more about automated application discovery:
    High Application Satisfaction Starts With Discovering Your Application Inventory

    Discover your applications

    The image contains a screenshot of examples of applications that support APM.

    2.1 Populate your inventory

    Estimated time: 1-4 hours per group

    1. Review Info-Tech’s list of application inventory attributes.
    2. Open the “Application Inventory Details” tab of the APM Snapshot and Foundations Tool. Modify, add, or omit attributes.
    3. For each application, populate your prioritized data fields or any fields you know at the time of discovery. You will complete all the fields in future iterations.
    4. Complete this the best you can based on your team’s familiarity and any readily available documentation related to these applications.
    5. Use the drop-down list to select Enabling, Redundant/Overlapping, and Dependent apps. This will be used to help determine dispositions and comparisons.
    6. Highlight missing information or placeholder values that need to be verified.

    Record the results in the APM Snapshot and Foundations Tool

    Input Output
    • Working list of applications
    • Determined attributes for inventory
    • Populated inventory
    Materials Participants
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Any Applications Team Members

    2.1 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    Why is the business capability so important?

    For the purposes of an inventory, business capabilities help all stakeholders gain a sense of the functionality the application provides.

    However, the true value of business capability comes with rationalization.

    Upon linking all the organization’s applications to a standardized and consistent set of business capabilities, you can then group your applications based on similar, complementary, or overlapping functionality. In other words, find your redundancies and consolidation opportunities.

    Important Consideration

    Defining business capabilities and determining the full extent of redundancy is a challenging undertaking and often is a larger effort than APM all together.

    Business capabilities should be defined according to the unique functions and language of your organization, at varying levels of granularity, and ideally including target-state capabilities that identify gaps in the future strategy.

    This blueprint provides a simplified and generic list for the purpose of categorizing similar functionality. We strongly encourage exploring Document Your Business Architecture to help in the business capability defining process, especially when visibility into your portfolio and knowledge of redundancies is poor.

    The image contains a screenshot of the business capability scenarios.

    For a more detailed capability mapping, use the Application Portfolio Snapshot and the worksheets in your current workbook.

    What is a business capability map?

    The image contains a screenshot of a business capability map.

    A business capability map (BCM) is an abstraction of business operations that helps describe what the enterprise does to achieve its vision, mission, and goals. Business capabilities are the building blocks of the enterprise. They are typically defined at varying levels of granularity and include target-state capabilities that identify gaps in the future strategy. These are the people, process, and tool units that deliver value to your teams and customers.

    Info-Tech’s Industry Coverage and Reference Architectures give you a head start on producing a BCM fit for your organization. The visual to the left is an example of a reference architecture for the retail industry.

    These are the foundational piece for our Application Portfolio Snapshot. By linking capabilities to your supporting applications, you can better visualize how the portfolio supports the organization at a single glance. More specifically, you can highlight how issues with the portfolio are impacting capability delivery.

    Reminder: Best practices imply that business capabilities are methodologically defined by business stakeholders and business architects to capture the unique functions and language of your organization.

    The approach laid out in this service is about applying minimal time and effort to make the case for proper investment into the best practices, which can include creating a tailored BCM. Start with a good enough example to produce a useful visual and generate a positive conversation toward resourcing and analyses.

    We strongly encourage exploring Document Your Business Architecture and the Application Portfolio Snapshot to understand the thorough methods and tactics for BCM.

    Why perform a high-level application alignment before rationalization?

    Having to address redundancy complicates the application rationalization process. There is no doubt that assessing applications in isolation is much easier and allows you to arrive at dispositions for your applications in a timelier manner.

    Rationalization has two basic steps: first, collect and compile information, and second, analyze that information and determine a disposition for each application. When you don’t have redundancy, you can analyze an application and determine a disposition in isolation. When you do have redundancies, you need to collect information for multiple applications, likely across departments or lines of business, then perform a comparative analysis.

    Most likely your approach will fall somewhere between the examples below and require a hybrid approach.

    Benefits of a high-level application alignment:

    • Review the degree of redundancy across your portfolio.
    • Understand the priority areas for rationalization and the sequence of information collection.

    The image contains a screenshot of a timeline of rationalization effort.

    2.2 Align apps to capabilities and functions

    Estimated time: 1-4 hours per grouping

    The APM tool provides up to three different grouping comparisons to assess how well your applications are supporting your enterprise. Although business capabilities are important, identify your organizational perspectives to determine how well your portfolio supports these functions, departments, or value streams. Each grouping should be a consistent category, type, or arrangement of applications.

    1. Enter the business capabilities, from either your own BCM or the Info-Tech reference architectures, into the Business Capability column under Grouping 1.
    2. Open the “Group 1 Alignment Matrix” worksheet in the APM Snapshot and Foundations Tool.
    3. For each application’s row, enter an “X” in the column of a capability that the application supports.
    4. Optionally, repeat these steps under Grouping 2 and 3 for each value stream, department, function, or business unit where you’d like to assess application support. Note: To use Grouping 3, unhide the columns on the “Application and Group Lists” worksheet and unhide the worksheet “Grouping 3 Alignment Matrix.”

    Record the results in the APM Snapshot and Foundations Tool

    InputOutput
    • Application inventory
    • List of business capabilities, Info-Tech Reference Architecture capabilities, departments, functions, divisions, or value streams for grouping comparison
    • Assigned business capabilities to applications
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Any Applications Team Members

    2.2 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    2.2 Aligning applications to groups example

    Alignment Matrix: Identify applications supporting each capability or function.

    Capability, Department, or Function 1

    Capability, Department, or Function 2

    Capability, Department, or Function 3

    Capability, Department, or Function 4

    Capability, Department, or Function 5

    Capability, Department, or Function 6

    Application A

    x

    Application B

    x

    Application C

    x

    Application D

    x

    Application E

    x x

    Application F

    x

    Application G

    x

    Application H

    x

    Application I

    x

    Application J

    x

    In this example:

    BC 1 is supported by App A

    BC 2 is supported by App B

    BC 3 is supported by Apps C & D

    BCs 4 & 5 are supported by App E

    BC 6 is supported by Apps F-G. BC 6 shows an example of potential redundancy and portfolio complexity.

    The APM tool supports three different Snapshot groupings. Repeat this exercise for each grouping.

    Align application to capabilities – tool view

    The image contains screenshots of the align application to capabilities - tool view

    Phase 3

    Rationalize Your Applications

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    This phase involves the following participants:

    • Applications Lead
    • Application SMEs

    Additional Resources

    Phase pre-step: Sequence rationalization assessments appropriately

    Use the APM Snapshot results to determine APM iterations

    • Application rationalization requires an iterative approach.
    • Review your application types and alignment from Phase 2 to begin to identify areas of overlapping or redundant applications.
    • Sequence the activities of Phase 3 based on whether you have a:
      • Redundant Portfolio
        • Use the APM Snapshot to prioritize analysis by grouping.
        • Complete the application functional analysis.
        • Use the “Application Comparison” worksheet to aid your comparison of application subsets.
        • Update application dispositions and roadmap initiatives.
      • Non-Redundant Portfolio
        • Use the APM Snapshot to prioritize analysis by grouping.
        • Update application dispositions and roadmap initiatives.

    The image contains a screenshot of a timeline of rationalization effort.

    Phase pre-step: Are the right stakeholders present?

    Make sure you have the right people at the table from the beginning.

    • Application rationalization requires specific stakeholders to provide specific data points.
    • Ensure your application subsets are grouped by shared subject matter experts. Ideally, these are grouped by business units.
    • For each subset, identify the appropriate SMEs for the five areas of rationalization criteria.
    • Communicate and schedule interviews with groups of stakeholders. Inform them of additional information sources to have readily available.
    • (Optional) This phase’s activities follow the clockwise sequence of the diagram to the right. Reorder the sequence of activities based on overlaps of availability in subject matter expertise.

    Application

    Rationalization

    Additional Information Sources

    Ideal Stakeholders

    • KPIs

    Business Value

    • Business Application/Product Owners
    • Business Unit/ Process Owners
    • Survey Results

    End User

    • Business Application/ Product Owners
    • Key/Power Users
    • End Users
    • General Ledger
    • Service Desk
    • Vendor Contracts

    TCO

    • Operations/Maintenance Manager
    • Vendor Managers
    • Finance & Acct.
    • Service Desk
    • ALM Tools

    Technical Health

    • Operations/ Maintenance Manager
    • Solution Architect
    • Security Manager
    • Dev. Manager
    • Capability Maps
    • Process Maps

    Application Alignment

    • Business Unit/ Process Owners

    Rationalize your applications

    The image contains screenshots of diagrams that reviews building your APM journey map.

    One of the principal goals of application rationalization is determining dispositions

    Disposition: The intended strategic direction or course of action for an application.

    Directionless portfolio of applications

    Assigned dispositions for individual apps

    High-level examples:

    The image contains a screenshot of an image that demonstrates a directionless portfolio of applications.

    Maintain: Keep the application but adjust its support structure.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Modernize: Create a new project to address an inadequacy.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Consolidate: Create a new project to reduce duplicate functionality.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Retire: Phase out the application.

    The image contains screenshots of a few images taken from the directionless application to demonstrate the text above.

    Application rationalization provides insight

    Directionless portfolio of applications

    Info-Tech’s Five Lens Model

    Assigned dispositions for individual apps

    The image contains a screenshot of an example of directionless portfolio of applications.

    Application Alignment

    Business Value

    Technical Health

    End-User Perspective

    Total Cost of Ownership (TCO)

    Maintain: Keep the application but adjust its support structure.

    Modernize: Create a new initiative to address an inadequacy.

    Consolidate: Create a new initiative to reduce duplicate functionality.

    Retire: Phase out the application.

    Disposition: The intended strategic direction or implied course of action for an application.

    How well do your apps support your core functions and teams?

    How well are your apps aligned to value delivery?

    Do your apps meet all IT quality standards and policies?

    How well do your apps meet your end users’ needs?

    What is the relative cost of ownership and operation of your apps?

    Application rationalization requires the collection of several data points that represent these perspectives and act as the criteria for determining a disposition for each of your applications.

    Disposition: The intended strategic direction or implied course of action for an application.

    3.1-3.4 APM worksheet data journey map

    The image contains a screenshot of the APM worksheet data journey map.

    Assessing application business value

    The Business Business Value of Applications IT
    Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the applications. Technical subject matter experts of the applications they deliver and maintain. Each IT function works together to ensure quality applications are delivered to stakeholder expectations.

    First, the authorities on business value need to define and weigh their value drivers that describe the priorities of the organization.

    This will then allow the applications team to apply a consistent, objective, and strategically aligned evaluation of applications across the organization.

    In this context…business value is the value of the business outcome that the application produces and how effective the application is at producing that outcome.

    Business value IS NOT the user’s experience or satisfaction with the application.

    Review the value drivers of your applications

    The image contains a screenshot of a the business value matrix.

    Financial vs. Human Benefits

    Financial benefits refer to the degree to which the value source can be measured through monetary metrics and are often quite tangible.

    Human benefits refer to how an application can deliver value through a user’s experience.

    Inward vs. Outward Orientation

    Inward orientation refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations.

    Outward orientation refers to value sources that come from your interaction with external factors, such as the market or your customers.

    Increased Revenue

    Reduced Costs

    Enhanced Services

    Reach Customers

    Application functions that are specifically related to the impact on your organization’s ability to generate revenue and deliver value to your customers.

    Reduction of overhead. The ways in which an application limits the operational costs of business functions.

    Functions that enable business capabilities that improve the organization’s ability to perform its internal operations.

    Application functions that enable and improve the interaction with customers or produce market information and insights.

    3.1 Assess business value

    Estimated time: 1 -4 hours

    1. Review Info-Tech’s four quadrants of business value: increase revenue/value, reduce costs, enhance services, and reach customers. Edit your value drivers, description, and scoring on the “Rationalization Inputs” worksheet. For each value driver, update the key indicators specific to your organization’s priorities. When editing the scoring descriptions, keep only the one you are using.
    2. (Optional) Add an additional value driver if your organization has distinct value drivers (e.g. compliance, sustainability, innovation, and growth).
    3. For each application, score on a scale of 0 to 5 how impactful the application is for each value driver. Use the indicators set in Phase 1 to guide your scoring.
    4. For each value driver, adjust the criteria weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.

    Record the results in the APM Snapshot and Foundations Tool

    InputOutput
    • Knowledge of organizational priorities
    • (Optional) Existing mission, vision, and value statements
    • Scoring scheme for assessing business value
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Key Corporate Stakeholders

    3.1 Weigh value drivers: Example

    The image contains a screenshot example of the weigh value drivers.

    For additional support in implementing a balanced value framework, refer to Build a Value Measurement Framework.

    Understand the back end and technical health of your applications

    Technical health identifies the extent of technology risk to the organization.

    MAINTAINABILITY (RAS)

    RAS refers to an app’s reliability, availability, and serviceability. How often, how long, and how difficult is it for your resources to keep an app functioning, and what are the resulting continuity risks? This can include root causes of maintenance challenges.

    SECURITY

    Applications should be aligned and compliant with ALL security policies. Are there vulnerabilities or is there a history of security incidents? Remember that threats are often internal and non-malicious.

    ADAPTABILITY

    How easily can the app be enhanced or scaled to meet changes in business needs? Does the app fit within the business strategy?

    INTEROPERABILITY

    The degree to which an app is integrated with current systems. Apps require comprehensive technical planning and oversight to ensure they connect within the greater application architecture. Does the app fit within your enterprise architecture strategy?

    BUSINESS CONTINUITY/DISASTER RECOVERY

    The degree to which the application is compatible with business continuity/disaster recovery (BC/DR) policies and plans that are routinely tested and verified.

    Unfortunately, the business only cares about what they can see or experience. Rationalization is your opportunity to get risk on the business’ radar and gain buy-in for the necessary action.

    3.2 Assess technical health

    Estimated time: 1-4 hours

    1. Review Info-Tech’s suggested technical health criteria. Edit your criteria, descriptions, and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
    2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
    3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.
    InputOutput
    • Familiarity of technical health perspective for applications within this subset
    • Maintenance history, architectural models
    • Technical health scores for each application
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Technical SMEs
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    End users provide valuable perspective

    Your end users are your best means of determining front-end issues.

    Data Quality

    To what degree do the end users find the data quality sufficient to perform their role and achieve their desired outcome?

    Effectiveness

    To what degree do the end users find the application effective for performing their role and desired outcome?

    Usability

    To what degree do the end users find the application reliable and easy to use to achieve their desired outcome?

    Satisfaction

    To what degree are end users satisfied with the features of this application?

    What else matters to you?

    Tune your criteria to match your values and priorities.

    Info-Tech Best Practice

    When facing large user groups, do not make assumptions or use lengthy methods of collecting information. Use Info-Tech’s Application Portfolio Assessment to collect data by surveying your end users’ perspectives.

    3.3 Assess end-user perspective

    Estimated time: 1-4 hours

    1. Review Info-Tech’s suggested end-user perspective criteria. Edit your criteria, descriptions and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
    2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
    3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.
    InputOutput
    • Familiarity of end user’s perspective for applications within this subset
    • User satisfaction scores for each application
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners, Key Users
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Consider the spectrum of application cost

    An application’s cost extends past a vendor’s fee and even the application itself.

    LICENSING AND SUBSCRIPTIONS: Your recurring payments to a vendor.

    Many commercial off-the-shelf applications require a license on a per-user basis. Review contracts and determine costs by looking at per-user or fixed rates charged by the vendor.

    MAINTENANCE COSTS: Your internal spending to maintain an app.

    These are the additional costs to maintain an application such as support agreements, annual maintenance fees, or additional software or hosting expenses.

    INDIRECT COSTS: Miscellaneous expenses necessary for an app’s continued use.

    Expenses like end-user training, developer education, and admin are often neglected, but they are very real costs organizations pay regularly.

    RETURN ON INVESTMENT: Perceived value of the application related to its TCO.

    Some of our most valuable applications are the most expensive. ROI is an optional criterion to account for the value and importance of the application.

    Info-Tech Best Practice

    The TCO assessment is one area where what you are considering the ”application” matters quite a bit. An application’s peripherals or software components need to be considered in your estimates. For additional help calculating TCO, use the Application TCO Calculator from Build a Rationalization Framework.

    3.4 Assess total cost of ownership

    Estimated time: 1-4 hours

    1. Review Info-Tech’s suggested TCO criteria. Edit your criteria, descriptions, and scoring on the “Rationalization Inputs” worksheet. For each criterion, update the key indicators specific to your organization’s priorities.
    2. For each application, score on a scale of 1 to 5 on how impactful the application is for each criterion.
    3. For each criterion, adjust the weighting to match its relative importance to the organization. Start with a balanced or low weighting. Adjust the weights to ensure that the category score matches your relative values and priorities.
    InputOutput
    • Familiarity with the TCO for applications within this subset
    • Vendor contracts, maintenance history
    • TCO scores for each application
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners, Vendor Managers, Operations Managers
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Phase 4

    Populate Your Roadmap

    Phase 1

    1.1 Assess Your Current Application Portfolio

    1.2 Determine Narrative

    1.3 Define Goals and Metrics

    1.4 Define Application Categories

    1.5 Determine APM Steps and Roles

    Phase 2

    2.1 Populate Your Inventory

    2.2 Align to Business Capabilities

    Phase 3

    3.1 Assess Business Value

    3.2 Assess Technical Health

    3.3 Assess End-User Perspective

    3.4 Assess Total Cost of Ownership

    Phase 4

    4.1 Review APM Snapshot Results

    4.2 Review APM Foundations Results

    4.3 Determine Dispositions

    4.4 Assess Redundancies (Optional)

    4.5 Determine Dispositions for Redundant Applications (Optional)

    4.6 Prioritize Initiatives

    4.7 Determine Ongoing APM Cadence

    his phase involves the following participants:

    • Applications Lead
    • Delivery Leads

    Additional Resources

    Review your APM Snapshot

    The image contains a screenshot of examples of applications that support APM.

    4.1 Review your APM Snapshot results

    Estimated time: 1-2 hours

    1. The APM Snapshot provides a dashboard to support your APM program’s focus and as an input to demand planning. Unhide the “Group 3” worksheet if you completed the alignment matrix.
    2. For each grouping area, review the results to determine underperforming areas. Use this information to prioritize your application root cause analysis and demand planning. Use the key on the following slide to guide your analysis.
    3. Analysis guidance:
      1. Start with the quartile grouping to find areas scoring in Remediate or Critical Need and focus follow-up actions on these areas.
      2. Use the lens/category heat map to determine which lenses are underperforming. Use this to then look up the individual app scores supporting that group to identify application issues.
      3. Use the “Application Comparison” worksheet to select and compare applications for the group to make your review and comparison easier.
      4. Work with teams in the group to provide root cause analysis for low scores.
      5. Build a plan to address any apps not supported by IT.
    InputOutput
    • Application list
    • Application to Group mapping
    • Rationalization scores
    • Awareness of application support for each grouping

    Materials

    Participants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Interpreting your APM Snapshot

    The image contains a screenshot of the APM Snapshot with guides on how to interpret it.

    4.1 APM worksheet data journey map

    The image contains a screenshot of the AMP worksheet data journey map.

    Review your APM rationalization results

    The image contains a screenshot of examples of applications that support APM.

    4.2 Review your APM Foundations results

    Estimated time: 1-2 hours

    The APM Foundations Results dashboard (“App Rationalization Results” worksheet) provides a detailed summary of your relative app scoring to serve as input to demand planning.

    1. For each grouping, review the results to determine underperforming app support. Use this information to prioritize your application root cause analysis using the individual criteria scores on the “Rationalization Inputs” worksheet.
    2. Use guidance on the following example slides to understand each area of the results.
    3. Any applications marked as N/A for evaluation will display N/A on the results worksheet and will not be displayed in the chart. You can still enter dispositions.
    4. Use the column filters to compare a subset of applications or use the “App Comparison” worksheet to maintain an ongoing view by grouping, redundancy, or category.
    5. Any applications marked as N/A for evaluation will display N/A on the results worksheet and will not be displayed in the chart. You can still enter dispositions.
    InputOutput
    • Application list
    • Rationalization scores
    • Application awareness
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.2 APM worksheet data journey map

    The image contains a screenshot of the AMP worksheet data journey map.

    Interpreting your APM Foundations results

    The image contains a screenshot of the APM Foundations results.

    Interpreting your APM Foundations chart

    The image contains a screenshot of the APM Foundations chart.

    Modernize your applications

    The image contains a screenshot of examples of applications that support APM.

    Apply Info-Tech’s 6 R’s Rationalization Disposition Model

    The image contains a screenshot of Info-Tech's 6 R's Rationalization Disposition Model.

    Disposition

    Description

    Reward

    Prioritize new features or enhancement requests and openly welcome the expansion of these applications as new requests are presented.

    Refresh

    Address the poor end-user satisfaction with a prioritized project. Consult with users to determine if UX issues require improvement to address satisfaction.

    Refocus

    Determine the root cause of the low value. Refocus, retrain, or refresh the UX to improve value. If there is no value found, aim to "keep the lights on" until the app can be decommissioned.

    Replace

    Replace or rebuild the application as technical and user issues are putting important business capabilities at risk. Decommission application alongside replacement.

    Remediate

    Address the poor technical health or risk with a prioritized project. Further consult with development and technical teams to determine if migration or refactoring is suited to address the technical issue.

    Retire

    Cancel any requested features and enhancements. Schedule the proper decommission and transfer end users to a new or alternative system if necessary.

    TCO, compared relatively to business value, helps determine the practicality of a disposition and the urgency of any call to action. Application alignment is factored in when assessing redundancies and has a separate set of dispositions.

    4.3 Determine dispositions

    Estimated time: 1-4 hours

    1. The Recommended Disposition and Priority fields are prepopulated from your scoring thresholds and options on the “Disposition Options” worksheet. You can update any individual application disposition or priority using the drop-down menu and it will populate your selection on the “Roadmap” worksheet.
    2. Question if that disposition is appropriate. Be sure to consider:
      1. TCO – cost should come into play for any decisions.
      2. Alignment to strategic goals set for the overarching organizational, IT, technology (infrastructure), or application portfolio.
      3. Existing organizational priorities or funded initiatives impacting the app.
    3. Some dispositions may imply a call to action, new project, or initiative. Ideate and/or discuss with the team any potential initiatives. You can use different dispositions and priorities on the “App Rationalization Results” and “Roadmap” worksheets.
    4. Note: Modify the list of dispositions on the “Disposition Options” worksheet as appropriate for your rationalization initiative. Any modifications to the Disposition column will be automatically updated in the “App Rationalization Results” and “Roadmap” worksheets.
    InputOutput
    • Rationalization results
    • Assigned dispositions for applications
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.3 APM worksheet data journey map

    The image contains a screenshot of the worksheet data journey map.

    Redundancies require a different analysis and set of dispositions

    Solving application redundancy is a lot more complicated than simply keeping one application and eliminating the others.

    First, you need to understand the extent of the redundancy. The applications may support the same capability, but do they offer the same functions? Determine which apps offer which functions within a capability. This means you cannot accurately arrive at a disposition until you have evaluated all applications.

    Next, you need to isolate the preferred system. This is completed by comparing the same data points collected for rationalization and the application alignment analysis. Cost and coverage of all necessary functions become the more important factors in this decision-making process.

    Lastly, for the non-preferred redundant applications you need to determine: What will you do with the users? What will you do with the data? And what can you do with the functionality (can the actual coding be merged onto a common platform)?

    Disposition

    Description & Additional Analysis

    Call to Action (Priority)

    Keep & Absorb

    Higher value, health satisfaction, and cost than alternatives

    These are the preferred apps to be kept. However, additional efforts are still required to migrate new users and data and potentially configure the app to new processes.

    Application or Process Initiative

    (Moderate)

    Shift & Retire

    Lower value, health satisfaction, and cost than alternatives

    These apps will be decommissioned alongside efforts to migrate users and data to the preferred system.

    *Confirm there are no unique and necessary features.

    Process Initiative & Decommission

    (Moderate)

    Merge

    Lower value, health satisfaction, and cost than alternatives but still has some necessary unique features

    These apps will be merged with the preferred system onto a common platform.

    *Determine the unique and necessary features.

    *Determine if the multiple applications are compatible for consolidation.

    Application Initiative

    (Moderate)

    Compare groups of applications

    The image contains a screenshot of examples of applications that support APM.

    4.4 Assess redundancies (optional)

    Estimated rime: 1 hour per group

    This exercise is best performed after aligning business capabilities to applications across the portfolio and identifying your areas of redundancy. At this stage, this is still an information collection exercise, and it will not yield a consolidation-based disposition until applied to all relevant applications. Lastly, this exercise may still be at too high a level to outline the full details of redundancy, but it is still vital information to collect and a starting point to determine which areas require more concentrated analysis.

    1. Determine which areas of redundancy or comparisons are desired. Duplicate the “App Comparison” worksheet for each grouping or comparison.
    2. Extend the comparison to better identify redundancy.
      1. For each area of redundancy, identify the high-level features. Aim to limit the features to ten, grouping smaller features if necessary. SoftwareReviews can be a resource for identifying common features.
      2. Label features using the MoSCoW model: must have, should have, could have, will not have.
      3. For each application, identify which features they support. You can use the grouping alignment matrix as a template for feature alignment comparison. Duplicate the worksheet, unlock it, and replace the grouping cell references with your list of features.
    Input Output
    • Areas of redundancy
    • Familiarity with features for applications within this subset
    • Feature-level review of application redundancy
    Materials Participants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.4 Assess redundancies (optional)

    Account Management

    Call Management

    Order/Transaction Processing

    Contract Management

    Lead/Opportunity Management

    Forecasting/Planning

    Customer Surveying

    Email Synchronization

    M M M M S S C W

    CRM 1

    CRM 2

    CRM 3

    4.5 Determine dispositions for redundant applications (optional)

    Estimated time: 1 hour per group

    1. Based on the feature-level assessment, determine if you can omit applications if they don’t truly overlap with other applications.
    2. Make a copy of the “App Comparison” worksheet and select the applications you want to compare based on your functional analysis.
    3. Determine the preferred application(s). Use the diagram to inform your decision. This may be the application closest to the top right (strong health and value). However, less expensive options or any options that provide a more complete set of features may be preferable.
    4. Open the “App Rationalization Results” worksheet. Update your disposition for each application.
    5. Use these updated dispositions to determine a call to action, new project, or initiative. Ideate and/or discuss with the team any potential initiatives. Update your roadmap with these initiatives in the next step.
    InputOutput
    • Feature-level review of application redundancy
    • Redundancy comparison
    • Assigned dispositions for redundant applications
    MaterialsParticipants
    • APM Snapshot and Foundations Tool
    • Business Owners
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    Compare application groups

    Group comparison can be used for more than just redundant/overlapping applications.

    The image contains a screenshot of images that demonstrate comparing application groups.

    Roadmaps are used for different purposes

    Roadmaps are used for different communication purposes and at varying points in your application delivery practice. Some use a roadmap to showcase strategy and act as a feedback mechanism that allows stakeholders to validate any changes (process 1). Others may use it to illustrate and communicate approved and granular elements of a change to an application to inform appropriate stakeholders of what to anticipate (process 2).

    Select Dispositions & Identify New Initiatives

    Add to Roadmap

    Validate Direction

    Plan Project

    Execute Project

    Select Dispositions & Identify New Initiatives

    • Project Proposal
    • Feasibility/ Estimation
    • Impact Assessment
    • Business Case
    • Initial Design

    Approve Project

    Add to Roadmap

    Execute Project

    The steps between selecting a disposition and executing on any resulting project will vary based on the organization’s project intake standards (or lack thereof).

    This blueprint focuses on building a strategic portfolio roadmap prior to any in-depth assessments related to initiative/project intake, approval, and prioritization. For in-depth support related to intake, approval, prioritization, or planning, review the following resources.

    The image contains a screenshot of the Deliver on your Digital Product Vision blueprint. The image contains a screenshot of the Deliver Digital Products at Scale blueprint.

    Determine what makes it onto the roadmap

    A roadmap should not be limited to what is approved or committed to. A roadmap should be used to present the items that need to happen and begin the discussion of how or if this can be put into place. However, not every idea should make the cut and end up in front of key stakeholders.

    The image contains a screenshot of steps to be taken to determine what makes it onto the roadmap.

    4.6 Prioritize initiatives

    Estimated time: 1-4 hours

    1. This is a high-level assessment to provide a sense of feasibility, practicality, and priority as well as an estimated timeline of a given initiative. Do not get lost in granular estimations. Use this as an input to your demand planning process.
    2. Enter the specific name or type of initiative.
      1. Process Initiative: Any project or effort focused on process improvements without technical modification to an app (e.g. user migration, change in SLA, new training program). Write the application and initiative name on a blue sticky note.
      2. App Initiative: Any project or effort involving technical modification to an app (e.g. refactoring, platform migration, feature addition or upgrade). Write the application and initiative name on a yellow sticky note.
      3. Decommission Initiative: Any project and related efforts to remove an app (e.g. migrating data, removal from server). Write the application and initiative name on a red sticky note.
    3. Prioritize the initiative to aid in demand planning. This is prepopulated from your selected application disposition, but you can set a different priority for the initiative here.
    4. Select the Initiative Phase in the timeline to show the intended schedule and sequencing of the initiative.
    Input Output
    • Assigned dispositions
    • Rationalization results
    • Prioritized initiatives
    Materials Participants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Delivery Leads
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.6 APM worksheet data journey map

    The image contains a screenshot of the worksheet data journey map.

    Populate roadmap example

    The image contains an example of the populate roadmap.

    Create a recurring update plan

    • Application inventories become stale before you know it. Build steps in your procurement process to capture the appropriate information on new applications. Also, build in checkpoints to revisit your inventory regularly to assess the accuracy of inventory data.
    • Rationalization is not one and done; it must occur with an appropriate cadence.
      • Business priorities change, which will impact the current and future value of your apps.
      • Now more than ever, user expectations evolve rapidly.
      • Application sprawl likely won’t stop, so neither will shadow IT and redundancies.
      • Obsolescence, growing technical debt, changing security threats, or shifting technology strategies are all inevitable, as is the gradual decline of an app’s health or technical fit.
    • An application’s disposition changes quicker than you think, and rationalization requires a structured cadence. You need to plan to minimize the need for repeated efforts. Conversely, many use preceding iterations to increase the analysis (e.g. more thorough TCO projections or more granular capability-application alignment).
    • Portfolio roadmaps require a cadence for both updates and presentations to stakeholders. Updates are often completed semiannually or quarterly to gauge the business adjustments that affect the timeline of the domain-specific applications. The presentation of a roadmap should be completed alongside meetings or gatherings of key decision makers.
    • M&A or other restructuring events will prompt the need to address all the above.

    The image contains a screenshot of chart to help determine frequency of updating your roadmap.

    Build your APM maturity by taking the right steps at the right time

    The image contains a diagram to demonstrate the steps taken to build APM maturity.

    Info-Tech’s Build an Application Rationalization Framework provides additional TCO and value tools to help build out your portfolio strategy.

    APM is an iterative and evergreen process

    APM provides oversight and awareness of your application portfolio’s performance and support for your business operations and value delivery to all users and customers.

    Determine scope and categories Build your list of applications and capabilities Score each application based on your values Determine outcomes based on app scoring and support for capabilities

    1. Lay Your Foundations

    • 1.1 Assess the state of your current application portfolio
    • 1.2 Determine narrative
    • 1.3 Define goals and metrics
    • 1.4 Define application categories
    • 1.5 Determine APM steps and roles (SIPOC)

    2. Improve Your Inventory

    • 2.1 Populate your inventory
    • 2.2 Align to business capabilities

    3. Rationalize Your Apps

    • 3.1 Assess business value
    • 3.2 Assess technical health
    • 3.3 Assess end-user perspective
    • 3.4 Assess total cost of ownership

    4. Populate Your Roadmap

    • 4.1 Review APM Snapshot results
    • 4.2 Review APM Foundations results
    • 4.3 Determine dispositions
    • 4.4 Assess redundancies (Optional)
    • 4.5 Determine dispositions for redundant applications (Optional)
    • 4.6 Prioritize initiatives
    • 4.7 Ongoing APM cadence

    Repeat according to APM cadence and application changes

    4.7 Ongoing APM cadence

    Estimated time: 1-2 hours

    1. Determine how frequently you will update or present the artifacts of your APM practice: Application Inventory, Rationalization, Disposition, and Roadmap.
    2. For each artifact, determine the:
      1. Owner: Who is accountable for the artifact and the data or information within the artifact and will be responsible for or delegate the responsibility of updating or presenting the artifact to the appropriate audience?
      2. Update Cadence: How frequently will you update the artifact? Include what regularly scheduled meetings this activity will be within.
      3. Update Scope: Describe what activities will be performed to keep the artifact up to date. The goal here is to minimize the need for a full set of activities laid out within the blueprint. Optional: How will you expand the thoroughness of your analysis?
      4. Audience: Who is the audience for the artifact or assessment results?
      5. Presentation Cadence: How frequently and when will you review the artifact with the audience?
    InputOutput
    • Initial experience with APM
    • Strategic meetings schedule
    • Ongoing cadence for APM activities
    MaterialsParticipants
    • Whiteboard and markers
    • APM Snapshot and Foundations Tool
    • Applications Lead
    • Any Applications Team Members

    Record the results in the APM Snapshot and Foundations Tool

    4.7 Ongoing APM cadence

    Artifact

    Owner

    Update Cadence

    Update Scope

    Audience

    Presentation Cadence

    Inventory

    Greg Dawson

    • As new applications are acquired
    • Annual review
    • Add new application data points (this is added to implementation standards)
    • Review inventory and perform a data health check
    • Validate with app’s SME
    • Whole organization
    • Always available on team site

    Rationalization Tool

    Judy Ng

    • Annual update
    • Revisit value driver weights
    • Survey end users
    • Interview support owners
    • Interview business owners
    • Update TCO based on change in operational costs; expand thoroughness of cost estimates
    • Rescore applications
    • Business owners of applications
    • IT leaders
    • Annually alongside yearly strategy meeting

    Portfolio Roadmap

    Judy Ng

    • Monthly update alongside project updates
    • Shift the timeline of the roadmap to current day 1
    • Carry over project updates and timeline changes
    • Validate with PMs and business owners
    • Steering Committee
    • Business owners of applications
    • IT leaders
    • Quarterly alongside Steering Committee meetings
    • Upon request

    Appendices

    • Additional support slides
    • Bibliography

    The APM tool provides a single source of truth and global data sharing

    The table shows where source data is used to support different aspects of APM discovery, rationalization, and modernization.

    Worksheet Data Mapping

    Application and Capability List

    Group Alignment Matrix (1-3)

    Rationalization Inputs

    Group 1-3 Results

    Application Inventory Details

    App Rationalization Results

    Roadmap

    App Redundancy Comparison

    Application and Capability List

    App list, Groupings

    App list

    App list, Groupings

    App list, Categories

    App list, Categories

    App list

    App list

    Groups 1-3 Alignment Matrix

    App to Group Tracing

    Application Categories

    Category
    drop-down

    Category

    Category

    Rationalization Inputs

    Lens Scores (weighted input to Group score)

    Lens Scores (weighted input)

    Disposition Options

    Disposition list, Priorities list, Recommended Disposition and Priority

    Lens Scores (weighted input)

    App Rationalization Results

    Disposition

    Common application inventory attributes

    Attribute Description Common Collection Method
    Name Organization’s terminology used for the application. Auto-discovery tools will provide names for the applications they reveal. However, this may not be the organizational nomenclature. You may adapt the names by leveraging pre-existing documentation and internal knowledge or by consulting business users.
    ID Unique identifiers assigned to the application (e.g. app number). Typically an identification system developed by the application portfolio manager.
    Description A brief description of the application, often referencing core capabilities. Typically completed by leveraging pre-existing documentation and internal knowledge or by consulting business users.
    Business Units A list of all business units, departments, or user groups. Consultation, surveys, or interviews with business unit representatives. However, this doesn’t always expose hidden applications. Application-capability mapping is the most effective way to determine all the business units/user groups of an app.
    Business Capabilities A list of business capabilities the application is intended to enable. Application capability mapping completed via interviews with business unit representatives.
    Criticality A high-level grading of the importance of the application to the business, typically used for support prioritization purposes (i.e. critical, high, medium, low). Typically the criticality rating is determined by a committee representing IT and business leaders.
    Ownership The individual accountable for various aspect of the application (e.g. product owner, product manager, application support, data owner); typically includes contact information and alternatives. If application ownership is an established accountability in your organization, typically consulting appropriate business stakeholders will reveal this information. Otherwise, application capability mapping can be an effective means of identifying who that owner should be.
    Application SMEs Any relevant subject matter experts who can speak to various aspects of the application (e.g. business process owners, development managers, data architects, data stewards, application architects, enterprise architects). Technical SMEs should be known within an IT department, but shadow IT apps may require interviews with the business unit. Application capability mapping will determine the identity of those key users/business process SMEs.
    Type An indication of whether the application was developed in-house, commercial off-the-shelf, or a hybrid option. Consultation, surveys, or interviews with product owners or development managers.
    Active Status An indication of whether the application is currently active, out of commission, in repair, etc. Consultation, surveys, or interviews with product owners or operation managers.

    Common application inventory attributes

    Attribute Description Common Collection Method
    Vendor Information Identification of the vendor from whom the software was procured. May include additional items such as the vendor’s contact information. Consultation with business SMEs, end users, or procurement teams, or review of vendor contracts or license agreements.
    Links to Other Documentation Pertinent information regarding the other relevant documentation of the application (e.g. SLA, vendor contracts, data use policies, disaster recovery plan). Typically includes links to documents. Consultation with product owners, service providers, or SMEs, or review of vendor contracts or license agreements.
    Number of Users The current number of users for the application. This can be based on license information but will often require some estimation. Can include additional items of quantities at different levels of access (e.g. admin, key users, power users). Consultation, surveys, or interviews with product owners or appropriate business SMEs or review of vendor contracts or license agreements. Auto-discovery tools can reveal this information.
    Software Dependencies List of other applications or operating components required to run the application. Consultation with application architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping.
    Hardware Dependencies Identification of any hardware or infrastructure components required to run the application (i.e. databases, platform). Consultation with infrastructure or enterprise architects and any architectural tools or documentation. This information can begin to reveal itself through application capability mapping.
    Development Language Coding language used for the application. Consultation, surveys, or interviews with development managers or appropriate technical SMEs.
    Platform A framework of services that application programs rely on for standard operations. Consultation, surveys, or interviews with infrastructure or development managers.
    Lifecycle Stage Where an application is within the birth, growth, mature, end-of-life lifecycle. Consultation with business owners and technical SMEs.
    Scheduled Updates Any major or minor updates related to the application, including the release date. Consultation with business owners and vendor managers.
    Planned or In-Flight Projects Any projects related to the application, including estimated project timeline. Consultation with business owners and project managers.

    Bibliography

    ”2019 Technology & Small Business Survey.” National Small Business Association (NSBA), n.d. Accessed 1 April 2020.
    “Application Rationalization – Essential Part of the Process for Modernization and Operational Efficiency.” Flexera, 2015. Web.
    “Applications Rationalization during M&A: Standardize, Streamline, Simplify.” Deloitte Consulting, 2016. Web.
    Bowling, Alan. “Clearer Visibility of Product Roadmaps Improves IT Planning.” ComputerWeekly.com, 1 Nov. 2010. Web.
    Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando, 13 July 2014. Scrum Inc. 2014. Web.
    Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.
    “Business Application Definition.” Microsoft Docs, 18 July 2012. Web.
    “Connecting Small Businesses in the US.” Deloitte Consulting, 2017. Accessed 1 April. 2020.
    Craveiro, João. “Marty meets Martin: connecting the two triads of Product Management.” Product Coalition, 18 Nov. 2017. Web.
    Curtis, Bill. “The Business Value of Application Internal Quality.” CAST, 6 April 2009. Web.
    Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM, April 2008. Web.
    Fowler, Martin. “Application Boundary.” MartinFowler.com, 11 Sept. 2003. Web.
    Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group, 2007. Web.
    “How Application Rationalization Contributes to the Bottom Line.” LeanIX, 2017. Web.
    Jayanthi, Aruna. “Application Landscape Report 2014.” Capgemini, 4 March 2014. Web.
    Lankhorst, Marc., et al. “Architecture-Based IT Valuation.” Via Nova Architectura, 31 March 2010. Web.
    “Management of business application.” ServiceNow, Jan.2020. Accessed 1 April 2020.
    Mauboussin, Michael J. “The True Measures of Success.” HBR, Oct. 2012. Web.
    Neogi, Sombit., et al. “Next Generation Application Portfolio Rationalization.” TATA, 2011. Web.
    Riverbed. “Measuring the Business Impact of IT Through Application Performance.” CIO Summits, 2015. Web.
    Rouse, Margaret. “Application Rationalization.” TechTarget, March 2016. Web.
    Van Ramshorst, E.A. “Application Portfolio Management from an Enterprise Architecture Perspective.” Universiteit Utrecht, July 2013.
    “What is a Balanced Scorecard?” Intrafocus, n.d. Web.
    Whitney, Lance. “SMBs share their biggest constraints and great challenges.” Tech Republic, 6 May 2019. Web.

    Make IT a Successful Partner in M&A Integration

    • Buy Link or Shortcode: {j2store}79|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Many organizations forget the essential role IT plays during M&A integration. IT is often unaware of a merger or acquisition until the deal is announced, making it very difficult to adequately interpret business goals and appropriately assess the target organization.
    • IT-related integration activities are amongst the largest cost items in an M&A, yet these costs are often overlooked or underestimated during due diligence.
    • IT is expected to use the M&A team’s IT due diligence report and estimated IT integration budget, which may not have been generated appropriately.
    • IT involvement in integration is critical to providing a better view of risks, improving the ease of integration, and optimizing synergies.

    Our Advice

    Critical Insight

    • Anticipate that you are going to be under pressure. Fulfill short-term, tactical operational imperatives while simultaneously conducting discovery and designing the technology end-state.
    • To migrate risks and guide discovery, select a high-level IT integration posture that aligns with business objectives.

    Impact and Result

    • Once a deal has been announced, use this blueprint to set out immediately to understand business M&A goals and expected synergies.
    • Assemble an IT Integration Program to conduct discovery and begin designing the technology end-state, while simultaneously identifying and delivering operational imperatives and quick-wins as soon as possible.
    • Following discovery, use this blueprint to build initiatives and put together an IT integration budget. The IT Integration Program has an obligation to explain the IT cost implications of the M&A to the business.
    • Once you have a clear understanding of the cost of your IT integration, use this blueprint to build a long-term action plan to achieve the planned technology end-state that best supports the business capabilities of the organization.

    Make IT a Successful Partner in M&A Integration Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should follow Info-Tech’s M&A IT integration methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Define the business’s M&A goals, assemble an IT Integration Program, and select an IT integration posture that aligns with business M&A strategy.

    • Make IT a Successful Partner in M&A Integration – Phase 1: Launch the Project
    • IT Integration Charter

    2. Conduct discovery and design the technology end-state

    Refine the current state of each IT domain in both organizations, and then design the end-state of each domain.

    • Make IT a Successful Partner in M&A Integration – Phase 2: Conduct Discovery and Design the Technology End-State
    • IT Integration Roadmap Tool

    3. Initiate operational imperatives and quick-wins

    Generate tactical operational imperatives and quick-wins, and then develop an interim action plan to maintain business function and capture synergies.

    • Make IT a Successful Partner in M&A Integration – Phase 3: Initiate Operational Imperatives and Quick-Wins

    4. Develop an integration roadmap

    Generate initiatives and put together a long-term action plan to achieve the planned technology end-state.

    • Make IT a Successful Partner in M&A Integration – Phase 4: Develop an Integration Roadmap
    [infographic]

    Workshop: Make IT a Successful Partner in M&A Integration

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the Project

    The Purpose

    Identification of staffing and skill set needed to manage the IT integration.

    Generation of an integration communication plan to highlight communication schedule during major integration events.

    Identification of business goals and objectives to select an IT Integration Posture that aligns with business strategy.

    Key Benefits Achieved

    Defined IT integration roles & responsibilities.

    Structured communication plan for key IT integration milestones.

    Creation of the IT Integration Program.

    Generation of an IT Integration Posture.

    Activities

    1.1 Define IT Integration Program responsibilities.

    1.2 Build an integration communication plan.

    1.3 Host interviews with senior management.

    1.4 Select a technology end-state and IT integration posture.

    Outputs

    Define IT Integration Program responsibilities and goals

    Structured communication plan

    Customized interview guide for each major stakeholder

    Selected technology end-state and IT integration posture

    2 Conduct Discovery and Design the Technology End-State

    The Purpose

    Identification of information sources to begin conducting discovery.

    Definition of scope of information that must be collected about target organization.

    Definition of scope of information that must be collected about your own organization.

    Refinement of the technology end-state for each IT domain of the new entity. 

    Key Benefits Achieved

    A collection of necessary information to design the technology end-state of each IT domain.

    Adequate information to make accurate cost estimates.

    A designed end-state for each IT domain.

    A collection of necessary, available information to make accurate cost estimates. 

    Activities

    2.1 Define discovery scope.

    2.2 Review the data room and conduct onsite discovery.

    2.3 Design the technology end-state for each IT domain.

    2.4 Select the integration strategy for each IT domain.

    Outputs

    Tone set for discovery

    Key information collected for each IT domain

    Refined end-state for each IT domain

    Refined integration strategy for each IT domain

    3 Initiate Tactical Initiatives and Develop an Integration Roadmap

    The Purpose

    Generation of tactical initiatives that are operationally imperative and will help build business credibility.

    Prioritization and execution of tactical initiatives.

    Confirmation of integration strategy for each IT domain and generation of initiatives to achieve technology end-states.

    Prioritization and execution of integration roadmap.

    Key Benefits Achieved

    Tactical initiatives generated and executed.

    Confirmed integration posture for each IT domain.

    Initiatives generated and executed upon to achieve the technology end-state of each IT domain. 

    Activities

    3.1 Build quick-win and operational imperatives.

    3.2 Build a tactical action plan and execute.

    3.3 Build initiatives to close gaps and redundancies.

    3.4 Finalize your roadmap and kick-start integration.

    Outputs

    Tactical roadmap to fulfill short-term M&A objectives and synergies

    Confirmed IT integration strategies

    Finalized integration roadmap

    Implement Risk-Based Vulnerability Management

    • Buy Link or Shortcode: {j2store}296|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $122,947 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
    • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

    Our Advice

    Critical Insight

    • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
    • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
    • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

    Impact and Result

    • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
    • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
    • The risk-based approach will allow you prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
    • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
    • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    Implement Risk-Based Vulnerability Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

    • Vulnerability Management SOP Template

    2. Triage vulnerabilities and assign priorities

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

    • Vulnerability Tracking Tool
    • Vulnerability Management Risk Assessment Tool
    • Vulnerability Management Workflow (Visio)
    • Vulnerability Management Workflow (PDF)

    3. Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    4. Measure and formalize

    Evolve the program continually by developing metrics and formalizing a policy.

    • Vulnerability Management Policy Template
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template

    Infographic

    Workshop: Implement Risk-Based Vulnerability Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Vulnerability Sources

    The Purpose

    Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

    Key Benefits Achieved

    Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

    Activities

    1.1 Define the scope & boundary of your organization’s security program.

    1.2 Assign responsibility for vulnerability identification and remediation.

    1.3 Develop a monitoring and review process of third-party vulnerability sources.

    1.4 Review incident management and vulnerability management

    Outputs

    Defined scope and boundaries of the IT security program

    Roles and responsibilities defined for member groups

    Process for review of third-party vulnerability sources

    Alignment of vulnerability management program with existing incident management processes

    2 Triage and Prioritize

    The Purpose

    We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.

    Key Benefits Achieved

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Activities

    2.1 Evaluate your identified vulnerabilities.

    2.2 Determine high-level business criticality.

    2.3 Determine your high-level data classifications.

    2.4 Document your defense-in-depth controls.

    2.5 Build a classification scheme to consistently assess impact.

    2.6 Build a classification scheme to consistently assess likelihood.

    Outputs

    Adjusted workflow to reflect your current processes

    List of business operations and their criticality and impact to the business

    Adjusted workflow to reflect your current processes

    List of defense-in-depth controls

    Vulnerability Management Risk Assessment tool formatted to your organization

    Vulnerability Management Risk Assessment tool formatted to your organization

    3 Remediate Vulnerabilities

    The Purpose

    Identifying potential remediation options.

    Developing criteria for each option in regard to when to use and when to avoid.

    Establishing exception procedure for testing and remediation.

    Documenting the implementation of remediation and verification.

    Key Benefits Achieved

    Identifying and selecting the remediation option to be used

    Determining what to do when a patch or update is not available

    Scheduling and executing the remediation activity

    Planning continuous improvement

    Activities

    3.1 Develop risk and remediation action.

    Outputs

    List of remediation options sorted into “when to use” and “when to avoid” lists

    4 Measure and Formalize

    The Purpose

    You will determine what ought to be measured to track the success of your vulnerability management program.

    If you lack a scanning tool this phase will help you determine tool selection.

    Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    Key Benefits Achieved

    Outline of metrics that you can then configure your vulnerability scanning tool to report on.

    Development of an inaugural policy covering vulnerability management.

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Activities

    4.1 Measure your program with metrics, KPIs, and CSFs.

    4.2 Update the vulnerability management policy.

    4.3 Create an RFP for vulnerability scanning tools.

    4.4 Create an RFP for penetration tests.

    Outputs

    List of relevant metrics to track, and the KPIs, CSFs, and business goals for.

    Completed Vulnerability Management Policy

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Further reading

    Implement Risk-Based Vulnerability Management

    Get off the patching merry-go-round and start mitigating risk!

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    6 Common Obstacles

    8 Risk-based approach to vulnerability management

    16 Step 1.1: Vulnerability management defined

    24 Step 1.2: Defining scope and roles

    34 Step 1.3: Cloud considerations for vulnerability management

    33 Step 1.4: Vulnerability detection

    46 Step 2.1: Triage vulnerabilities

    51 Step 2.2: Determine high-level business criticality

    56 Step 2.3: Consider current security posture

    61 Step 2.4: Risk assessment of vulnerabilities

    71 Step 3.1: Assessing remediation options

    Table of Contents

    80 Step 3.2: Scheduling and executing remediation

    85 Step 3.3: Continuous improvement

    89 Step 4.1: Metrics, KPIs, and CSFs

    94 Step 4.2: Vulnerability management policy

    97 Step 4.3: Select & implement a scanning tool

    107 Step 4.4: Penetration testing

    118 Summary of accomplishment

    119 Additional Support

    120 Bibliography

    Analyst Perspective

    Vulnerabilities will always be present. Know the unknowns!

    In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

    The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

    A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

    Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

    Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group.Jimmy Tom
    Research Advisor – Security, Privacy, Risk, and Compliance
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

    Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

    Common Obstacles

    Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

    Some systems deemed vulnerable simply cannot be patched or easily replaced.

    Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

    Info-Tech’s Approach

    Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

    Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

    Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

    Info-Tech Insight

    Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

    Common obstacles

    These barriers make vulnerability management difficult to address for many organizations:
    • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
    • Many organizations feel that a “patch everything” approach is the most effective path.
    • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
    • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
    CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
    (Source: NIST National Vulnerability Database Dashboard)

    Leverage risk to sort, triage, and prioritize vulnerabilities

    Reduce your risk surface to avoid cost to your business; everything else is table stakes.

    Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

    Identify vulnerability sources

    An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

    Triage and prioritize

    Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

    Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

    Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    Measure and formalize

    Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

    Tactical Insight 1

    All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

    Tactical Insight 2

    Reduce the risk surface down below the risk threshold.

    The industry has shifted to a risk-based approach

    Traditional vulnerability management is no longer viable.

    “For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

    “Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

    “Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

    “A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

    Why a take risk-based approach?

    Vulnerabilities, by the numbers

    60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

    74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

    Info-Tech Insight

    Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

    The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

    Vulnerability Management

    A risk-based approach

    Reduce the risk surface to avoid cost to your business, everything else is table stakes

    Logo for Info-Tech.
    Logo for #iTRG.

    1

    Identify

    4

    Address

    Mitigate the risk surface by reducing the time across the phases ›Mitigate the risk by implementing:
    • patch systems & apps
    • compensating controls
    • systems and apps hardening
    • systems segregation
    Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

    Objective: reduce risk surface by reducing time to address

    Your organization's risk tolerance threshold

    Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)Vulnerability information feeds:
    • scanning tool
    • external threat intel
    • internal threat intel

    2

    Analyze

    Assign actual risk (impact x urgency) to the organization based on current security posture

    Triage based on risk ›

    Your organization's risk tolerance threshold

    Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

    3

    Assess

    Plan risk mitigation strategy ›Consider:
    • risk tolerance
    • compensating controls
    • business impact

    Info-Tech’s vulnerability management methodology

    Focus on developing the most efficient processes.

    Vulnerability management isn’t “old school.”

    The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

    Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

    Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

    Equation to find 'Vulnerability Priority'.

    When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

    Info-Tech Insight

    Vulnerability management is not only patch management. Patching is only one aspect.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Vulnerability Management SOP

    The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

    Sample of the key deliverable, Vulnerability Management SOP.
    Vulnerability Management Policy

    Template for your vulnerability management policy.

    Sample of the Vulnerability Management Policy blueprint.Vulnerability Tracking Tool

    This tool offers a template to track vulnerabilities and how they are remedied.

    Sample of the Vulnerability Tracking Tool blueprint.
    Vulnerability Scanning RFP Template

    Request for proposal template for the selection of a vulnerability scanning tool.

    Sample of the Vulnerability Scanning RFP Template blueprint.Vulnerability Risk Assessment Tool

    Methodology to assess vulnerability risk by determining impact and likelihood.

    Sample of the Vulnerability Risk Assessment Tool blueprint.

    Blueprint benefits

    IT Benefits

    • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
    • A risk-based approach that aligns with what’s important to the business.
    • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
    • Identification of “where to start” in terms of vulnerability management.
    • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
    • Knowledge of what to do when patching is simply not possible or feasible.

    Business Benefits

    • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
    • A consistent program that the business can plan around and predict when interruptions will occur.
    • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

    Info-Tech’s process can save significant financial resources

    PhaseMeasured Value
    Phase 1: Identify vulnerability sources
      Define the process, scope, roles, vulnerability sources, and current state
      • Consultant at $100 an hour for 16 hours = $1,600
    Phase 2: Triage vulnerabilities and assign urgencies
      Establish triaging and vulnerability evaluation process
      • Consultant at $100 an hour for 16 hours = $1,600
      Determine high-level business criticality and data classifications
      • Consultant at $100 an hour for 40 hours = $4,000
      Assign urgencies to vulnerabilities
      • Consultant at $100 an hour for 8 hours = $800
    Phase 3: Remediate vulnerabilities
      Prepare documentation for the vulnerability process
      • Consultant at $100 an hour for 8 hours = $800
      Establish defense-in-depth modelling
      • Consultant at $100 an hour for 24 hours = $2,400
      Identify remediation options and establish criteria for use
      • Consultant at $100 an hour for 40 hours = $4,000
      Formalize backup and testing procedures, including exceptions
      • Consultant at $100 an hour for 8 hours = $800
      Remediate vulnerabilities and verify
      • Consultant at $100 an hour for 24 hours = $2,400
    Phase 4: Continually improve the vulnerability management process
      Establish a metrics program for vulnerability management
      • Consultant at $100 an hour for 16 hours = $1,600
      Update vulnerability management policy
      • Consultant at $100 an hour for 8 hours = $800
      Develop a vulnerability scanning tool RFP
      • Consultant at $100 an hour for 40 hours = $4,000
      Develop a penetration test RFP
      • Consultant at $100 an hour for 40 hours = $4,000
    Potential financial savings from using Info-Tech resourcesPhase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Discuss current state and vulnerability sources.

    Call #3: Identify triage methods and business criticality.

    Call #4:Review current defense-in-depth and discuss risk assessment.

    Call #5: Discuss remediation options and scheduling.

    Call #6: Review release and change management and continuous improvement.

    Call #7: Identify metrics, KPIs, and CSFs.

    Call #8: Review vulnerability management policy.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1Day 2Day 3Day 4Day 5
    Activities
    Identify vulnerability sources

    1.1 What is vulnerability management?

    1.2 Define scope and roles

    1.3 Cloud considerations for vulnerability management

    1.4 Vulnerability detection

    Triage and prioritize

    2.1 Triage vulnerabilities

    2.2 Determine high-level business criticality

    2.3 Consider current security posture

    2.4 Risk assessment of vulnerabilities

    Remediate vulnerabilities

    3.1 Assess remediation options

    3.2 Schedule and execute remediation

    3.3 Drive continuous improvement

    Measure and formalize

    4.1 Metrics, KPIs & CSFs

    4.2 Vulnerability Management Policy

    4.3 Select & implement a scanning tool

    4.4 Penetration testing

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. Scope and boundary definition of vulnerability management program
    2. Responsibility assignment for vulnerability identification and remediation
    3. Monitoring and review process of third-party vulnerability sources
    4. Incident management and vulnerability convergence
    1. Methodology for evaluating identified vulnerabilities
    2. Identification of high-level business criticality
    3. Defined high-level data classifications
    4. Documented defense-in-depth controls
    5. Risk assessment criteria for impact and likelihood
    1. Documented risk assessment methodology and remediation options
    1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
    2. Initial draft of vulnerability management policy
    3. Scanning tool selection criteria
    4. Introduction to penetration testing
    1. Completed vulnerability management standard operating procedure
    2. Defined vulnerability management risk assessment criteria
    3. Vulnerability management policy draft

    Implement Risk-Based Vulnerability Management

    Phase 1

    Identify Vulnerability Sources

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

    This phase involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Step 1.1

    Vulnerability Management Defined

    Activities

    None for this section

    This step will walk you through the following activities:

    Establish a common understanding of vulnerability management and its place in the IT organization.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Foundational knowledge of vulnerability management in your organization.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    What is vulnerability management?

    It’s more than just patching.

    • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
    • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
    • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

    “Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

    Effective vulnerability management

    It’s not easy, but it’s much harder without a process in place.
    • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
    • Patching isn’t the only solution, but it’s the one that often draws focus.
    • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
    • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
    • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
    • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

    You’re not just doing this for yourself. It’s also for your auditors.

    Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

    Vulnerability management revolves around your asset security services

    Diagram with 'Asset Security Services' at the center. On either side are 'Network Security Services' and 'Identity Security Services', all three of which flow up into 'Security Analytics | Security Incident Response', and all four share a symbiotic flow with 'Management' below and contribute to 'Mega Trend Mapping' above. Management is supported by 'Governance'.Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.

    Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

    Vulnerability management works in tandem with SecOps and ITOps

    Vulnerability Management Process Inputs/Outputs:
    'Vulnerability Management (Process and Tool)' outputs are 'Incident Management', 'Release Management', 'Change Management', 'IT Asset Management', 'Application Security Testing', 'Threat Intelligence', and 'Security Risk Management'; inputs are 'Vulnerability Disclosure', 'Threat Intelligence', and 'Security Risk Management'.

    Arrows denote direction of information feed

    Vulnerability management serves as the input into a number of processes for remediation, including:
    • Incident management, to deal with issues
    • Release management, for patch management
    • Change management, for change control
    • IT asset management, to track version information, e.g. for patching
    • Application security testing, for the verification of vulnerabilities

    A two-way data flow exists between vulnerability management and:

    • Security risk management, for the overall risk posture of the organization
    • Threat intelligence, as vulnerability management reveals only one of several threat vectors

    For additional information please refer to Info-Tech’s research for each area:

    • Vulnerability management can leverage your existing processes to gain an operational element for the program.
    • As you strive to mature each of the processes on their own, vulnerability management will benefit accordingly.
    • Review our research for each of these areas and speak to one of our analysts if you wish to improve any of the listed processes.

    Info-Tech’s Information Security Program Framework

    Vulnerability management is a component of the Infrastructure Security section of Security Management

    Information Security Framework with Level 1 and Level 2 capabilities in two main sections, 'Management' and 'Governance'. Level 2 capabilities are grouped within Level 1 capabilities.For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.

    Info-Tech Insight

    Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

    Case Study

    Logo for Cimpress.
    INDUSTRY: Manufacturing
    SOURCE: Cimpress, 2016

    One organization is seeing immediate benefits by formalizing its vulnerability management program.

    Challenge

    Cimpress was dealing with many challenges in regards to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.

    Solution

    The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.

    Results

    Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.

    Step 1.2

    Defining the scope and roles

    Activities
    • 1.2.1 Define the scope and boundary of your organization’s security program
    • 1.2.2 Assign responsibility for vulnerability identification and remediation

    This step will walk you through the following activities:

    Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Determine the scope of your security program

    This will help you adjust the depth and breadth of your vulnerability management program.
    • Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee.
    • Scope can be defined along four aspects:
      • Data Scope – What data elements in your organization does your security program cover? How is data classified?
      • Physical Scope – What physical scope, such as geographies, does the security program cover?
      • Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations?
      • IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?
    Stock image of figures standing in connected circles.

    1.2.1 Define the scope and boundary of your organization’s security program

    60 minutes

    Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

    Output: Defined scope and boundaries of the IT security program

    Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

    Participants: Business stakeholders, IT leaders, Security team members

    1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
    2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
    3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

    The goal is to identify what your vulnerability management program is responsible for and document it.

    Consider the following:

    How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

    Download the Vulnerability Management SOP Template

    Assets are part of the scope definition

    An inventory of IT assets is necessary if there is to be effective vulnerability management.

    • Organizations need an up-to-date and comprehensive asset inventory for vulnerability management. This is due to multiple reasons:
      • When vulnerabilities are announced, they will need to be compared to an inventory to determine if the organization has any relevant systems or versions.
      • It indicates where all IT assets can be found both physically and logically.
      • Asset inventories typically have owners assigned to the assets and systems whose responsibility it is to carry out remediations for vulnerabilities.
    • Furthermore, asset inventories can provide insight into where data can be found within the organization. This is extremely useful within a formal data classification program, which plays a large factor in vulnerability management.
    If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.

    Info-Tech Insight

    Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.

    Assign responsibility for vulnerability identification and remediation

    Determine who is critical to effectively detecting and managing vulnerabilities.
    • Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability.
    • Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems.
      • Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion?
    • The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.
    Stock image of many connected profile photos in a cloud network.

    1.2.2 Assign responsibility for vulnerability identification and remediation

    60 minutes

    Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

    Output: Defined set of roles and responsibilities for member groups

    Materials: Vulnerability Management SOP Template

    Participants: CIO, CISO, IT Management representatives for each area of IT

    1. Display the table of responsibilities that need to be assigned.
    2. List all the positions within the IT security team.
    3. Map these to the positions that require IT security team members.
    4. List all positions that are part of the IT team.
    5. Map these to the positions that require IT team members.

    If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

    Download the Vulnerability Management SOP TemplateSample of the Roles and Responsibilities table from the Vulnerability Management SOP Template.

    Step 1.3

    Cloud considerations for vulnerability management

    Activities

    None for this section.

    This step will walk you through the following activities:

    Review cloud considerations for vulnerability management

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Cloud considerations

    Cloud will change your approach to vulnerability management.
    • There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed.
    • Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations.
    • With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased.
    • Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments.
    • In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.
    Table outlining who has control, between the 'Organization' and the 'Vendor', of different cloud capabilities in different cloud strategies.

    For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

    Cloud environment scanning

    Cloud scanning is becoming a more common necessity but still requires special consideration.

    An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

    Private Cloud
    If your organization owns a private cloud, these environments can be tested normally.
    Public Cloud
    Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.

    In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner.

    Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.

    Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
    • There is a general trend for PaaS and IaaS vendors to allow testing if given due notice.
    • Your contract with the cloud vendor or the vendor’s terms and conditions will outline the permissibility of customer vulnerability scanning. In some cases, a cloud vendor will deny the ability to do vulnerability scanning if they already provide a solution as part of their service.
    • Always ensure that the vendor is aware of your vulnerability scanning activity so that false positives aren’t triggering their security measures as possible denial-of-service (DoS) attacks.
    Software-as-a-Service (SaaS) Environments
    • SaaS offers very limited visibility to the services behind the software that the customer sees. You therefore cannot test for patch levels or vulnerabilities.
    • SaaS customers must rely exclusively on the provider for the regular scanning and remediation of vulnerabilities in the back-end technologies supporting the SaaS application.
    • You can only test the connection points to SaaS environments. This involves trying to figure out what you can see, e.g. looking for encrypted traffic.

    Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.

    Step 1.4

    Vulnerability detection

    Activities
    • 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
    • 1.4.2 Incident management and vulnerability management

    This step will walk you through the following activities:

    Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

    Determine how incident management and vulnerability management interoperate.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Vulnerability detection

    Vulnerabilities can be identified through numerous mediums.

    Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

    Vulnerability Assessment and Scanning Tools
    • Computer programs that function to identify and assess security vulnerabilities and weaknesses within computers, computer systems, applications, or networks.
    • Using a known vulnerability database, the tool scans targeted hosts or systems to identify flaws and generate reports and recommendations based on the results.
    • There are four main types of tools under this category: network and operating system vulnerability scanners, application scanning and testing tools, web application scanners, and exploitation tools.
    Penetration Tests
    • The act of identifying vulnerabilities on computers, computer systems, applications, or networks followed by testing of the vulnerability to validate the findings.
    • Penetration tests are considered a service that is offered by third-parties in which a variety of products, tools, and methods are used to exploit systems and gain access to data.
    Open Source Monitoring
    • New vulnerabilities are detected daily with each vulnerability’s information being uploaded to an information-sharing platform to enable other organizations to be able to identify the same vulnerability on their systems.
    • Open source platforms are used to alert and distribute information on newly discovered vulnerabilities to security professionals.
    Security Incidents
    • Any time an incident response plan is called into action to mitigate an incident, there should be formal communication with the vulnerability management team.
    • Any IT incident an organization experiences should provide a feed for analysis into your vulnerability management program.

    Automate with a vulnerability scanning tool

    Vulnerabilities are too numerous for manual scanning and detection.
    • Vulnerability management is not only the awareness of the existence of vulnerabilities but that they are actively present in your environment.
    • A vulnerability scanner will usually report dozens, if not hundreds, of vulnerabilities on a regular and recurring basis. Typical IT environments have several dozen, if not hundreds, of servers. We haven’t even considered the amount of network equipment or the hundreds of user workstations in an environment.
    • This tool will give you information of the presence of a vulnerability in your environment and the host on which the vulnerability exists. This includes information on the version of software that contains a vulnerability and whether you are running that version. The tool will also report on the criticality of the vulnerability based on industry criticality ratings.
    • The tools are continually updated by the vendor with the latest definition updates for the latest vulnerabilities out there. This ensures you are always scanning for the greatest number of potential vulnerabilities.
    Automation requires oversight.
    1. Vulnerability scanners bring great automation to the task of scanning and detecting vulnerabilities in high numbers.
    2. Vulnerability scanners, however, do not have your level of intelligence. Any compensating controls, network segregation, or other risk mitigation features that you have in place will not be known by the tool.
    3. Determining the risk and urgency of a vulnerability within the context of your specific environment will still require internal review by you or your SecOps team.

    For guidance on tool selection

    Refer to section 4.3 Selecting and Implement a Scanning Tool in this blueprint.

    Vulnerability scanning tool considerations

    Select a vulnerability scanning tool with the features you need to be effective.
    • Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting.
    • In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered.
    • A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities.
    • A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.
    Stock photo of a smartphone scanning a barcode.

    For guidance on tool vendors

    Visit SoftwareReviews for information on vulnerability management tools and vendors.

    Vulnerability scanning tool best practices

    How often should scans be performed?

    One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

    The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

    ANALYST PERSPECTIVE: Organizations should look for continuous scanning

    Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

    Continuous Scanning Methods

    Continuous agent scanning

    Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.

    On-demand scanning

    Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.

    Cloud-based scanning

    Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.

    Vulnerability scanning tool best practices

    Where to perform a scan.

    What should be scannedHow to point a scanner
    The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
    Mobile Devices

    You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs.

    Several ways to scan mobile devices:

    • Intercept the device when it remotes into your network using a VPN. You catch the device with a remote scan. This can only be done if a VPN is required.
    • An agent-based approach can be used for mobile devices. Locally installed software gives the information needed to evaluate the security posture of a device. Discernibly, concerns around device processing, memory, and network bandwidth come into play. Ease of installation becomes key for agents.
    Virtualization
    • In a virtual environment, you will have servers being dynamically spun up. Ensure your tool is able to scan these new servers automatically.
    • Often, vulnerability scanning tool providers will restrict scanning to preapproved scanners. Look for tools that are preapproved by the VM vendors.
    Cloud Environments
    • You can set your tool to scan a given cloud environment. The main concern here is who owns the cloud. If it is a private cloud, there is little concern.
    • If it is a third-party cloud (AWS, Azure, etc.) you need to confirm with the cloud service provider that scanning of your cloud environment can occur.
    • There is a trend to allow more scanning of cloud environments.
    • You need to tell the scanner an IP address, a group of IP addresses, an asset group, or a combination of those.
    • You can categorize by functional classifications – internet-facing servers, workstations, network devices, etc., or by organizational structure – Finance, HR, Legal, etc.
    • If you have a strong change management system, you can better hone when and where to perform a scan based on actual changes.
    • You can set the number of concurrent outbound TCP connections that are being made. For example, set the tool so it sends out to 10 ports at a time, rather than pinging at 64k ports on a machine, which would flood the NIC.
    • Side Note: Flooding a host with pings from a scanning tool can be done to find out DoS thresholds on a machine. There are no bandwidth concerns for a network DoS, however, because the packets are so small.

    Vulnerability scanning tool best practices

    Communication and measurement

    Pre-Scan Communication With Users

    • It is always important to inform owners and users of systems that a scan will be happening.
    • Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
    • Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.
    Vulnerability Scanning Tool Tracking Metrics
    • Vulnerability score by operating system, application, or organization division.
      • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
    • Most vulnerable applications and application version.
      • This provides insight into how outdated applications are creating risk exposure for an organization.
      • This will also provide metrics on the effectiveness of your patching program.
    • Number of assets scanned within the last number of days.
      • This provides visibility into how often your assets are being scanned and thus protected.
    • Number of unowned devices or unapproved applications.
      • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Proactively identify new vulnerabilities as they are announced.

    By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

    Common sources:
    • Vendor websites and mailing lists
      • Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included.
      • There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually.
    • Third-party websites
      • A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors.
      • However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching.
    • Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds
      • These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts.
    • Vulnerability databases
      • These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).
    Stock photo of a student checking a bulletin board.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Third-party sources for vulnerabilities

    • Open Source Vulnerability Database (OSVDB)
      • An open-source database that is run independently of any vendors.
    • Common Vulnerabilities and Exposures (CVE)
      • Free, international dictionary of publicly known information security vulnerabilities and exposures.
    • National Vulnerability Database (NVD)
      • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
      • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
      • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
    • Open Web Application Security Project (OWASP)
      • OWASP is another free project helping to expose vulnerabilities within software.
    • US-CERT National Cyber Alert System (US-CERT Alerts)
      • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
      • Cybersecurity Tips – Provide advice about common security issues for the general public.
      • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
    • US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
      • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
    • Open Vulnerability Assessment Language (OVAL)
      • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

    1.4.1 Develop a monitoring and review process for third-party vulnerability sources

    60 minutes

    Input: Third-party resources list

    Output: Process for review of third-party vulnerability sources

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

    1. Identify what third-party resources are useful and relevant.
    2. Shortlist your third-party sources.
    3. Identify what is the best way to receive information from a third party.
    4. Document the method to receive or check information from the third-party source.
    5. Identify who is responsible for maintaining third-party vulnerability information sources
    6. Capture this information in the Vulnerability Management SOP Template.
    Download the Vulnerability Management SOP TemplateSample of the Third Party Vulnerability Monitoring tables from the Vulnerability Management SOP Template.

    Incidents and vulnerability management

    Incidents can also be a sources of vulnerabilities.

    When any incident occurs, for example:

    • A security incident, such as malware detected on a machine
    • An IT incident, such as an application becomes unresponsive
    • A crisis occurs, like a worker accident

    There can be underlying vulnerabilities that need to be processed.

    Three Types of IT Incidents exist:
    1. Information Security Incident
    2. IT Incident and/or Problem
    3. Crisis

    Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
    If you are missing an incident response plan, take a look at Info-Tech’s Related Resources.

    Info-Tech Related Resources:
    If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.

    If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.

    1.4.2 Incident management and vulnerability management

    60 minutes

    Input: Existing incident response processes, Existing crisis communications plans

    Output: Alignment of vulnerability management program with existing incident management processes

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    1. Inventory what incident response plans the organization has. These include:
      1. Information Security Incident Response Plan
      2. IT Incident Plan
      3. Problem Management Plan
      4. Crisis Management Plan
    2. Identify what part of those plans contains the post-response recap or final analysis.
    3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

    Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

    Download the Vulnerability Management SOP Template

    Implement Risk-Based Vulnerability Management

    Phase 2

    Triage & prioritize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Step 2.1

    Triage vulnerabilities

    Activities
    • 2.1.1 Evaluate your identified vulnerabilities

    This step will walk you through the following activities:

    Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Triaging vulnerabilities

    Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

    When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

    • The intrinsic qualities of the vulnerability
    • The business criticality of the affected asset
    • The sensitivity of the data stored on the affected asset

    Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

    Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

    Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

    Info-Tech Insight

    This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

    Triage your vulnerabilities, filter out the noise

    Triaging enables your vulnerability management program to focus on what it should focus on.

    Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear.

    Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications.
    Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory.

    There are two major use cases for this process:
    1. For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory.
    2. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.
    The Info-Tech methodology for initial triaging of vulnerabilities:
    Flowchart of the Info-Tech methodology for initial triaging of vulnerabilities, beginning with 'Vulnerability has been identified' and ending with either 'Vulnerability has been triaged' or 'No action needed'.

    Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

    After eliminating the noise, evaluate your vulnerabilities to determine urgency

    Consider the intrinsic risk to the organization.

    Is there an associated, verified exploit?
    • For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
    • Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
    • Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.
    Is there a CVSS base score of 7.0 or higher?
    • Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
    • CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
    • Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.
    Is there potential for significant lateral movement?
    • Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
    • Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

    2.1.1 Evaluate your identified vulnerabilities

    60 minutes

    Input: Visio workflow of Info-Tech’s vulnerability management process

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

    The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

    1. Review the evaluation process in the Vulnerability Management Workflow library.
    2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
    3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

    Download the Vulnerability Management SOP Template

    Step 2.2

    Determine high-level business criticality

    Activities
    • 2.2.1 Determine high-level business criticality
    • 2.2.2 Determine your high-level data classifications

    This step will walk you through the following activities:

    Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Understanding business criticality is key to determining vulnerability urgency

    Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

    Use the questions below to help assess which operations are critical for the business to continue functioning.

    For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.

    Questions to askDescription
    Is there a hard-dollar impact from downtime?This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it impacts sales, and therefore, revenue.
    Is there an impact on goodwill/ customer trust?If downtime means delays in service delivery or otherwise impacts goodwill, there is an intangible impact on revenue that may make the associated systems mission critical.
    Is regulatory compliance a factor?Depending on the circumstances of the vulnerabilities, it can be a violation of regulatory compliance and would cause significant fines.
    Is there a health or safety risk?Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure that individuals’ health and safety are maintained. An exploited vulnerability that prevents these operations can directly impact the lives of these individuals.
    Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.

    Analyst Perspective

    When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term.

    Consider instead what the impact is over the first 24 or 48 hours of downtime.

    2.2.1 Determine high-level business criticality

    120 minutes; less time if a Disaster recovery plan business impact analysis exists

    Input: List of business operations, Insight into business operations impacts to the business

    Output: List of business operations and their criticality and impact to the business

    Materials: Vulnerability Management SOP Template

    Participants: Participants from the business, IT Security Manager, CISO, CIO

    1. List your core business operations at a high level.
    2. Use a High, Medium, or Low ranking to prioritize the business operations based on mission-critical criteria and the impact of the vulnerability.
    3. When using the process flow, consider if the vulnerability directly affects any of these business operations and move through the process flow based on the corresponding High, Medium, or Low ranking.
    Example prioritization of business operations for a manufacturing company:Questions to ask:
    1. Is there a hard-dollar impact from downtime?
    2. Is there impact on goodwill or customer trust?
    3. Is regulatory compliance a factor?
    4. Is there a health or safety risk?

    Download the Vulnerability Management SOP Template

    Determine vulnerability urgency by its data classification

    Consider how to classify your data based on if the Confidentiality, Integrity, or Availability (CIA) is compromised.

    To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if it were to be exploited by a vulnerability. Review the table below for an explanation for each objective.
    Confidentiality

    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    Integrity

    Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.

    Availability

    Ensuring timely and reliable access to and use of information.

    Each piece of data should be ranked as High, medium, or low across confidentiality, integrity, and availability based on adverse effect.Arrow pointing right.Low — Limited adverse effect

    Moderate — Serious adverse effect

    High — Severe or catastrophic adverse effect

    If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.

    How to determine data classification when CIA differs:

    The overall ranking of the data will be impacted by the highest objective’s ranking.

    For example, if confidentiality and availability are low, but integrity is high, the overall impact is high.

    This process was developed in part by Federal Information Processing Standards Publication 199.

    2.2.2 Determine your high-level data classifications

    120 minutes, less time if data classification already exists

    Input: Knowledge of data use and sensitivity

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, CISO, CIO

    If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:

    1. List common assets or applications that are prone to vulnerabilities.
    2. Consider the data that is on these devices and provide a high (severe or catastrophic adverse effect), medium (serious adverse effect), or low (limited adverse effect) ranking based on confidentiality, availability, and integrity.
      1. Use the table on the previous slide to assist in providing the ranking.
      2. Remember that it is the highest ranking that dictates the overall ranking of the data.
    3. Document which data belongs in each of the categories to provide contextual evidence.

    Download the Vulnerability Management SOP Template

    This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.

    Step 2.3

    Consider current security posture

    Activities
    • 2.3.1 Document your defense-in-depth controls

    This step will walk you through the following activities:

    Your defense-in-depth controls are the existing layers of security technology that protects your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Understanding and documentation of your current defense-in-depth controls.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Review your current security posture

    What you have today matters.
    • In most cases, your vulnerability scanning tool alone will not have the context of your security posture in the results of its scans. This can skew the true urgency of detected vulnerabilities in your environment.
    • What you have in place today is what comprises your organization’s overall security posture. This bears high relevance to the determination of the risk that a vulnerability poses to your environment.
    • Elements such as enterprise architecture and defense in depth mechanisms should be factored into determining the risk of a vulnerability and what kind of immediacy is warranted to address it.
    • Details of your current security posture will also contribute to the assessment and selection of remediation options.
    Stock image of toy soldiers split into two colours, facing eachother down.

    Enterprise architecture considerations

    What does your network look like?
    • Most organizations have a network topology that has been put in place with operational needs in mind. These includes specific vLANs or subnets, broadcast domains, or other methods of traffic segregation.
    • The firewall and network ACLs (access control lists) will manage traffic and the routes that data packets follow to traverse a network.
    • Organizations may physically separate data network types, for example, a network for IT services and one for operational technology (OT)(OT is often known as ICS (industrial control systems) or SCADA (supervisory control and data acquisition)) or other types of production technology.
    • The deployment of distribution and access switches across an enterprise can also be a factor, where a flatter network will have fewer network devices within the topology.
    • In a directory services environment such as Windows Active Directory, servers and applications can be segregated by domains and trust relationships, organizational units, and security groups.
    What’s the relevance to vulnerability management?

    For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question.

    Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit.

    This may potentially “buy time” for SecOps to address and remediate the vulnerability.

    Defense-in-depth

    Defense-in-depth provides extra layers of protection to the organization.

    • Defense-in-depth refers to the coordination of security controls to add layers of security to the organization.
      • This means that even if attackers are able to get past one control or layer, they are hindered by additional security.
    • Defense-in-depth is distinct from the previous section on enterprise architecture as these are security controls put in place with the purpose of being lines of defense within your security posture.
    • This can be extremely useful in managing vulnerabilities; thus, it is important to establish the existing defense-in-depth controls. By establishing the base model for your defense-in-depth, it will allow you to leverage these controls to manage vulnerabilities.
    • Controls are typically distributed across endpoints, network infrastructure, servers, and physical security.

    Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.

    Examples of defense-in-depth controls can consist of any of the following:
    • Antivirus software
    • Authentication security
    • Multi-factor authentication
    • Firewalls
    • Demilitarized zones (DMZ)
    • Sandboxing
    • Network zoning
    • Application whitelisting
    • Access control lists
    • Intrusion detection & prevention systems
    • Airgapping
    • User security awareness training

    2.3.1 Document your defense-in-depth controls

    2 hours, less time if a security services catalog exists

    Input: List of technologies within your environment, List of IT security controls that are in place

    Output: List of defense-in-depth controls

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO

    1. Document the existing defense-in-depth controls within your system.
    2. Review the initial list that has been provided and see if these are controls that currently exist.
    3. Indicate any other controls that are being used by the organization. This may already exist if you have a security services catalog.
    4. Indicate who the owners of the different controls are.
    5. Track the information in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Sample table of security controls within a Defense-in-depth model with column headers 'Defense-in-depth control', 'Description', 'Workflow', and 'Control Owner'.

    Step 2.4

    Risk assessment of vulnerabilities

    Activities
    • 2.4.1 Build a classification scheme to consistently assess impact
    • 2.4.2 Build a classification scheme to consistently assess likelihood

    This step will walk you through the following activities:

    Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.

    This step involves the following participants:

    • IT Security Manager
    • IT Operations Management
    • CISO
    • CIO

    Outcomes of this step

    A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that is reported by your scanning tool.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Vulnerabilities and risk

    Vulnerabilities must be addressed to mitigate risk to the business.
    • Vulnerabilities are a concern because they are potential threats to the business. Vulnerabilities that are not addressed can turn from potential threats into actual threats; it is only a matter of time and opportunity.
    • Your organization will already be familiar with risk management, as every decision carries a business risk component. There may even be a senior manager assigned as corporate risk officer to manage organizational risk.
    • The organization likely has a risk tolerance level that defines the organization’s risk appetite. This may be measured in dollars, non-productivity time, or other units of inefficiency.
    • The risk of a vulnerability can be calculated using impact and likelihood. Impact is the effect that the vulnerability will have if it is exploited by a malicious actor. Likelihood is the degree to which a vulnerability exploit can possibly occur.
    Stock image of a cartoon character in a tie hanging on the needle of a 'RISK' meter as it sits at 'LOW'.

    Info-Tech Insight

    Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.

    A risk-based approach to vulnerability management

    CVSS scores are just the starting point!

    Vulnerabilities are constant.
    • There will always be vulnerabilities in the environment, many of which won’t be reported as they are currently unknown.
    • Don’t focus on trying to resolve all vulnerabilities in your environment. You are neither resourced for it nor can the business tolerate the downtime needed to remediate every single vulnerability.
      • The constant follow of new vulnerabilities will quickly render your efforts useless and it will become a game of “whack-a-mole.”
    • Being able to prioritize which vulnerabilities require appropriate levels of response is crucial to ensuring that an organization stays ahead of the continual flow.
    • Your vulnerability scanning tool will report the severity of a vulnerability, often using an industry Common Vulnerability Scoring System (CVSS) system ranging from 0 to 10. It will then scan your environment for the presence of the vulnerability and report accordingly.
      • Your vulnerability scanning tool will not be aware of any mitigation components in your environment, such as compensating controls, network segregation, server/application hardening, or any other measures that can reduce the risk. That is why determining actual risk is a crucial step.

    Stock image of a whack-a-mole game.

    Info-Tech Insight

    Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.

    Prioritize remediation by levels of risk

    Address critical and high risk with high immediacy.

    • Addressing the critical and high-risk vulnerabilities with urgency will ensure that you are addressing a more manageable number of vulnerabilities.
    • An optimized vulnerability management process will address the medium and low risk vulnerabilities within the regular cycle.
    • This may be very similar to what you do today in an ad hoc fashion:
      • Zero-day vulnerabilities tend to warrant a stop in operations and are dealt with immediately (or as soon as a vendor has a fix).
      • The standard remediation process (patching/updating, change of configuration, etc.) happens within a regular controlled time cycle.
    • Formalizing this process will ensure that appropriate attention is given to vulnerabilities that warrant it and that the remaining vulnerabilities are dealt with as a regular, recurring activity.

    Mitigate the risk surface by reducing the time across the phases

    Chart titled 'Mitigate the risk surface by reducing the time across the phases' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. A note on the line reads 'Objective: Reduce risk surface by reducing time to address'. The area between the line and your organization's risk tolerance is labelled 'Risk Surface, to be addressed with high priority'. A bracket around Risk levels 'High' and 'Critical' reads 'Priority focus zone (risk surface)'. Risk lines within levels 'Low' and 'Medium' read 'Follow standard vulnerability management cycles'.

    Risk matrix

    Risk = Impact x Likelihood
    • Info-Tech’s Vulnerability Management Risk Assessment Tool provides a method of calculating the risk of a vulnerability. The risk rating is assigned using the impact of the risk and the likelihood or probability that the event may occur.
    • The tool puts the vulnerability into your organization’s context: How many people will be affected? What service types are vulnerable and how does that impact the business? Is there an anticipated update from the vendor of the system being affected?
    • Urgency of remediation should be based on the business consequences if the vulnerability were to be exploited, relative to the business’ risk tolerance.

    Info-Tech Insight

    Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.

    A risk matrix is useful in calculating a risk rating for vulnerabilities. Risk matrix with axes 'Impact' and 'Time' and individual vulnerabilities mapped onto it via their risk rating. The example 'Organizational Risk Tolerance Threshold' line runs diagonally through the 'Medium' squares.

    2.4.1 Build a classification scheme to consistently assess impact

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Impact. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', 'Network vulnerability', and 'Vendor patch release'.

    2.4.2 Build a classification scheme to consistently assess likelihood

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability that your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Likelihood. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', and 'Network vulnerability'.

    Prioritize based on risk

    Select the best remediation option to minimize risk.

    Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.

    • Remediation options will be identified for the higher urgency vulnerabilities.
    • Options will be assessed for whether they are appropriate.
    • They will be further tested to determine if they can be used adequately prior to full implementation.
    • Based on the assessments, the remediation will be implemented or another option will be considered.
    Prioritization
    1. Assignment of risk
    2. Identification of remediation options
    3. Assessment of options
    4. Implementation

    Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.

    Implement Risk-Based Vulnerability Management

    Phase 3

    Remediate vulnerabilities

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • Identifying potential remediation options.
    • Developing criteria for each option with regards to when to use and when to avoid.
    • Establishing exception procedure for testing and remediation.
    • Documenting the implementation of remediations and verification.

    This phase involves the following participants:

    • CISO, or equivalent
    • Security Manager/Analyst
    • Network, Administrator, System, Database Manager
    • Other members of the vulnerability management team
    • Risk managers for the risk-related steps

    Determining how to remediate

    Patching is only one option.

    This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
    • Identifying and selecting the remediation option to be used.
    • Determining what to do when a patch or update is not available.
    • Scheduling and executing the remediation activity.
    • Continuous improvement.

    Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.

    It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.

    Step 3.1

    Assessing remediation options

    Activities
    • 3.1.1 Develop risk and remediation action

    This step will walk you through the following activities:

    With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    List of remediation options and criteria on when to consider each.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Identify remediation options

    There are four options when it comes to vulnerability remediation.

    Patches and Updates

    Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.

    Configuration Changes

    Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.

    Remediation

    Compensating Controls

    By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.

    Risk Acceptance

    Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.

    Patches and updates

    Patches are often the easiest and most common method of remediation.

    Patches are usually the most desirable remediation solution when it comes to vulnerability management. They are typically provided by the vendor of the vulnerable application or system and are meant to eliminate the existing vulnerability.

    When to use

    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching for the affected systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.

    When to avoid

    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches, which is often the case for critical systems.
    When to consider other remediation options
    • For critical systems, it can be difficult to implement a patch as they often require the system to be rebooted or go through some downtime. There must be consideration towards whether there is a change window approaching if a patch is to be implemented on a business-critical system.
      • If there is no opportunity to implement the patch, or no approaching change window, it is wise to leverage another remediation option.
    • When patches are not currently available from the vendor or they are in production, other remediation options are needed.
    • Other remediation options can be used in tandem with the patch. For example, if a patch is being deferred until the change window, it would be wise to use alternate remediation options to close the vulnerability.

    Compensating controls

    Compensating controls can decrease the risk of vulnerabilities that cannot be (immediately) remediated.

    • Compensating controls are measures put in place when direct remediation measures are impractical or non-existent.
    • Similar to the payment card industry’s PCI DSS 1.0 provision of compensating controls, these are meant to meet the intent or rigor of the original requirement; unlike PCI DSS, these measures are to mitigate risk rather than meet compliance.
    • The compensating control should be viewed as only a temporary measure for dealing with a vulnerability, although circumstances may dictate a degree of permanence in the application of the compensating control.
    • Examples where compensating controls may be needed are:
      • The software vendor is developing an update or patch to address a vulnerability.
      • Through your testing process, a patch will adversely affect the performance or operation of the target system and be detrimental to the business.
      • A critical application will only run on a legacy operating system, the latter of which is no longer supported by the vendor.
      • A legacy application is no longer being supported but is critical to your operations. A replacement, if one exists, will take time to implement.
    Examples of compensating controls
    • Segregating a vulnerable server or application on the network, physically or logically.
    • Hardening the operating system or application.
    • Restricting user logins to the system or application.
    • Implementing access controls on the network route to the system.
    • Instituting application whitelisting.

    Configuration changes

    Configuration changes involve making changes directly to the application or system in which there is a vulnerability. This can vary from disabling or removing the vulnerable element or, in the case of applications built in-house, changing the coding of the application itself. These are commonly used in network vulnerabilities such as open ports.

    When to use

    • A patch is not available.
    • The vulnerable element can be significantly changed, or even disabled, without significantly disrupting the business.
    • The application is built in-house, as the vulnerability must be closed internally.
    • There is adequate testing to ensure that the configuration change does not affect the business.
    • A configuration change in your network or system can affect numerous endpoints or systems, reducing endpoint patching or use of defense-in-depth controls.

    When to avoid

    • When a suitable patch is available.
    • When the vulnerability is on a business-critical element with no nearby change window or it cannot be disabled.
    • When there is no opportunity in which to perform testing to ensure that there are no unintended consequences.
    When to consider other remediation options
    • Configuration changes require careful documentation as changes are occurring to the system and applications. If there is a need to perform a back-out process and return to the original configuration, this can be extremely difficult without clear documentation of what occurred.
    • If business systems are too critical or important to the regular business function to perform any changes, it is necessary to consider other options.

    Info-Tech Insight

    Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.

    Case Study

    Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.

    INDUSTRY: All
    SOURCE: Public Domain
    Challenge

    Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014.

    This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it.

    This was rated a 10/10 by CVSS – the highest possible score.

    Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.

    Solution

    Organizations had to react quickly and multiple remediation options were identified:

    • Configuration changes – Companies were recommended to use other shells instead of the Bash shell.
    • Defense-in-depth controls – Using HTTP server logs, it could be possible to identify if the vulnerability had been exploited.
    • Patches – Many vendors released patches to close this vulnerability including Debian, Ubuntu, and Red Hat.
    Results

    Companies began to protect themselves against these vulnerabilities.

    While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim.

    However, even today, many still have the Shellshock vulnerability and exploits continue to occur.

    Accept the risk and do nothing

    By choosing not to remediate vulnerabilities, you must accept the associated risk. This should be your very last option.

    Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, it can take away resources from other security initiatives as opposed to low-priority vulnerabilities that are extremely unlikely to be exploited.

    Common criteria for vulnerabilities that are not remediated:
    • Affected systems are of extremely low criticality.
    • Affected systems are deemed too critical to take offline to perform adequate remediation.
    • Low urgency is assigned to those vulnerabilities.
    • Cost and time required for the remediation are too high.
    • No adequate solutions exist – the vendor has not released a patch, there are weak defense-in-depth controls, and it is not possible to perform a configuration change.

    Risk acceptance is not uncommon…

    • With an ever-increasing number of vulnerabilities, organizations are struggling to keep up and often, intentionally or unintentionally, accept the risk associated.
    • In the end, non-remediation means full acceptance of the risk and any consequences.

    Enterprise risk management
    Arrow pointing up.
    Risk acceptance of vulnerabilities

    While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.

    Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.

    Risk considerations

    When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.

    Don’t accept the risk because it seems easy. Consider the financial impact of leaving vulnerabilities open.

    With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:

    Cost not to mitigate = W * T * R

    Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.

    As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:

    “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits:

    1,000 computers * 8 hours * $70/hour = $560,000”

    Info-Tech Insight

    Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.

    3.1.1 Develop risk and remediation action

    90 minutes

    Input: List of remediation options

    Output: List of remediation options sorted into “when to use” and “when to avoid” lists

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO

    It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.

    1. List each remediation option on a flip chart and create two headings: “When to use” and “When to avoid.”
    2. Each person will list “when to use” criteria on a green sticky note and “when to avoid” criteria on a red one for each option; these will be placed on the appropriate flip chart.
    3. Discuss as a group which criteria are appropriate and which should be removed.
    4. Move on to the next remediation option when completed.
      • Ensure to include when there are remediation options that will be connected. For example, the risk may be accepted until the next available change window, or a defense-in-depth control is used before a patch can be fully installed.
    5. Once the criteria has been established, document this in the Vulnerability Management SOP Template.
    When to use:
    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching, especially for critical systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.
    When to avoid:
    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it has caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches.
    (Example from the Vulnerability Management SOP Template for Patches.)

    Download the Vulnerability Management SOP Template

    Step 3.2

    Scheduling and executing remediation

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although there are no specific activities for this section, it will walk you through your existing processes configuration and change management to ensure that you are leveraging those activities in your vulnerability remediation actions.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Gained understanding of how IT operations processes configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Implementing the remediation

    Vulnerability management converges with your IT operations functions.
    • Once a remediation strategy has been formulated, you can leverage your release and change management processes to orchestrate the testing, version tracking, scheduling, approval, and implementation activities.
    • Each of these processes should exist in your environment in some form. Leveraging these will engage the IT operations team to carry out their tasks in the remediation process.
    • There can be a partial or full handoff to these processes, however, the owner of the vulnerability management program is responsible for verifying the application of the remediation measure and that the overall risk has been reduced.
    • Although full blueprints exist that cover each of these processes in great detail, the following slides provide an overview of each of these IT operations processes and how they intersect with vulnerability management.
    Stock image of a person on a laptop overlaid by an icon with gears indicating settings.

    Release Management

    Control the quality of deployments and releases of software updates.

    • The release management process exists to ensure that new software releases (such as patches and updates) are properly tested and documented with version control prior to their implementation into the production environment.
    • The process should map out the logistics of the deployment process to ensure that it is consistent and controlled.
    • Testing is an important part of release management and the urgency of a vulnerability remediation operation can expedite this process to ensure minimal delays. Once testing has been completed successfully, the update is then “promoted” to production-ready status and submitted into the change management process.
    • Often a separate release team may not exist, however, release management still occurs.

    For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.

    Info-Tech Insight

    Many organizations don’t have a separate release team. Rather, whomever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process.

    For guidance on the change management process review our Optimize Change Management blueprint.

    Change Management

    Leverage change control, interruption management, approval, and scheduling.
    • Change management likely exists in some shape or form in your organization. There is usually someone or a committee, such as a change advisory board (CAB), that gives approval for a change.
    • Leveraging the change management process will ensure that your vulnerability remediation has undergone the proper review and approval before implementation. There will usually be business sign-off as part of a change management approval process.
    • Communication will also be integrated in the change management process, so the change manager will ensure that appropriate, timely communications are sent to the proper key stakeholders.
    • The change management process will link to release management and configuration management processes if they exist.

    For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)

    Post-implementation activities

    Vulnerability remediation isn’t a “set it and forget it” activity.
    • Once vulnerability remediation has occurred, it is imperative that the results are reported back to the vulnerability management program manager. This ensures that the loop is closed and the tracking of the remediation activity is done properly.
      • Organizations that are subject to audit by external entities will understand the importance of such documentation.
    • The results of post-implementation review from the change management process will be of great interest, particularly if there was any deviation from the planned activities.
    • Although change execution will usually undergo some form of testing during the maintenance window, there is always the possibility that something has broken as a result of the software update. Be quick to respond to these types of incidents!
      • One example of an issue that is near impossible to test during a maintenance window is one that manifests only when the system or software comes under load. This is what makes for busy Monday mornings after a weekend change window.
    A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.

    Info-Tech Insight

    After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.

    Step 3.3

    Continuous improvement

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although this section has no activities, it will review the process by which you may continually improve vulnerability management.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    An understanding of the importance of ongoing improvements to the vulnerability management program.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Drive continuous improvement

    • Also known as “Continual Improvement” within the ITIL best practice framework.
    • Your vulnerability management program will not be perfect on first launch. In fact, due to the ever-changing nature of vulnerabilities and the technology designed to detect and combat vulnerabilities, the processes within your vulnerability management program will need to be tweaked from time to time.
    • Continuous improvement is a sustained, proactive approach to process improvement. The practice allows for all process participants to observe and suggest incremental improvements that can help improve the overall process.
    • In many cases, continuous improvement can be triggered by changes in the environment. This makes perfect sense for vulnerability management process improvement as a change in the environment will require vulnerability scanning to ensure that such changes have not introduced new vulnerabilities into the environment, increasing your risk surface.
    • One key method to tracking continuous improvement is through the effective use of metrics, covered in Section 4.1 of this blueprint.
    “The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)

    Continuous Improvement

    Continuously re-evaluate the vulnerability management process.

    As your systems and assets change, your vulnerability management program may need updates in two ways.

    When new assets and systems are introduced:

    • When new systems and assets are introduced, it is important for organizations to recognize how these can affect vulnerability management.
    • It will be necessary to identify the business criticality of the new assets and systems and the sensitivity of the data that can be found on them.
    • Without doing so, these will be considered rogue systems or assets – there is no clear process for assigning urgencies.
    • This will only cause problems as actions may be taken that are not aligned with the organization’s risk management framework.

    Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help.

    Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.

    When defense-in-depth capabilities are modified:

    • As you build an effective security program, more controls will be added that can be used to protect the organization.
    • These should be documented and evaluated based on ability to mitigate against vulnerabilities.
    • The defense-in-depth model that was previously established should be updated to include the new capabilities that can be used.
    • Defense-in-depth models are continually evolving as the security landscape evolves, and organizations must be ready for this.

    To assist in building a defense-in-depth model, review Build an Information Security Strategy.

    Implement Risk-Based Vulnerability Management

    Phase 4

    Measure and formalize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • You will determine what ought to be measured to track the success of your vulnerability management program.
    • If you lack a scanning tool this phase will help you determine tool selection.
    • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • Procurement representatives
    • CISO
    • CIO

    Step 4.1

    Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Activities
    • 4.1.1 Measure your program with metrics, KPIs, and CSFs

    This step will walk you through the following activities:

    After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    Outline of metrics you can configure your vulnerability scanning tool to report on.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    You can’t manage what you can’t measure

    Metrics provides visibility.

    • Management consultant Peter Drucker introduced the concept of metrics tied to key performance indicators (KPIs), and the concept holds true: without metrics, you lack the visibility to manage or improve a process.
    • Metrics aren’t just a collection of statistics, they have to be meaningful, they have to tell the story, and most importantly, they have to answer the “so what?” question. What is the significance of a metric – do they illustrate a trend or an anomaly? What actions should be carried out when a metric hits a certain threshold?
    • It would be prudent to track several metrics that can be combined to tell the full story. For example, tracking the number of critical vulnerabilities alone does not give a sense of the overall risk to the organization, nor does it offer any information on how quickly they have been remediated or what amount of effort was invested.
    Stock image of measuring tape.

    Metrics, KPIs, and CSFs

    Tracking the right information and making the information relevant.
    • There is often confusion between raw metrics, key performance indicators, and critical success factors.
    • Raw metrics are what is trackable from your systems and processes as a set of measurements without any context. Raw metrics in themselves are useful in telling the story of “what are we doing?”
    • KPIs are the specific metric or combination of metrics that help you track or gauge performance. KPIs tell the story of “how are we doing?” or “how well are we doing?”
    • CSFs are the specific KPIs that track the activities that are absolutely critical to accomplish for the business or business unit to be successful.
    The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.

    If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:

    • The raw metrics are your heart rate, step count, hours of sleep, caloric intake, etc.
    • KPIs are the individual goals that you have set: maintain a heart rate within the appropriate range for your age/activity level, achieve a step count goal per day, get x hours of sleep per night, consume a calorie range of y per day, etc.
    • CSFs are your overall goal: increase your cardiovascular capacity, lose weight, feel more energetic, etc.

    Your security systems can be similarly measured and tracked – transfer this skill!

    Tracking relevant information

    Tell the story in the numbers.

    Below are a number of suggested metrics to track, and why.

    Business Goal

    Critical Success Factor

    Key Performance Indicator

    Metric to track

    Minimize overall risk exposureReduction of overall risk due to vulnerabilitiesDecrease in vulnerabilitiesTrack the number of vulnerabilities year after year.
    Appropriate allocation of time and resourcesProper prioritization of vulnerability mitigation activitiesDecrease of critical and high vulnerabilitiesTrack the number of high-urgency vulnerabilities.
    Consistent timely remediation of threats to the businessMinimize risk when vulnerabilities are detectedRemediate vulnerabilities more quicklyMean time to detect: track the average time between the identification to remediation.
    Track effectiveness of scanning toolMinimize the ratio, indicating that the tool sees everythingRatio between known assets and what the scanner tracksScanner coverage compared to known assets in the organization.
    Having effective tools to track and addressAccuracy of the scanning toolDifference or ratio between reported vulnerabilities and verified onesNumber of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality.
    Reduction of exceptions to ensure minimal exposureVisibility into persistent vulnerabilities and risk mitigation measuresNumber of exceptions grantedNumber of vulnerabilities in which little or no remediation action was taken.

    4.1.1 Measure your program with metrics, KPIs, and CSFs

    60 minutes

    Input: List of metrics current being measured by the vulnerability management tool

    Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT operations management, CISO

    Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.

    1. Determine the high-level vulnerability management goals for the organization.
    2. Even with a formal process in place, the organization should be considering ways it can improve.
    3. Determine metrics that can help quantify those goals and how they can be measured.
    4. Metrics should always be easy to measure. If it’s a complex process to find the information required, it means that it is not a metric that should be used.
    5. Document your list of metrics in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Step 4.2

    Vulnerability Management Policy

    Activities
    • 4.2.1 Update the vulnerability management program policy

    This step will walk you through the following activities:

    If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.

    This step involves the following participants:

    • IT Security Manager
    • CISO
    • CIO
    • Human resources representative

    Outcomes of this step

    An inaugural policy covering vulnerability management

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability Management Program Policy

    Policies provide governance and enforcement of processes.
    • Policies offer formal guidance on the “rules” of a program, describing its purpose, scope, detailed program description, and consequences of non-compliance. Often they will have a employee sign-off acknowledging understanding.
    • In many organizations, policies are endorsed by senior executives, which gives the policy its “teeth” across the company. The human resources department will always have input due to the implications of the non-compliance aspect.
    • Policies are written to ensure an outcome of consistent expected behavior and are often written to protect the company from liability.
    • Policies should be easy to understand and unambiguous, reflect the current state, and be enforceable. Enforceability can come in the form of audit, technology, or any other means of determining compliance and enforcing behavior.
    Stock image of a judge's gavel.

    4.2.1 Update the vulnerability management policy

    60 minutes

    Input: Vulnerability Management SOP, HR guidance on policy creation and approval

    Output: Completed Vulnerability Management Policy

    Materials: Vulnerability Management SOP, Vulnerability Management Policy Template

    Participants: IT Security Manager, IT operations management, CISO, Human resources representative

    After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process will be around the specific actions that need to be taken around vulnerability management.

    This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
    1. Review Info-Tech’s Vulnerability Management Policy and customize it to your organization’s specifications.
    2. Use your Vulnerability Management SOP as a resource when specifying some of the details within the policy.
    Sample of Info-Tech's Vulnerability Management Policy Template

    Download the Vulnerability Management Policy Template

    Step 4.3

    Select and implement a scanning tool

    Activities
    • 4.3.1 Create an RFP for vulnerability scanning tools

    This step will walk you through the following activities:

    If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability management and penetration testing

    Similar in nature, yet provide different security functions.

    Vulnerability Scanning Tools

    Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.

    Exploitation Tools

    These tools will look to exploit a detected vulnerability to validate it.

    Penetration Tests

    A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)

    ‹————— What’s the difference again? —————›
    Vulnerability scanning tools are just one type of tool.When you add an exploitation tool to the mix, you move down the spectrum.Penetration tests will use scanning tools, exploitation tools, and people.

    What is the value of each?

    • For vulnerability scans, the person performing the scan provides the value – value comes from the organization itself.
    • For exploitation tools on their own, the value comes from the tool itself being used in a safe environment.
    • For penetration tests, the tester is providing the value. They are the value add.

    What’s the implication for me?

    Info-Tech Recommends:
    • A combination of vulnerability scanning and penetration testing. This will improve your security posture through systematic risk reduction and improve your security program through the testing of prevention, detection, and response capabilities with unique recommendations being generated.
    • Start with as much vulnerability scanning as possible to identify gaps to fix and then move onto a penetration test to do a more robust and validated assessment.
    • For penetration tests, start with a transparent box test first, then move to an opaque box. Ideally, this is done with different third parties.

    Vulnerability scanning software

    All organizations can benefit from having one.

    Scanning tools will benefit areas beyond just vulnerability management

    • Network security: It improves the accuracy and granularity of your network security technologies such as WAFs, NGFWs, IDPS, and SIEM.
    • Asset management: Vulnerability scanning can identify new or unknown assets and provide current status information on assets.
    • System management: Information from a vulnerability scan supports baselining activities and determination of high-value and high-risk assets.

    Vulnerability Detection Use Case

    Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.

    Compliance Use Case

    Others will use scanners just for compliance, auditing, or larger GRC reasons.

    Asset Discovery Use Case

    Many organizations will use scanners to perform active host and application identification.

    Scanning Tool Market Trends

    Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.

    Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:

    • Core Impact is an exploitation tool with vulnerability scanning aspects.
    • Metasploit is an exploitation tool with some new vulnerability scanning aspects.
    • Nessus is mainly a vulnerability scanning tool but has some exploitation aspects.

    Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.

    Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.

    Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.

    Vulnerability scanning market

    There are several technology types or functional differentiators that divide the market up.

    Vulnerability Exploitation Tools

    • These will actually test defences and better emulate real life than just scanning. These tools include packet manipulation tools (such as hping) and password cracking tools (such as John the Ripper or Cain and Abel).
    • These tools will provide much more granular information on your network, operations systems, and applications.
    • The main limitation of these tools is how to use them. If you do not have development or test environments that mimic your real production environments to run the exploit tools, these tools may not be appropriate. It may work if you can find some downtime on production systems, but only in very specific and careful instances.
    • Lower maturity security programs usually just do network and application vulnerability scanning. Higher maturity programs will also use penetration testing, application testing, and vulnerability exploitation tools.
    • Network vulnerability scanning tools should always be used. Once you identify any servers or ports running web applications, then you run a web application vulnerability scanner.
    • Exploitation tools and application testing tools are used in more specific use cases that are often related to more-demanding security programs.

    Scanning Tool Market Trends

    • These are considered baseline tools and are near commoditization.
    • Vulnerability scanning tools are not granular enough to detect application-level vulnerabilities (thus the need for application scanners and testing tools) and they don’t validate the exploitability of the vulnerability (thus the need for exploit tools).

    Web Application Scanning Tools

    These tools perform dynamic application security testing (DAST) and static application security testing (SAST).

    Application Scanning and Testing Tools

    • These perform a detailed scan against an application to detect any problematic or malicious code and try to break the application using known vulnerabilities.
    • These tools will identify if something is vulnerable to an exploit but won’t actually run the exploit.
    • These tools are evaluated based on their ability to detect application-specific issues and validate them.

    Vulnerability scanning tool features

    Evaluate vulnerability scanning tools on specific features or functions that are the best differentiators.

    Differentiator

    Description

    Deployment OptionsDo you want a traditional on-premises, cloud-based, or managed service?
    Vulnerability Database CoverageScanners use a library of known vulnerabilities to test for. Evaluate based on the amount of exploits/vulnerabilities the tool can scan for.
    Scanning MethodEvaluate if you want agent-based, authenticated active, unauthenticated active, passive, or some combination of those scanning methods.
    IntegrationWhat is the breadth of other security and non-security technologies the tool can integrate with?
    RemediationHow detailed are the recommended remediation actions? The more granular, the better.

    Differentiator

    Description

    PrioritizationDoes the tool evaluate vulnerabilities based on commonly accepted methods or through a custom-designed prioritization methodology?
    Platform SupportWhat is the breadth of environment, application, and device support in the tool? Consider your need for virtual support, cloud support, device support, and application-specific support. Also consider how often new scanning modules are supported (e.g. how quickly Windows 10 was supported).
    PricingAs with many security controls that have been around for a long time and are commonly used, pricing becomes a main consideration, especially when there are so many open-source options available.

    Common areas people mistake as tool differentiators:

    • Accuracy – Scanning tools are evaluated more on efficiency than effectiveness. Evaluate on the ability to detect, remediate, and manage vulnerabilities rather than real vulnerability detection and the number of false positives. To reduce false positives, you need to use exploitation tools.
    • Performance – Scanning tools have such a small footprint in an environment and the actual scanning itself is such a small impact that evaluation on performance doesn’t matter.

    For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.

    Vulnerability scanning deployment options

    Understand the different deployment options to identify which is best for your security program.

    Option

    Description

    Pros

    Cons

    Use Cases

    On-PremisesEither an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning.
    • Small resource need, so limited network impact.
    • Strong internal scanning.
    • Easier integration with other technologies.
    • Network footprint and resource usage.
    • Maintenance and support costs.
    • Most common deployment option.
    • Appropriate if you have cloud concerns or strong internal network scanning, or if you require strong integration with other systems.
    CloudEither hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.”
    • Small network footprint.
    • On-demand scanning as needed.
    • Optimal external scanning capabilities.
    • Can only do edge-related scanning unless authenticated or agent based.
    • No internal network scanning with passive or unauthenticated active scanning methods.
    • Very limited network resources.
    • Compliance obligations that dictate external vulnerability scanning.
    ManagedA third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere.
    • Expert management of environment scanning, optimizing tool usage.
    • Most scanning work time is report customization and tuning and remediation efforts; thus, managed doesn’t provide sizable resource alleviation.
    • Third party has and owns the vulnerability information.
    • Limited staff resources or expertise to maintain and manage scanner.

    Vulnerability scanning methods

    Understand the different scanning methods to identify which tool best supports your needs.

    Method

    Description

    Pros

    Cons

    Use Cases

    Agent-Based ScanningLocally installed software gives the information needed to evaluate the security posture of a device.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Device processing, memory, and network bandwidth impact.
    • Asset without an agent is not scanned.
    • Need for continuous scanning.
    • Organization has strong asset management
    Authenticated Active ScanningTool uses authenticated credentials to log in to a device or application to perform scanning.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Best accuracy for vulnerability detection across a network.
    • Aggregation and centralization of authenticated credentials creates a major risk.
    • All use cases.
    Unauthenticated Active ScanningScanning of devices without any authentication.
    • Emulates realistic scan by an attacker.
    • Provides limited scope of scanning.
    • Some compliance use cases.
    • Perform after either agent or authenticated scanning.
    Passive ScanningScanning of network traffic.
    • Lowest resource impact.
    • Not enough information can be provided for true prioritization and remediation.
    • Augmenting scanning technique to agent or authenticated scanning.

    IP Management and IPv6

    IP management and the ability to manage IPv6 is a new area for scanning tool evaluation.

    Scanning on IPv4

    Scanning tools create databases of systems and devices with IP addresses.
    Info-Tech Recommends:

    • It is easier to do discovery by directing the scanner at a set IP address or range of IP addresses; thus, it’s useful to organize your database by IPs.
    • Do discovery by phases: Start with internet-facing systems. Your perimeter usually is well-defined by IP addresses and system owners and is most open to attack.
    • Stipulate a list of your known IP addresses through the DHCP registration and perform a scan on that.
    • Depending on your IP address space, another option is to scan your entire IP address space.

    Current Problem With IP Addresses

    IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties.

    Even if it is your range, chances are you don't do static IP ranges today.

    Info-Tech Recommends:

    • Agent-based scanning or MAC address-based scanning
    • Use your DHCP for scanning

    Scanning on IPv6

    First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.

    If you are moving to IPv6, Info-Tech recommends the following:

    • Because you cannot point a scanner at an IPv6 IP range, any scanning tool needs to have a strategy around how to handle IPv6 and properly scan based on IP ranges.
    • You need to know IPv4 to IPv6 translations.
    • Evaluate vulnerability scanning tools on whether any IPv6 features are on par with IPv4 features.

    If you are already on IPv6, Info-Tech recommends the following:

    • If you are on an IPv6 native network, it is nearly impossible to scan the network. You have to always scan your known addresses from your DHCP.

    4.3.1 Create an RFP for vulnerability scanning tools

    2 hours

    Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your scanning tool RFP, based on people, process, and technology requirements.
    2. Consider items such as the desired capabilities and the scope of the scanning.
    3. Conduct interviews with relevant stakeholders to determine the exact requirements needed.
    4. Use Info-Tech’s Vulnerability Scanning Tool RFP Template. It lists many requirements but can be customized to your organization’s specific needs.

    Download the Vulnerability Scanning Tool RFP Template

    4.3.1 Create an RFP for vulnerability scanning tools (continued)

    Things to Consider:
    • Ensure there is adequate resource dedication to support and maintenance for vulnerability scanning.
    • Consider if you will benefit from an RFP. If there is a more appropriate option for your need and your organization, consider that instead.
    • If you don’t know the product you want, then perform an RFI.
    • In the RFP, you need to express your driving needs for the tool so the vendor can best understand your use case.
    • Identify who should participate in the RFP creation and evaluation. Make sure they have time available and it does not conflict with other items.
    • Determine if you want to send it to a select few or if you want to send it to a lot of vendors.
    • Determine a response date so you can know who is soliciting your business.
    • You need to have a process to handle questions from vendors.
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Vulnerability Scanning Tool RFP Template

    Step 4.4

    Penetration testing

    Activities
    • 4.1.1 Create an RFP for penetration tests

    This step will walk you through the following activities:

    We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.

    We provide a request for proposal (RFP) template that we can review if this is an area of interest.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Penetration testing

    Penetration tests are critical parts of any strong security program.

    Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.

    Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability.

    The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.

    Reasons to Test:

    • Assess current security control effectiveness
    • Develop an action plan of items
    • Build a business case for a better security program
    • Increased security budget through vulnerability validation
    • Third-party, unbiased validation
    • Adhere to compliance or regulatory requirements
    • Raise security awareness
    • Demonstrate how an attacker can escalate privileges
    • Effective way to test incident response

    Regulatory Considerations:

    • There is a lot of regulatory wording saying that organizations can’t get a system that is managed, integrated, and supported by one vendor and then have it tested by the same vendor.
    • There is the need for separate third-party testing.
    • Penetration testing is required for PCI, cloud providers, and federal entities.

    How and where is the value being generated?

    Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.

    “A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)

    Start by considering the spectrum of penetration tests

    Network Penetration Tests

    Conventional testing of network defences.

    Testing vectors include:

    • Perimeter infrastructure
    • Wireless, WEP/WPA cracking
    • Cloud penetration testing
    • Telephony systems or VoIP
    Types of tests:
    • Denial-of-service testing
    • Out-of-band attacks
    • War dialing
    • Wireless network testing/war driving
    • Spoofing
    • Trojan attacks
    • Brute force attacks
    • Watering hole attacks
    • Honeypots
    • Cloud-penetration testing
    Application Penetration Tests

    Core business functions are now being provided through web applications, either to external customers or to internal end users.

    Types: Web apps, non-web apps, mobile apps

    Application penetration and security testing encompasses:

    • Code review – analyzing the application code for sensitive information of vulnerabilities in the code.
    • Authorization testing – testing systems responsible for user session management to see if unauthorized access can be permitted.
    • Authentication process for user testing.
    • Functionality testing – test the application functionality itself.
    • Website pen testing – active analysis of weaknesses or vulnerabilities.
    • Encryption testing – testing things like randomness or key strength.
    • User-session integrity testing.
    Human-Centric Testing
    • Penetration testing is developing a people aspect as opposed to just being technology focused.
    • End users and their susceptibility to social engineering attacks (spear phishing, phone calls, physical site testing, etc.) is now a common area to test.
    • Social engineering penetration testing is not only about identifying your human vulnerabilities, but also about proactively training your end users. As well as discovering and fixing potential vulnerabilities, social engineering penetration testing will help to raise security awareness within an organization.

    Info-Tech Insight

    Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.

    Penetration testing types

    Evaluate four variables to determine which type of penetration test is most appropriate for your organization.

    Evaluate these dimensions to determine relevant penetration testing.

    Network, Application, or Human

    Evaluate your need to perform different types of penetration testing.

    Some level of network and application testing is most likely appropriate.

    The more common decision point is to consider to what degree your organization requires human-centric penetration testing.

    External or Internal

    External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.)

    Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.

    Transparent, Semi-Transparent, or Opaque Box

    Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability.
    Use cases: emulating a real-life attack; testing detection and response capabilities; limited network segmentation.

    Transparent Box: Tester is provided full disclosure of information. The tester will have access to everything they need: building floor plans, data flow designs, network topology, etc. This represents what a credentialed and knowledgeable insider would do.
    Use cases: full assessment of security controls; testing of attacker traversal capabilities.

    Aggressiveness of the Test

    Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.

    Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.

    Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.

    Penetration testing scope

    Establish the scope of your penetration test before engaging vendors.

    Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.

    Organizations need to define boundaries, objectives, and key success factors.

    For scope:
    • If you go too narrow, the realism of the test suffers.
    • If you go too broad, it is more costly and there’s a possible increase in false positives.
    • Balance scope vs. budget.
    Boundaries to scope before a test:
    • IP addresses
    • URLs
    • Applications
    • Who is in scope for social engineering
    • Physical access from roof to dumpsters defined
    • Scope prioritized for high-value assets
    Objectives and key success factors to scope:
    • When is the test complete? Is it at the point of validated exploitation?
    • Are you looking for as many holes as possible, or are you looking for how many ways each hole can be exploited?

    What would be out of scope?

    • Are there systems, IP addresses, or other things you want out of scope? These are things you don’t explicitly want any penetration tester to touch.
    • Are there third-party connections to your environment that you don’t want to be tested? These are instances such as cloud providers, supply chain connections, and various services.
    • Are there things that would be awkward to test? For example, determine if you include high-level people in a social engineering test. Do you conduct social engineering for the CEO? If you get their credentials, it could be an awkward moment.

    Ways to break up a penetration test:

    • Location – This is the most common way to break up a penetration test.
    • Division – Self-contained business units are often done as separate tests so you can see how each unit does.
    • IT systems – For example, you put certain security controls in a firewall and want to test its effectiveness.
    • Applications – For example, you are launching a new website or a new portal and you want to test it.

    Penetration testing appropriateness

    Determine your penetration testing appropriateness.

    Usual instances to conduct a penetration test:
    • Setting up a new physical office. Penetration testing will not only test security capabilities but also resource availability and map out network flows.
    • New infrastructure hardware implemented. All new infrastructure needs to be tested.
    • Changes or upgrades to existing infrastructure. Need for testing varies depending on the size of the change.
    • New application deployment. Need to test before being pushed to production environments.
    • Changes or upgrades to existing applications. When fundamental functional changes occur, perform testing:
      • Before upgrades or patching
      • After upgrades or patching
    • Periodic testing. It is a best practice to periodically test your security control effectiveness. Consider at least an annual test.

    Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.

    Assess your threats to determine your appropriate test type:

    Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.

    • Are external attackers concerning to you? Are you distressed about how an attacker can use brute force to enter your network? If so, focus on ingress points, such as FWs, routers, and DMZ.
    • Is social engineering a concern for you (i.e. phone-based or email-based)? Then you are concerned about a credentialed hacker.
    • Is it an insider threat, a disgruntled employee, etc.? This also includes an internal system that is under command and control (C&C).

    ANALYST PERSPECTIVE: Do a test only after you take a first pass.
    If you have not done some level of vulnerability assessment on your own (performing a scan, checking third-party sources, etc.) don’t waste your money on a penetration test. Only perform a penetration test after you have done a first pass and identified and remediated all the low-hanging fruit.

    4.4.1 Create an RFP for penetration tests

    2 hours

    Input: List of criteria and scope for the penetration test, Systems and application information if white box

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Penetration Test RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your penetration test RFP based on people, process, and technology requirements.
      • Consider items such as your technology environment and the scope of the penetration tests.
    2. Conduct an interview with relevant stakeholders to determine the exact requirements needed.
    3. Use Info-Tech’s Penetration Test RFP Template, which lists many requirements but can be customized to your organization’s specific needs.

    Download the Penetration Test RFP Template

    4.4.1 Create an RFP for penetration tests (continued)

    Steps of a penetration test:
    1. Determine scope
    2. Gather targeted intelligence
    3. Review exploit attempts, such as access and escalation
    4. Test the collection of sensitive data
    5. Run reporting
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Penetration Test RFP Template

    Penetration testing considerations – service providers

    Consider what type of penetration testing service provider is best for your organization

    Professional Service Providers

    Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.

    Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.

    Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.

    Integrators

    Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.

    Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.

    Info-Tech Recommends:

    • Always be conscientious of who is conducting the testing and what else they offer. Even if you get another party to test rather than your technology provider, they will try to obtain you as a client. Remember that for larger technology vendors, security testing is a small revenue stream for them and it’s a way to find technology clients. They may offer penetration testing for free to obtain other business.
    • Most of the penetration testers were systems administrators (for network testing) or application developers (for application testing) at some point before becoming penetration testers. Remember this when evaluating providers and evaluating remediation recommendations.
    • Evaluate what kind of open-source tools, commercial tools, and proprietary tools are being used. In general, you don’t want to rely on an open-source scanner. For open source, they will have more outdated vulnerability databases, system identification can also be limited compared to commercial, and reporting is often lacking.
    • Above all else, ensure your testers are legally capable, experienced, and abide by non-disclosure agreements.

    Penetration testing best practices – communications

    Communication With Service Provider

    • During testing there should be designated points of contact between the service provider and the client.
    • There needs to be secure channels for communication of information between the tester and the client both during the test and for any results.
    • Results should always be explained to the client by the tester, regardless of the content or audience.
    • There should be a formal debrief with the results report.
    Immediate reporting of issues
    • Before any testing commences, immediate reporting conditions need to be defined. These are instances when you would want immediate notification of something occurring.
    • Stipulate certain systems or data types that if broken into or compromised, you would want to be notified right away.
    • Example:
      • If you are conducting social engineering, require notification for all account credentials that are compromised. Once credentials are compromised, it destroys all accountability for those credentials and the actions associated with those credentials by any user.
      • Require immediate reporting of specific high-critical systems that are compromised or if access is even found.
      • Require immediate reporting when regulated data is discovered or compromised in any way.

    Communication With Internal Staff

    Do you tell your internal staff that this is happening?

    This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.

    Pros to notifying:
    • This tests the organization’s security monitoring, incident detection, and response capabilities.
    • Letting the team know they are going to see some activity will make sure they don’t get too worried about it.
    • There may be systems you can’t jeopardize but still need to test so notification beforehand is essential (e.g. you wouldn’t allow ERP testing with notification).
    Cons:
    • It does not give you a real-life example of how you respond if something happens.
    • Potential element of disrespect to IT people.

    Penetration testing best practices – results and remediation

    What to expect from penetration test results report:

    A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.

    Expect four major sections:
    • Introduction. An overview of the penetration test methodology including rating methodology of vulnerabilities.
    • Executive Summary. A management-level description of the test, often including a summary of any recommendations.
    • Technical Review. An overview of each item that was looked at and touched. This area breaks down what was done, how it was done, what was found, and any related remediation recommendations. Expect graphs and visuals in this section.
    • Detailed Findings. An in-depth breakdown of all testing methods used and results. Each vulnerability will be explained regarding how it was detected, what the risk is, and what the remediation recommendation is.
    Two areas that will vary by service provider:

    Prioritization

    • Most providers will boast their unique prioritization methodology.
    • A high, medium, and low rating scale based on some combination of variables (e.g. ease of exploitation, breadth of hole, information accessed resulting in further exploitation).
    • The prioritization won’t take into account asset value or criticality.
    • Keep in mind the penetration test is not an input into ultimate vulnerability prioritization, but it can help determine your urgency.

    Remediation

    • Remediation recommendations will vary across providers.
    • Generally, fairly generic recommendations are provided (e.g. remove your old telnet and input up-to-date SSH).
    • Most of the time, it is along the lines of “we found a hole; close the hole.”

    Summary of Accomplishment

    Problem Solved

    At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.

    Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.

    The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.

    With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.

    Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Jimmy Tom.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Sample of the Implement Vulnerability Management storyboard.
    Review of the Implement Vulnerability Management storyboard
    Sample of the Vulnerability Mitigation SOP template.
    Build your vulnerability management SOP

    Contributors

    Contributors from 2016 version of this project:

    • Morey Haber, Vice President of Technology, BeyondTrust
    • Richard Barretto, Manager, Information Privacy and Security, Cimpress
    • Joel Shapiro, Vice President Sales, Digital Boundary Group

    Contributors from current version of this project:

    • 2 anonymous contributors from the manufacturing sector
    • 1 anonymous contributor from a US government agency
    • 2 anonymous contributors from the financial sector
    • 1 anonymous contributor from the medical technology industry
    • 2 anonymous contributors from higher education
    • 1 anonymous contributor from a Canadian government agency
    • 7 anonymous others; information gathered from advisory calls

    Bibliography

    Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.

    Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.

    Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.

    “CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.

    Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.

    Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.

    Lefkowitz, Josh. ““Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.

    Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.

    “National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.

    “OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.

    “OVAL.” OVAL. Accessed 21 Oct. 2020.

    Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.

    Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.

    “Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.

    Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.

    “The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.

    “Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.

    Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.

    “Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.

    “What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.

    White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.

    Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov 2020.

    Position IT to Support and Be a Leader in Open Data Initiatives

    • Buy Link or Shortcode: {j2store}326|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Open data programs are often seen as unimportant or not worth taking up space in the budget in local government.
    • Open data programs are typically owned by a single open data evangelist who works on it as a side-of-desk project.
    • Having a single resource spend a portion of their time on open data doesn’t allow the open data program to mature to the point that local governments are realizing benefits from it.
    • It is difficult to gain buy-in for open data as it is hard to track the benefits of an open data program.

    Our Advice

    Critical Insight

    • Local government can help push the world towards being more open, unlocking economic benefits for the wider economy.
    • Cities don’t know the solutions to all of their problems often they don’t know all of the problems they have. Release data as a platform to crowdsource solutions and engage your community.
    • Build your open data policies in collaboration with the community. It’s their data, let them shape the way it’s used!

    Impact and Result

    • Level-set expectations for your open data program. Every local government is different in terms of the benefits they can achieve with open data; ensure the business understands what is realistic to achieve.
    • Create a team of open data champions from departments outside of IT. Identify potential champions for the team and use this group to help gain greater business buy-in and gather feedback on the program’s direction.
    • Follow the open data maturity model in order to assess your current state, identify a target state, and assess capability gaps that need to be improved upon.
    • Use industry best practices to develop an open data policy and processes to help improve maturity of the open data program and reach your desired target state.
    • Identify metrics that you can use to track, and communicate the success of, the open data program.

    Position IT to Support and Be a Leader in Open Data Initiatives Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop your open data program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set the foundation for the success of your open data program

    Identify your open data program's current state maturity, and gain buy-in from the business for the program.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 1: Set the Foundation for the Success of Your Open Data Program
    • Open Data Maturity Assessment
    • Open Data Program – IT Stakeholder Powermap Template
    • Open Data in Our City Stakeholder Presentation Template

    2. Grow the maturity of your open data program

    Identify a target state maturity and reach it through building a policy and processes and the use of metrics.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 2: Grow the Maturity of Your Open Data Program
    • Open Data Policy Template
    • Open Data Process Template
    • Open Data Process Descriptions Template
    • Open Data Process Visio Templates (Visio)
    • Open Data Process Visio Templates (PDF)
    • Open Data Metrics Template
    [infographic]

    Workshop: Position IT to Support and Be a Leader in Open Data Initiatives

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Drivers for Open Data Program

    The Purpose

    Ensure that the open data program is being driven out from the business in order to gain business support.

    Key Benefits Achieved

    Identify drivers for the open data program that are coming directly from the business.

    Activities

    1.1 Understand constraints for the open data program.

    1.2 Conduct interviews with the business to gain input on business drivers and level-set expectations.

    1.3 Develop list of business drivers for open data.

    Outputs

    Defined list of business drivers for the open data program

    2 Assess Current State and Define Target State of the Open Data Program

    The Purpose

    Understand the gaps between where your program currently is and where you want it to be.

    Key Benefits Achieved

    Identify top processes for improvement in order to bring the open data program to the desired target state maturity.

    Activities

    2.1 Perform current state maturity assessment.

    2.2 Define desired target state with business input.

    2.3 Highlight gaps between current and target state.

    Outputs

    Defined current state maturity

    Identified target state maturity

    List of top processes to improve in order to reach target state maturity

    3 Develop an Open Data Policy

    The Purpose

    Develop a draft open data policy that will give you a starting point when building your policy with the community.

    Key Benefits Achieved

    A draft open data policy will be developed that is based on best-practice standards.

    Activities

    3.1 Define the purpose of the open data policy.

    3.2 Establish principles for the open data program.

    3.3 Develop a rough governance outline.

    3.4 Create a draft open data policy document based on industry best-practice examples.

    Outputs

    Initial draft of open data policy

    4 Develop Open Processes and Identify Metrics

    The Purpose

    Build open data processes and identify metrics for the program in order to track benefits realization.

    Key Benefits Achieved

    Formalize processes to set in place to improve the maturity of the open data program.

    Identify metrics that can track the success of the open data program.

    Activities

    4.1 Develop the roles that will make up the open data program.

    4.2 Create processes for new dataset requests, updates of existing datasets, and the retiring of datasets.

    4.3 Identify metrics that will be used for measuring the success of the open data program.

    Outputs

    Initial draft of open data processes

    Established metrics for the open data program

    Choose a Right-Sized Contact Center Solution

    • Buy Link or Shortcode: {j2store}334|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $25,535 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • IT needs a method to pinpoint which contact center solution best aligns with business objectives, adapting to a post-COVID world of remote work, flexibility, and scalability.
    • Scoring RFP and RFQ proposals is a complex process, and it is difficult to map and gap without a clear view of the organization’s needs. SOWs can contain pitfalls that cause expensive headaches for the organization in the long run. Guidance through a SOW is required to best represent the organization’s interests.

    Our Advice

    Critical Insight

    • “On-premises versus cloud” is a false dichotomy. Contact center architectures come in all shapes and sizes, and organizations should discern whether a hybrid option best meets their needs.
    • Contact centers should service customers – not capabilities. Capabilities must work for you, your agents, and your customers – not the other way around.
    • Deliverables and responsibilities should be a contract’s focal point. While organizations are right to focus on avoiding unanticipated license charges, it is more important to clearly define how deliverables and responsibilities will be divided among the organization, the vendor, and potential third parties.

    Impact and Result

    • Assess the array of contact center architectures with Info-Tech’s Contact Center Decision Points Tool to select a right-sized solution.
    • Build business requirements in a formalized process to achieve stakeholder buy-in.
    • Use Info-Tech’s Contact Center RFP Scoring Tool to evaluate and choose from a range of vendors.
    • Successfully navigate and avoid major pitfalls in a SOW construction.
    • Justify each stage of the process with this blueprint’s key deliverable: the Contact Center Playbook.

    Choose a Right-Sized Contact Center Solution Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to examine the current contact center marketspace, review Info-Tech’s methodology for choosing a right-sized contact center solution, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Contact Center Architectures

    Establish your project vision and metrics of success before shortlisting potential contact center architectures and deciding which is right-sized for the organization.

    • Choose a Right-Sized Contact Center Solution – Phase 1: Assess Contact Center Architectures
    • Contact Center Playbook
    • Contact Center Decision Points Tool

    2. Gather Requirements and Shortlist Vendors

    Build business requirements to achieve stakeholder buy-in, define key deliverables, and issue an RFP/RFQ to shortlisted vendors.

    • Choose a Right-Sized Contact Center Solution – Phase 2: Gather Requirements and Shortlist Vendors
    • Requirements Gathering Documentation Tool
    • Lean RFP Template
    • Contact Center Business Requirements Document
    • Request for Quotation Template
    • Long-Form RFP Template

    3. Score Vendors and Construct SOW

    Score RFP/RFQ responses and decide upon a vendor before constructing a SOW.

    • Choose a Right-Sized Contact Center Solution – Phase 3: Score Vendors and Construct SOW
    • Contact Center RFP Scoring Tool
    • Contact Center SOW Template and Guide
    [infographic]

    Workshop: Choose a Right-Sized Contact Center Solution

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Architecture

    The Purpose

    Shortlist and decide upon a right-sized contact center architecture.

    Key Benefits Achieved

    A high-level decision for a right-sized architecture

    Activities

    1.1 Define vision and mission statements.

    1.2 Identify infrastructure metrics of success.

    1.3 Confirm key performance indicators for contact center operations.

    1.4 Complete architecture assessment.

    1.5 Confirm right-sized architecture.

    Outputs

    Project outline

    Metrics of success

    KPIs confirmed

    Quickly narrow down right-sized architecture

    Decision on right-sized contact center architecture

    2 Gather Requirements

    The Purpose

    Build business requirements and define key deliverables to achieve stakeholder buy-in and shortlist potential vendors.

    Key Benefits Achieved

    Key deliverables defined and a shortlist of no more than five vendors

    Sections 7-8 of the Contact Center Playbook completed

    Activities

    2.1 Hold focus groups with key stakeholders.

    2.2 Gather business, nonfunctional, and functional requirements.

    2.3 Define key deliverables.

    2.4 Shortlist five vendors that appear meet those requirements.

    Outputs

    User requirements identified

    Business Requirements Document completed

    Key deliverables defined

    Shortlist of five vendors

    3 Initial Vendor Scoring

    The Purpose

    Compare and evaluate shortlisted vendors against gathered requirements.

    Key Benefits Achieved

    Have a strong overview of which vendors are preferred for issuing RFP/RFQ

    Section 9 of the Contact Center Playbook

    Activities

    3.1 Input requirements to the Contact Center RFP Scoring Tool. Define which are mandatory and which are desirable.

    3.2 Determine which vendors best meet requirements.

    3.3 Compare requirements met with anticipated TCO.

    3.4 Compare and rank vendors.

    Outputs

    An assessment of requirements

    Vendor scoring

    A holistic overview of requirements scoring and vendor TCO

    An initial ranking of vendors to shape RFP process after workshop end

    4 SOW Walkthrough

    The Purpose

    Walk through the Contact Center SOW Template and Guide to identify how much time to allocate per section and who will be responsible for completing it.

    Key Benefits Achieved

    An understanding of a SOW that is designed to avoid major pitfalls with vendor management

    Section 10 of the Contact Center Playbook

    Activities

    4.1 Get familiar with the SOW structure.

    4.2 Identify which sections will demand greater time allocation.

    4.3 Strategize how to avoid potential pitfalls.

    4.4 Confirm reviewer responsibilities.

    Outputs

    A broad understanding of a SOW’s key sections

    A determination of how much time should be allocated for reviewing major sections

    A list of ways to avoid major pitfalls with vendor management

    A list of reviewers, the sections they are responsible for reviewing, and their time allocation for their review

    5 Communicate and Implement

    The Purpose

    Finalize deliverables and plan post-workshop communications.

    Key Benefits Achieved

    A completed Contact Center Playbook that justifies each decision of this workshop

    Activities

    5.1 Finalize deliverables.

    5.2 Support communication efforts.

    5.3 Identify resources in support of priority initiatives.

    Outputs

    Contact Center Playbook delivered

    Post-workshop engagement to confirm satisfaction

    Follow-up research that complements the workshop or leads workshop group in relevant new directions

    Tech Trend Update: If Contact Tracing Then Distributed Trust

    • Buy Link or Shortcode: {j2store}424|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity

    With COVID-19's rapid spread through populations, governments are looking for technology tools that can augment the efforts of manual contact tracing processes. How the system is designed is crucial to a positive outcome.

    • CIOs must understand how distributed trust principles achieve embedded privacy and help encourage user adoption.
    • CEOs must consider how society's waning trust in institutions affects the way they engage their customers.

    Our Advice

    Critical Insight

    Mobile contact tracing apps that use a decentralized design approach will be the most likely to be adopted by a wide swath of the population.

    Impact and Result

    There are some key considerations to realize from the way different governments are approaching contact tracing:

    1. If centralized, then seek to ensure privacy protections.
    2. If decentralized, then seek to enable collaboration.
    3. In either case, put in place data governance to create trust.

    Tech Trend Update: If Contact Tracing Then Distributed Trust Research & Tools

    Learn why distributed trust is becoming critical to technology systems design

    Understand the differences between mobile app architectures available to developers and how to achieve success in implementation based on your goals.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Tech Trend Update: If Contact Tracing Then Distributed Trust Storyboard
    [infographic]

    Build Resilience Against Ransomware Attacks

    • Buy Link or Shortcode: {j2store}317|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $68,467 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.

    Our Advice

    Critical Insight

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Impact and Result

    • Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Build Resilience Against Ransomware Attacks Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build Resilience Against Ransomware Attacks

    Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.

    • Build Resilience Against Ransomware Attacks – Phases 1-4

    2. Ransomware Resilience Assessment – Complete the ransomware resilience assessment and establish metrics.

    Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.

    • Ransomware Resilience Assessment

    3. Threat Preparedness Workbook – Improve protection and detection capabilities.

    Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and device appropriate countermeasures.

    • Enterprise Threat Preparedness Workbook

    4. Tabletop Planning Exercise and Example Results – Improve response and recovery capabilities with a tabletop exercise for your internal IT team.

    Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.

    • Tabletop Exercise – Internal (Ransomware Template)
    • Ransomware Tabletop Planning Results – Example (Visio)
    • Ransomware Tabletop Planning Results – Example (PDF)

    5. Ransomware Response Runbook and Workflow – Document ransomware response steps and key stakeholders.

    Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.

    • Ransomware Response Runbook Template
    • Ransomware Response Workflow Template (Visio)
    • Ransomware Response Workflow Template (PDF)

    6. Extended Tabletop Exercise and Leadership Guide – Run a tabletop test to plan and practice the response of your leadership team.

    Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.

    • Tabletop Exercise – Extended (Ransomware Template)
    • Leadership Guide for Extended Ransomware

    7. Ransomware Resilience Summary Presentation – Summarize status and next steps in an executive presentation.

    Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.

    • Ransomware Resilience Summary Presentation

    Infographic

    Workshop: Build Resilience Against Ransomware Attacks

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Ransomware Resilience

    The Purpose

    Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.

    Key Benefits Achieved

    Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.

    Complete a current state assessment of key security controls in a ransomware context.

    Activities

    1.1 Review incidents, challenges, and project drivers.

    1.2 Diagram critical systems and dependencies and build risk scenario.

    1.3 Assess ransomware resilience.

    Outputs

    Workshop goals

    Ransomware Risk Scenario

    Ransomware Resilience Assessment

    2 Protect and Detect

    The Purpose

    Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.

    Key Benefits Achieved

    Identify targeted countermeasures that improve protection and detection capabilities.

    Activities

    2.1 Assess ransomware threat preparedness.

    2.2 Determine the impact of ransomware techniques on your environment.

    2.3 Identify countermeasures to improve protection and detection capabilities.

    Outputs

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    Targeted ransomware countermeasures to improve protection and detection capabilities.

    3 Respond and Recover

    The Purpose

    · Improve your organization’s capacity to respond to ransomware attacks and recover effectively.

    Key Benefits Achieved

    Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.

    Activities

    3.1 Review the workflow and runbook templates.

    3.2 Update/define your threat escalation protocol.

    3.3 Define scenarios for a range of incidents.

    3.4 Run a tabletop planning exercise (IT).

    3.5 Update your ransomware response runbook.

    Outputs

    Security Incident Response Plan Assessment.

    Tabletop Planning Session (IT)

    Ransomware Workflow and Runbook.

    4 Improve Ransomware Resilience.

    The Purpose

    Identify prioritized initiatives to improve ransomware resilience.

    Key Benefits Achieved

    Identify the role of leadership in ransomware response and recovery.

    Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.

    Activities

    4.1 Run a tabletop planning exercise (Leadership).

    4.2 Identify initiatives to close gaps and improve resilience.

    4.3 Review broader strategies to improve your overall security program.

    4.4 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.5 Review the dashboard to fine tune your roadmap.

    4.6 Summarize status and next steps in an executive presentation.

    Outputs

    Tabletop Planning Session (Leadership)

    Ransomware Resilience Roadmap and Metrics

    Ransomware Workflow and Runbook

    Further reading

    Build Ransomware Resilience

    Prevent ransomware incursions and defend against ransomware attacks

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Ransomware is a high-profile threat that demands immediate attention:

    • Sophisticated ransomware attacks are on the rise and evolving quickly.
    • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
    • Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

    Common Obstacles

    Ransomware is more complex than other security threats:

    • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
    • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
    • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

    Info-Tech's Approach

    To prevent a ransomware attack:

    • Conduct a through assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
    • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
    • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

    Info-Tech Insight

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recovery quickly.

    Analyst Perspective

    Ransomware is an opportunity and a challenge.

    As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.

    The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

    Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

    This is an image of Michael Hébert

    Michel Hébert
    Research Director, Security and Privacy
    Info-Tech Research Group

    Ransomware attacks are on the rise and evolving quickly.

    Three factors contribute to the threat:

    • The rise of ransomware-as-a-service, which facilitates attacks.
    • The rise of crypto-currency, which facilitates anonymous payment.
    • State sponsorship of cybercrime.

    Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

    A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

    Total ransom money collected (2015 – 2021): USD 2,592,889,121

    This image contains a bubble plot graph showing the total ransom money collected between the years 2015 - 2021.

    The frequency and impact of ransomware attacks are increasing

    Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

    Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

    The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

    66%
    Hit by ransomware in 2021
    (up from 37% in 2020)

    90%
    Ransomware attack affected their ability to operate

    $812,360 USD
    Average ransom payment

    $4.54M
    Average remediation cost (not including ransom)

    ONE MONTH
    Average recovery time

    Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

    Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they anticipated an attack.

    While these elements can help recover from an attack, they don't prevent it in the first place.

    Source: Sophos, State of Ransomware (2022)
    IBM, Cost of A Data Breach (2022)

    The 3-step ransomware attack playbook

    • Get in
    • Spread
    • Profit

    At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

    Resilient organizations look for opportunities to:

    • Learn from incursions
    • Disrupt the playbook
    • Measure effectiveness

    Initial access

    Execution

    Privilege Escalation

    Credential Access

    Lateral Movement

    Collection

    Data Exfiltration

    Data encryption

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network and collect data.

    Infect as many critical systems and backups as possible to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Ransomware is more complex than other security threats

    Ransomware groups thrive through extortion tactics.

    • Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
    • As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying back ups.
    • Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

    Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

    Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

    • Detection and Response – Activities that enable detection, containment, eradication and recovery.
    • Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
    • Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
    • Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

    Source: IBM, Cost of a Data Breach (2022)

    Disrupt the attack each stage of the attack workflow.

    An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

    Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

    Shortening dwell time requires better protection and detection

    Ransomware dwell times and average encryption rates are improving dramatically.

    Hackers spend less time in your network before they attack, and their attacks are much more effective.

    Avg dwell time
    3-5 Days

    Avg encryption rate
    70 GB/h

    Avg detection time
    11 Days

    What is dwell time and why does it matter?

    Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

    Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

    Dwell times are dropping, and encryption rates are increasing.

    It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

    References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.

    Resilience depends in part on response and recovery capabilities

    This blueprint will focus on improving your ransomware resilience to:

    • Protect against ransomware.
    • Detect incursions.
    • Respond and recovery effectively.

    Response

    Recovery

    This image depicts the pathway for response and recovery from a ransomware event.

    For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    This image contains the thought map for Info-Tech's Blueprint: Build Resilience Against Ransomware Attacks.

    Info-Tech's ransomware resilience methodology

    Assess resilience Protect and detect Respond and recover Improve resilience
    Phase steps
    1. Build ransomware risk scenario
    2. Conduct resilience assessment
    1. Assess attack vectors
    2. Identify countermeasures
    1. Review Security Incident Management Plan
    2. Run Tabletop Test (IT)
    3. Document Workflow and Runbook
    1. Run Tabletop Test (Leadership)
    2. Prioritize Resilience Initiatives
    Phase outcomes
    • Ransomware Resilience Assessment
    • Risk Scenario
    • Targeted ransomware countermeasures to improve protection and detection capabilities
    • Security Incident Response Plan Assessment
    • Tabletop Test (IT)
    • Ransomware Workflow and Runbook
    • Tabletop Test (Leadership)
    • Ransomware Resilience Roadmap & Metrics

    Insight Summary

    Shift to a ransomware resilience model

    Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

    Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly

    Visualize challenges

    Build risk scenarios that describe how a ransomware attack would impact organizational goals.

    Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

    Prioritize protection

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    Seize the moment

    The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

    Measure ransomware resilience

    The anatomy of ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

    Key deliverable

    Ransomware resilience roadmap

    The resilience roadmap captures the key insights your work will generate, including:

    • An assessment of your current state and a list of initiatives you need to improve your ransomware resilience.
    • The lessons learned from building and testing the ransomware response workflow and runbook.
    • The controls you need to implement to measure and improve your ransomware resilience over time.

    Project deliverables

    Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

    Ransomware Resilience Assessment

    Measure ransomware resilience, identify gaps, and draft initiatives.

    Enterprise Threat Preparedness Workbook

    Analyze common ransomware techniques and develop countermeasures.

    Ransomware Response Workflow & Runbook

    Capture key process steps for ransomware response and recovery.

    Ransomware Tabletop Tests

    Run tabletops for your IT team and your leadership team to gather lessons learned.

    Ransomware Resilience Roadmap

    Capture project insights and measure resilience over time.

    Plan now or pay later

    Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.

    Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.

    After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

    Source: IBM, Cost of a Data Breach (2022)

    See what members have to say about the ransomware resilience blueprint:

    • Overall Impact: 9.8 / 10
    • Average $ Saved: $98,796
    • Average Days Saved: 17

    "Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."

    CIO, Global Manufacturing Organization

    Blueprint benefits

    IT benefits

    Business benefits

    • Provide a structured approach for your organization to identify gaps, quantify the risk, and communicate status to drive executive buy-in.
    • Create a practical ransomware incident response plan that combines a high-level workflow with a detailed runbook to coordinate response and recovery.
    • Present an executive-friendly project roadmap with resilience metrics that summarizes your plan to address gaps and improve your security posture.
    • Enable leadership to make risk-based, informed decisions on resourcing and investments to improve ransomware readiness.
    • Quantify the potential impact of a ransomware attack on your organization to drive risk awareness.
    • Identify existing gaps so they can be addressed, whether by policy, response plans, technology, or a combination of these.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Executive brief case study

    SOURCE: Interview with CIO of large enterprise

    Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.

    Challenge

    In February 2020, a large organization found a ransomware note on an admin's workstation. They had downloaded a local copy of the organization's identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

    Complication

    Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

    The organization decided not to pay the ransom because it had a copy on an unaffected server.

    Resolution

    The organization was praised for its timely and transparent response.

    The breach motivated the organization to put more protections in place, including:

    • The implementation of a deny-by-default network.
    • The elimination of remote desktop protocol and secure shell.
    • IT mandating MFA.
    • New endpoint-detection and response systems.

    Executive brief case study

    SOURCE: Info-Tech Workshop Results
    iNDUSTRY: Government

    Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning

    The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they still had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they had didn't have a documented ransomware incident response plan.

    Workshop results

    Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identify key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve the organizational awareness ransomware risks and improve buy-in for investment in the security program.

    Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identifies ways to improve the backup strategy and bridge further gaps in their ability to recover.

    The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.

    Guided implementation

    What kind of analyst experiences do clients have when working through this blueprint?

    Scoping Call Phase 1 Phase 2 Phase 3 Phase 4

    Call #1:

    Discuss context, identify challenges, and scope project requirements.

    Identify ransomware resilience metrics.

    Call #2:

    Build ransomware risk scenario.

    Call #4:

    Review common ransomware attack vectors.

    Identify and assess mitigation controls.

    Call #5:

    Document ransomware workflow and runbook.

    Call #7:

    Run tabletop test with leadership.

    Call #3:

    Assess ransomware resilience.

    Call #6:

    Run tabletop test with IT.

    Call #8:

    Build ransomware roadmap.

    Measure ransomware resilience metrics.

    A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 4 to 6 months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities

    Assess ransomware resilience

    Protect and detect

    Respond and recover

    Improve ransomware resilience

    Wrap-up (offsite and offline)

    1.1 1 Review incidents, challenges, and project drivers.

    1.1.2 Diagram critical systems and dependencies.

    1.1.3 Build ransomware risk scenario.

    2.1 1. Assess ransomware threat preparedness.

    2.2 2. Determine the impact of ransomware techniques on your environment.

    2.3 3. Identify countermeasures to improve protection and detection capabilities.

    3.1.1 Review the workflow and runbook templates.

    3.1.2 Update/define your threat escalation protocol.

    3.2.1 Define scenarios for a range of incidents.

    3.2.2 Run a tabletop planning exercise (IT).

    3.3.1 Update your ransomware response workflow.

    4.1.1 Run a tabletop planning exercise (leadership).

    4.1.2 Identify initiatives to close gaps and improve resilience.

    4.1.3 Review broader strategies to improve your overall security program.

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk.

    4.2.2 Review the dashboard to fine tune your roadmap.

    4.3.1 Summarize status and next steps in an executive presentation.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    5.3 Revisit ransomware resilience metrics in three months.

    Deliverables
    1. Workshop goals
    2. Ransomware Risk Scenario
    3. Ransomware Resilience Assessment
    1. Targeted ransomware countermeasures to improve protection and detection capabilities.
    1. Security Incident Response Plan Assessment
    2. Tabletop Planning Session (IT)
    3. Ransomware Workflow and Runbook
    1. Tabletop Planning Session (Leadership)
    2. Ransomware Resilience Roadmap and Metrics
    3. Ransomware Summary Presentation
    1. Completed Ransomware Resilience Roadmap
    2. Ransomware Resilience Assessment
    3. Ransomware Resilience Summary Presentation

    Phase 1

    Assess ransomware resilience

    Phase 1 Phase 2 Phase 3 Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Conducting a maturity assessment.
    • Reviewing selected systems and dependencies.
    • Assessing a ransomware risk scenario.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 1.1

    Build ransomware risk scenario

    Activities

    1.1.1 Review incidents, challenges and project drivers

    1.1.2 Diagram critical systems and dependencies

    1.1.3 Build ransomware risk scenario

    Assess ransomware resilience

    This step will guide you through the following activities:

    • Reviewing incidents, challenges, and drivers.
    • Diagraming critical systems and dependencies.
    • Building a ransomware risk scenario.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-Matter Experts

    Outcomes of this step

    • Establish a repeatable process to evaluate and improve ransomware readiness across your environment.
    • Build a ransomware risk scenario to assess the likelihood and impact of an attack.

    1.1.1 Review incidents, challenges, and project drivers

    1 hour

    Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.

    Past incidents and other drivers

    • Past incidents (be specific):
      • Past security incidents (ransomware and other)
      • Close calls (e.g. partial breach detected before damage done)
    • Audit findings
    • Events in the news
    • Other?

    Security challenges

    • Absent or weak policies
    • Lack of security awareness
    • Budget limitations
    • Other?

    Input

    • Understanding of existing security capability and past incidents.

    Output

    • Documentation of past incidents and challenges.
    • Level-setting across the team regarding challenges and drivers.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.2 Diagram critical systems and dependencies (1)

    1 hour

    Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.

    Focus on a few key critical systems.

    1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
      1. Key applications that support critical business operations.
      2. Databases that support multiple key applications.
      3. Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
    2. Select five to ten systems from the list.
      1. Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
      2. Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    1.1.2 Diagram critical systems and dependencies (2)

    1 hour

    1. A high-level topology or architectural diagram is an effective way to identify dependencies and communicate risks to stakeholders.

    Start with a WAN diagram, then your production data center, and then each critical
    system. Use the next three slides as your guide.

    Notes:

    • If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
    • Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
    • Collaborate with relevant SMEs to identify dependencies.

    Input

    • High-level understanding of critical business operations and data sets.

    Output

    • Clarify context, dependencies, and security and recovery challenges for some critical systems.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)
    • System SMEs (if not covered by SIRT members)

    For your WAN diagram, focus on data center and business locations

    Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

    This image contains a nexample of a High level Network Diagram.

    Diagram your production data center to provide context for the systems in scope

    Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

    This image contains a nexample of a high level diagram which focuses on the data centers relevent to the selected system.

    Diagram each selected system to identify specific dependencies and redundancies

    Diagram the "ecosystem" for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

    When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

    • Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
    • Security challenges (e.g. public-facing systems).
    • Recovery challenges (e.g. limited or infrequent backups).
    This is an example of a diagram of a system ecosystem.

    Note the limitations of your security, backup, and DR solutions

    Use the diagrams to assess limitations. Gaps you identify here will often apply to other aspects of your environment.

    1. Security limitations
    • Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?
  • Backup limitations
    • What steps are taken to ensure the integrity of your backups (e.g. through inline or post-backup scanning, or the use of immutable backups)? Are there multiple restore points to provide more granularity when determining how far back you need to go for a clean backup?
  • Disaster recovery limitations
    • Does your DR solution account for ransomware attacks or is it designed only for one-way failover (i.e. for a smoking hole scenario)?
  • We will review the gaps we identify through the project in phase 4.

    For now, make a note of these gaps and continue with the next step.

    Draft risk scenarios to illustrate ransomware risk

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Risk identification → Risk scenario → Risk statement

    Well-crafted risk scenarios have four components

    The slides walk through how to build a ransomware risk scenario

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.

    Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.

    1.1.3 Build ransomware risk scenario (1)

    2 hours

    In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.

    The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.

    As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.

    Consider the impact on:

    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty.

    Input

    • Understanding of critical systems and dependencies.

    Output

    • Ransomware risk scenario to engage guide stakeholders to make informed decisions about addressing risks.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    1.1.3 Build ransomware risk scenario (2)

    2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.
    2. Bring together the critical risk elements into a single risk scenario.
    3. Distill the risk scenario into a single risk statement that captures the threat, the asset it will exploit, the method it will use, and the impact it will have on the organization.
    4. You can find a sample risk scenario and risk statement on the next slide.

    THREAT Exploits an ASSET Using a METHOD Creating an EFFECT.

    Inputs for risk scenario identification

    Risk analysis

    Critical assets

    ERP, CRM, FMS, LMS

    Operational technology

    Sensitive or regulated data

    Threat agents

    Cybercriminals

    Methods

    Compromise end user devices through social engineering attacks,. Compromise networks through external exposures and software vulnerabilities.

    Identify and crack administrative account. Escalate privileges. Move laterally.

    Collect data, destroy backups, exfiltrate data for leverage, encrypt systems,.

    Threaten to publish exfiltrated data and demand ransom.

    Adverse effect

    Serious business disruption

    Financial damage

    Reputational damage

    Potential litigation

    Average downtime: 30 Days

    Average clean-up costs: USD 1.4M

    Sample ransomware risk scenario

    Likelihood: Medium
    Impact: High

    Risk scenario

    Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.

    They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.

    Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.

    Risk statement

    Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.

    Threat Actor:

    • Cybercriminals

    Assets:

    • Critical systems (ERP, FMS, CRM, LMS)
    • HRIS and payroll
    • Data warehouse
    • Office 365 ecosystem (email, Teams)

    Effect:

    • Loss of system availability
    • Lost of data confidentiality

    Methods:

    • Phishing
    • Credential compromise
    • Compromised remote desktop protocol
    • Privilege escalation
    • Lateral movement
    • Data collection
    • Data exfiltration
    • Data encryption

    Step 1.2

    Conduct resilience assessment

    Activities

    1.2.1 Complete resilience assessment

    1.2.2 Establish resilience metrics

    This step will guide you through the following activities :

    • Completing a ransomware resilience assessment
    • Establishing baseline metrics to measure ransomware resilience.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Subject-matter experts

    .Outcomes of this step

    • Current maturity, targets, and initial gap analysis

    Maturity levels in this blueprint draw on the CMMI framework

    The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.

    CMMI Maturity Level – Default Descriptions:

    CMMI Maturity Level – Modified for This Assessment:

    • Level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
    • Level 2 – Managed: Managed on the project level. Projects are planned, performed, measured, and controlled.
    • Level 3 – Defined: Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
    • Level 4 – Quantitatively managed: Measured and controlled. Organization is data-driven, with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
    • Level 5 – Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization's stability provides a platform for agility and innovation.
    • Level 1 – Initial/ad hoc: Not well defined and ad hoc in nature.
    • Level 2 – Developing: Established but inconsistent and incomplete.
    • Level 3 – Defined: Formally established, documented, and repeatable.
    • Level 4 – Managed and measurable: Managed using qualitative and quantitative data to ensure alignment with business requirements.
    • Level 5 – Optimizing: Qualitative and quantitative data is used to continually improve.

    (Source: CMMI Institute, CMMI Levels of Capability and Performance)

    Info-Tech's ransomware resilience framework

    Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

    Prioritize protection

    Put controls in place to harden your environment, train savvy end users, and prevent incursions.

    Support recovery

    Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

    Protect Detect Respond

    Recover

    Threat preparedness

    Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

    Awareness and training

    Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

    Perimeter security

    Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

    Respond and recover

    Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

    Access management

    Review the user access management program, policies and procedures to ensure they are ransomware-ready.

    Vulnerability management

    Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

    1.2.1 Complete the resilience assessment

    2-3 hours

    Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.

    Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.

    Download the Ransomware Resilience Assessment

    Outcomes:

    • Capture baseline resilience metrics to measure progress over time.
      • Low scores are common. Use them to make the case for security investment.
      • Clarify the breadth of security controls.
      • Security controls intersect with a number of key processes and technologies, each of which are critical to ransomware resilience.
    • Key gaps identified.
      • Allocate more time to subsections with lower scores.
      • Repeat the scorecard at least annually to clarify remaining areas to address.

    Input

    • Understanding of current security controls

    Output

    • Current maturity, targets, and gaps

    Materials

    • Ransomware Resilience Assessment Tool

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Ransomeware Resilience Assessment Table from Info-Tech's Ransomware Resilience Assessment Blueprint.

    1.2.2 Establish resilience metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Measure metrics at the start of the project to establish a baseline, as the project nears completion to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Phase 2

    Improve protection and detection capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will walk you through the following activities:

    • Assessing common ransomware attack vectors.
    • Identifying countermeasures to improve protection and detection capabilities.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Build Ransomware Resilience

    Step 2.1

    Assess attack vectors

    Activities

    2.1.1 Assess ransomware threat preparedness

    2.1.2 Determine the impact of ransomware techniques on your environment

    This step involves the following activities:

    • Assessing ransomware threat preparedness.
    • Configuring the threat preparedness tool.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Assess risks associated with common ransomware attack vectors.

    Improve protection and detection capabilities

    Use the MITRE attack framework to prepare

    This phase draws on MITRE to improve ransomware protection and detection capabilities

    • The activities in this phase provide guidance on how to use the MITRE attack framework to protect your organizations against common ransomware techniques and tactics, and detect incursions.
    • You will:
      • Review common ransomware tactics and techniques.
      • Assess their impact on your environment.
      • Identify relevant countermeasures.
    • The Enterprise Threat Preparedness Workbook included with the project blueprint will be set up to deal with common ransomware threats and tactics.

    Download the Enterprise Threat Preparedness Workbook

    Review ransomware tactics and techniques

    Ransomware attack workflow

    Deliver phishing email designed to avoid spam filter.

    Launch malware undetected.

    Identify user accounts.

    Target an admin account.

    Use brute force tactics to crack it.

    Move through the network. Collect data.

    Infect critical systems and backups to limit recovery options.

    Exfiltrate data to gain leverage.

    Encrypt data, which triggers alert.

    Deliver ransom note.

    Associated MITRE tactics and techniques

    • Initial access
    • Execution
    • Privilege escalation
    • Credential access
    • Lateral movement
    • Collection
    • Data Exfiltration
    • Data encryption

    Most common ransomware attack vectors

    • Phishing and social engineering
    • Exploitation of software vulnerabilities
    • Unsecured external exposures
      • e.g. remote desktop protocols
    • Malware infections
      • Email attachments
      • Web pages
      • Pop-ups
      • Removable media

    2.1.1 Assess ransomware threat preparedness

    Estimated Time: 1-4 hours

    1. Read through the instructions in the Enterprise Threat Preparedness Workbook.
    2. Select ransomware attack tactics to analyze. Use the workbook to understand:
      1. Risks associated with each attack vector.
      2. Existing controls that can help you protect the organization and detect an incursion.
    3. This initial analysis is meant to help you understand your risk before you apply additional controls.

    Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    2.1.2 Determine the impact of techniques

    Estimated Time: 1-4 hours

    1. The Enterprise Threat Preparedness Workbook included with the project blueprint is set up to deal with common ransomware use cases.

    If you would like to change the set-up, go through the following steps.

    • Review the enterprise matrix. Select the right level of granularity for your analysis. If you are new to threat preparedness exercises, the Technique Level is a good starting point.
    • As you move through each tactic, align each sheet to your chosen technique domain to ensure the granularity of your analysis is consistent.
    • Read the tactics sheet from left to right. Determine the impact of the technique on your environment. For each control, indicate current mitigation levels using the dropdown list.

    The following slides walk you through the process with screenshots from the workbook.

    Download the Enterprise Threat Preparedness Workbook

    Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Select the domain for the analysis

    • The Tactics Dashboard is a live feed of your overall preparedness for the potential attack vectors that your organization may face. These 14 tactics correspond to the Enterprise Matrix used by the MITRE ATT&CK® framework.
    • The technique domain on the right side of the sheet is split in two main groups:
    • The Technique Level
      • - High-level techniques that an attacker may use to gain entry to your network.
      • - The Technique Level is a great starting point if you are new to threat preparedness.
    • The Sub-Technique Level
      • - Individual sub-techniques found throughout the MITRE ATT&CK® Framework.
      • - More mature organizations will find the Sub-Technique Level generates a deeper and more precise understanding of their current preparedness.

    Info-Tech Insight

    Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

    This is the first screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    Keep an eye on the enterprise matrix

    As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.

    Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.

    The Technique level is faster but provides less specifics for each control and analyzes them as a group.

    The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.

    Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).

    This is the second screenshot from Info-Tech's Tactic Preparedness Assessment Dashboard.

    When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.

    Configure the tactics tabs

    • Each tactic has a corresponding tab at the bottom of the Excel workbook.
      Adjusting the Technique Domain level will change the number of controls shown.
    • Next, align the sheet to the domain you selected on Tab 2 before you continue. As shown in the example to the right,
      • Select "1" for Technique Level.
      • Select "2" for Sub-Technique Level.
    • This will collapse the controls to your chosen level of granularity.

    This is a screenshot showing how you can configure the tactics tab of the Ransomware Threat Preparedness Workbook

    Read tactic sheets from left to right

    This is a screenshot of the tactics tab of the Ransomware Threat Preparedness Workbook

    Technique:

    How an attacker will attempt to achieve their goals through a specific action.

    ID:

    The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.

    Impact of the Technique(s):

    If an attack of this type is successful on your network, how deep does the damage run?

    Current Mitigations:

    What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.

    Determine the impact of the technique

    • For each control, indicate the current mitigation level using the dropdown list.
    • Only use "N/A" if you are confident that the control is not required in your organization.

    Info-Tech Insight

    We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.

    This is the second screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Review technique preparedness

    • If you have chosen the Technique level, the tool should resemble this image:
      • High-level controls are analyzed, and sub-controls hidden.
      • The sub-techniques under the broader technique show how a successful attack from this vector would impact your network.
    • Each sub-technique has a note for additional context:
      • Under Impact, select the overall impact for the listed controls to represent how damaging you believe the controls to be.
      • Next select your current preparedness maturity in terms of preparedness for the same techniques. Ask yourself "What do I have that contributes to blocking this technique?"

    This is the third screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Info-Tech Insight

    You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.

    Review sub-technique preparedness

    If you have chosen the Sub-Technique level, the tool should resemble this image.

    • The granular controls are being analyzed. However, the grouped controls will still appear. It is important to not fill the grouped sections, to make sure the calculations run properly.
    • The average of your sub-techniques will be calculated to show your overall preparedness level.
    • Look at the sub-techniques under the broader technique and consider how a successful attack from this vector would impact your network.

    Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.

    • Because of the enhanced granularity, the final risk score is more representative of an enterprise's current mitigation capabilities.
    This is the fourth screenshot from Info-Tech's Reconnaissance Tactic Analysis

    Step 2.2

    Identify countermeasures

    Activities

    2.2.1 Identify countermeasures

    This step involves the following activities:

    • Identifying countermeasures

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Outcomes of this step

    Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.

    Improve Protection and Detection Capabilities

    Review technique countermeasures

    As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.

    For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.

    Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.

    This is an image of the Privilege Escalation Tactic Analysis Table

    This is an image of the Defense Evasion Tactic Analysis Table

    Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.

    2.2.1 Identify countermeasures

    Estimated Time: 1-4 hours

    1. Review the output of the Enterprise Threat Preparedness Workbook. Remediation efforts are on the right side of the sheet. These are categorized as either detection actions or mitigation actions.
      1. Detection actions:
      • What can you do before an attack occurs, and how can you block attacks? Detection actions may thwart an attack before it ever occurs.
    2. Mitigation actions:
      • If an attacker is successful through one of the attack methods, how do you lessen the impact of the technique? Mitigation actions address this function to slow and hinder the potential spread or damage of a successful attack.
  • Detection and mitigation measures are associated with each technique and sub-technique. Not all techniques will be able to be detected properly or mitigated. However, understanding their relationships can better prepare your defensive protocols.
  • Add relevant control actions to the initiative list in the Ransomware Resilience Assessment.
  • Input

    • Knowledge about existing infrastructure.
    • Security protocols.
    • Information about ransomware attack tactics, techniques, and mitigation protocols.
    • Outputs from the Threat Preparedness Workbook.

    Output

    • Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
    • Protective and detective measures to improve ransomware resilience.

    Materials

    • Enterprise Threat Preparedness Workbook
    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)
    • System subject-matter experts (SMEs)

    Phase 3

    Improve response and recovery capabilities

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Documenting your threat escalation protocol.
    • Identify response steps and gaps.
    • Update your response workflow and runbook.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 3.1

    Review security incident management plan

    Activities

    3.1.1 Review the workflow and runbook templates

    3.1.2 Update/define your threat escalation protocol

    This step will walk you through the following activities:

    • Reviewing the example Workflow and Runbook
    • Updating and defining your threat escalation protocol.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Clear escalation path for critical incidents.
    • Common understanding of incident severity that will drive escalation.

    Improve response and recovery capabilities

    3.1.1 Review the workflow and runbook templates

    30 minutes

    This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as a starting points for the steps in Phase 3, including documenting your threat escalation protocol.

    • The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
      The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.
    • The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
      The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

    Download the Ransomware Response Workflow Template

    Download the Ransomware Response Runbook Template

    Input

    • No Input Required

    Output

    • Visualize the end goal

    Materials

    • Example workflow and runbook in this blueprint

    Participants

    • Security Incident Response Team (SIRT)

    Two overlapping screenshots are depicted, including the table of contents from the Ransomware Response Runbook.

    3.1.2 Update/define your threat escalation protocol

    1-2 hours

    Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

    Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.

    Severity assessment: Define the severity levels based on impact and scope criteria.

    Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

    If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.

    Input

    • Current escalation process (formal or informal).

    Output

    • Define criteria for severity levels and relevant stakeholders.

    Materials

    • Ransomware Response Workflow Template

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of the Threat Escalation Protocol Criteria and Stakeholders.

    Step 3.2

    Run Tabletop Test (IT)

    Activities

    3.2.1 Define scenarios for a range of incidents

    3.2.2 Run a tabletop planning exercise

    This step will guide you through the following activities:

    • Defining scenarios for a range of incidents.
    • Running a tabletop planning exercise.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)
    • Other stakeholders (as relevant)

    Outcomes of this step

    • Current-state incident response workflow, including stakeholders, steps, timeline.
    • Process and technology gaps to be addressed.

    Improve response and recovery capabilities

    3.2.1 Define scenarios for a range of incidents

    30 minutes

    As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

    • Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
    • Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don't have a DRP, see Info-Tech's Create a Right-Sized Disaster Recovery Plan.)
    • Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
    • Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source or secondary attack, but this scenario would provide more focus on the containing an attack on end-user devices.

    Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.

    Input

    • No input required

    Output

    • Determine the scope of your tabletop planning exercises

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Optimize the time spent by participants by running a series of focused exercises

    Not all stakeholders need to be present at every tabletop planning exercise. First, run an exercise with IT that focuses on the technical response. Run a second tabletop for non-IT stakeholders that focuses on the non-IT response, such as crisis communications, working with external stakeholders (e.g. law enforcement, cyberinsurance).

    Sample schedule:

    • Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don't expand further on the details of their process. Similarly, don't invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise, where they will have more opportunity to be involved.
    • Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).
    • Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.
    • Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

    Info-Tech Insight

    Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

    3.2.2 Run a tabletop planning exercise

    1-2 hours

    Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

    1. Select your scenario and invite relevant participants (see the previous slides).
    2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk's steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that's okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
    3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there's a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don't need to wait for information to be captured and plan to save the detailed formatting and revising for later. )

    Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

    Download the Ransomware Tabletop Planning Results – Example

    Input

    • Baseline ransomware response workflow

    Output

    • Clarify your response workflow, capabilities, and gaps

    Materials

    • Whiteboard or sticky notes or index cards, or a shared screen

    Participants

    • Security Incident Response Team (SIRT)

    This is an example of a Ransomware Response Tabletop Planning Results Page.

    Step 3.3

    Document Workflow and Runbook

    Activities

    3.3.1 Update your ransomware response workflow

    3.3.2 Update your ransomware response runbook

    This step will guide you through the following activities:

    • Updating your ransomware response workflow.
    • Updating your ransomware response runbook.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An updated incident response workflow and runbook based on current capabilities.

    Improve response and recovery capabilities

    3.3.1 Update your ransomware response workflow

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

    • Update stakeholder swim-lanes: Clarify which stakeholders need a swim lane (e.g. where interactions between groups needs to be clarified). For example, consider an SIRT swim-lane that combines the relevant technical response roles, but have separate swim-lanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
    • Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swim-lanes.(Tip: Your workflow needs to account for a range of scenarios. It typically won't be as specific as the tabletop planning results, which focus on only one scenario.)
    • Clarify the overall the workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding "Go To" connectors to minimize lines crossing each other, adding color-coding to highlight key related steps (e.g. any communication steps), and/or resizing swim-lanes to reduce the overall size of the workflow to make it easier to read.
    • Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarify your response workflow

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot from the ransomeware response tabletop planning

    3.3.2 Update your ransomware response runbook

    1 hour

    Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

    • Align stakeholder sections with the workflow: Each stakeholder swim-lane in the workflow needs its own section in the runbook.
    • Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
    • Review and update your threat escalation protocol: It's best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
    • Repeat the above after each exercise. Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

    Input

    • Results from tabletop planning exercises (Activity 3.2.2)

    Output

    • Clarified response runbook

    Materials

    • Ransomware Response Workflow

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of the Ransomware Response Runbook

    Phase 4

    Improve ransomware resilience

    Phase 1Phase 2Phase 3Phase 4

    1.1 Build ransomware risk scenario

    1.2 Conduct resilience assessment

    2.1 Assess attack vectors

    2.2 Identify countermeasures

    3.1 Review Security Incident Management Plan

    3.2 Run Tabletop Test (IT)

    3.3 Document Workflow and Runbook

    4.1 Run Tabletop Test (Leadership)

    4.2 Prioritize resilience initiatives

    4.3 Measure resilience metrics

    This phase will guide you through the following steps:

    • Identifying initiatives to improve ransomware resilience.
    • Prioritizing initiatives in a project roadmap.
    • Communicating status and recommendations.

    This phase involves the following participants:

    • Security Incident Response Team (SIRT)

    Build Ransomware Resilience

    Step 4.1

    Run Tabletop Test (leadership)

    Activities

    • 4.1.1 Identify initiatives to close gaps and improve resilience
    • 4.1.2 Review broader strategies to improve your overall security program

    This step will walk you through the following activities:

    • Identifying initiatives to close gaps and improve resilience.
    • Reviewing broader strategies to improve your overall security program.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Specific potential initiatives based on a review of the gaps.
    • Broader potential initiatives to improve your overall security program.

    Improve ransomware resilience

    4.1.1 Identify initiatives to close gaps and improve resilience

    1 hour

    1. Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.
    2. Set up a blank spreadsheet with two columns and label them "Gaps" and "Initiatives." (It will be easier to copy the gaps and initiatives from this spreadsheet to you project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
    3. Review your tabletop planning results:
      1. Summarize the gaps in the "Gaps" column in your spreadsheet created for this activity.
      2. For each gap, write down potential initiatives to address the gap.
      3. Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don't need to identify a distinct initiative for every gap.
    4. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

    Input

    • Tabletop planning results
    • Maturity assessment

    Output

    • Identify initiatives to improve ransomware readiness

    Materials

    • Blank spreadsheet

    Participants

    • Security Incident Response Team (SIRT)

    4.1.2 Review broader strategies to improve your overall security program

    1 hour

    1. Review the following considerations as outlined on the next few slides:
      • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day to day incident management.
      • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected? If those options aren't very good, your backup strategy needs a refresh.
      • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
    2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

    Input

    • An understanding of your existing security practices and backup strategy.

    Output

    • Broader initiatives to improve ransomware readiness.

    Materials

    • Whiteboard or flip chart (or a shared screen if staff are remote)

    Participants

    • Security Incident Response Team (SIRT)

    Implement core elements of an effective security program

    There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

    Leverage the following blueprints to implement the foundational elements of an effective security program:

    • Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
    • Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
    • Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

    Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

    • The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
    • Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
    • AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it's too late. For example, a "user" accessing a server they've never accessed before.
    • Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.

    Update your backup strategy to account for ransomware attacks

    Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn't good enough.

    In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

    • Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
    • Having offsite backups and using different storage media. Reduce the risk of infected backups by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
    • Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
    • Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

    This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

    This is an example of a backup strategy to account for ransomware attacks.

    Refer to Info-Tech's Establish an Effective Data Protection Plan blueprint for additional guidance.

    Explore zero-trust initiatives

    Zero trust is a set of principles, not a set of controls.

    Reduces reliance on perimeter security.

    Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.

    Zero trust must benefit the business first.

    IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.

    For more information, see Build a Zero-Trust Roadmap.

    Info-Tech Insight

    A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.

    Step 4.2

    Prioritize resilience initiatives

    Activities

    • 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk
    • 4.2.2 Review the dashboard to fine tune your roadmap

    This step will guide you through the following activities:

    • Prioritizing initiatives based on factors such as effort, cost, and risk.
    • Reviewing the dashboard to fine-tune your roadmap.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • An executive-friendly project roadmap dashboard summarizing your initiatives.
    • A visual representation of the priority, effort, and timeline required for suggested initiatives.

    Review the Ransomware Resilience Assessment

    Tabs 2 and 3 list initiatives relevant to your ransomware readiness improvement efforts.

    • At this point in the project, the Ransomware Resilience Assessment should contain a number of initiatives to improve ransomware resilience.
    • Tab 2 is prepopulated with examples of gap closure actions to consider, which are categorized into initiatives listed on Tab 3.
    • Follow the instructions in the Ransomware Resilience Assessment to:
      • Categorize gap control actions into initiatives.
      • Prioritize initiatives based on cost, effort, and benefit.
      • Construct a roadmap for consideration.

    Download the Ransomware Resilience Assessment

    4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

    1 hour

    Prioritize initiatives in the Ransomware Resilience Assessment.

    1. The initiatives listed on Tab 3 Initiative List will be copied automatically on Tab 5 Prioritization.
    2. On Tab 1 Setup:
      1. Review the weight you want to assign to the cost and effort criteria.
      2. Update the default values for FTE and Roadmap Start as needed.
    3. Go back to Tab 5 Prioritization:
      1. Fill in the cost, effort, and benefit evaluation criteria for each initiative. Hide optional columns you don't plan to use, to avoid confusion.
      2. Use the cost and benefit scores to prioritize waves and schedule initiatives on Tab 6 Gantt Chart.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    4.2.2 Review the dashboard to fine-tune the roadmap

    1 hour

    Review and update the roadmap dashboard in your Ransomware Resilience Assessment.

    1. Review the Gantt chart to ensure:
      1. The timeline is realistic. Avoid scheduling many high-effort projects at the same time.
      2. Higher-priority items are scheduled sooner than low-priority items.
      3. Short-term projects include quick wins (e.g. high-priority, low-effort items).
      4. It supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
    2. Update the values on the 5 Prioritization and 6 Gantt Chart tabs based on your review.

    Input

    • Gaps and initiatives identified in Step 4.1

    Output

    • Project roadmap dashboard

    Materials

    • Ransomware Resilience Assessment

    Participants

    • Security Incident Response Team (SIRT)

    This is an image of a sample roadmap for the years 2022-2023

    Step 4.3

    Measure resilience metrics

    Activities

    4.3.1 Summarize status and next steps in an executive presentation

    This step will guide you through the following activities:

    • Summarizing status and next steps in an executive presentation.

    This step involves the following participants:

    • Security Incident Response Team (SIRT)

    Outcomes of this step

    • Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization's ransomware readiness.

    Improve ransomware resilience

    4.3.1 Summarize status and next steps in an executive presentation

    1 hour

    Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

    • Phase 1: Maturity assessment results, indicating your organization's overall readiness as well as specific areas that need to improve.
    • Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
    • Phase 3: Current incident response capabilities including steps, timeline, and gaps.
    • Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.

    Overall key findings and next steps.

    Download the Ransomware Readiness Summary Presentation Template

    Input

    • Results of all activities in Phases 1-4

    Output

    • Executive presentation

    Materials

    • Ransomware Readiness Summary Presentation Template

    Participants

    • Security Incident Response Team (SIRT)

    This is a screenshot of level 2 of the ransomware readiness maturity tool.

    Revisit metrics

    Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

    Revisit metrics as the project nears completion and compare them against your baseline to measure progress.

    Attack workflow Process Metric Target trend Current Goal
    GET IN Vulnerability Management % Critical patches applied Higher is better
    Vulnerability Management # of external exposures Fewer is better
    Security Awareness Training % of users tested for phishing Higher is better
    SPREAD Identity and Access Management Adm accounts / 1000 users Lower is better
    Identity and Access Management % of users enrolled for MFA Higher is better
    Security Incident Management Avg time to detect Lower is better
    PROFIT Security Incident Management Avg time to resolve Lower is better
    Backup and Disaster Recovery % critical assets with recovery test Higher is better
    Backup and Disaster Recovery % backup to immutable storage Higher is better

    Summary of accomplishments

    Project overview

    Project deliverables

    This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices.

    • Ransomware Resilience Assessment: Measure your current readiness, then identify people, policy, and technology gaps to address.
    • Ransomware Response Workflow: An at-a-glance summary of the key incident response steps across all relevant stakeholders through each phase of incident management.
    • Ransomware Response Runbook: Includes your threat escalation protocol and detailed response steps to be executed by each stakeholder.
    • Ransomware Tabletop Planning : This deep dive into a ransomware scenario will help you develop a more accurate incident management workflow and runbook, as well as identify gaps to address.
    • Ransomware Project Roadmap: This prioritized list of initiatives will address specific gaps and improve overall ransomware readiness.
    • Ransomware Readiness Summary Presentation: Your executive presentation will communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

    Project phases

    Phase 1: Assess ransomware resilience

    Phase 2: Protect and detect

    Phase 3: Respond and recover

    Phase 4: Improve ransomware resilience

    Related Info-Tech Research

    Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.

    Related security blueprints:

    Related disaster recovery blueprints:

    Research Contributors and Experts

    This is an image of Jimmy Tom

    Jimmy Tom
    AVP of Information Technology and Infrastructure
    Financial Horizons

    This is an image of Dan Reisig

    Dan Reisig
    Vice President of Technology
    UV&S

    This is an image of Samuel Sutto

    Samuel Sutton
    Computer Scientist (Retired)
    FBI

    This is an image of Ali Dehghantanha

    Ali Dehghantanha
    Canada Research Chair in Cybersecurity and Threat Intelligence,
    University of Guelph

    This is an image of Gary Rietz

    Gary Rietz
    CIO
    Blommer Chocolate Company

    This is an image of Mark Roman

    Mark Roman
    CIO
    Simon Fraser University

    This is an image of Derrick Whalen

    Derrick Whalen
    Director, IT Services
    Halifax Port Authority

    This is an image of Stuart Gaslonde

    Stuart Gaslonde
    Director of IT & Digital Services
    Falmouth-Exeter Plus

    This is an image of Deborah Curtis

    Deborah Curtis
    CISO
    Placer County

    This is an image of Deuce Sapp

    Deuce Sapp
    VP of IT
    ISCO Industries

    This is an image of Trevor Ward

    Trevor Ward
    Information Security Assurance Manager
    Falmouth-Exeter Plus

    This is an image of Brian Murphy

    Brian Murphy
    IT Manager
    Placer County

    This is an image of Arturo Montalvo

    Arturo Montalvo
    CISO
    Texas General Land Office and Veterans Land Board

    No Image Available

    Mduduzi Dlamini
    IT Systems Manager
    Eswatini Railway

    No Image Available

    Mike Hare
    System Administrator
    18th Circuit Florida Courts

    No Image Available

    Linda Barratt
    Director of Enterprise architecture, IT Security, and Data Analytics, Toronto Community Housing Corporation

    This is an image of Josh Lazar

    Josh Lazar
    CIO
    18th Circuit Florida Courts

    This is an image of Douglas Williamson

    Douglas Williamson
    Director of IT
    Jamaica Civil Aviation Authority

    This is an image of Ira Goldstein

    Ira Goldstein
    Chief Operating Officer
    Herjavec Group

    This is an image of Celine Gravelines

    Celine Gravelines
    Senior Cybersecurity Analyst
    Encryptics

    This is an image of Dan Mathieson

    Dan Mathieson
    Mayor
    City of Stratford

    This is an image of Jacopo Fumagalli

    Jacopo Fumagalli
    CISO
    Omya

    This is an image of Matthew Parker

    Matthew Parker
    Program Manager
    Utah Transit Authority

    Two Additional Anonymous Contributors

    Bibliography

    2019-Data-Breach-Investigations-Report.-Verizon,-May-2019.
    2019-Midyear-Security-Roundup:-Evasive-Threats,-Persistent-Effects.-Trend-Micro,-2019.
    Abrams,-Lawrence.-"Ryuk-Ransomware-Uses-Wake-on-Lan-to-Encrypt-Offline-Devices."-Bleeping-Computer,-14-Jan.-2020.
    Abrams,-Lawrence.-"Sodinokibi-Ransomware-Publishes-Stolen-Data-for-the-First-Time."-Bleeping-Computer,-11-Jan.-2020.
    Canadian-Center-for-Cyber-Security,-"Ransomware-Playbook,"-30-November-2021.-Accessed-21-May-2022.-
    Carnegie-Endowment-for-International-Peace.-"Ransomware:-Prevention-and-Protection."-Accessed-May-2022.-
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-26-Data-Integrity:-Detecting-and-Responding-to-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.
    Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-25-Data-Integrity:-Identifying-and-Protecting-Assets-Against-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.-
    Cichonski,-P.,-T.-Millar,-T.-Grance,-and-K.-Scarfone.-"Computer-Security-Incident-Handling-Guide."-SP-800-61-Rev.-2.-NIST,-Aug.-2012.
    Cimpanu,-Catalin.-"Company-shuts-down-because-of-ransomware,-leaves-300-without-jobs-just-before-holidays."-ZDNet,-3-Jan.-2020.
    Cimpanu,-Catalin.-"Ransomware-attack-hits-major-US-data-center-provider."-ZDNet,-5-Dec.-2019.
    CISA,-"Stop-Ransomware,"-Accessed-12-May-2022.
    "CMMI-Levels-of-Capability-and-Performance."-CMMI-Institute.-Accessed-May-2022.-
    Connolly,-Lena-Yuryna,-"An-empirical-study-of-ransomware-attacks-on-organizations:-an-assessment-of-severity-and-salient-factors-affecting-vulnerability."-Journal-of-Cybersecurity,-2020,.-1-18.
    "Definitions:-Backup-vs.-Disaster-Recovery-vs.-High-Availability."-CVM-IT-&-Cloud-Services,-12-Jan.-2017.
    "Don't-Become-a-Ransomware-Target-–-Secure-Your-RDP-Access-Responsibly."-Coveware,-2019.-
    Elementus,-"Rise-of-the-Ransomware-Cartels-"(2022).-YouTube.-Accessed-May-2022.-
    Global-Security-Attitude-Survey.-CrowdStrike,-2019.
    Graham,-Andrew.-"September-Cyberattack-cost-Woodstock-nearly-$670,00:-report."-
    Global-News,-10-Dec.-2019.
    Harris,-K.-"California-2016-Data-Breach-Report."-California-Department-of-Justice,-Feb.-2016.
    Hiscox-Cyber-Readiness-Report-2019.-Hiscox-UK,-2019.
    Cost-of-A-Data-Breach-(2022).-IBM.-Accessed-June-2022.--
    Ikeda,-Scott.-"LifeLabs-Data-Breach,-the-Largest-Ever-in-Canada,-May-Cost-the-Company-Over-$1-Billion-in-Class-Action-Lawsuit."-CPO-Magazine,-2020.
    Kessem,-Limor-and-Mitch-Mayne.-"Definitive-Guide-to-Ransomware."-IBM,-May-2022.
    Krebs,-Brian.-"Ransomware-Gangs-Now-Outing-Victim-Businesses-That-Don't-Pay-Up."-Krebson-Security,-16-Dec.-2019.
    Jaquith,-Andrew-and-Barnaby-Clarke,-"Security-metrics-to-help-protect-against-ransomware."-Panaseer,-July-29,-2021,-Accessed-3-June-2022.
    "LifeLabs-pays-ransom-after-cyberattack-exposes-information-of-15-million-customers-in-B.C.-and-Ontario."-CBC-News,-17-Dec.-2019.
    Matthews,-Lee.-"Louisiana-Suffers-Another-Major-Ransomware-Attack."-Forbes,-20-Nov.-2019.
    NISTIR-8374,-"Ransomware-Risk-Management:-A-Cybersecurity-Framework-Profile."-NIST-Computer-Security-Resource-Center.-February-2022.-Accessed-May-2022.-
    "Ransomware-attack-hits-school-district-twice-in-4-months."-Associated-Press,-10-Sept.-2019.
    "Ransomware-Costs-Double-in-Q4-as-Ryuk,-Sodinokibi-Proliferate."-Coveware,-2019.
    Ransomware-Payments-Rise-as-Public-Sector-is-Targeted,-New-Variants-Enter-the-Market."-Coveware,-2019.
    Rector,-Kevin.-"Baltimore-to-purchase-$20M-in-cyber-insurance-as-it-pays-off-contractors-who-helped-city-recover-from-ransomware."-The-Baltimore-Sun,-16-Oct.-2019.
    "Report:-Average-time-to-detect-and-contain-a-breach-is-287-days."-VentureBeat,-May-25,-2022.-Accessed-June-2022.-
    "Five-Lessons-Learned-from-over-600-Ransomware-Attacks."-Riskrecon.-Mar-2022.-Accessed-May-2022.-
    Rosenberg,-Matthew,-Nicole-Perlroth,-and-David-E.-Sanger.-"-'Chaos-is-the-Point':-Russian-Hackers-and-Trolls-Grow-Stealthier-in-2020."-The-New-York-Times,-10-Jan.-2020.
    Rouse,-Margaret.-"Data-Archiving."-TechTarget,-2018.
    Siegel,-Rachel.-"Florida-city-will-pay-hackers-$600,000-to-get-its-computer-systems-back."-The-Washington-Post,-20-June-2019.
    Sheridan,-Kelly.-"Global-Dwell-Time-Drops-as-Ransomware-Attacks-Accelerate."-DarkReading,-13-April-2021.-Accessed-May-2022.-
    Smith,-Elliot.-"British-Banks-hit-by-hacking-of-foreign-exchange-firm-Travelex."-CNBC,-9-Jan.-2020.
    "The-State-of-Ransomware-2022."-Sophos.-Feb-2022.-Accessed-May-2022.-
    "The-State-of-Ransomware-in-the-U.S.:-2019-Report-for-Q1-to-Q3."-Emsisoft-Malware-Lab,-1-Oct.2019.
    "The-State-of-Ransomware-in-the-U.S.:-Report-and-Statistics-2019."-Emsisoft-Lab,-12-Dec.-2019.
    "The-State-of-Ransomware-in-2020."-Black-Fog,-Dec.-2020.
    Toulas,-Bill.-"Ten-notorious-ransomware-strains-put-to-the-encryption-speed-test."-Bleeping-Computers,-23-Mar-2022.-Accessed-May-2022.
    Tung,-Liam-"This-is-how-long-hackers-will-hide-in-your-network-before-deploying-ransomware-or-being-spotted."-zdnet.-May-19,-2021.-Accessed-June-2022.-

    Optimize Lead Generation With Lead Scoring

    • Buy Link or Shortcode: {j2store}557|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Prospective buyer traffic into digital marketing platforms has exploded.
    • Many freemium/low-cost digital marketing platforms lack lead scoring and nurturing functionality.
    • As a result, the volume of unqualified leads being delivered to outbound sellers has increased dramatically.
    • This has reduced sales productivity, frustrated prospective buyers, and raised the costs of lead generation.

    Our Advice

    Critical Insight

    • Lead scoring is a must-have capability for high-tech marketers.
    • Without lead scoring, marketers will see increased costs of lead generation and decreased SQL-to-opportunity conversion rates.
    • Lead scoring increases sales productivity and shortens sales cycles.

    Impact and Result

    • Align Marketing, Sales, and Inside Sales on your ideal customer profile.
    • Re-evaluate the assets and activities that compose your current lead generation engine.
    • Develop a documented methodology to ignore, nurture, or contact right away the leads in your marketing pipeline.
    • Deliver more qualified leads to sellers, raising sales productivity and marketing/lead-gen ROI.

    Optimize Lead Generation With Lead Scoring Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize lead generation with lead scoring, review SoftwareReviews Advisory’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive aligned vision for lead scoring

    Outline your plan, form your team, and plan marketing tech stack support.

    • Optimize Lead Generation With Lead Scoring – Phase 1: Drive an Aligned Vision for Lead Scoring

    2. Build and test your lead scoring model

    Set lead flow thresholds, define your ideal customer profile and lead generation engine components, and weight, score, test, and refine them.

    • Optimize Lead Generation With Lead Scoring – Phase 2: Build and Test Your Lead Scoring Model
    • Lead Scoring Workbook

    3. Apply your model to marketing apps and go live with better qualified leads

    Apply your lead scoring model to your lead management app, test it, validate the results with sellers, apply advanced methods, and refine.

    • Optimize Lead Generation With Lead Scoring – Phase 3: Apply Your Model to Marketing Apps and Go Live With Better Qualified Leads
    [infographic]

    Workshop: Optimize Lead Generation With Lead Scoring

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Drive Aligned Vision for Lead Scoring

    The Purpose

    Drive an aligned vision for lead scoring.

    Key Benefits Achieved

    Attain an aligned vision for lead scoring.

    Identify the steering committee and project team and clarify their roles and responsibilities.

    Provide your team with an understanding of how leads score through the marketing funnel.

    Activities

    1.1 Outline a vision for lead scoring.

    1.2 Identify steering committee and project team members.

    1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.

    1.4 Align on marketing pipeline terminology.

    Outputs

    Steering committee and project team make-up

    Direction on tech stack to support lead generation

    Marketing pipeline definitions alignment

    2 Buyer Journey and Lead Generation Engine Mapping

    The Purpose

    Define the buyer journey and map the lead generation engine.

    Key Benefits Achieved

    Align the vision for your target buyer and their buying journey.

    Identify the assets and activities that need to compose your lead generation engine.

    Activities

    2.1 Establish a buyer persona.

    2.2 Map your buyer journey.

    2.3 Document the activities and assets of your lead generation engine.

    Outputs

    Buyer persona

    Buyer journey map

    Lead gen engine assets and activities documented

    3 Build and Test Your Lead Scoring Model

    The Purpose

    Build and test your lead scoring model.

    Key Benefits Achieved

    Gain team alignment on how leads score and, most importantly, what constitutes a sales-accepted lead.

    Develop a scoring model from which future iterations can be tested.

    Activities

    3.1 Understand the Lead Scoring Grid and set your thresholds.

    3.2 Identify your ideal customer profile, attributes, and subattribute weightings – run tests.

    Outputs

    Lead scoring thresholds

    Ideal customer profile, weightings, and tested scores

    Test profile scoring

    4 Align on Engagement Attributes

    The Purpose

    Align on engagement attributes.

    Key Benefits Achieved

    Develop a scoring model from which future iterations can be tested.

    Activities

    4.1 Weight the attributes of your lead generation engagement model and run tests.

    4.2 Apply weightings to activities and assets.

    4.3 Test engagement and profile scenarios together and make any adjustments to weightings or thresholds.

    Outputs

    Engagement attributes and weightings tested and complete

    Final lead scoring model

    5 Apply Model to Your Tech Platform

    The Purpose

    Apply the model to your tech platform.

    Key Benefits Achieved

    Deliver better qualified leads to Sales.

    Activities

    5.1 Apply model to your marketing management/campaign management software and test the quality of sales-accepted leads in the hands of sellers.

    5.2 Measure overall lead flow and conversion rates through your marketing pipeline.

    5.3 Apply lead nurturing and other advanced methods.

    Outputs

    Model applied to software

    Better qualified leads in the hands of sellers

    Further reading

    Optimize Lead Generation With Lead Scoring

    In today’s competitive environment, optimizing Sales’ resources by giving them qualified leads is key to B2B marketing success.

    EXECUTIVE BRIEF

    Analyst Perspective

    Improve B2B seller win rates with a lead scoring methodology as part of your modern lead generation engine.

    The image contains a picture of Jeff Golterman.

    As B2B organizations emerge from the lowered demands brought on by COVID-19, they are eager to convert marketing contacts to sales-qualified leads with even the slightest signal of intent, but many sales cycles are wasted when sellers receive unqualified leads. Delivering highly qualified leads to sellers is still more art than science, and it is especially challenging without a way to score a contact profile and engagement. While most marketers capture some profile data from contacts, many will pass a contact over to Sales without any engagement data or schedule a demo with a contact without any qualifying profile data. Passing unqualified leads to Sales suboptimizes Sales’ resources, raises the costs per lead, and often results in lost opportunities. Marketers need to develop a lead scoring methodology that delivers better qualified leads to Field Sales scored against both the ideal customer profile (ICP) and engagement that signals lower-funnel buyer interest. To be successful in building a compelling lead scoring solution, marketers must work closely with key stakeholders to align the ICP asset/activity with the buyer journey. Additionally, working early in the design process with IT/Marketing Operations to implement lead management and analytical tools in support will drive results to maximize lead conversion rates and sales wins.

    Jeff Golterman

    Managing Director

    SoftwareReviews Advisory

    Executive Summary

    Your Challenge

    The affordability and ease of implementation of digital marketing tools have driven global adoption to record levels. While many marketers are fine-tuning the lead generation engine components of email, social media, and web-based advertising to increase lead volumes, just 32% of companies pass well-qualified leads over to outbound marketers or sales development reps (SDRs). At best, lead gen costs stay high, and marketing-influenced win rates remain suboptimized. At worst, marketing reputation suffers when poorly qualified leads are passed along to sellers.

    Common Obstacles

    Most marketers lack a methodology for lead scoring, and some lack alignment among Marketing, Product, and Sales on what defines a qualified lead. In their rush to drive lead generation, marketers often fail to “define and align” on the ICP with stakeholders, creating confusion and wasted time and resources. In the rush to adopt B2B marketing and sales automation tools, many marketers have also skipped the important steps to 1) define the buyer journey and map content types to support, and 2) invest in a consistent content creation and sourcing strategy. The wrong content can leave prospects unmotivated to engage further and cause them to seek alternatives.

    Info-Tech’s Approach

    To employ lead scoring effectively, marketers need to align Sales, Marketing, and Product teams on the definition of the ICP and what constitutes a Sales-accepted lead. The buyer journey needs to be mapped in order to identify the engagement that will move a lead through the marketing lead generation engine. Then the project team can score prospect engagement and the prospect profile attributes against the ICP to arrive at a lead score. The marketing tech stack needs to be validated to support lead scoring, and finally Sales needs to sign off on results.

    SoftwareReviews Advisory Insight:

    Lead scoring is a must-have capability for high-tech marketers. Without lead scoring, marketers will see increased costs of lead gen, decreased SQL to opportunity conversion rates, decreased sales productivity, and longer sales cycles.

    Who benefits from a lead scoring project?

    This Research Is Designed for:

    • Marketers and especially campaign managers who are:
      • Looking for a more precise way to score leads and deploy outbound marketing resources to optimize contacts-to-MQL conversion rates.
      • Looking for a more effective way to profile contacts raised by your lead gen engine.
      • Looking to use their lead management software to optimize lead scoring.
      • Starting anew to strengthen their lead generation engine and want examples of a typical engine, ways to identify buyer journey, and perform lead nurturing.

    This Research Will Help You:

    • Explain why having a lead scoring methodology is important.
    • Identify a methodology that will call for identifying an ICP against which to score prospect profiles behind each contact that engages your lead generation engine.
    • Create a process of applying weightings to score activities during contact engagement with your lead generation engine. Apply both scores to arrive at a contact/lead score.
    • Compare your current lead gen engine to a best-in-class example in order to identify gaps and areas for improvement and exploration.

    This Research Will Also Assist:

    • CMOs, Marketing Operations leaders, heads of Product Marketing, and regional Marketing leads who are stakeholders in:
      • Finding alternatives to current lead scoring approaches.
        • Altering current or evaluating new marketing technologies to support a refreshed lead scoring approaches.

    This Research Will Help Them:

    • Align stakeholders on an overall program of identifying target customers, building common understanding of what constitutes a qualified lead, and determining when to use higher-cost outbound marketing resources.
    • Deploy high-value applications that will improve core marketing metrics.

    Insight summary

    Continuous adjustment and improvement of your lead scoring methodology is critical for long-term lead generation engine success.

    • Building a highly functioning lead generation engine is an ongoing process and one that requires continual testing of new asset types, asset design, and copy variations. Buyer profiles change over time as you launch new products and target new markets.
    • Pass better qualified leads to Field Sales and improve sales win rates by taking these crucial steps to implement a better lead generation engine and a lead scoring methodology:
      • Make the case for lead scoring in your organization.
      • Establish trigger points that separate leads to ignore, nurture, qualify, or outreach/contact.
      • Identify your buyer journey and ICP through collaboration among Sales, Marketing, and Product.
      • Assess each asset and activity type across your lead generation engine and apply a weighting for each.
      • Test lead scenarios within our supplied toolkit and with stakeholders. Adjust weightings and triggers that deliver lead scores that make sense.
      • Work with IT/Marketing Operations to emulate your lead scoring methodology within your marketing automation/campaign management application.
      • Explore advanced methods including nurturing.
    • Use the Lead Scoring Workbook collaboratively with other stakeholders to design your own methodology, test lead scenarios, and build alignment across the team.

    Leading marketers who successfully implement a lead scoring methodology develop it collaboratively with stakeholders across Marketing, Sales, and Product Management. Leaders will engage Marketing Operations, Sales Operations, and IT early to gain support for the evaluation and implementation of a supporting campaign management application and for analytics to track lead progress throughout the Marketing and Sales funnels. Leverage the Marketing Lead Scoring Toolkit to build out your version of the model and to test various scenarios. Use the slides contained within this storyboard and the accompanying toolkit as a means to align key stakeholders on the ICP and to weight assets and activities across your marketing lead generation engine.

    What is lead scoring?

    Lead scoring weighs the value of a prospect’s profile against the ICP and renders a profile score. The process then weighs the value of the prospects activities against the ideal call to action (CTA) and renders an activity score. Combining the profile and activity scores delivers an overall score for the value of the lead to drive the next step along the overall buyer journey.

    EXAMPLE: SALES MANAGEMENT SOFTWARE

    • For a company that markets sales management software the ideal buyer is the head of Sales Operations. While the ICP is made up of many attributes, we’ll just score one – the buyer’s role.
    • If the prospect/lead that we wish to score has an executive title, the lead’s profile scores “High.” Other roles will score lower based on your ICP. Alongside role, you will also score other profile attributes (e.g. company size, location).
    • With engagement, if the prospect/lead clicked on our ideal CTA, which is “request a proposal,” our engagement would score high. Other CTAs would score lower.
    The image contains a screenshot of two examples of lead scoring. One example demonstrates. Profile Scoring with Lead Profile, and the second image demonstrates Activity Scoring and Lead Engagement.

    SoftwareReviews Advisory Insight:

    A significant obstacle to quality lead production is disagreement on or lack of a documented definition of the ideal customer profile. Marketers successful in lead scoring will align key stakeholders on a documented definition of the ICP as a first step in improving lead scoring.

    Use of lead scoring is in the minority among marketers

    The majority of businesses are not practicing lead scoring!

    Up to 66% of businesses don’t practice any type of lead scoring.

    Source: LeadSquared, 2014

    “ With lead scoring, you don’t waste loads of time on unworthy prospects, and you don’t ignore people on the edge of buying.”

    Source: BigCommerce

    “The benefits of lead scoring number in the dozens. Having a deeper understanding of which leads meet the qualifications of your highest converters and then systematically communicating with them accordingly increases both ongoing engagement and saves your internal team time chasing down inopportune leads.”

    – Joey Strawn, Integrated Marketing Director, in IndustrialMarketer.com

    Key benefit: sales resource optimization

    Many marketing organizations send Sales too many unqualified leads

    • Leads – or, more accurately, contacts – are not all qualified. Some are actually nothing more than time-wasters for sellers.
    • Leading marketers peel apart a contact into at least two dimensions – “who” and “how interested.”
      • The “who” is compared to the ICP and given a score.
      • The “how interested” measures contact activity – or engagement – within our lead gen engine and gives it a score.
    • Scores are combined; a contact with a low score is ignored, medium is nurtured, and high is sent to sellers.
    • A robust ICP, together with engagement scoring and when housed within your lead management software, prioritizes for marketers which contacts to nurture and gets hot leads to sellers more quickly.

    Optimizing Sales Resources Using Lead Scoring

    The image contains a screenshot of a graph to demonstrate optimizing sales resources with lead scoring.

    Lead scoring drives greater sales effectiveness

    When contacts are scored as “qualified leads” and sent to sellers, sales win rates and ROI climb

    • Contacts can be scored properly once marketers align with Sales on the ICP and work closely with colleagues in areas like product marketing and field marketing to assign weightings to lead gen activities.
    • When more qualified leads get into the hands of the salesforce, their win rates improve.
    • As win rates improve, and sellers are producing more wins from the same volume of leads, sales productivity improves and ROI on the marketing investment increases.

    “On average, organizations that currently use lead scoring experience a 77% lift in lead generation ROI, over organizations that do not currently use lead scoring.”

    – MarketingSherpa, 2012

    Average Lead Generation ROI by Use of Lead Scoring

    The image contains a screenshot of a graph to demonstrate the average lead generation ROI by using of lead scoring. 138% are currenting using lead scoring, and 78% are not using lead scoring.
    Source: 2011 B2B Marketing Benchmark Survey, MarketingSherpa
    Methodology: Fielded June 2011, N=326 CMOs

    SoftwareReviews’ Lead Scoring Approach

    1. Drive Aligned Vision for Lead Scoring

    2. Build and Test Your Lead Scoring Model

    3. Apply to Your Tech Platform and Validate, Nurture, and Grow

    Phase
    Steps

    1. Outline a vision for lead scoring and identify stakeholders.
    2. Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.
    3. Align on marketing pipeline terminology, buyer persona and journey, and lead gen engine components.
    1. Understand the Lead Scoring Grid and establish thresholds.
    2. Collaborate with stakeholders on your ICP, apply weightings to profile attributes and values, and test your model.
    3. Identify the key activities and assets of your lead gen engine, weight attributes, and run tests.
    1. Apply model to your marketing management software.
    2. Test quality of sales-accepted leads by sellers and measure conversion rates through your marketing pipeline.
    3. Apply advanced methods such as lead nurturing.

    Phase Outcomes

    1. Steering committee and stakeholder selection
    2. Stakeholder alignment
    3. Team alignment on terminology
    4. Buyer journey map
    5. Lead gen engine components and asset types documented
    1. Initial lead-stage threshold scores
    2. Ideal customer profile, weightings, and tested scores
    3. Documented activities/assets across your lead generation engine
    4. Test results to drive adjusted weightings for profile attributes and engagement
    5. Final model to apply to marketing application
    1. Better qualified leads in the hands of sellers
    2. Advanced methods to nurture leads

    Key Deliverable: Lead Scoring Workbook

    The workbook walks you through a step-by-step process to:

    • Identify your team.
    • Identify the lead scoring thresholds.
    • Define your IPC.
    • Weight the activities within your lead generation engine.
    • Run tests using lead scenarios.

    Tab 1: Team Composition

    Consider core functions and form a cross-functional lead scoring team. Document the team’s details here.

    The image contains a screenshot of the Lead Scoring Workbook, Tab 1.

    Tab 2: Threshold Setting

    Set your initial threshold weightings for profile and engagement scores.

    The image contains a screenshot of the Lead Scoring Workbook, Tab 2.

    Tab 3:

    Establish Your Ideal Customer Profile

    Identify major attributes and attribute values and the weightings of both. You’ll eventually score your leads against this ICP.

    Record and Weight Lead Gen Engine Activities

    Identify the major activities that compose prospect engagement with your lead gen engine. Weight them together as a team.

    Test Lead Profile Scenarios

    Test actual lead profiles to see how they score against where you believe they should score. Adjust threshold settings in Tab 2.

    Test Activity Engagement Scores

    Test scenarios of how contacts navigate your lead gen engine. See how they score against where you believe they should score. Adjust thresholds on Tab 2 as needed.

    Review Combined Profile and Activity Score

    Review the combined scores to see where on your lead scoring matrix the lead falls. Make any final adjustments to thresholds accordingly.

    The image contains screenshots of the Lead Scoring Workbook, Tab 3.

    Several ways we help you build your lead scoring methodology

    DIY Toolkit Guided Implementation Workshop Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    • Begin your project using the step-by-step process outlined in this blueprint.
    • Leverage the accompanying workbook.
    • Launch inquiries with the analyst who wrote the research.
    • Kick off your project with an inquiry with the authoring analyst and your engagement manager.
    • Additional inquiries will guide you through each step.
    • Leverage the blueprint and toolkit.
    • Reach out to your engagement manager.
    • During a half-day workshop the authoring analyst will guide you and your team to complete your lead scoring methodology.
    • Reach out to your engagement manager.
    • We’ll lead the engagement to structure the process, gather data, interview stakeholders, craft outputs, and organize feedback and final review.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Call #1: Collaborate on vision for lead scoring and the overall project.

    Call #2: Identify the steering committee and the rest of the team.

    Call #3: Discuss app/tech stack support for lead scoring. Understand key marketing pipeline terminology and the buyer journey.

    Call #4: Discuss your ICP, apply weightings, and run test scenarios.

    Call #5: Discuss and record lead generation engine components.

    Call #6: Understand the Lead Scoring Grid and set thresholds for your model.

    Call #7: Identify your ICP, apply weightings to attributes, and run tests.

    Call #8: Weight the attributes of engagement activities and run tests. Review the application of the scoring model on lead management software.

    Call #9: Test quality of sales-accepted leads in the hands of sellers. Measure lead flow and conversion rates through your marketing pipeline.

    Call #10: Review progress and discuss nurturing and other advanced topics.

    A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization. For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst. Your engagement managers will work with you to schedule analyst calls.

    Workshop Overview

    Accelerate your project with our facilitated SoftwareReviews Advisory workshops

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Drive Aligned Vision for Lead Scoring

    Buyer Journey and Lead Gen Engine Mapping

    Build and Test Your Lead Scoring Model

    Align on Engagement Attributes

    Apply to Your Tech Platform

    Activities

    1.1 Outline a vision for lead scoring.

    1.2 Identify steering committee and project team members.

    1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.

    1.4 Align on marketing pipeline terminology.

    2.1 Establish a buyer persona (if not done already).

    2.2 Map your buyer journey.

    2.3 Document the activities and assets of your lead gen engine.

    3.1 Understand Lead Scoring Grid and set your thresholds.

    3.2 Identify ICP attribute and sub-attribute weightings. Run tests.

    4.1 Weight the attributes of your lead gen engagement model and run tests.

    4.2 Apply weightings to activities and assets.

    4.3 Test engagement and profile scenarios together and adjust weightings and thresholds as needed.

    5.1 Apply model to your campaign management software and test quality of sales-accepted leads in the hands of sellers.

    5.2. Measure overall lead flow and conversion rates through your marketing pipeline.

    5.3 Apply lead nurturing and other advanced methods.

    Deliverables

    1. Steering committee & project team composition
    2. Direction on tech stack to support lead gen
    3. Alignment on marketing pipeline definitions
    1. Buyer (persona if needed) journey map
    2. Lead gen engine assets and activities documented
    1. Lead scoring thresholds
    2. ICP, weightings, and tested scores
    3. Test profile scoring
    1. Engagement attributes and weightings tested and complete
    2. Final lead scoring model
    1. Model applied to your marketing management/ campaign management software
    2. Better qualified leads in the hands of sellers

    Phase 1

    Drive an Aligned Vision for Lead Scoring

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    • Solidify your vision for lead scoring.
    • Achieve stakeholder alignment.
    • Assess your tech stack.

    This phase involves the following stakeholders:

    • Field Marketing/Campaign Manager
    • CMO
    • Product Marketing
    • Product Management
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 1.1

    Establish a Cross-Functional Vision for Lead Scoring

    Activities

    1.1.1 Identify stakeholders critical to success

    1.1.2 Outline the vision for lead scoring

    1.1.3 Select your lead scoring team

    This step will walk you through the following activities:

    • Discuss the reasons why lead scoring is important.
    • Review program process.
    • Identify stakeholders and team.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Stakeholder alignment on vision of lead scoring
    • Stakeholders described and team members recorded
    • A documented buyer journey and map of your current lead gen engine

    1.1.1 Identify stakeholders critical to success

    1 hour

    1. Meet to identify the stakeholders that should be included in the project’s steering committee.
    2. Finalize selection of steering committee members.
    3. Contact members to ensure their willingness to participate.
    4. Document the steering committee members and the milestone/presentation expectations for reporting project progress and results
    Input Output
    • Stakeholder interviews
    • List of business process owners (lead management, inside sales lead qualification, sales opportunity management, marketing funnel metric measurement/analytics)
    • Lead generation/scoring stakeholders
    • Steering committee members
    Materials Participants
    • N/A
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental Leads – Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    SoftwareReviews Advisory Insight:

    B2B marketers that lack agreement among Marketing, Sales, Inside Sales, and lead management supporting staff of what constitutes a qualified lead will squander precious time and resources throughout the customer acquisition process.

    1.1.2 Outline the vision for lead scoring

    1 hour

    1. Convene a meeting of the steering committee and initiative team members who will be involved in the lead scoring project.
    • Using slides from this blueprint, understand the definition of lead scoring, the value of lead scoring to the organization, and the overall lead scoring process.
    • Understand the teams’ roles and responsibilities and help your Marketing Operations/IT colleagues understand some of the technical requirements needed to support lead scoring.
    • This is important because as the business members of the team are developing the lead scoring approach on paper, the technical team can begin to evaluate lead management apps within which your lead scoring model will be brought to life.
    Input Output
    • Slides to explain lead scoring and the lead scoring program
    • An understanding of the project among key stakeholders
    Materials Participants
    • Slides taken from this blueprint. We suggest slides from the Executive Brief (slides 3-16) and any others depending on the team’s level of familiarity.
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental leads from Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    SoftwareReviews Advisory Insight:

    While SMBs can implement some form of lead scoring when volume is very low and leads can be scored by hand, lead scoring and effective lead management cannot be performed without investment in digital platforms and lead management software and integration with customer relationship management (CRM) applications in the hands of inside and field sales staff. Marketers should plan and budget for the right combination of applications and tools to be in place for proper lead management.

    Lead scoring stakeholders

    Developing a common stakeholder understanding of the ICP, the way contact profiles are scored, and the way activities and asset engagement in your lead generation engine are scored will strengthen alignment between Marketing, Sales and Product Management.

    Title

    Key Stakeholders Within a Lead Generation/Scoring Initiative

    Lead Scoring Sponsor

    • Owns the project at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with organizational strategy
    • CMO, VP of Marketing, CEO (in SMB providers)

    Lead Scoring Initiative Manager

    • Typically a senior member of the marketing team
    • Responsible for preparing and managing the project plan and monitoring the project team’s progress
    • Marketing Manager or a field marketing team member who has strong program management skills, has run large-scale B2B generation campaigns, and is familiar with the stakeholder roles and enabling technologies

    Business Leads

    • Works alongside the lead scoring initiative manager to ensure that the strategy is aligned with business needs
    • In this case, likely to be a marketing lead
    • Marketing Director

    Digital, Marketing/Sales Ops/IT Team

    • Composed of individuals whose application and technology tools knowledge and skills are crucial to lead generation success
    • Responsible for understanding the business requirements behind lead generation and the requirements in particular to support lead scoring and the evaluation, selection, and implementation of the supporting tech stack – apps, website, analytics, etc.
    • Project Manager, Business Lead, CRM Manager, Integration Manager, Marketing Application SMEs, Sales Application

    Steering Committee

    • Composed of C-suite/management-level individuals who act as the lead generation process decision makers
    • Responsible for validating goals and priorities, defining the scope, enabling adequate resourcing, and managing change especially among C-level leaders in Sales & Product
    • Executive Sponsor, Project Sponsor, CMO, Business Unit SMEs

    SoftwareReviews Advisory Insight:

    Marketers managing the lead scoring initiative must include Product Marketing, Sales, Inside Sales, and Product Management. And given that world-class B2B lead generation engines cannot run without technology enablement, Marketing Operations/IT – those that are charged with enabling marketing and sales – must also be part of the decision making and implementation process of lead scoring and lead generation.

    1.1.3 Select your lead scoring team

    30 minutes

    1. The CMO and other key stakeholders should discuss and determine who will be involved in the lead scoring project.
    • Business leaders in key areas – Product Marketing, Field Marketing, Digital Marketing, Inside Sales, Sales, Marketing Ops, Product Management, and IT – should be involved.
  • Document the members of your lead scoring team in tab 1 of the Lead Scoring Workbook.
    • The size of the team will vary depending on your initiative and size of your organization.
    InputOutput
    • Stakeholders
    • List of lead scoring team members
    MaterialsParticipants
    • Lead Scoring Workbook
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental Leads – Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    Download the Lead Scoring Workbook

    Lead scoring team

    Consider the core team functions when composing the lead scoring team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned lead management/scoring strategy. Don’t let your core team become too large when trying to include all relevant stakeholders. Carefully limit the size of the team to enable effective decision making while still including functional business units.

    Required Skills/Knowledge

    Suggested Team Members

    Business

    • Understanding of the customer
    • Understanding of brand
    • Understanding of multichannel marketing: email, events, social
    • Understanding of lead qualification
    • Field Marketing/Campaign Lead
    • Product Marketing
    • Sales Manager
    • Inside Sales Manager
    • Content Marketer/Copywriter

    IT

    • Campaign management application capabilities
    • Digital marketing
    • Marketing and sales funnel Reporting/metrics
    • Marketing Application Owners
    • CRM/Sales Application Owners
    • Marketing Analytics Owners
    • Digital Platform Owners

    Other

    • Branding/creative
    • Social
    • Change management
    • Creative Director
    • Social Media Marketer

    Step 1.2 (Optional)

    Assess Your Tech Stack for Lead Scoring

    Our model assumes you have:

    1.2.1 A marketing application/campaign management application in place that accommodates lead scoring.

    1.2.2 Lead management software integrated with the sales automation/CRM tool in the hands of Field Sales.

    1.2.3 Reporting/analytics that spans the entire lead generation pipeline/funnel.

    Refer to the following three slides if you need guidance in these areas.

    This step will walk you through the following activities:

    • Confirm that you have your tech stack in place.
    • Set up an inquiry with an Info-Tech analyst should you require guidance on evaluating lead pipeline reporting, CRM, or analytics applications.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Understanding of what new application and technology support is required to support lead scoring.

    SoftwareReviews Advisory Insight:

    Marketers that collaborate closely with Marketing Ops/IT early in the process of lead scoring design will be best able to assess whether current marketing applications and tools can support a full lead scoring capability.

    1.2.1 Plan technology support for marketing management apps

    Work with Marketing Ops and IT early to evaluate application enablement for lead management, including scoring

    A thorough evaluation takes months – start early

    • Work closely with Marketing Operations (or the team that manages the marketing apps and digital platforms) as early as possible to socialize your approach to lead scoring.
    • Work with them on a set of updated requirements for selecting a marketing management suite or for changes to existing apps and tools to support your lead scoring approach that includes lead tracking and marketing funnel analytics.
    • Access the Info-Tech blueprint Select a Marketing Management Suite, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews Marketing Management Data Quadrant during vendor evaluation and selection.

    SoftwareReviews Marketing Management Data Quadrant

    The image contains a screenshot of the Marketing Management Data Quadrant.

    1.2.2 Plan technology support for sales opportunity management

    Work with Marketing Ops and IT early to evaluate applications for sales opportunity management

    A thorough evaluation takes months – start early

    • Work closely with Sales Operations as early as possible to socialize your approach to lead scoring and how lead management must integrate with sales opportunity management to manage the entire marketing and sales funnel management process.
    • Work with them on a set of updated requirements for selecting a sales opportunity management application that integrates with your marketing management suite or for changes to existing apps and tools to support your lead management and scoring approach that support the entire marketing and sales pipeline with analytics.

    Access the Info-Tech blueprint Select and Implement a CRM Platform, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews CRM Data Quadrant during vendor evaluation and selection.

    SoftwareReviews Customer Relationship Management Data Quadrant

    The image contains a screenshot of the SoftwareReviews Customer Relationship Management Data Quadrant.

    1.2.3 Plan analytics support for marketing pipeline analysis

    Work with Marketing Ops early to evaluate analytics tools to measure marketing and sales pipeline conversions

    A thorough evaluation takes weeks – start early

    • Work closely with Marketing and Sales Operations as early as possible to socialize your approach to measuring the lifecycle of contacts through to wins across the entire marketing and sales funnel management process.
    • Work with them on a set of updated requirements for selecting tools that can support the measurement of conversion ratios from contact to MQL, SQL, and opportunity to wins. Having this data enables you to measure improvement in component parts to your lead generation engine.
    • Access the Info-Tech blueprint Select and Implement a Reporting and Analytics Solution, along with analyst inquiry support during the requirements definition, vendor evaluation and vendor selection phases. Use the SoftwareReviews Best Business intelligence & Analytics Software Data Quadrant as well during vendor evaluation and selection.

    SoftwareReviews Business Intelligence Data Quadrant

    The image contains a screenshot of the Software Reviews Business Intelligent Quadrant.

    Step 1.3

    Catalog Your Buyer Journey and Lead Gen Engine Assets

    Activities

    1.3.1 Review marketing pipeline terminology

    1.3.2 Describe your buyer journey

    1.3.3 Describe your awareness and lead generation engine

    This step will walk you through the following activities:

    • Discuss marketing funnel terminology.
    • Describe your buyer journey.
    • Catalog the elements of your lead generation engine.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on terminology, your buyer journey, and elements of your lead generation engine

    1.3.1 Review marketing pipeline terminology

    30 minutes

    1. We assume for this model the following:
      1. Our primary objective is to deliver more, and more-highly qualified, sales-qualified leads (SQLs) to our salesforce. The salesforce will accept SQLs and after further qualification turn them into opportunities. Sellers work opportunities and turn them into wins. Wins that had first/last touch attribution within the lead gen engine are considered marketing-influenced wins.
      2. This model assumes the existence of sales development reps (SDRs) whose mission it is to take marketing-qualified leads (MQLs) from the lead generation engine and further qualify them into SQLs.
      3. The lead generation engine takes contacts – visitors to activities, website, etc. – and scores them based on their profile and engagement. If the contact scores at or above the designated threshold, the lead generation engine rates it as an MQL and passes it along to Inside Sales/SDRs. If the contact scores above a certain threshold and shows promise, it is further nurtured. If the contact score is low, it is ignored.
    2. If an organization does not possess a team of SDRs or Inside Sales, you would adjust your version of the model to, for example, raise the threshold for MQLs, and when the threshold is reached the lead generation engine would pass the lead to Field Sales for further qualification.

    Stage

    Characteristics

    Actions

    Contact

    • Unqualified
    • No/low activity

    Nurture

    SDR Qualify

    Send to Sales

    Close

    MQL

    • Profile scores high
    • Engagement strong

    SQL

    • Profile strengthened
    • Demo/quote/next step confirmed

    Oppt’y

    • Sales acceptance
    • Sales opportunity management

    Win

    • Deal closed

    SoftwareReviews Advisory Insight:

    Score leads in a way that makes it crystal clear whether they should be ignored, further nurtured, further qualified, or go right into a sellers’ hands as a super hot lead.

    1.3.2 Describe your buyer journey

    1. Understand the concept of the buyer journey:
      1. Typically Product Marketing is charged with establishing deep understanding of the target buyer for each product or solution through a complete buyer persona and buyer journey map. The details of how to craft both are covered in the upcoming SoftwareReviews Advisory blueprint Craft a More Comprehensive Go-to-Market Strategy. However, we share our Buyer Journey Template here (on the next slide) to illustrate the connection between the buyer journey and the lead generation and scoring processes.
      2. Marketers and campaigners developing the lead scoring methodology will work closely with Product Marketing, asking them to document the buyer journey.
      3. The value of the buyer journey is to guide asset/content creation, nurturing strategy and therefore elements of the lead generation engine such as web experience, email, and social content and other elements of engagement.
      4. The additional value of having a buyer persona is to also inform the ICP, which is an essential element of lead scoring.
      5. For the purposes of lead scoring, use the template on the next slide to create a simple form of the buyer journey. This will guide lead generation engine design and the scoring of activities later in our blueprint.

    2 hours

    On the following slide:

    1. Tailor this template to suit your buyer journey. Text in green is yours to modify. Text in black is instructional.
    2. Your objective is to use the buyer journey to identify asset types and a delivery channel that once constructed/sourced and activated within your lead gen engine will support the buyer journey.
    3. Keep your buyer journey updated based on actual journeys of sales wins.
    4. Complete different buyer journeys for different product areas. Complete these collaboratively with stakeholders for alignment.

    SoftwareReviews Advisory Insight:

    Establishing a buyer journey is one of the most valuable tools that, typically, Product Marketing produces. Its use helps campaigners, product managers, and Inside and Field Sales. Leading marketers keep journeys updated based on live deals and characteristics of wins.

    Buyer Journey Template

    Personas: [Title] e.g. “BI Director”

    The image contains a screenshot of the describe persona level as an example.

    [Persona name] ([levels it includes from arrows above]) Buyer’s Journey for [solution type] Vendor Selection

    The image contains a screenshot of the Personas Type example to demonstrate a specific IT role, end use in a relevant department.

    1.3.3 Describe Your Awareness and Lead Gen Engine

    1. Understand the workings of a typical awareness and lead generation engine. Reference the image of a lead gen engine on the following slide when reviewing our guidance below:
      1. In our lead scoring example found in the Lead Scoring Workbook, tab 3, “Weight and Test,” we use a software company selling a sales automation solution, and the engagement activities match with the Typical Awareness and Lead Gen Engine found on the following slide. Our goal is to match a visual representation of a lead gen and awareness engine with the activity scoring portion of lead scoring.
      2. At the top of the Typical Awareness and Lead Generation Engine image, the activities are activated by a team of various roles: digital manager (new web pages), campaign manager (emails and paid media), social media marketer (organic and paid social), and events marketing manager (webinars).
      3. “Awareness” – On the right, the slide shows additional awareness activities driven by the PR/Corporate Comms and Analyst Relations teams.*
      4. The calls to action (CTAs) found in the outreach activities are illustrated below the timeline. The CTAs are grouped and are designed to 1) drive profile capture data via a main sales form fill, and 2) drive engagement that corresponds to the Education, Solution, and Selection buyer journey phases outlined on the prior slide. Ensure you have fast paths to get a hot lead – request a demo – directly to Field Sales when profiles score high.

    * For guidance on best practices in engaging industry analysts, contact your engagement manager to schedule an inquiry with our expert in this area. during that inquiry, we will share best practices and recommended analyst engagement models.

    Lead Scoring Workbook

    2 hours

    On the following slide:

    1. Tailor the slide to describe your lead generation engine as you will use it when you get to latter steps to describe the activities in your lead gen engine and weight them for lead scoring.
    2. Use the template to see what makes up a typical lead gen and awareness building engine. Record your current engine parts and see what you may be missing.
    3. Note: The “Goal” image in the upper right of the slide is meant as a reminder that marketers should establish a goal for SQLs delivered to Field Sales for each campaign.

    SoftwareReviews Advisory Insight:

    Marketing’s primary mission is to deliver marketing-influenced wins (MIWs) to the company. Building a compelling awareness and lead gen engine must be done with that goal in mind. Leaders are ruthless in testing – copy, email subjects, website navigation, etc. – to fine-tune the engine and staying highly collaborative with sellers to ensure high value lead delivery.

    Typical Awareness and Lead Gen Engine

    Understand how a typical lead generation engine works. Awareness activities are included as a reference. Use as a template for campaigns.

    The image contains a screenshot of a diagram to demonstrate how a lead generation engine works.

    Phase 2

    Build and Test Your Lead Scoring Model

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    1. Understand the Lead Scoring Grid and establish thresholds.
    2. Collaborate with stakeholders on your ICP, apply weightings to profile attributes and values, and test.
    3. Identify the key activities and assets of your lead gen engine, weight attributes, and run tests.

    This phase involves the following participants:

    • Field Marketing/Campaign Manager
    • Product Marketing
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 2.1

    Start Building Your Lead Scoring Model

    Activities

    2.1.1 Understand the Lead Scoring Grid

    2.1.2 Identify thresholds

    This step will walk you through the following activities:

    • Discuss the concept of the thresholds for scoring leads in each of the various states – “ignore,” “nurture,” “qualify,” “send to sales.”
    • Open the Lead Scoring Workbook and validate your own states to suit your organization.
    • Arrive at an initial set of threshold scores.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on stages
    • Stakeholder alignment on initial set of thresholds

    2.1.1 Understand the Lead Scoring Grid

    30 minutes

    1. Understand how lead scoring works and our grid is constructed.
    2. Understand the two important areas of the grid and the concept of how the contact’s scores will increase as follows:
      1. Profile – as the profile attributes of the contact approaches that of the ICP we want to score the contact/prospect higher. Note: Step 1.3 walks you through creating your ICP.
      2. Engagement – as the contact/prospect engages with the activities (e.g. webinars, videos, events, emails) and assets (e.g. website, whitepapers, blogs, infographics) in our lead generation engine, we want to score the contact/prospect higher. Note: You will describe your engagement activities in this step.
    3. Understand how thresholds work:
      1. Threshold percentages, when reached, trigger movement of the contact from one state to the next – “ignore,” “nurture,” “qualify with Inside Sales,” and “send to sales.”
    The image contains a screenshot of an example of the lead scoring grid, as described in the text above.

    2.1.2 Identify thresholds

    30 minutes

    We have set up a model Lead Scoring Grid – see Lead Scoring Workbook, tab 2, “Identify Thresholds.”

    Set your thresholds within the Lead Scoring Workbook:

    • Set your threshold percentages for ”Profile” and “Engagement.”
    • You will run test scenarios for each in later steps.
    • We suggest you start with the example percentages given in the Lead Scoring Workbook and plan to adjust them during testing in later steps.
    • Define the “Send to Sales,” “Qualify With Inside Sales,” “Nurture,” and “Ignore” zones.

    SoftwareReviews Advisory Insight:

    Clarify that all-important threshold for when a lead passes to your expensive and time-starved outbound sellers.

    The image contains a screenshot of the Lead Scoring Workbook, tab 2 demonstrating the Lead Scoring Grid.

    Lead Scoring Workbook

    Step 2.2

    Identify and Verify Your Ideal Customer Profile and Weightings

    Activities

    2.2.1 Identify your ideal customer profile

    2.2.2 Run tests to validate profile weightings

    This step will walk you through the following activities:

    • Identify the attributes that compose the ICP.
    • Identify the values of each attribute and their weightings.
    • Test different contact profile scenarios against what actually makes sense.
    • Adjust weightings if needed.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on ICP
    • Stakeholder alignment on weightings given to attributes
    • Tested results to verify thresholds and cores

    2.2.1 Identify your ideal customer profile

    Collaborate with stakeholders to understand what attributes best describe your ICP. Assign weightings and subratings.

    2 hours

    1. Choose attributes such as job role, organization type, number of employees/potential seat holders, geographical location, interest area, etc., that describe the ideal profile of a target buyer. Best practice sees marketers choosing attributes based on real wins.
    2. Some marketers compare the email domain of the contact to a target list of domains. In the Lead Scoring Workbook, tab 3, “Weight and Test,” we provide an example profile for a “Sales Automation Software” ICP.
    3. Use the workbook as a template, remove our example, and create your own ICP attributes. Then weight the attributes to add up to 100%. Add in the attribute values and weight them. In the next step you will test scenarios.

    SoftwareReviews Advisory Insight:

    Marketers who align with colleagues in areas such as Product Marketing, Sales, Inside Sales, Sales Training/Enablement, and Product Managers and document the ICP give their organizations a greater probability of lead generation success.

    The image contains a screenshot of tab 3, demonstrating the weight and test with the example profile.

    Lead Scoring Workbook

    2.2.2 Run tests to validate profile weightings

    Collaborate with stakeholders to run different profile scenarios. Validate your model including thresholds.

    The image contains a screenshot of tab 3 to demonstrate the next step of running tests to validate profile weightings.

    SoftwareReviews Advisory Insight:

    Keep your model simple in the interest of fast implementation and to drive early learnings. The goal is not to be perfect but to start iterating toward success. You will update your scoring model even after going into production.

    2 hours

    1. Choose scenarios of contact/lead profile attributes by placing a “1” in the “Attribute” box shown at left.
    2. Place your estimate of how you believe the profile should score in the box to the right of “Estimated Profile State.” How does the calculated state, beneath, compare to the estimated state?
    3. In cases where the calculated state differs from your estimated state, consider weighting the profile attribute differently to match.
    4. If you find estimates and calculated states off dramatically, consider changing previously determined thresholds in tab 2, “Identify Thresholds.” Test multiple scenarios with your team.

    Lead Scoring Workbook

    Step 2.3

    Establish Key Lead Generation Activities and Assets

    Activities

    2.3.1 Establish activities, attribute values, and weights

    2.3.2 Run tests to evaluate activity ratings

    This step will walk you through the following activities:

    • Identify the activities/asset types in your lead gen engine.
    • Weight each attribute and define values to score for each one.
    • Run tests to ensure your model makes sense.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Final stakeholder alignment on which assets compose your lead generation engine
    • Scoring model tested

    2.3.1 Establish activities, attribute values, and weights

    2 hours

    1. Catalog the assets and activities that compose your lead generation engine outlined in Activity 1.3.3. Identify their attribute values and weight them accordingly.
    2. Consider weighting attributes and values according to how close that asset gets to conveying your ideal call to action. For example, if your ideal CTA is “schedule a demo” and the “click” was submitted in the last seven days, it scores 100%. Take time decay into consideration. If that same click was 60 days ago, it scores less – maybe 60%.
    3. Different assets convey different intent and therefore command different weightings; a video comparing your offering against the competition, considered a down funnel asset, scores higher than the company video, considered a top-of-the-funnel activity and “awareness.”
    The image contains a screenshot of the next step of establishing activities, attribute values, and weights.

    Lead Scoring Workbook

    2.3.2 Run tests to validate activity weightings

    Collaborate with stakeholders to run different engagement scenarios. Validate your model including thresholds.

    The image contains a screenshot of activity 2.3.2: run tests to validate activity weightings.

    SoftwareReviews Advisory Insight:

    Use data from actual closed deals and the underlying activities to build your model – nothing like using facts to inform your key decisions. Use common sense and keep things simple. Then update further when data from new wins appears.

    2 hours

    1. Test scenarios of contact engagement by placing a “1” in the “Attribute” box shown at left.
    2. Place your estimate of how you believe the engagement should score in the box to the right of “Estimated Engagement State.” How does the calculated state, beneath, compare to the estimated state?
    3. In cases where the calculated state differs from your estimated state, consider weighting the activity attribute differently to match.
    4. If you find that the estimates and calculated states are off dramatically, consider changing previously determined thresholds in tab 2, “Identify Thresholds.” Test multiple scenarios with your team.

    Lead Scoring Workbook

    Phase 3

    Apply Your Model to Marketing Apps and Go Live With Better Qualified Leads

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    1. Apply model to your marketing management/campaign management software.
    2. Get better qualified leads in the hands of sellers.
    3. Apply lead nurturing and other advanced methods.

    This phase involves the following participants:

    • Field Marketing/Campaign Manager
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 3.1

    Apply Model to Your Marketing Management Software

    Activities

    3.1.1 Apply final model to your lead management software

    This step will walk you through the following activities:

    • Apply the details of your scoring model to the lead management software.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Marketing management software or campaign management application is now set up/updated with your lead scoring approach.

    3.1.1 Apply final model to your lead management software

    Now that your model is complete and ready to go into production, input your lead scoring parameters into your lead management software.

    The image contains a screenshot of activity 3.1.1 demonstrating tab 4 of the Lead Scoring Workbook.

    3 hours

    1. Go to the Lead Scoring Workbook, tab 4, “Model Summary” for a formatted version of your lead scoring model. Double-check print formatting and print off a copy.
    2. Use the copy of your model to show to prospective technology providers when asking them to demonstrate their lead scoring capabilities.
    3. Once you have finalized your model, use the printed output from this tab to ease your process of transposing the corresponding model elements into your lead management software.

    Lead Scoring Workbook

    Step 3.2

    Test the Quality of Sales-Accepted Leads

    Activities

    3.2.1 Achieve sales lead acceptance

    3.2.2 Measure and optimize

    This step will walk you through the following activities:

    • Suggest that the Inside Sales and Field Sales teams should assess whether to sign off on quality of leads received.
    • Campaign managers and stakeholders should now be able to track lead status more effectively.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Sales leadership should be able to sign off that leads are better qualified.
    • With marketing pipeline analytics in place, campaigners can start to measure lead flow and conversion rates.

    3.2.1 Achieve sales lead acceptance

    Collaborate with sellers to validate your lead scoring approach.

    1 hour

    1. Gather a set of SQLs – leads that have been qualified by Inside Sales and delivered to Field Sales. Have Field Sales team members convey whether these leads were properly qualified.
    2. Where leads are deemed not properly qualified, determine if the issue was a) a lack of proper qualification by the Inside Sales team, or b) the lead generation engine, which should have further nurtured the lead or ignored it outright.
    3. Work collaboratively with Inside Sales to update your lead scoring model and/or Inside Sales practice.

    Stage

    Characteristics

    Actions

    Contact

    • Unqualified
    • No/low activity

    Nurture

    SDR Qualify

    Send to Sales

    Close

    MQL

    • Profile scores high
    • Engagement strong

    SQL

    • Profile strengthened
    • Demo/quote/next step confirmed

    Oppt’y

    • Sales acceptance
    • Sales opportunity management

    Win

    • Deal closed

    SoftwareReviews Advisory Insight:

    Marketers that collaborate with Sales – and in this case, a group of sellers as a sales advisory team – well in advance of sales acceptance to design lead scoring will save time during this stage, build trust with sellers, and make faster decisions related to lead management/scoring.

    3.2.2 Measure and optimize

    Leverage analytics that help you optimize your lead scoring methodology.

    Ongoing

    1. Work with Marketing Ops/IT team to design and implement analytics that enable you to:
    2. Meet frequently with your stakeholder team to review results.
    3. Learn from the wins: see how they actually scored and adjust thresholds and/or asset/activity weightings.
    4. Learn from losses: fix ineffective scoring, activities, assets, form-fill strategies, and engagement paths.
    5. Test from both wins and losses if demographic weightings are delivering accurate scores.
    6. Analyze those high scoring leads that went right to sellers but did not close. This could point to a sales training or enablement challenge.
    The image contains a screenshot of the lead scoring dashboard.

    Analytics will also drive additional key insights across your lead gen engine:

    • Are volumes increasing or decreasing? What percentage of leads are in what status (A1-D4)?
    • What nurturing will re-engage stalled leads that score high in profile but low in engagement (A3, B3)?
    • Will additional profile data capture further qualify leads with high engagement (C1, C2)?
    • And beyond all of the above, what leads move to Inside Sales and convert to SQLs, opportunities, and eventually marketing-influenced wins?

    Step 3.3

    Apply Advanced Methods

    Activities

    3.3.1 Employ lead nurturing strategies

    3.3.2 Adjust your model over time to accommodate more advanced methods

    This step will walk you through the following activities:

    • Apply lead nurturing to your lead gen engine.
    • Adjust your engine over time with more advanced methods.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Marketers can begin to test lead nurturing strategies and other advanced methods.

    3.3.1 Employ lead nurturing strategies

    A robust content marketing competence with compelling assets and the capture of additional profile data for qualification are key elements of your nurturing strategy.

    The image contains a screenshot of the Lead Scoring Grid with a focus on Nurture.

    SoftwareReviews Advisory Insight:

    Nurturing success combines the art of crafting engaging copy/experiences and the science of knowing just where a prospect is within your lead gen engine. Great B2B marketers demonstrate the discipline of knowing when to drive engagement and/or additional profile attribute capture using intent while not losing the prospect to over-profiling.

    Ongoing

    1. The goal of lead nurturing is to move the collection of contacts/leads that are scoring, for example, in the A3, B3, C1, C2, and C3 cells into A2, B2, and B1 cells.
    2. How is this best done? To nurture leads that are A3 and B3, entice the prospect with engagement that leads to the bottom of funnel – e.g. “schedule a demo” or “schedule a consultation” via a compelling asset. See the example on the following slide.
    3. To nurture C1 and C2, we need to qualify them further, so entice with an asset that leads to deeper profile knowledge.
    4. For C3 leads, we need both profile and activity nurturing.

    Lead nurturing example

    The image contains an example of a lead nurturing example.

    SoftwareReviews Advisory Insight:

    When nurturing, choose/design content as to what “intent” it satisfies. For example, a head-to-head comparison with a key competitor signals “Selection” phase of the buyer journey. Content that helps determine what app-type to buy signals “Solution”. A company video, or a webinar replay, may mean your buyer is “educating themselves.

    3.3.2 Adjust your model over time to accommodate more advanced methods

    When getting started or within a smaller marketing team, focus on the basics outlined thus far in this blueprint. Larger and/or more experienced teams are able to employ more advanced methods.

    Ongoing

    Advanced Methods

    • Invest in technologies that interpret lead scores and trigger next-step actions, especially outreach by Inside and/or Field Sales.
    • Use the above to route into nurturing environments where additional engagement will raise scores and trigger action.
    • Recognize that lead value decays with time to time additional outreach/activities and to reduce lead scores over time.
    • Always be testing different engagement, copy, and subsequent activities to optimize lead velocity through your lead gen engine.
    • Build intent sensitivity into engagement activities; e.g. test if longer demo video engagement times imply ”contact me for a demo” via a qualification outreach. Update scores manually to drive learnings.
    • Vary engagement paths by demographics to deliver unique digital experiences. Use firmographics/email domain to drive leads through a more tailored account-based marketing (ABM) experience.
    • Reapply learnings from closed opportunities/wins to drive updates to buyer journey mapping and your ICP.

    Frequently used acronyms

    ABM

    Account-Based Marketing

    B2B

    Business to Business

    CMO

    Chief Marketing Officer

    CRM

    Customer Relationship Management

    ICP

    Ideal Customer Profile

    MIW

    Marketing-Influenced Win

    MQL

    Marketing-Qualified Lead

    SDR

    Sales Development Representative

    SQL

    Sales-Qualified Lead

    Works cited

    Arora, Rajat. “Mining the Real Gems from you Data – Lead Scoring and Engagement Scoring.” LeadSquared, 27 Sept. 2014. Web.

    Doyle, Jen. “2012 B2B Marketing Benchmark Report: Research and insights on attracting and converting the modern B2B buyer.” MarketingSherpa, 2012. Web.

    Doyle, Jen, and Sergio Balegno. “2011 MarketingSherpa B2B Marketing Benchmark Survey: Research and Insights on Elevating Marketing Effectiveness from Lead Generation to Sales Conversion.” MarketingSherpa, 2011.

    Kirkpatrick, David. “Lead Scoring: CMOs realize a 138% lead gen ROI … and so can you.” marketingsherpa blog, 26 Jan 2012. Web.

    Moser, Jeremy. “Lead Scoring Is Important for Your Business: Here’s How to Create Scoring Model and Hand-Off Strategy.” BigCommerce, 25 Feb. 2019. Web.

    Strawn, Joey. “Why Lead Scoring Is Important for B2Bs (and How You Can Implement It for Your Company.” IndustrialMarketer.com, 17 Aug. 2016. Web.

    Improve Email Security

    • Buy Link or Shortcode: {j2store}272|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture

    As the sophistication of malicious attacks increases, it has become more difficult to ensure applications such as email software are properly protected and secured. The increase in usage and traffic of email exacerbates the security risks to the organization.

    Our Advice

    Critical Insight

    Email has changed. Your email security needs to evolve as well to ensure you are protecting your organization’s communication.

    Impact and Result

    • Gain an understanding of the importance of email security and steps to secure your corporate email.
    • Develop holistic guidelines on implementing best practices to modernize your organization’s email security.

    Improve Email Security Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Improve Email Security Storyboard – A guide to best practices for improving an organization’s email security.

    This research provides guidelines to assist organizations in identifying controls to secure their emails along with recommendations on the most common and effective controls to secure and protect corporate emails.

    • Improve Email Security Storyboard

    2. Email Security Checklist – A checklist tool that enables organizations to monitor their progress in implementing controls to improve their email security.

    This checklist of common email security categories and their associated controls helps ensure organizations are following best practices.

    • Email Security Checklist
    [infographic]

    Further reading

    Improve Email Security

    Follow the latest best practices for email security to mitigate evolving threats.

    Analyst Perspective

    Protecting your organization’s digital assets begins with securing your email communication.

    As organizations increasingly rely on email communication for day-to-day business operations, threat actors are exploiting the increased traction to develop and implement more sophisticated email-based attacks. Furthermore, the lack of investment in measures, tools, and technologies for an organization’s email security exacerbates the vulnerabilities at hand.

    Effective use of security procedures and techniques can mitigate and minimize email-based threats have been shown to reduce the ability of these attacks to infiltrate the email inbox. These guidelines and best practices will help your organization conduct due diligence to protect the contents of the email, its transit, and its arrival to the authorized recipient.

    Ahmad Jowhar, Research Specialist, Security & Privacy

    Ahmad Jowhar
    Research Specialist, Security & Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech’s Approach
    • As malicious attacks get increasingly sophisticated, it has become more difficult to ensure applications such as email software are properly protected and secured.
    • The increased usage and traffic of emails, as well as their contents, exacerbates security risks to the organization.
    • Given the variety of email security controls, it can be complicated to identify the most important techniques for improving your organization’s email security.
    • Understand the importance of implementing email security for your organization.
    • Develop a holistic guideline for implementing best practices to secure your organization’s emails.

    Info-Tech Insight
    Email has changed. Your email security must evolve to ensure the safety of your organization’s communication.

    Your Challenge

    As a security leader, you need to modernize your email security services so you can protect business communications and prevent security incidents.

    • Various factors must be considered when deciding how best to safeguard your organization’s communication chain. This includes the frequency of email traffic and the contents of emails.
    • The increased number of email-based cyberattacks reveals the sophistication of threat actors in leveraging an organization’s lack of email security to infiltrate their business.
    • As organizations continue to rely heavily on email communication, email-based threats will become increasingly prevalent.

    75% of organizations have experienced an increase in email-based threats.

    97% of security breaches are due to phishing attacks.

    82% of companies reported a higher volume of email in 2022.

    Source: Mimecast, 2023.

    Modern email security controls framework for security leaders

    Email has changed. Your email security must evolve to ensure the safety of your organization’s communication.

    Modern email security controls framework for security leaders

    Understand the best practices in securing your organization’s emails

    Enhance your security posture by modernizing your email security
    Email has changed. Your email security must evolve to ensure the safety of your organization’s communication.

    Deploy an added layer of defense by preventing the contents of your email from being intercepted.

    Encrypting your email communication will provide an additional layer of protection which only allows authorized users to read the email.

    Leverage triple-threat authentication controls to strengthen your email security.

    Leveraging SPF, DKIM, and DMARC enables you to have the proper authentication controls in place, ensuring that only legitimate users are part of the email communication.

    Protect the contents of your email through data classification and data loss prevention.

    Having tools and technologies in place to ensure that data is classified and backed up will enable better storage, analysis, and processing of the email.

    Implement email policies for a holistic email security protection.

    Policies ensure acceptable standards are in place to protect the organization’s assets, including the creation, attachment, sending, and receiving of emails.

    User awareness and training
    Training employees on protecting their corporate emails adds an extra layer of defense by ensuring end users are aware of various email-based threats and can confidently safeguard their organizations from attacks.

    Email encryption

    Deploy an added layer of defense by preventing the contents of your email from being intercepted.

    • Protecting your organization’s emails begins by ensuring only the appropriate recipients can receive and read the email’s contents.
    • This process includes encrypting the email’s contents to protect sensitive information from being read by unauthorized recipients.
    • This protects the contents even if the email is intercepted by anyone besides the intended recipient.
    • Other benefits of email encryption include:
      • Reducing any risks associated with regulatory violations.
      • Enabling business to confidently communicate sensitive information via email.
      • Ensuring protective measures taken to prevent data loss and corporate policy violations.

    Along with the increased use of emails, organizations are seeing an increase in the number of attacks orchestrating from emails. This has resulted in 74% of organizations seeing an increase in email-based threats.

    Source: Mimecast, 2023.

    Info-Tech Insight
    Encrypting your email communication will provide an additional layer of protection which only allows authorized users to read the email.

    Implementing email encryption

    Leverage these protocols and tools to help encrypt your email.

    • The most common email encryption protocols and tools include:
      • Transport Layer Security (TLS): A cryptographic protocol designed to securely deliver data via the internet, which prevents third parties from intercepting and accessing the data.
      • Secure/Multipurpose Internet Mail Extension (S/MIME): A protocol for sending digitally signed and encrypted messages by leveraging public key encryption to provide at-rest and in-transit data protection.
      • Secure Email Gateway: An email security solution that inspects emails for malicious content prior to it reaching the corporate system. The solution is positioned between the public internet and corporate email servers. An email gateway solution would be provided by a third-party vendor and can be implemented on-premises, through the cloud, or hybrid.
    • Email encryption policies can also be implemented to ensure processes are in place when sending sensitive information through emails.
    • Email encryption ensures end-to-end privacy for your email and is especially important when the email requires strict content privacy.

    Email authentication

    Three authentication controls your organization should leverage to stay secure.

    • Along with content encryption, it’s important to authenticate both the sender and recipient of an email to ensure that only legitimate users are able to send and receive it.
    • Implementing email authentication techniques prevents unsolicited email (e.g. spam) from entering your mailbox.
    • This also prevents unauthorized users from sending email on your organization’s behalf.
    • Having these standards in place would safeguard your organization from spam, spoofing, and phishing attacks.
    • The three authentication controls include:
      • Sender Policy Framework (SPF): Email validation control that verifies that the incoming email is from an authorized list of IP addresses provided by the sender’s domain administrator.
      • DomainKeys Identified Mail (DKIM): Enables recipients to verify that an email from a specific domain was authorized by the domain’s owner. This is conducted through cryptographic authentication by adding a digital signature to the message headers of outbound emails.
      • Domain Message Authentication Reporting & Conformance (DMARC): Provides domain-level protection of email channel by publishing DMARC records in the organization’s domain name system (DNS) and creates policies which prompts actions to take if an email fails authentication.

    Although these authentication controls are available for organizations to leverage, the adoption rate remains low. 73% of survey respondents indicated they didn’t deploy email authentication controls within their organization.

    Source: Mimecast, 2023.

    Email authentication controls

    All three authentication controls should be implemented to effectively secure your organization’s email. They ensure the emails you send and receive are securely authorized and legitimate.

    SPF DKIM DMARC

    Creating an SPF record identifies which IP addresses are allowed to send emails from your domain. Steps to implement SPF include the following:

    1. Create an SPF record by identifying the IP addresses that are authorized to send emails.
    2. Publish your SPF record into your DNS by creating a TXT record on your domain.

    Implementing DKIM helps prevent attackers from sending emails that pretend to come from your domain. Steps to implement DKIM include the following:

    1. Identify and enable domains you wish to configure DKIM to create DKIM keys.
    2. Copy the canonical names (CNAMEs) that are provided.
    3. Publish the CNAME records to your DNS service provider.

    Setting up DMARC ensures emails are validated and defines actions to take if an email fails authentication. These include:

    • None: Message is delivered to recipient and a DMARC report is sent to domain owner.
    • Quarantine: Message moved to quarantine folder and recipient is notified.
    • Reject: Message is not delivered to the recipient.
    • Steps to implement DMARC include:
    1. Create a DMARC record by including your organization’s email domain and IP addresses.
    2. Form a DMARC TXT record for your domain to include policies and publish it to your DNS.

    For more information:

    Data classification

    Ensure sensitive data is securely processed, analyzed, and stored.

    • Besides authenticating the legitimacy of an email and its traffic to the recipient, it’s important to have procedures in place to protect the contents of an email.
    • Data classification is found not only in databases and spreadsheets, but also in the email messages being communicated. Examples of data most commonly included in emails:
      • Personal identifiable information (PII): social security number, financial account number, passcodes/passwords
    • Applying data classification to your email can help identify the sensitivity of the information it contains. This ensures any critical data within an email message is securely processed and protected against unauthorized use, theft, and loss.
    • Emails can be classified based on various sensitivity levels. such as:
      • Top secret, public, confidential, internal

    Discover and Classify Your Data

    Leverage this Info-Tech blueprint for guidelines on implementing a data classification program for your organization.

    Info-Tech Insight
    Having tools and technologies in place to ensure that data is classified and backed up will enable better storage, analysis, and processing of the email.

    Data loss prevention (DLP)

    Protect your data from being lost/stolen.

    • Protecting an email’s contents through data classification is only one approach for improving email security. Having a data loss prevention solution would further increase security by minimizing the threat of sensitive information leaving your organization’s email network.
    • Examples of tools embedded in DLP solutions that help monitor an organization's email communication:
      • Monitoring data sent and received from emails: This ensures the data within an email communication is protected with the necessary encryption based on its sensitivity.
      • Detecting suspicious email activity: This includes analyzing users’ email behavior regarding email attachments and identifying irregular behaviors.
      • Flagging or blocking email activities which may lead to data loss: This prevents highly sensitive data from being communicated via email and reduces the risk of information being intercepted.
    • The types of DLP technologies that can be leveraged include:
      • Rule-based: Data that has been tagged by admins as sensitive can be blocklisted, which would flag and/or block data from being sent via email.
      • Machine learning: Data on users’ email behavior is collected, processed, and trained to understand the employee’s normal email behavior and detect/flag suspicious activities.
    • Implementing DLP solutions would complement your data classification techniques by ensuring proper measures are in place to secure your organization’s assets through policies, technology, and tools.

    48% of employees have accidently attached the wrong file to an email.

    39% of respondents have accidently sent emails that contained security information such as passwords and passcodes.

    Source: Tessian, 2021.

    User awareness & training

    A strong security awareness & training program is an important element of strengthening your email security.

    • Having all these tools and techniques in place to improve your email security will not be effective unless you also improve your employees’ awareness.
    • Employees should participate in email security training, especially since the majority utilize this channel of communication for day-to-day operations.
    • User awareness and training should go beyond phishing campaigns and should highlight the various types of email-based threats, the characteristics of these threats, and what procedures they can follow to minimize these threats.
    • 95% of data breaches are caused by human error. It can take nine months to discover and contain them, and they are expected to cost $8 trillion this year (Mimecast, 2023).
    • Investments in employee awareness and training would mitigate these risks by ensuring employees recognize and report suspicious emails, remain mindful of what type of data to share via email, and improve their overall understanding of the importance of email security.

    Develop a Security Awareness and Training Program That Empowers End Users

    Leverage this Info-Tech blueprint for assistance on creating various user training materials and empower your employees to become a main line of defense for your organization.

    64% of organizations conduct formal training sessions (in-person or computer-based).

    74% of organizations only focus on providing phishing-based training.

    Source: Proofpoint, 2021.

    Examples of email-based threats

    Phishing
    Email sent by threat actors designed to manipulate end user into providing sensitive information by posing as a trustworthy source

    Business Email Compromise
    Attackers trick a user into sending money or providing confidential information

    Spam
    Users receive unsolicited email, usually in bulk, some of which contains malware

    Spear Phishing
    A type of phishing attack where the email is sent to specific and targeted emails within the organization

    Whaling
    A type of phishing attack similar to spear phishing, but targeting senior executives within the organization

    Password/Email Exposure
    Employees use organizational email accounts and passwords to sign up for social media, leaving them susceptible to email and/or password exposure in a social media breach

    Email policies

    Having policies in place will enable these controls to be implemented.

    Developing security policies that are reasonable, auditable, enforceable, and measurable ensures proper procedures are followed and necessary measures are implemented to protect the organization. Policies relating to email security can be categorized into two groups:

    • User policy: Policies employees must adhere to when using their corporate email. Examples:
      • User acceptance of technology: Acknowledgment of legitimate and restrictive actions when using corporate email
      • Security awareness and training: Acknowledging completion of email security training
    • Administrator-set policy: Policies that are implemented by IT and/or security admins. Examples:
      • Email backup: Policy on how long emails should be archived and processes for disposing of them
      • Log retention: Policy on how to retain, process, and analyze logs created from email servers
      • Throttling: Policies that limit the number of emails sent by a sender and the number of recipients per email and per day depending on the employee’s grouping

    Develop and Deploy Security Policies

    Leverage this Info-Tech blueprint for assistance on developing and deploying actionable policies and creating an overall policy management lifecycle to keep your policies current, effective, and compliant.

    Info-Tech Insight
    Policies ensure acceptable standards are in place to protect the organization’s assets, including the creation, attachment, sending, and receiving of emails.

    Email security technologies & tools (SoftwareReviews)

    SoftwareReviews, a division of Info-Tech Research Group, provides enterprise software reviews to help organizations make more efficient decisions during the software selection process. Reviews are provided by authenticated IT professionals who have leveraged the software and provide unbiased insights on different vendors and their products.

    Learn from the collective knowledge of real IT professionals.

    • Know the products and features available.
    • Explore modules and detailed feature-level data.
    • Quickly understand the market.

    Evaluate market leaders through vendor rankings and awards.

    • Convince stakeholders with professional reports.
    • Avoid pitfalls with unfiltered data from real users.
    • Choose software with confidence.

    Cut through misleading marketing material.

    • Negotiate contracts based on data.
    • Know what to expect before you sign.
    • Effectively manage the vendor.

    Email security technologies & tools

    Leverage these tools for an enhanced email security solution.

    Email Security Checklist

    Follow these guidelines to ensure you are implementing best practices for securing your organization’s emails.

    • The Email Security Checklist is a tool to assess the current and future state of your organization’s email security and provides a holistic understanding on monitoring your progress within each category and associated controls.
    • The status column allows you to select the feature’s current implementation status, which includes the following options:
      • Enabled: The feature is deployed within the organization’s network.
      • Implemented: The feature is implemented within the organization’s network, but not yet deployed.
      • Not implemented: The feature has not been enabled or implemented.
    • Comments can be added for each feature to provide details such as indicating the progress on enabling/implementing a feature and why certain features are not yet implemented.

    Email Security Checklist

    Download the Email Security Checklist tool

    Related Info-Tech Research

    Discover and Classify Your Data
    Leverage this Info-Tech blueprint for guidelines on implementing a data classification program for your organization.

    Develop a Security Awareness and Training Program That Empowers End Users
    Leverage this Info-Tech blueprint for assistance on creating various user training materials and empower your employees to become a main line of defense for your organization.

    Develop and Deploy Security Policies
    Leverage this Info-Tech blueprint for assistance on developing and deploying actionable policies and creating an overall policy management lifecycle to keep your policies current, effective, and compliant.

    Bibliography

    “10 Best Practices for Email Security in 2022.” TitanFile, 22 Sept. 2022. Web.

    “2021 State of the Phish.” Proofpoint, 2021. Web.

    Ahmad, Summra. “11 Email Security Best Practices You Shouldn't Miss (2023).” Mailmunch, 9 Mar. 2023. Web.

    “Blumira's State of Detection and Response.” Blumira, 18 Jan. 2023. Web.

    Clay, Jon. “Email Security Best Practices for Phishing Prevention.” Trend Micro, 17 Nov. 2022. Web.

    Crane, Casey. “6 Email Security Best Practices to Keep Your Business Safe in 2019.” Hashed Out by The SSL Store™, 7 Aug. 2019. Web.

    Hateb, Seif. “Basic Email Security Guide.” Twilio Blog, Twilio, 5 Dec. 2022. Web.

    “How DMARC Advances Email Security.” CIS, 9 July 2021. Web.

    Pal, Suryanarayan. “10 Email Security Best Practices You Should Know in 2023.” Mailmodo, 9 Feb. 2023. Web.

    Pitchkites, Max. “Email Security: A Guide to Keeping Your Inbox Safe in 2023.” Cloudwards, 9 Dec. 2022. Web.

    Rudra, Ahona. “Corporate Email Security Checklist.” PowerDMARC, 4 July 2022. Web.

    “Sender Policy Framework.” Mimecast, n.d. Web.

    Shea, Sharon, and Peter Loshin. “Top 15 Email Security Best Practices for 2023: TechTarget.” TechTarget, 14 Dec. 2022. Web.

    “The Email Security Checklist: Upguard.” UpGuard, 16 Feb. 2022. Web.

    “The State of Email Security 2023.” Mimecast, 2023. Web.

    Wetherald, Harry. “New Product - Stop Employees Emailing the Wrong Attachments.” Tessian, 16 Sept. 2021. Web.

    “What Is DMARC? - Record, Verification & More: Proofpoint Us.” Proofpoint, 9 Mar. 2023. Web.

    “What Is Email Security? - Defining Security of Email: Proofpoint Us.” Proofpoint, 3 Mar.2023. Web.

    Wilton, Laird. “How to Secure Email in Your Business with an Email Security Policy.” Carbide, 31 Jan. 2022. Web.

    2022 Tech Trends

    • Buy Link or Shortcode: {j2store}94|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • The post-pandemic workplace continues to shift and requires collaboration between remote workers and office workers.
    • Digital transformation has accelerated across every organization and CIOs must maneuver to keep pace.
    • Customer expectations have shifted, and spending habits are moving away from in-person activities to online.
    • IT must improve its maturity in key capabilities to maintain relevance in the organization.

    Our Advice

    Critical Insight

    • Improve the capabilities that matter. Focus on IT capabilities that are most relevant to competing in the digital economy and will enable the CEO's mission for growth.
    • Assess how external environment presents opportunities or threats to your organization using a scenarios approach, then chart a plan.

    Impact and Result

    • Use the data and analysis from Info-Tech's 2022 Tech Trends report to inform your digital strategic plan.
    • Discover the five trends shaping IT's path in 2022 and explore use cases for emerging technologies.
    • Hear directly from leading subject matter experts on each trend with featured episodes from our Tech Insights podcast.

    2022 Tech Trends Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. 2022 Tech Trends Report – A deck that discusses five use cases that can improve on your organization’s ability to compete in the digital economy.

    The post-pandemic pace of change continues to accelerate as the economic rapidly becomes more digital. To keep pace with shifting consumer expectations, CIOs must help the CEO compete in the digital economy by focusing on five key capabilities: innovation, human resources management, data architecture, security strategy, and business process controls and internal audit. Raising maturity in these capabilities will help CIOs deliver on opportunities to streamline back-office processes and develop new lines of revenue.

    • 2022 Tech Trends Report

    Infographic

    Further reading

    2022 Tech Trends

    Enabling the digital economy

    Supporting the CEO for growth

    The post-pandemic pace of change

    The disruptions to the way we work caused by the pandemic haven’t bounced back to normal.

    As part of its research process for the 2022 Tech Trends Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from August 2021 through to September 2021, collecting 475 responses. We asked some of the same questions as last year’s survey so we can compare results as well as new questions to explore new trends.

    How much do you expect your organization to change permanently compared to how it was operating before the pandemic?

    • 7% – No change. We'll keep doing business as we always have.
    • 33% – A bit of change. Some ways of working will shift long term
    • 47% – A lot of change. The way we work will be differ in many ways long term. But our business remains...
    • 13% – Transformative change. Our fundamental business will be different and we'll be working in new ways.

    This year, about half of IT professionals expect a lot of change to the way we work and 13% expect a transformative change with a fundamental shift in their business. Last year, the same percentage expected a lot of change and only 10% expected transformative change.

    30% more professionals expect transformative permanent change compared to one year ago.

    47% of professionals expect a lot of permanent change; this remains the same as last year. (Info-Tech Tech Trends 2022 Survey)

    The pandemic accelerated the speed of digital transformation

    With the massive disruption preventing people from gathering, businesses shifted to digital interactions with customers.

    A visualization of the growth of 'Global average share of customer interactions that are digital' from December 2019 to July 2020. In that time it went from 36% to 58% with an 'Acceleration of 3 years'.

    Companies also accelerated the pace of creating digital or digitally enhanced products and services.

    A visualization of the growth of 'Global average share of partially or fully digitized products and/or services' from December 2019 to July 2020. In that time it went from 35% to 55% with an 'Acceleration of 7 years'. (McKinsey, 2020)

    “The Digital Economy incorporates all economic activity reliant on or significantly enhanced by the use of digital inputs, including digital technologies, digital infrastructure, digital services and data.” (OECD Definition)

    IT must enable participation in the digital economy

    Consumer spending is tilting more digital.

    Consumers have cut back spending on sectors where purchases are mostly made offline. That spending has shifted to digital services and online purchases. New habits formed during the pandemic are likely to stick for many consumers, with a continued shift to online consumption for many sectors.

    Purchases on online platforms are projected to rise from 10% today to 33% by 2030.

    Estimated online share of consumption
    Recreation & culture 30%
    Restaurants & hotels 50%
    Transport 10%
    Communications 90%
    Education 50%
    Health 20%
    Housing & utilities 50%
    (HSBC, 2020)

    Changing customer expectations pose a risk.

    IT practitioners agree that customer expectations are changing. They expect this to be more likely to disrupt their business in the next 12 months than new competition, cybersecurity incidents, or government-enacted policy changes.

    Factors likely to disrupt business in next 12 months
    Government-enacted policy changes 22%
    Cybersecurity incidents 56%
    Regulatory changes 45%
    Established competitor wins 26%
    New player enters the market 23%
    Changing customer expectations 68%
    (Info-Tech Tech Trends 2022 Survey)

    This poses a challenge to IT departments below the “expand” level of maturity

    CIOs must climb the maturity ladder to help CEOs drive growth.

    Most IT departments rated their maturity in the “optimize” or “support” level on Info-Tech’s maturity ladder.

    CIOs at the “optimize” level can play a role in digital transformation by improving back-office processes but should aim for a higher mandate.

    CIOs achieving at the “expand” level can help directly improve revenues by improving customer-facing products and services, and those at the “transform” level can help fundamentally change the business to create revenue in new ways. CIOs can climb the maturity ladder by enabling new digital capabilities.

    Maturity is heading in the wrong direction.

    Only half of IT practitioners described their department’s maturity as “transform” compared to last year’s survey, and more than twice the number rated themselves as “struggle.”

    A colorful visualization of the IT 'Maturity Ladder' detailing levels of IT function within an organization. Percentages represent answers from IT practitioners to an Info-Tech survey about the maturity level of their company. Starting from the bottom: 13% answered 'Struggle', compared to 6% in 2020; 35% answered 'Support'; 37% answered 'Optimize'; 12% answered 'Expand'; and only 3% answered 'Transform', compared to 6% in 2020.

    48% rate their IT departments as low maturity.

    Improve maturity by focusing on key capabilities to compete in the digital economy

    Capabilities to unlock digital

    Innovation: Identify innovation opportunities and plan how to use technology innovation to create a competitive advantage or achieve improved operational effectiveness and efficiency.

    Human Resources Management: Provide a structured approach to ensure optimal planning, evaluation, and development of human resources.

    Data Architecture: Manage the business’ data stores, including technology, governance, and people that manage them. Establish guidelines for the effective use of data.

    Security Strategy: Define, operate, and monitor a system for information security management. Keep the impact and occurrence of information security incidents within risk appetite levels.

    Business Process Controls and Internal Audit: Manage business process controls such as self-assessments and independent assurance reviews to ensure information related to and used by business processes meets security and integrity requirements. (ISACA, 2020)

    A periodic table-esque arrangement of Info-Tech tools and templates titled 'IT Management and Governance Framework', subtitled 'A comprehensive and connected set of research to help you optimize and improve your core IT processes', and anchored by logos for Info-Tech and COBIT. Color-coded sections with highlighted tools or templates are: 'Strategy and Governance' with 'APO04 Innovation' highlighted; 'People and Resources' with 'APO07 Human Resources Management' highlighted; 'Security and Risk' with 'APO13 Security Strategy' and 'DSS06 MEA02 Business Process Controls and Internal Audit' highlighted; 'Data and BI' with 'ITRG07 Data Architecture' highlighted. Other sections are 'Financial Management', 'Service planning and architecture', 'Infrastructure and operations', 'Apps', and 'PPM and projects'.

    5 Tech Trends for 2022

    In this report, we explore five use cases for emerging technology that can improve on capabilities needed to compete in the digital economy. Use cases combine emerging technologies with new processes and strategic planning.

    DIGITAL ECONOMY

    TREND 01 | Human Resources Management

    HYBRID COLLABORATION
    Provide a digital employee experience that is flexible, contextual, and free from the friction of hybrid operating models.

    TREND 02 | Security Strategy

    BATTLE AGAINST RANSOMWARE
    Prevent ransomware infections and create a response plan for a worst-case scenario. Collaborate with relevant external partners to access resources and mitigate risks.

    TREND 03 | Business Process Controls and Internal Audit

    CARBON METRICS IN ENERGY 4.0
    Use internet of things (IoT) and auditable tracking to provide insight into business process implications for greenhouse gas emissions.

    TREND 04 | Data Architecture

    INTANGIBLE VALUE CREATION
    Provide governance around digital marketplace and manage implications of digital currency. Use blockchain technology to turn unique intellectual property into saleable digital products

    TREND 05 | Innovation

    AUTOMATION AS A SERVICE
    Automate business processes and access new sophisticated technology services through platform integration.

    Hybrid Collaboration

    TREND 01 | HUMAN RESOURCES MANAGEMENT

    Provide a digital employee experience that is flexible, contextual, and free from the friction of hybrid operating models.

    Emerging technologies:
    Intelligent conference rooms; intelligent workflows, platforms

    Introduction

    Hybrid work models enable productive, diverse, and inclusive talent ecosystems necessary for the digital economy.

    Hybrid work models have become the default post-pandemic work approach as most knowledge workers prefer the flexibility to choose whether to work remotely or come into the office. CIOs have an opportunity lead hybrid work by facilitating collaboration between employees mixed between meeting at the office and virtually.

    IT departments rose to the challenge to quickly facilitate an all-remote work scenario for their organizations at the outset of the pandemic. Now they must adapt again to facilitate the hybrid work model, which brings new friction to collaboration but also new opportunities to hire a talented, engaged, and diverse workforce.

    79% of organizations will have a mix of workers in the office and at home. (Info-Tech Tech Trends 2022 Survey)

    35% view role type as a determining factor in the feasibility of the hybrid work model.

    Return-to-the-office tensions

    Only 18% of employees want to return to the office full-time.

    But 70% of employers want people back in the office. (CNBC, April 2021)

    Signals

    IT delivers the systems needed to make the hybrid operating model a success.

    IT has an opportunity to lead by defining the hybrid operating model through technology that enables collaboration. To foster collaboration, companies plan to invest in the same sort of tools that helped them cope during the pandemic.

    As 79% of organizations envision a hybrid model going forward, investments into hybrid work tech stacks – including web conferencing tools, document collaboration tools, and team workspaces – are expected to continue into 2022.

    Plans for future investment in collaboration technologies

    Web Conferencing 41%
    Document Collaboration and Co-Authoring 39%
    Team Workspaces 38%
    Instant Messaging 37%
    Project and Task Management Tools 36%
    Office Meeting Room Solutions 35%
    Virtual Whiteboarding 30%
    Intranet Sites 21%
    Enterprise Social Networking 19%
    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    COVID-19

    Vaccination rates around the world are rising and allowing more offices to welcome back workers because the risk of COVID-19 transmission is reduced and jurisdictions are lifting restrictions limiting gatherings.

    Worker satisfaction

    Most workers don't want to go to the office full-time. In a Bloomberg poll (2021), almost half of millennial and Gen Z workers say they would quit their job if not given an option to work remotely.

    IT spending

    Companies are investing more into IT budgets to find ways to support a mix of remote work and in-office resources to cope with work disruption. This extra spending is offset in some cases by companies saving money from having employees work from home some portion of the time. (CIO Dive, 2021)

    Risks and Benefits

    Benefits

    Flexibility Employees able to choose between working from home and working in the office have more control over their work/life balance.
    Intelligence Platforms that track contextual work relationships can accelerate workflows through smart recommendations that connect people at the right time, in the right place.
    Talent Flexible work arrangements provide businesses with access to the best talent available around the world and employees with more career options as they work from a home office (The Official Microsoft Blog, 2021).

    Risks

    Uncertainty The pandemic lacks a clear finish line and local health regulations can still waver between strict control of movement and open movement. There are no clear assurances of what to expect for how we'll work in the near future.
    FOMO With some employees going back to the office while others remain at home, employee bases could be fractured along the lines of those seeing each other in person every day and those still connecting by videoconference.
    Complexity Workers may not know in advance whether they're meeting certain people in person or online, or a mix of the two. They'll have to use technology on the fly to try and collaborate across a mixed group of people in the office and people working remotely (McKinsey Quarterly, 2021).

    “We have to be careful what we automate. Do we want to automate waste? If a company is accustomed to having a ton of meetings and their mode in the new world is to move that online, what are you going to do? You're going to end up with a lot of fatigue and disenchantment…. You have to rethink your methods before you think about the automation part of it." (Vijay Sundaram, Chief Strategy Officer, Zoho)

    Photo of Vijay Sundaram, Chief strategy officer, Zoho.

    Listen to the Tech Insights podcast: Unique approach to hybrid collaboration

    Case Study: Zoho

    Situation

    Zoho Corp. is a cloud software firm based in Chennai, India. It develops a wide range of cloud software, including enterprise collaboration software and productivity tools. Over the past decade, Zoho has used flexible work models to grant remote work options to some employees.

    When the coronavirus pandemic hit, not only did the office have to shut down but also many employees had to relocate back with families in rural areas. The human costs of the pandemic experienced by staff required Zoho to respond by offering counseling services and material support to employees.

    Complication

    Zoho prides itself as an employee-centric company and views its culture as a community that's purpose goes beyond work. That sense of community was lost because of the disruption caused by the pandemic. Employees lost their social context and their work role models. Zoho had to find a way to recreate that without the central hub of the office or find a way to work with the limitations of it not being possible.

    Resolution

    To support employees in rural settings, Zoho sent out phones to provide redundant bandwidth. As lockdowns in India end, Zoho is taking a flexible approach and giving employees the option to come to the office. It's seeing more people come back each week, drawn by the strong community.

    Zoho supports the hybrid mix of workers by balancing synchronous and asynchronous collaboration. It holds meetings when absolutely necessary through tools like Zoho Meet but tries to keep more work context to asynchronous collaboration that allows people to complete tasks quickly and move on. Its applications are connected to a common platform that is designed to facilitate workflows between employees with context and intelligence. (Interview with Vijay Sundaram, Chief Strategy Officer, Zoho)

    “We tend to think of it on a continuum of synchronous to asynchronous work collaboration. It’s become the paramount norm for so many different reasons…the point is people are going to work at different times in different locations. So how do we enable experiences where everyone can participate?" (Jason Brommet, Head of Modern Work and Security Business Group at Microsoft)

    Photo of Jason Brommet, Head of Modern Work and Security Business Group at Microsoft.

    Listen to the Tech Insights podcast: Microsoft on the ‘paradox of hybrid work’

    Case Study: Microsoft

    Situation

    Before the pandemic, only 18% of Microsoft employees were working remotely. As of April 1, 2020, they were joined by the other 82% of non-essential workers at the company in working remotely.

    As with its own customers, Microsoft used its own software to enable this new work experience, including Microsoft Teams for web conferencing and instant messaging and Office 365 for document collaboration. Employees proved just as productive getting their work done from home as they were working in the office.

    Complication

    At Microsoft, the effects of firm-wide remote work changed the collaboration patterns of the company. Even though a portion of the company was working remotely before the pandemic, the effects of everyone working remotely were different. Employees collaborated in a more static and siloed way, focusing on scheduled meetings with existing relationships. Fewer connections were made with more disparate parts of the organization. There was also a decrease in synchronous communication and an increase in asynchronous communication.

    Resolution

    Microsoft is creating new tools to break down the silos in organizations that are grappling with hybrid work challenges. For example, Viva Insights is designed to inform workers about their collaboration habits with analytics. Microsoft wants to provide workers with insights on their collaborative networks and whether they are creating new connections or deepening existing connections. (Interview with Jason Brommet, Head of Modern Work and Security Business Group, Microsoft; Nature Human Behaviour, 2021)

    What's Next?

    Distributed collaboration space:

    International Workplace Group says that more companies are taking advantage of its full network deals on coworking spaces. Companies such as Standard Charter are looking to provide their workers with a happy compromise between working from home and making the commute all the way to the central office. The hub-and-spoke model gives employees the opportunity to work near home and looks to be part of the hybrid operating model mix for many companies. (Interview with Wayne Berger, CEO of IWG Canada & Latin America)

    Optimized hybrid meetings:

    Facilitating hybrid meetings between employees grouped in the office and remote workers will be a major pain point. New hybrid meeting solutions will provide cameras embedded with intelligence to put boardroom participants into independent video streams. They will also focus on making connecting to the same meeting from various locations as convenient as possible and capture clear and crisp audio from each speaker.

    Uncertainties

    Mix between office and remote work:

    It's clear we're not going to work the way we used to previously with central work hubs, but full-on remote work isn't the right path forward either. A new hybrid work model is emerging, and organizations are experimenting to find the right approach.

    Attrition:

    Between April and September 2021, 15 million US workers quit their jobs, setting a record pace. Employees seek a renewed sense of purpose in their work, and many won’t accept mandates to go back to the office. (McKinsey, 2021)

    Equal footing in meetings:

    What are the new best practices for conducting an effective meeting between employees in the office and those who are remote? Some companies ask each employee to connect via a laptop. Others are using conference rooms with tech to group in-office workers together and connect them with remote workers.

    Hybrid Collaboration Scenarios

    Organizations can plan their response to the hybrid work context by plotting their circumstances across two continuums: synchronous to asynchronous collaboration approach and remote work to central hub work model.

    A map of hybrid collaboration scenarios with two axes representing 'Work Context, From all remote work to gathering in a central hub' and 'Collaboration Style, From collaborating at the same time to collaborating at different times'. The axes split the map into quarters. 'Work Context' ranges from 'Remote Work' on the left to 'Central Hub' on the right. 'Collaboration Style' ranges from 'Synchronous' on top to 'Asynchronous' on bottom. The top left quarter, synchronous remote work, reads 'Virtual collective collaboration via videoconference and collaboration software, with some workers meeting in coworking spaces.' The top right quarter, synchronous central hub, reads 'In-person collective collaboration in the office.' The bottom left quarter, asynchronous remote work, reads 'Virtual group collaboration via project tracking tools and shared documents.' The bottom right quarter, asynchronous central hub, reads 'In-person group collaboration in coworking spaces and the main office.'

    Recommendations

    Rethink technology solutions. Don't expect your pre-pandemic videoconference rooms to suffice. And consider how to optimize your facilities and infrastructure for hot-desking scenarios.

    Optimize remote work. Shift from the collaboration approach you put together just to get by to the program you'll use to maximize flexibility.

    Enable effective collaboration. Enable knowledge sharing no matter where and when your employees work and choose the best collaboration software solutions for your scenario.

    Run better meetings. Successful hybrid workplace plans must include planning around hybrid meetings. Seamless hybrid meetings are the result of thoughtful planning and documented best practices.

    89% of organizations invested in web conferencing technology to facilitate better collaboration, but only 43% invested in office meeting room solutions. (Info-Tech Tech Trends 2022 Survey)

    Info-Tech Resources

    Battle Against Ransomware

    TREND 02 | SECURITY STRATEGY

    Prevent ransomware infections and create a response plan for a worst-case scenario. Collaborate with relevant external partners to access resources and mitigate risks.

    Emerging technologies:
    Open source intelligence; AI-powered threat detection

    “It has been a national crisis for some time…. For every [breach] that hits the news there are hundreds that never make it.” (Steve Orrin, Federal Chief Technology Officer, Intel)

    Photo of Steve Orrin, Federal Chief Technology Officer, Intel.

    Listen to the Tech Insights podcast: Ransomware crisis and AI in military

    Introduction

    Between 2019 and 2020, ransomware attacks rose by 62% worldwide and by 158% in North America. (PBS NewsHour, 2021)

    Security strategies are crucial for companies to control access to their digital assets and confidential data, providing it only to the right people at the right time. Now security strategies must adapt to a new caliber of threat in ransomware to avoid operational disruption and reputational damage.

    In 2021, ransomware attacks exploiting flaws in widely used software from vendors Kaseya, SolarWinds, and Microsoft affected many companies and saw record-breaking ransomware payments made to state-sponsored cybercriminal groups.

    After a ransomware attack caused Colonial Pipeline to shut down its pipeline operations across the US, the ransomware issue became a topic of federal attention with executives brought before Senate committees. A presidential task force to combat ransomware was formed.

    62% of IT professionals say they are more concerned about being a victim of ransomware than they were one year ago. (Info-Tech Tech Trends 2022 Survey)

    $70 million demanded by REvil gang in ransom to unlock firms affected by the Kaseya breach. (TechRadar, 2021)

    Signals

    Organizations are taking a multi-faceted approach to preparing for the event of a ransomware breach.

    The most popular methods to prepare for ransomware are to buy an insurance policy or create offline backups and redundant systems. Few are making an effort to be aware of free decryption tools, and only 2% admit to budgeting to pay ransoms.

    44% of IT professionals say they spent time and money specifically to prevent ransomware over the past year. (Info-Tech Tech Trends 2022 Survey)

    Approaches to prepare for ransomware

    Kept aware of free decryption tools available 9%
    Set aside budget to pay ransoms 2%
    Designed network to contain ransomware 24%
    Implemented technology to eradicate ransomware 36%
    Created a specific incident response plan for ransomware 26%
    Created offline backups and redundant systems 41%
    Purchased insurance covering cyberattacks 47%

    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    National security concerns

    Attacks on US infrastructure and government agencies have prompted the White House to treat ransomware as a matter of national security. The government stance is that Russia supports the attacks. The US is establishing new mechanisms to address the threat. Plans include new funding to support ransomware response, a mandate for organizations to report incidents, and requirements for organizations to consider the alternatives before paying a ransom. (Institute for Security and Technology, 2021)

    Advice from cybersecurity insurance providers

    Increases in ransom payouts have caused cybersecurity insurance providers to raise premiums and put in place more security requirements for policyholders to try and prevent ransomware infection. However, when clients are hit with ransomware, insurance providers advise to pay the ransom as it's usually the cheapest option. (ProPublica, 2019)

    Reputational damage

    Ransomware attacks also often include a data breach event with hackers exfiltrating the data before encrypting it. Admitting a breach to customers can seriously damage an organization's reputation as trustworthy. Organizations may also be obligated to pay for credit protection of their customers. (Interview with Frank Trovato, Research Director – Infrastructure, Info-Tech Research Group)

    Risks and Benefits

    Benefits

    Privacy Protecting personal data from theft improves people’s confidence that their privacy is being respected and they are not at risk of identity theft.
    Productivity Ransomware can lock out employees from critical work systems and stop them from being able to complete their tasks.
    Access Ransomware has prevented public access to transportation, healthcare, and any number of consumer services for days at a time. Ransomware prevention ensures public service continuity.

    Risks

    Expenses Investing in cybersecurity measures to protect against attacks is becoming more expensive, and recently cybersecurity insurance premiums have gone up in response to expensive ransoms.
    Friction More security requirements could create friction between IT priorities and business priorities in trying to get work done.
    Stability If ransomware attacks become worse or cybercriminals retaliate for not receiving payments, people could find their interactions with government services and commercial services are disrupted.

    Case Study: Victim to ransomware

    Situation

    In February 2020, a large organization found a ransomware note on an admin’s workstation. They had downloaded a local copy of the organization’s identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

    Complication

    Because private information of employees and customers was breached, the organization decided to voluntarily inform the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

    The organization decided not to pay the ransom because it didn’t need the data back, since it had a copy on an unaffected server.

    Resolution

    After a one-day news cycle for the breach, the story about the ransom was over. The organization also received praise for handling the situation well and quickly informing stakeholders.

    The breach motivated the organization to put more protections in place. It implemented a deny-by-default network and turned off remote desktop protocol and secure shell. It mandated multi-factor authentication and put in a new endpoint-detection and response system. (Interview with CIO of large enterprise)

    What's Next

    AI for cybersecurity:

    New endpoint protections using AI are being deployed to help defend against ransomware and other cybersecurity intrusions. The solutions focus on the prevention and detection of ransomware by learning about the expected behavior of an environment and then detecting anomalies that could be attack attempts. This type of approach can be applied to everything from reading the contents of an email to helping employees detect phishing attempts to lightweight endpoint protection deployed to an Internet of Things device to detect an unusual connection attempt.

    Unfortunately, AI is a tool available to both the cybersecurity industry and hackers. Examples of hackers tampering with cybersecurity AI to bypass it have already surfaced. (Forbes, 23 Sept. 2021)

    Uncertainties

    Government response:

    In the US, the Ransomware Task Force has made recommendations to the government but it's not clear whether all of them will be followed. Other countries such as Russia are reported to be at least tolerating ransomware operations if not supporting them directly with resources.

    Supply chain security:

    Sophisticated attacks using zero-day exploits in widely used software show that organizations simply can't account for every potential vulnerability.

    Arms escalation:

    The ransomware-as-a-service industry is doing good business and finding new ways to evade detection by cybersecurity vendors. New detection techniques involving AI are being introduced by vendors, but will it just be another step in the back-and-forth game of one-upmanship? (Interview with Frank Trovato)

    Battle Against Ransomware Scenarios

    Determine your organization’s threat profile for ransomware by plotting two variables: the investment made in cybersecurity and the sophistication level of attacks that you should be prepared to guard against.

    A map of Battle Against Ransomware scenarios with two axes representing 'Attack Sophistication, From off-the-shelf, ransomware-as-a-service kits to state-sponsored supply chain attacks' and 'Investment in Cybersecurity, From low, minimal investment to high investment for a multi-layer approach.'. The axes split the map into quarters. 'Attack Sophistication' ranges from 'Ransomware as a Service' on the left to 'State-Sponsored' on the right. 'Investment in Cybersecurity' ranges from 'High' on top to 'Low' on bottom. The top left quarter, highly invested ransomware as a service, reads 'Organization is protected from most ransomware attacks and isn’t directly targeted by state-sponsored attacks.' The top right quarter, highly invested state-sponsored, reads 'Organization is protected against most ransomware attacks but could be targeted by state-sponsored attacks if considered a high-value target.' The bottom left quarter, low investment ransomware as a service, reads 'Organization is exposed to most ransomware attacks and is vulnerable to hackers looking to make a quick buck by casting a wide net.' The bottom right quarter, low investment state-sponsored, reads 'Organization is exposed to most ransomware attacks and risks being swept up in a supply chain attack by being targeted or as collateral damage.'

    Recommendations

    Create a ransomware incident response plan. Assess your current security practices and identify gaps. Quantify your ransomware risk to prioritize investments and run tabletop planning exercises for ransomware attacks.

    Reduce your exposure to ransomware. Focus on securing the frontlines by improving phishing awareness among staff and deploying AI tools to help flag attacks. Use multi-factor authentication. Take a zero-trust approach and review your use of RDP, SSH, and VPN.

    Require security in contracts. Security must be built into vendor contracts. Government contracts are now doing this, elevating security to the same level as functionality and support features. This puts money incentives behind improving security. (Interview with Intel Federal CTO Steve Orrin)

    42% of IT practitioners feel employees must do much more to help defend against ransomware. (Info-Tech Tech Trends 2022 Survey)

    Info-Tech Resources

    Carbon Metrics in Energy 4.0

    TREND 03 | BUSINESS PROCESS CONTROLS AND INTERNAL AUDIT

    Use Internet of Things (IoT) and auditable tracking to provide insight into business process implications for greenhouse gas emissions.

    Emerging technologies:
    IoT

    Introduction

    Making progress towards a carbon-neutral future.

    A landmark report published in 2021 by the United Nations Intergovernmental Panel on Climate Change underlines that human actions can still determine the future course of climate change. The report calls on governments, individuals, and organizations to stop putting new greenhouse gas emissions into the atmosphere no later than 2050, and to be at the halfway point to achieving that by 2030.

    With calls to action becoming more urgent, organizations are making plans to reduce the use of fossil fuels, move to renewable energy sources, and reduce consumption that causes more emissions downstream. As both voluntary and mandatory regulatory requirements task organizations with reducing emissions, they will first be challenged to accurately measure the size of their footprint.

    CIOs in organizations are well positioned to make conscious decisions to both influence how technology choices impact carbon emissions and implement effective tracking of emissions across the entire enterprise.

    Canada’s CIO strategy council is calling on organizations to sign a “sustainable IT pledge” to cut emissions from IT operations and supply chain and to measure and disclose emissions annually. (CIO Strategy Council, Sustainable IT Pledge)

    SCOPE 3 – Indirect Consumption

    • Goods and services
    • Fuel, travel, distribution
    • Waste, investments, leased assets, employee activity

    SCOPE 2 – Indirect Energy

    • Electricity
    • Heat and cooling

    SCOPE 1 – Direct

    • Facilities
    • Vehicles

    Signals

    Emissions tracking requires a larger scope.

    About two-thirds of organizations have a commitment to reduce greenhouse gas emissions. When asked about what tactics they use to reduce emissions, the most popular options affect either scope 1 emissions (retiring older IT equipment) or scope 2 emissions (using renewable energy sources). Fewer are using tactics that would measure scope 3 emissions such as using IoT to track or using software or AI.

    68% of organizations say they have a commitment to reduce greenhouse gas emissions. (Info-Tech Tech Trends 2022 Survey)

    Approaches to reducing carbon emissions

    Using "smart technologies" or IoT to help cut emissions 12%
    Creating incentive programs for staff to reduce emissions 10%
    Using software or AI to manage energy use 8%
    Using external DC or cloud on renewable energy 16%
    Committing to external emissions standards 15%
    Retiring/updating older IT equipment 33%
    Using renewable energy sources 41%

    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    Investor pressure

    The world’s largest asset manager, at $7 trillion in investments, says it will move away from investing in firms that are not aligned to the Paris Agreement. (The New York Times, 2020)

    Compliance tipping point

    International charity CDP has been collecting environmental disclosure from organizations since 2002. In 2020, more than 9,600 of the world’s largest companies – representing over 50% of global market value – took part. (CDP, 2021)

    International law

    In 2021, six countries have net-zero emissions policies in law, six have proposed legislations, and 20 have policy documents. (Energy & Climate Intelligence Unit, 2021)

    Employee satisfaction

    In 2019, thousands of workers walked out of offices of Amazon, Google, Twitter, and Microsoft to demand their employers do more to reduce carbon emissions. (NBC News, 2021)

    High influence factors for carbon reduction

    • 25% – New government laws or policies
    • 9% – External social pressures
    • 9% – Pressure from investors
    • 8% – International climate compliance efforts
    • 7% – Employee satisfaction

    (Info-Tech Tech Trends 2022 Survey)

    Risks and Benefits

    Benefits

    Trust Tracking carbon emissions creates transparency into an organization’s operations and demonstrates accountability to its carbon emissions reduction goals.
    Innovation As organizations become more proficient with carbon measurement and modeling, insights can be leveraged as a decision-making tool.
    Resilience Reducing energy usage shrinks your carbon footprint, increases operational efficiency, and decreases energy costs.

    Risks

    Regulatory Divergence Standardization of compliance enforcement around carbon emissions is a work in progress. Several different voluntary frameworks exist, and different governments are taking different approaches including taxation and cap-and-trade markets.
    Perceptions Company communications that speak to emissions reduction targets without providing proof can be accused of “greenwashing” or falsely trying to improve public perception.
    Financial Pain Institutional investments are requiring clear commitments and plans to reduce greenhouse gases. Some jurisdictions are now taxing carbon emissions.

    “When you can take technology and embed that into management change decisions that impact the environment, you can essentially guarantee that [greenhouse gas] offset. Companies that are looking to reduce their emissions can buy those offsets and it creates value for everybody.” (Wade Barnes, CEO and founder of Farmers Edge)

    Photo of Wade Barnes, CEO and founder of Farmers Edge.

    Listen to the Tech Insights podcast: The future of farming is digital

    Case Study

    Situation

    The Alberta Technology Innovation and Emissions Reduction Regulation is Alberta’s approach to reduce emissions from large industrial emitters. It prices GHG and provides a trading system.

    No-till farming and nitrogen management techniques sequester up to 0.3 metric tons of GHG per year.

    Complication

    Farmers Edge offers farmers a digital platform that includes IoT and a unified data warehouse. It can turn farm records into digital environmental assets, which are aggregated and sold to emitters.

    Real-time data from connected vehicles, connected sensors, and other various inputs can be verified by third-party auditors.

    Resolution

    Farmers Edge sold aggregated carbon offsets to Alberta power producer Capital Power to help it meet regulatory compliance.

    Farmers Edge is expanding its platform to include farmers in other provinces and in the US, providing them opportunity to earn revenue via its Smart Carbon program.

    The firm is working to meet standards outlined by the U.S. Department of Agriculture’s Natural Resources Conservation Service. (Interview with Wade Barnes, CEO, Farmers Edge)

    What's Next

    Global standards:

    The International Sustainability Standards Board (ISSB) has been formed by the International Financial Reporting Standards Foundation and will have its headquarters location announced in November at a United Nations conference. The body is already governing a set of global standards that have a roadmap for development through 2023 through open consultation. The standards are expected to bring together the multiple frameworks for sustainability standards and offer one global set of standards. (Business Council of Canada, 2021)

    CIOs take charge:

    The CIO is well positioned to take the lead role on corporate sustainability initiatives, including measuring and reducing an organization’s carbon footprint (or perhaps even monetizing carbon credits for an organization that is a negative emitter). CIOs can use their position as facilities managers and cross-functional process owners and mandate to reduce waste and inefficiency to take accountability for this important role. CIOs will expand their roles to deliver transparent and auditable reporting on environmental, social, and governance (ESG) goals for the enterprise.

    Uncertainties

    International resolve:

    Fighting the climate crisis will require governments and private sector collaboration from around the world to commit to creating new economic structures to discourage greenhouse gas emissions and incentivize long-term sustainable thinking. If some countries or private sector forces continue to prioritize short-term gains over sustainability, the U.N.’s goals won’t be achieved and the human costs as a result of climate change will become more profound.

    Cap-and-trade markets:

    Markets where carbon credits are sold to emitters are organized by various jurisdictions around the world and have different incentive structures. Some are created by governments and others are voluntary markets created by industry. This type of organization for these markets limits their size and makes it hard to scale the impact. Organizations looking to sell carbon credits at volume face the friction of having to navigate different compliance rules for each market they want to participate in.

    Carbon Metrics in Energy 4.0 Scenarios

    Determine your organization’s approach to measuring carbon dioxide and other greenhouse gas emissions by considering whether your organization is likely to be a high emitter or a carbon sink. Also consider your capability to measure and report on your carbon footprint.

    A map of Carbon Metrics in Energy 4.0 scenarios with two axes representing 'Quantification Capability, From not tracking any emissions whatsoever to tracking all emissions at every scope' and 'Greenhouse Gas Emissions, From mitigating more emissions than you create to emitting more than regulations allow'. The axes split the map into quarters. 'Quantification Capability' ranges from 'No Measures' on the left to 'All Emissions Measured' on the right. 'Greenhouse Gas Emissions' ranges from 'More Than Allowed' on top to 'Net-Negative' on bottom. The top left quarter, no measures and more than allowed, reads 'Companies that are likely to be high emitters and not measuring will attract the most scrutiny from regulators and investors.' The top right quarter, all measured and more than allowed, reads 'Companies emit more than regulators allow but the measurements show a clear path to mitigation through the purchase of carbon credits.' The bottom left quarter, no measures and net-negative, reads 'Companies able to achieve carbon neutrality or even be net-negative in emissions but unable to demonstrate it will still face scrutiny from regulators.' The bottom right quarter, all measured and net-negative, reads 'Companies able to remove more emissions than they create have an opportunity to aggregate those reductions and sell on a cap-and-trade market.'

    Recommendations

    Measure the whole footprint. Devise a plan to measure scope 1, 2, and 3 greenhouse gas emissions at a level that is auditable by a third party.

    Gauge the impact of Industry 4.0. New technologies in Industry 4.0 include IoT, additive manufacturing, and advanced analytics. Make sustainability a core part of your focus as you plan out how these technologies will integrate with your business.

    Commit to net zero. Make a clear commitment to achieve net-zero emissions by a specific date as part of your organization’s core strategy. Take a continuous improvement approach to make progress towards the goal with measurable results.

    New laws from governments will have the highest degree of influence on an organization’s decision to reduce emissions. (Info-Tech Tech Trends 2022 Survey)

    Info-Tech Resources

    Intangible Value Creation

    TREND 04 | DATA ARCHITECTURE

    Use blockchain technology to turn unique intellectual property into saleable digital products. Provide governance around marketplaces where sales are made.

    Emerging technologies:
    Blockchain, Distributed Ledger Technology, Virtual Environments

    Introduction

    Decentralized technologies are propelling the digital economy.

    As the COVID-19 pandemic has accelerated our shift into virtual social and economic systems, blockchain technology poses a new technological frontier – further disrupting digital interactions and value creation by providing a modification of data without relying on third parties. New blockchain software developments are being used to redefine how central banks distribute currency and to track provenance for scarce digital assets.

    Tokenizing the blockchain

    Non-fungible tokens (NFTs) are distinct cryptographic tokens created from blockchain technology. The rarity systems in NFTs are redefining digital ownership and being used to drive creator-centric communities.

    Not crypto-currency, central currency

    Central Bank Digital Currencies (CBDC) combine the same architecture of cryptocurrencies built on blockchain with the financial authority of a central bank. These currencies are not decentralized because they are controlled by a central authority, rather they are distributed systems. (Decrypt, 2021)

    80% of banks are working on a digital currency. (Atlantic Council, 2021)

    Brands that launched NFTs

    NBA, NFL, Formula 1, Nike, Stella Artois, Coca-Cola, Mattel, Dolce & Gabbana, Ubisoft, Charmin

    Banks that launched digital currencies

    The Bahamas, Saint Kitts and Nevis, Antigua and Barbuda, Saint Lucia, Grenada

    Signals

    ID on the blockchain

    Blockchains can contain smart contracts that automatically execute given specific conditions, protecting stakeholders involved in a transaction. These have been used by central banks to automate when and how currency can be spent and by NFT platforms to attribute a unique identity to a digital asset. Automation and identity verification are the most highly valued digital capabilities of IT practitioners.

    $69.3 million – The world’s most expensive NFT artwork sale, for Beeple’s “Everydays: The First 5,000 Days” (The New York Times, Mar. 2021)

    Digital capabilities that provide high value to the organization

    E-commerce 50%
    Automation 79%
    Smart contracts 42%
    Community building and engagement 55%
    Real-time payments 46%
    Tracking provenance 33%
    Identity verification 74%

    (Info-Tech Tech Trends 2022 Survey)

    Drivers

    Financial autonomy

    Central banks view cryptocurrencies as "working against the public good" and want to maintain control over their financial system to maintain the integrity of payments and provide financial crime oversight and protections against money laundering. (Board of Governors of the Federal Reserve System, 2021)

    Bitcoin energy requirements and greenhouse gas emissions

    Annual energy consumption of the Bitcoin blockchain in China is estimated to peak in 2024 at 297 TwH and generate 130.5 million metric tons of carbon emissions. That would exceed the annual GHG of the Czech Republic and Qatar and rank in the top 10 among 182 cities and 42 industrial sectors in China. This is motiving cryptocurrency developers and central banks to move away from the energy-intensive "Proof of Work" mining approach and towards the "Proof of Stake" approach. (Nature Communications, 2021)

    Digital communities

    During the pandemic, people spent more time exploring digital spaces and interacting in digital communities. Asset ownership within those communities is a way for individuals to show their own personal investment in the community and achieve a status that often comes with additional privileges. The digital assets can also be viewed as an investment vehicle or to gain access to exclusive experiences.

    “The pillars of the music economy have always been based on three things that the artist has never had full control of. The idea of distribution is freed up. The way we are going to connect to fans in this direct to fan value prop is very interesting. The fact we can monetize it, and that money exchange, that transaction is immediate. And on a platform like S!NG we legitimately have a platform to community build…. Artists are getting a superpower.” (Raine Maida, Chief Product Officer, S!NG Singer, Our Lady Peace)

    Raine Maida, Chief Product Officer, S!NG, and Singer, Our Lady Peace.

    Listen to the Tech Insights podcast: Raine Maida's startup is an NFT app for music

    Case Study

    Situation

    Artists can create works and distribute them to a wide audience more easily than ever with the internet. Publishing a drawing or a song to a website allows it to be infinitely copied. Creators can use social media accounts and digital advertisements to build up a fan base for their work and monetize it through sales or premium-access subscriber schemes.

    Complication

    The internet's capacity for frictionless distribution is a boon and a burden for artists at the same time. Protecting copyright in a digital environment is difficult because there is no way to track a song or a picture back to its creator. This devalues the work because it can be freely exchanged by users.

    Resolution

    S!NG allows creators to mint their works with a digital token that stamps its origin to the file and tracks provenance as it is reused and adapted into other works. It uses the ERC 721 standard on the Ethereum blockchain to create its NFT tokens. They are portable files that the user can create for free on the S!NG platform and are interoperable with other digital token platforms. This enables a collaboration utility by reducing friction in using other people's works while giving proper attribution. Musicians can create mix tracks using the samples of others’ work easily and benefit from a smart-contract-based revenue structure that returns money to creators when sales are made. (Interview with Geoff Osler and Raine Maida, S!NG Executives)

    Risks and Benefits

    Benefits

    Autonomy Digital money and assets could proliferate the desire for autonomy as users have greater control over their assets (by cutting out the middlemen, democratizing access to investments, and re-claiming ownership over intangible data).
    Community Digital worlds and assets offer integrated and interoperable experiences influenced by user communities.
    Equity Digital assets allow different shareholder equity models as they grant accessible and affordable access to ownership.

    Risks

    Volatility Digital assets are prone to volatile price fluctuations. A primary reason for this is due to its perceived value relative to the fiat currency and the uncertainty around its future value.
    Security While one of the main features of blockchain-based digital assets is security, digital assets are vulnerable to breaches during the process of storing and trading assets.
    Access Access to digital marketplaces requires a steep learning curve and a base level of technical knowledge.

    What's Next

    Into the Metaverse:

    Digital tokens are finding new utility in virtual environments known as the Metaverse. Decentraland is an example of a virtual reality environment that can be accessed via a web browser. Based on the Ethereum blockchain, it's seen sales of virtual land plots for hundreds of thousands of dollars. Sotheby's is one buyer, building a digital replica of its New Bond Street gallery in London, complete with commissionaire Hans Lomuldur in avatar form to greet visitors. The gallery will showcase and sell Sotheby's digital artworks. (Artnet News, 2021)

    Bitcoin as legal tender:

    El Salvador became the first country in the world to make Bitcoin legal tender in September 2021. The government intended for this to help citizens avoid remittance fees when receiving money sent from abroad and to provide a way for citizens without bank accounts to receive payments. Digital wallet Chivo launched with technical glitches and in October a loophole that allowed “price scalping” had to be removed to stop speculators from using the app to trade for profit. El Salvador’s experiment will influence whether other countries consider using Bitcoin as legal tender. (New Scientist, 2021)

    Uncertainties

    Stolen goods at the mint:

    William Shatner complained that Twitter account @tokenizedtweets had taken his content without permission and minted tokens for sale. In doing so, he pointed out there’s no guarantee a minted digital asset is linked to the creator of the attached intellectual property.

    Decentralized vs. distributed finance:

    Will blockchain-based markets be controlled by a single platform operator or become truly open? For example, Dapper Labs centralizes the minting of NFTs on its Flow blockchain and controls sales through its markets. OpenSea allows NFTs minted elsewhere to be brought to the platform and sold.

    Supply and demand:

    Platforms need to improve the reliability of minting technology to create tokens in the future. Ethereum's network is facing more demand than it can keep up with and requires future upgrades to improve its efficiency. Other platforms that support minting tokens are also awaiting upgrades to be fully functional or have seen limited NFT projects launched on their platform.

    Intangible Value Creation Scenarios

    Determine your organization’s strategy by considering the different scenarios based on two main factors. The design decisions are made around whether digital assets are decentralized or distributed and whether the assets facilitate transactions or collections.

    A map of Intangible Value Creation scenarios with two axes representing 'Fungibility, From assets that are designed to be exchanged like currency to assets that are unique' and 'Asset Control Model, From decentralized control with open ownership to centralized control with distributed assets'. The axes split the map into quarters. 'Fungibility' ranges from 'Transactional' on the left to 'Collectible' on the right. 'Asset Control Model' ranges from 'Distributed' on top to 'Decentralized' on bottom. The top left quarter, distributed transactional, reads 'Platform-controlled digital exchanges and utility (e.g. tokens exchanged for fan experiences, central bank digital currency, S!NG).' The top right quarter, distributed collectible, reads 'Platform-controlled digital showcases and community (e.g. NBA Top Shot, Decentraland property).' The bottom left quarter, decentralized transactional, reads 'Peer-controlled digital exchanges and utility (e.g. Bitcoin).' The bottom right quarter, decentralized collectible, reads 'Peer-controlled digital showcases and community (e.g. OpenSea and Ethereum-based NFTs).'

    Recommendations

    Determine your role in the digital asset ecosystem.
    • Becoming a platform provider for digital tokens will require a minting capability to create blockchain-based assets and a marketplace for users to exchange them.
    • Issuing digital tokens to a platform through a sale will require making partnerships and marketing.
    • Investing in digital assets will require management of digital wallets and subject-matter expert analysis of the emerging markets.
    Track the implications of digital currencies.

    Track what your country’s central bank is planning for digital currency and determine if you’ll need to prepare to support it. Be informed about payment partner support for cryptocurrency and consider any complications that may introduce.

    $1 billion+ – The amount of cryptocurrency spent by consumers globally through crypto-linked Visa cards in first half of 2021. (CNBC, July 2021)

    Info-Tech Resources

    Automation as a Service

    TREND 05 | INNOVATION

    Automate business processes and access new sophisticated technology services through platform integration.

    Emerging technologies:
    Cloud platforms, APIs, Generative AI

    Introduction

    The glue for innovation

    Rapidly constructing a business model that is ready to compete in a digital economy requires continuous innovation. Application programming interfaces (APIs) can accelerate innovation by unlocking marketplaces of ready-to-use solutions to business problems and automating manual tasks to make more time for creativity. APIs facilitate a microarchitecture approach and make it possible to call upon a new capability with a few lines of code. This is not a new tool, as the first API was specified in 1951, but there were significant advances of both scale and capability in this area in 2021.

    In the past 18 months, API adoption has exploded and even industries previously considered as digital laggards are now integrating them to reinvent back-office processes. Technology platforms specializing in API management are attracting record-breaking investment. And sophisticated technology services such as artificial intelligence are being delivered by APIs.

    APIs can play a role in every company’s digital strategy, from transforming back-office processes to creating revenue as part of a platform.

    $500,000 was invested in API companies in 2016. (Forbes, May 2021)

    $2,000,000,000+ was invested in API companies in 2020. (Forbes, May 2021)

    69% of IT practitioners say digital transformation has been a high priority for their organization during the pandemic. (Info-Tech Tech Trends 2022 Survey)

    51% of developers used more APIs in 2020 than in 2019. (InsideHPC, 2021)

    71% of developers planned to use even more APIs in 2021. (InsideHPC, 2021)

    Signals

    IT practitioners indicate that digital transformation was a strong focus for their organization during the pandemic and will remain so during the period afterwards, and one-third say their organizations were “extremely focused” on digital transformation.

    When it came to shifting processes from being done manually to being completed digitally, more than half of IT practitioners say they shifted at least 21% of their processes during the past year. More than one in five say that at least 60% of their processes were shifted from manual to digital in the past year.

    3.5 trillion calls were performed on API management platform Apigee, representing a 50% increase year over year. (SiliconANGLE, 2021)

    Processes shifted from manual to digital in the past year

    A horizontal bar chart recording survey responses regarding the percent of processes that shifted from manual to digital in the past year. The horizontal axis is 'percent of survey respondents' with values from 0 to 35%. The vertical axis is 'percent of process shifted to digital' with bar labels 'Between 0 to 20%', 'Between 21 to 40%', and so on until 'Between 81 to 100%'. 20% of respondents answered '0 to 20%' of processes went digital. 28% of respondents answered '21 to 40%' of processes went digital. 30% of respondents answered '41 to 60%' of processes went digital. 15% of respondents answered '61 to 80%' of processes went digital. 7% of respondents answered '81 to 100%' of processes went digital.

    Drivers

    Covid-19

    The pandemic lockdowns pushed everyone into a remote-work scenario. With in-person interaction not an option, even more traditional businesses had to adapt to digital processes.

    Customer Expectations

    The success of digital services in the consumer space is causing expectations to rise in other areas, such as professional services. Consumers now want their health records to be portable and they want to pay their lawyer through e-transfer, not by writing a cheque. (Interview with Mik Lernout)

    Standardization

    Technology laggard industries such as legal and healthcare are recognizing the pain of working with siloed systems. New standardization efforts are driving the adoption of open APIs at a rapid rate. (Interview with Jennifer Jones, Research Director – Industry, Info-Tech Research Group)

    Risks and Benefits

    Benefits

    Speed Using a microarchitecture approach with readily available services constructed in different ways provides a faster way to get from idea to minimum-viable product.
    Intelligence Open APIs have more than ever exposed people to sophisticated AI algorithms that were in the domain of only advanced researchers just a couple years ago. Developers can integrate AI with a couple lines of code. Non-technical users can train algorithms with low-code and no-code tools (Forbes, Sept. 2021).
    Resilience If one function of a solution doesn't work, it can be easily replaced with another one available on the market and the overall experience is maintained.

    Risks

    Loss of Privacy APIs are being targeted by hackers as a way to access personal information. Recent API-related leaks affected Experian, John Deere, Clubhouse, and Peloton (VentureBeat, 2021).
    Complexity Using a decentralized approach to assemble applications means that there is no single party accountable for the solution. Different pieces can break, or oversights can go unnoticed.
    Copycats Platforms that take the approach of exposing all functions via API run the risk of having their services used by a competitor to offer the same solution but with an even better user experience.

    “When we think about what the pandemic did, we had this internal project called 'back to the future.' It kind of put the legal industry in a time machine and it kind of accelerated the legal industry 5, maybe even 10 years. A lot of the things we saw with the innovators became table stakes.” (Mik Lernout, Vice President of Product, Clio)

    Photo of Mik Lernout, Vice president of product, Clio.

    Listen to the Tech Insights podcast: Clio drives digital transformation to redefine the legal industry

    Case Study

    Situation

    The COVID-19 pandemic required the legal industry to shift to remote work. A typically change-resistant industry was now holding court hearings over videoconference, taking online payments, and collecting e-signatures on contracts. For Clio, a software-as-a-service software vendor that serves the legal industry, its client base grew and its usage increased. It previously focused on the innovators in the legal industry, but now it noticed laggards were going digital too.

    Complication

    Law firms have very different needs depending on their legal practice area (e.g. family law, corporate law, or personal injury) and what jurisdiction they operate in.

    Clients are also demanding more from their lawyers in terms of service experience. They don't want to travel to the law office to drop off a check but expect digital interactions on par with service they receive in other areas.

    Resolution

    Since its inception, Clio built its software product so that all of its functions could be called upon by an API as well. It describes its platform as the "operating system for the legal industry." Its API functions include capabilities like managing activities, billing, and contracts. External developers can submit applications to the Clio Marketplace to add new functionality. Its platform approach enables it to find solutions for its 150,000+ users. During the pandemic, Clio saw its customers rely on its APIs more than ever before. It expects this accelerated adoption to be the way of working in the future. (ProgrammableWeb, 2021; Interview with Mik Lernout)

    What's Next

    GOOGLE’S API-FIRST APPROACH:

    Google is expanding its Apigee API management platform so enterprises will be able to connect existing data and applications and access them via APIs. It's part of Google's API-first approach to digital transformation, helping enterprises with their integration challenges. The new release includes tools and a framework that's needed to integrate services in this way and includes pre-built connectors for common business apps and services such as Salesforce, Cloud SQL, MySQL, and BigQuery. (SiliconANGLE, 2021)

    Uncertainties

    API SECURITY:

    APIs represent another potential vulnerability for hackers to exploit and the rise in popularity has come with more security incidents. Companies using APIs have leaked data through APIs, with one research report on the state of API security finding that 91% of organizations have suffered an API security incident. Yet more than a quarter of firms running production APIs don’t have an API security strategy. (VentureBeat, 2021)

    For low IT maturity organizations moving onto platforms that introduce API capabilities, education is required about the consequences of creating more integrations. Platforms must bear some responsibility for monitoring for irregular activity. (Interview with Mik Lernout)

    Automation as a Service Scenarios

    Determine your organization’s platform strategy from the basis of your digital maturity – from that of a laggard to a native – and whether it involves monetized APIs vs. freely available public APIs. A strategy can include both the consumption of APIs and the creation of them.

    A map of Automation as a Service scenarios with two axes representing 'Business Model, From an open and public API to a monetized pay-for-use API' and 'Digital Maturity, From being a digital laggard to being a digital native'. The axes split the map into quarters. 'Business Model' ranges from 'Public APIs' on the left to 'Monetized APIs' on the right. 'Digital Maturity' ranges from 'Digital Native' on top to 'Digital Laggard' on bottom. The top left quarter, digital native public APIs, reads 'Platform business model that grows through adoption of free APIs (e.g. Clio).' The top right quarter, digital native monetized APIS, reads 'Platform business model with spectrum of API services including free tiers.' The bottom left quarter, digital laggard public APIs, reads 'Consume public APIs to simplify and automate business processes and improve customer experience (e.g. law firms using Clio).' The bottom right quarter, digital laggard monetized APIs, reads 'Consume paid APIs to provide customers with expanded services (e.g. retailer Lowe’s uses AccuWeather to predict supply and demand).'

    Recommendations

    Leverage APIs to connect your systems. Create a repeatable process to improve the quality, reusability, and governance of your web APIs.

    Transform your business model with digital platforms. Use the best practices of digital native enterprises and leverage your core assets to compete in a digital economy.

    Deliver sophisticated new capabilities with APIs. Develop an awareness of new services made available through API integration, such as artificial intelligence, and take advantage of them.

    4.5 billion words per day generated by the OpenAI natural language API GPT-3, just nine months after launch. (OpenAI, 2021)

    Info-Tech Resources

    Behind the design

    Inspiration provided by the golden ratio

    The golden ratio has long fascinated humans for its common occurrence in nature and inspired artists who adopted its proportions as a guiding principle for their creations. A new discovery of the golden ratio in economic cycles was published in August 2021 by Bert de Groot, et al. As the boundaries of value creation blur between physical and digital and the pace of change accelerates, these digital innovations may change our lives in many ways. But they are still bound by the context of the structure of the economy. Hear more about this surprising finding from de Groot and from this report’s designer by listening to our podcast. (Technological Forecasting and Social Change, 2021)

    “Everything happening will adapt itself into the next cycle, and that cycle is one phi distance away.” (Bert de Groot, professor of economics at Erasmus University Rotterdam)

    Photo of Bert de Groot, Professor of Economics at Erasmus University Rotterdam.

    Listen to the Tech Insights podcast: New discovery of the golden ratio in the economy

    Contributing Experts

    Vijay Sundaram
    Chief Strategy Officer, Zoho
    Photo of Vijay Sundaram, Chief Strategy Officer, Zoho.
    Jason Brommet
    Head of Modern Work and Security Business Group, Microsoft
    Photo of Jason Brommet, Head of Modern Work and Security Business Group at Microsoft.
    Steve Orrin
    Federal Chief Technology Officer, Intel
    Photo of Steve Orrin, Federal Chief Technology Officer, Intel.
    Wade Barnes
    CEO and Founder, Farmers Edge
    Photo of Wade Barnes, CEO and founder of Farmers Edge.

    Contributing Experts

    Raine Maida
    Chief Product Officer, S!NG
    Singer, Our Lady Peace
    Raine Maida, Chief Product Officer, S!NG Singer, Our Lady Peace.
    Geoff Osler
    CEO, S!NG
    Photo of Geoff Osler, CEO, S!NG.
    Mik Lernout
    Vice President of Product, Clio
    Photo of Mik Lernout, Vice President of Product, Clio.
    Bert de Groot
    Professor of Economics, Erasmus University Rotterdam
    Photo of Bert de Groot, Professor of Economics at Erasmus University Rotterdam.

    Bibliography – Enabling the Digital Economy

    “2021 Canada Dealer Financing Satisfaction Study.” J.D. Power, 13 May 2021. Accessed 27 May 2021.

    Brown, Sara. “The CIO Role Is Changing. Here’s What’s on the Horizon.” MIT Sloan, 2 Aug. 2021. Accessed 16 Aug. 2021.

    de Groot, E. A., et al. “Disentangling the Enigma of Multi-Structured Economic Cycles - A New Appearance of the Golden Ratio.” Technological Forecasting and Social Change, vol. 169, Aug. 2021, pp. 120793. ScienceDirect, https://doi.org/10.1016/j.techfore.2021.120793.

    Hatem, Louise, Daniel Ker, and John Mitchell. “Roadmap toward a common framework for measuring the Digital Economy.” Report for the G20 Digital Economy Task Force, OECD, 2020. Accessed 19 Oct. 2021.

    LaBerge, Laura, et al. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever.” McKinsey, 5 Oct. 2020. Accessed 14 June 2021.

    Pomeroy, James. The booming digital economy. HSBC, Sept. 2020. Web.

    Salman, Syed. “Digital Transformation Realized Through COBIT 2019.” ISACA, 13 Oct. 2020. Accessed 25 Oct. 2021.

    Bibliography – Hybrid Collaboration

    De Smet, Aaron, et al. “Getting Real about Hybrid Work.” McKinsey Quarterly, 9 July 2021. Web.

    Herskowitz, Nicole. “Brace Yourselves: Hybrid Work Is Hard. Here’s How Microsoft Teams and Office 365 Can Help.” Microsoft 365 Blog, 9 Sept. 2021. Web.

    Melin, Anders, and Misyrlena Egkolfopoulou. “Employees Are Quitting Instead of Giving Up Working From Home.” Bloomberg, 1 June 2021. Web.

    Spataro, Jared. “Microsoft and LinkedIn Share Latest Data and Innovation for Hybrid Work.” The Official Microsoft Blog, 9 Sept. 2021. Web.

    Subin, Samantha. “The new negotiation over job benefits and perks in post-Covid hybrid work.” CNBC, 23 Apr. 2021. Web.

    Torres, Roberto. “How to Sidestep Overspend as Hybrid Work Tests IT.” CIO Dive, 26 July 2021. Accessed 16 Sept. 2021.

    Wong, Christine. “How the hybrid workplace will affect IT spending.” ExpertIP, 15 July 2021. Web.

    Yang, Longqi, et al. “The Effects of Remote Work on Collaboration among Information Workers.” Nature Human Behaviour, Sept. 2021, pp. 1-12. Springer Nature, https://doi.org/10.1038/s41562-021-01196-4.

    Bibliography – Battle Against Ransomware

    Berg, Leandro. “RTF Report: Combatting Ransomware.” Institute for Security and Technology (IST), 2021. Accessed 21 Sept. 2021.

    Dudley, Renee. “The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks.” ProPublica, 27 Aug. 2019. Accessed 22 Sept. 2021.

    Durbin, Steve. “Council Post: Artificial Intelligence: The Future Of Cybersecurity?” Forbes, 23 Sept. 2021. Accessed 21 Oct. 2021.

    “FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware.” The White House, 13 Oct. 2021. Web.

    Jeffery, Lynsey, and Vignesh Ramachandran. “Why ransomware attacks are on the rise — and what can be done to stop them.” PBS NewsHour, 8 July 2021. Web.

    McBride, Timothy, et al. Data Integrity: Recovering from Ransomware and Other Destructive Events. NIST Special Publication (SP) 1800-11, National Institute of Standards and Technology, 22 Sept. 2020. NIST Computer Security Resource Center (CSRC), https://doi.org/10.6028/NIST.SP.1800-11.

    Mehrotra, Karitkay, and Jennifer Jacobs. “Crypto Channels Targeted in Biden’s Fight Against Ransomware.” BNN Bloomberg, 21 Sept. 2021. Web.

    Sharma, Mayank. “Hackers demand $70m ransom after executing massive Solar Winds-like attack.” TechRadar, 5 July 2021. Web.

    “Unhacked: 121 Tools against Ransomware on a Single Website.” Europol, 26 July 2021. Web.

    Bibliography – Carbon Metrics in Energy 4.0

    “The A List 2020.” CDP, 2021. Web.

    Baazil, Diedrik, Hugo Miller, and Laura Hurst. “Shell loses climate case that may set precedent for big oil.” Australian Financial Review, 27 May 2021. Web.

    “BlackRock’s 2020 Carbon Footprint.” BlackRock, 2020. Accessed 25 May 2021.

    “CDP Media Factsheet.” CDP, n.d. Accessed 25 May 2021.

    Glaser, April, and Leticia Miranda. “Amazon workers demand end to pollution hitting people of color hardest.” NBC News, 24 May 2021. Accessed 25 May 2021.

    Little, Mark. “Why Canada should be the home of the new global sustainability standards board.” Business Council of Canada, 1 Oct. 2021. Accessed 22 Oct. 2021.

    McIntyre, Catherine. “Canada vying for global headquarters to oversee sustainable-finance standards.” The Logic, 22 July 2021. Web.

    “Net Zero Scorecard.” Energy & Climate Intelligence Unit, 2021. Accessed 25 May 2021.

    Sayer, Peter. “Greenhouse gas emissions: The next big issue for CIOs.” CIO, 13 Oct. 2021. Web.

    “Scope 1 and Scope 2 Inventory Guidance.” US EPA, OAR. 14 Dec. 2020. Web.

    Sorkin, Andrew Ross. “BlackRock C.E.O. Larry Fink: Climate Crisis Will Reshape Finance.” The New York Times, 14 Jan. 2020. Web.

    “Sustainable IT Pledge.” CIO Strategy Council, 2021. Accessed 22 Oct. 2021.

    Bibliography – Intangible Value Creation

    Areddy, James T. “China Creates Its Own Digital Currency, a First for Major Economy.” Wall Street Journal, 5 Apr. 2021. Web.

    Boar, Codruta, et al. Impending arrival - a sequel to the survey on central bank digital currency. BIS Papers No 107, Jan. 2020. Web.

    Brainard, Lael. “Speech by Governor Brainard on Private Money and Central Bank Money as Payments Go Digital: An Update on CBDCs.” Board of Governors of the Federal Reserve System, 24 May 2021. Accessed 28 May 2021.

    Howcroft, Elizabeth, and Ritvik Carvalho. “How a 10-second video clip sold for $6.6 million.” Reuters, 1 Mar. 2021. Web.

    “Central Bank Digital Currency Tracker.” Atlantic Council, 2021. Accessed 10 Sept. 2021.

    “Expert Comment From Warwick Business School: Problems With El Salvador’s Bitcoin Experiment Are Unsurprising.” Mondo Visione, 8 Sept. 2021. Accessed 10 Sept. 2021.

    Goldstein, Caroline. “In Its Ongoing Bid to Draw Crypto-Collectors, Sotheby’s Unveils a Replica of Its London H.Q. in the Blockchain World Decentraland.” Artnet News, 7 June 2021. Web.

    Hamacher, Adriana. “Taco Bell to Charmin: 10 Big Brands Jumping On The NFT Bandwagon.” Decrypt, 22 Mar. 2021. Web.

    Hazan, Eric, et al. “Getting tangible about intangibles: The future of growth and productivity?” McKinsey. 16 June 2021. Web.

    Bibliography – Intangible Value Creation

    Herrera, Pedro. “Dapp Industry Report: Q3 2021 Overview.” DappRadar, 1 Oct. 2021. Web.

    Holland, Frank. “Visa Says Crypto-Linked Card Usage Tops $1 Billion in First Half of 2021.” CNBC, 7 July 2021. Web.

    Jiang, Shangrong, et al. “Policy Assessments for the Carbon Emission Flows and Sustainability of Bitcoin Blockchain Operation in China.” Nature Communications, vol. 12, no. 1, Apr. 2021, p. 1938. Springer Nature, https://doi.org/10.1038/s41467-021-22256-3.

    Reyburn, Scott. “JPG File Sells for $69 Million, as ‘NFT Mania’ Gathers Pace.” The New York Times, 11 Mar. 2021. Web.

    Taylor, Luke. “Bitcoin: El Salvador’s Cryptocurrency Gamble Hit by Trading Loophole.” New Scientist, 25 Oct. 2021. Web.

    Bibliography – Automation as a Service

    Belsky, Scott. “The Furry Lisa, CryptoArt, & The New Economy Of Digital Creativity.” Medium, 21 Feb. 2021. Web.

    Culbertson, Joy. “10 Top Law APIs.” ProgrammableWeb, 14 Feb. 2021. Web.

    Caballar, Rina Diane. “Programming by Voice May Be the Next Frontier in Software Development - IEEE Spectrum.” IEEE Spectrum: Technology, Engineering, and Science News, 22 Mar 2021. Accessed 23 Mar. 2021.

    Gonsalves, Chris. “The Problem with APIs.” VentureBeat, 7 May 2021. Web.

    Graca, Joao. “Council Post: How APIs Are Democratizing Access To AI (And Where They Hit Their Limits).” Forbes, 24 Sept 2021. Accessed 28 Sept. 2021.

    Harris, Tony. “What is the API Economy?” API Blog: Everything You Need to Know, 4 May 2021. Web.

    Kitsing, Meelis. Scenarios for Digital Platform Ecosystems, 2020, pp. 453-57. ResearchGate, https://doi.org/10.1109/ICCCS49078.2020.9118571.

    Pilipiszyn, Ashley. “GPT-3 Powers the Next Generation of Apps.” OpenAI, 25 Mar. 2021. Web.

    Rethans, John. “So You Want to Monetize Your APIs?” APIs and Digital Transformation, 29 June 2018. Web.

    Bibliography – Automation as a Service

    Salyer, Patrick. “API Stack: The Billion Dollar Opportunities Redefining Infrastructure, Services & Platforms.” Forbes, 4 May 2021. Accessed 27 Oct. 2021.

    staff. “RapidAPI Raises $60M for Expansion of API Platform.” InsideHPC, 21 Apr. 2021. Web.

    Taulli, Tom. “API Economy: Is It The Next Big Thing?” Forbes, 18 Jan. 2021. Accessed 5 May 2021.

    Warren, Zach. “Clio Taking 2021 Cloud Conference Virtual, Announces New Mission Among Other News.” Legaltech News, 11 Mar. 2021. Web.

    Wheatley, Mike. “Google Announces API-First Approach to Application Data Integration with Apigee.” SiliconANGLE, 28 Sept. 2021. Web.

    About the research

    Tech trends survey

    As part of its research process for the 2022 Tech Trends Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from August 2021 to September 2021, collecting 475 responses.

    The underlying metrics are diverse, capturing 14 countries and regions and 16 Industries.

    A geospatial chart of the world documenting the percentage of respondents from each country to Info-Tech's '2022 Tech Trends Report' Percentages are below.
    01 United States 45.3% 08 India 1.7%
    02 Canada 19.2% 09 Other (Asia) 1.7%
    03 Africa 9.3% 10 New Zealand 1.5%
    04 Other (Europe) 5.3% 11 Germany 0.8%
    05 Australia 4.2% 12 Mexico 0.4%
    06 Great Britain 3.8% 13 Netherlands 0.4%
    07 Middle East 2.9% 14 Japan 0.2%

    Industry

    01 Government 18.9%
    02 Media, Information, & Technology 12.8%
    03 Professional Services 12.8%
    04 Manufacturing 9.9%
    05 Education 8.8%
    06 Healthcare 8.2%
    07 Financial Services 7.8%
    08 Transportation & Logistics 3.4%
    09 Utilities 3.4%
    10 Insurance 2.5%
    11 Retail & Wholesale 2.5%
    12 Construction 2.3%
    13 Natural Resources 2.1%
    14 Real Estate & Property Management 1.7%
    15 Arts & Leisure 1.5%
    16 Professional Associations 1.3%

    Department

    IT (information technology) 88.2%
    Other (Department) 3.79%
    Operations 2.32%
    Research & Development 1.89%
    Sales 1.26%
    Administration 1.06%
    Finance 0.42%
    HR (Human Resources) 0.42%
    Marketing 0.42%
    Production 0.21%

    Role

    Manager 24%
    Director-level 22%
    C-level officer 19%
    VP-level 9%
    Team lead / supervisor 7%
    Owner / President / CEO 7%
    Team member 7%
    Consultant 5%
    Contractor 1%

    IT Spend

    Respondents on average spent 35 million per year on their IT budget.

    Accounting for the outlier responses – the median spend sits closer to 4.5 million per year. The highest spend on IT was within the Government, Healthcare, and Retail & Wholesale sectors.

    Build an IT Risk Management Program

    • Buy Link or Shortcode: {j2store}192|cart{/j2store}
    • member rating overall impact (scale of 10): 8.3/10 Overall Impact
    • member rating average dollars saved: $31,532 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks AFTER they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Our Advice

    Critical Insight

    • IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Impact and Result

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

    Build an IT Risk Management Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Risk Management Program – A holistic approach to managing IT risks within your organization and involving key business stakeholders.

    Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.

    • Build an IT Risk Management Program – Phases 1-3

    2. Risk Management Program Manual – A single source of truth for the risk management program to exist and be updated to reflect changes.

    Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.

    • Risk Management Program Manual

    3. Risk Register & Risk Costing Tool – A set of tools to document identified risk events. Assess each risk event and consider the appropriate response based on your organization’s threshold for risk.

    Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.

    • Risk Register Tool
    • Risk Costing Tool

    4. Risk Event Action Plan and Risk Report – A template to document the chosen risk responses and ensure accountable owners agree on selected response method.

    Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.

    • Risk Event Action Plan
    • Risk Report

    Infographic

    Workshop: Build an IT Risk Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review IT Risk Fundamentals and Governance

    The Purpose

    To assess current risk management maturity, develop goals, and establish IT risk governance.

    Key Benefits Achieved

    Identified obstacles to effective IT risk management.

    Established attainable goals to increase maturity.

    Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.

    Activities

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events

    Outputs

    Maturity Assessment

    Risk Management Program Manual

    Risk Register

    2 Identify IT Risks

    The Purpose

    Identify and assess all IT risks.

    Key Benefits Achieved

    Created a comprehensive list of all IT risk events.

    Risk events prioritized according to risk severity – as defined by the business.

    Activities

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT 5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment

    Outputs

    Finalized List of IT Risk Events

    Risk Register

    Risk Management Program Manual

    3 Identify IT Risks (continued)

    The Purpose

    Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.

    Key Benefits Achieved

    Risk monitoring responsibilities are established.

    Risk response strategies have been identified for all key risks.

    Activities

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Root cause analysis

    3.6 Identify and assess risk responses

    Outputs

    Risk Register

    Risk Management Program Manual

    Risk Event Action Plans

    4 Monitor, Report, and Respond to IT Risk

    The Purpose

    Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.

    Key Benefits Achieved

    Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.

    Authoritative risk response recommendations can be made to senior leadership.

    A finalized Risk Management Program Manual is ready for distribution to key stakeholders.

    Activities

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers

    Outputs

    Risk Report

    Risk Management Program Manual

    Further reading

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    Table of Contents

    3 Executive Brief

    4 Analyst Perspective

    5 Executive Summary

    19 Phase 1: Review IT Risk Fundamentals & Governance

    43 Phase 2: Identify and Assess IT Risk

    74 Phase 3: Monitor, Communicate, and Respond to IT Risk

    102 Appendix

    108 Bibliography

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    Siloed risks are risky business for any enterprise.

    Photo of Valence Howden, Principal Research Director, CIO Practice.
    Valence Howden
    Principal Research Director, CIO Practice
    Photo of Brittany Lutes, Senior Research Analyst, CIO Practice.
    Brittany Lutes
    Senior Research Analyst, CIO Practice

    Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

    Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

    This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

    Executive Summary

    Your Challenge

    IT has several challenges when it comes to addressing risk management:

    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Common Obstacles

    Many IT organizations realize these obstacles:

    • IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
    • Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
    • Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

    Info-Tech’s Approach

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

    Info-Tech Insight

    IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Ad hoc approaches to managing risk fail because…

    If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

    1. Ad hoc risk management is reactionary.
    2. Ad hoc risk management is often focused only on IT security.
    3. Ad hoc risk management lacks alignment with business objectives.

    The results:

    • Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
    • Increased IT non-compliance, resulting in costly settlements and fines.
    • IT audit failure.
    • Ineffective management of risk caused by poor risk information and wrong risk response decisions.
    • Increased unnecessary and avoidable IT failures and fixes.

    58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

    Data is an invaluable asset – ensure it’s protected

    Case Studies

    Logo for Cognyte.

    Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink., 2021 & Security Magazine, 2021)

    Logo for Facebook.

    Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021 & Security Magazine, 2021)

    Logo for MGM Resorts.

    In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)

    Risk management is a business enabler

    Formalize risk management to increase your likelihood of success.

    By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

    A certain amount of risk is healthy and can stimulate innovation:

    • A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
    • Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
    • Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

    Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

    IT risk is enterprise risk

    Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

    Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

    Follow the steps of this blueprint to build or optimize your IT risk management program

    Cycle of 'Goverance' beginning with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report'.

    Start Here

    PHASE 1
    Review IT Risk Fundamentals and Governance
    PHASE 2
    Identify and Assess IT Risk
    PHASE 3
    Monitor, Report, and Respond to IT Risk

    1.1

    Review IT Risk Management Fundamentals

    1.2

    Establish a Risk Governance Framework

    2.1

    Identify IT Risks

    2.2

    Assess and Prioritize IT Risks

    3.1

    Monitor IT Risks and Develop Risk Responses

    3.2

    Report IT Risk Priorities

    Integrate Risk and Use It to Your Advantage

    Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

    Risk management is more than checking an audit box or demonstrating project due diligence.

    Risk Drivers
    • Audit & compliance
    • Preserve value & avoid loss
    • Previous risk impact driver
    • Major transformation
    • Strategic opportunities
    Arrow pointing right. Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
    1. Assess Enterprise Risk Maturity 3. Build a Risk Management Program Plan 4. Establish Risk Management Processes 5. Implement a Risk Management Program
    2. Determine Authority with Governance
    Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
    IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

    Governance and related decision making is optimized with integrated and aligned risk data.

    List of 'Integrated Risk Maturity Categories': '1. Context & Strategic Direction', '2. Risk Culture and Authority', '3. Risk Management Process', and '4. Risk Program Optimization'. The five types of a risk in 'Enterprise Risk Management (ERM)': 'IT', 'Security', 'Digital', 'Vendor/TPRM', and 'Other'.

    ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

    The program plan is meant to consider all the major risk types in a unified approach.

    The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning. Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Risk Management Program Manual

    Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

    Sample of the key deliverable, Risk Manangement Program Fund.
    Integrated Risk Maturity Assessment

    Assess the organization's current maturity and readiness for integrated risk management (IRM).

    Sample of the Integrated Risk Maturity Assessment blueprint. Centralized Risk Register

    The repository for all the risks that have been identified within your environment.

    Sample of the Centralized Risk Register blueprint.
    Risk Costing Tool

    A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.

    Sample of the Risk Costing Tool blueprint. Risk Report & Risk Event Action Plan

    A method to report risk severity and hold risk owners accountable for chosen method of responding.

    Samples of the Risk Report & Risk Event Action Plan blueprints.

    Benefit from industry-leading best practices

    As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

    Logo for COSO.

    COSO’s Enterprise Risk Management — Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. (COSO)

    Logo for ISO.

    ISO 31000
    Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)

    Logo for COBIT.

    COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology. (COBIT 2019)

    Abandon ad hoc risk management

    A strong risk management foundation is valuable when building your IT risk management program.

    This research covers the following IT risk fundamentals:

    • Benefits of formalized risk management
    • Key terms and definitions
    • Risk management within ERM
    • Risk management independent of ERM
    • Four key principles of IT risk management
    • Importance of a risk management program manual
    • Importance of buy-in and support from the business

    Drivers of Formalized Risk Management:

    Drivers External to IT
    External Audit Internal Audit
    Mandated by ERM
    Occurrence of Risk Event
    Demonstrating IT’s value to the business Proactive initiative
    Emerging IT risk awareness
    Grassroots Drivers

    Blueprint benefits

    IT Benefits

    • Increased on-time, in-scope, and on-budget completion of IT projects.
    • Meet the business’ service requirements.
    • Improved satisfaction with IT by senior leadership and business units.
    • Fewer resources wasted on fire-fighting.
    • Improved availability, integrity, and confidentiality of sensitive data.
    • More efficient use of resources.
    • Greater ability to respond to evolving threats.

    Business Benefits

    • Reduced operational surprises or failures.
    • Improved IT flexibility when responding to risk events and market fluctuations.
    • Reduced budget uncertainty.
    • Improved ability to make decisions when developing long-term strategies.
    • Improved stakeholder and shareholder confidence.
    • Achieved compliance with external regulations.
    • Competitive advantage over organizations with immature risk management practices.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 3 to 6 months.

    What does a typical GI on this topic look like?

      Phase 1

    • Call #1: Assess current risk maturity and organizational buy-in.
    • Call #2: Establish an IT risk council and determine IT risk management program goals.
    • Phase 2

    • Call #3: Identify the risk categories used to organize risk events.
    • Call #4: Identify the threshold for risk the organization can withstand.
    • Phase 3

    • Call #5: Create a method to assess risk event severity.
    • Call #6: Establish a method to monitor priority risks and consider possible risk responses.
    • Call #7: Communicate risk priorities to the business and implement risk management plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities
    Review IT Risk Fundamentals and Governance

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events

    Identify IT Risks

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment

    Assess IT Risks

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Perform root cause analysis

    3.6 Identify and assess risk responses

    Monitor, Report, and Respond to IT Risk

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Outcomes
    1. Maturity Assessment
    2. Risk Management Program Manual
    1. Finalized List of IT Risk Events
    2. Risk Register
    3. Risk Management Program Manual
    1. Risk Register
    2. Risk Event Action Plans
    3. Risk Management Program Manual
    1. Risk Report
    2. Risk Management Program Manual
    1. Workshop Report
    2. Risk Management Program Manual

    Build an IT Risk Management Program

    Phase 1

    Review IT Risk Fundamentals and Governance

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Gain buy-in from senior leadership
    • Assess current program maturity
    • Identify obstacles and pain points
    • Determine the risk culture of the organization
    • Develop risk management goals
    • Develop SMART project metrics
    • Create the IT risk council
    • Complete a RACI chart

    This phase involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Step 1.1

    Review IT Risk Management Fundamentals

    Activities
    • 1.1.1 Gain buy-in from senior leadership
    • 1.1.2 Assess current program maturity

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Reviewed key IT principles and terminology
    • Gained understanding of the relationship between IT risk management and ERM
    • Introduced to Info-Tech’s IT Risk Management Framework
    • Obtained the support of senior leadership
    Step 1.1 Step 1.2

    Effective IT risk management is possible with or without ERM

    Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

    Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

    Core Responsibilities With an ERM Without an ERM
    • Risk Decision-Making Authority
    • Final Accountability
    Senior Leadership Team Senior Leadership Team
    • Risk Governance
    • Risk Prioritization & Communication
    ERM IT Risk Management
    • Risk Identification
    • Risk Assessment
    • Risk Monitoring
    IT Risk Management
    Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
    Con: IT may lack autonomy to implement IT risk management best practices.
    Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
    Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.

    Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

    IT Risk Management Framework

    Risk Governance
    • Optimize Risk Management Processes
    • Assess Risk Maturity
    • Measure the Success of the Program
    A cycle surrounds the words 'Business Objectives', referring to the surrounding lists. On the top half is 'Communication', and the bottom is 'Monitoring'. Risk Identification
    • Engage Stakeholder Participation
    • Use Risk Identification Frameworks
    • Compile IT-Related Risks
    Risk Response
    • Establish Monitoring Responsibilities
    • Perform Cost-Benefit Analysis
    • Report Risk Response Actions
    Risk Assessment
    • Establish Thresholds for Unacceptable Risk
    • Calculate Expected Cost
    • Determine Risk Severity & Prioritize IT Risks

    Effective IT risk management benefits

    Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

    Risk management benefits To engage the business...
    IT is compliant with external laws and regulations. Identify the industry or legal legislation and regulations your organization abides by.
    IT provides support for business compliance. Find relevant business compliance issues, and relate compliance failures to cost.
    IT regularly communicates costs, benefits, and risks to the business. Acknowledge the number of times IT and the business miscommunicate critical information.
    Information and processing infrastructure are very secure. Point to past security breaches or potential vulnerabilities in your systems.
    IT services are usually delivered in line with business requirements. Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality.
    IT related business risks are managed very well. Make it clear that with no risk tracking process, business processes become exposed and tend to slow down.
    IT projects are completed on time and within budget. Point out late or over-budget projects due to the occurrence of unforeseen risks.

    1.1.1 Gain buy-in from senior leadership

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Buy-in from senior leadership for an IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

    • Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
    • Periodic risk assessments (e.g. 4 days, twice a year).
    • IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
    • Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

    Record the results in the Risk Management Program Manual.

    Integrated Risk Maturity Assessment

    The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM)

    Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

    Integrated Risk Maturity Assessment
    A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.
    Sample of the Integrated Risk Maturity Assessment deliverable.

    Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organizations.

    Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

    1.1.2 Assess current program maturity

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Maturity scores across four key risk categories

    Materials: Integrated Risk Maturity Assessment Tool

    Participants: IT executive leadership, Business executive leadership

    This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

    How to Use This Assessment:

    1. Download the Integrated Risk Management Maturity Assessment Tool.
    2. Tab 2, "Data Entry:" This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
    3. Tab 3, "Results:" This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

    Record the results in the Integrated Risk Maturity Assessment.

    Integrated Risk Maturity Categories

    Semi-circle with colored points indicating four categories.

    1

    Context & Strategic Direction Understanding of the organization’s main objectives and how risk can support or enhance those objectives.

    2

    Risk Culture and Authority Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.

    3

    Risk Management Process Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.

    4

    Risk Program Optimization Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.

    Step 1.2

    Establish a Risk Governance Framework

    Activities
    • 1.2.1 Identify pain points/obstacles and opportunities
    • 1.2.2 Determine the risk culture of the organization
    • 1.2.3 Develop risk management goals
    • 1.2.4 Develop SMART project metrics
    • 1.2.5 Create the IT risk council
    • 1.2.6 Complete a RACI chart

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Developed goals for the risk management program
    • Established the IT risk council
    • Assigned accountability and responsibility for risk management processes

    Review IT Risk Fundamentals and Governance

    Step 1.1 Step 1.2

    Create an IT risk governance framework that integrates with the business

    Follow these best practices to make sure your requirements are solid:

    1. Self-assess your current approach to IT risk management.
    2. Identify organizational obstacles and set attainable risk management goals.
    3. Track the effectiveness and success of the program using SMART risk management metrics.
    4. Establish an IT risk council tasked with managing IT risk.
    5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

    Key metrics for your IT risk governance framework

    Challenges:
    • Key stakeholders are left out or consulted once risks have already occurred.
    • Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
    • Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
    • Risk assessment occurs sporadically or only after a major risk event has already occurred.
    Key metrics:
    • Number of risk management processes done ad hoc.
    • Frequency that IT risk appears as an agenda item at IT steering committee meetings.
    • Percentage of IT employees whose performance evaluations reflect risk management objectives.
    • Percentage of IT risk council members who are trained in risk management activities.
    • Number of open positions in the IT risk council.
    • Cost of risk management program operations per year.

    Info-Tech Insight

    Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

    IT risk management success factors

    Support and sponsorship from senior leadership

    IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative.

    Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.

    Risk culture and awareness

    A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk.

    An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization.

    Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

    Organization size

    Smaller organizations can often institute a mature risk management program much more quickly than larger organizations.

    It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management.

    Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.

    1.2.1 Identify obstacles and pain points

    1-4 hours

    Input: Integrated Risk Maturity Assessment

    Output: Obstacles and pain points identified

    Materials: IT Risk Management Success Factors

    Participants: IT executive leadership, Business executive leadership

    Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

    Instructions:

    1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
    2. Consider some opportunities that could be leveraged to increase the success of this program.
    3. Use this list in Activity 1.2.3 to develop program goals.

    Risk Management

    Replace the example pain points and opportunities with real scenarios in your organization.

    Pain Points/Obstacles
    • Lack of leadership buy-in
    • Skills and understanding around risk management within IT
    • Skills and understanding around risk management within the organization
    • Lack of a defined risk management posture
    Opportunities
    • Changes in regulations related to risk
    • Organization moving toward an integrated risk management program
    • Ability to leverage lessons learned from similar companies
    • Strong process management and adherence to policies by employees in the organization

    1.2.2 Determine the risk culture of your organization

    1-3 hours

    Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

    Risk Tolerant
    • You have no compliance requirements.
    • You have no sensitive data.
    • Customers do not expect you to have strong security controls.
    • Revenue generation and innovative products take priority and risk is acceptable.
    • The organization does not have remote locations.
    • It is likely that your organization does not operate within the following industries:
      • Finance
      • Health care
      • Telecom
      • Government
      • Research
      • Education
    Moderate
    • You have some compliance requirements, e.g.:
      • HIPAA
      • PIPEDA
    • You have sensitive data, and are required to retain records.
    • Customers expect strong security controls.
    • Information security is visible to senior leadership.
    • The organization has some remote locations.
    • Your organization most likely operates within the following industries:
      • Government
      • Research
      • Education
    Risk Averse
    • You have multiple, strict compliance and/or regulatory requirements.
    • You house sensitive data, such as medical records.
    • Customers expect your organization to maintain strong and current security controls.
    • Information security is highly visible to senior management and public investors.
    • The organization has multiple remote locations.
    • Your organization operates within the following industries:
      • Finance
      • Healthcare
      • Telecom

    Be aware of the organization’s attitude towards risk

    Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

    One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.
    Risk tolerant

    Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

    Risk averse

    Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.

    The other component of risk culture is the degree to which risk factors into decision making.
    Risk conscious

    Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.

    Unaware

    Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.

    Info-Tech Insight

    Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

    1.2.3 Develop goals for the IT risk management program

    1-4 hours

    Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

    Instructions:

    1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
    2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
    3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

    Record the results in the Risk Management Program Manual.

    1.2.4 Develop SMART project metrics

    1-3 hours

    Create metrics for measuring the success of the IT risk management program.

    Ensure that all success metrics are SMART Instructions
    1. Document a list of appropriate metrics to assess the success of the IT risk management program on a whiteboard.
    2. Use the sample metrics listed in the table on the next slide as a starting point.
    3. Fill in the chart to indicate the:
      1. Name of the success metric
      2. Method for measuring success
      3. Baseline measurement
      4. Target measurement
      5. Actual measurements at various points throughout the process of improving the risk management program
      6. A deadline for each metric to meet the target measurement
    Strong Make sure the objective is clear and detailed.
    Measurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
    Actionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
    Realistic Objectives must be achievable given your current resources or known available resources.
    Time-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

    1.2.4 Develop SMART project metrics (continued)

    1-3 hours

    Attach metrics to your goals to gauge the success of the IT risk management program.

    Replace the example metrics with accurate KPIs or metrics for your organization.

    Sample Metrics
    Name Method Baseline Target Deadline Checkpoint 1 Checkpoint 2 Final
    Number of risks identified (per year) Risk register 0 100 Dec. 31
    Number of business units represented (risk identification) Meeting minutes 0 5 Dec. 31
    Frequency of risk assessment Assessments recorded in risk management program manual 0 2 per year Year 2
    Percentage of identified risk events that undergo expected cost assessment Ratio of risks assessed in the risk costing tool to risks assessed in the risk register 0 20% Dec. 31
    Number of top risks without an identified risk response Risk register 5 0 March 1
    Cost of risk management program operations per year Meeting frequency and duration, multiplied by the cost of participation $2,000 $5,000 Dec. 31

    Create the IT risk committee (ITRC)

    Responsibilities of the ITRC:
    1. Formalize risk management processes.
    2. Identify and review major risks throughout the IT department.
    3. Recommend an appropriate risk appetite or level of exposure.
    4. Review the assessment of the impact and likelihood of identified risks.
    5. Review the prioritized list of risks.
    6. Create a mitigation plan to minimize risk likelihood and impact.
    7. Review and communicate overall risk impact and risk management success.
    8. Assign risk ownership responsibilities of key risks to ensure key risks are monitored and risk responses are effectively implemented.
    9. Address any concerns in regards to the risk management program, including, but not limited to, reviewing their risk management duties and resourcing.
    10. Communicate risk reports to senior management annually.
    11. Make any alterations to the committee roster and the individuals’ responsibilities as needed and document changes.
    Must be on the ITRC:
    • CIO
    • CRO (if applicable)
    • Senior Directors
    • Security Officer
    • Head of Operations

    Must be on the ITRC:

    • CFO
    • Senior representation from every business unit impacted by IT risk

    1.2.5 Create the IT risk council

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations

    Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

    Instructions:

    1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
    2. In section 3.3, document how frequently the council is scheduled to meet.
    3. In section 3.4, document members of the IT risk council.
    4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

    Record the results in the Risk Management Program Manual.

    1.2.6 Complete RACI chart

    1-3 hours

    A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

    RACI is an acronym made up of four participatory roles: Instructions
    1. Use the template provided on the following slide, and add key stakeholders who do not appear and are relevant for your organization.
    2. For each activity, assign each stakeholder a letter.
    3. There must be an accountable party for each activity (every activity must have an “A”).
    4. For activities that do not apply to a particular stakeholder, leave the space blank.
    5. Once the chart is complete, copy/paste it into section 4.1 of the Risk Management Program Manual.
    Responsible Stakeholders who undertake the activity.
    Accountable Stakeholders who are held responsible for failure or take credit for success.
    Consulted Stakeholders whose opinions are sought.
    Informed Stakeholders who receive updates.

    1.2.6 Complete RACI chart (continued)

    1-3 hours

    Assign risk management accountabilities and responsibilities to key stakeholders:

    Stakeholder Coordination Risk Identification Risk Thresholds Risk Assessment Identify Responses Cost-Benefit Analysis Monitoring Risk Decision Making
    ITRC A R I R R R A C
    ERM C I C I I I I C
    CIO I A A A A A I R
    CRO I R C I R
    CFO I R C I R
    CEO I R C I A
    Business Units I C C C
    IT I I I I I I R C
    PMO C C C
    Legend: Responsible Accountable Consulted Informed

    Build an IT Risk Management Program

    Phase 2

    Identify and Assess IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Add organization-specific risk scenarios
    • Identify risk events
    • Augment risk event list using COBIT 2019 processes
    • Conduct a PESTLE analysis
    • Determine the threshold for (un)acceptable risk
    • Create a financial impact assessment scale
    • Select a technique to measure reputational cost
    • Create a likelihood scale
    • Assess risk severity level
    • Assess expected cost

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business Risk Owners

    Step 2.1

    Identify IT Risks

    Activities
    • 2.1.1 Add organization-specific risk scenarios
    • 2.1.2 Identify risk events
    • 2.1.3 Augment risk event list using COBIT 19 processes
    • 2.1.4 Conduct a PESTLE analysis

    This step involves the following participants:

    • IT executive leadership
    • IT Risk Council
    • Business executive leadership
    • Business risk owners

    Outcomes of this step

    • Participation of key stakeholders
    • Comprehensive list of IT risk events
    Identify and Assess IT Risk
    Step 2.1 Step 2.2

    Get to know what you don’t know

    1. Engage the right stakeholders in risk identification.
    2. Employ Info-Tech’s top-down approach to risk identification.
    3. Augment your risk event list using alternative frameworks.
    Key metrics:
    • Total risks identified
    • New risks identified
    • Frequency of updates to the Risk Register Tool
    • Number of realized risk events not identified in the Risk Register Tool
    • Level of business participation in enterprise IT risk identification
      • Number of business units represented
      • Number of meetings attended in person
      • Number of risk reports received

    Info-Tech Insight

    What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

    Engage key stakeholders

    Ensure that all key risks are identified by engaging key business stakeholders.

    Benefits of obtaining business involvement during the risk identification stage:
    • You will identify risk events you had not considered or you weren’t aware of.
    • You will identify risks more accurately.
    • Risk identification is an opportunity to raise awareness of IT risk management early in the process.

    Executive Participation:

    • CIO participation is integral when building a comprehensive register of risk events impacting IT.
    • CIOs and IT directors possess a holistic view of all of IT’s functions.
    • CIOs and IT directors are uniquely placed to identify how IT affects other business units and the attainment of business objectives. If applicable, CRO and CTO participation is also critical.

    Prioritizing and Selecting Stakeholders

    1. Reliance on IT services and technologies to achieve business objectives.
    2. Relationship with IT, and willingness to engage in risk management activities.
    3. Unique perspectives, skills, and experiences that IT may not possess.

    Info-Tech Insight

    While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.

    Enable IT to target risk holistically

    Take a top-down approach to risk identification to guide brainstorming

    Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.

    A risk prompt list is a list that categorizes risks into types or areas. The n10 risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

    Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories. Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category. Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.

    Risk Category

    Risk Scenario

    Risk Event

    Compliance Regulatory compliance Being fined for not complying/being aware of a new regulation.
    Externally originated attack Phishing attack on the organization.
    Operational Technology evaluation & selection Partnering with a vendor that is not in compliance with a key regulation.
    Capacity planning Not having sufficient resources to support a DRP.
    Third-Party Risk Vendor management Vendor performance requirements are improperly defined.
    Vendor selection Vendors are improperly selected to meet the defined use case.

    2.1.1 Add organization-specific risk scenarios

    1-3 hours

    Review Info-Tech’s ten IT risk categories and add risk scenarios to the examples provided.

    IT Reputational
    • Negative PR
    • Consumers writing negative reviews
    • Employees writing negative reviews
    IT Financial
    • Stock prices drop
    • Value of the organization is reduced
    IT Strategic
    • Organization prioritizes innovation but remains focused on operational
    • Unable to access data to support strategic initiative
    Operational
    • Enterprise architecture
    • Technology evaluation and selection
    • Capacity planning
    • Operational errors
    Availability
    • Power outage
    • Increased data workload
    • Single source of truth
    • Lacking knowledge transfer processes for critical tasks
    Performance
    • Network failure
    • Service levels not being met
    • Capacity overload
    Compliance
    • Regulatory compliance
    • Standards compliance
    • Audit compliance
    Security
    • Malware
    • Internally originated attack
    Third Party
    • Vendor selection
    • Vendor management
    • Contract termination
    Digital
    • No back-up process if automation fails

    2.1.2 Identify risk events

    1-4 hours

    Input: IT risk categories

    Output: Risk events identified and categorized

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)

    Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

    Instructions:

    1. Document risk events in the Risk Register Tool.
    2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
    3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
      • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
    4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

    Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

    Record the results in the Risk Register Tool.

    2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)

    1-3 hours

    Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

    1. Managed IT Management Framework
    2. Managed Strategy
    3. Managed Enterprise Architecture
    4. Managed Innovation
    5. Managed Portfolio
    6. Managed Budget and Costs
    7. Managed Human Resources
    8. Managed Relationships
    9. Managed Service Agreements
    10. Managed Vendors
    11. Managed Quality
    12. Managed Risk
    13. Managed Security
    14. Managed Data
    15. Managed Programs
    16. Managed Requirements Definition
    17. Managed Solutions Identification and Build
    18. Managed Availability and Capacity
    19. Managed Organizational Change Enablement
    20. Managed IT Changes
    1. Managed IT Change Acceptance and Transitioning
    2. Managed Knowledge
    3. Managed Assets
    4. Managed Configuration
    5. Managed Projects
    6. Managed Operations
    7. Managed Service Requests and Incidents
    8. Managed Problems
    9. Managed Continuity
    10. Managed Security Services
    11. Managed Business Process Controls
    12. Managed Performance and Conformance Monitoring
    13. Managed System of Internal Control
    14. Managed Compliance with External Requirements
    15. Managed Assurance
    16. Ensured Governance Framework Setting and Maintenance
    17. Ensured Benefits Delivery
    18. Ensured Risk Optimization
    19. Ensured Resource Optimization
    20. Ensured Stakeholder Engagement

    Instructions:

    1. Review COBIT 2019’s 40 IT processes and identify additional risk events.
    2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

    2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)

    1-3 hours

    Explore alternative identification techniques to incorporate external factors and avoid “groupthink.”

    Consider the External Environment – PESTLE Analysis

    Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises.

    Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.

    Avoid “Groupthink” – Nominal Group Technique

    The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.

    • Ideas are generated silently and independently.
    • Ideas are then shared and documented; however, discussion is delayed until all of the group’s ideas have been recorded.
    • Idea generation can occur before the meeting and be kept anonymous.

    Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.

    List the following factors influencing the risk event:
    • Political factors
    • Economic factors
    • Social factors
    • Technological factors
    • Legal factors
    • Environmental factors
    'PESTLE Analysis' presented as a wheel with the acronym's meanings surrounding the title. 'Political Factors', 'Economic Factors', 'Social Factors', 'Technological Factors', 'Legal Factors', and 'Environmental Factors'.

    Step 2.2

    Assess and Prioritize IT Risks

    Activities
    • 2.2.1 Determine the threshold for (un)acceptable risk
    • 2.2.2 Create a financial impact assessment scale
    • 2.2.3 Select a technique to measure reputational cost
    • 2.2.4 Create a likelihood scale
    • 2.2.5 Risk severity level assessment
    • 2.2.6 Expected cost assessment

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owners

    Outcomes of this step

    • Business-approved thresholds for unacceptable risk
    • Completed Risk Register Tool with risks prioritized according to severity
    • Expected cost calculations for high-priority risks

    Identify and Assess IT Risk

    Step 2.1 Step 2.2

    Reveal the organization’s greatest IT threats and vulnerabilities

    1. Establish business-approved risk thresholds for acceptable and unacceptable risk.
    2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
    3. Perform a deeper, cost-based assessment of prioritized risks.
    Key metrics:
    • Frequency of IT risk assessments
      • (Annually, bi-annually, etc.)
    • Assessment accuracy
      • Percentage of risk assessments that are substantiated by later occurrences or testing
      • Ratio of cumulative actual costs to expected costs
    • Assessment consistency
      • Percentage of risk assessments that are substantiated by third-party audit
    • Assessment rigor
      • Percentage of identified risk events that undergo first-level assessment (severity scores)
      • Percentage of identified risk events that undergo second-level assessment (expected cost)
    • Stakeholder oversight and participation
      • Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
      • Number of business stakeholder reviews per risk assessment

    Info-Tech Insight

    Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.

    Review risk assessment fundamentals

    Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

    In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

    Calculating risk severity

    How much you expect a risk event to cost if it were to occur:

    Likelihood of Risk Impact

    e.g. $250,000 or “High”

    X

    Calibrated by how likely the risk is to occur:

    Likelihood of Risk Occurrence

    e.g. 10% or “Low”

    =

    Produces a dollar value or “severity level” for comparing risks:

    Risk Severity

    e.g. $25,000 or “Medium”
    Which must be evaluated against thresholds for acceptable risk and the cost of risk responses.

    Risk Tolerance
    Risk Response

    CBA
    Cost-benefit analysis

    Maintain the engagement of key stakeholders in the risk assessment process

    1

    Engage the Business During Assessment Process

    Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO).

    Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.

    2

    Verify the Risk Impact and Assessment

    If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.

    3

    Identify Where the Business Focuses Attention

    While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding.

    Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.

    Info-Tech Insight

    If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.

    Info-Tech recommends a two-level approach to risk assessment

    Review the two levels of risk assessment offered in this blueprint.

    Risk severity level assessment (mandatory)

    1

    Information

    Number of risks: Assess all risk events identified in Phase 1.
    Units of measurement: Use customized likelihood and impact “levels.”
    Time required: One to five minutes per risk event.

    Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    X

    Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    =

    Output


    Risk Security Level:

    Moderate

    Example of a risk severity level assessment chart.
    Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

    Assess all of your identified risk events with a risk severity-level assessment.

    • By creating a likelihood and impact assessment scale divided into three to nine “levels” (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
    • In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
    • Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.

    Info-Tech recommends a two-level approach to risk assessment (continued)

    Expected cost assessment (optional)

    2

    Information

    Number of risks: Only assess high-priority risks revealed by severity-level assessment.
    Units of measurement: Use actual likelihood values (%) and impact costs ($).
    Time required: 10-20 minutes per risk event.

    Assess Likelihood

    15%

    Moderate

    X

    Assess Likelihood

    $100,000

    High

    =

    Output


    Expected Cost:

    $15,000

    Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.

    Conduct expected cost assessments for IT’s greatest risks.

    For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

    Why conduct expected cost assessments?
    • Expected cost represents how much you would expect to pay in an average year for each risk event.
    • Communicate risk priorities to the business in language they can understand.
    • While risk severity levels are useful for comparing one IT risk to another, expected cost data allows the business to compare IT risks to non-IT risks that may not use the same scales.
    Why is expected cost assessment optional?
    • Determining robust likelihood values and precise impact estimates can be challenging and time consuming.
    • Some risk events may require extensive data gathering and industry analysis.

    Implement and leverage a centralized risk register

    The purpose of the risk register is to act as the repository for all the risks that have been identified within your environment.

    Use this tool to:

    1. Collect and maintain a repository for all IT risk events impacting the organization and relevant information for each risk.
      • Capture all relevant IT risk information in one location.
      • Organize risk identification and assessment information for transparent risk management, stakeholder review, and/or internal audit.
    2. Calculate risk severity scores to prioritize risk events and determine which risks require a risk response.
      • Separate acceptable and unacceptable risks (as determined by the business).
      • Rank risks based on severity levels.
    3. Assess risk responses and calculate residual risk.
      • Evaluate the effect that proposed risk response actions will have on top risk events and quantify residual risk magnitude.
      • This step will be completed in section 3.1

    2.2.1 Determine the threshold for (un)acceptable risk

    1-4 hours

    Input: Risk events, Risk appetite

    Output: Threshold for risk identified

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    There are times when the business needs to know about IT risks with high expected costs.

    1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that “high” or “extreme” risks are immediately communicated to senior leadership.
    2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business’ tolerance/appetite for risk.

    This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.

    If your organization has ERM, adopt the existing acceptability threshold.

    Record this threshold in section 5.3 of the Risk Management Program Manual

    2.2.2 Create a financial impact assessment scale

    1-4 hours

    Input: Risk events, Risk threshold

    Output: Financial impact scale created

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Create a scale to assess the financial impact of risk events.
      • Typically, risk impacts are assessed on a scale of 1-5; however, some organizations may prefer to assess risks using 3, 4, 7, or 9-point scales.
    2. Ensure that the unacceptable risk threshold is reflected in the scale.
      • In the example provided, the unacceptable risk threshold ($100,000) is represented as “High” on the impact scale.
    3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    Convert project overruns and service outages into costs

    Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.

    • While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business’ confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
    • Remember, complex risk events can be analyzed further with an expected cost assessment.
    Project Overruns Scale for the use of cost assessment with dollar amounts associated with impact levels. '$250,000 - Extreme', '$100,000 - High', '$60,000 - Moderate', '$35,000 - Low', '$10,000 - Negligible'.

    Project

    Time (days)

    20 days

    Number of employees

    8

    Average cost per employee (per day)

    $300

    Estimated cost

    $48,000
    Service Outages

    Service

    Time (hours)

    4 hours

    Lost revenue (per hour)

    $10,000

    Estimated cost

    $40,000

    Impact scale

    Low

    2.2.3 Select a technique to measure reputational cost (1 of 3)

    1-3 hours

    Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

    Reputational cost can take several forms, including the internal and external perception of:
    1. Brand likeability
    2. Product quality
    3. Leadership capability
    4. Social responsibility

    Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.

    Technique #1 – Use financial indicators:

    For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue.

    If possible, use these measures to put a price on reputational loss:

    • Lost revenue attributable to reputation loss
    • Loss of market share attributable to reputation loss
    • Drops in share price attributable to reputation loss (for public companies)

    Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.

    • If you are not able to effectively translate all reputational costs into financial costs, proceed to techniques 2 and 3 on the following slides.

    2.2.3 Select a technique to measure reputational cost (2 of 3)

    1-3 hours
    It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
    • For example, a government organization may be unable to directly quantify the cost of losing the confidence and/or support of the public.
    • A helpful technique is to reframe how reputation is assigned value.
    Technique #2 – Calculate the value of avoiding reputational cost:
    1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language.

    For example:

    A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:

    • Loss of organizational trust in IT
    • IT’s reputation as a value provider to the organization is tarnished
    • Loss of client trust in the organization
    • Potential for a public reprimand of the organization by the government to restore public trust
  • Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.
  • Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
  • 2.2.3 Select a technique to measure reputational cost (3 of 3)

    1-3 hours

    If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

    Technique #3 – Create a parallel scale for reputational impact:

    Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:

    • Internal vs. External
    • Low Amplification vs. High Amplification
    • Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
      Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact.
      After establishing a scale for reputational impact, test whether it reflects the severity of the financial impact levels in the financial impact scale.

    • For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?
    Example:
    Scale for the use of cost assessment  of reputational impact with dimension combinations associated with impact levels. 'External, High Amp, (regulators, lawsuits) - Extreme', 'Internal, High Amp, (CEO) - Low', 'Internal, Low Amp (IT) - Negligible'.

    2.2.4 Create a likelihood scale

    1-3 hours

    Instructions:
    1. Create a scale to assess the likelihood that a risk event will occur over a given period of time.
      • Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year).
    2. Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9).
    3. The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization’s aversion towards uncertainty.
      • For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a “High” likelihood of occurrence.
    4. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.)

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    Scale to assess the likelihood that a risk event will occur. '80-99% - Extreme', '60-79% - High', '40-59% - Moderate' '20-39% - Low', '1-19% - Negligible'.

    Info-Tech Insight

    Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
    For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.

    2.2.5 Risk severity level assessment

    6-10 hours

    Input: Risk events identified

    Output: Assessed the likelihood of occurrence and impact for all identified risk events

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Document the “Risk Category” and “Existing Controls.” in the Risk Register Tool.
      • (See the slide following this activity for tips on identifying existing controls.)
    2. Assign each risk event a likelihood and impact level.
      • Remember, you are assessing the impact that a risk event will have on the organization as a whole, not just on IT.
    3. When assigning a financial impact level to a risk event, factor in the likely number of instances that the event will occur within the time frame for which you are assessing (usually one year).
      • For risk events like third-party service outages that typically occur a few times each year, assign them an impact level that reflects the likelihood of financial impact the risk event will have over the entire year.
      • E.g. If your organization is likely to experience two major service outages next year and each outage costs the organization approximately $15,000, the total financial impact is $30,000.

    Record results in the Risk Register Tool

    2.2.5 Risk severity level assessment (continued)

    Instructions (continued):
    1. Assign a risk owner to non-negligible risk events.
      • For organizations that practice ongoing risk management and frequently reassess their risk portfolio (minimum once per year), risk ownership does not need to be assigned to “Negligible” or low-level risks.
      • View the following slides for advice on how to select a risk owner and information on their responsibilities.
    2. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy:
      • Is a service outage really twice as impactful as our primary software provider going out of business?
      • Is a data breach far more likely than a ›1 hour web-services outage?
    Tips for Selecting Likelihood Values:

    Does ~10% sound right?

    Test a likelihood estimate by assessing the truth of the following statements:

    • The risk event will likely occur once in the next ten years (if the environment remains nearly identical).
    • If ten organizations existed that were nearly identical to our own, it is likely that one out of ten would experience the risk event this year.

    Screenshot of a risk severity level assessment.

    Identify current risk controls

    Consider how IT is already addressing key risks.

    Types of current risk control

    Tactical controls

    Apply to individual risks only.

    Example: A tactical control for backup/replication failure is faster WAN lines.

    Tactical risk control Strategic controls

    Apply to multiple risks.

    Example: A strategic control for backup/replication failure is implementing formal DR plans.

    Strategic risk control
    Risk event Risk event Risk event

    Screenshot of the column headings on the risk severity level assessment with 'Current Controls' highlighted.
    Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

    Info-Tech Insight

    Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.

    Assign a risk owner for each risk event

    Designate a member of the IT risk council to be responsible for each risk event.

    Selecting the Appropriate Risk Owner

    Use the following considerations to determine the best owner for each risk:

    • The risk owner should be familiar with the process, project, or IT function related to the risk event.
    • The risk owner should have access to the necessary data to monitor and measure the severity of the risk event.
    • The risk owner’s performance assessment should reflect their ability to demonstrate the ongoing management of their assigned risk events.

    Screenshot of the column headings on the risk severity level assessment with 'Risk Owner' highlighted.

    Risk Owner Responsibilities

    Risk ownership means that an individual is responsible for the following activities:

    • Monitoring the threat or vulnerability for changes in the likelihood of occurrence and/or likely impact.
    • Monitoring changes in the market and external environment that may alter the severity of the risk event.
    • Monitoring changes of closely related risks with interdependencies.
    • Developing and using key risk indicators (KRIs) to measure changes in risk severity.
    • Regularly reporting changes in risk severity to the IT risk council.
    • If necessary, escalating the risk event to other IT risk council personnel or senior management for reassessment.
    • Monitoring risk severity levels for risk events after a risk response has been implemented.

    Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)

    Sample of the Risk Costing Tool.

    Use this tool to:

    1. Conduct a deeper analysis of severe risks.
      • Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
      • Identify the maximum financial impact that the risk event may inflict.
    2. Assess the effectiveness of multiple risk responses for each risk event.
      • Determine how proposed risk events will change the likelihood of occurrence and financial impact of the risk event.
    3. Incorporate risk proximity into your cost-benefit analysis of risk responses.
      • Illustrate how spending decisions will impact the expected cost of the risk event over time.

    2.2.6 Expected cost assessment (optional)

    Assign likelihood and financial impact values to high-priority risks.

    Select risks with these characteristics:

    Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria.

    The risk:

    • Has been assigned to the highest risk severity level.
    • Has exposed the organization previously and had severe implications.
    • Exceeds the organization’s threshold for financial impact.
    • Involves an IT function that is highly visible to the business.
    • Will likely require risk response actions that will exceed current IT budgetary constraints.
    • Is conducive to expected cost assessment:
      • There is general consensus on likelihood estimates.
      • There is general consensus on financial impact estimates.
      • Historical data exists to support estimates.
    Determine which risks require a deeper assessment:

    Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register.

    Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business.

    Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment


    Record the list of risk events requiring second-level assessment in the Risk Costing Tool.

    • Transfer the likelihood and impact levels for each event into the Risk Costing Tool using data from the Risk Register Tool.

    2.2.6 Expected cost assessment (continued)

    Assign likelihood and financial impact values to high-priority risks.

    Instructions:
    1. Go through the list of prioritized risks in the Risk Costing Tool one by one. Indicate the likelihood and impact level (from the Risk Register Tool) for the risk event being assessed.
    2. Record likelihood values (1-99%) and impact values ($) from participants.
      • Only record values from individuals that indicate they are fairly confident with their estimates.
      • Keep likelihood estimates to values that are multiples of five.
    3. Estimate and record the maximum impact that the risk event could inflict.
      • See Appendix III for information on how the possibility of high-impact scenarios may influence your decision making.
    4. Discuss the estimates provided. Eliminate outliers and retracted estimates.
      • If you are unable to achieve consensus, take the average of the values provided.
    5. If you are having difficulty arriving at a likelihood or impact value, select the median value of the level assigned to the risk during the risk severity level assessment.
      • E.g. Risk event assigned to likelihood level “Moderate” (20-39%). Select a likelihood value of 30%.

    Screenshot of the column headings on the risk severity level assessment with 'Optional Inherent Likelihood Parameters' and 'Optional Inherent Impact Parameters' highlighted.

    Who should participate?
    • Depending on the size of your IT risk council, you may want to consider conducting this exercise in a smaller group.
    • Ideally, you should try to find the right balance between ensuring that the necessary experience and knowledge is in the room while insulating the exercise from outlier opinions, noise, and distractions.

    Evaluate likelihood and impact

    Refine your risk assessment process by developing more accurate measurements of likelihood and impact.

    Intersubjective likelihood

    The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact.

    By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.

    Example: The Delphi Method

    The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.

    • Participants are sent a series of sequential questionnaires (typically by email).
    • The first questionnaire asks them what the likelihood, likely impact, and expected cost is for a specific risk event.
    • Data from the questionnaire is compiled and then communicated in a subsequent questionnaire, which encourages participants to restate or revise their estimates given the group’s judgements.
    • With each successive questionnaire, responses will typically converge around a single intersubjective value.
    Justifying Your Estimates:

    When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    Info-Tech Insight

    The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all.

    Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.

    Build an IT Risk Management Program

    Phase 3

    Monitor, Respond, and Report on IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Develop key risk indicators (KRIs) and escalation protocols
    • Establish the reporting schedule
    • Identify and assess risk responses
    • Analyze risk response cost-benefit
    • Create multi-year cost projections
    • Obtain executive approval for risk action plans
    • Socialize the Risk Report
    • Transfer ownership of risk responses to project managers
    • Finalize the Risk Management Program Manual

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Risk business owner

    Step 3.1

    Monitor IT Risks and Develop Risk Responses

    Activities
    • 3.1.1 Develop key risk indicators (KRIs) and escalation protocols
    • 3.1.2 Establish the reporting schedule
    • 3.1.3 Identify and assess risk responses
    • 3.1.4 Risk response cost-benefit analysis
    • 3.1.5 Create multi-year cost projections

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owner

    Outcomes of this step

    • Completed risk event action plans
    • Risk responses identified and assessed for top risks
    • Risk response selected for top risks

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Use Info-Tech’s Risk Event Action Plan to manage high-priority risks

    Manage risks in between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

    Risk Event Action Plan Sample of the Risk Event Action Plan deliverable.

    Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.

    Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.

    3.1.1 Develop key risk indicators (KRIs) and escalation protocols

    The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.

    Instructions:
    1. Design key risk indicators (KRIs) for risks that measure changes in their severity and document them in the Risk Event Action Plan.
      • See the following slide for examples.
    2. Clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates) in the Risk Event Action Plan.

    Note: Examples of KRIs can be found on the following slide.

    What are KRIs?
    • KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds.
    • KRIs should serve as tripwires or early-warning indicators that trigger further actions to be taken on the risk.
    • Further actions may include:
      • Escalation to the risk owner (if delegated) or to a member of the senior leadership team.
      • Reporting to the IT risk council or IT steering committee.
      • Reassessment.
      • Updating the risk monitoring schedule.

    Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

    Developing KRIs for success

    Visualization of KRI development, from the 'Risk Event' to the 'Intermediate Steps' with 'KRI Measurements' to the image of a growing seed.

    Examples of KRIs

    • Number of resources who quit or were fired who had access to critical data
    • Number of risk mitigation initiatives unfunded
    • Changes in time horizon of mitigation implementation
    • Number of employees who did not report phishing attempts
    • Amount of time required to get critical operations access to necessary data
    • Number of days it takes to implement a new regulation or compliance control

    3.1.2 Establish the reporting schedule

    For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.

    • A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
    • The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.
    Reporting Risk Event
    Weekly reports to ITRC Risk event severity represented as a thermometer with levels 'Extreme', 'High', 'Moderate', 'Low', and 'Negligible'.
    Bi-weekly reports to ITRC
    Monthly reports to ITRC
    Report to ITRC only if KRI thresholds triggered
    No reports; reassessed bi-annually

    Use Info-Tech’s tools to identify, analyze, and select risk responses

    1

    (Mandatory)
    Tool

    Screenshot of the Risk Register Tool.

    Risk Register Tool

    Information
    • Develop risk responses for all risk events pre-populated on the “2. Risk Register” sheet of the Risk Register Tool.
    • Document the root cause of the risk (Activity 3.1.3) and other contributing factors (Activity 3.1.4).
    • Identify risk responses (Activity 3.1.5).
    • Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk (Activity 3.1.5).
    • The tool will calculate the residual severity of the risk after applying the risk response.

    2

    (Optional)
    Tool

    Screenshot of the Risk Costing Tool.

    Risk Costing Tool

    Information
    • Continue your second-level risk analysis for top risks for which you calculated expected cost in section 2.2.
    • Activity 3.1.5:
      • Identify between one and four risk response options for each risk.
      • Develop precise values for residual likelihood and impact.
      • Compare expected cost of the risk event to expected residual cost.
      • Select the risk response to recommend to senior leadership and document it in the Risk Register Tool.

    Determine the root cause of IT risks

    Root cause analysis

    Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event.

    Diagnosing the root cause of a risk as well as the environmental factors that increase its potential impact and likelihood of occurring allow you to identify more effective risk responses.

    Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.

    Concentric circles with 'Root Cause' at the center, 'Contributing Factors' around it, and 'Symptoms' on the outer circle.

    Example of 'The Five Whys Methodology', tracing symptoms to their root cause. In 'Symptoms' we see 'Risk Event: Network outage', Why? 'Network congestion', Why? Then on to 'Contributing Factors' the answer is 'Inadequate bandwidth for latency-sensitive applications', Why? 'Increased business use of latency-sensitive applications', Why? And finally to the 'Root Cause', 'Business units rely on 'real-time' data gathered from latency-sensitive applications', Why?

    Identify factors that contribute to the severity of the risk

    Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.

    What factors matter?

    Identify relevant actors and assets that amplify or diminish the severity of the risk.

    Actors

    • Internal (business units)
    • External (vendor, regulator, market, competitor, hostile actor)

    Assets/Resources

    • Infrastructure
    • Applications
    • Processes
    • Information/data
    • Personnel
    • Reputation
    • Operations
    Develop risk responses that target contributing factors.
    Root cause:
    Business units rely on “real-time” data gathered from latency-sensitive applications

    Actors: Enterprise App users (Finance, Product Development, Product Management)

    Asset/resource: Applications, network

    Risk response:
    Decrease the use of latency-sensitive applications.

    X

    Decreasing the use of key apps contradicts business objectives.

    Contributing factors:
    Unreliable router software

    Actors: Network provider, router vendor, router software vendor, IT department

    Asset/resource: Network, router, router software

    Risk response:
    Replace the vendor that provides routers and router software.

    Replacing the vendor would reduce network outages at a relatively low cost.

    Symptoms:
    Network outage

    Actors: All business units, network provider

    Asset/resource: Network, business operations, employee productivity

    Risk response:
    Replace legacy systems.

    X

    Replacing legacy systems would be too costly.

    3.1.3 Identify and assess risk responses

    Instructions:
    Complete the following steps for each risk event.
    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the event were to occur.
      • Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level.
      • This is the same step performed in Activity 2.2.6, when initial likelihood and impact levels were determined; however, now you are estimating the likelihood and impact of the risk event after the risk response action has been implemented successfully.
      • The Risk Register Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Risk Register Tool.
    Document the following in the Risk Event Action Plan for each risk event:
      • Risk response actions
      • Residual likelihood and impact levels
      • Residual risk severity level
    • Review the following slides about the four types of risk response to help complete the activity.
      1. Avoidance
      2. Mitigation
      3. Transfer
      4. Acceptance

    Record the results in the Risk Event Action Plan.

    Take actions to avoid the risk entirely

    Risk Avoidance

    • Risk avoidance involves taking evasive maneuvers to avoid the risk event.
    • Risk avoidance targets risk likelihood, decreasing the likelihood of the risk event occurring.
    • Since risk avoidance measures are fairly drastic, the likelihood is often reduced to negligible levels.
    • However, risk avoidance response actions often sacrifice potential benefits to eliminate the possibility of the risk entirely.
    • Typically, risk avoidance measures should only be taken for risk events with extremely high severity and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk.

    Example

    Risk event: Information security vulnerability from third-party cloud services provider.

    • Risk avoidance action: Store all data in-house.
    • Benefits sacrificed: Cost savings, storage flexibility, etc.
    Stock photo of a person hikiing along a damp, foggy, valley path.

    Pursue projects that reduce the likelihood or impact of the risk event

    Risk Mitigation

    • Risk mitigation actions are risk responses that reduce the likelihood and impact of the risk event.
    • Risk mitigation actions can be to either implement new controls or enhance existing ones.
    Example 1

    Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact.

    Example

    Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.

    • EMM reduces the likelihood that sensitive data is accessed by a nefarious actor.
    • The remote-wipe capability reduces the impact by closing the window that sensitive data can be accessed from.
    Example 2

    However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact.

    Example

    Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.

    • This mitigation decreases the number of corporate phones that have access to (or are storing) sensitive data, thereby decreasing the likelihood that a device is compromised.
    Example 3

    Others will reduce the potential impact without decreasing its likelihood of occurring.

    Example

    Mitigation: Use robust encryption for all sensitive data.

    • Corporate-issued mobile phones are just as likely to fall into the hands of nefarious actors, but the financial impact they can inflict on the organization is greatly reduced.

    Pursue projects that reduce the likelihood or impact of the risk event (continued)

    Use the following IT functions to guide your selection of risk mitigation actions:

    Process Improvement

    Key processes that would most directly improve the risk profile:

    • Change Management
    • Project Management
    • Vendor Management
    Infrastructure Management
    • Disaster Recovery Plan/Business Continuity Plan
    • Redundancy and Resilience
    • Preventative Maintenance
    • Physical Environment Security
    Personnel
    • Greater staff depth in key areas
    • Increased discipline around documentation
    • Knowledge Management
    • Training
    Rationalization and Simplification

    This is a foundational activity, as complexity is a major source of risk:

    • Application Rationalization – reducing the number of applications
    • Data Management – reducing the volume and locations of data

    Transfer risks to a third party

    Risk transfer: the exchange of uncertain future costs for fixed present costs.

    Insurance

    The most common form of risk transfer is the purchase of insurance.

    • The uncertain future cost of an IT risk event can be transferred to an insurance company who assumes the risk in exchange for insurance premiums.
    • The most common form of IT-relevant insurance is cyberinsurance.

    Not all risks can be insured. Insurable risks typically possess the following five characteristics:

    1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
    2. The insured cannot profit from the occurrence of the risk event.
    3. The loss must be able to be measured in monetary terms.
    4. The organization must have an insurable interest (it must be the party that incurs the loss).
    5. An insurance company must offer insurance against that risk.
    Other Forms of Risk Transfer

    Other forms of risk transfer include:

    • Self-insurance
      • Appropriate funds can be set aside in advance to address the financial impact of a risk event should it occur.
    • Warranties
    • Contractual transfer
      • The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
      • For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.
    • Example email addressing fields of an IT Risk Transfer to an insurance company.

    Accept risks that fall below established thresholds

    Risk Acceptance

    Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.

    You may choose to accept a risk event for one of the following three reasons:

    1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
    2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
    3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.

    Info-Tech Insight

    Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.

    3.1.4 Risk response cost-benefit analysis (optional)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

    Instructions:
    1. Reopen the Risk Costing Tool. For each risk that you conducted an expected cost assessment in section 2.2 for, find the Excel sheet that corresponds to the risk number (e.g. R001).
    2. Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool.
      • The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses.
      • For the following steps, go through the risk responses one by one.
    3. Estimate the first-year cost for the risk response.
      • This cost should reflect initial capital expenditures and first-year operating expenditures.
    Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with 'Capital Expenditures' and 'Operating Expenditures' highlighted.

    Record the results in the Risk Costing Tool.

    3.1.4 Risk response cost-benefit analysis (continued)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    Instructions:

    1. Estimate residual risk likelihood and financial impact for Year 1 with the risk response in place.
      • Rather than estimating the likelihood level (low, medium, high), determine a precise likelihood value of the risk event occurring once the response has been implemented.
      • Estimate the dollar value of financial impacts if the risk event were to occur with the risk response in place.
      • Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with figured for 'Financial Impact' and 'Probability' highlighted. The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost
    2. Select the highest value risk response and document it in the Risk Register Tool.
    3. Document your analysis and recommendations in the Risk Event Action Plan.

    Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.

    3.1.5 Create multi-year cost projections (optional)

    Select between risk response options by projecting their costs and benefits over multiple years.

    • It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
    • However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure. Whereas, incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.
    Instructions:

    Calculate expected cost for multiple years using the Risk Costing Tool for:

    • Risk events that are subject to change in severity over time.
    • Risk responses that reduce the severity of the risk gradually.
    • Risk responses that cannot be implemented immediately.

    Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.

    Sample charts on the cost of risk responses from the Risk Costing Tool.

    Record the results in the Risk Costing Tool.

    Step 3.2

    Report IT Risk Priorities

    Activities
    • 3.2.1 Obtain executive approval for risk action plans
    • 3.2.2 Socialize the Risk Report
    • 3.2.3 Transfer ownership of risk responses to project managers
    • 3.2.4 Finalize the Risk Management Program Manual

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team

    Outcomes of this step

    • Obtained approval for risk action plans
    • Communicated IT’s risk recommendations to senior leadership
    • Embedded risk management into day-to-day IT operations

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Effectively deliver IT risk expertise to the business

    Communicate IT risk management in two directions:

    1. Up to senior leadership (and ERM if applicable)
    2. Down to IT employees (embedding risk awareness)
    3. Visualization of communicating Up to 'Senior Leadership' and Down to 'IT Personnel'.

    Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.

    Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively.

    A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication.

    The two primary goals of upward communication are:

    1. Transferring accountability for high-priority IT risks to the ERM or to senior leadership.
    2. Obtaining funds for risk response projects recommended by the ITRC.

    Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication.

    The two primary goals of downward communication are:

    1. Fostering a risk-aware IT culture.
    2. Ensuring that the IT risk management program maintains momentum and runs effectively.

    3.2.1 Obtain executive approval for risk action plans

    Best Practices and Key Benefits

    Best practice is for all acceptable risks to also be signed-off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.

    By receiving a stamp of approval for each key risk from senior management, you ensure that:

    1. The organization is aware of important IT risks that may impact business objectives.
    2. The organization supports the risk assessment conducted by the ITRC.
    3. The organization supports the plan of action and monitoring responsibilities proposed by the ITRC.
    4. If a risk event were to occur, the organization holds ultimate accountability.
    Sample of the Risk Event Action Plan template.

    Task:
    All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.

    • In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
    • Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.

    3.2.2 Socialize the risk report

    Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

    The Risk Report contains:
    • An executive summary page highlighting the main takeaways for senior management:
      • A short summary of results from the most recent risk assessment
      • Dashboard
      • A list of top 10 risks ordered from most severe to least
    • Subsequent individual risk analyses (1 to 10)
      • Detailed risk assessment data
      • Risk responses
      • Risk response analysis
      • Multi-year cost projection (see the following slide)
      • Dashboard
      • Recommendations
    Sample of the Risk Report template.

    Risk Report

    Pursue projects that reduce the likelihood or impact of the risk event

    Encourage risk awareness to extend the benefits of risk management to every aspect of IT.

    Benefits of risk awareness:

    • More preventative and proactive approaches to IT projects are discussed and considered.
    • Changes to the IT threat landscape are more likely to be detected, communicated, and acted upon.
    • IT possesses a realistic perception of its ability to perform functions and provide services.
    • Contingency plans are put in place to hedge against risk events.
    • Fewer IT risks go unidentified.
    • CIOs and business executives make better risk decisions.

    Consequences of low risk awareness:

    • False confidence about the number of IT risks impacting the organization and their severity.
    • Risk-relevant information is not communicated to the ITRC, which may result in inaccurate risk assessments.
    • Confusion surrounding whose responsibility it is to consider how risk impacts IT decision making.
    • Uncertainty and panic when unanticipated risks impact the IT department and the organization.

    Embedding risk management in the IT department is a full-time job

    Take concrete steps to increase risk-aware decision making in IT.

    The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

    Embed risk management in project planning

    Make time for discussing project risks at every project kick-off.
    • A main benefit of including senior personnel from across IT in the ITRC is that they are able to disseminate the IT risk council’s findings to their respective practices.
    • At project kick-off meetings, schedule time to identify and assess project-specific risks.
    • Encourage the project team to identify strategies to reduce the likelihood and impact of those risks and document these in the project charter.
    • Lead by example by being clear and open about what constitutes acceptable and unacceptable risks.

    Embed risk management with employee

    Train IT staff on the ITRC’s planned responses to specific risk events.
    • If a response to a particular risk event is not to implement a project but rather to institute new policies or procedures, ensure that changes are communicated to employees and that they receive training.
    Provide risk management education opportunities.
    • Remember that a more risk-aware IT employee provides more value to the organization.
    • Invest in your employees by encouraging them to pursue education opportunities like receiving risk management accreditation or providing them with educational experiences such as workshops, seminars, and eLearning.

    Embedding risk management in the IT department is a full-time job (continued)

    Encourage risk awareness by adjusting performance metrics and job titles.

    Performance metrics:

    Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.

    • Personalize the risk management program metrics you have documented in your Risk Management Program Manual.
    • Evidence that KPIs are monitored and frequently reported is also a good indicator that risk owners are fulfilling their risk management responsibilities.
    • Info-Tech Insight

      If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

    Job descriptions:

    Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.

    • Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.

    3.2.3 Transfer ownership of risk responses to project managers

    Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged projects.

    Image of a hand giving a key to another hand and a circle split into quadrants of Governance with 'Governance of Risks' being put into 'Governance of Projects'.

    3.2.4 Finalize the Risk Management Program Manual

    Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.

    Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.

    The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.

    Sample of the Risk Management Program Manual. Risk Management Program Manual

    “Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)

    Don’t allow your risk management program to flatline

    54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)

    Don’t be lulled into a false sense of security. It might be your greatest risk.

    So you’ve identified the most important IT risks and implemented projects to protect IT and the business.

    Unfortunately, your risk assessment is already outdated.

    Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

    To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:

    Revive Your Risk Management Program With a Regular Health Check

    • Complete Info-Tech’s Risk Management Health Check to seize the momentum you created by building a robust IT risk management program and create a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
    • Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.

    Appendix I: Familiarize yourself with key risk terminology

    Review important risk management terms and definitions.

    Risk

    An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007).

    Threat

    An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).

    Vulnerability

    A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes).

    Risk Management

    The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).

    Risk Category

    Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.

    Risk Event

    A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.

    Risk Appetite

    An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.

    Enterprise Risk Management

    (ERM) – A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).

    Appendix II: Likelihood vs. Frequency

    Why we measure likelihood, not frequency:

    The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.

    Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).

    • For risk assessment, historical data regarding the frequency of a risk event is commonly used to indicate the likelihood that the event will happen in the future.

    Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

    False Objectivity

    While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.

    Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.

    Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.

    Appendix III: Should max impacts sway decision making?

    Don’t just fixate on the most likely impact – be aware of high-impact outcomes.

    During assessment, risks are evaluated according to their most likely financial impact.

    • For example, a service outage will likely last for two hours and may have an expected cost of $14,000.

    Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.

    • For example, it is possible that a service outage could last for days; however, the likelihood for such an event may be well below 1%.

    While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.

    • However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore).
    • What you consider “non-negligible” will depend on your organizational risk tolerance/appetite.

    Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).

    • A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely.

    For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.

    Figure 1 is a graph presenting a 'Normal Likelihood Distribution', the axes being 'Likelihood' and 'Financial Impact'.
    Figure 2 is a graph presenting a 'Fat-Tailed Likelihood Distribution' with a point at the top of the parabola labelled 'Most Likely Impact' but with a much wider bottom labelled 'Fat-Tailed Outcomes', the axes being 'Likelihood' and 'Financial Impact'.

    Leverage Info-Tech’s research on security and compliance risk to identify additional risk events

    Title card of the Info-tech blueprint 'Take Control of Compliance Improvement to Conquer Every Audit' with subtitle 'Don't gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.


    Take Control of Compliance Improvement to Conquer Every Audit

    Info-Tech Insight

    Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.

    Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.

    Stock photo of a woman sitting at a computer surrounded by rows of computers.


    Develop and Implement a Security Risk Management Program

    Info-Tech Insight

    Security risk management equals cost effectiveness.

    Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.

    Research Contributors and Experts

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Christine Coz
    Executive Counsellor
    Info-Tech Research Group

    Milena Litoiu
    Principal Research Director
    Info-Tech Research Group

    Scott Magerfleisch
    Executive Advisor
    Info-Tech Research Group

    Aadil Nanji
    Research Director
    Info-Tech Research Group

    Andy Neill
    Associate Vice-President of Research
    Info-Tech Research Group

    Daisha Pennie
    IT Risk Management
    Oklahoma State University

    Ken Piddington
    CIO and Executive Advisor
    MRE Consulting

    Frank Sewell
    Research Director
    Info-Tech Research Group

    Andrew Sharpe
    Research Director
    Info-Tech Research Group

    Chris Warner
    Consulting Director- Security
    Info-Tech Research Group

    Sterling Bjorndahl
    Director of IT Operations
    eHealth Saskatchewan

    Research Contributors and Experts

    Ibrahim Abdel-Kader
    Research Analyst
    Info-Tech Research Group

    Tamara Dwarika
    Internal Auditor
    A leading North American Utility

    Anne Leroux
    Director
    ES Computer Training

    Ian Mulholland
    Research Director
    Info-Tech Research Group

    Michel Fossé
    Consulting Services Manager
    IBM Canada (LGS)

    Petar Hristov
    Research Director
    Info-Tech Research Group

    Steve Woodward
    Research Director
    CEO, Cloud Perspectives

    *Plus 10 additional interviewees who wish to remain anonymous.

    Bibliography

    “2021 State of the CIO.” IDG, 28 January 2021. Web.

    “4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.

    Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.

    COBIT 2019. ISACA, 2019. Web.

    “Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.

    Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.

    Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.

    “Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.

    Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.

    Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.

    “Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.

    Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.

    “Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.

    “Guidance on Enterprise Risk Management.” COSO, 2022. Web.

    Henriquez, Maria. “The Top 10 Data Breaches of 2021” Security Magazine, 9 December 2021. Web.

    Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.

    Bibliography

    “Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.

    “ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.

    ISO 31000 Risk Management. ISO, 2018. Web.

    Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.

    Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.

    Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.

    “Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.

    Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.

    “Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.

    Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.

    “Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KMPG and RMA, 2014. Web.

    “Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.

    Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.

    Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.

    Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.

    “What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.

    Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.

    Drive Innovation With an Exponential IT Mindset

    • Buy Link or Shortcode: {j2store}107|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation

    To drive a rapid shift towards the adoption of emerging technology, CIOs need:

    • Highly specialized knowledge of emerging technology and trends
    • The ability to engage the business in co-creating value via emerging technology
    • The skills to manage complex enterprise risk
    • Strong governance processes which support enterprise change management

    Our Advice

    Critical Insight

    IT must lead the innovation capabilities that will drive the adoption of emerging technology across the enterprise. In an exponential world, IT needs to adopt business value targets and become a value creator rather limit itself to IT service targets and remain a cost center in the organization.

    Impact and Result

    Assess your innovation capability in five key areas supporting Exponential IT:

    • Organizational Excellence
    • Insights & Intelligence
    • Agile Ideation
    • Team Capabilities
    • Innovation Operations

    Drive Innovation With an Exponential IT Mindset Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive Innovation With an Exponential IT Mindset – Learn about the new era of exponential innovation and the capabilities needed to succeed.

    This research walks you through how to assess your capabilities to lead enterprise innovation and drive Exponential IT.

    • Drive Innovation With an Exponential IT Mindset Storyboard

    2. Innovation Readiness Assessment – Assess your readiness to drive innovation and the adoption of emerging technology.

    This tool will facilitate your readiness assessment.

    • Innovation Readiness Assessment
    [infographic]

    Further reading

    Drive Innovation With an Exponential IT Mindset

    Are you ready to drive the adoption of autonomous business capabilities?

    A diagram that shows exponential IT

    Analyst Perspective

    IT must develop new capabilities to drive emerging tech adoption

    Traditionally, CIOs have struggled to gain the trust of the executive leadership team and be recognized as business leaders rather than just technical leaders. In fact, based on a 2023 study by Info-Tech Research Group, only 36% of CIOs report directly to the CEO with most of the remainder reporting through either the CFO or COO.

    Exponential IT requires that CIOs gain a seat at the table and build the capabilities necessary to not only lead the transformation of their business but also drive the innovation that will lead to enterprise adoption of emerging technologies. CIOs will be required to gain a detailed understanding of their business and in-depth knowledge of emerging technologies so that they can match business opportunities with technology capabilities, while managing risk and change.

    This research will help CIOs identify the capabilities they need to transform the business, and better understand where they must mature their capabilities to drive Exponential IT.

    Photo of Kim Osborne Rodriguez
    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    To drive a rapid shift toward adopting emerging technology, CIOs need:

    • Highly specialized knowledge of emerging technology and trends
    • The ability to engage the business in co-creating value via emerging technology
    • The skills to manage complex enterprise risk
    • Strong governance processes which support enterprise change management

    Common Obstacles

    Exponential IT is dramatically shifting how IT engages the business. Many CIOs are unprepared.

    • Innovation is increasingly important for competitive advantage and business growth, narrowing the gap between large and small players.
    • Over 80% of CXOs believe their CIOs are currently unable to drive change within the business.[1]
    • 40% of CXOs anticipate that IT must be able to transform the business to maintain relevance.[1]

    Info-Tech's Approach

    Is your IT team ready to drive the adoption of emerging technology? Assess your innovation capability in five key areas supporting Exponential IT:

    • Organizational Excellence
    • Insights & Intelligence
    • Agile Ideation
    • Team Capabilities
    • Innovation Operations

    [1] Info-Tech CXO-CIO diagnostic benchmark data, 2022, n=76

    Info-Tech Insight

    IT must lead the innovation capabilities that will drive the adoption of emerging technology across the enterprise. In an exponential world, IT needs to adopt business value targets and become a value creator rather than limit itself to IT service targets and remain a cost center in the organization.

    Drive innovation with an Exponential IT mindset

    Your ability to capture enterprise value from autonomization relies on your innovation capabilities and potential. Is your IT team ready to drive the adoption of AI-driven business processes? Assess your innovation readiness in five key areas supporting Exponential IT.

    A diagram that shows 5 key areas of exponential IT

    IT must rapidly mature

    If IT leaders cannot lead the transformation, then the business will move forward without them.

    Only 3% of CXOs report that their IT department can transform the business. Most IT organizations (81%) still struggle to adequately support the business.

    A diagram that shows IT maturity and exponential IT

    A diagram that shows IT capabilities Based on a Survey of CXOs (n=76)

    Common obstacles

    Leverage Exponential IT to drive value from the adoption of emerging tech

    The most common obstacles to innovation are cultural, including politics, lack of alignment on goals, misaligned culture, and an inability to act on indicators of change.[1]

    CIOs struggle to get a seat at the table and influence change. Info-Tech research shows that only 36% of CIOs report directly to the CEO, with over a third reporting to another C-suite leader such as a COO or CFO.[2]

    [1] Harvard Business Review, 2018
    [2] Info-Tech Research Group CIO Time Study, 2023

    Info-Tech Insight

    To drive change, CIOs need to gain the trust of their senior leadership team. Getting a seat at the table should be the first step for any CIO looking to transform their business.

    Many CIOs struggle to be seen as business leaders

    36%

    Only 36% of CIOs report directly to the CEO.

    Source: Info-Tech Research Group, 2023.

    48%

    48% of Boards report that they lack frequent or direct lines of communication with their CIOs.

    Source: CIO Dive, 2022

    Executive Brief: Case Study

    Logo of RBC Royal Bank

    • INDUSTRY: Financial Services
    • SOURCE: Borealis AI

    Borealis AI drives AI-powered transformation at Royal Bank of Canada

    Borealis AI is a research center backed by RBC Royal Bank, tasked with researching, designing, and building AI products and tools which transform the financial services industry. It gathers researchers with backgrounds in artificial intelligence (AI), computer vision, natural language processing (NLP), computer science, computational finance, mathematics, and machine learning (ML) to create solutions in areas including asynchronous temporal models, non-cooperative learning in competing markets, and causal machine learning from observational data.

    Results

    Borealis AI has created many innovative products for RBC, including:

    • NOMI Forecast: an award-winning personal financial management tool
    • Turing by Borealis AI: a text-to-SQL database interface using NLP
    • Aiden: an AI-powered electronic trading tool using reinforcement learning

    In 2023, Borealis AI won the Best Use of AI for Customer Experience award from The Digital Banker, for the NOMI Forecast app, which has been downloaded by nearly a million RBC clients since launching in 2021.


    "NOMI Forecast is a cutting-edge AI solution that uses deep learning to offer timely and accurate predictions of our clients' cashflow. Powered by our unique datasets, these AI models have been trained to deliver personalized experiences for RBC clients,"
    — Foteini Agrafioti, Chief Science Officer at RBC and Head of Borealis AI

    IT needs to connect emerging technology with business opportunities

    A diagram that shows exponential innovation, emerging technology, business opportunities.

    Emerging tech is driving business change

    A diagram that shows exponential innovation and its 5 elements.

    Innovation is critical for business success, but succeeding is more difficult than ever

    Emerging tech brings new challenges for organizations looking to create a competitive advantage. Access to sophisticated tools with minimal upfront costs have lowered the barriers to entry and democratized innovation, particularly among smaller players. The explosion of data processing & collaboration tools has allowed more focused and data-driven innovation efforts through analysis and insights, increasing the competitive advantage for those who get it right.

    This has led to an accelerated pace of change as autonomous business processes start driving their own market shifts. The rise of autonomous business processes creates exponential reward, but also exponential risk for early adopters.

    Innovation is increasingly critical for competitive growth

    IT innovation leadership explains 75% of the variation in satisfaction with IT (Source: Info-Tech Research Group survey, n=305) and is the fourth-highest priority for IT end users.

    A 7-year review by McKinsey (2020) showed that the most innovative companies[1] outperformed the market by upwards of 30%.

    A 25-year study by Business Development Canada & Statistics Canada showed that innovation was more important to business success than management, human resources, marketing, or finance.

    [1]Top innovators are defined as companies which were listed on Fast Company World's 50 Most Innovative Companies for 2+ years.

    Adapt your approach to innovation

    Both traditional and exponential (AI-driven) innovation is important for business success

    IT as a fast execution engine

    Ideal for developing new methods, products, or services which provide value to the organization

    Can be led by IT or the business, depending on the scope of innovation (IT generally leads IT/internal innovation while the business leads customer-focused innovation)

    Often follows the pace of the business

    IT is a fast executor on requests generated by the business

    Leverages Agile to develop new ideas and products, and uses DevOps to put into production


    Use Info-Tech's research to Build your Enterprise Innovation Program

    IT as an exponential innovation leader

    Ideal for driving the enterprise adoption of emerging tech and autonomous business capabilities

    Led by IT, which brings the understanding of emerging technology and can link opportunities to business problems

    Driven by a faster pace of change, which requires more frequent assessment of emerging technology

    IT is a fast executor on ideas and uses partnerships to drive execution

    Leverages Agile, machine learning operations (MLOps), DataOps and product design to test and implement ideas

    Use this research to successfully drive innovation with an Exponential IT mindset

    Measure the value of this blueprint

    Transformation efforts fail over 75% of the time[1] resulting in millions of dollars of lost revenue[2]

    Our research indicates that most organizations would take months to prepare this type of assessment without our resources. That's nearly 70 work hours spent researching and gathering data to support due diligence, for a total cost of thousands of dollars. Improve your success rate by understanding what's needed to successfully drive innovation.

    [1] Lombard, 2022
    [2] FutureCIO, 2022

    A photo of Establish a baseline

    A diagram that shows Estimated time commitment without Info-Tech's research (person-hours)

    Establish a baseline

    Gauge the effectiveness of this research by completing the following table before and after using this blueprint:

    A diagram that shows Establish a baseline

    How to use this research

    Five tips to get the most out of your readiness assessment

    1. Each category consists of five competencies, with a maximum of five points each. The maximum score on this assessment is 100 points.
    2. Effectiveness levels range from basic (Level 1) to advanced (Level 5). Level 1 is generally considered the baseline for most effectively operating organizations. If your organization is struggling with Level 1 competencies, focus on those before pursuing higher maturity areas.
    3. This assessment is qualitative. Complete the assessment to the best of your ability, based on the scoring rubric provided. If you fall between levels, use the lower one in your assessment.
    4. The scoring rubric may not perfectly fit the processes and practices within every organization. Consider the spirit of the description and score accordingly.
    5. Other industry- and region-specific competencies may be required to succeed at exponential innovation. The competencies in this assessment are a starting point, and internal validation and assessments should be conducted to uncover additional competencies and skills.

    Assess your innovation readiness:

    1. Organizational Excellence

    • Innovation mandate
    • Transformational leadership
    • Culture of innovation
    • Vision & strategy

    Organizational excellence sets the stage for innovation.

    "Innovation distinguishes between a leader and a follower." – Steve Jobs, Apple Founder

    Without strong leadership, innovation efforts are almost certain to fail. Innovation requires buy-in and support, a leader who walks the talk, culture which supports risk taking and allows failure, and a clear and compelling vision. Without these elements in place, transformation efforts are a fifteen times more likely to fail [1] – and waste time and money along the way.

    [1] Lombard, 2022.

    Focus on innovation to deliver business value

    Satisfaction drives IT value, and innovation leadership drives satisfaction with IT

    Strong leadership is critical to the success of innovation. A global survey of 600 business leaders pointed to leadership as the best predictor of innovation success[1] and showed a strong correlation between leadership ability and innovation capabilities.

    Innovation leadership starts with a mandate from the senior leadership team and requires a clearly articulated vision and strategy to deliver the intended benefits to the organization. A survey of 270 business leaders showed that over a third of them struggled with articulating the right strategy or vision, hindering their efforts to innovate.[2]

    45% of business leaders report that cultural issues stifle their innovation efforts, and 55% report unhealthy politics which cause infighting that negatively affects their organization.[2]

    [1] McKinsey, 2008
    [2] Harvard Business Review, 2018

    The importance of leadership

    75% of high IT satisfaction scores are associated with a strong ability to lead innovation.
    Source: Info-Tech Research Group survey, n=305

    Struggling to get a seat at the table?

    It can be challenging to drive innovation efforts without trust and buy-in from senior leadership. Start with small initiatives and build your reputation by consistently delivering on your commitments.

    Leadership starts with a mandate

    Build your innovation leadership with the following capabilities:

    Innovation mandate: There is strong support and trust from the senior leadership team, which gives IT leaders the opportunity to lead innovation despite any temporary failure. IT leaders are well-informed about and have input into business decisions.

    Transformational leadership: IT leaders are influential change agents, not only within their organization but across their industry or community. They inspire others and actively collaborate with external partners, driving change beyond their organization.

    Culture of innovation: Innovative cultures generally demonstrate ten behaviors that are most closely correlated with innovation success: growth mindset, learning-focused, psychological safety, curiosity, trust, willingness to fail, collaboration, diverse perspectives, autonomy, and appropriate risk-taking. These behaviors are embedded in the organization and strongly demonstrated in daily work.

    Vision & strategy: The innovation vision and strategy are continuously refined and adapted to changing market and emerging technology trends. Emerging technology innovation is second nature in the organization, and it becomes a leader in driving change across the industry.

    Additional resources for Organizational Excellence

    Photo of Build your Enterprise Innovation Program

    Build your Enterprise Innovation Program

    Define your innovation mandate
    Articulate your vision and guiding principles
    Build a culture of innovation

    Photo of Manage Your CXO Relations

    Manage Your CXO Relations

    Successfully manage CXO relationships to get a seat at the table and build your mandate to drive innovation

    Photo of CIO

    Become a Transformational CIO

    Build the capabilities to drive transformation as an IT leader in your organization

    Assess your innovation readiness:

    2. Insights & Intelligence

    • Business context
    • Strategic foresight
    • Emerging tech expertise
    • Strategic alignment

    The foundation of innovation is data.

    "Without data you're just another person with an opinion." – Edwards Deming, Statistician

    Having comprehensive and accurate data about the problems you hope to solve is critical to realizing the benefits of innovation. Build your understanding of the business and ability to predict how trends will impact your industry, then stay on top of emerging tech and align solutions with strategic business capabilities.

    Act on strategic indicators

    Build the ability to go from data to intelligence to insights

    Info-Tech data shows that businesses are 93% more likely to be satisfied with IT when their IT teams have a better understanding of the business. Teams need to understand who your organization serves, how it delivers value, and what its goals are.

    When seeking to capitalize on emerging technology opportunities, businesses face an execution challenge. 82% of business leaders report being able to identify leading indicators of change, but less than two thirds of them are confident in their ability to act on those indicators.[1]

    A report by Leadership IQ noted that only 29% of the 21,008 employees surveyed considered their leader's vision consistently well aligned with the organizational vision.[2] Strategic alignment is not just important from a results perspective. It impacts employee motivation: employees with strong leadership alignment are 24% more likely to give their best at work.[2]

    [1] Harvard Business Review, 2018
    [2] Leadership IQ, 2020

    Strategic Foresight Challenges

    82% of business leaders say they can correctly identify leading indicators of change…

    …however, only 58% feel confident in their abilities to act on these indicators.

    Source: Harvard Business Review, 2018

    You must understand the business

    Develop key insights and intelligence with the following capabilities:

    Business context: IT actively participates in the business as a value creator and innovator, proactively disrupting the business and driving the adoption of emerging tech that drives exponential value.

    Strategic foresight: IT not only embraces emerging technologies, but actively drives innovation and disruption through their adoption. IT is adept at using trends to drive exploration and can quickly execute on initiatives.

    Emerging tech expertise: There is an expert-level understanding of emerging technologies including their capabilities, limitations, risks, trends, and potential use cases. IT proactively drives the adoption of emerging technology.

    Strategic alignment: IT proactively uses the business strategy to drive adoption of emerging technology and identify new opportunities. Each initiative has clear metrics and targets which directly impact business targets.

    Additional resources for Intelligence & Insights

    Photo of Tech Trends 2023

    Tech Trends 2023

    Like a chess grandmaster, CIOs must play both sides of the board. Emerging technologies present opportunities to attack, but it's necessary to protect from a volatile board.

    Photo of innovation

    Establish a Foresight Capability

    To be recognized and validated as a forward-thinking CIO, you must establish a structured approach to innovation that considers external trends alongside internal processes.

    Photo of Build a Business-Aligned IT Strategy

    Build a Business-Aligned IT Strategy

    Elicit the business context and identify strategic initiatives that are most important to the organization while building a plan to execute on it.

    Assess your innovation readiness:

    3. Agile Ideation

    • Data-driven decision making
    • Ability to identify opportunities
    • Business engagement
    • Risk management

    IT must use data to drive the ideation process, engaging the business to identify opportunities – all while managing risk.

    "Innovation is key. Only those who have the agility to change with the market and innovate quickly will survive."- Robert Kiyosaki, Entrepreneur & Author

    Many Agile concepts are used in the process of innovation, regardless of whether the formal Agile methodology is used. Fast iterations ("fail fast"), lessons learned, and risk management are equally important for ideation as they are for execution. This category evaluates IT's ability to drive the ideation process at the enterprise level.

    Use data to drive agility

    Effectively using data has a threefold impact in the quality of decisions

    A diagram that shows data-driven journey

    Agility is critical for innovation, particularly when adopting emerging technology. AI and other emerging technologies are accelerating the pace of change and driving a necessary increase in how quickly organizations must adapt.

    Data is also critical when building a case for change. A survey of over 1,000 senior business leaders showed that organizations that effectively use data to drive decision making are three times more likely to report significant improvements in the quality of their decisions.[1]

    [1] Harvard Business School Online, 2019

    Start with the business

    The business must be involved in ideation. Develop the skills needed to engage the business and identify challenges and opportunities.

    Engage the business to deliver value

    Build your proficiency in the following ideation capabilities:

    Data-driven decision making: Data is proactively collected from multiple internal and external sources to inform innovation strategies. Continuous monitoring of innovation provides a strong rationale for outcomes and benefits. Data governance, quality, and privacy measures are in place to ensure data quality.

    Ability to identify opportunities: IT actively shapes the future of the organization and the industry by proactively identifying business opportunities for emerging technology and leading the way in their adoption. Experiments and pilots are often industry firsts.

    Business engagement: IT enables the business by engaging at all levels to identify and refine emerging technology opportunities. They effectively communicate benefits and risks in business terms, while understanding business needs and challenges. IT collaborates with the business to establish innovation centers or communities of practice.

    Risk management: There is a proactive and holistic approach to risk management, considering both opportunities and threats associated with emerging technology adoption. IT and the business continually anticipate and monitor emerging risks, evaluate the effectiveness of risk management practices, and adapt them to evolving technology landscapes.

    Additional resources for Agile Ideation

    Photo of Develop Your Agile Approach for a Successful Transformation

    Develop Your Agile Approach for a Successful Transformation

    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Photo of Build an IT Risk Management Program

    Build an IT Risk Management Program

    Risk is inevitable. Without a formal management program, you may be unaware of your greatest IT risks.

    Reacting to risks after they occur can be costly and devastating, yet this is one of the most common tactics used by IT departments.

    Photo of business innovation

    Kick-Start IT-Led Business Innovation

    Business demand for new technology is intensifying pressure to innovate and executive stakeholders expect more from IT. If IT is not considered a source of innovation, its perceived value decreases, and the threat of shadow IT grows. Don't wait to start finding and capitalizing on opportunities for IT-led innovation.

    Assess your innovation readiness:

    4. Team Capabilities

    • Resourcing & investment
    • Talent & skills
    • Change management
    • Partnerships & ecosystem

    Ensure you have the right resources and skills needed to drive innovation.

    "The best way to predict the future is to invent it." – Alan Kay, Computer Scientist

    Resourcing and skills are critical building blocks for driving innovation, and without a strong understanding of emerging technology and the processes needed to adopt it, organizations will falter at driving change.

    Develop the right resourcing, skills, change management, and partnerships to drive Exponential IT.

    Develop key skills

    Scaled Agile (SAFe): Scaled Agile is a framework for implementing Agile and lean methodologies at the enterprise level or outside of a single team.

    Development operations (DevOps): A methodology for software development which includes practices and tools that support the development lifecycle.

    Data operations (DataOps): A set of tools and processes that support data management within an organization. Typically used when training AI on a specialized data set.

    Analytics: The systematic analysis of information used to discover, interpret, and communicate insights gleaned from patterns in data. Analytics typically generate insights that support data-driven decision making.

    Machine learning operations (MLOps): Tools and processes that support the development of machine learning (ML) models, including AI and large language models (LLM). Can include expertise in computer science, natural language processing (NLP), computer vision, computational algorithms, mathematics, and ML expertise.

    Artificial intelligence operations (AIOps): Leveraging AI to develop autonomous business processes at the enterprise level.

    Mature your emerging technology capabilities

    Agile: Build the methodologies to drive execution
    DevOps: Drive the software development lifecycle
    DataOps: Effectively manage data
    Analytics: Develop insights from data
    MLOps: Develop machine learning tools
    AIOps: Build autonomous business processes

    Manage the building blocks of innovation

    Resourcing & investment: IT manages a well-defined and substantial budget dedicated to innovation, which is integrated into the overall strategic planning and decision-making processes. Investments are made in a holistic and forward-looking manner, considering the long-term implications and potential disruption caused by emerging technologies.

    Talent & skills: Teams exhibit thought leadership and innovate within emerging technologies, including advanced machine learning engineering, MLOps, DataOps, and analytics. Employees actively contribute to the advancement of these technologies, engage in research and development, and explore new applications and use cases.

    Change management: This is a core competency led by change champions and change management professionals. There is a strategic approach to driving and sustaining change, focusing on long-term adoption and continuous improvement. Change management is embedded in the organizational culture, and there is a proactive effort to foster change agility and build change capability at all levels.

    Partnerships & ecosystems: IT builds an orchestrated innovation ecosystem for the adoption of emerging technology. They take a proactive role in orchestrating collaboration among ecosystem partners. The organization acts as a catalyst for innovation, bringing together diverse partners to address complex challenges and drive transformative solutions.

    Additional resources for Team Capabilities

    Photo of Drive Technology Adoption

    Drive Technology Adoption

    The project isn't over if the new product or system isn't being used. How do you ensure that what you've put in place will not be ignored or only partially adopted? People are more complicated than any new system and managing them through change requires careful planning.

    Photo of team discussion

    Extend Agile Practices Beyond IT

    Further the benefits of Agile by extending a scaled Agile framework to the business.

    Not all lessons from scaling Agile to IT are transferable. IT Agile scaling processes are tailored to IT's scope, team, and tools, which may not account for diverse attributes within your organization.

    Photo of Managing Exponential Value Relationships

    Managing Exponential Value Relationships

    Successfully managing outcome-based relationships requires a higher degree of trust than traditional vendor relationships. Building trust comes from sharing risks and rewards between organizations and vendors.

    Assess your innovation readiness:

    5. Innovation Execution

    • Governance
    • Embedded security
    • Infrastructure
    • Ability to execute

    Can you deliver results? Develop the capability to execute on innovative ideas.

    "What good is an idea if it remains an idea? Try. Experiment. Fail. Try again. Change the world." – Simon Sinek, Author, Motivational Speaker

    The foundational elements of innovation significantly overlap with the activities you must do to excel at core IT operations. Build your ability to execute quickly on innovative ideas and build the trust of the enterprise.

    Rapidly execute on innovative ideas

    IT must be able to successfully manage the foundational capabilities of innovation

    The foundational capabilities of innovation are central to many core IT processes: governance, security, supporting infrastructure, and the ability to execute on ideas are all critical to running an effective IT shop.

    IT governance is a critical and embedded practice ensuring information and technology investments, risks, and resources are aligned in the organization's best interests while producing business value. Effective governance ensures that the right technology investments are made at the right time to support and enable your organization's mission, vision, and goals.

    A diagram that shows Info-Tech's IT Governance Framework and Security Framework

    Build foundational capabilities

    The ability to rapidly execute on ideas is fundamental not only to innovation but also running an effective IT organization.

    Develop foundational IT capabilities

    The ability to execute is based on key foundational capabilities, including:

    Governance: Adaptable and automated governance guides effective innovation and supports the adoption of emerging technology. Decision making is flexible and can move quickly to enable the implementation of new technologies. Responsibility and authority are aligned across all levels of the organization.

    Embedded security: Security and privacy controls are embedded in the applications and technologies deployed across the enterprise. Security is built into the organizational culture, with a strong focus on promoting security awareness and fostering a security-first mindset.

    Infrastructure: IT infrastructure is modern, adaptive, and future-proof. Infrastructure should support a range of emerging technology applications, including the flexibility to adapt to future use cases. There is a focus on agility, scalability, flexibility, and interoperability.

    Ability to execute: The IT team drives rapid innovation across the organization and can reliably execute and collaborate with internal and external partners. They are pivotal in driving innovation initiatives that align with the organization's strategic objectives. Agile methodologies and practices are embedded in the culture of the team.

    Additional resources for Innovation Execution

    Photo of Make Your IT Governance Adaptable

    Make Your IT Governance Adaptable

    Produce more value from IT by developing a governance framework optimized for your current needs and context, with the ability to adapt as your needs shift.

    Create the foundation and ability to delegate and empower governance to enable agile delivery.

    Photo of Build an Information Security Strategy

    Build an Information Security Strategy

    Many security leaders struggle to decide how best to prioritize their scarce information security resources.

    The need to move from a reactive security approach toward a strategic planning approach is clear. The path to getting there is less so.

    Photo of Exploit Disruptive Infrastructure Technology

    Exploit Disruptive Infrastructure Technology

    Accurate predicting isn't easy. Most IT leaders fail to realize how quickly technology increases in capability. Even for the tech savvy, it's difficult to predict which specific technologies will become disruptive.

    Activity 1: Assess your readiness for exponential innovation

    Input: Core competencies; Knowledge of internal processes and capabilities
    Output: Readiness assessment
    Materials: Exponential Innovation Assessment Tool; Whiteboard/Flip charts
    Participants: Executive leadership team, including CIO; Other internal stakeholders of vendor partnerships

    1-3 hours

    1. Gather key stakeholders from across your organization to participate in the readiness assessment exercise.
    2. As a group, review the core competencies from the following five sections and determine where your organization's effectiveness lies for each competency. Record your responses in the Exponential Innovation Assessment Tool.

    Download the Exponential Innovation Assessment Tool

    Interpret your results

    Understand your readiness and determine the next steps to operationalize exponential innovation.

    Once you have completed the readiness assessment, use Info-Tech's maturity ladder to identify next steps and recommendations.

    It is usually very challenging to lead innovation with a total score less than 50. Lower maturity organizations should focus on maturing the foundational aspects of innovation, such as those in the Innovation Execution and Team Capabilities categories, and core IT processes.

    For higher maturity organizations (those with total scores 50 or higher), first focus on getting all capabilities to a minimum of Level 3, then work on progressing maturity starting with foundational categories and working upwards:

    A diagram that shows innovation readiness

    Determine your readiness

    A diagram that shows Innovation Maturity ladder

    Activity 2: Create an action plan

    Input: Readiness assessment
    Output: Action plan to improve maturity of capabilities
    Materials: Exponential Innovation Assessment Tool; Whiteboard/Flip charts
    Participants: Executive leadership team, including CIO; Other internal stakeholders of vendor partnerships

    1 hour

    1. Gather the stakeholders who participated in the readiness assessment exercise.
    2. As a group, review the results of the readiness assessment. Were there any surprises? Do the results reflect your understanding of the organization's maturity?
    3. Determine which areas are likely to limit the organization's innovation capability, based on lowest scoring areas and relative importance to the organization.
    4. Break out into groups and have each group identify three actions the organization could take to mature the lowest scoring areas.
    5. Bring the group back together and prioritize the actions. Note who will be accountable for each next step.
    6. Identify additional Info-Tech research that can assist with improving your maturity (see additional resources in this blueprint).

    Author

    Photo of Kim Osborne Rodriguez
    Kim Osborne Rodriguez
    Research Director, CIO Advisory
    Info-Tech Research Group

    Kim is a professional engineer and Registered Communications Distribution Designer (RCDD) with over a decade of experience in management and engineering consulting spanning healthcare, higher education, and commercial sectors. She has worked on some of the largest hospital construction projects in Canada, from early visioning and IT strategy through to design, specifications, and construction administration. She brings a practical and evidence-based approach, with a track record of supporting successful projects.

    Kim holds a Bachelor's degree in Honours Mechatronics Engineering and an option in Management Sciences from University of Waterloo.

    Research Contributors and Experts

    Photo of Jack Hakimian
    Jack Hakimian
    Senior Vice President
    Info-Tech Research Group

    Jack has more than 25 years of Technology and Management Consulting experience. He has served multi-billion-dollar organizations in multiple industries including Financial Services and Telecommunications. Jack also served many large public sector institutions.

    He is a frequent speaker and panelist at technology and innovation conferences and events and holds a Master's degree in Computer Engineering and an MBA from the ESCP-EAP European School of Management.


    Photo of Mark Tauschek
    Mark Tauschek
    Vice President, Infrastructure & Operations Research
    Info-Tech Research Group

    Mark has hands-on network design and deployment experience across verticals including healthcare, education, manufacturing, retail, and entertainment. He has extensive knowledge in the areas of technology research, process development, vendor selection, and project management. He holds specific expertise in wireless networking and mobile technologies.

    Mark holds an MBA from the Richard Ivey School of Business at the University of Western Ontario and many professional wireless technology certifications.


    Photo of Michael Tweedie
    Michael Tweedie
    Practice Lead, CIO Strategy
    Info-Tech Research Group

    Mike Tweedie brings over 25 years as a technology executive. He's led several large transformation projects across core infrastructure, application and IT services as the head of Technology at ADP Canada. He was also the Head of Engineering and Service Offerings for a large French IT services firm, focused on cloud adoption and complex ERP deployment and management.

    Mike holds a Bachelor's degree in Architecture from Ryerson University.


    Photo of Donna Bales
    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Donna Bales is a Principal Research Director in the CIO Practice at Info-Tech Research Group specializing in research and advisory services in IT risk, governance, and compliance. She brings over 25 years of experience in strategic consulting and product development and has a history of success in leading complex, multi-stakeholder industry initiatives.

    Donna has a Bachelor's degree in Economics from the University of Western Ontario.


    Photo of Isabelle Hertanto
    Isabelle Hertanto
    Principal Research Director, Security & Privacy
    Info-Tech Research Group

    Isabelle Hertanto has over 15 years of experience delivering specialized IT services to the security and intelligence community. As a former federal officer for Public Safety Canada, Isabelle trained and led teams on data exploitation and digital surveillance operations in support of Canadian national security investigations. Since transitioning into the private sector, Isabelle has held senior management and consulting roles across a variety of industry sectors, including retail, construction, energy, healthcare, and the broader Canadian public sector.


    Photo of Aaron Shum
    Aaron Shum
    Vice President, Security, Privacy, Risk & Compliance
    Info-Tech Research Group

    Aaron Shum is a Vice President in the Security & Privacy Research and Advisory Practice at Info-Tech Research Group. With 25+ years of experience across IT, InfoSec, and Data Privacy, he currently specializes in helping organizations implement comprehensive information security and cybersecurity programs and comply with data privacy regulations such as the European Union's General Data Protection Regulation and the California Privacy Rights Act.


    Photo of Reiaz Somji
    Reiaz Somji
    Managing Director, Consulting
    Info-Tech Research Group

    As a client-focused strategist with strong organizational acumen, Reiaz leverages his 20+ years of management consulting experience to help C-suite executives and managers navigate the integration of changing technology with business goals. He is currently a managing director in Info-Tech's consulting division and leads its Infrastructure practice.


    Photo of Hans Eckman
    Hans Eckman
    Principal Research Director, Applications
    Info-Tech Research Group

    Hans Eckman is a business transformation leader helping organizations connect business strategy and innovation to operational excellence. He supports Info-Tech members in SDLC optimization, Agile and DevOps implementation, CoE/CoP creation, innovation program development, application delivery, and leadership development. Hans is based out of Atlanta, Georgia.


    Photo of Irina Sedenko
    Irina Sedenko
    Research Director, Data & Analytics
    Info-Tech Research Group

    Irina brings more than 20 years of information management experience and demonstrated expertise in big data, advanced analytics, machine learning, and AI. Her experience includes designing and implementing enterprise content management systems, defining data and analytics strategy to support business goals and objectives, creating data governance to enable data initiatives, and providing guidance to the client teams. She led teams through data lake implementation to enable advanced analytics capabilities and has hands-on data science and machine learning experience.

    Research Contributors

    Photo of Bill Macgowan
    Bill Macgowan
    Director, Smart Building Digitization
    Cisco


    Photo of Barry Wiech
    Barry Wiech
    Chief Digital and Information Officer
    Sime Darby Industrial


    Photo of Tim Dunn
    Tim Dunn
    Chief Information Officer
    Department of Energy & Public Works (Queensland)


    Photo of Sudip Ghosh
    Sudip Ghosh
    Group Manager, Office of the CIO
    Star Entertainment Group



    Samantha Rose
    Contract Manager
    Department of Energy & Public Works (Queensland)

    Bibliography

    Altringer, Beth. "A New Model for Innovation in Big Companies." Harvard Business Review. 19 Nov. 2013. Accessed 15 June 2023. https://hbr.org/2013/11/a-new-model-for-innovation-in-big-companies

    Bar Am, Jordan et al. "Innovation in a Crisis: Why it is More Critical Than Ever." McKinsey & Company, 17 June 2020. Accessed 15 June 2023. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/innovation-in-a-crisis-why-it-is-more-critical-than-ever

    Barsh, Joanna et al. "Leadership and Innovation." McKinsey Quarterly, 1 Jan 2008. Accessed 7 July 2023. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/leadership-and-innovation

    Borealis AI. "RBC Wins Best Use of AI for Customer Experience for NOMI Forecast." Borealis AI Blog, 28 Apr 2023. Accessed 13 June 2023. https://www.borealisai.com/news/rbc-wins-best-use-of-ai-for-customer-experience-for-nomi-forecast/

    Boston Consulting Group, "Most Innovative Companies 2022." BGC, 15 Sept. 2022. Accessed 15 June 2023. https://www.bcg.com/en-ca/publications/2022/innovation-in-climate-and-sustainability-will-lead-to-green-growth

    BrainyQuote. "Innovation Quotes." Accessed 19 June 2023. https://www.brainyquote.com/topics/innovation-quotes

    Christensen, Clayton M. The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail. Harvard Business Review Press, 2016.

    Cleroux, Pierre. The "I" Word. BDC. Accessed 1 Aug 2023. https://www.bdc.ca/en/articles-tools/blog/innovation-no-1-factor-business-success

    FutureCIO Editors. "Failed transformation can result in US$6 million in lost revenue." FutureCIO, 29 Apr 2022. Accessed 10 Jul 2023. https://futurecio.tech/failed-transformation-can-result-in-us6-million-in-lost-revenue/

    Goodreads. "W. Edwards Deming Quotes." Accessed 19 June 2023. https://www.goodreads.com/quotes/7327935-without-data-you-re-just-another-person-with-an-opinion

    Haefner, Naomi et al. "Artificial intelligence and innovation management: A review, framework, and research agenda." Technological Forecasting and Social Change, Volume 162, 2021. Accessed 15 June 2023. https://www.sciencedirect.com/science/article/pii/S004016252031218X

    IBM. "The new AI innovation equation." IBM Website. 13 Oct 2016. Accessed 15 June 2023. https://www.ibm.com/watson/advantage-reports/future-of-artificial-intelligence/ai-innovation-equation.html

    Isomaki, Atte. "60+ Innovation Quotes and What They Can Teach You." Viima, 19 Mar 2019. Accessed 6 July 2023. https://www.viima.com/blog/innovation-quotes

    Kay, Alan. "The best way to predict the future is to invent it." Quote Park, 3 June 2021. Accessed 15 June 2023. https://quotepark.com/quotes/1893243-alan-kay-the-best-way-to-predict-the-future-is-to-invent-it/

    Kirsner, Scott. "The Biggest Obstacles to Innovation in Large Companies." Harvard Business Review, 30 July 2018. Accessed 15 June 2023. https://hbr.org/2018/07/the-biggest-obstacles-to-innovation-in-large-companies

    Kiyosaki, Robert. "Innovation is key. Only those who have the agility to change with the market and innovate quickly will survive." AZ Quotes, 11 Dec. 2013. Accessed 15 June 2023.

    Leadership IQ. "The State Of Leadership Development." Leadership IQ, 2020. Accessed 6 July 2023. https://www.leadershipiq.com/blogs/leadershipiq/leadership-development-state

    Lombard, Charl. "Defining Digital: A New Approach to Digital Transformation." Info-Tech LIVE Conference, 2022. https://tymansgrpup.com/videos/defining-digital-a-new-approach-to-digital-transformation

    Murphy, Mark. "A Shocking Number Of Leaders Are Not Aligned With Their Companies' Visions." Forbes, 28 Aug 2020. Accessed 6 Jul 2023. https://www.forbes.com/sites/markmurphy/2020/08/28/a-shocking-number-of-leaders-are-not-aligned-with-their-companies-visions

    Seymour, Harriet et al. "How to unlock a scientific approach to change management with powerful data insights." IBM, 11 Jan 2023. Accessed 6 July 2023. https://www.ibm.com/blog/how-to-unlock-a-scientific-approach-to-change-management-with-powerful-data-insights/

    Sinek, Simon. "What good is an idea if it remains an idea? Try. Experiment. Fail. Try again. Change the world." Praxie, n.d. https://praxie.com/top-innovation-quotes/

    Stobierski, Tim. "The Advantages of Data-Driven Decision-Making." Harvard Business School Online, 26 Aug 2019. Accessed 6 July 2023. https://online.hbs.edu/blog/post/data-driven-decision-making

    Torres, Roberto. "How tech leaders can earn C-suite trust." CIO Dive, 1 Jul 2022. Accessed 7 Jul 2023. https://www.ciodive.com/news/C-suite-trust-CIO-executives/626476/

    Tushman, Michael et al. "Change Management Is Becoming Increasingly Data-Driven. Companies Aren't Ready." Harvard Business Review, 23 Oct 2017. Accessed 6 Jul 2023. https://hbr.org/2017/10/change-management-is-becoming-increasingly-data-driven-companies-arent-ready

    Weick, Karl and Kathleen Sutcliffe. Managing the Unexpected: Sustained Performance in a Complex World, Third Edition. John Wiley & Sons, 2015.

    Embrace Business-Managed Applications

    • Buy Link or Shortcode: {j2store}179|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $64,999 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • The traditional model of managing applications does not address the demands of today’s rapidly changing market and digitally minded business, putting stress on scarce IT resources. The business is fed up with slow IT responses and overbearing desktop and system controls.
    • The business wants more control over the tools they use. Software as a service (SaaS), business process management (BPM), robotic process automation (RPA), artificial intelligence (AI), and low-code development platforms are all on their radar.
    • However, your current governance and management structures do not accommodate the risks and shifts in responsibilities to business-managed applications.

    Our Advice

    Critical Insight

    • IT is a business partner, not just an operator. Effective business operations hinge on high-quality, valuable, fit-for-purpose applications. IT provides the critical insights, guidance, and assistance to ensure applications are implemented and leveraged in a way that maximizes return on investment, whether it is being managed by end users or lines of business (LOBs). This can only happen if the organization views IT as a critical asset, not just a supporting player.
    • All applications should be business owned. You have applications because LOBs need them to meet the objectives and key performance indicators defined in the business strategy. Without LOBs, there would be no need for business applications. LOBs define what the application should be and do for it to be successful, so LOBs should own them.
    • Everything boils down to trust. The business is empowered to make their own decisions on how they want to implement and use their applications and, thus, be accountable for the resulting outcomes. Guardrails, role-based access, application monitoring, and other controls can help curb some risk factors, but it should not come at the expense of business innovation and time-sensitive opportunities. IT must trust the business will make rational application decisions, and the business must trust IT to support them in good times and bad.

    Impact and Result

    • Focus on the business units that matter. BMA can provide significant value to LOBs if teams and stakeholders are encouraged and motivated to adopt organizational and operational changes.
    • Reimagine the role of IT. IT is no longer the gatekeeper that blocks application adoption. Rather, IT enables the business to adopt the tools they need to be productive and they guide the business on successful BMA practices.
    • Instill business accountability. With great power comes great responsibility. If the business wants more control of their applications, they must be willing to take ownership of the outcomes of their decisions.

    Embrace Business-Managed Applications Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should embrace business-managed applications, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Embrace Business-Managed Applications – Phases 1-3
    • Business-Managed Applications Communication Template

    1. State your objectives

    Level-set the expectations for your business-managed applications.

    • Embrace Business- Managed Applications – Phase 1: State Your Objectives

    2. Design your framework and governance

    Identify and define your application managers and owners and build a fit-for-purpose governance model.

    • Embrace Business-Managed Applications – Phase 2: Design Your Framework & Governance

    3. Build your roadmap

    Build a roadmap that illustrates the key initiatives to implement your BMA and governance models.

    • Embrace Business-Managed Applications – Phase 3: Build Your Roadmap

    [infographic]

    Workshop: Embrace Business-Managed Applications

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 State Your Objectives

    The Purpose

    Define business-managed applications in your context.

    Identify your business-managed application objectives.

    State the value opportunities with business-managed applications.

    Key Benefits Achieved

    A consensus definition and list of business-managed applications goals

    Understanding of the business value business-managed applications can deliver

    Activities

    1.1 Define business-managed applications.

    1.2 List your objectives and metrics.

    1.3 State the value opportunities.

    Outputs

    Grounded definition of a business-managed application

    Goals and objectives of your business-managed applications

    Business value opportunity with business-managed applications

    2 Design Your Framework & Governance

    The Purpose

    Develop your application management framework.

    Tailor your application delivery and ownership structure to fit business-managed applications.

    Discuss the value of an applications committee.

    Discuss technologies to enable business-managed applications.

    Key Benefits Achieved

    Fit-for-purpose and repeatable application management selection framework

    Enhanced application governance model

    Applications committee design that meets your organization’s needs

    Shortlist of solutions to enable business-managed applications

    Activities

    2.1 Develop your management framework.

    2.2 Tune your delivery and ownership accountabilities.

    2.3 Design your applications committee.

    2.4 Uncover your solution needs.

    Outputs

    Tailored application management selection framework

    Roles definitions of application owners and managers

    Applications committee design

    List of business-managed application solution features and services

    3 Build Your Roadmap

    The Purpose

    Build your roadmap to implement busines-managed applications and build the foundations of your optimized governance model.

    Key Benefits Achieved

    Implementation initiatives

    Adoption roadmap

    Activities

    3.1 Build your roadmap.

    Outputs

    Business-managed application adoption roadmap

     

    Select a Marketing Management Suite

    • Buy Link or Shortcode: {j2store}533|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $6,560 Average $ Saved
    • member rating average days saved: 50 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Time, money, and effort are wasted on channels and campaigns that are not resonating with your customer base.
    • Email marketing, social marketing, and/or lead management alone are often not enough to meet more sophisticated marketing needs.
    • Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.
    • For IT managers or marketing professionals, the task to incorporate MMS technology into the organization requires not only receiving the buy-in for the MMS investment but also determining the vendor and solution that best fit the organization’s particular marketing management needs.

    Our Advice

    Critical Insight

    • An MMS enables complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.
    • Selecting an MMS has become increasingly difficult because the number of players in the marketplace has ballooned. Moreover, picking the wrong marketing solution has a direct impact on revenue.
    • Determine whether the investment in an MMS is worthwhile or the funds are better allocated elsewhere. For organizations with a large audience or varied product offerings, an MMS enables complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

    Impact and Result

    • Maximize your success and credibility with a proposal that emphasizes the areas relevant to your situation.
    • Perform more effective customer targeting and campaign management. Having an MMS equips marketers with the tools they need to make informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention. This means more revenue.
    • Maximize marketing impact with analytics-based decision making. Understanding users’/customers’ behaviors and preferences will allow you to run effective marketing initiatives.

    Select a Marketing Management Suite Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to approach selecting an MMS, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the MMS project and collect requirements

    Assess the organization’s fit for MMS technology and structure the MMS selection project.

    • Select a Marketing Management Suite – Phase 1: Launch the MMS Project and Collect Requirements
    • MMS Readiness Assessment Checklist

    2. Shortlist marketing management suites

    Produce a vendor shortlist for your MMS.

    • Select a Marketing Management Suite – Phase 2: Shortlist Marketing Management Suites

    3. Select vendor and communicate decision to stakeholders

    Evaluate RFPs, conduct vendor demonstrations, and select an MMS.

    • Select a Marketing Management Suite – Phase 3: Select Vendor and Communicate Decision to Stakeholders
    • MMS Requirements Picklist Tool
    • MMS Request for Proposal Template
    • MMS Vendor Demo Script
    • MMS Selection Executive Presentation Template
    [infographic]

    Workshop: Select a Marketing Management Suite

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the MMS Project and Collect Requirements

    The Purpose

    Determine a “right-size” approach to marketing enablement applications.

    Key Benefits Achieved

    Confirmation of the goals, objectives, and direction of the organization is marketing application strategy.

    Activities

    1.1 Assess the value and identify the organization’s fit for MMS technology.

    1.2 Understand the art of the possible.

    1.3 Understand CXM strategy and identify your fit for MMS technology.

    1.4 Build procurement team and project customer experience management (CXM) strategy.

    1.5 Identify your MMS requirements.

    Outputs

    Project team list.

    Preliminary requirements list.

    2 Shortlist Marketing Management Suites

    The Purpose

    Enumerate relevant marketing management suites and point solutions.

    Key Benefits Achieved

    List of marketing enablement applications based on requirements articulated in the preliminary requirements list strategy.

    Activities

    2.1 Identify relevant use cases.

    2.2 Discuss the vendor landscape.

    Outputs

    Vendor shortlist.

    3 Select Vendor and Communicate Decision to Stakeholders

    The Purpose

    Develop a rationale for selecting a specific MMS vendor.

    Key Benefits Achieved

    MMS Vendor decision.

    A template to communicate the decision to executives.

    Activities

    3.1 Create a procurement strategy.

    3.2 Discuss the executive presentation.

    3.3 Plan the procurement process.

    Outputs

    Executive/stakeholder PowerPoint presentation.

    Selection of an MMS.

    Further reading

    Select a Marketing Management Suite

    A best-fit solution balances needs, cost, and capability.

    Table of contents

    1. Project Rationale
    2. Execute the Project/DIY Guide
    3. Appendices

    ANALYST PERSPECTIVE

    Navigate the complexity of a vast ecosystem by taking a structured approach to marketing management suite (MMS) selection.

    Marketing applications are in high demand, but it is difficult to select a suite that is right for your organization. Market offerings have grown from 50 vendors to over 800 in the past five years. Much of the process of identifying an appropriate vendor is not about the vendor at all, but rather about having a comprehensive understanding of internal needs. There are instances where a smaller-point solution is necessary to satisfy requirements and a full marketing management suite is an overinvestment.

    Likewise, a partner with differentiating features such as AI-driven workflows and a mobile software development kit can act as a powerful extension of an overall customer experience management strategy. It is crucial to make the right decision; missing the mark on an MMS selection will have a direct impact on the business’ bottom line.

    Ben Dickie
    Research Director, Enterprise Applications
    Info-Tech Research Group

    Phase milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Stop! Are you ready for this project?

    This Research Is Designed For:
    • IT applications directors and business analysts supporting their marketing teams in selecting and implementing a robust marketing solution.
    • Any organization looking to procure an MMS tool that will allow it to automate its marketing processes or learn more about the MMS vendor landscape.
    This Research Will Help You:
    • Understand today’s MMS market, specific to marketing automation, marketing intelligence, and social marketing use-case scenarios.
    • Understand MMS functionality as well as marketing terminology.
    • Follow best practices to prepare for and execute on selection, including requirements gathering and vendor evaluation.
    This Research Will Also Assist:
    • Marketing managers, brand managers, and any marketing professional looking to build a cohesive marketing platform.
    • MMS project teams or working groups tasked with managing an RFP process for vendor selection.
    This Research Will Help Them
    • Assess organizational and project readiness for embarking on MMS selection.
    • Draft an RFP, manage the vendor and product review process, and select a vendor.

    Executive summary

    Situation

    The MMS market is a landscape of vendors offering campaign management, multichannel support, analytics, and publishing tools. Many vendors specialize in some of these areas but not all. Sometimes multiple products are necessary – but determining which feature sets the organization truly needs can be a challenging task. The right technology stack is critical in order to bring automation to marketing initiatives.

    Complication

    • The first challenge is deciding whether to implement a full marketing suite or a point solution.
    • The number of marketing suites and point solutions has increased from 50 to more than 800 just in the past five years.
    • IT is receiving a growing number of marketing analytics requests and must be prepared to speak intelligently about marketing management vendor selection.

    Resolution

    • Leverage Info-Tech’s comprehensive three-phase approach to MMS selection projects: assess your organization’s preparedness to go into the selection stage, move through technology selection, and present decisions to stakeholders.
    • Conduct an MMS project preparedness assessment to ensure you maximize the value of your time, effort, and spend.
    • Determine whether your organization’s needs will best be met by a marketing management suite or a point solution.
    • Determine which use case your organization fits into and review the relevant vendor landscape, common capability, and areas of product differentiation. Consult Info-Tech’s market analysis to shortlist vendors for your RFP process.
    • Take advantage of traceable and auditable selection tools to run an effective evaluation and selection process. Be prepared to answer the retroactive question “Why this MMS?” with documentation of your selection process and outputs.

    Info-Tech Insight

    1. The new MMS market. Selecting a marketing management solution has become increasingly difficult, with the number of players in the marketplace ballooning to meet buyer demand.
    2. Direct translation to revenue. Picking the wrong marketing solution has a direct impact on the bottom line. However, the right MMS can lead to a 7.3x greater year-over-year increase in annual revenue.
    3. Don’t buy best-of-breed; buy best-for-you. Base your vendor selection on your requirements and use case, not on the vendor’s overall performance.

    MMS is a key piece of the CRM puzzle

    In order to optimize cross-sell opportunities and marketing effectiveness, there needs to be a master customer database, which belongs in the customer relationship management (CRM) suite.

    When it comes to marketing automation capabilities, using CRM is like building a car from a kit. All the parts are there, but you need the time and skill to put it all together. Using marketing automation is like buying the car you want or need, with all the features you want already installed and some gas in the tank, ready to drive. In either case, you still need to know how to drive and where you want to go.” (Mac McIntosh, Marketo Inc.) 'CRM' surrounded by its components with 'MMS' highlighted. A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

    Understand what an MMS can do for you

    Take time to learn the capabilities of modern marketing applications. Understanding the “art of the possible” will help you to get the most out of your MMS.

    MMS helps marketers in two primary ways:
    1. It allows them to efficiently execute and manage campaigns across dozens of channels and products.
    2. It allows them to analyze the outcomes of campaigns.
    Marketing suites accomplish these tasks by:
    • Leveraging workflow automation to reduce the amount of time spent creating marketing campaigns
    • Using internal or third-party data to increase conversion effectiveness from customer databases across the organization
    A strong MMS provides marketers with the data they need for actionable insights about their customers.
    A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.)

    Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

    Logos of multiple vendors including 'Hubspot', 'IBM', 'Salesforce marketing cloud', etc.

    Use Info-Tech’s MMS implementation methodology as a starting point for your organization’s MMS selection

    Info-Tech’s implementation methodology is not a step-by-step approach to vendor selection, but rather it highlights the pertinent considerations for MMS selection at each of the five steps outlined below.

    1

    2

    3

    4

    5

    Establish Resources Gather Requirements Write and Assemble RFP Exercise Due Diligence Evaluate Candidate Solutions
    • Determine work initiative dependencies and project milestones.
    • Establish the project timeline.
    • Designate project resources.
    • Prioritize rollout of functionality.
    • Link business goals with the MMS selection project.
    • Determine user roles and profiles.
    • Conduct stakeholder interviews.
    • Build communication and change management plan.
    • Draft an RFP.
    • Make a plan for soliciting feedback and publishing the RFP.
    • Customize a vendor demo script and scorecard.
    • Conduct vendor demos.
    • Speak with vendor references.
    • Evaluate nonfunctional requirements.
    • Understand upgrade schedules.
    • Define a vendor evaluation framework.
    • Prepare the final evaluation.
    • Prepare a presentation for management.

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Professional services provider engages Info-Tech to guide it through its MMS selection journey

    CASE STUDY

    Industry: Professional Services | Source: Info-Tech Consulting

    Challenge

    A large professional services firm specializing in knowledge development was looking to modernize an outdated marketing services stack.

    Previous investments in marketing tools ranging from email automation to marketing analytics led to system fragmentation. As a result, there was no 360-degree overview of marketing operations and no way to run campaigns at scale.

    To satisfy the organization’s aspirations, a comprehensive marketing management suite had to be selected that met needs for the foreseeable future.

    Solution

    The Info-Tech consulting team was brought in to assist in the MMS selection process.

    After meeting with several stakeholders, MMS requirements were developed and weighted. An RFP was then created from these requirements.

    Following a market scan, four vendors were selected to complete the organization’s RFP. Demonstration scripts were then developed as the RFPs were completed by vendors.

    Shortlisted vendors progressed to the demonstration phase.

    Results

    Vendor scorecards were utilized during the two-day demonstrations with the core project team to score each vendor.

    During the scoring process the team also identified the need to replace the organization’s core customer repository (a legacy CRM).

    The decision was made to select a CRM before finalizing the MMS selection. Doing so ensured uniform system architecture and strong interoperability between the firm’s MMS and its CRM.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Select a Marketing Management Suite – project overview

    1. Launch the MMS Project and Collect Requirements 2. Shortlist Marketing Management Suites 3. Select Vendor and Communicate Decision to Stakeholders
    Supporting Tool icon

    Best-Practice Toolkit

    1.1 Assess the value and identify your organization’s fit for MMS technology.

    1.2 Build your procurement team and project customer experience management (CXM) strategy.

    1.3 Identify your MMS requirements.

    2.1 Produce your shortlist

    3.1 Select your MMS

    3.2 Present selection

    Guided Implementations

    • Understand CXM strategy and identify your fit for MMS technology.
    • Identify staffing needs.
    • Plan requirements gathering steps.
    • Discuss use-case fit assessment results.
    • Discuss vendor landscape.
    • Create a procurement strategy.
    • Discuss executive presentation.
    • Conduct a proposal review.
    Associated Activity icon

    Onsite Workshop

    Module 1:
    Launch Your MMS Selection Project
    Module 2:
    Analyze MMS Requirements and Shortlist Vendors
    Module 3:
    Plan Your Procurement Process
    Phase 1 Outcome:
    • Launch of MMS selection project
    Phase 2 Outcome:
    • Shortlist of vendors
    Phase 3 Outcome:
    • Selection of MMS

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members who will come onsite to facilitate a workshop for your organization.

    A small monochrome icon depicting a descending bar graph.

    This icon denotes a slide that pertains directly to the Info-Tech vendor profiles on marketing management technology. Use these slides to support and guide your evaluation of the MMS vendors included in the research.

    Select a Marketing Management Suite

    PHASE 1

    Launch the MMS Project and Collect Requirements

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch Your MMS Project and Collect Requirements

    Proposed Time to Completion: 3 weeks
    Step 1.2: Structure the Project Step 1.3: Gather Requirements
    Start with an analyst kick-off call:
    • Review readiness requirements for an MMS project.
    • Understand the work initiatives involved in MMS selection.
    Review findings with analyst:
    • Determine use case based on your organizational alignment.
    • Discuss core MMS requirements.
    Then complete these activities…
    • Conduct an organizational MMS readiness assessment.
    Then complete these activities…
    • Identify best-fit use case.
    • Elicit, capture, and prioritize requirements.
    With these tools & templates:
    • MMS Readiness Assessment Checklist
    With these tools & templates:
    • MMS Requirements Picklist Tool
    Phase 1 Results:
    • Completed readiness assessment.
    • Refined project plan to incorporate selection and implementation.

    Phase 1 milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Step 1.1: Understand the MMS market

    1.1

    1.2

    1.3

    Understand the MMS Market Structure the Project Gather MMS Requirements

    This step will walk you through the following activities:

    • MMS market overview

    This step involves the following participants:

    • Project team
    • Project manager
    • Project sponsor

    Outcomes of this step

    • An understanding of the evolution of the MMS market space and how it helps today’s organizations.
    • An evaluation of new and upcoming trends sought by MMS clients.
    • Verification of whether an MMS is a fit with your organization.

    Speak the same language as the marketing department to deliver the most business value

    Marketing Management Suite Glossary

    Analytics The practice of measuring marketing performance to improve return on investment (ROI). It is often carried out through the visualization of meaningful patterns in data as a result of marketing initiatives.
    Channels The different places where marketers can reach customers (e.g. social media, print mail, television).
    Click-through rate The percentage of individuals who proceed (click-through) from one part of a marketing campaign to the next.
    Content management Curating, creating, editing, and keeping track of content and client-facing assets.
    Customer relationship management (CRM) A core enterprise application that provides a broad feature set for supporting customer interaction processes. The CRM frequently serves as a core customer data repository.
    Customer experience management (CXM) The holistic management of customer interaction processes across marketing, sales, and customer service to create valuable, mutually beneficial customer experiences.
    Engagement rate A social media metric used to describe the amount of likes, comments, shares, etc., that a piece of content receives.
    Lead An individual or organization who has shown interest in the product or service being marketed.
    Omnichannel The portfolio of interaction channels you use.

    MMS is a key piece of the customer experience ecosystem

    Within the broader CXM ecosystem, an MMS typically lives within the CRM platform. Interfacing with the CRM’s master customer database allows an MMS to optimize cross-sell opportunities and marketing effectiveness.

    A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

    If you have customer records in multiple places, you risk missing customer opportunities and potentially upsetting clients. For example, if a client has communicated preferences or disinterest through one channel, and this is not effectively recorded throughout the organization, another representative is likely to contact them in the same method again – possibly alienating the customer for good.

    A master database requires automatic synchronization with all point solutions, POS, billing systems, agencies, etc. If you don’t have up-to-the-minute information, you can’t score prospects effectively and you lose out on the benefits of the MMS.

    'CRM' surrounded by its components with 'MMS' highlighted.
    Focus on the fundamentals before proceeding. Secure organizational readiness to reduce project risk using Info-Tech’s Build a Strong Technology Foundation for CXM and Select and Implement a CRM Platform blueprints.

    Understanding the “art of the possible”

    The world of marketing technology changes rapidly! Understand how modern marketing management suites are used in most organizations.

    An MMS helps marketers in two primary ways:

    1. It allows them to efficiently execute and manage campaigns across dozens of channels and products.
    2. It allows them to analyze the outcomes of campaigns.

    Marketing suites accomplish these tasks by:

    • Leveraging workflow automation to reduce the amount of time spent creating marketing campaigns.
    • Using internal or third-party data to increase conversion effectiveness from customer databases across the organization.

    A strong MMS provides marketers with the data they need for actionable insights about their customers.

    A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.)

    Inform your way of thinking by understanding the capabilities of modern marketing applications.

    A tree with icons related to knowledge.

    Expect the marketing department to drive suite adoption, but don’t count out the benefits MMS will also provide to IT

    MMS adoption is driven by the need for better campaign execution and marketing intelligence. MMS technologies are adopted to create faster, easier, more intelligent, and more measurable campaigns and make managing complex channels easy and repeatable.

    Top Drivers for Adopting Marketing Management Technologies

    Bar chart of top drivers for adopting marketing management technology. The first four bars are highlighted and the largest, they are labelled 'Campaign Measurement & Effectiveness', 'Execute Multi-channel Campaigns', 'Shorten Marketing Campaign Cycle', and 'Reduce Manual Campaign Creation'.
    (Source: Info-Tech Research Group; N=23)

    The key drivers for MMS are business-related, not IT-related. However, this does not mean that there are no benefits to IT. In fact, the IT department will see numerous benefits, including time and resource savings. Further, not having an MMS creates more work for your IT department. IT must serve as a valued partner for selection and implementation.

    Additional benefits to IT driven by MMS

    Marketing management suites are ideal for large organizations with multiple product lines in complex marketing environments. IT is often more centralized than its counterparts in the business, making it uniquely positioned to encourage greater coordination by helping the business units understand the shared goals and the benefits of working together to roll out suites for marketing workflow management, intelligence, and channel management.

    Cross-Segmentation Additional Revenue Generation Real-Time Capabilities Lead Growth/ Conversion Rate
    Business Value
    • Share resources between brands and product lines.
    • Increase database size with populated client data.
    • Track customer lifetime value.
    • Increase average deal size.
    • Decrease time to execute campaigns.
    • Decrease lead acquisition costs while collecting higher quality leads.
    • Improve retention rates.
    • Reduce cost to serve.
    • Increase customer retention due to effective service.
    • Higher campaign and response rates.
    • Track, measure, and prove the value of marketing activities.
    • Broaden reach through social channels.
    IT Value
    • Reduce reliance on IT for routine tasks such as list creation and data cleansing.
    • Free up IT resources for the sectors of the business where the ROI is greatest.
    • Reduce need for IT to cleanse, modify, or merge data lists because most suites include CRM connectors.
    • Reduce need for constant customization on status reports on lead value and campaign success.

    Info-Tech Insight

    Don’t forget that MMS technologies deliver on the overarching suite value proposition: a robust solution within one integrated offering. Without an MMS in play, organizations in need of this functionality are forced to piece together point solutions (or ad hoc management). This not only increases costs but also is an integration nightmare for IT.

    Step 1.2: Structure the project

    1.1

    1.2

    1.3

    Understand the MMS MarketStructure the ProjectGather MMS Requirements

    This step will walk you through the following activities:

    • Determine if you are ready to kick off the MMS selection project.
    • Align project goals with CXM strategy and business goals.

    This step involves the following participants:

    • Core project team
    • Project manager
    • Project sponsor

    Outcomes of this step

    • Assurance that you have completed adequate preparation, obtained stakeholder and sponsor buy-in, secured sufficient resources, and completed strategy and planning activities to move forward with selection.
    • An approach to remedy organizational readiness to prepare for MMS selection.
    • An understanding of stakeholder goals.

    Identify the scope and purpose of your MMS selection process

    Vendor Profiles icon

    Sample Project Overview

    [Organization] plans to select and implement a marketing management suite in order to introduce better campaign management to the business’ processes. This procurement and implementation of an MMS tool will enable the business to improve the efficiency and effectiveness of marketing campaign execution.

    This project will oversee the assessment and shortlisting of MMS vendors, selection of an MMS tool, the configuration of the solution, and the implementation of the technology into the business environment.

    Rationale Behind the Project

    Consider the business drivers behind the interest in MMS technology.

    Be specific to business units impacted and identify key considerations (both opportunities and risks).

    Business Drivers

    • Organizational productivity
    • Customer satisfaction
    • Marketing management costs
    • Risk management

    Info-Tech Insights

    Creating repeatable and streamlined marketing processes is a common overarching business objective that is driven by multiple factors. To ensure this objective is achieved, confirm that the primary drivers are following the implementation of the first automated marketing channels.

    Activity: Understand your business’ goals for MMS by parsing your formal CXM strategy

    Associated Activity icon 1.2.1 1 hour

    INPUT: Stakeholder user stories

    OUTPUT: Understanding of ideal outcomes from MMS implementation

    MATERIALS: Whiteboard and marker or sticky notes

    PARTICIPANTS: Project sponsor, Project stakeholders, Business analysts, Business unit reps

    Instructions

    1. Outline the purpose of the future MMS tool and the drivers behind this business decision with the project’s key stakeholders.
    2. Document plans to ensure that these drivers are taken into consideration and realized following implementation. Example:
      Improve Reduce/Eliminate KPIs
      Multichannel marketing Duplication of effort Number of customer interaction channels supported
      Social integration Process inefficiencies Number of social signals received (likes, shares, etc.)

    If you do not have a well-defined CXM strategy, leverage Info-Tech’s research to Build a Strong Technology Foundation for Customer Experience Management.

    Understanding marketing suites

    Vendor Profiles icon

    This blueprint focuses on complete, integrated marketing management suites

    An integrated suite is a single product that is designed to assist with multiple marketing processes. Information from these suites is deeply connected to the core CRM. Changing a piece of information for one process will update all affected.

    'MMS' surrounded by its integrated processes, including 'Marketing Operations Management', 'Breadth of Channel Support', 'Marketing Asset Management', etc.

    Understanding marketing point solutions

    Vendor Profiles icon

    A point solution typically interfaces with a single customer interaction channel with minimal CRM integration.

    Why use a marketing point solution?

    1. A marketing point solution is a standalone application used to manage a unique process.
    2. Point solutions can be implemented and updated relatively quickly.
    3. They cost less than full-feature, integrated marketing suites.
    4. Some point solutions integrate with CRM platforms or MMS platforms.

    Refer to Phase 2 for a bird’s-eye view of the point solution marketplace.

    Marketing Point Solutions

    • Twitter Analytics
    • Search Engine Optimization
    • Customer Portals
    • Livechat
    • Marketing Attribution
    • Demand Side Platform

    Determine if MMS is right for your organization

    Vendor Profiles icon

    Adopt an MMS if:

    1. Your organization is actively pursuing a multichannel marketing strategy, particularly if its marketing campaigns are complex and multifaceted, involving consumer-specific conditional messaging.
    2. Your enterprise serves a high volume of customers and marketing needs extend to formally managing budgets and resources, lead generation and segmentation, and measuring channel effectiveness.
    3. Your organizations has multiple product lines and is interested in increasing cross-sale opportunities.

    Bypass an MMS if:

    • Your organization does not participate in multichannel campaigns and is primarily using email or web channels to generate leads. You may find the advanced features and capabilities of an MMS to be overkill and should consider lead marketing automation (LMA) or email marketing services first.
    • You are a small to midsize business (SMB) with a limited budget or fewer than five marketing professionals. Don’t buy what you don’t need; organizations with fewer than five people in the marketing department are unlikely to need an MMS.
    • Sales generation is not a priority for the business or a primary goal for the marketing department.

    Info-Tech Insight

    Using an MMS is ideal for organizations with multiple brands and product portfolios (e.g. consumer packaged goods). Ad hoc management and email marketing services are best for small organizations with a client base that requires only bare bones engagement.

    Determine if you are ready to kick off your MMS selection and implementation project

    Supporting Tool icon 1.2.2 MMS Readiness Assessment Checklist
    Use Info-Tech’s MMS Readiness Assessment Checklist to determine if your organization has sufficient process and campaign maturity to warrant the investment in a consolidated marketing management suite.

    Sections of the Tool:

    1. Goals & Objectives
    2. Project Team
    3. Current State Understanding
    4. Future State Vision
    5. Business Process Improvement
    6. Project Metrics
    7. Executive Sponsorship
    8. Stakeholder Buy-In & Change Management
    9. Risk Management
    10. Cost & Budget

    INFO-TECH DELIVERABLE

    Sample of Info-Tech's MMS Readiness Assessment Checklist.

    Complete the MMS Readiness Assessment Checklist by following the instructions in Activity 1.2.3.

    Activity: Determine if you are ready to kick off your MMS selection project

    Associated Activity icon 1.2.3 30 minutes

    INPUT: MMS foundation, MMS strategy

    OUTPUT: Readiness remediation approach, Validation of MMS project readiness

    MATERIALS: Info-Tech’s MMS Readiness Assessment Checklist

    PARTICIPANTS: Project sponsor, Core project team

    Instructions

    1. Download the MMS Readiness Assessment Checklist.
    2. Review Section 1 of the checklist with the core project team and/or project sponsor, item by item. For completed items, tick the relative checkbox.
    3. Once the whole checklist has been reviewed, document all incomplete items in the table under Section 1 in the first table column (“Incomplete Readiness Item”).
    4. For each incomplete item, use your discretion to determine whether its completion is critical in preparation for MMS selection and implementation. This may vary given the complexity of your MMS project. If the item is critical to the project, indicate this with “Y” in the second column (“Criticality (Y/N)”).
    5. For each critical item, reflect on the barriers that have prevented or are preventing its completion. Possible barriers include incomplete task dependencies, low value-to-effort determination, lack of organizational knowledge or resources, pressure of deadlines, etc. Document these barriers in the third column (“Barriers to Completion”).
    6. Based on the barriers determined in Step 5, determine a remediation approach for each item. Document the approach in the fourth column (“Remediation Approach”).
    7. For each remediation activity, designate a due date and remediation owner. Document this in the fifth column (“Due Date & Owner”).
    8. Carry out the remediation of critical tasks and return to this blueprint to kickstart your selection and implementation project.

    Step 1.3: Gather MMS requirements

    1.1

    1.2

    1.3

    Understand the MMS MarketStructure the ProjectGather MMS Requirements

    This step will walk you through the following activities:

    • Understand your MMS use case.
    • Elicit and capture your MMS requirements.
    • Prioritize your solution requirements.

    This step involves the following participants:

    • Core project team
    • Project manager
    • Business analysts
    • Procurement subject-matter experts (SMEs)

    Outcomes of this step

    • Project alignment with MMS market use case.
    • Inventory of categorized and prioritized MMS business requirements.

    Understand the dominant use-case scenarios for MMS across organizations

    Vendor Profiles icon

    USE CASES

    While an organization may be product- or service-centric, most fall into one of the three use cases described on this slide.

    1) Marketing Automation

    Workflow Management

    Managing complex marketing campaigns and building and tracking marketing workflows are the mainstay responsibilities of brand managers and other senior marketing professionals. In this category, we evaluated vendors that provide marketers with comprehensive tools for marketing campaign automation, workflow building and tracking, lead management, and marketing resource planning for campaigns that need to reach a large segment of customers.

    Omnichannel Management

    The proliferation of marketing channels has created significant challenges for many organizations. In this use case, we executed a special evaluation of vendors that are well suited for the intricacies of juggling multiple channels, particularly mobile, social, and email marketing.

    2) Marketing Intelligence

    Sifting through data from a myriad of sources and coming up with actionable intelligence and insights remains a critical activity for marketing departments, particularly for market researchers. In this category, we evaluated solutions that aggregate, analyze, and visualize complex marketing data from multiple sources to allow decision makers to execute informed decisions.

    3) Social Marketing

    The proliferation of social networks, customer data, and use cases has made ad hoc social media management challenging. In this category we evaluated vendors that bring uniformity to an organization’s social media capabilities and contribute to a 360-degree customer view.

    Activity: Understand which type of MMS you need

    Associated Activity icon 1.3.1 30 minutes

    INPUT: Use-case breakdown

    OUTPUT: Project use-case alignments

    Materials: Whiteboard, markers

    Participants: Project manager, Core project team (optional)

    Instructions

    1. Familiarize your team with Info-Tech’s MMS use-case breakdown from the previous slide.
    2. Determine which use case is best aligned with your organization’s MMS project objectives. If you need assistance with this, consider the relevance of the cases studies and statements on the following slides.
    3. If your team agrees with most or all statements under a given use case, this indicates strong alignment towards that use case. It is possible for an organization to align with more than one use case. Your use-case alignment will guide you in creating a vendor shortlist later in this project.

    Use Info-Tech’s vendor research and use-case scenarios to support your organization’s vendor analysis

    The use-case view of vendor and product performance provides multiple opportunities for vendors to fit into your application architecture depending on their product and market performance. The use cases selected are based on market research and client demand.

    Determining your use case is crucial for:

    1. Selecting an application that is the right fit
    2. Establishing a business case for MMS

    The following slides illustrate how the three most common use cases (marketing automation, marketing intelligence, and social marketing) align with business needs. As shown by the case studies, the right MMS can result in great benefits to your organization.

    Use-case alignment and business need

    Vendor Profiles icon

    Marketing Automation

    Marketing Need Manage customer experience across multiple channels Manage multiple campaigns simultaneously Integrate web-enabled devices (IoT) into marketing campaigns Run and track email marketing campaigns
    A line of arrows pointing down.
    Corresponding Feature End-to-end management of email marketing Visual workflow editor Customer journey mapping Business rules engine A/B tracking

    The Portland Trail Blazers utilize an MMS to amplify their message with marketing automation technology

    CASE STUDY

    Industry: Entertainment | Source: Marketo

    Challenge

    The Portland Trail Blazers, an NBA franchise, were looking to expand their appeal beyond the city of Portland and into the greater Pacific Northwest Region.

    The team’s management group also wanted to showcase the full range of events that were hosted in the team’s multipurpose stadium.

    The Trail Blazers were looking to engage fans in a more targeted fashion than their CRM allowed for. Ultimately, they hoped to move from “batch and blast” email campaigns to an automated and targeted approach.

    Solution

    The Trail Blazers implemented an MMS that allowed it to rapidly build different types of campaigns. These campaigns could be executed across a variety of channels and target multiple demographics at various points in the fan journey.

    Contextual ads were implemented using the marketing suite’s automated customer journey mapping feature. Targeted ads were served based on a fan’s location in the journey and interactions with the Trail Blazers’ online collateral.

    Results

    The automated campaigns led to a 75% email open rate, which contributed to a 96% renewal rate for season ticket holders – a franchise record.

    Other benefits resulting from the improved conversion rate included an increased cohesion between the Trail Blazers’ marketing, analytics, and ticket sales operations.

    Use-case alignment and business need

    Vendor Profiles icon

    Marketing Intelligence

    Marketing Need Capture marketing- and customer-related data from multiple sources Analyze large quantities of marketing data Visualize marketing-related data in a manner that is easy for decision makers to consume Perform trend and predictive analysis
    A line of arrows pointing down.
    Corresponding Feature Integrate data across customer segments Analysis through machine learning Assign attributers to unstructured data Displays featuring data from external sources Create complex customer data visualizations

    Chico’s FAS uses marketing intelligence to drive customer loyalty

    CASE STUDY

    Industry: Retail | Source: SAS

    Challenge

    Women’s apparel retailer Chico’s FAS was looking to capitalize on customer data from in-store and online experiences.

    Chico’s hoped to consolidate customer data from multiple online and brick-and-mortar retail channels to get a complete view of the customer.

    Doing so would satisfy Chico’s need to create more highly segmented, cost-effective marketing campaigns

    Solution

    Chico’s selected an MMS with strong marketing intelligence, analysis, and data visualization capability.

    The MMS could consolidate and analyze customer and transactional information. The suite’s functionality enabled Chico’s marketing team to work directly with the data, without help from statisticians or IT staff.

    Results

    The approach to marketing indigence led to customers getting deals on products that were actually relevant to them, increasing sales and brand loyalty.

    Moreover, the time it took to perform data consolidation decreased dramatically, from 17 hours to two hours, allowing the process to be performed daily instead of weekly.

    Use-case alignment and business need

    Vendor Profiles icon

    Social Marketing

    Marketing Need Understand customers' likes and dislikes Manage and analyze social media channels like Facebook and Twitter Foster a conversation around specific products Engage international audiences through regional messaging apps
    A line of arrows pointing down.
    Corresponding Feature Social listening capabilities Tools for curating customer community content Ability to aggregate social data Integration with popular social networks Ability to conduct trend reporting

    Bayer leverages MMS technology to cultivate a social presence

    CASE STUDY

    Industry: Life Sciences | Source: Adobe

    Challenge

    Bayer, a Fortune 500 health and life sciences company, was looking for a new way to communicate its complex medical breakthroughs to the general public.

    The decision was made to share the science behind its products via social channels in order to generate excitement.

    Bayer needed tools to publish content across a variety of social media platforms while fostering conversations that were more focused on the science behind products.

    Solution

    Based on the requirements, Bayer decided that an MMS would be the best fit.

    After conducting a market scan, the company selected an MMS with a comprehensive social media suite.

    The suite included tools for social listening and moderation and tools to guide conversations initiated by both marketers and customers.

    Results

    The MMS provided Bayer with the toolkit to engage its audience.

    Bayer took control of the conversation about its products by serving potential customers with relevant video content on social media.

    Its social strategy coupled with advanced engagement tools resulted in new business opportunities and more than 65,000 views on YouTube and more than 87,000 Facebook views in a single month.

    Leverage Info-Tech’s requirements gathering framework to serve as the basis for capturing your MMS requirements

    An important step in selecting an MMS that will have widespread user adoption is creating archetypal customer personas. This will enable you to talk concretely about them as consumers of the application you select and allow you to build buyer scenarios around them.
    REQUIREMENTS GATHERING
    Info-Tech’s requirements gathering framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework ensures that the application created will capture the needs of all stakeholders and deliver business value. Develop and right-size a proven standard operating procedure for requirements gathering with Info-Tech’s blueprint Build a Strong Approach to Business Requirements Gathering.
    Stock photo of a Jenga tower with title: Build a Strong Approach to Business Requirements Gathering
    KEY INPUTS TO MMS REQUIREMENTS GATHERING
    Requirements Gathering Methodology

    Sample of Requirements Gathering Blueprint.

    Requirements Gathering Blueprint Slide 25: Understand the best-practice framework for requirements gathering for enterprise applications projects.

    Requirements Gathering SOP

    Sample of Requirements Gathering Blueprint.

    Requirements Gathering Blueprint Activities 1.2.2-1.2.5, 2.1.1, 2.1.2, 3.1.1, 3.2.1, 4.1.1-4.1.3, 4.2.2: Consolidate outputs to right-size a best-practice SOP for your organization.

    Project Level Selection Tool

    Sample of Requirements Gathering Blueprint.

    Requirements Gathering Blueprint Activity 1.2.4: Determine project-level selection guidelines to inform the due diligence required in your MMS requirements gathering.

    Activity: Elicit and capture your MMS requirements

    Associated Activity icon 1.3.2 Varies

    INPUT: MMS tool user expertise, MMS Requirements Picklist Tool

    OUTPUT: A list of needs from the MMS tool user perspective

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: MMS users in the organization, MMS selection committee

    Instructions

    1. Identify stakeholders for the requirements gathering exercise. Consider holding one-on-one sessions or large focus groups with key stakeholders or the project sponsor to gather business requirements for an MMS.
    2. Use the MMS Requirements Picklist Tool as a starting point for conducting the requirements elicitation session(s).
    3. Begin by reading the instructions in the template and then move to the “Requirements” worksheet. Read each defined requirement in the worksheet and indicate in the “Requirement Status” column whether the requirement is a “Must,” “High,” or “Low.” Confirming the status is an important part of the exercise. The status will help filter vendors for final selection later on in the process.
    4. Decide whether additional requirements are necessary by asking the MMS tool users. If so, add the requirements to the bottom of the “Requirements” worksheet and indicate their “Requirement Status.”

    Download the MMS Requirements Picklist Tool to help with completing this activity.

    Show the measurable benefits of MMS with metrics

    The return on investment (ROI) and perceived value of the organization’s marketing solution will be a critical indication of the likelihood of success of the suite’s selection and implementation.

    EXAMPLE
    METRICS

    MMS and Technology Adoption

    Marketing Performance Metrics
    Average revenue gain per campaign Quantity and quality of marketing insights
    Average time to execute a campaign Customer acquisition rates
    Savings from automated processes Marketing cycle times
    User Adoption and Business Feedback Metrics
    User satisfaction feedback User satisfaction survey with the technology
    Business adoption rates Application overhead cost reduction

    Info-Tech Insight

    Even if marketing metrics are difficult to track right now, the implementation of an MMS brings access to valuable customer intelligence from data that was once kept in silos.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2.1

    Sample of activity 1.2.1 'Understand your business' goals for MMS by parsing your formal CXM strategy'. Align the CXM strategy value proposition to MMS capabilities

    Our facilitator will help your team identify the IT CXM strategy and marketing goals. The analyst will then work with the team to map the strategy to technological drivers available in the MMS market.

    1.3.2

    Sample of activity 1.3.2 'Elicit and capture your MMS requirements'. Define the needs of MMS users

    Our facilitator will work with your team to identify user requirements for the MMS Requirements Picklist Tool. The analyst will facilitate a discussion with your team to prioritize identified requirements.

    Select a Marketing Management Suite

    PHASE 2

    Shortlist Marketing Management Suites

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Shortlist Marketing Management Suites

    Proposed Time to Completion: 1-3 months
    Step 2.1: Analyze and Shortlist MMS Vendors
    Start with an analyst kick-off call:
    • Review requirements gathering findings.
    • Review the MMS market space.
    Then complete these activities…
    • Review vendor profiles and analysis.
    • Weigh the evaluation criteria’s importance in product capabilities and vendor characteristics.
    • Shortlist MMS vendors.
    With these tools & templates:
    Phase 2 Results:
    • Shortlist of MMS tools

    Phase 2 milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Step 2.1: Analyze and shortlist MMS vendors

    2.1

    Analyze and Shortlist MMS Vendors

    This step will walk you through the following activities:

    • Review MMS vendor landscape.
    • Take note of relevant point solutions.
    • Shortlist vendors for the RFP process.

    This step involves the following participants:

    • Core project team

    Outcomes of this step

    • Understanding of Info-Tech’s use-case scenarios for MMS: marketing automation, marketing intelligence, and social marketing.
    • Familiarity with the MMS vendor landscape.
    • Shortlist of MMS vendors for RFP process.

    Familiarize yourself with the MMS market: How it got here

    Vendor Profiles icon

    Loosely Tied Together

    Originally the sales and marketing enterprise application space was highly fragmented, with disparate best-of-breed point solutions patched together. Soon after, vendors in the late 1990s started bundling automation technologies into a single suite offering. Marketing capabilities of CRM suites were minimal at best and often restricted to web and email only.

    Limited to Large Enterprises

    Many vendors started to combine all marketing tools into a single, comprehensive marketing suite, but cost and complexity limited them to large enterprises and marketing agencies.

    Best-of-breed solutions targeting new channels and new goals, like closed-loop sales and marketing, continued driving new marketing software genres, like dedicated lead management suites.

    In today’s volatile business environment, judgment built from past experience is increasingly unreliable. With consumer behaviors in flux, once-valid assumptions (e.g. ‘older consumers don’t use Facebook or send text messages’) can quickly become outdated.” (SAS Magazine)

    Info-Tech Insight

    As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Some features, like basic CRM integration, have become table stakes capabilities. Focus on advanced analytics features and omnichannel integration capabilities to get the best fit for your requirements.

    Familiarize yourself with the MMS market: Where it’s going

    Vendor Profiles icon

    AI and Machine Learning

    Vendors are beginning to offer AI capabilities across MMS for data-driven customer engagement scoring and social listening insights. Machine learning capability is being leveraged to determine optimal customer journey and suggest next steps to users.

    Marketplace Fragmentation

    The number of players in the marketing application space has grown exponentially. The majority of these new vendors offer point solutions rather than full-blown marketing suites. Fragmentation is leading to tougher choices when looking to augment an existing platform with specific functionality.

    Improving Application Integration

    MMS vendors are fostering deeper integrations between their marketing products and core CRM products, leading to improved data hygiene. At the same time, vendors are improving flexibility in the marketing suite so that new channels can be added easily.

    Greater Self-Service

    Vendors have an increased emphasis on application usability. Their goal is to enable marketers to execute campaigns without relying on specialists.

    There’s a firehose of customer data coming at marketers today, and with more interconnected devices emerging (wearables, smart watches, etc.), cultivating a seamless customer experience is likely to grow even more challenging.

    Building out a data-driven marketing strategy and technology stack that enables you to capture behaviors across channels is key.” (IBM, Ideas for Exceeding Customer Expectations)

    Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

    Vendors & Products Evaluated

    Vendor logos including 'Adobe', 'ORACLE', and 'IBM'.

    VENDOR PROFILES

    Review the MMS Vendor Evaluation

    Large icon of a descending bar graph for vendor profiles title page.

    Table stakes are the minimum standard; without these, a product doesn’t even get reviewed

    Vendor Profiles icon

    TABLE STAKES

    Feature Table Stake Functionality
    Basic Workflow Automation Simple automation of common marketing tasks (e.g. handling inbound leads).
    Basic Channel Integration Integration with minimum two or more marketing channels (e.g. email and direct mail).
    Customizable User Interface A user interface that can be changed and optimized to users’ preferences. This includes customizable dashboards for displaying relevant marketing metrics.
    Basic Mobile UX Accessible from a mobile device in some fashion.
    Cloud Compatibility Able to offer integration within pre-existing or proprietary cloud server. Many vendors only have SaaS products.

    What does this mean?

    The products assessed in these vendor profiles meet, at the very least, the requirements outlined as table stakes.

    Many of the vendors go above and beyond the outlined table stakes; some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.

    Info-Tech Insight

    If table stakes are all you need from your MMS, determine whether your existing CRM platform already satisfies your requirements. Otherwise, dig deeper to find the best price-to-value ratio for your needs.

    Take a holistic approach to vendor and product evaluation

    Almost – or equally – as important as evaluating vendor feature capabilities is the need to evaluate vendor viability and non-functional aspects of the MMS. Include an evaluation of the following criteria in your vendor scoring methodology:

    Vendor Attribute Description
    Vendor Stability and Variability The vendor’s proven ability to execute on constant product improvement, deliberate strategic direction, and overall commitment to research and development efforts in responding to emerging trends.
    Security Model The potential to integrate the application to existing security models and the vendor's approach to handling customer data.
    Deployment Style The choice to deploy a single or multi-tenant SaaS environment via a perpetual license.
    Ease of Customization The relative ease with which a system can be customized to accommodate niche or industry-specific business or functional needs.
    Vendor Support Options The availability of vendor support options, including selection consulting, application development resources, implementation assistance, and ongoing support resources.
    Size of Partner Ecosystem The quantity of enterprise applications and third-party add-ons that can be linked to the MMS, as well as the number of system integrators available.
    Ease of Data Integration The relative ease with which the system can be integrated with an organization’s existing application environment, including legacy systems, point solutions, and other large enterprise applications.

    Info-Tech Insight

    Evaluate vendor capabilities, not just product capabilities. An MMS is typically a long-term commitment; ensure that your organization is teaming up with a vendor or provider that you feel you can work well with and depend on.

    Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

    Vendor Profiles icon

    Evaluation Methodology

    These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.

    Feature Advanced Functionality
    Advanced Campaign Management End-to-end marketing campaign management: customer journey mapping, campaign initiation, monitoring, and dynamic reporting and adjustment.
    Marketing Asset Management Content repository functionality (or tight ECM integration) for marketing assets and campaign collateral (static, multimedia, e-commerce–related, etc.).
    Marketing Analytics
    • Predictive analytics; machine learning; capabilities for data ingestion and visualization across various marketing research/marketing intelligence categories (demographic, psychographic, etc.).
    • Data segmentation; drill-down ability to assign attributes to unstructured data; ability to construct complex customer/competitive data visualizations from segmented data.
    Breadth of Channel Support Ability to support and manage a wide range of marketing channels (e-commerce, SEO/SEM, paid advertising, email, traditional [print, multimedia], etc.).
    Marketing Workflow Management Visual workflow editors and business rules engine creation.

    Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

    Vendor Profiles icon

    Evaluation Methodology

    These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.

    Feature Advanced Functionality
    Community Marketing Management Branded customer communities (e.g. community support forums) and DMB/DSP.
    Email Marketing Automation End-to-end management of email marketing: email templates, email previews, spam testing, A/B tracking, multivariate testing, and email metrics tracking.
    Social Marketing Ability to integrate with popular social media networks and manage social properties and to aggregate and analyze social data for trend reporting.
    Mobile Marketing Ability to manage SMS, push, and mobile application marketing.
    Marketing Operations Management Project management tools for marketers (timelines, performance indicators, budgeting/resourcing tools, etc.).

    Use the information in the MMS vendor profiles to streamline your vendor analysis process

    Vendor Profiles icon This section includes profiles of the vendors evaluated against the previously outlined framework.
    Review the use-case scenarios relevant to your organization’s use case to identify a vendor’s fit to your organization’s MMS needs.
    • L = Use-case leader
    • P = Use-case player
    Three column headers: 'Marketing Automation', 'Marketing Intelligence', and 'Social Media Marketing'.
    Understand your organization’s size and whether it falls within the product’s market focus.
    • Large enterprise: 2,000+ employees and revenue of $250M+
    • Small-medium enterprise: 30-2,000 employees and revenue of $25M-$250M
    Column header 'MARKET FOCUS' with row headers 'Small-Medium' and 'Large Enterprise'.
    Review the differentiating features to identify where the application performs best. A list of features.
    Colors signify a feature’s performance. A key for color-coding: Blue - 'Best of Breed', Green - 'Present: Competitive Strength', Yellow-Green - 'Present: Competitive Parity', Yellow - 'Semi-Present', Grey - 'Absent'.

    Adobe Marketing Cloud

    Vendor Profiles icon
    Logo for Adobe. FUNCTIONAL SPOTLIGHT

    Creative Cloud Integration: To make for a more seamless cross-product experience, projects can be sent between Marketing Cloud and Creative Cloud apps such as Photoshop and After Effects.

    Sensei: Adobe has revamped its machine learning and AI platform in an effort to integrate AI into all of its marketing applications. Sensei includes data from Microsoft in a new partnership program.

    Anomaly Detection: Adobe’s Anomaly Detection contextualizes data and provides a statistical method to determine how a given metric has changed in relation to previous metrics.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    L

    L

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Adobe’s goal with Marketing Cloud is to help businesses provide customers with cohesive, seamless experiences by surfacing customer profiles in relevant situations quickly. Adobe Marketing Cloud has traditionally been used in the B2C space but has seen an increase in B2C use cases driven by the finance and technology sectors. FEATURES
    Color-coded ranking of each feature for Adobe.
    Employees (2018): 17,000 Presence: Global Founded: 1982 NASDAQ: ADBE

    HubSpot

    Vendor Profiles icon

    Logo for Hubspot.FUNCTIONAL SPOTLIGHT

    Content Optimization System (COS): The fully integrated system stores assets and serves them to their designated channels at relevant times. The COS is integrated into HubSpot's marketing platform.

    Email Automation: HubSpot provides basic email that can be linked to a specific part of an organization’s marketing funnel. These emails can also be added to pre-existing automated workflows.

    Email Deliverability Tool: HubSpot identifies HTML or content that will be flagged by spam filters. It also validates links and minimizes email load times.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Hubspot’s primary focus has been on email marketing campaigns. It has put effort into developing solid “click not code” email marketing capabilities. Also, Hubspot has an official integration with Salesforce for expanded operations management and analytics capabilities. FEATURES
    Color-coded ranking of each feature for Hubspot.
    Employees (2018): 1,400 Presence: Global Founded: 2006 NYSE: HUBS

    IBM Marketing Cloud

    Vendor Profiles icon

    Logo for IBM.FUNCTIONAL SPOTLIGHT

    Watson: IBM is leveraging its popular Watson AI brand to generate marketing insights for automated campaigns.

    Weather Effects: Set campaign rules based on connections between weather conditions and customer behavior relative to zip code made by Watson.

    Real-Time Personalization: IBM has made efforts to remove campaign interaction latency and optimize live customer engagement by acting on information about what customers are doing in the current moment.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    L

    L

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    IBM has remained ahead of the curve by incorporating its well-known AI technology throughout Marketing Cloud. The application’s integration with the wide array of IBM products makes it a powerful tool for users already in the IBM ecosystem. FEATURES
    Color-coded ranking of each feature for IBM.
    Employees (2018): 380,000 Presence: Global Founded: 1911 NYSE: IBM

    Marketo

    Vendor Profiles icon

    Logo for Marketo.FUNCTIONAL SPOTLIGHT

    Content AI: Marketo has leveraged its investments in machine learning to intelligently fetch marketing assets and serve them to customers based on their interactions with a campaign.

    Email A/B Testing: To improve lead generation from email campaigns, Marketo features the ability to execute A/B testing for customized campaigns.

    Partnership with Google: Marketo is now hosted on Google’s cloud platform, enabling it to provide support for larger enterprise clients and improve GDPR compliance.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Marketo has strong capabilities for lead management but has recently bolstered its analytics capabilities. Marketo is hoping to capture some of the analytics application market share by offering tools with varying complexity and to cater to firms with a wide range of analytics needs. FEATURES
    Color-coded ranking of each feature for Marketo.
    Employees (2018): 1,000 Presence: Global Founded: 2006 Private Corporation

    Oracle Marketing Cloud

    Vendor Profiles icon

    Logo for Oracle.FUNCTIONAL SPOTLIGHT

    Data Visualization: To make for a more seamless cross-product experience, marketing projects can be sent between Marketing Cloud and Creative Cloud apps such as Dreamweaver.

    ID Graph: Use ID Graph to unite disparate data sources to form a singular profile of leads, making the personalization and contextualization of campaigns more efficient.

    Interest-Based Messaging: Pause a campaign to update a segment or content based on aggregated customer activity and interaction data.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Oracle Marketing Cloud is known for its balance between campaigns and analytics products. Oracle has taken the lead on expanding its marketing channel mix to include international options such as WeChat. Users already using Oracle’s CRM/CEM products will derive the most value from Marketing Cloud. FEATURES
    Color-coded ranking of each feature for Oracle.
    Employees (2018): 138,000 Presence: Global Founded: 1977 NYSE: ORCL

    Salesforce Marketing Cloud

    Vendor Profiles icon

    Logo for Salesforce Marketing Cloud.FUNCTIONAL SPOTLIGHT

    Einstein: Salesforce is putting effort into integrating AI into all of its applications. The Einstein AI platform provides marketers with predictive analytics and insights into customer behavior.

    Mobile Studio: Salesforce has a robust mobile marketing offering that encompasses SMS/MMS, in-app engagement, and group messaging platforms.

    Journey Builder: Salesforce created Journey Builder, which is a workflow automation tool. Its user-friendly drag-and-drop interface makes it easy to automate responses to customer actions.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    L

    P

    L

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Salesforce Marketing Cloud is primarily used by organizations in the B2C space. It has strong Sales Cloud CRM integration. Pardot is positioning itself as a tool for sales teams in addition to marketers. FEATURES
    Color-coded ranking of each feature for Salesforce Marketing Cloud.
    Employees (2018): 1,800 Presence: Global Founded: 2000 NYSE: CRM

    Salesforce Pardot

    Vendor Profiles icon

    Logo for Salesforce Pardot.FUNCTIONAL SPOTLIGHT

    Engagement Studio: Salesforce is putting marketing capabilities in the hands of sales reps by giving them access to a team email engagement platform.

    Einstein: Salesforce’s Einstein AI platform helps marketers and sales reps identify the right accounts to target with predictive lead scoring.

    Program Steps: Salesforce developed a distinct own workflow building tool for Pardot. Workflows are made of “Program Steps” that have the functionality to initiate campaigns based on insights from Einstein.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    -

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Pardot is Salesforce’s B2B marketing solution. Pardot has focused on developing tools that enable sales teams and marketers to work in lockstep in order to achieve lead-generation goals. Pardot has deep integration with Salesforce’s CRM and customer service management products. FEATURES
    Color-coded ranking of each feature for Salesforce Pardot.
    Employees (2018): 1,800 Presence: Global Founded: 2000 NYSE: CRM

    SAP Hybris Marketing

    Vendor Profiles icon

    Logo for SAP.FUNCTIONAL SPOTLIGHT

    CMO Dashboard: The specialized dashboard is aimed at providing overviews for the executive level. It includes the ability to coordinate marketing activities and project budgets, KPIs, and timelines.

    Loyalty Management: SAP features in-app tools to manage campaigns specifically geared toward customer loyalty with digital coupons and iBeacons.

    Customer Segmentation: SAP’s predictive capabilities dynamically suggest relevant customer profiles for new campaigns.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    L

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    SAP Hybris Marketing Cloud optimizes marketing strategies in real time with accurate attribution and measurements. SAP’s operations management capabilities are robust, including the ability to view consolidated data streams from ongoing marketing plans, performance targets, and budgets. FEATURES
    Color-coded ranking of each feature for SAP.
    Employees (2018): 84,000 Presence: Global Founded: 1972 NYSE: SAP

    SAS Marketing Intelligence

    Vendor Profiles icon

    Logo for SAS.FUNCTIONAL SPOTLIGHT

    Activity Map: A user-friendly workflow builder that can be used to execute campaigns. Multiple activities can be simultaneously A/B tested within the Activity Map UI. The outcome of the test can automatically adjust the workflow.

    Spots: A native digital asset manager that can store property that is part of existing and future campaigns.

    Viya: A framework for fully integrating third-party data sources into SAS Marketing Intelligence. Viya assists with pairing on-premises databases with a cloud platform for use with the SAS suite.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    L

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    SAS has been a leading BI and analytics provider for more than 35 years. Rooted in statistical analysis of data, SAS products provide forward-looking strategic insights. Organizations that require extensive customer intelligence capabilities and the ability to “slice and dice” segments should have SAS on their shortlist. FEATURES
    Color-coded ranking of each feature for SAS.
    Employees (2018): 14,000 Presence: Global Founded: 1976 Private Corporation

    Consider alternative MMS vendors not included in Info-Tech’s vendor profiles

    Info-Tech evaluated only a portion of vendors in the MMS market. In order for a vendor to be included in this landscape, the company needed to meet three baseline criteria:
    1. Our clients must be talking about the solution.
    2. Our analysts must believe the solution will play well within the evaluation.
    3. The vendor must meet table stakes criteria.
    Below is a list of notable vendors in the space that did not meet all of Info-Tech’s inclusion requirements.

    Additional vendors in the MMS market:

    Logo for act-on. Logo for SharpSpring.

    See the next slides for suggested point solutions.

    Leverage Info-Tech’s WXM and SMMP vendor landscapes to select platforms that fit with your CXM strategy

    Web experience management (WXM) and social media management platforms (SMMP) act in concert with your MMS to execute complex campaigns.

    Social Media Management

    Info-Tech’s SMMP selection guide enables you to find a solution that satisfies your objectives across marketing, sales, public relations, HR, and customer service. Create a unified framework for driving successful implementation and adoption of your SMMP that fully addresses CRM and marketing automation integration, end-user adoption, and social analytics with Info-Tech’s blueprint Select and Implement a Social Media Management Platform.

    Stock image with the title Select and Implement a Social Media Management Platform.
    Web Experience Management

    Info-Tech’s approach to WXM ensures you have the right suite of tools for web content management, experience design, and web analytics. Put your best foot forward by conducting due diligence as the selection project advances. Ensure that your organization will see quick results with Info-Tech’s blueprint Select and Implement a Web Experience Management Solution.

    Stock image with the title Select and Implement a Web Experience Management Solution.

    POINT SOLUTION PROFILES

    Review this cursory list of point solutions by use case

    Consider point solutions if a full suite is not required

    Large icon of a target for point solution profiles title page.

    Consider point solutions if a full suite is not required

    Email Marketing

    Logos of companies for Email Marketing including MailChimp and emma.

    Consider point solutions if a full suite is not required

    Search Engine Optimization (SEO)

    Logos of companies for Search Engine Optimization including SpyFu and SerpStat.

    Consider point solutions if a full suite is not required

    Demand-Side Platform (DSP)

    Logos of companies for Demand-Side Platform including MediaMath and rocketfuel.

    Consider point solutions if a full suite is not required

    Customer Portal Software

    Logos of companies for Customer Portal Software including LifeRay and lithium.

    Select a Marketing Management Suite

    PHASE 3

    Select Vendor and Communicate Decision to Stakeholders

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Plan Your MMS Implementation

    Proposed Time to Completion: 2 weeks
    Step 3.1: Select Your MMS Step 3.2: Communicate the Decision to Stakeholders
    Start with an analyst kick-off call:
    • Review the MMS shortlist.
    • Discuss how to link RFP questions and demo script scenarios to gathered requirements.
    Review findings with analyst:
    • Review the alignment between MMS capability and the business’ CXM strategy.
    • Discuss how to present the decision to stakeholders.
    Then complete these activities…
    • Build a vendor response template.
    • Evaluate RFP responses from vendors.
    • Build demo scripts and set up product demonstrations.
    • Establish evaluation criteria.
    • Select MMS product and vendor.
    Then complete these activities…
    • Present decision rationale to stakeholders.
    With these tools & templates:
    • MMS Request for Proposal Template
    • MMS Vendor Demo Script
    With these tools & templates:
    • MMS Selection Executive Presentation Template
    Phase 3 Results
    • Select an MMS that meets requirements and is approved by stakeholders.

    Phase 3 milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Step 2.1: Analyze and shortlist MMS vendors

    3.1

    3.2

    Select Your MMS Communicate Decision to Stakeholders

    This step will walk you through the following activities:

    • Build a response template to standardize potential vendor responses and streamline your evaluation process.
    • Evaluate the RFPs you receive with a clear scoring process and evaluation framework.
    • Build a demo script to evaluate product demonstrations by vendors.
    • Select your solution.

    This step involves the following participants:

    • Core project team
    • Procurement SMEs
    • Project sponsor

    Outcomes of this step

    • Completed MMS RFP vendor response template
    • Completed MMS demo script(s)
    • Established product and vendor evaluation criteria
    • Final MMS selection

    Activity: Shortlist vendors for the RFP process

    Associated Activity icon 3.1.1 30 minutes

    INPUT: Organizational use-case fit

    OUTPUT: MMS vendor shortlist

    Materials: Info-Tech’s MMS use cases, Info-Tech’s vendor profiles, Whiteboard, markers

    Participants: Core project team

    Instructions

    1. Collectively with the core project team, determine any knock-out criteria for shortlisting MMS vendors. For example, if your team is executing on a strategy that favors mobile deployment, vendors who do not have a mobile offering may be off the table.
    2. Based on the results in Activity 1.3.2, write a longlist of vendors. In most cases, this list will consist of all the vendors that fall into your organization’s use-case scenario. If your organization fits into more than one use case (e.g. your organization has both product-centric and service-centric MMS needs), look for the overlap of vendors between the use cases.
    3. Review the profiles of the vendors that fall into your use-case scenario. Based on your knock-out criteria established in Step 1, eliminate any vendors as applicable.
    4. Finalize and record your shortlist of MMS vendors.

    Use Info-Tech’s MMS Request for Proposal Template to document and communicate your requirements to vendors

    Supporting Tool icon 3.1.2 MMS Request for Proposal Template

    Use the MMS Request for Proposal Template as a step-by-step guide on how to request interested vendors to submit written proposals that meet your set of requirements.

    If interested in bidding for your project, vendors will respond with a description of the techniques they would employ to address your organizational challenges and meet your requirements, along with a plan of work and detailed budget for the project.

    The RFP is an important piece of setting and aligning your expectations with the vendors’ product offerings. Make sure to address the following elements in the RFP:

    Sections of the Tool:

    1. Statement of work
    2. General information
    3. Proposal preparation instructions
    4. Scope of work, specifications, and requirements
    5. Vendor qualifications and references
    6. Budget and estimated pricing
    7. Additional terms and conditions
    8. Vendor certification

    INFO-TECH DELIVERABLE

    Sample of Info-Tech's MMS Request Proposal Template.

    Complete the MMS Request for Proposal Template by following the instructions in Activity 3.1.3.

    Activity: Create an RFP to submit to MMS vendors

    Associated Activity icon 3.1.3 1-2 hours

    INPUT: Business requirements document, Procurement procedures

    OUTPUT: MMS RFP

    Materials: Internal RFP tools or templates (if available), Info-Tech’s MMS Request for Proposal Template (optional)

    Participants: Procurement SMEs, Project manager, Core project team (optional)

    Instructions

    1. Download Info-Tech’s MMS Request for Proposal Template or prepare internal best-practice RFP tools.
    2. Build your RFP:
      1. Complete the statement of work and general information sections to provide organizational context to your longlisted vendors.
      2. Outline the organization’s procurement instructions for vendors, including due diligence, assessment criteria, and dates.
      3. Input the business requirements document as created in Activity 1.3.2.
      4. Create a scenario overview to provide vendors with an opportunity to give an estimate price.
    3. Obtain approval for your RFP. Each organization has a unique procurement process; follow your own organization’s process as you submit your RFPs to vendors. Ensure compliance with your organization’s standards and gain approval for submitting your RFP.

    Establish vendor evaluation criteria

    Vendor demonstrations are an integral part of the selection process. Having clearly defined selection criteria will help with setting up relevant demos as well as inform the vendor scorecards.

    EXAMPLE EVALUATION CRITERIAPie chart indicating the weight of each 'Vendor Evaluation Criteria': 'Functionality, 30%', 'Ease of Use, 25%', 'Cost, 15%', 'Vendor, 15%', and 'Technology, 15%'.
    Functionality (30%)
    • Breadth of capability
    • Tactical capability
    • Operational capability
    Ease of Use (25%)
    • End-user usability
    • Administrative usability
    • UI attractiveness
    • Self-service options
    Cost (15%)
    • Maintenance
    • Support
    • Licensing
    • Implementation (internal and external costs)
    Vendor (15%)
    • Support model
    • Customer base
    • Sustainability
    • Product roadmap
    • Proof of concept
    • Implementation model
    Technology (15%)
    • Configurability options
    • Customization requirements
    • Deployment options
    • Security and authentication
    • Integration environment
    • Ubiquity of access (mobile)

    Info-Tech Insight

    Base your vendor evaluations not on the capabilities of the solutions but instead on how the solutions align with your organization’s process automation requirements and considerations.

    Vendor demonstrations

    Examine how the vendor’s solution performs against your evaluation framework.

    What is the value of a vendor demonstration?

    Vendor demonstrations create a valuable opportunity for your organization to confirm that the vendor’s claims in the RFP are actually true.

    A display of the vendor’s functional capabilities and its execution of the scenarios given in your demo script will help to support your assessment of whether a vendor aligns with your MMS requirements.

    What should be included in a vendor demonstration?

    1. Vendor’s display of its solution for the scenarios provided in the demo script.
    2. Display of functional capabilities of the tool.
    3. Briefing on integration capabilities.

    Activity: Invite top performing vendors for product demonstrations

    Associated Activity icon 3.1.4 1-2 hours

    INPUT: Business requirements document, Logistical considerations, Usage scenarios by functional area

    OUTPUT: MMS demo script

    Materials: Info-Tech’s MMS Vendor Demo Script

    Participants: Procurement SMEs, Core project team

    Instructions

    1. Have your evaluation team (selected at the onset of the project) present to evaluate each vendor’s presentation. In some cases you may choose to bring in a subject matter expert (SME) to evaluate a specific area of the tool.
    2. Outline the logistics of the demonstration in the Introduction section of the template. Be sure to outline the total length of the demo and the amount of time that should be dedicated to the following:
      • Product demonstration in response to the demo script
      • Showcase of unique product elements, not reflective of the demo script
      • Question and answer session
      • Breaks and other potential interruptions
    3. Provide prompts for the vendor to display the capabilities by listing and describing usage scenarios by functional area. For example, when asking a vendor to demo financial and accounting management capabilities, you may break scenarios out by task (e.g. general ledger, accounts payable) or user role (e.g. finance manager, administrator).

    Info-Tech Insight

    Challenge vendor project teams during product demonstrations. Asking the vendor to make adjustments or customizations on the fly will allow you to get an authentic feel of product capability and flexibility, as well as of the degree of adaptability of the vendor project team. Ask the vendor to demonstrate how to do things not listed in your user scenarios, such as change system visualizations or design, change underlying data, add additional datasets, demonstrate analytics capabilities, or channel specific automation.

    Use Info-Tech’s MMS Vendor Demo Script template to set expectations for vendor product demonstration

    Vendor Profiles icon MMS Vendor Demo Script

    Customize and use Info-Tech’s MMS Vendor Demo Script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

    This tool assists with outlining logistical considerations for the demo itself and the scenarios with which the vendors should script their demonstration.

    Sections of the Tool:

    1. Introduction
    2. Demo scenarios by functional area

    Info-Tech Best Practice

    Avoid providing vendors with a rigid script for product demonstration; instead, provide user scenarios. Part of the value of a vendor demonstration is the opportunity to assess whether or not the vendor project team has a solid understanding of your organization’s MMS challenges and requirements and can work with your team to determine the best solution possible. A rigid script may result in your inability to assess whether the vendor will adjust for and scale with your project and organization as a technology partner.

    INFO-TECH DELIVERABLE

    Sample of Info-Tech's MMS Vendor Demo Script.

    Use the MMS Vendor Demo Script by following the instructions in Activity 3.1.4.

    Leverage Info-Tech’s vendor selection and negotiation models as the basis for a streamlined MMS selection process

    Design a procurement process that is robust, ruthless, and reasonable. Rooting out bias during negotiation is vital to making unbiased vendor selections.

    Vendor Selection

    Info-Tech’s approach to vendor selection gets you to design a procurement process that is robust, ruthless, and reasonable. This approach enables you to take control of vendor communications. Implement formal processes with an engaged team to achieve the right price, the right functionality, and the right fit for the organization with Info-Tech's blueprint Implement a Proactive and Consistent Vendor Selection Process.

    Stock image with the title Implement a Proactive and Consistent Vendor Selection Process.
    Vendor Negotiation

    Info-Tech’s SaaS negotiation strategy focuses on taking control of implementation from the beginning. The strategy allows you to work with your internal stakeholders to make sure they do not team up with the vendor instead of you. Reach an agreement with your vendor that takes into account both parties’ best interests with Info-Tech’s blueprint Negotiate SaaS Agreements That Are Built to Last.

    Stock image with the title Negotiate SaaS Agreements That Are Built to Last.

    Step 3.2: Communicate decision to stakeholders

    3.1

    3.2

    Select Your MMS Communicate Decision to Stakeholders

    This step will walk you through the following activities:

    • Collect project rationale documentation.
    • Create a presentation to communicate your selection decision to stakeholders.

    This step involves the following participants:

    • Core project team
    • Procurement SMEs
    • Project sponsor
    • Business stakeholders
    • Relevant management

    Outcomes of this step

    • Completed MMS Selection Executive Presentation Template
    • Affirmation of MMS selection by stakeholders

    Inform internal stakeholders of the final decision

    Ensure traceability from the selected tool to the needs identified in the first phase. Internal stakeholders must understand the reasoning behind the final selection and see the alignment to their defined requirements and needs.

    Document the selection process to show how the selected tool aligns to stakeholder needs:

    A large arrow labelled 'Application Benefits', underlaid beneath two smaller arrows labelled 'MMS stakeholder needs' and 'MMS technology needs', all pointing to the right.

    Documentation will assist with:

    1. Adopting the selected MMS.
    2. Demonstrating that proper due diligence was performed during the selection process.
    3. Providing direct traceability between the selected applications and internal stakeholder needs.

    Activity: Prepare a presentation deck to communicate the selection process and decision to internal stakeholders

    Associated Activity icon 3.2.1 1 week

    INPUT: MMS tool selection committee expertise

    OUTPUT: Decision to invest or not invest in an MMS tool

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: MMS tool selection committee

    Instructions

    1. Download Info-Tech’s MMS Selection Executive Presentation Template.
    2. Read the instructions on slide 2 of the template. Then, on slide 3, decide if any portion of the selection process should be removed from the communication. Discuss with the team and make adjustments to slide 3 as necessary.
    3. Work with the MMS selection committee to populate the slides that remain after the adjustments. Follow the instructions on each slide to help complete the content.
    4. Refer to the square brackets on each slide (e.g. [X.X]) to identify the activity numbers in this storyboard that correspond to the slide in the MMS Selection Executive Presentation Template. Use the outputs produced from the corresponding activities in this deck and populate each slide in the MMS Selection Executive Presentation Template.
    5. Use the completed template to present to internal stakeholders.

    Info-Tech Insight

    Documenting the process of how the selection decision was made will avoid major headaches down the road. Without a documented process, internal stakeholders and even vendors can challenge and discredit the selection process.

    Vendor participation

    Vendors Who Briefed with Info-Tech Research Group

    Logos of vendors who participated in this blueprint: Salesforce Pardot, SAS, Adobe, Marketo, and Salesforce Marketing Cloud.

    Professionals Who Contributed to Our Evaluation and Research

    • Sara Camden, Digital Change Agent, Equifax
    • Caren Carrasco, Lifecycle Marketing and Automation, Benjamin David Group
    • 10 anonymous contributors participated in the vendor briefings

    Works cited

    Adobe Systems Incorporated. “Bayer builds understanding, socially.” Adobe.com, 2017. Web.

    IBM Corporation, “10 Key Marketing Trends for 2017.” IBM.com, 2017. Web.

    Marketo, Inc. “The Definitive Guide to Marketing Automation.” Marketo.com, 2013. Web.

    Marketo, Inc. “NBA franchise amplifies its message with help from Marketo’s marketing automation technology.” Marketo.com, 2017. Web.

    Salesforce Pardot. “Marketing Automation & Your CRM: The Dynamic Duo.” Pardot.com, 2017. Web.

    SAS Institute Inc. “Marketing Analytics: How, why and what’s next.” SAS Magazine, 2013. Web.

    SAS Institute Inc. “Give shoppers offers they’ll love.” SAS.com, 2017. Web.

    Implement Software Asset Management

    • Buy Link or Shortcode: {j2store}313|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $107,154 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Organizations are aware of the savings that result from implementing software asset management (SAM), but are unsure of where to start the process.
    • Poor data capture procedures and lack of a centralized repository produce an incomplete picture of software assets and licenses, preventing accurate forecasting and license optimization.
    • Audit protocols are ad hoc, resulting in sloppy reporting and time-consuming work and lack of preparedness for external software audits.

    Our Advice

    Critical Insight

    • A strong SAM program will benefit all aspects of the business. Data and reports gained through SAM will enable data-driven decision making for all areas of the business.
    • Don’t just track licenses; manage them to create value from data. Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
    • Win the audit battle without fighting. Conduct internal audits to minimize surprises when external audits are requested.

    Impact and Result

    • Conduct a current state assessment of existing SAM processes to form an appropriate plan for implementing or improving your SAM program.
    • Define standard policies, processes, and procedures for each stage of the software asset lifecycle, from procurement through to retirement.
    • Develop an internal audit policy to mitigate the risk of costly external audits.

    Implement Software Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement software asset management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess & plan

    Assess current state and plan the scope of the SAM program, team, and budget.

    • Implement Software Asset Management – Phase 1: Assess & Plan
    • SAM Maturity Assessment
    • SAM Standard Operating Procedures
    • SAM Budget Workbook

    2. Procure, receive & deploy

    Define processes for software requests, procurement, receiving, and deployment.

    • Implement Software Asset Management – Phase 2: Procure, Receive & Deploy
    • SAM Process Workflows (Visio)
    • SAM Process Workflows (PDF)

    3. Manage, redeploy & retire

    Define processes for software inventory, maintenance, harvest and redeployment, and retirement.

    • Implement Software Asset Management – Phase 3: Manage, Redeploy & Retire
    • Patch Management Policy

    4. Build supporting processes

    Build processes for audits and plan the implementation.

    • Implement Software Asset Management – Phase 4: Build Supporting Processes & Tools
    • Software Audit Scoping Email Template
    • Software Audit Launch Email Template
    • SAM Communication Plan
    • SAM FAQ Template
    • Software Asset Management Policy
    [infographic]

    Workshop: Implement Software Asset Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess & Plan

    The Purpose

    Assess current state and plan the scope of the SAM program, team, and budget.

    Key Benefits Achieved

    Current state assessment

    Defined roles and responsibilities

    SAM budget plan

    Activities

    1.1 Outline SAM challenges and objectives.

    1.2 Assess current state.

    1.3 Identify roles and responsibilities for SAM team.

    1.4 Identify metrics and reports.

    1.5 Identify SAM functions to centralize vs. decentralize.

    1.6 Plan SAM budget process.

    Outputs

    Current State Assessment

    RACI Chart

    Defined metrics and reports

    SAM Budget Workbook

    2 Procure, Receive & Deploy

    The Purpose

    Define processes for software requests, procurement, receiving, and deployment.

    Key Benefits Achieved

    Defined standards for software procurement

    Documented processes for software receiving and deployment

    Activities

    2.1 Determine software standards.

    2.2 Define procurement process for new contracts.

    2.3 Define process for contract renewals and additional procurement scenarios.

    2.4 Design process for receiving software.

    2.5 Design deployment workflow.

    2.6 Define process for non-standard software requests.

    Outputs

    Software standards

    Standard Operating Procedures

    SAM Process Workflows

    3 Manage, Redeploy & Retire

    The Purpose

    Define processes for software inventory, maintenance, harvest and redeployment, and retirement.

    Key Benefits Achieved

    Defined process for conducting software inventory

    Maintenance and patch policy

    Documented workflows for software harvest and redeployment as well as retirement

    Activities

    3.1 Define process for conducting software inventory.

    3.2 Define policies for software maintenance and patches.

    3.3 Map software license harvest and reallocation process.

    3.4 Define policy for retiring software.

    Outputs

    Standard Operating Procedures

    Patch management policy

    SAM Process Workflows

    4 Build Supporting Processes & Tools

    The Purpose

    Build processes for audits, identify tool requirements, and plan the implementation.

    Key Benefits Achieved

    Defined process for internal and external audits

    Tool requirements

    Communication and implementation plan

    Activities

    4.1 Define and document the internal audit process.

    4.2 Define and document the external audit process.

    4.3 Document tool requirements.

    4.4 Develop a communication plan.

    4.5 Prepare an FAQ list.

    4.6 Identify SAM policies.

    4.7 Develop a SAM roadmap to plan your implementation.

    Outputs

    Audit response templates

    Tool requirements

    Communication plan

    End-user FAQ list

    Software Asset Management Policy

    Implementation roadmap

    Further reading

    Implement Software Asset Management

    Go beyond tracking licenses to proactively managing software throughout its lifecycle.

    Table of contents

    1. Title
    2. Executive Brief
    3. Execute the Project/DIY Guide
    4. Next Steps
    5. Appendix

    Analyst Perspective

    “Organizations often conflate software asset management (SAM) with license tracking. SAM is not merely knowing how many licenses you require to be in compliance; it’s asking the deeper budgetary questions to right-size your software spend.

    Software audits are a growing concern for businesses, but proactive reporting and decision making supported by quality data will mitigate audit risks. Value is left on the table through underused or poor-quality data, so active data management must be in play. A dedicated ITAM tool can assist with extracting value from your license data.

    Achieving an optimized SAM program is a transformative effort, but the people, processes, and technology need to be in place before that can happen.” (Sandi Conrad, Senior Director, Infrastructure & Operations Practice, Info-Tech Research Group)

    Software license complexity and audit frequency are increasing: are you prepared to manage the risk?

    This Research Is Designed For:

    • CIOs that want to improve IT’s reputation with the business.
    • CIOs that want to eliminate the threat of a software audit.
    • Organizations that want proactive reporting that benefits the entire business.
    • IT managers who want visibility into their software usage.

    This Research Will Help You:

    • Establish a standardized software management process.
    • Track and manage software throughout its lifecycle, from procurement through to retirement or redeployment.
    • Rationalize your software license estate.
    • Improve your negotiations with software vendors.
    • Improve the quality of your SAM data gathering and reporting.

    Executive summary

    Situation

    • Organizations are aware of the savings that result from implementing software asset management (SAM), but are unsure of where to start the process. With no formal standards in place for managing licenses, organizations are constantly at risk for costly software audits and poorly executed software spends.

    Complication

    • Poor data-capture procedures produce an incomplete picture of software lifecycles.
    • No centralized repository exists, resulting in fragmented reporting.
    • Audit protocols are ad hoc, resulting in sloppy reporting and time-consuming work.

    Resolution

    • Conduct a current state assessment of existing SAM processes to form an appropriate plan for implementing or improving your SAM program.
    • Build and involve a SAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the software asset lifecycle, from procurement through to retirement. Pace yourself; a staged implementation will make your ITAM program a success.
    • Develop an internal audit program to mitigate the risk of costly audits.
    • Once a standardized SAM program and data are in place, you will be able to use the data to optimize and rationalize your software licenses.

    Info-Tech Insight

    A strong SAM program will benefit all aspects of the business.
    Data and reports gained through SAM will enable data-driven decision making for all areas of the business.

    Don’t just track licenses; manage them to create value from data.
    Gathering and monitoring license data is just the beginning. What you do with that data is the real test.

    Win the audit battle without fighting.
    Conduct internal audits to minimize surprises when external audits are requested.

    Build the business case for SAM on cost and risk avoidance

    You can estimate the return even without tools or data.

    Benefit Calculate the return
    Compliance

    How many audits did you have in the past three years?

    How much time did you spend in audit response?

    Suppose you had two audits each year for the last three years, each with an average $250,000 in settlements.

    A team of four with an average salary of $75,000 each took six months to respond each year, allocating 20% of their work time to the audit.

    You could argue annual audits cost on average $530,000. Increasing ITAM maturity stands to reduce that cost significantly.

    Efficiency

    How much do you spend on software and maintenance by supplier?

    Suppose you spent $1M on software last year. What if you could reduce the spend by just 10% through better practices?

    SAM can help reduce the annual spend by simplifying support, renegotiating contracts based on asset data, reducing redundancy, and reducing spend.

    The Business Benefits of SAM

    • Compliance: Managing audits and meeting legal, contractual, and regulatory obligations.
    • Efficiency: Reducing costs and making the best use of assets while maintaining service.
    • Agility: Anticipate requirements using asset data for business intelligence and analytics.

    Poor software asset management practices increase costs and risks

    Failure to implement SAM can lead to:

    High cost of undiscovered IT assets
    • Needless procurement of software for new hires can be costly.
    Licensing, liability, and legal violations
    • Legal actions and penalties that result from ineffective SAM processes and license incompliance can severely impact an organization’s financial performance and corporate brand image.
    Compromised security
    • Not knowing what assets you have, who is using them and how, can compromise the security of sensitive information.
    Increased management costs
    • Not having up-to-date software license information impacts decision making, with many management teams failing to respond quickly and efficiently to operational demands.
    Increased disruptions
    • Vendors seek out organizations who don’t manage their software assets effectively; it is likely that you could be subject to major operational disruptions as a result of an audit.
    Poor supplier/vendor relationship
    • Most organizations fear communicating with vendors and are anxious about negotiating new licenses.

    54% — A study by 1E found that only 54% of organizations believe they can identify all unused software in their organization.

    28% — On average, 28% of deployed software is unused, with a wasted cost of $224 per PC on unused software (1E, 2014).

    53% — Express Metrix found that 53% of organizations had been audited within the past two years. Of those, 72% had been audited within the last 12 months.

    SAM delivers cost savings beyond the procurement stage

    SAM delivers cost savings in several ways:

    • Improved negotiating position
      • Certainty around software needs and licensing terms can put the organization in a better negotiating position for new contracts or contract renewals.
    • Improved purchasing position
      • Centralized procurement can allow for improved purchasing agreements with better pricing.
    • More accurate forecasting and spend
      • With accurate data on what software is installed vs. used, more accurate decisions can be made around software purchasing needs and budgeting.
    • Prevention of over deployment
      • Deploy software only where it is needed based on what end users actively use.
    • Software rationalization
      • SAM data may reveal multiple applications performing similar functions that can be rationalized into a single standard software that is used across the enterprise.
    • License harvesting
      • Identify unused licenses that can be harvested and redeployed to other users rather than purchasing new licenses.

    SAM delivers many benefits beyond cost savings

    Manage risk. If licensing terms are not properly observed, the organization is at risk of legal and financial exposure, including illegal software installation, loss of proof of licenses purchased, or breached terms and conditions.

    Control and predict spend. Unexpected problems related to software assets and licenses can significantly impact cash flow.

    Less operational interruptions. Poor software asset management processes could lead to failed deployments, software update interruptions, viruses, or a shutdown of unlicensed applications.

    Avoid security breaches. If data is not secure through software patches and security, confidential information may be disclosed.

    More informed decisions. More accurate data on software assets improves transparency and informs decision making.

    Improved contract management. Automated tools can alert you to when contracts are up for renewal to allow time to plan and negotiate, then purchase the right amount of licenses.

    Avoid penalties. Conduct internal audits and track compliance to avoid fees or penalties if an external audit occurs.

    Reduced IT support. Employees should require less support from the service desk with proper, up to date, licensed software, freeing up time for IT Operations to focus on other work.

    Enhanced productivity. By rationalizing and standardizing software offerings, more staff should be using the same software with the same versioning, allowing for better communication and collaboration.

    Asset management is especially correlated with the following processes

    Being highly effective at asset management means that you are more likely to be highly effective at almost all IT processes, especially:

    Icon for process 'BAI10 Configuration Management'. Configuration Management
    76% more effective
    Icon for process 'ITRG03 Manage Service Catalogs'. Service Catalog
    74% more effective
    Icon for process 'APO11 Quality Management'. Quality Management
    63% more effective
    Icon for process 'ITRG08 Data Quality'. Data Quality
    62% more effective
    Icon for process 'MEA01 Performance Measurement'. Performance Measurement
    61% more effective
    Icon for process 'BAI05 Organizational Change Management'. Organizational Change Management
    60% more effective
    Icon for process 'APO05 Portfolio Management'. Portfolio Management
    59% more effective
    Icon for process 'APO03 Enterprise Architecture'. Enterprise Architecture
    58% more effective

    Why? Good SAM processes are integral to both service management and configuration management

    (Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=972 organizations) (High asset management effectiveness was defined as those organizations with an effectiveness score of 8 or above.)

    To accelerate progress, Info-Tech Research Group parses software asset management into its essential processes

    Focus on software asset management essentials

    Software Procurement:

    • Define procurement standards for software and related warranties and support options.
    • Develop processes and workflows for purchasing and work out financial implications to inform budgeting later.

    Software Deployment and Maintenance:

    • Define policies, processes, and workflows for software receiving, deployment, and maintenance practices.
    • Develop processes and workflows for managing imaging, harvests and redeployments, service requests, and large-scale rollouts.

    Software Harvest and Retirement:

    • Manage the employee termination and software harvest cycle.
    • Develop processes, policies, and workflows for software security and retirement.

    Software Contract and Audit Management:

    • Develop processes for data collection and validation to prepare for an audit.
    • Define metrics and reporting processes to keep asset management processes on track.
    A diagram that looks like a tier circle with 'Implement SAM' at the center. The second ring has 'Request & Procure', 'Receive & Deploy', 'Manage & Maintain', and 'Harvest & Retire'. The third ring seems to be a cycle beginning with 'Plan', 'Request', 'Procure', 'Deploy', 'Manage', 'Retire', and back to 'Plan'.

    Asset management is a key piece of Info-Tech’s COBIT-based IT Management and Governance Framework

    The Info-Tech / COBIT5 IT Management & Governance Framework, a number of IT process icons arranged like a periodic table. A magnifying glass highlights process 'BAI09 Asset Management' in the 'Infrastructure & Operations' category.

    Follow Info-Tech's methodology to build a plan to implement software asset management

    Phase 1
    Assess & Plan
    Phase 2
    Procure, Receive & Deploy
    Phase 3
    Manage, Redeploy & Retire
    Phase 4
    Build supporting processes

    1.1

    Assess current state

    2.1

    Request & procure

    3.1

    Manage & maintain contracts

    4.1

    Compliance & audits

    1.2

    Build team and define metrics

    2.2

    Receive & deploy

    3.2

    Harvest or retire

    4.2

    Communicate & build roadmap

    1.3

    Plan & budget
    Deliverables
    Standard Operating Procedures (SOP)
    SAM maturity assessment Process workflows Process workflows Audit response templates
    RACI chart Software standards Patch management policy Communication plan & FAQ template
    SAM metrics SAM policies
    SAM budget workbook

    Thanks to SAM, Visa saved $200 million in three years

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: International Business Software Managers Association

    Visa, Inc.

    Visa, Inc. is the largest payment processing company in the world, with a network that can handle over 40,000 transactions every minute.

    Software Asset Management Program

    In 2006, Visa launched a formal IT asset management program, but it was not until 2011 that it initiated a focus on SAM. Joe Birdsong, the SAM director, first addressed four major enterprise license agreements (ELAs) and compliance issues. The SAM team implemented a few dedicated SAM tools in conjunction with an aggressive approach to training.

    Results

    The proactive approach taken by Visa used a three-pronged strategy: people, process, and tools. The process included ELA negotiations, audit responses, and software license rationalization exercises.

    According to Birdsong, “In the past three years, SAM has been credited with saving Visa over $200 million.”

    An timeline arrow with benchmarks, in order: 'Tool purchases', 'ELA negotiations', 'License rationalization', 'Audit responses', '$200 million in savings in just three years thanks to optimized SAM processes'.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    Thumbnail of Info-Tech's 'SAM Standard Operating Procedures (SOP)'.
    SAM Standard Operating Procedures (SOP)
    Thumbnail of Info-Tech's 'SAM Maturity Assessment'.
    SAM Maturity Assessment
    Thumbnail of Info-Tech's 'SAM Visio Process Workflows'.
    SAM Visio Process Workflows
    Thumbnail of Info-Tech's 'SAM Budget Workbook'.
    SAM Budget Workbook
    Thumbnail of Info-Tech's 'Additional SAM Policy Templates'.
    Additional SAM Policy Templates
    Thumbnail of Info-Tech's 'Software Asset Management Policy'.
    Software Asset Management Policy
    Thumbnail of Info-Tech's 'SAM Communication Plan'.
    SAM Communication Plan
    Thumbnail of Info-Tech's 'SAM FAQ Template'.
    SAM FAQ Template

    Use these insights to help guide your understanding of the project

    • SAM provides value to other processes in IT.
      Data, reports, and savings gained through SAM will enable data-driven decision making for all areas of the business.
    • Don’t just track licenses; manage them to create value from data.
      Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
    • SAM isn’t about managing costs; it’s about understanding your environment to make better decisions.
      Capital tied up in software can impact the progress of other projects.
    • Managing licenses can impact the entire organization.
      Gain project buy-in from stakeholders by articulating the impact that managing licenses can have on other projects and the prevalence of shadow IT.

    Measure the value of a guided implementation (GI)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value (Assuming 260 workdays in a year)
    Phase 1: Assess & Plan
    • Time, value, and resources saved by using Info-Tech’s methodology to assess current state and create a defined SAM team with actionable metrics
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 2: Procure, Receive & Deploy
    • Time, value, and resources saved by using Info-Tech’s methodology to streamline request, procurement, receiving, and deployment processes for software assets.
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 3: Manage, Redeploy & Retire
    • Time, value, and resources saved by using Info-Tech’s methodology to streamline the maintenance, inventory, license redeployment, and software retiring processes.
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 4: Build Supporting Processes and Tools
    • Time, resources, and potential audit fines saved by using Info-Tech’s methodology to improve audit defense processes ($298,325 average audit penalty (Based on the results of Cherwell Software’s 2013 Software Audit Industry Report)) and design a communication and implementation plan.
    • For example, 2 FTEs * 5days * $80,000/year = $6,400 + $298,325 = $304,725
    Total savings $330,325

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Implement Software Asset Management – project overview

    Phase 1: Assess & plan Phase 2: Procure, receive & deploy Phase 3: Manage, redeploy & retire Phase 4: Build supporting processes
    Supporting Tool icon Best-Practice Toolkit

    Step 1.1: Assess current state

    Step 1.2: Build team and define metrics

    Step 1.3: Plan and budget

    Step 2.1: Request and procure

    Step 2.2: Receive and deploy

    Step 3.1: Manage and maintain contracts

    Step 3.2: Harvest, redeploy, or retire

    Step 4.1: Compliance and audits

    Step 4.2: Communicate and build roadmap

    Guided Implementations
    • Assess current state and challenges.
    • Define roles and responsibilities as well as metrics.
    • Discuss SAM budgeting.
    • Define software standards and procurement process.
    • Build processes for receiving software and deploying software.
    • Define process for conducting software inventory and maintenance and patches.
    • Build software harvest and redeployment processes and retirement.
    • Define process for internal and external audits.
    • Develop communication and implementation plan.
    Associated Activity icon Onsite Workshop Module 1:
    Assess & Plan
    Module 2:
    Map Core Processes: Procure, Receive & Deploy
    Module 3:
    Map Core Processes: Manage, Redeploy & Retire
    Module 4:
    Prepare for audit, build roadmap and communications

    Workshop Overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities
    Assess & Plan

    1.1 Outline SAM challenges and objectives

    1.2 Assess current state

    1.3 Identify roles and responsibilities for SAM team

    1.4 Identify metrics and reports

    1.5 Identify SAM functions to centralize vs. decentralize

    1.6 Plan SAM budget process

    Map Core Processes: Procure, Receive & Deploy

    2.1 Determine software standards

    2.2 Define procurement process for new contracts

    2.3 Define process for contract renewals and additional procurement scenarios

    2.4 Design process for receiving software

    2.5 Design deployment workflow

    2.6 Define process for non-standard software requests

    Map Core Processes: Manage, Redeploy & Retire

    3.1 Define process for conducting software inventory

    3.2 Define policies for software maintenance and patches

    3.3 Map software license harvest and reallocation process

    3.4 Define policy for retiring software

    Build Supporting Processes

    4.1 Define and document the internal audit process

    4.2 Define and document the external audit process

    4.3 Develop a communication plan

    4.4 Prepare an FAQ list

    4.5 Identify SAM policies

    4.6 Develop a SAM roadmap to plan your implementation

    Deliverables
    • SAM maturity assessment
    • RACI chart
    • Defined metrics and reports
    • Budget workbook
    • Process workflows
    • Software standards
    • Process workflows
    • Patch management policy
    • Standard operating procedures
    • Audit response templates
    • Communication plan
    • FAQ template
    • Additional policy templates
    • Roadmap of initiatives

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Phase 1: Assess Current State

    VISA fought fire with fire to combat costly software audits

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    Visa implemented an IT asset management program in 2006. After years of software audit teams from large firms visiting and leaving expensive software compliance bills, the world’s leading payment processing company decided it was time for a change.

    Upper management recognized that it needed to combat audits. It had the infrastructure in place and the budget to purchase SAM tools that could run discovery and tracking functions, but it was lacking the people and processes necessary for a mature SAM program.

    Solution

    Visa decided to fight fire with fire. It initially contracted the same third-party audit teams to help build out its SAM processes. Eventually, Visa formed a new SAM team that was led by a group of former auditors.

    The former auditors recognized that their role was not technology based, so a group of technical individuals were hired to help roll out various SAM tools.

    The team rolled out tools like BDNA Discover and Normalize, Flexera FlexNet Manager, and Microsoft SCCM.

    Results

    To establish an effective SAM team, diverse talent is key. Visa focused on employees that were consultative but also technical. Their team needed to build relationships with teams within the organization and externally with vendors.

    Most importantly, the leaders of the team needed to think like auditors to better prepare for audits. According to Joe Birdsong, SAM Director at Visa, “we want to be viewed as a team that can go in and help right-size their environment and better understand licensing to help teams make better decisions.”

    The SAM team was only the beginning.

    Step 1.1 Assess current state and plan scope

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.1.1 Outline the organization’s SAM challenges
    • 1.1.2 Identify objectives of SAM program
    • 1.1.3 Determine the maturity of your SAM program
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and SAM Manager

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • An outline of the challenges related to SAM
    • A clear direction for the program based on drivers, anticipated benefits, and goals
    • A completed maturity assessment of current SAM processes

    Sketch out challenges related to software asset management to shape the direction of the project

    Common SAM challenges

    • Audits are disruptive, time-consuming, and costly
    • No audit strategy and response in place
    • Software non-compliance risk is too high
    • Lacking data to forecast software needs
    • No central repository of software licenses
    • Untracked or unused software licenses results in wasted spend
    • Software license and maintenance costs account for a large percentage of the budget
    • Lacking data to know what software is purchased and deployed across the organization
    • Lack of software standards make it difficult to collect consistent information about software products
    • New software licenses are purchased when existing licenses remain on the shelf or multiple similar software products are purchased
    • Employees or departments make ad hoc purchases, resulting in overspending and reduced purchasing power
    • License renewal dates come up unexpectedly without time for adequate decision making
    • No communication between departments to coordinate software purchasing
    • Difficult to stay up to date with software licensing rule changes to remain in compliance
    • Processes and policies are unstandardized and undocumented

    Outline the organization’s SAM challenges

    Associated Activity icon 1.1.1 Brainstorm SAM challenges

    Participants: CIO/CFO, IT Director, Asset Manager, Purchasing, Service Desk Manager, Security (optional), Operations (optional)

    1. Distribute sticky notes to participants. Have everyone start by identifying challenges they face as a result of poor software asset management.
    2. As group, discuss and outline the software asset management challenges facing the organization. These may be challenges caused by poor SAM processes or simply by a lack of process. Group the challenges into key pain points to inform the current state discussion and assessment to follow.

    To be effective with software asset management, understand the drivers and potential impact to the organization

    Drivers of effective SAM Results of effective SAM
    Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. Improved access to accurate data on contracts, licensing, warranties, installed software for new contracts, renewals, and audit requests.
    Increased need to meet compliance requires a formal approach to tracking and managing assets. Encryption, software application controls, and change notifications all contribute to better asset controls and data security.
    Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. Reduction of software spend through data for better forecasting, planning, and licensing rationalization and harvesting.
    Audits are time consuming, disruptive to project timelines and productivity, and costly. Respond to audits with a formalized process, accurate data, and minimal disruption using always-available reporting.

    Determine goals to focus the direction of your SAM program

    Associated Activity icon 1.1.2 Identify objectives of the SAM program

    Participants: CIO/CFO, IT Director, Asset Manager, Service Manager (optional)

    Document: Document in the Standard Operating Procedures.

    1. Identify the drivers behind the software asset management implementation or improvement project. List on a whiteboard or flip chart.
    2. Using the project drivers as input, brainstorm the goals of the SAM project. Discuss the goals as a group and finalize into a list of objectives for the SAM program.
    3. Record the objectives in the SOP and keep them in mind as you work through the rest of the project.

    Sample Objectives:

    1. A single data repository to efficiently manage assets for their entire lifecycle.
    2. Formalizing a methodology for documenting assets to make data retrieval easy and accurate.
    3. Defining and documenting processes to determine where improvements can be made.
    4. Improving customer experience in accessing, using, and maintaining assets.
    5. Centralizing contract information.
    6. Providing access to information for all technical teams as needed.

    Implementing SAM processes will support other IT functions

    By improving how you manage your licenses and audit requests, you will not only provide benefits through a mature SAM program, you will also improve your service desk and disaster recovery functions.

    Service Desk Disaster Recovery
    • Effective service desk tickets require a certain degree of technical detail for completion that a SAM program often provides.
    • Many tools are available that can handle both ITSM and ITAM functions. Your SAM data can be integrated into many of your service desk functions.
    • For example, if a particular application is causing a high number of tickets, SAM data could show the application’s license is almost expired and its usage has decreased due to end-user frustrations. The SAM team could review the application and decide to purchase software that better meets end-user needs.
    • If you don’t know what you have, you don’t know what needs to be back online first.
    • The ability to restore system functionality is heavily dependent on the ability to locate or reproduce master media documentation and system configuration information.
    • If systems/software are permanently lost, the ability to recover software licensing information is crucial to preserving compliance.
    • License agreement and software are needed to demonstrate software ownership. Unless the proof of ownership is present, there is no proof of compliance.
    Short description of Info-Tech blueprint 'Standardize the Service Desk'. Short description of Info-Tech blueprint 'Create a Right-Sized Disaster Recovery Plan'.

    Each level of SAM maturity comes with its own unique challenges

    Maturity People & Policies Processes Technology
    Chaos
    • No dedicated staff
    • No policies published
    • Procedures not documented or standardized
    • Licenses purchased randomly
    • Help desk images machines, but users can buy and install software
    • Minimal tracking tools in place
    Reactive
    • Semi-focused SAM manager
    • No policies published
    • Reliance on suppliers to provide reports for software purchases
    • Buy licenses as needed
    • Software installations limited to help desk
    • Discovery tools and spreadsheets used to manage software
    Controlled
    • Full-time SAM manager
    • End-user policies published and requiring sign-off
    • License reviews with maintenance and support renewals
    • SAM manager involved in budgeting and planning sessions
    • Discovery and inventory tools used to manage software
    • Compliance reports run as needed
    Proactive
    • Extended SAM team, including help desk and purchasing
    • Corporate anti-piracy statement in place and enforced
    • Quarterly license reviews
    • Centralized view into software licenses
    • Software requests through service catalog with defined standard and non-standard software
    • Product usage reports and alerts in place to harvest and reuse licenses
    • Compliance and usage reports used to negotiate software contracts
    Optimized
    • SAM manager trained and certified
    • Working with HR, Legal, Finance, and IT to enforce policies
    • Full support and maintenance analysis for all license reviews
    • Quarterly meetings with SAM team to review policies, procedures, upcoming contracts, and rollouts
    • Software deployed automatically through service catalog/apps store
    • Detailed savings reports provided to executive team annually
    • Automated policy enforcement and process workflows

    Determine the maturity of your SAM program

    Supporting Tool icon 1.1.3 Use the SAM Maturity Assessment Tool
    1. Download the SAM Maturity Assessment Tool and go to tab 2.
    2. Complete the self-assessment in all seven categories:
      1. Control Environment
      2. Roles & Responsibilities
      3. Policies & Procedures
      4. Competence
      5. Planning & Implementation Process
      6. Monitoring & Review
      7. Inventory Processes
    3. Go to tab 3 and examine the graphs produced. Identify the areas in your SAM program that require the most attention and which are already relatively mature.
    4. Use the results of this maturity assessment to focus the efforts of the project moving forward. Return to the assessment after a pre-determined time (e.g. one year later) to track improvement in maturity over time.
    Screenshot of the results page from the SAM Maturity Assessment Tool. Screenshot of the processes page from the SAM Maturity Assessment Tool.

    Step 1.2 Build team and define metrics

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.2.1 Identify roles and responsibilities for SAM team
    • 1.2.2 Identify metrics and KPIs to track the success of your SAM program
    • 1.2.3 Define SAM reports to track metrics
    • CIO/CFO
    • IT Director
    • SAM Manager
    • SAM Team
    • Service Desk Manager

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • A description of the roles and responsibilities of IT staff involved in SAM
    • A list of metrics and reports to track to measure the success of the software asset management program

    Define roles and responsibilities for the SAM program

    Roles and responsibilities should be adapted to fit specific organizational requirements based on its size, structure, and distribution and the scope of the program. Not all roles are necessary and in small organizations, one or two people may fulfill multiple roles.

    Senior Management Sponsor – Ensures visibility and support for the program.

    IT Asset Manager – Responsible for management of all assets and maintaining asset database.

    Software Asset Manager – Responsible for management of all software assets (a subset of the overall responsibility of the IT Asset Manager).

    SAM Process Owner – Responsible for overall effectiveness and efficiency of SAM processes.

    Asset Analyst – Maintains up-to-date records of all IT assets, including software version control.

    Additional roles that interact with SAM:

    • Security Manager
    • Auditors
    • Procurement Manager
    • Legal Council
    • Change Manager
    • Configuration Manager
    • Release and Deployment Manager
    • Service Desk Manager

    Form a software asset management team to drive project success

    Many organizations simply do not have a large enough staff to hire a full-time software asset manager. The role will need to be championed by an internal employee.

    Avoid filling this position with a temporary contract; one of the most difficult operational factors in SAM implementation and continuity is constant turnover and organizational shifts. Hiring a software asset manager on contract might get the project going faster, but without the knowledge gained by doing the processes, the program won’t have enough momentum to sustain itself.

    Software Asset Manager Duties

    • Gather proof of license.
    • Record and track all assets within the SAM repository.
    • Produce compliance reports.
    • Preparation of budget requests.
    • Administration of software renewal process.
    • Contract and support analysis.
    • Document procedures.
    • Ensure project is on track.

    SAM Team Member Duties

    • Record license and contract data in SAM tool.
    • Assist in production of SAM reports.
    • Data analysis.
    • Match tickets to SAM data.
    • Assist in documentation.
    • Assist in compliance reports.
    • Gather feedback from end users.

    Info-Tech Best Practice

    Make sure your SAM team is diverse. The SAM team will need to be skilled at achieving compliance, but there is also a need for technically skilled individuals to maximize the function of the SAM tool(s) at your organization.

    Identify roles and responsibilities for SAM

    Associated Activity icon 1.2.1 Complete a RACI chart for your organization

    Participants: CIO/CFO, IT Director, SAM Manager, SAM Team, Service Desk Manager

    Document: Document in the Standard Operating Procedures.

    Determine the roles and responsibilities for your SAM program. Record the results in a RACI (responsible, accountable, consulted, informed) chart such as the example below.

    SAM Processes and Tasks CIO CFO SAM Manager IT Director Service Management Team IT Ops Security Finance Legal Project Manager
    Policies/Governance A C R R I I C I R I
    Strategy A C R R I I I I C
    Risk Management/Asset Security A C R R C R C C C
    Data Entry/Quality I I A R R
    Compliance Auditing R C A R I I I I
    Education & Training R I A C I I
    Contract Lifecycle Management R R A R C C C C R C
    Workflows R C A R I I I R I C/I
    Budgeting R R R A C R
    Software Acquisition R I A R I C R C C
    Controls/Reporting R I A R I I C I
    Optimize License Harvesting I I A R I C C

    Identify metrics to form the framework of the project

    Trying to achieve goals without metrics is like trying to cook without measuring your ingredients. You might succeed, but you’ll have no idea how to replicate it.

    SAM metrics should measure one of five categories:

    • Quantity → How many do we have? How many do we want?
    • Compliance → What is the level of compliance in a specific area?
    • Duration → How long does it take to achieve the desired result?
    • Financial → What is the cost/value? What is our comparative spend?
    • Quality → How good was the end result? E.g. Completeness, accuracy, timeliness

    The metrics you track depend on your maturity level. As your organization shifts in maturity, the metrics you prioritize for tracking will shift to reflect that change. Example:

    Metric category Low maturity metric High maturity metric
    Compliance % of software installed that is unauthorized % of vendors in effective licensing position (ELP) report
    Quantity % of licenses documented in ITAM tool % of requests made through unauthorized channels

    Associate KPIs and metrics with SAM goals

    • Identify the critical success factors (CSFs) for your software asset management program based on strategic goals.
    • For each success factor, identify the key performance indicators (KPIs) to measure success, as well as specific metrics that will be tracked and reported on.
    • Sample metrics are below:

    CSF = Goal, or what success looks like

    KPI = How achievement of goal will be defined

    Metric = Numerical measure to determine if KPI has been achieved

    CSF/Goal KPI Metrics
    Improve accuracy of software budget and forecasting
    • Reduce software spend by 5%
    • Total software asset spending
    • Budgeted software spend vs. actual software spend
    Avoid over purchasing software licenses and optimize use of existing licenses
    • Reduce number of unused and underused licenses by 10%
    • Number of unused licenses
    • Money saved from harvesting licenses instead of purchasing new ones
    Improve accuracy of data
    • Data in SAM tool matches what is deployed with 95% accuracy
    • Percentage of entitlements recorded in SAM tool
    • Percentage of software titles recognized by SAM tool
    Improved service delivery
    • Reduce time to deploy new software by 10%
    • Mean time to purchase new software
    • Mean time to fulfill new software requests

    Identify metrics and KPIs to track the success of your SAM program

    Associated Activity icon 1.2.2 Brainstorm metrics and KPIs

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. Discuss the goals and objectives of implementing or improving software asset management, based on challenges identified earlier.
    2. From the goals, identify the critical success factors for the SAM program.
    3. For each CSF, identify one to three key performance indicators (KPIs) to evaluate achievement of the success factor.
    4. For each KPI, identify one to three metrics that can be tracked and reported on to measure success. Ensure that the metrics are tangible and measurable.

    Use the table below as an example.

    Goal/CSF KPI Metric
    Improve license visibility Increase accuracy and completeness of SAM data
    • % of total titles included in ITAM tool
    • % of licenses documented in ITAM tool
    Reduce software costs Reduce number of unused software licenses by 20%
    • % of licenses assigned to ex-employees
    • % of deployed licenses that have not been used in the past six months
    Reduce shadow IT Reduce number of unauthorized software purchases and installations by 10%
    • % of software requests made through unauthorized channels
    • % of software installed that is unauthorized

    Tailor metrics and reports to specific stakeholders

    Asset Managers

    Asset managers require data to manage how licenses are distributed throughout the organization. Are there multiple versions of the same application deployed? What proportion of licenses deployed are assigned to employees who are no longer at the organization? What are the usage patterns for applications?

    Service Desk Technicians

    Service desk technicians need real-time data on licenses currently available to deploy to machines that need to be imaged/updated, otherwise there is a risk of breaching a vendor agreement.

    Business Managers and Executives

    Business managers and executives need reports to make strategic decisions. The reports created for business stakeholders need to help them align business projects or business processes with SAM metrics. To determine which reports will provide the most value, start by looking at business goals and determining the tactical data that will help inform and support these goals and their progress.

    Additional reporting guidelines:

    • Dashboards should provide quick-glance information for daily maintenance.
    • Alerts should be set for all contract renewals to provide enough advanced notice (e.g. 90 days).
    • Reports should be automated to provide actionable information to appropriate stakeholders as needed.

    Define SAM reports to track metrics

    Associated Activity icon 1.2.3 Identify reports and metrics to track regularly

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. Identify key stakeholders requiring SAM reports. For each audience, identify their goals and requirements from reporting.
    2. Using the list of metrics identified previously, sort metrics into reports for each audience based on their requirements and goals. Add any additional metrics required.
    3. Identify a reporting frequency for each report.

    Example:

    Stakeholder Purpose Report Frequency
    Asset Manager
    • Manage budget
    • Manage contracts and cash flow
    • Ensure processes are being followed
    Operational budget spent to date Monthly
    Capital budget spent to date Monthly
    Contracts coming due for renewal Quarterly
    Software harvested for redeployment Quarterly
    Number of single applications being managed Annually
    CFO
    • Manage budget
    • Manage cash flow
    Software purchased, operational & capital Monthly
    Software accrued for future purchases Monthly
    Contracts coming due for renewal
    • Include dollar value, savings/spend
    Quarterly
    CIO
    • Resource planning
    • Progress reporting
    Software deployments and redeployments Monthly
    Software rollouts planned Quarterly
    % of applications patched Quarterly
    Money saved Annually
    Number of contracts & apps managed Quarterly

    Step 1.3 Plan the SAM program and budget

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.3.1 Identify SAM functions to centralize vs. decentralize
    • 1.3.2 Complete the SAM budget tool
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and SAM Manager
    • CFO

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • Defined scope for the SAM program in terms of the degree of centralization of core functions and contracts
    • A clearer picture of software spend through the use of a SAM budgeting tool.

    Asset managers need to be involved in infrastructure projects at the decision-making stage

    Ensure that your software asset manager is at the table when making key IT decisions.

    Many infrastructure managers and business managers are unaware of how software licensing can impact projects. For example, changes in core infrastructure configuration can have big impacts from a software licensing perspective.

    Mini Case Study

    • When a large healthcare organization’s core infrastructure team decided to make changes to their environment, they failed to involve their asset manager in the decision-making process.
    • When the healthcare organization decided to make changes to their servers, they were running Oracle software on their servers, but the licenses were not being tracked.
    • When the change was being made to the servers, the business contacted Oracle to notify them of the change. What began as a tech services call quickly devolved into a licensing error; the vendor determined that the licenses deployed in the server environment were unauthorized.
    • For breaching the licensing agreement, Oracle fined the healthcare organization $250,000.
    • Had the asset manager been involved in the process, they would have understood the implications that altering the hardware configuration would have on the licensing agreement and a very expensive mistake could have been avoided.

    Decide on the degree of centralization for core SAM functions

    • Larger organizations with multiple divisions or business units will need to decide which SAM functions will be centralized and which, if any, will be decentralized as they plan the scope of their SAM program. Generally, certain core functions should be centralized for the SAM program to deliver the greatest benefits.
    • The degree of centralization may also be broken down by contract, with some contracts centralized and some decentralized.
    • A centralized SAM database gives needed visibility into software assets and licenses across the organization, but operation of the database may also be done locally.

    Centralization

    • Allows for more strategic planning
    • Visibility into software licenses across the organization promotes rationalization and cost savings
    • Ensure common products are used
    • More strategic sourcing of vendors and resellers
    • Centrally negotiate pricing for better deals
    • Easier to manage risk and prepare for audits
    • Greater coordination of resources

    Decentralization

    • May allow for more innovation
    • May be easier to demonstrate local compliance if the organization is geographically decentralized
    • May be easier to procure software if offices are in different countries
    • Deployment and installation of software on user devices may be easier

    Identify SAM functions to centralize vs. decentralize

    Associated Activity icon 1.3.1 Identify functions for centralization

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. If applicable, identify SAM functions that will need to be centralized and evaluate the implications of centralization to ensure it is feasible.
    2. If applicable, identify SAM functions that will be decentralized, if resources are available to manage those functions locally.

    Example:

    Centralized Functions
    • Operation of SAM database
    • SAM budget
    • Vendor selection
    • Contract negotiation and purchasing
    • Data analysis
    • Software receiving and inventory
    • Audits and risk management
    Decentralized functions
    • Procurement
    • Deployment and installation

    Software comprises the largest part of the infrastructure and operations budget

    After employee salaries (38%), the four next largest spend buckets have historically been infrastructure related. Adding salaries and external services, the average annual infrastructure and operations spend is over 50% of all IT spend.

    The largest portion of that spend is on software license and maintenance. As of 2016, software accounted for the roughly the same budget total as voice communications, data communications, and hardware combined. Managing software contracts is a crucial part of any mature budgeting process.

    Graph showing the percentage of all IT spend used for 'Ongoing software license and maintenance' annually. In 2010 it was 17%; in 2018 it was 21%. Graph showing the percentage of all IT spend used for 'Hardware maintenance / upgrades' annually. In 2010 it was 7%; in 2018 it was 8%. Graph showing the percentage of all IT spend used for 'Data communications' annually. In 2010 it was 7%; in 2018 it was 7%. Graph showing the percentage of all IT spend used for 'Voice communications' annually. In 2010 it was 5%; in 2018 it was 7%.

    Gain control of the budget to increase the success of SAM

    A sophisticated software asset management program will be able to uncover hidden costs, identify opportunities for rationalization, save money through reharvesting unused licenses, and improve forecasting of software usage to help control IT spending.

    While some asset managers may not have experience managing budgets, there are several advantages to the ITAM function owning the budget:

    • Be more involved in negotiating pricing with vendors.
    • Build better relationships with stakeholders across the business.
    • Gain greater purchasing power and have a greater influence on purchasing decisions.
    • Forecast software requirements more accurately.
    • Inform benchmarks and metrics with more data.
    • Directly impact the reduction in IT spend.
    • Manage the asset database more easily and have a greater understanding of software needs.
    • Identify opportunities for cost savings through rationalization.

    Examine your budget from a SAM perspective to optimize software spend

    How does examining your budget from a SAM perspective benefit the business?

    • It provides a chance to examine vendor contracts as they break down contracts by projects and services, which gives a clearer picture of where software fits into the budget.
    • It also gives organizations a chance to review vendor agreements and identify any redundancies present in software supporting services.

    Review the budget:

    • When reviewing your budget, implement a contingency fund to mitigate risk from a possible breach of compliance.
    • If your organization incurs compliance issues that relate to specific services, these fines may be relayed back to the departments that own those services, affecting how much money each department has.
    • The more sure you are of your compliance position, the less likely you are to need a contingency fund, and vice versa.

    Info-Tech Best Practice

    Finance needs to be involved. Their questions may cover:

    • Where are the monthly expenditures? Where are our financial obligations? Do we have different spending amounts based on what time of year it is?

    Use the SAM Budget Workbook to uncover insights about your software spend

    Supporting Tool icon 1.3.2 Complete the SAM budget tool

    The SAM Budget Workbook is designed to assist in developing and justifying the budget for software assets for the upcoming year.

    Instructions

    1. Work through tabs 2-6, following the instructions as you go.
    2. Tab 2 involves selecting software vendors and services provided by software.
    3. Tab 3 involves classifying services by vendor and assigning a cost to them. Tab 3 also allows you to classify the contract status.
    4. Tab 4 is a cost variance tracking sheet for software contracts.
    5. Tabs 5 and 6 are monthly budget sheets that break down software costs by vendor and service, respectively.
    6. Tab 7 provides graphs to analyze the data generated by the tool.
    7. Use the results found on tab 7 to analyze your budget: are you spending too much with one service? Is there vendor overlap based on what project or service that software is reporting?
    Screenshots of the 'Budget of Services Supported by Software Vendors' and 'Software Expense cashflow reports by Vendor' pages from the SAM Budget Workbook. Screenshot of the 'Analysis of Data' page from the SAM Budget Workbook.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.3

    Sample of activity 1.1.3 'Determine the maturity of your SAM program'. Determine the maturity of your SAM program

    Using the SAM Maturity Assessment Tool, fill out a series of questions in a survey to assess the maturity of your current SAM program. The survey assesses seven categories that will allow you to align your strategy to your results.

    1.2.3

    Sample of activity 1.2.3 'Define SAM reports to track metrics'. Define SAM reports to track metrics

    Identify key stakeholders with reporting needs, metrics to track to fulfill reporting requirements, and a frequency for producing reports.

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Assess and Plan

    Proposed Time to Completion (in weeks): 4
    Step 1.1: Assess current state Step 1.2: Build team and define metrics Step 1.3: Plan and budget
    Start with an analyst kick-off call:
    • Outline SAM challenges
    • Overview of the project
    • Assess current maturity level
    Review findings with analyst:
    • Define roles and responsibilities of SAM staff
    • Identify metrics and reports to track
    Review findings with analyst:
    • Plan centralization of SAM program
    • Discuss SAM budgeting
    Then complete these activities…
    • Identify challenges
    • Identify objectives of SAM program
    • Assess maturity of current state
    Then complete these activities…
    • Define roles and responsibilities
    • Identify metrics and KPIs
    • Plan reporting
    Then complete these activities…
    • Identify SAM functions to centralize
    • Complete the SAM budgeting tool
    With these tools & templates:
    • SAM Maturity Assessment
    • Standard Operating Procedures
    With these tools & templates:
    • Standard Operating Procedures
    With these tools & templates:
    • SAM Budget Workbook

    Phase 2: Procure, Receive, and Deploy

    VISA used high-quality SAM data to optimize its software licensing

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    Visa formed a SAM team in 2011 to combat costly software audits.

    The team’s first task was to use the available SAM data and reconcile licenses deployed throughout the organization.

    Organizations as large as Visa constantly run into issues where they are grossly over or under licensed, causing huge financial risk.

    Solution

    Data collection and analysis were used as part of the license rationalization process. Using a variety of tools combined with a strong team allowed Visa to perform the necessary steps to gather license data and analyze usage.

    One of the key exercises was uniting procurement and deployment data and the teams responsible for each.

    End-to-end visibility allowed the data to be uniform. As a result, better decisions about license rationalization can be made.

    Results

    By improving its measurement of SAM data, Visa was able to dedicate more time to analyze and reconcile its licenses. This led to improved license management and negotiations that reflected actual usage.

    By improving license usage through rationalization, Visa reduced the cost of supporting additional titles.

    The SAM team also performed license reclamation to harvest and redistribute licenses to further improve usage. The team’s final task was to optimize audit responses.

    Step 2.1 Request and procure software

    Phase 2:
    Procure, Receive & Deploy
    This step will walk you through the following activities:This step involves the following participants:

    2.1

    Request & Procure
    • 2.1.1 Determine which software contracts should be centralized vs. localized
    • 2.1.2 Determine your software standards
    • 2.1.3 Define procurement policy
    • 2.1.4 Identify approvals and requests for authorization thresholds
    • 2.1.5 Build software procurement workflow for new contracts
    • 2.1.6 Define process for contract renewals and additional procurement scenarios
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    2.2

    Receive & Deploy

    Step Outcomes

    • Defined standards for software requests
    • A documented policy for software procurement including authorization thresholds
    • Documented process workflows for new contracts and contract renewals

    Procurement and SAM teams must work together to optimize purchasing

    Procurement and SAM must collaborate on software purchases to ensure software purchases meet business requirements and take into account all data on existing software and licenses to optimize the purchase and contract. Failure to work together can lead to unnecessary software purchases, overspending on purchases, and undesirable contract terms.

    SAM managers must collaborate with Procurement when purchasing software.

    SAM managers should:

    • Receive requests for software licenses
    • Ensure a duplicate license isn’t already purchased before going through with purchase
    • Ensure the correct license is purchased for the correct individuals
    • Ensure the purchasing information is tracked in the ITAM/SAM tool
    • Report on software usage to inform purchases
    Two cartoon people in work attire each holding a piece of a puzzle that fits with the other. Procurement must commit to be involved in the asset management process.

    Procurement should:

    • Review requests and ensure all necessary approvals have been received before purchasing
    • Negotiate optimal contract terms
    • Track and manage purchasing information and invoices and handle financial aspects
    • Use data from SAM team on software usage to decide on contract terms and optimize value

    Centralize procurement to decrease the likelihood of overspending

    Centralized negotiation and purchasing of software can ensure that the SAM team has visibility and control over the procurement process to help prevent overspending and uncontrolled agreements.

    Benefits of centralized procurement

    • Ability to easily manage software demand.
    • Provides capability to effectively manage your relationships with suppliers.
    • Allows for decreased contract processing times.
    • Provides easy access to data with a single consolidated system for tracking assets at an early stage.
    • Reduces number of rogue purchases by individual departments.
    • Efficiency through automation and coordinated effort to examine organization’s compliance and license position.
    • Higher degree of visibility and transparency into asset usage in the organization.

    Info-Tech Insights

    It may be necessary to procure some software locally if organizations have multiple locations, but try to centrally procure and manage the biggest contracts from vendors that are likely to audit the organization. Even with a decentralized model, ensure all teams communicate and that contracts remain visible centrally even if managed locally.

    Standards for software procurement help prevent overspending

    Software procurement is often more difficult for organizations than hardware procurement because:

    • Key departments that need to be involved in the purchasing process do not communicate or interact enough.
    • A fear of software auditing causes organizations to overspend to mitigate risk.
    • Standards are often not in place, with most purchases being made outside of the gold imaging standard.
    • A lack of discovery results in gross overspending on software licenses that are already present and underused.

    Info-Tech Insight

    One of the major challenges involved in implementing SAM is uniting multiple datasets and data sources across the enterprise. A conversation with each major business unit will help with the creation of software procurement standards that are acceptable to all.

    Determine which software contracts should be centralized vs. localized (optional)

    Associated Activity icon 2.1.1 Identify central standard enterprise offerings

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. As a group, list as many software contracts that are in place across the organization as can easily be identified, focusing on top vendors.
    2. Identify which existing software contracts are standard enterprise offerings that are procured and managed centrally and which are non-standard or localized applications.
    3. Looking at the list of non-standard software, identify if any can or should be rationalized or replaced with a standard offering.
    Standard enterprise offerings
    • Microsoft
    • IBM
    • Adobe
    • Dell
    • Cisco
    • VMware
    • Barracuda
    Localized or non-standard software

    Classify your approved software into tiers to improve workflow efficiency

    Not all titles are created equal; classifying your pre-approved and approved software titles into a tiered system will provide numerous benefits for your SAM program.

    The more prestigious the asset tier, the higher the degree of data capture, support, and maintenance required.

    • Mission-critical, high-priority applications are classified as gold standard.
    • Secondary applications or high priority are silver standard.
    • Low-usage applications or normal priority are bronze standard.

    E.g. An enterprise application that needs to be available 24/7, such as a learning management system, should be classified as a gold tier to ensure it has 24/7 support.

    Creating tiers assists stakeholders in justifying the following set of decision points:

    • Which assets will require added maintenance (e.g. software assurance for Microsoft)
    • Technical support requirements to meet business requirements
    • Lifecycle and upgrade cycle of the software assets.
    • Monitoring usage to determine whether licenses can be harvested
    • Authorizations required for purchase requests

    Determine your software standards

    Associated Activity icon 2.1.2 Identify standard software images for your organization

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    1. As a group, discuss and identify the relevant software asset tiers and number of tiers.
    2. For each tier, define:
      • Support requirements (hours and payments)
      • Maintenance requirements (mandatory or optional)
      • Lifecycle (when to upgrade, when to patch)
      • Financial requirements (CapEx/OpEx expenses)
      • Request authorizations (requestors and approvers)
    3. Sort the software contracts identified in the previous category into tiers, for example:
      • Mission-critical software (gold tier)
      • High-priority software (silver tier)
      • Normal-priority software (bronze tier)
    4. Use the SOP as an example.

    Determine which licensing options and methodologies fit into future IT strategy

    Not everyone is ready to embrace the cloud for all solutions; make sure to align cloud strategy to business requirements. Work closely with IT executives to determine appropriate contract terms, licensing options, and tracking processes.

    Vendors make changes to bundles and online services terms on a regular basis. Ensure you document your agreed upon terms to save your required functionality as vendor standard offerings change.

    • Any contracts getting moved to the cloud will need to undergo a contract comparison first.
    • The contract you signed last month could be completely different this month. Many cloud contracts are dynamic in nature.
    • Keep a copy of the electronic contract that you signed in a secure, accessible location.
    • Consider reaching a separate agreement with the vendor that they will ensure you maintain the results of the original agreement to prevent scope creep.

    Not all on-premises to cloud options transition linearly:

    • Features of perpetual licenses may not map to subscriptions
    • Product terms may differ from online services terms
    • Licensing may change from per device to per user
    • Vendor migrations may be more complex than anticipated

    Download the Own the Cloud: Strategy and Action Plan blueprint for more guidance

    Understand the three primary models of software usage agreements

    Licensed Open Source Shareware
    License Structure A software supplier is paid for the permission to use their software. The software is provided free of charge, but is still licensed. The software is provided free of charge, but is still licensed. Usage may be on a trial basis, with full usage granted after purchase.
    Source Code The source code is still owned by the supplier. Source code is provided, allowing users to change and share the software to suit their needs. Source code is property of the original developer/supplier.
    Technical Support Technical support is included in the price of the contract. Technical support may be provided, often in a community-based format from other developers of the open-source software in question. Support may be limited during trial of software, but upgraded once a purchase is made.

    Info-Tech Insight

    Open-source software should be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products, as well as any rules surrounding source code.

    Coordinate with purchasing department to define software procurement policy

    Associated Activity icon 2.1.3 Define procurement policy

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Define and document policies that will apply to IT software purchases, including policies around:

    • Software purchase approvals
    • Licenses for short-term contractors
    • On-premises vs. SaaS purchases
    • Shareware and freeware fees
    • Open-source software

    Use the example below as guidance and document in the SOP.

    • Software will not be acquired through user corporate credit cards, office supply, petty cash, or personal expense budgets. Purchases made outside of the acceptable processes will not be reimbursed and will be removed from company computers.
    • Contractors who are short term and paid through vendor contracts and invoices will supply their own licenses.
    • Software may be purchased as on-premises or as-a-service solutions as IT deems appropriate for the solution.
    • Shareware and freeware authors will be paid the fee they specify for use of their products.
    • Open-source software will be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products.

    Identify approvals and requests for authorization thresholds

    Associated Activity icon 2.1.4 Identify financial thresholds for approvals and requests

    Participants: Asset Manager, Purchasing, CIO, CFO, IT Director

    Document: Document in the Standard Operating Procedures.

    Identify and classify financial thresholds for contracts requiring approval. For each category of contract value, identify who needs to authorize the request. Discuss and document any other approvals necessary. An example is provided below.

    Example:
    Requests for authorization will need to be directed based on the following financial thresholds:

    Contract value Authorization
    <$50,000 IT Director
    $50,000 to $250,000 CIO
    $250,000 to $500,000 CIO and CFO
    >$500,000 Legal review

    Develop a defined process for software procurement

    A poorly defined software procurement workflow can result in overspending on unnecessary software licensing throughout the year. This can impact budgeting and any potential software refreshes, as businesses will often rely on purchasing what they can afford, not what they need.

    Benefits of a defined workflow

    • Standardized understanding of the authorization processes results in reduced susceptibility to errors and quicker processing times.
    • Compliance with legal regulations.
    • Protection from compliance violations.
    • Transparency with the end user by communicating the process of software procurement to the business.

    Elements to include in procurement workflows:

    • RFP
    • Authorizations and approvals
    • Contract review
    • Internal references to numbers, cost centers, locations, POs, etc.

    Four types of procurement workflows:

    1. New contract – Purchasing brand new software
    2. Add to contract – Adding new POs or line items to an existing contract
    3. Contract renewal – Renewing an existing contract
    4. No contract required – Smaller purchases that don’t require a signed contract

    Outline the procurement process for new contracts

    The procurement workflow may involve the Service Desk, procurement team, and asset manager.

    The following elements should be accounted for:

    • Assignee
    • Requestor
    • Category
    • Type
    • Model or version
    • Requisition number
    • Purchase order number
    • Unit price
    A flowchart outlining the procurement process for new contracts. There are three levels, at the top is 'Tier 2 or Tier 3', the middle is 'IT Procurement', the bottom is 'Asset Manager'. It begins in 'Tier 2 or Tier 3' with 'Approved request received', and if it is not declined it moves on to 'Purchasing request forwarded to Procurement' on the 'IT Procurement' level. If an RFP is required, it eventually moves to 'Receives contract' on the 'Asset Manager' level and ends with 'Document license requirements, notify IT Product Owner'.

    Build software procurement workflow for new contracts

    Associated Activity icon 2.1.5 Build new contract procurement workflow

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    1. As a team, outline each of the tasks in the process of procuring a new software asset using cue cards, sticky notes, or a whiteboard.
    2. Use the sample procurement workflow on the previous slide as an example if needed.
    3. Ensure the following elements required for the asset procurement process have been accounted for:
      • Assignee
      • Requestor
      • Category
      • Type
      • Model or version
      • Requisition number
      • Purchase order number
      • Unit price
    4. Review the workflow and make any adjustments necessary to improve the process. Document using Visio and add to the SOP.

    Review vendor contracts to right-size licensing procurement

    Many of your applications come from the same vendor, and a view into the business services provided by each software vendor contract will prove beneficial to the business.

    • You may uncover overlaps in services provided by software across departments.
    • The same service may be purchased from different vendors simply because two departments never compared notes!
    • This leaves a lot of money on the table from a lack of volume discounts.
    A graphic depicting a Venn diagram in which the 'Software' and 'Services' circles overlap, both of which stem from a 'Vendor Contract'.
    • Be cautious about approaching license budgeting strictly from a cost perspective. SAM is designed to right-size your licenses to properly support your organization.
    • One trap organizations often fall into is bundling discounts. Vendors will offer steep discounts if clients purchase multiple titles. On the surface, this might seem like a great offer.
    • However, what often happens is that organizations will bundle titles to get a steep discount on their prize title of the group.
    • The other titles become shelfware, and when the time comes to renew the contract, the maintenance fees on the shelfware titles will often make the contract more expensive than if only the prize title was purchased.

    Additionally, information regarding what licenses are being used for certain services may yield insight into potential redundancies. For example, two separate departments may have each have a different application deployed that supports the same service. This presents an opportunity for savings based on bulk licensing agreements, not to mention a simplified support environment by reducing the number of titles deployed in your environment.

    Define a procedure for tracking and negotiating contract renewals

    Participants: IT Director/CIO, Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Discuss and document a policy for tracking and negotiating contract renewals. Answer the following questions as guides:

    • How will renewal dates be tracked and monitored?
    • How soon should contracts be reviewed prior to renewal to determine appropriateness for use and compliance?
    • What criteria will be used to determine if the product should be renewed?
    • Who will be consulted for contract renewal decisions for major contracts?
    • How will licensing and support decisions be made?

    Optional contract review:

    1. Take a sample contract to renew. Create a list of services that are supported by the software. Look for overlaps, redundancies, shelfware, and potential bundling opportunities. Recall the issues outlined when purchasing bundled software.
    2. Create a list of action items to bring into the next round of contract negotiations with that vendor and identify a start date to begin reviewing these items.

    Define process for contract renewals and additional procurement scenarios

    Associated Activity icon 2.1.6 Build additional procurement workflows

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Build procurement workflows and define policies and procedures for additional purchasing scenarios beyond new contracts.

    This may include:

    1. Contract renewals
    2. Single purchase, non-contract procurement
    3. Adding to contracts

    Use the sample workflows in the Standard Operating Procedures as a guide.

    A flowchart outlining the procurement process for 'Software Contract Renewal'.

    A flowchart outlining the procurement process for 'Software single purchase, non-contract'.

    Negotiate for value to ensure quality license agreements

    Approach negotiating from a value-first, price-second perspective.

    Contract negotiations too often come down to a question of price. While you want to avoid overpaying for licenses, a worse offense is getting a steep discount for a bundle of applications where the majority will go unused.

    Vendors will try to sell a full stack of software at a steep discount to give the illusion of value. Often organizations bite off more than they can chew. When auditors come knocking, the business may be in compliance, but being over-licensed is a dangerous state to be in. Organizations end up over-licensed and in possession of numerous “shelfware” apps that sit on the proverbial shelf collecting dust while drawing expensive maintenance and licensing fees from the business.
    • Pressure from the business is also an issue. Negotiations can be rushed in an effort to fulfill an immediate need.
    • Make sure you clearly outline the level of compliance expected from the vendor.
    • Negotiate reduced-fee software support services. Your Service Desk can already handle the bulk of requests, and investing in a mature Service Desk will provide more lasting value than paying for expensive maintenance and support services that largely go unused.

    Learn to negotiate effectively to optimize contract renewals

    Leverage Info-Tech’s research, Master Contract Review and Negotiation for Software Agreements, to review your software contracts to leverage your unique position during negotiations and find substantial cost savings.

    This blueprint includes the following tools and templates:

    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator
    • Software Terms & Conditions Evaluation Tool
    • Software Buyer’s Checklist
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook

    Step 2.2 Receive and deploy software

    Phase 2:
    Procure, Receive & Deploy
    This step will walk you through the following activities:This step involves the following participants:

    2.1

    Request & Procure
    • 2.2.1 Identify storage locations for software information and media
    • 2.2.2 Design the workflow for receiving software
    • 2.2.3 Design and document the deployment workflow(s)
    • 2.2.4 Create a list of pre-approved, approved, and unapproved software titles
    • 2.2.5 Document the request and deployment process for non-standard software requests
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team
    • Purchasing (optional)
    • Service Desk Manager (optional)
    • Operations (optional)
    • Release & Deployment manager (optional)

    2.2

    Receive & Deploy

    Step Outcomes

    • A strategy for storing software information and media in the ITAM database and DML
    • A documented workflow for the software receiving process
    • Documented process workflows for software requests and deployment, including for large quantities of software
    • A list of pre-approved, approved, and unapproved software titles for deployment
    • A process for responding to non-standard software requests

    Verify product and information upon receipt

    Upon receipt of procured software:

    • Verify that the product is correct
    • Reconcile with purchase record to ensure the order has been completed
    • Verify that the invoice is correct
    • Update financial information such as budget and accounting records
    • Update ITAM database to show status as received
    • Record/attach license keys and software codes in ITAM database
    • Attach relevant documents to record in the ITAM database (license reports, invoices, end-user agreement, etc.)
    • Download and store any installation files, DVDs, and CDs
    • Once software has been installed, verify license is matched to discovered installed software within the ITAM database

    Info-Tech Best Practice

    While most software will be received through email and download, in some cases physical software may be received through courier or mail. Ensure processes and procedures are defined for both cases.

    Establish a secure repository for licenses and documentation

    All licenses, documentation, and digital media for authorized and supported software should be collected and stored in a central, secure location to minimize risk of theft, loss, or unauthorized installation or duplication of software.

    Where to store software data?

    The ITAM database should contain an up-to-date record of all software assets, including their associated:

    • Serial numbers
    • License keys and codes
    • Contracts and agreements

    The database allows you to view software that is installed and associated licenses.

    A definitive media library (DML) is a single logical storage area, which may consist of one or more locations in which definitive authorized versions of all software configuration items are securely stored and protected.

    The DML consists of file storage as well as physical storage of CDs and DVDs and must be continually updated to contain the latest information about each configuration item.

    The DML is used to organize content and link to automated deployment to easily install software.

    Use a definitive media library (DML) to assist in storage of software packages for deployment

    The DML will usually contain the most up-to-date versions to minimize errors created by having unauthorized, old, or problematic software releases being deployed into the live IT environment. The DML can be used for both full-packed product (FPP) software and in-house developed software, providing formalized data around releases of in-house software.

    The DML should consist of two main storage areas:

    1. Secure file storage
    2. Secure physical storage for any master CD/DVDs

    Additional Recommendations:

    • The process of building, testing, adapting, and final pre-production testing should provide your IT department with a solid final deployment package, but the archive will enable you to quickly pull in a previous version if necessary.
    • When upgrading software packages to include new patches or configurations, use the DML to ensure you're referencing a problem-free version.
    • Include the DML in your disaster recovery plan (DRP) and include testing of the DML as part of your DRP testing. If you need to rebuild servers from these files, offsite, you'll want to know your backup DML is sound.

    Ensure you have a strategy to create and update your DML

    Your DML should have a way to separate archived, new, and current software to allow for optimal organization of files and code, to ensure the correct software is installed, and to prepare for automated deployment through the service catalog.

    New software hasn’t been tested yet. Make it available for testing, but not widely available.

    Keep a record for archived software, but do not make it available for install.

    Current software is regularly used and should be available for install.

    Deployment

    • Are you using tools to integrate with the DML for deployment?
    • Store files that are ready for automated deployment in a separate location.

    Identify storage locations for software information and media

    Associated Activity icon 2.2.1 Identify software storage locations

    Participants: Asset Manager, IT Director

    Document: Document in the Standard Operating Procedures.

    1. Identify storage locations for asset data that is received (i.e. ITAM database, DML).
    2. Identify information that should be stored with each asset (i.e. license, serial number, invoice, end-user license agreement) and where this information should be stored.
    3. Identify fields that should be populated in the DML for each record:
      • Product name
      • Version
      • Description
      • Authorized by
      • Received by/date
      • Configuration item on which asset is installed
      • Media
      • Physical and backup locations
      • Verified by/date

    Define the standard process for receiving software

    Define the following in your receiving process:

    • Process for software received by email/download
    • Process for physical material received at Service Desk
    • Information to be recorded and where
    • Process following discrepancy of received software
    A flowchart outlining the standard process for receiving software. There are two levels, at the top is 'Desktop Support Team' and the bottom is 'Procurement'. It begins in 'Desktop Support Team' with 'Received at Service Desk' or 'Receive by email/download'. If the reconciliation is correct it eventually moves on to 'Fulfill service request, deliver and close ticket'. If the reconciliation is not correct it moves to 'Contact vendor with discrepancy details' in 'Procurement'. If a return is required 'Repackage and ship', or if not 'Notify Desktop Support Team of resolution'.

    Design the workflow for receiving software

    Associated Activity icon 2.2.2 Design the workflow for receiving software

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Use the sample workflow from this step as a guide if starting from scratch.
    4. Engage the team in refining the process workflow.
    5. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the SOP.

    Build release management into your software deployment process

    A sound software deployment process is tied to sound release management practices.

    Releases: A collection of authorized changes to an IT service. Releases are divided into:

    • Major software releases/upgrades: Normally containing large areas of new functionality, some of which may make intervening fixes to redundant problems.
    • Minor software releases/upgrades: Normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes.
    • Emergency software fixes: Contain the corrections to a small number of known problems.

    Ensure that release management processes work with SAM processes:

    • If a release will impact licensing, the SAM manager must be made aware to make any necessary adjustments.
    • Deployment models should be in line with SAM strategy (i.e. is software rolled out to everyone or individually when upgrades are needed?).
    • How will user requests for upgrades be managed?
    • Users should be on the same software version to ensure file compatibility and smooth patch management.
    • Ideally, software should be no more than two versions back.

    Document the process workflow for software deployment

    Define the process for deploying software to users.

    Include the following in your workflow:

    • All necessary approvals
    • Source of software
    • Process for standard vs. non-standard software requests
    • Update ITAM database once software has been installed with license data and install information
    A flowchart outlining the process workflow for software deployment. There are four levels, at the top is 'Business', then 'Desktop Support Team', 'Procurement', and the bottom is 'Asset Manager'. It begins in 'Business' with 'Request for software', and if it is approved by the manager it moves to 'Check DB: Can a volume serial # be used?' in 'Desktop Support Team'. If yes, it eventually moves on to 'Close ticket' on the same level, if not it eventually moves to 'Initiate procurement process' in 'Procurement', 'Initiate receiving process' in 'Asset Manager', and finally to 'Run quarterly license review to purchase volume licenses'.

    Large-scale software rollouts should be run as projects

    Rollouts or upgrades of large quantities of software will likely be managed as projects.

    These projects should include project plans, including resources, timelines, and detailed procedures.

    Define the process for large-scale deployment if it will differ from the regular deployment process.

    A flowchart outlining large-scale software rollouts. There are three levels, at the top is 'IT Procurement', then 'Asset Manager', and the bottom is 'Software Packager'. It begins in 'IT Procurement' with 'Project plan approved', and if a bid is not required it skips to 'Sign contract/Create purchase order'. This eventually moves to 'Receive access to eLicense site/receive access to new product' in 'Asset Manager', and either to 'Approve invoice for payment, forward to accounting' on the same level or to 'Download software, license keys' in 'Software Packager' then eventually to 'Deploy'.

    Design and document the deployment workflow(s)

    Associated Activity icon 2.2.3 Document deployment workflows for desktop and large-scale deployment

    Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager

    Document: Document in the Standard Operating Procedures.

    1. Outline each step in the process of software deployment using notecards or on a whiteboard. Be as granular as possible. On each card, describe the step and the individual responsible for each step.
      • Be sure to identify the type of release for standard software releases and patches.
      • Additionally, identify how additional software outside the scope of the base image will be addressed.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, considering people, processes, and available technology.
    4. Document separately the process for large-scale software deployment if required.

    Develop standards to streamline your software estate

    Software should be approved and deployed based on approved standards to minimize over-deployed software and manage costs appropriately. A list of standard software improves the efficiency of the software approval process.

    • Pre-approved titles include basic platforms like Office or Adobe Reader that are often available in enterprise-wide license packages.
    • Approved titles include popular titles with license numbers that need to be managed on a role-by-role basis. For example, if most of your marketing team uses the Adobe Creative Suite, a user still needs to get approval before they can get a license.
    • Unapproved titles are managed on a case-by-case basis and are up to the discretion of the asset manager and other involved parties.

    Additionally, create a list of unauthorized software including titles not to be installed under any circumstances. This list should be designed with feedback from your end users and technical support staff. Front-line knowledge is crucial to identifying which titles are causing major problems.

    Create a list of pre-approved, approved, and unapproved software titles

    Associated Activity icon 2.2.4 Determine software categories for deployment

    Participants: IT Director, Asset Manager, Purchasing (optional), Service Desk Manager (optional), Release & Deployment Manager (optional)

    Document: Document in the Standard Operating Procedures.

    1. Define software categories that will be used to build software standards.
    2. Include definitions of each category.
    3. Add examples of software to each category to begin building list of approved software titles for deployment.

    Use the following example as a guide.

    Category Definition Software titles
    Pre-approved/standard
    • Supported and approved for install for all end users
    • Included on most, if not all devices
    • Typically installed as a base image
    • Microsoft Office (Outlook, Word, Excel, PowerPoint)
    • Adobe Reader
    • Windows
    Approved by role
    • Supported and approved for install, but only for certain groups of end users
    • Popular titles with license numbers that need to be managed on a role-by-role basis
    • Pre-approved for purchase with business manager’s approval
    • Adobe Creative Cloud Suite
    • Adobe Acrobat Pro
    • Microsoft Visio
    Unapproved/requires review
    • Not previously approved or installed by IT
    • Special permission required for installation based on demonstrable business need
    • Managed on a case-by-case basis
    • Up to the discretion of the asset manager and other involved parties
    • Dynamics
    • Zoom Text
    • Adaptive Insights
    Unauthorized
    • Not to be installed under any circumstances
    • Privately owned software
    • Pirated copies of any software titles
    • Internet downloads

    Define the review and approval process for non-standard software

    Software requiring review will need to be managed on a case-by-case basis, with approval dependent on software evaluation and business need.

    The evaluation and approval process may require input from several parties, including business analysts, Security, technical team, Finance, Procurement, and the manager of the requestor’s department.

    A flowchart outlining the review and approval process for non-standard software. There are five levels, at the top is 'Business Analyst/Project Manager', then 'Security Team', 'Technical Team', 'Financial & Contract Review' and the bottom is 'Procurement'. It begins in 'Business Analyst/Project Manager' with 'Request for non-standard software', and if the approved product is available it moves to 'Evaluate tool for security, data, and privacy compliance' in 'Security Team'. If more evaluation is necessary it moves to 'Evaluate tool for infrastructure and integration requirements' in 'Technical Team', and then 'Evaluate terms and conditions' in 'Financial & Contract Review'. At any point in the evaluation process it can move back to the 'Business Analyst/Project Manager' level for 'Assemble requirements details', and finally down to the 'Procurement' level for 'Execute purchase'.

    Document the request and deployment process for non-standard software

    Associated Activity icon 2.2.5 Document process for non-standard software requests

    Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager

    Document: Document in the Standard Operating Procedures.

    Define the review and approval process for non-standard software requests.

    Use the workflow on the previous slide as a guide to map your own workflow process and document the steps in the Standard Operating Procedures.

    The following assessments may need to be included in the process:

    • Functionality and use requirements: May include suggestion back to the business before proceeding any further to see if similar, already approved software could be used in its place.
    • Technical specifications: Cloud, data center, hardware, backups, integrations (Active Directory, others), file, and program compatibility.
    • Security: Security team may need to assess to ensure nothing will install that will compromise data or systems security.
    • Privacy policy: Security and compliance team may need to evaluate the solution to ensure data will be secured and accessed only by authorized users.
    • Terms and conditions: The contracts team may evaluate terms and conditions to ensure contracts and end-user agreements do not violate existing standards.
    • Accessibility and compliance: Software may be required to meet accessibility requirements in accordance with company policies.

    BMW deployed a global data centralization program to achieve 100% license visibility

    Logo for BMW.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    BMW is a large German automotive manufacturer that employs over 100,000 people. It has over 7,000 software products deployed across 106,000 clients and servers in over 150 countries.

    When the global recession hit in 2008, the threat of costly audits increased, so BMW decided to boost its SAM program to cut licensing costs. It sought to centralize inventory data from operations across the globe.

    Solution

    A new SAM office was established in 2009 in Germany. The SAM team at BMW began by processing all the accumulated license and installation data from operations in Germany, Austria, and the UK. Within six months, the team had full visibility of all licenses and software assets.

    Compliance was also a priority. The team successfully identified where they could make substantial reductions in support and maintenance costs as well as remove surplus costs associated with duplicate licensing.

    Results

    BMW overcame a massive data centralization project to achieve 100% visibility of its global licensing estate, an incredible achievement given the scope of the operation.

    BMW experienced efficiency gains due to transparency and centralized management of licenses through the new SAM office.

    Additionally, internal investment in training and technical knowledge has helped BMW continuously improve the program. This has resulted in ongoing cost reductions for the manufacturer.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.5

    Sample of activity 2.1.5 'Build software procurement workflow for new contracts'. Build software procurement workflow for new contracts

    Use the sample workflow to document your own process for procurement of new software contracts.

    2.2.4

    Sample of activity 2.2.4 'Create a list of pre-approved, approved, and unapproved software titles'. Create a list of pre-approved, approved, and unapproved software titles

    Build definitions of software categories to inform software standards and brainstorm examples of each category.

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Procure, receive, and deploy

    Proposed Time to Completion (in weeks): 6
    Step 2.1: Request and procureStep 2.2: Receive and deploy
    Start with an analyst kick-off call:
    • Define standards for software requests
    • Build procurement policy
    • Define procurement processes
    Review findings with analyst:
    • Build processes for software receiving
    • Build processes for software requests and deployment
    • Define process for non-standard requests
    Then complete these activities…
    • Determine software standards
    • Define procurement policy
    • Identify authorization thresholds
    • Build procurement workflows for new contracts and renewals
    Then complete these activities…
    • Identify storage locations for software information
    • Design workflow for receiving software
    • Design workflow for software deployment
    • Create a list of approved and non-standard requests
    • Define process for non-standard requests
    With these tools & templates:
    • Standard Operating Procedures
    With these tools & templates:
    • Standard Operating Procedures

    Phase 3: Manage, Redeploy, and Retire

    Step 3.1 Manage and maintain software contracts

    Phase 3:
    Manage, Redeploy & Retire
    This step will walk you through the following activities:This step involves the following participants:

    3.1

    Manage & Maintain Software
    • 3.1.1 Define process for conducting software inventory
    • 3.1.2 Define policies for software maintenance and patches
    • 3.1.3 Document your patch management policy
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team
    • Release Manager (optional)
    • Security (optional)

    3.2

    Harvest, Redeploy, or Retire

    Step Outcomes

    • A process for conducting regular software inventory checks and analyzing the data to continually manage software assets and license compliance.
    • An understanding of software maintenance requirements
    • A policy for conducting regular software maintenance and patching
    • A documented patch management policy

    Manage your software licenses to decrease your risk of overspending

    Many organizations fail to track their software inventory effectively; the focus often remains on hardware due to its more tangible nature. However, annual software purchases often account for a higher IT spend than annual hardware purchases, so it’s important to track both.

    Benefits of managing software licenses

    • Better control of the IT footprint. Many companies already employ hardware asset management, but when they employ SAM, there is potential to save millions of dollars through optimal use of all technology assets.
    • Better purchasing decisions and negotiating leverage. Enhanced visibility into actual software needs means not only can companies procure and deploy the right increments of software in the right areas, but they can also do so more cost-effectively through tools such as volume purchase agreements or bundled services.
    • No refund policy combined with shelfware (software that sits unused “on the shelf”) is where software companies make their money.
    • Managing licenses will help prevent costly audit penalties. Special attention should be paid to software purchased from large vendors such as Microsoft, Oracle, Adobe, SAP, or IBM.

    Maintain a comprehensive, up-to-date software inventory to manage licenses effectively

    A clearly defined process for inventory management will reduce the risk of over buying licenses and falling out of compliance.

    • A detailed software inventory and tracking system should act as a single point of contact for all your license data.
    • Maintain a comprehensive inventory of installed software through complete and accurate records of all licenses, certifications, and software purchase transactions, storing these in a secure repository.
    • Periodically review installed software and accompanying licenses to ensure only legal and supported software is in use and to ensure ongoing compliance with the software management policy.

    Info-Tech Best Practice

    Have and maintain a list of supported software to guide what new software will be approved for purchase and what current software should be retained on the desktops, servers, and other processing devices.

    Conduct a baseline inventory of deployed software to know what you have

    You have to know what you have before you can manage it.

    A baseline inventory tells you exactly what software you have deployed and where it is being used. This can help to determine how to best optimize software and license usage.

    A software inventory will allow you to:

    • Identify all software residing on computers.
    • Compare existing software to the list of supported software.
    • Identify and delete illegal or unsupported software.
    • Identify and stop software use that violates license agreements, copyright law, or organizational policies.

    Two methods for conducting a software inventory:

    1. If you have several computers to analyze, use automated tools to conduct inventory for greater accuracy and efficiency. Software inventory or discovery tools scan installed software and generate inventory reports, while asset management tools will help you manage that data.
    2. Manual inventory may be possible if your organization has few computers.

    How to conduct a manual software inventory:

    1. Record serial number of device being analyzed.
    2. Record department and employee to whom the computer is assigned.
    3. Inspect contents of hard drive and/or server to identify software as well as hidden files and directories.
    4. Record licensing information for software found on workstation and server.
    5. Compare findings with list of supported software and licenses stored in repository.

    Keep the momentum going through regular inventory and licensing checks

    Take preventive action to avoid unauthorized software usage through regular software inventory and license management:

    • Regularly update the list of supported software and authorized use.
    • Monitor and optimize software license usage.
    • Continually communicate with and train employees around software needs and policies.
    • Maintain a regular inventory schedule to keep data up to date and remain compliant with licensing requirements – your specific schedule will depend on the size of the company and procurement schedule.
    • Conduct random spot inventories – even if you are using a tool, periodic spot checks should still be performed to ensure accuracy of inventory.
    • Periodically review software procurement records and ensure procurement process is being followed.
    • Continuously monitor software installations on networked computers through automated tools.
    • Ensure software licensing documentation and data is secure.

    Define process for conducting software inventory

    Associated Activity icon 3.1.1 Define process for regular software inventory

    Participants: IT Director, Asset Manager

    Document: Document in the Standard Operating Procedures.

    1. If a baseline software inventory has not been conducted, discuss and document a plan for completing the inventory.
      • Will the inventory be conducted manually or through automated tools?
      • If manually, what information will be collected and recorded? Which devices will be analyzed? Where will data be stored?
      • If automatically, which tools will be used? Will any additional information need to be collected? Who will have access to the inventory?
      • When will the inventory be conducted and by whom?
        • Monthly inventory may be required if there is a lot of change and movement, otherwise quarterly is usually sufficient.
    2. Document how inventory data will be analyzed.
      • How will data be compared against supported software?
      • How will software violations be addressed?
    3. Develop a plan for continual inventory spot checks and maintenance.
      • How often will inventory be conducted and/or analyzed?
      • How often will spot checks be performed?

    Don’t forget that software requires maintenance

    While maintenance efforts are typically focused around hardware, software maintenance – including upgrades and patches – must be built into the software asset management process to ensure software remains compliant with security and regulatory requirements.

    Software maintenance guidelines:

    • Maintenance agreements should be stored in the ITAM database.
    • Software should be kept as current as possible. It is recommended that software remain no more than two versions off.
    • Unsupported software should be uninstalled or upgraded as required.
    • Upgrades should be tested, especially for high-priority or critical applications or if integrated with other applications.
    • Change and release management best practices should be applied for all software upgrades and patches.
    • A process should be defined for how often patches will be applied to end-user devices.

    Integrate patch management with your SAM practice to improve security and reduce downtime

    The integration between patch management and asset management is incredibly valuable from a technology point of view. IT asset management (ITAM) tools create reports on the characteristics of deployed software. By combining these reports with a generalized software updater, you can automate most simple patches to save your team’s efforts for more-critical incidents. Usage reports can also help determine which applications should be reviewed and removed from the environment.

    • In recent years, patch management has grown in popularity due to widespread security threats, the resultant downtime, and expenses associated with them.
    • The main objective of patch management is to create a consistently configured environment that is secure against known vulnerabilities in operating systems and application software.

    Assessing new patches should include questions such as:

    • What’s the risk of releasing the patch? What is the criticality of the system? What end users will be affected?
    • How will we manage business disruption during an incident caused by a failed patch deployment?
    • In the event of service outage as a result of a failed patch deployment, how will we recover services effectively in business priority order?
    • What’s the risk of expediting the patch? Of not releasing the patch at all?

    Define policies for software maintenance and patches

    Associated Activity icon 3.1.2 Define software maintenance and patching policies

    Participants: IT Director, Asset Manager, Release Manager (optional), Security (optional)

    Document: Document in the Standard Operating Procedures.

    Software maintenance:

    Review the software maintenance guidelines in this section and in the SOP template. Discuss each policy and revise and document in accordance with your policies.

    Patch management:

    Discuss and document patch management policies:

    1. How often will end-user devices receive patches?
    2. How often will servers be patched?
    3. How will patches be prioritized? See example below.
      • Critical patches will be applied within two days of release, with testing prioritized to meet this schedule.
      • High-priority patches will be applied within 30 days of release, with testing scheduled to meet this requirement.
      • Normal-priority patches will be evaluated for appropriateness and will be installed as needed.

    Document your patch management policy

    Supporting Tool icon 3.1.3 Use the Patch Management Policy template to document your policy

    The patch management policy helps to ensure company computers are properly patched with the latest appropriate updates to reduce system vulnerability and to enhance repair application functionality. The policy aids in establishing procedures for the identification of vulnerabilities and potential areas of functionality enhancements, as well as the safe and timely installation of patches. The patch management policy is key to identifying and mitigating any system vulnerabilities and establishing standard patch management practices.

    Use Info-Tech’s Patch Management Policy template to get started.

    Sample of the 'Patch Management Policy' template.

    Step 3.2 Harvest, Redeploy, or Retire Software

    Phase 3:
    Manage, Redeploy & Retire
    This step will walk you through the following activities:This step involves the following participants:

    3.1

    Manage & Maintain Software
    • 3.2.1 Map your software license harvest and reallocation process
    • 3.2.2 Define the policy for retiring software
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    3.2

    Harvest, Redeploy, or Retire

    Step Outcomes

    • A defined process for harvesting and reallocating unused software licenses
    • A defined policy for how and when to retire unused or outdated software

    Harvest and reallocate software to optimize license usage

    Using a defined process for harvesting licenses will yield a crop of savings throughout the organization.

    Unused software licenses are present in nearly every organization and result in wasted resources and software spend. Recycling and reharvesting licenses is a critical process within software asset management to save your organization money.

    Licensing Recycling

    When computers are no longer in use and retired, the software licenses installed on the machines may be able to be reused.

    License recycling involves reusing these licenses on machines that are still in use or for new employees.

    License Harvesting

    License harvesting involves more actively identifying machines with licenses that are either not in use or under utilized, and recovering them to be used elsewhere, thus reducing overall software spend on new licenses.

    Use software monitoring data to identify licenses for reallocation in alignment with policies and agreements

    1. Monitor software usage
      Monitor and track software license usage to gain a clear picture of where and how existing software licenses are being used and identify any unused or underused licenses.
    2. Identify licenses for reharvesting
      Identify software licenses that can be reharvested and reallocated according to your policy.
    3. Uninstall software
      Notify user, schedule a removal time if approved, uninstall software, and confirm it has been removed.
    4. Reallocate license when needed

    Sources of surplus licenses for harvest:

    • Projects that required a license during a particular time period, but now do not require a license (i.e. the free version of the software will suffice)
    • Licenses assigned to users no longer with the organization
    • Software installed on decommissioned hardware
    • Installed software that hasn’t been used by the user in the last 90 days (or other defined period)
    • Over-purchased software due to poorly controlled software request, approval, or provisioning processes

    Info-Tech Insight

    Know the stipulations of your end-user license agreement (EULA) before harvesting and reallocating licenses. There may be restrictions on how often a license can be recycled in your agreement.

    Create a defined process for software license harvesting

    Define a standard reharvest timeline. For example, every 90 days, your SAM team can perform an internal audit using your SAM tool to gather data on software usage. If a user has not used a title in that time period, your team can remove that title from that user’s machine. Depending on the terms and conditions of the contract, the license can either be retired or harvested and reallocated.

    Ensure you have exception rules built in for software that’s cyclical in its usage. For example, Finance may only use tax software during tax season, so there’s no reason to lump it under the same process as other titles.

    It’s important to note that in addition to this process, you will need a software usage policy that supports your license harvest process.

    The value of license harvesting

    • Let’s say you paid for 1,000 licenses of a software title at a price of $200 per license.
    • Of this total, 950 have been deployed, and of that total, 800 are currently being used.
    • This means that 16% of deployed licenses are not in use – at a cost of $30,000.
    • With a defined license harvest process, this situation would have been prevented.

    Build a workflow to document the software harvest process

    Include the following in your process:

    • How will unused software be identified?
    • How often will usage reports be reviewed?
    • How will the user be notified of software to be removed?
    • How will the software be removed?
    A flowchart documenting the software harvest process. There are two levels, at the top is 'IT Asset Manager', and the bottom is 'Desktop Support Team'. It begins in 'IT Asset Manager' with 'Create/Review Usage Report', and if the client agrees to removal it moves to 'License deactivation required?' in 'Desktop Support Team'. Eventually you 'Close ticket' and it moves back up to 'Discovery tool will register change automatically' in 'IT Asset Manager'.

    Map your software license harvest and reallocation process

    Associated Activity icon 3.2.1 Build license harvest and reallocation workflow

    Participants: IT Director, Asset Manager, Service Desk Manager

    Document: Document in the Standard Operating Procedures.

    1. Outline each step in the process of software harvest and reallocation using notecards or a whiteboard. Be as granular as possible. On each card, describe the step and the individual responsible for each step.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, considering people, processes, and available technology.
    4. Use the sample workflow on the previous slide as a guide if needed.

    The same flowchart documenting the software harvest process from the previous section.

    Improve your software retirement process to drive savings for the whole business

    Business Drivers for Software Disposal

    • Cost Reduction
      • Application retirement allows the application and the supporting hardware stack to be decommissioned.
      • This eliminates recurring costs such as licensing, maintenance, and application administration costs, representing potentially significant savings
    • Consolidation
      • Many legacy applications are redundant systems. For example, many companies have ten or more legacy financial systems from mergers/acquisitions.
      • Systems can be siloed, running incompatible software. Moving data to a common accessible repository streamlines research, audits, and reporting.
    • Compliance
      • An increased focus on regulations places renewed emphasis on e-discovery policies. Keeping legacy applications active just to retain data is an expensive proposition.
      • During application retirement, data is classified, assigned retention policies, and disposed of according to data/governance initiatives.
    • Risk Mitigation
      • Relying on IT to manage legacy systems is problematic. The lack of IT staff familiar with the application increases the potential risk of delayed responses to audits and e-discovery.
      • Retiring application data to a common platform lets you leverage skills you have current investments in. This enables you to be responsive to audit or litigation results.

    Retire your outdated software to decrease IT spend on redundant applications

    Benefits of software retirement:

    1. Assists the service desk in not having to support every release, version, or edition of software that your company might have used in the past.
    2. Stay current with product releases so your company is better placed to take advantage of improvements built-in to such products, rather than being limited by the lack of a newly introduced function.
    3. Removing software that is no longer of commercial benefit can offer a residual value through assets.

    Consequences of continuing to support outdated software:

    • Budgets are tied up to support existing applications and infrastructure, which leaves little room to invest in new technologies that would otherwise help grow business.
    • Much of this software includes legacy systems that were acquired or replaced when new applications were deployed. The value of these outdated systems decreases with every passing year, yet organizations often continue to support these applications.
      • Fear of compliance and data access are the most common reasons.
    • Unfortunately, the cost of doing so can consume over 50% of an overall IT budget.

    The solution to this situation is to retire outdated software.

    “Time and time again, I keep hearing stories from schools on how IT budgets are constantly being squeezed, but when I dig a little deeper, little or no effort is being made on accounting for software that might be on the kit we are taking away.” (Phil Goldsmith, Managing Director – ScrumpyMacs)

    Define the policy for retiring software

    Associated Activity icon 3.2.2 Document process for software retirement

    Participants: IT Director, Asset Manager, Operations

    Document: Document in the Standard Operating Procedures.

    1. Discuss and document the process for retiring software that has been deemed redundant due to changing business needs or an improvement in competitive options.
    2. Consider the following:
      • What criteria will determine when software is suited for retirement?
      • The contract should always be reviewed before making a decision to ensure proper notice is given to the vendor.
      • Notice should be provided as soon as possible to ensure no additional billing arrives for renewals.
      • How will software be removed from all devices? How soon must the software be replaced, if applicable?
      • How long will records be archived in the ITAM database?
    3. Document decisions in the Standard Operating Procedures.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.2

    Sample of activity 3.1.2 'Define policies for software maintenance and patches'. Define policies for software maintenance and patches

    Discuss best practices and define policies for conducting regular software maintenance and patching.

    3.2.1

    Sample of activity 3.3.1 'Assess the maturity of audit management processes and policies'. Map your software license harvest and reallocation process

    Build a process workflow for harvesting and reallocating unused software licenses.

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Manage, redeploy, and retire

    Proposed Time to Completion (in weeks): 4
    Step 3.1: Manage and maintain softwareStep 3.2: Harvest, redeploy, or retire
    Start with an analyst kick-off call:
    • Define a process for conducting software inventory
    • Define a policy for software maintenance
    • Build a patch management policy
    Review findings with analyst:
    • Build a process for harvesting and reallocating software licenses
    • Define a software retirement policy
    Then complete these activities…
    • Define process for conducting software inventory
    • Define policies for software maintenance
    • Document patch management policy
    Then complete these activities…
    • Map software harvest and reallocation process
    • Define software retirement policy
    With these tools & templates:
    • Standard Operating Procedures
    • Patch Management Policy
    With these tools & templates:
    • Standard Operating Procedures

    Phase 4: Build Supporting Processes & Tools

    Visa used an internal SAM strategy to win the audit battle

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    The overarching goal of any SAM program is compliance to prevent costly audit fines. The SAM team at Visa was made up of many individuals who were former auditors.

    To deal with audit requests from vendors, “understand how auditors do things and understand their approach,” states Joe Birdsong, SAM Director at Visa.

    Vendors are always on the lookout for telltale signs of a lucrative audit. For Visa, the key was to understand these processes and learn how to prepare for them.

    Solution

    Vendors typically look for the following when evaluating an organization for audit:

    1. A recent decrease in customer spend
    2. How easy the licensed software is to audit
    3. Organizational health

    Ultimately, an audit is an attack on the relationship between the vendor and organization. According to Birdsong: “Maybe they haven’t really touched base with your teams and had good contact and relationship with them, and they don’t really know what’s going on in your enterprise.”

    Results

    By understanding the motivations behind potential audits, Visa was able to form a strategy to increase transparency with the vendor.

    Regular data collection, almost real-time reporting, and open, quick communication with the vendor surrounding audits made Visa a low-risk client for vendors.

    Buy-in from management is also important, and the creation of an official SAM strategy helps maintain support. Thanks to its proactive SAM program, Visa saved $200 million in just three years.

    Step 4.1 Ensure compliance for audits

    Phase 4:
    Build supporting processes & tools
    This step will walk you through the following activities:This step involves the following participants:

    4.1

    Compliance & audits
    • 4.1.1 Define and document the internal audit process
    • 4.1.2 Define and document the external audit process
    • 4.1.3 Prepare an audit scoping email template
    • 4.1.4 Prepare an audit launch email template
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    4.2

    Communicate & build roadmap

    Step Outcomes

    • An understanding of the audit process and importance of audit preparation
    • A defined process for conducting regular internal audits to prepare for and defend against external audits
    • A strategy and documented process for responding to external audit requests

    Take a lifecycle approach to your software compliance process

    Internal audits are an effective way for organizations to regularly assess their licensing position in preparation for an audit.

    1. Gather License Data
      Use your SAM tool to run a discovery check to determine the current state of your software estate.
    2. Improve Data Quality
      Scan the data for red flags. Improve its completeness, consistency, and quality.
    3. Identify Audit Risks
      Using corrected license data, examine your reports and identify areas of risk within the organization.
    4. Identify priority titles
      Determine which titles need attention first by using the output of the license rationalization step.
    5. Reconcile to eliminate gaps
      Ensure that the correct number of licenses are deployed for each title.
    6. Draft Vendor Response
      Prepare response to vendor for when an audit has been requested.

    Improve audit response maturity by leveraging technology and contract data

    By improving your software asset management program’s maturity, you will drive savings for the business that go beyond the negotiating table.

    Recognize the classic signs of each stage of audit response maturity to identify where your organization currently stands and where it can go.

    • Optimized: Automated tools generate compliance, usage, and savings reports. Product usage reports and alerts in place to harvest and reuse licenses. Detailed savings reports provided to executive team.
    • Proactive: Best practices enforced. Compliance positions are checked quarterly, and compliance reports are used to negotiate software contracts.
    • Reactive: Best practices identified but unused. Manual tools still primarily in use. Compliance reports are time-consuming and often inaccurate.
    • Chaotic: Purchases are ad hoc and transaction based. Minimal tracking in place, leading to time-consuming manual processes.

    Implement a proactive internal audit strategy to defend against external audits

    Audits – particularly those related to software – have been on the rise as vendors attempt to recapture revenue.

    Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.

    Conducting routine internal audits will help prepare your organization for the real deal and may even prevent the audit from happening altogether. Hundreds of thousands of dollars can be saved through a proactive audit strategy with routine documentation in place.

    In addition to the fines incurred from a failed audit, numerous other negative consequences can arise:

    • Multiple audits: Failing an audit makes the organization more likely to be audited again.
    • Poor perception of IT: Unless non-compliance was previously disclosed to the business, IT can be deemed responsible.
    • Punitive injunctions: If a settlement is not reached, vendors will apply for an injunction, inhibiting use of their software.
    • Inability to justify purchases: IT can have difficulty justifying the purchase of additional resources after a failed audit.
    • Disruption to business: Precious time and resources will be spent dealing with the results of the audit.

    Perform routine internal compliance reports to decrease audit risk

    The intent of an internal audit is to stop the battle from happening before it starts. Waiting for a knock at the door from a vendor can be stressful, and it can do harm beyond a costly fine.

    • Internal audits help to ensure you’re keeping track of any software changes to keep your data and licensing up to date and avoid costly surprises if an external audit is requested.
    • Identify areas where processes are breaking down and address them before there’s a potential negative impact.
    • Identify control points in processes ahead of time to more easily identify access points where information should be verified.

    “You want to get [the] environment to a level where you’re comfortable sharing information with [a] vendor. Inviting them in to have a chat and exposing numbers means there’s no relationship there where they’re coming to audit you. They only come to audit you when they know there’s a gain to be had, otherwise what’s the point of auditing?
    I want customers to get comfortable with licensing and what they’re spending, and then there’s no problem exposing that to vendors. Vendors actually appreciate that.”
    (Ben Brand, SAM Practice Manager, Insight)

    Info-Tech Insight

    “The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu

    Performing routine checks on your license compliance will drastically reduce the risk that your organization gets hit with a costly fine. Maintaining transparency and demonstrating compliance will fend off audit-hungry vendors.

    Define and document the internal audit process

    Associated Activity icon 4.1.1 Document process and procedures for internal audits

    Participants: CIO and/or IT Director, Asset Manager, IT Managers

    Document: Document in the Standard Operating Procedures.

    Define and document a process for conducting internal software audits.
    Include the following:

    1. How often will audits be completed for each software published?
    2. When will audits be conducted?
    3. Who will conduct the audit? Who will be consulted?
    4. What will be included in the scope of the audit?

    Example:

    • Annual audits will be completed for each software publisher, scheduled as part of the license or maintenance agreement renewals.
    • Where annual purchases are not required, vendor audits for compliance will be conducted annually, with a date predetermined based on minimizing scheduling conflicts with larger audits.
    • Audit will be completed with input from product managers.
    • Audit will include:
      • Software compliance review: Licenses owned compared to product installed.
      • Version review: Determine if installed versions match company standards. If there is a need for upgrades, does the license permit upgrading?
      • Maintenance review: Does the maintenance match requirements for the next year’s plans and licenses in use?
      • Support review: Is the support contract appropriate for use?
      • Budget: Has budget been allocated; is there an adjustment required due to increases?

    Identify organizational warning signs to decrease audit risk

    Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.

    Certain triggers exist that indicate a higher risk of an audit occurring. It is important to recognize these warning signs so you can prepare accordingly.

    Health of organization
    If your organization is putting out fires and a vendor can sense it, they’ll see an audit as a highly lucrative exercise.

    Decrease in customer spend
    A decrease in spend means that an organization has a high chance of being under-licensed.

    License complexity
    The more complex the license, the harder it is to remain in compliance. Some vendors are infamous for their complex licensing agreements.

    Audit Strategy

    • Audits should neither be feared nor embraced.
    • An audit is an attack on your relationship with your vendor; your vendor needs to defend its best interests, but it would also rather maintain a satisfied relationship with its client.
    • A proactive approach to audits through routine reporting and transparency with vendors will alleviate all fear surrounding the audit process. It provides your vendor with compliance assurance and communicates that an audit won’t net the vendor enough revenue to justify the effort.

    Focus on three key tactics for success before responding to an audit

    Taking these due diligence steps will pay dividends downstream, reducing the risk of negative results such as release of confidential information.

    Form an Audit Team

    • Once an audit letter is received from a vendor or third party, a virtual team needs to be formed.
    • The team should be cross-functional, representing various core areas of the business.
    • Don’t forget legal counsel: they will assist in the review of audit provision(s) to determine your contractual rights and obligations with respect to the audit.

    Sign an NDA

    • An NDA should be signed by all parties, the organization, the vendor, and the auditor.
    • Don’t wait on a vendor to provide its NDA. The organization should have its own and provide it to both parties.
    • If the auditor is a third party, negotiate a three-way NDA. This will prevent data being shared with other third parties.

    Examine Contract History

    • Vendors will attempt to alter terms of contracts when new products are purchased.
    • Maintain your current agreement if they are more favorable by “grandfathering” your original agreement.
    • Oracle master level agreements are an example: master level agreements offer more favorable terms than more recent versions.

    Info-Tech Insight

    Even if you cannot get a third-party NDA signed, the negotiation process should delay the overall audit process by at least a month, buying your organization valuable time to gather license data.

    Be prepared for external audit requests with a defined process for responding

    1. Vendor-initiated audit request received and brought to attention of IT Asset Manager and CIO.
    2. Acknowledge receipt of audit notice.
    3. Negotiate timing and scope of the audit (including software titles, geographic locations, entities, and completion date).
    4. Notify staff not to remove or acquire licenses for software under audit.
    5. Gather documentation and create report of all licensed software within audit scope.
      • Include original contract, most recent contract, and any addendums, purchase receipts, or reseller invoices, and publisher documentation such as manuals or electronic media.
    6. Compare documentation to installed software according to ITAM database.
    7. Validate any unusual or non-compliant software.
    8. Complete documentation requested by auditor and review results.

    Define and document the external audit process

    Associated Activity icon 4.1.2 Define external audit process

    Participants: CIO and/or IT Director, Asset Manager, IT Managers

    Document: Document in the Standard Operating Procedures.

    Define and document a process for responding to external software audit requests.
    Include the following:

    1. Who must be notified of the audit request when it is received?
    2. When must acknowledgement of the notice be sent and by whom?
    3. What must be defined under the scope of the audit (e.g. software titles, geographic locations, entities, completion date)?
    4. What communications must be sent to IT staff and end users to ensure compliance?
    5. What documentation should be gathered to review?
    6. How will documentation be verified against data?
    7. How will unusual or non-compliant software be identified and validated?
    8. Who needs to be informed of the results?

    Control audit scope with an audit response template

    Supporting Tool icon 4.1.3 Prepare an audit scoping email template

    Use the Software Audit Scoping Email Template to create an email directed at your external (or internal) auditors. Send the audit scoping email several weeks before an audit to determine the audit’s scope and objectives. The email should include:

    • Detailed questions about audit scope and objectives.
    • Critical background information on your organization/program.

    The email will help focus your preparation efforts and initiate your relationship with the auditors.

    Control scope by addressing the following:

    • Products covered by a properly executed agreement
    • Geographic regions
    • User groups
    • Time periods
    • Specific locations
    • A subset of users’ computers
    Sample of the 'Software Audit Scoping Email Template'.

    Keep leadership informed with an audit launch email

    Supporting Tool icon 4.1.4 Prepare an audit launch email template

    Approximately a week before the audit, you should email the internal leadership to communicate information about the start of the audit. Use the Software Audit Launch Email Template to create this email, including:

    • Staffing
    • Functional requirements
    • Audit contact person information
    • Scheduling details
    • Audit report estimated delivery time

    For more guidance on preparing for a software audit, see Info-Tech’s blueprint: Prepare and Defend Against a Software Audit.

    Sample of the 'Software Audit Launch Email Template'.

    A large bank employed proactive, internal audits to experience big savings

    Case Study

    Industry: Banking
    Source: Pomeroy

    Challenge

    A large American financial institution with 1,300 banking centers in 12 states, 28,000 end users, and 108,000 assets needed to improve its asset management program.

    The bank had employed numerous ITAM tools, but IT staff identified that its asset data was still fragmented. There was still incomplete insight into what assets the banked owned, the precise value of those assets, their location, and what they’re being used for.

    The bank decided to establish an asset management program that involved internal audits to gather more-complete data sets.

    Solution

    With the help of a vendor, the bank implemented cradle-to-grave asset tracking and lifecycle management, which provided discovery of almost $80 million in assets.

    The bank also assembled an ITAM team and a dedicated ITAM manager to ensure that routine internal audits were performed.

    The team was instrumental in establishing standardization of IT policies, hardware configuration, and service requirements.

    Results

    • The bank identified and now tracks over 108,000 assets.
    • The previous level of 80% accuracy in inventory tracking was raised to 96%.
    • Nearly $500,000 was saved through asset recovery and repurposing of 600 idle assets.
    • There are hundreds of thousands of dollars in estimated savings as the result of avoiding costly penalties from failed audits thanks to proactive internal audits.

    Step 4.2 Build communication plan and roadmap

    Phase 4:
    Build supporting processes & tools
    This step will walk you through the following activities:This step involves the following participants:

    4.1

    Compliance & audits
    • 4.2.1 Develop a communication plan to convey the right messages
    • 4.2.2 Anticipate end-user questions by preparing an FAQ list
    • 4.2.3 Build a software asset management policy
    • 4.2.4 Build additional SAM policies
    • 4.2.5 Develop a SAM roadmap to plan your implementation
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    4.2

    Communicate & build roadmap

    Step Outcomes

    • A documented communications plan for relevant stakeholders to understand the benefits and changes the SAM program will bring
    • A list of anticipated end-user questions with responses
    • Documented software asset management policies
    • An implementation roadmap

    Communicate SAM processes to gain acceptance and support

    Communication is crucial to the integration and overall implementation of your SAM program. If staff and users do not understand the purpose of processes and policies, they will fail to provide the desired value.

    An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Communicate the following:

    1. Advertise successes

      • Regularly demonstrate the value of the SAM program with descriptive statistics focused on key financial benefits.
      • Share data with the appropriate personnel; promote success to obtain further support from senior management.
    2. Report and share asset data

      • Sharing detailed asset-related reports frequently gives decision makers useful data to aid in their strategy.
      • These reports can help your organization prepare for audits, adjust budgeting, and detect unauthorized software.
    3. Communicate the value of SAM

      • Educate management and end users about how they fit into the bigger picture.
      • Individuals need to know which behaviors may put the organization at risk or adversely affect data quality.

    Educate staff and end users through SAM training to increase program success

    As part of your communication plan and overall SAM implementation, training should be provided to both staff and end users within the organization.

    • ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly.
    • All facets of the business, from management to new hires, should be provided with training to help them understand their role in the program’s success.
    • Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.
    • Even after the SAM program has been fully implemented, keep employees up to date with policies and processes through ongoing training sessions for both new hires and existing employees:
      • New hires: Provide new hires with all relevant SAM policies and ensure they understand the importance of software asset management.
      • Existing employees: Continually remind them of how SAM is involved in their daily operations and inform them of any changes to policies.

    Create your communications plan to anticipate challenges, remove obstacles, and ensure buy-in

    Provide separate communications to key stakeholder groups

    Why:
    • What problems are you trying to solve?
    What:
    • What processes will it affect (that will affect me)?
    Who:
    • Who will be affected?
    • Who do I go to if I have issues with the new process?
    Three circular arrows each linking t the next in a downward daisy chain. The type arrow has 'IT Staff' in the middle, the second 'Management', and the third 'End Users' When:
    • When will this be happening?
    • When will it affect me?
    How:
    • How will these changes manifest themselves?
    Goal:
    • What is the final goal?
    • How will it benefit me?

    Develop a communication plan to convey the right messages

    Associated Activity icon 4.2.1 Develop a communication plan to convey the right messages

    Participants: CIO, IT Director, Asset Manager, Service Desk Manager

    Document: Document in the SAM Communication Plan.

    1. Identify the groups that will be affected by the SAM program.
    2. For each group requiring a communication plan, identify the following:
    3. Benefits of SAM for that group of individuals (e.g. more efficient software requests).
    4. The impact the change will have on them (e.g. change in the way a certain process will work).
    5. Communication method (i.e. how you will communicate).
    6. Timeframe (i.e. when and how often you will communicate the changes).
    7. Complete this information in a table like the one below and document in the Communication Plan.
    Group Benefits Impact Method Timeline
    Executives
    • Improved audit compliance
    • Improved budgeting and forecasting
    • Review and sign off on policies
    End Users
    • Streamlined software request process
    • Follow software installation and security policies
    IT
    • Faster access to data and one source of truth
    • Modified processes
    • Ensure audits are completed regularly

    Anticipate end-user questions by preparing an FAQ list

    Associated Activity icon 4.2.2 Prepare an FAQ list

    Document: Document FAQ questions and answers in the SAM FAQ Template.

    ITAM imposes changes to end users throughout the business and it’s normal to expect questions about the new program. Prepare your team ahead of time by creating a list of FAQs.

    Some common questions include:

    • Why are you changing from the old processes?
    • Why now?
    • What are you going to ask me to do differently?
    • Will I lose any of my software?

    The benefits of preparing a list of answers to FAQs include:

    • A reduction in time spent creating answers to questions. If you focus on the most common questions, you will make efficient use of your team’s time.
    • Consistency in your team’s responses. By socializing the answers to FAQs, you ensure that no one on your team is out of the loop and the message remains consistent across the board.

    Include policy design and enforcement in your communication plan

    • Software asset management policies should define the actions to be taken to support software asset management processes and ensure the effective and efficient management of IT software assets across the asset lifecycle.
    • Implementing asset management policies enforces the notion that the organization takes its IT assets and the management of them seriously and will help ensure the benefits of SAM are achieved.
    • Designing, approving, documenting, and adopting one set of standard SAM policies for each department to follow will ensure the processes are enforced equally across the organization.

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.

    Build a software asset management policy

    Supporting Tool icon 4.2.3 Document a SAM policy

    Use Info-Tech’s Software Asset Management Policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's software asset management program.

    The template allows you to customize policy requirements for:

    • Procurement
    • Installation and Removal
    • Maintenance
    • Mergers and Acquisitions
    • Company Divestitures
    • Audits

    …as well as consequences for non-compliance.

    Sample of the 'Software Asset Management Policy' template.

    Use Info-Tech’s policy templates to build additional policies

    Supporting Tool icon 4.2.4 Build additional SAM policies

    Asset Security Policy
    The IT asset security policy will describe your organization's approach to ensuring the physical and digital security of your IT assets throughout their entire lifecycle.

    End-User Devices Acceptable Use Policy
    This policy should describe how business tools provided to employees are to be used in a responsible, ethical, and compliant manner, as well as the consequences of non-compliance.

    Purchasing Policy
    The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    Release Management Policy
    Use this policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's release management program.

    Internet Acceptable Use Policy
    Use this template to help keep the internet use policy up to date. This policy template includes descriptions of acceptable and unacceptable use, security provisions, and disclaimers on the right of the organization to monitor usage and liability.

    Samples of additional SAM policies, listed to the left.

    Implement SAM in a phased, constructive approach

    One of the most difficult decisions to make when implementing a SAM program is: “where do we start?”

    It’s not necessary to deploy a comprehensive SAM program to start. Build on the essentials to become more mature as you grow.

    SAM Program Maturity (highest to lowest)

    • Audits and reporting
      Gather and analyze data about software assets to ensure compliance for audits and to continually improve the business.
    • Contracts and budget
      Analyze contracts and licenses for software across the enterprise and optimize planning to enable cost reduction.
    • Lifecycle standardization
      Define standards and processes for all asset lifecycle phases from request and procurement through to retirement and redistribution.
    • Inventory and tracking
      Define assets you will procure, distribute, and track. Know what you have, where it is deployed, and keep track of contracts and all relevant data.

    Integrate your SAM program with the organization to assist its implementation

    SAM cannot perform on its own – it must be integrated with other functional areas of the organization to maintain its stability and support.

    • Effective SAM is supported by a comprehensive set of processes as part of its implementation.
    • For example, integration with the procurement team’s processes and tools is required to track software purchases to mitigate software license compliance risk.
    • Integration with Finance is required to support internal cost allocations and chargebacks.
    • Integration with the service desk is required to track and deploy software requests.

    Info-Tech Best Practice

    To integrate SAM effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” to demonstrate success to the business early and to gain buy-in from your team. Short-term gains should be designed to support long-term goals of your SAM program.

    Sample short-term goals
    • Identify inventory classification and tool
    • Create basic SAM policies and processes
    • Implement SAM auto-discovery tools
    Sample long-term goals
    • Software contract data integration
    • Continual improvement through review and revision
    • Software compliance reports, internal audits

    Develop a SAM roadmap to plan your implementation

    Associated Activity icon 4.2.5 Build a project roadmap
    1. Identify and review all initiatives that will be taken to implement or improve the software asset management program. These may fall under people, process, or technology-related tasks.
    2. Assign a priority level to each task (Quick Win, Low, Medium, High).
    3. Use the priority to sort tasks into start dates, breaking down by:
      1. Short, medium, or long-term
      2. 1 month, 3 months, 6 months, 12+ months
      3. Q1, Q2, Q3, Q4
    4. Review tasks and adjust start dates for some, if needed to set realistic and achievable timelines.
    5. Transfer tasks to a project plan or Gantt chart to formalize.
    Examples:
    Q1 Q2 Q3 Q4
    • Hire software asset manager
    • Document SOP
    • Define policies
    • Select a SAM tool
    • Create list of approved services and software
    • Define metrics
    • Inventory existing software and contracts
    • Build a patch policy
    • Build a service catalog
    • Contract renewal alignment
    • Run internal audit
    • Security review

    Review and maintain the SAM program to reach optimal maturity

    • SAM is a dynamic process. It must adapt to keep pace with the direction of the organization. New applications, different licensing needs, and a constant stream of new end users all contribute to complicating the licensing process.
    • As part of your organization’s journey to an optimized SAM program, put in place continual improvement practices to maintain momentum.

    A suggested cycle of review and maintenance for your SAM: 'Plan', 'Do', 'Check', 'Act'.

    Info-Tech Insight

    Advertising the increased revenue that is gained from good SAM practices is a powerful way to gain project buy-in.

    Keep the momentum going:

    • Clearly define ongoing responsibilities for each role.
    • Develop a training and awareness program for new employees to be introduced to SAM processes and policies.
    • Continually review and revise existing processes as necessary.
    • Measure the success of the program to identify areas for improvement and demonstrate successes.
    • Measure adherence to process and policies and enforce as needed.

    Reflect on the outcomes of implementing SAM to target areas for improvement and share knowledge gained within and beyond the SAM team. Some questions to consider include:

    1. How did the data compare to our expectations? Was the project a success?
    2. What obstacles were present that impacted the project?
    3. How can we apply lessons learned through this project to others in the future?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.2.1

    Sample of activity 4.2.1 'Develop a communication plan to convey the right messages'. Develop a communication plan to convey the right messages

    Identify stakeholders requiring communication and formulate a message and delivery method for each.

    4.2.5

    Sample of activity 4.2.5 'Develop a SAM roadmap to plan your implementation'. Develop a SAM roadmap to plan your implementation

    Outline the tasks necessary for the implementation of this project and prioritize to build a project roadmap.

    Phase 4 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build supporting processes & tools

    Proposed Time to Completion (in weeks): 4
    Step 4.1: Compliance & audits Step 4.2: Communicate & build roadmap
    Start with an analyst kick-off call:
    • Discuss audit process
    • Define a process for internal audits
    • Define a process for external audit response
    Review findings with analyst:
    • Build communication plan
    • Discuss policy needs
    • Build a roadmap
    Then complete these activities…
    • Document internal audit process
    • Document external audit process
    • Prepare audit templates
    Then complete these activities…
    • Develop communication plan
    • Prepare an FAQ list for end users
    • Build SAM policies
    • Develop a roadmap
    With these tools & templates:
    • Standard Operating Procedures
    • Software Audit Scoping Email Template
    • Software Audit Launch Email Template
    With these tools & templates:
    • SAM Communication Plan
    • Software Asset Management FAQ Template
    • Software Asset Management Policy
    • Additional Policy Templates

    Bibliography

    2013 Software Audit Industry Report.” Express Metrix, 2013. Web.

    7 Vital Trends Disrupting Today’s Workplace: Results and Data from 2013 TINYpulse Employee Engagement Survey.” TINYpulse, 2013. Web.

    Beaupoil, Christof. “How to measure data quality and protect against software audits.” Network World, 6 June 2011.

    Begg, Daniel. “Effective Licence Position (ELP) – What is it really worth?” LinkedIn, 19 January 2016.

    Boehler, Bernhard. “Advanced License Optimization: Go Beyond Compliance for Maximum Cost Savings.” The ITAM Review, 24 November 2014.

    Bruce, Warren. “SAM Baseline – process & best practice.” Microsoft. 2013 Australia Partner Conference.

    Case Study Top 20 U.S. Bank Tackles Asset Management.” Pomeroy, 2012. Web.

    Cherwell Software Software Audit Industry Report.” Cherwell Software, 2015. Web.

    Conrad, Sandi. “SAM starter kit: everything you need to get started with software asset management. Conrad & Associates, 2010.

    Corstens, Jan, and Diederik Van der Sijpe. “Contract risk & compliance software asset management (SAM).” Deloitte, 2012.

    Deas, A., T. Markowitzm and E. Black. “Software asset management: high risk, high reward.” Deloitte, 2014.

    Doig, Chris. “Why you should always estimate ROI before buying enterprise software” CIO, 13 August 2015.

    Fried, Chuck. “America Needs An Education On Software Asset Management (SAM).” LinkedIn. 16 June 2015.

    Lyons, Gwen. “Understanding the Drivers Behind Application Rationalization Critical to Success.” Flexera Software Blog, 31 October 2012.

    Bibliography

    Metrics to Measure SAM Success: eight ways to prove your SAM program is delivering business benefits.” Snow Software White Paper, 2015.

    Microsoft. “The SAM Optimization Model.” Microsoft Corporation White Paper, 2010.

    Miller, D. and M. Oliver. “Engaging Stakeholders for Project Success.” Project Management Institute White Paper, 2015.

    Morrison, Dan. “5 Common Misconceptions of Software Asset Management.” SoftwareOne. 12 May 2015.

    O’Neill, Leslie T. “Visa Case Study: SAM in the 21st Century.” International Business Software Managers Association (IBSMA), 30 July 2014.

    Reducing Hidden Operating Costs Through IT Asset Discovery.” NetSupport Inc., 2011.

    SAM Summit 2014, 23-25 June 2014, University of Chicago Gleacher Center Conference Facilities, Chicago, MI.

    Saxby, Heather. “20 Things Every CIO Needs to Know about Software Asset Management.” Crayon Software Experts, 13 May 2015.

    The 2016 State of IT: Managing the money monsters for the coming year.” Spiceworks, 2016.

    The Hidden Cost of Unused Software.” A 1E Report, 1E.com: 2014. Web.

    What does it take to achieve software license optimization?” Flexera White Paper, 2013.

    Research contributors and experts

    Photo of Michael Dean, Director, User Support Services, Des Moines University Michael Dean
    Director, User Support Services
    Des Moines University
    Simon Leuty
    Co-Founder
    Livingstone Tech
    Photo of Simon Leuty, Co-Founder, Livingstone Tech
    Photo of Clare Walsh, PR Consultant, Adesso Tech Ltd. Clare Walsh
    PR Consultant
    Adesso Tech Ltd.
    Alex Monaghan
    Director, Presales EMEA
    Product Support Solutions
    Photo of Alex Monaghan, Director, Presales EMEA, Product Support Solutions

    Research contributors and experts

    Photo of Ben Brand, SAM Practice Manager, Insight Ben Brand
    SAM Practice Manager
    Insight
    Michael Swanson
    President
    ISAM
    Photo of Michael Swanson, President, ISAM
    Photo of Bruce Aboudara, SVP, Marketing & Business Development, Scalable Software Bruce Aboudara
    SVP, Marketing & Business Development
    Scalable Software
    Will Degener
    Senior Solutions Consultant
    Scalable Software
    Photo of Will Degener, Senior Solutions Consultant, Scalable Software

    Research contributors and experts

    Photo of Peter Gregorowicz, Associate Director, Network & Client Services, Vancouver Community College Peter Gregorowicz
    Associate Director, Network & Client Services
    Vancouver Community College
    Peter Schnitzler
    Operations Team Lead
    Toyota Canada
    Photo of Peter Schnitzler, Operations Team Lead, Toyota Canada
    Photo of David Maughan, Head of Service Transition, Mott MacDonald Ltd. David Maughan
    Head of Service Transition
    Mott MacDonald Ltd.
    Brian Bernard
    Infrastructure & Operations Manager
    Lee County Clerk of Court
    Photo of Brian Bernard, Infrastructure & Operations Manager, Lee County Clerk of Court

    Research contributors and experts

    Photo of Leticia Sobrado, IT Data Governance & Compliance Manager, Intercept Pharmaceuticals Leticia Sobrado
    IT Data Governance & Compliance Manager
    Intercept Pharmaceuticals

    Tactics to Retain IT Talent

    • Buy Link or Shortcode: {j2store}549|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • Regrettable turnover is impacting organizational productivity and leading to significant costs associated with employee departures and the recruitment required to replace them.
    • Many organizations focus on increasing engagement to improve retention, but this approach doesn’t address the entire problem.

    Our Advice

    Critical Insight

    • Engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers.

    Impact and Result

    • Build the case for creating retention plans by leveraging employee data and feedback to identify the key reasons for turnover that need to be addressed.
    • Target employee segments and work with management to develop solutions to retain top talent.

    Tactics to Retain IT Talent Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Tactics to Retain IT Talent Storyboard – Use this storyboard to develop a targeted talent retention plan to retain top and core talent in the organization.

    Integrate data from exit surveys and interviews, engagement surveys, and stay interviews to understand the most commonly cited reasons for employee departure in order to select and prioritize tactics that improve retention. This blueprint will help you identify reasons for regrettable turnover, select solutions, and create an action plan.

    • Tactics to Retain IT Talent Storyboard

    2. Retention Plan Workbook – Capture key information in one place as you work through the process to assess and prioritize solutions.

    Use this tool to document and analyze turnover data to find suitable retention solutions.

    • Retention Plan Workbook

    3. Stay Interview Guide – Managers will use this guide to conduct regular stay interviews with employees to anticipate and address turnover triggers.

    The Stay Interview Guide helps managers conduct interviews with current employees, enabling the manager to understand the employee's current engagement level, satisfaction with current role and responsibilities, suggestions for potential improvements, and intent to stay with the organization.

    • Stay Interview Guide

    4. IT Retention Solutions Catalog – Use this catalog to select and prioritize retention solutions across the employee lifecycle.

    Review best-practice solutions to identify those that are most suitable to your organizational culture and employee needs. Use the IT Retention Solutions Catalog to explore a variety of methods to improve retention, understand their use cases, and determine stakeholder responsibilities.

    • IT Retention Solutions Catalog
    [infographic]

    Workshop: Tactics to Retain IT Talent

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Reasons for Regrettable Turnover

    The Purpose

    Identify the main drivers of turnover at the organization.

    Key Benefits Achieved

    Find out what to explore during focus groups.

    Activities

    1.1 Review data to determine why employees join, stay, and leave.

    1.2 Identify common themes.

    1.3 Prepare for focus groups.

    Outputs

    List of common themes/pain points recorded in the Retention Plan Workbook.

    2 Conduct Focus Groups

    The Purpose

    Conduct focus groups to explore retention drivers.

    Key Benefits Achieved

    Explore identified themes.

    Activities

    2.1 Conduct four 1-hour focus groups with the employee segment(s) identified in the pre-workshop activities.

    2.2 Info-Tech facilitators independently analyze results of focus groups and group results by theme.

    Outputs

    Focus group feedback.

    Focus group feedback analyzed and organized by themes.

    3 Identify Needs and Retention Initiatives

    The Purpose

    Home in on employee needs that are a priority.

    Key Benefits Achieved

    A list of initiatives to address the identified needs

    Activities

    3.1 Create an empathy map to identify needs.

    3.2 Shortlist retention initiatives.

    Outputs

    Employee needs and shortlist of initiatives to address them.

    4 Prepare to Communicate and Launch

    The Purpose

    Prepare to launch your retention initiatives.

    Key Benefits Achieved

    A clear action plan for implementing your retention initiatives.

    Activities

    4.1 Select retention initiatives.

    4.2 Determine goals and metrics.

    4.3 Plan stakeholder communication.

    4.4 Build a high-level action plan.

    Outputs

    Finalized list of retention initiatives.

    Goals and associated metrics recorded in the Retention Plan Workbook.

    Further reading

    Tactics to Retain IT Talent

    Keep talent from walking out the door by discovering and addressing moments that matter and turnover triggers.

    Executive Summary

    Your Challenge

    Many organizations are facing an increase in voluntary turnover as low unemployment, a lack of skilled labor, and a rise in the number of vacant roles have given employees more employment choices.

    Common Obstacles

    Regrettable turnover is impacting organizational productivity and leading to significant costs associated with employee departures and the recruitment required to replace them.

    Many organizations tackle retention from an engagement perspective: Increase engagement to improve retention. This approach doesn't consider the whole problem.

    Info-Tech's Approach

    Build the case for creating retention plans by leveraging employee data and feedback to identify the key reasons for turnover that need to be addressed.

    Target employee segments and work with management to develop solutions to retain top talent.

    Info-Tech Insight

    Engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers.

    This research addresses regrettable turnover

    This is an image of a flow chart with three levels. The top level has only one box, labeled Turnover.  the Second level has 2 boxes, labeled Voluntary, and Involuntary.  The third level has two boxes under Voluntary, labeled Non-regrettable: The loss of employees that the organization did not wish to keep, e.g. low performers, and Regrettable:  The loss of employees that the organization wishes it could have kept.

    Low unemployment and rising voluntary turnover makes it critical to focus on retention

    As the economy continues to recover from the pandemic, unemployment continues to trend downward even with a looming recession. This leaves more job openings vacant, making it easier for employees to job hop.

    This image contains a graph of the US Employment rate between 2020 - 2022 from the US Bureau of Economic Analysis and Bureau of Labor Statistics (BLS), 2022, the percentage of individuals who change jobs every one to five years from 2022 Job Seeker Nation Study, Jobvite, 2022, and voluntary turnover rates from BLS, 2022

    With more employees voluntarily choosing to leave jobs, it is more important than ever for organizations to identify key employees they want to retain and put plans in place to keep them.

    Retention is a challenge for many organizations

    The number of HR professionals citing retention/turnover as a top workforce management challenge is increasing, and it is now the second highest recruiting priority ("2020 Recruiter Nation Survey," Jobvite, 2020).

    65% of employees believe they can find a better position elsewhere (Legaljobs, 2021). This is a challenge for organizations in that they need to find ways to ensure employees want to stay at the organization or they will lose them, which results in high turnover costs.

    Executives and IT are making retention and turnover – two sides of the same coin – a priority because they cost organizations money.

    • 87% of HR professionals cited retention/turnover as a critical and high priority for the next few years (TINYpulse, 2020).
    • $630B The cost of voluntary turnover in the US (Work Institute, 2020).
    • 66% of organizations consider employee retention to be important or very important to an organization (PayScale, 2019).

    Improving retention leads to broad-reaching organizational benefits

    Cost savings: the price of turnover as a percentage of salary

    • 33% Improving retention can result in significant cost savings. A recent study found turnover costs, on average, to be around a third of an employee's annual salary (SHRM, 2019).
    • 37.9% of employees leave their organization within the first year. Employees who leave within the first 90 days of being hired offer very little or no return on the investment made to hire them (Work Institute, 2020).

    Improved performance

    Employees with longer tenure have an increased understanding of an organization's policies and processes, which leads to increased productivity (Indeed, 2021).

    Prevents a ripple effect

    Turnover often ripples across a team or department, with employees following each other out of the organization (Mereo). Retaining even one individual can often have an impact across the organization.

    Transfer of knowledge

    Retaining key individuals allows them to pass it on to other employees through communities of practice, mentoring, or other knowledge-sharing activities.

    Info-Tech Insight

    Improving retention goes beyond cost savings: Employees who agree with the statement "I expect to be at this organization a year from now" are 71% more likely to put in extra hours and 32% more likely to accomplish more than what is expected of their role (McLean & Company Engagement Survey, 2021; N=77,170 and 97,326 respectively).

    However, the traditional engagement-focused approach to retention is not enough

    Employee engagement is a strong driver of retention, with only 25% of disengaged employees expecting to be at their organization a year from now compared to 92% of engaged employees (McLean & Company Engagement Survey, 2018-2021; N=117,307).

    Average employee Net Promoter Score (eNPS)

    This image contains a graph of the Average employee Net Promoter Score (eNPS)

    Individual employee Net Promoter Scores (eNPS)

    This image contains a graph of the Individual employee Net Promoter Scores (eNPS)

    However, engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave.

    This analysis of McLean & Company's engagement survey results shows that while an organization's average employee net promoter score (eNPS) stays relatively static, at an individual level there is a huge amount of volatility.

    This demonstrates the need for an approach that is more capable of responding to or identifying employees' in-the-moment needs, which an annual engagement survey doesn't support.

    Turnover triggers and moments that matter also have an impact on retention

    Retention needs to be monitored throughout the employee lifecycle. To address the variety of issues that can appear, consider three main paths to turnover:

    1. Employee engagement – areas of low engagement.
    2. Turnover triggers that can quickly lead to departures.
    3. Moments that matter in the employee experience (EX).

    Employee engagement

    Engagement drivers are strong predictors of turnover.

    Employees who are highly engaged are 3.6x more likely to believe they will be with the organization 12 months from now than disengaged employees (McLean & Company Engagement Survey, 2018-2021; N=117,307).

    Turnover triggers

    Turnover triggers are events that act as shocks or catalysts that quickly lead to an employee's departure.

    Turnover triggers are a cause for voluntary turnover more often than accumulated issues (Lee et al.).

    Moments that matter

    Employee experience is the employee's perception of the accumulation of moments that matter within their employee lifecycle.

    Retention rates increase from 21% to 44% when employees have positive experiences in the following categories: belonging, purpose, achievement, happiness, and vigor at work. (Workhuman, 2020).

    While managers do not directly impact turnover, they do influence the three main paths to turnover

    Research shows managers do not appear as one of the common reasons for employee turnover.

    Top five most common reasons employees leave an organization (McLean & Company, Exit Survey, 2018-2021; N=107 to 141 companies,14,870 to 19,431 responses).

    Turnover factorsRank
    Opportunities for career advancement1
    Satisfaction with my role and responsibilities2
    Base pay3
    Opportunities for career-related skill development4
    The degree to which my skills were used in my job5

    However, managers can still have a huge impact on the turnover of their team through each of the three main paths to turnover:

    Employee engagement

    Employees who believe their managers care about them as a person are 3.3x more likely to be engaged than those who do not (McLean & Company, 2021; N=105,186).

    Turnover triggers

    Managers who are involved with and aware of their staff can serve as an early warning system for triggers that lead to turnover too quickly to detect with data.

    Moments that matter

    Managers have a direct connection with each individual and can tailor the employee experience to meet the needs of the individuals who report to them.

    Gallup has found that 52% of exiting employees say their manager could have done something to prevent them from leaving (Gallup, 2019). Do not discount the power of managers in anticipating and preventing regrettable turnover.

    Addressing engagement, turnover triggers, and moments that matter is the key to retention

    This is an image of a flow chart with four levels. The top level has only one box, labeled Turnover.  the Second level has 2 boxes, labeled Voluntary, and Involuntary.  The third level has two boxes under Voluntary, labeled Non-regrettable, and Regrettable.  The fourth level has three boxes under Regrettable, labeled Employee Engagement, Turnover triggers, and Moments that matter

    Info-Tech Insight

    HR traditionally seeks to examine engagement levels when faced with retention challenges, but engagement is only a part of the full picture. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers.

    Follow Info-Tech's two-step process to create a retention plan

    1. Identify Reasons for Regrettable Turnover

    2. Select Solutions and Create an Action Plan

    Step 1

    Identify Reasons for Regrettable Turnover

    After completing this step you will have:

    • Analyzed and documented why employees join, stay, and leave your organization.
    • Identified common themes and employee needs.
    • Conducted employee focus groups and prioritized employee needs.

    Step 1 focuses on analyzing existing data and validating it through focus groups

    Employee engagement

    Employee engagement and moments that matter are easily tracked by data. Validating employee feedback data by speaking and empathizing with employees helps to uncover moments that matter. This step focuses on analyzing existing data and validating it through focus groups.

    Engagement drivers such as compensation or working environment are strong predictors of turnover.
    Moments that matter
    Employee experience (EX) is the employee's perception of the accumulation of moments that matter with the organization.
    Turnover triggers
    Turnover triggers are events that act as shocks or catalysts that quickly lead to an employee's departure.

    Turnover triggers

    This step will not touch on turnover triggers. Instead, they will be discussed in step 2 in the context of the role of the manager in improving retention.

    Turnover triggers are events that act as shocks or catalysts that quickly lead to an employee's departure.

    Info-Tech Insight

    IT managers often have insights into where and why retention is an issue through their day-to-day work. Gathering detailed quantitative and qualitative data provides credibility to these insights and is key to building a business case for action. Keep an open mind and allow the data to inform your gut feeling, not the other way around.

    Gather data to better understand why employees join, stay, and leave

    Start to gather and examine additional data to accurately identify the reason(s) for high turnover. Begin to uncover the story behind why these employees join, stay, and leave your organization through themes and trends that emerge.

    Look for these icons throughout step 2.

    Join

    Why do candidates join your organization?

    Stay

    Why do employees stay with your organization?

    Leave

    Why do employees leave your organization?

    For more information on analysis, visualization, and storytelling with data, see Info-Tech's Start Making Data-Driven People Decisions blueprint.

    Employee feedback data to look at includes:

    Gather insights through:

    • Focus groups
    • Verbatim comments
    • Exit interviews
    • Using the employee value proposition (EVP) as a filter (does it resonate with the lived experience of employees?)

    Prepare to draw themes and trends from employee data throughout step 1.

    Uncover employee needs and reasons for turnover by analyzing employee feedback data.

    • Look for trends (e.g. new hires join for career opportunities and leave for the same reason, or most departments have strong work-life balance scores in engagement data).
    • Review if there are recurring issues being raised that may impact turnover.
    • Group feedback to highlight themes (e.g. lack of understanding of EVP).
    • Identify which key employee needs merit further investigation or information.

    This is an image showing how you can draw out themes and trends using employee data throughout step 1.

    Classify where key employee needs fall within the employee lifecycle diagram in tab 2 of the Retention Plan Workbook. This will be used in step 2 to pinpoint and prioritize solutions.

    Info-Tech Insight

    The employee lifecycle is a valuable way to analyze and organize engagement pain points, moments that matter, and turnover triggers. It ensures that you consider the entirety of an employee's tenure and the different factors that lead to turnover.

    Examine new hire data and begin to document emerging themes

    Join

    While conducting a high-level analysis of new hire data, look for these three key themes impacting retention:

    Issues or pain points that occurred during the hiring process.

    Reasons why employees joined your organization.

    The experience of their first 90 days. This can include their satisfaction with the onboarding process and their overall experience with the organization.

    Themes will help to identify areas of strength and weakness organization-wide and within key segments. Document in tab 3 of the Retention Plan Workbook.

    1. Start by isolating the top reasons employees joined your organization. Ask:
      • Do the reasons align with the benefits you associate with working at your organization?
      • How might this impact your EVP?
      • If you use a new hire survey, look at the results for the following questions:
      • For which of the following reasons did you apply to this organization?
      • For what reasons did you accept the job offer with this organization?
    2. then, examine other potential problem areas that may not be covered by your new hire survey, such as onboarding or the candidate experience during the hiring process.
      • If you conduct a new hire survey, look at the results in the following sections:
        • Candidate Experience
        • Acclimatization
        • Training and Development
        • Defining Performance Expectations

      Analyze engagement data to identify areas of strength that drive retention

      Employees who are engaged are 3.6x more likely to believe they will be with the organization 12 months from now (McLean & Company Engagement Survey, 2018-2021; N=117,307). Given the strength of this relationship, it is essential to identify areas of strength to maintain and leverage.

      1. Look at the highest-performing drivers in your organization's employee engagement survey and drivers that fall into the "leverage" and "maintain" quadrants of the priority matrix.
        • These drivers provide insight into what prompts broader groups of employees to stay.

      This is an image of a quadrant analysis, with the following quadrants in order from left to right, top to bottom.  Improve; Leverage; Evaluate; Maintain.

      1. Look into what efforts have been made to maintain programs, policies, and practices related to these drivers and ensure they are consistent across the entire organization.
      2. Document trends and themes related to engagement strengths in tab 2 of the Retention Plan Workbook.

      If you use Info-Tech's Engagement Survey, look in detail at what are classified as "Retention Drivers": total compensation, working environment, and work-life balance.

      Identify areas of weakness that drive turnover in your engagement data

      1. Look at the lowest-performing drivers in your organization's employee engagement survey and drivers that fall into the "improve" and "evaluate" quadrants of the priority matrix.
        • These drivers provide insight into what pushes employees to leave the organization.
      2. Delve into organizational efforts that have been made to address issues with the programs, policies, and practices related to these drivers. Are there any projects underway to improve them? What are the barriers preventing improvements?
      3. Document trends and themes related to engagement weaknesses in tab 2 of the Retention Plan Workbook.

      If you use a product other than Info-Tech's Engagement Survey, your results will look different. The key is to look at areas of weakness that emerge from the data.

      This is an image of a quadrant analysis, with the following quadrants in order from left to right, top to bottom.  Improve; Leverage; Evaluate; Maintain.

      If you use Info-Tech's Engagement Survey, look in detail at what are classified as "Retention Drivers": total compensation, working environment, and work-life balance.

      Mine exit surveys to develop an integrated, holistic understanding of why employees leave

      Conduct a high-level analysis of the data from your employee exit diagnostic. While analyzing this data, consider the following:

      • What are the trends and quantitative data about why employees leave your organization that may illuminate employee needs or issues at specific points throughout the employee lifecycle?
      • What are insights around your key segments? Data on key segments is easily sliced from exit survey results and can be used as a starting point for digging deeper into retention issues for specific groups.
      • Exit surveys are an excellent starting point. However, it is valuable to validate the data gathered from an exit survey using exit interviews.
      1. Isolate results for key segments of employees to target with retention initiatives (e.g. by age group or by department).
      2. Identify data trends or patterns over time; for example, that compensation factors have been increasing in importance.
      3. Document trends and themes taken from the exit survey results in tab 2 of the Retention Plan Workbook.

      If your organization conducts exit interviews, analyze the results alongside or in lieu of exit survey data.

      Compare new hire data with exit data to identify patterns and insights

      Determine if new hire expectations weren't met, prompting employees to leave your organization, to help identify where in the employee lifecycle issues driving turnover may be occurring.

      1. Look at your new hire data for the top reasons employees joined your organization.
        • McLean & Company's New Hire Survey database shows that the top three reasons candidates accept job offers on average are:
          1. Career opportunities
          2. Nature of the job
          3. Development opportunities
      2. Next, look at your exit data and the top reasons employees left your organization.
        1. McLean & Company's Exit Survey database shows that the top three reasons employees leave on average are:
          1. Opportunities for career advancement
          2. Base pay
          3. Satisfaction with my role and responsibilities
      3. Examine the results and ask:
        • Is there a link between why employees join and leave the organization?
        • Did they cite the same reasons for joining and for leaving?
        • What do the results say about what your employees do and do not value about working at your organization?
      4. Document the resulting insights in tab 2 of the Retention Plan Workbook.

      Example:

      A result where employees are leaving for the same reason they're joining the organization could signal a disconnect between your organization's employee value proposition and the lived experience.

      Revisit your employee value proposition to uncover misalignment

      Your employee value proposition (EVP), formal or informal, communicates the value your organization can offer to prospective employees.

      If your EVP is mismatched with the lived experience of your employees, new hires will be in for a surprise when they start their new job and find out it isn't what they were expecting.

      Forty-six percent of respondents who left a job within 90 days of starting cited a mismatch of expectations about their role ("Job Seeker Nation Study 2020," Jobvite, 2020).

      1. Use the EVP as a filter through which you look at all your employee feedback data. It will help identify misalignment between the promised and the lived experience.
      2. If you have EVP documentation, start there. If not, go to your careers page and put yourself in the shoes of a candidate. Ask what the four elements of an EVP look like for candidates:
        • Compensation and benefits
        • Day-to-day job elements
        • Working conditions
        • Organizational elements
      3. Next, compare this to your own day-to-day experiences. Does it differ drastically? Are there any contradictions with the lived experience at your organization? Are there misleading statements or promises?
      4. Document any insights or patterns you uncover in tab 2 of the Retention Plan Workbook.

      Conduct focus groups to examine themes

      Through focus groups, explore the themes you have uncovered with employees to discover employee needs that are not being met. Addressing these employee needs will be a key aspect of your retention plan.

      Identify employee groups who will participate in focus groups:

      • Incorporate diverse perspectives (e.g. employees, managers, supervisors).
      • Include employees from departments and demographics with strong and weak engagement for a full picture of how engagement impacts your employees.
      • Invite boomerang employees to learn why an individual might return to your organization after leaving.

      image contains two screenshots Mclean & Company's Standard Focus Group Guide.

      Customize Info-Tech's Standard Focus Group Guide based on the themes you have identified in tab 3 of the Retention Plan Workbook.

      The goal of the focus group is to learn from employees and use this information to design or modify a process, system, or other solution that impacts retention.

      Focus questions on the employees' personal experience from their perspective.

      Key things to remember:

      • It is vital for facilitators to be objective.
      • Keep an open mind; no feelings are wrong.
      • Beware of your own biases.
      • Be open and share the reason for conducting the focus groups.

      Info-Tech Insight

      Maintaining an open dialogue with employees will help flesh out the context behind the data you've gathered and allow you to keep in mind that retention is about people first and foremost.

      Empathize with employees to identify moments that matter

      Look for discrepancies between what employees are saying and doing.

      1. Say

      "What words or quotes did the employee use?"

      3.Think

      "What might the employee be thinking?"

      Record feelings and thoughts discussed, body language observed, tone of voice, and words used.

      Look for areas of negative emotion to determine the moments that matter that drive retention.

      2. Do

      "What actions or behavior did the employee demonstrate?"

      4. Feel

      "What might the employee be feeling?"

      Record them in tab 3 of the Retention Plan Workbook.

      5. Identify Needs

      "Needs are verbs (activities or desires), not nouns (solutions)"

      Synthesize focus group findings using Info-Tech's Empathy Map Template.

      6. Identify Insights

      "Ask yourself, why?"

      (Based on Stanford d.school Empathy Map Method)

      Distill employee needs into priority issues to address first

      Take employee needs revealed by your data and focus groups and prioritize three to five needs.

      Select a limited number of employee needs to develop solutions to ensure that the scope of the project is feasible and that the resources dedicated to this project are not stretched too thin. The remaining needs should not be ignored – act on them later.

      Share the needs you identify with stakeholders so they can support prioritization and so you can confirm their buy-in and approval where necessary.

      Ask yourself the following questions to determine your priority employee needs:

      • Which needs will have the greatest impact on turnover?
      • Which needs have the potential to be an easy fix or quick win?
      • Which themes or trends came up repeatedly in different data sources?
      • Which needs evoked particularly strong or negative emotions in the focus groups?

      This image contains screenshots of two table templates found in tab 5 of the Retention Plan Workbook

      In the Retention Plan Workbook, distill employee needs on tab 2 into three to five priorities on tab 5.

      Step 2

      Select Solutions and Create an Action Plan

      After completing this step, you will have:

      • Selected and prioritized solutions to address employee needs.
      • Created a plan to launch stay interviews.
      • Built an action plan to implement solutions.

      Select IT-owned solutions and implement people leader–driven initiatives

      Solutions

      First, select and prioritize solutions to address employee needs identified in the previous step. These solutions will address reasons for turnover that influence employee engagement and moments that matter.

      • Brainstorm solutions using the Retention Solutions Catalog as a starting point. Select a longlist of solutions to address your priority needs.
      • Prioritize the longlist of solutions into a manageable number to act on.

      People leaders

      Next, create a plan to launch stay interviews to increase managers' accountability in improving retention. Managers will be critical to solving issues stemming from turnover triggers.

      • Clarify the importance of harnessing the influence of people leaders in improving retention.
      • Discover what might cause individual employees to leave through stay interviews.
      • Increase trust in managers through training.

      Action plan

      Finally, create an action plan and present to senior leadership for approval.

      Look for these icons in the top right of slides in this step.

      Select solutions to employee needs, starting with the Retention Solutions Catalog

      Based on the priority needs you have identified, use the Retention Solutions Catalog to review best-practice solutions for pain points associated with each stage of the lifecycle.

      Use this tool as a starting point, adding to it and iterating based on your own experience and organizational culture and goals.

      This image contains three screenshots from Info-Tech's Retention Solutions Catalog.

      Use Info-Tech's Retention Solutions Catalog to start the brainstorming process and produce a shortlist of potential solutions that will be prioritized on the next slide.

      Info-Tech Insight

      Unless you have the good fortune of having only a few pain points, no single initiative will completely solve your retention issues. Combine one or two of these broad solutions with people-leader initiatives to ensure employee needs are addressed on an individual and an aggregate level.

      Prioritize solutions to be implemented

      Target efforts accordingly

      Quick wins are high-impact, low-effort initiatives that will build traction and credibility within the organization.

      Long-term initiatives require more time and need to be planned for accordingly but will still deliver a large impact. Review the planning horizon to determine how early these need to begin.

      Re-evaluate low-impact and low-effort initiatives and identify ones that either support other higher impact initiatives or have the highest impact to gain traction and credibility. Look for low-hanging fruit.

      Deprioritize initiatives that will take a high degree of effort to deliver lower-value results.

      When assessing the impact of potential solutions, consider:

      • How many critical segments or employees will this solution affect?
      • Is the employee need it addresses critical, or did the solution encompass several themes in the data you analyzed?
      • Will the success of this solution help build a case for further action?
      • Will the solution address multiple employee needs?

      Info-Tech Insight

      It's better to master a few initiatives than under-deliver on many. Start with a few solutions that will have a measurable impact to build the case for further action in the future.

      Solutions

      Low ImpactMedium ImpactLarge Impact
      Large EffortThis is an image of the used to help you prioritize solutions to be implemented.
      Medium Effort
      Low Effort

      Use tab 3 of the Retention Plan Workbook to prioritize your shortlist of solutions.

      Harness the influence of people leaders to improve employee retention

      Leaders at all levels have a huge impact on employees.

      Effective people leaders:

      • Manage work distribution.
      • Create a motivating work environment.
      • Provide development opportunities.
      • Ensure work is stimulating and challenging, but not overwhelming.
      • Provide clear, actionable feedback.
      • Recognize team member contributions.
      • Develop positive relationships with their teams.
      • Create a line of sight between what the employee is doing and what the organization's objectives are.

      Support leaders in recommitting to their role as people managers through Learning & Development initiatives with particular emphasis on coaching and building trust.

      For coaching training, see Info-Tech's Build a Better Manager: Team Essentials – Feedback and Coaching training deck.

      For more information on supporting managers to become better people leaders, see Info-Tech's Build a Better Manager: Manage Your People blueprint.

      "HR can't fix turnover. But leaders on the front line can."
      – Richard P. Finnegan, CEO, C-Suite Analytics

      Equip managers to conduct regular stay interviews to address turnover triggers

      Managers often have the most visibility into their employees' personal and work lives and have a key opportunity to anticipate and address turnover triggers.

      Stay interviews are an effective way of uncovering potential retention issues and allowing managers to act as an early warning system for turnover triggers.

      Examples of common turnover triggers and potential manager responses:

      • Moving, creating a long commute to the office.
        • Through stay interviews, a manager can learn that a long commute is an issue and can help find workarounds such as flexible/remote work options.
      • Not receiving an expected promotion.
        • A trusted manager can anticipate issues stemming from this, discuss why the decision was made, and plan development opportunities for future openings.

      Stay interview best practices

      1. Conducted by an employee's direct manager.
      2. Happen regularly as a part of an ongoing process.
      3. Based on the stay interview, managers produce a turnover forecast for each direct report.
        1. The method used by stay interview expert Richard P. Finnegan is simple: red for high risk, yellow for medium, and green for low.
      4. Provide managers with training and a rough script or list of questions to follow.
        1. Use and customize Info-Tech's Stay Interview Guide to provide a guide for managers on how to conduct a stay interview.
      5. Managers use the results to create an individualized retention action plan made up of concrete actions the manager and employee will take.

      Sources: Richard P. Finnegan, CEO, C-Suite Analytics; SHRM

      Build an action plan to implement the retention plan

      For each initiative identified, map out timelines and actions that need to be taken.

      When building actions and timelines:

      • Refer to the priority needs you identified in tab 4 of the Retention Plan Workbook and ensure they are addressed first.
      • Engage internal stakeholders who will be key to the development of the initiatives to ensure they have sufficient time to complete their deliverables.
        • For example, if you conduct manager training, Learning & Development needs to be involved in the development and launch of the program.
      • Include a date to revisit your baseline retention and engagement data in your project milestones.
      • Designate process owners for new processes such as stay interviews.

      Plan for stay interviews by determining:

      • Whether stay interviews will be a requirement for all employees.
      • How much flexibility managers will have with the process.
      • How you will communicate the stay interview approach to managers.
      • If manager training is required.
      • How managers should record stay interview data and how you will collect this data from them as a way to monitor retention issues.
        • For example, managers can share their turnover forecasts and action plans for each employee.

      Be clear about manager accountabilities for initiatives they will own, such as stay interviews. Plan to communicate the goals and timelines managers will be asked to meet, such as when they must conduct interviews or their responsibility to follow up on action items that come from interviews.

      Track project success to iterate and improve your solutions

      Analyze measurements

      • Regularly remeasure your engagement and retention levels to identify themes and trends that provide insights into program improvements.
      • For example, look at the difference in manager relationship score to see if training has had an impact, or look at changes in critical segment turnover to calculate cost savings.

      Revisit employee and manager feedback

      • After three to six months, conduct additional surveys or focus groups to determine the success of your initiatives and opportunities for improvement. Tweak the program, including stay interviews, based on manager and employee feedback.

      Iterate frequently

      • Revisit your initiatives every two or three years to determine if a refresh is necessary to meet changing organizational and employee needs and to update your goals and targets.

      Key insights

      Insight 1Insight 2Insight 3

      Retention and turnover are two sides of the same coin. You can't fix retention without first understanding turnover.

      Engagement surveys mask the volatility of the employee experience and hide the reason why individual employees leave. You must also talk to employees to understand the moments that matter and engage managers to understand turnover triggers.

      Improving retention isn't just about lowering turnover, it's about discovering what healthy retention looks like for your organization.

      Insight 4Insight 5Insight 6

      HR professionals often have insights into where and why retention is an issue. Gathering detailed employee feedback data through surveys and focus groups provides credibility to these insights and is key to building a case for action. Keep an open mind and allow the data to inform your gut feeling, not the other way around.

      Successful retention plans must be owned by both IT leaders and HR.

      IT leaders often have the most visibility into their employees' personal and work lives and have a key opportunity to anticipate and address turnover triggers.

      Stay interviews help managers anticipate potential retention issues on their teams.

      Workshop Overview

      Contact your account representative for more information.
      workshops@infotech.com 1-888-670-8889

      Info-Tech AnalystsPre-workPost-work
      Client Data Gathering and PlanningImplementation Supported Through Analyst Calls

      1.1 Discuss participants, logistics, overview of workshop activities

      1.2 Provide support to client for below activities through calls.

      2.1 Schedule follow-up calls to work through implementation of retention solutions based on identified needs.
      Client

      1.Gather results of engagement survey, new hire survey, exit survey, and any exit and stay interview feedback.

      2.Gather and analyze turnover data.

      3.Identify key employee segment(s) and identify and organize participants for focus groups.

      4.Complete cost of turnover analysis.

      5.Review turnover data and prioritize list of employee segments.

      1.Obtain senior leader approval to proceed with retention plan.

      2.Finalize and implement retention solutions.

      3.Prepare managers to conduct stay interviews.

      4.Communicate next steps to stakeholders.

      Workshop Overview

      Contact your account representative for more information.
      workshops@infotech.com 1-888-670-8889

      ActivitiesDay 1Day 2Day 3Day 4
      Assess Current StateConduct Focus GroupsIdentify Needs and Retention InitiativesPrepare to Communicate and Launch

      1.1 Review data to determine why employees join, stay, and leave.

      1.2 Identify common themes.

      1.3 Prepare for focus groups.

      2.1 Conduct four 1-hour focus groups with the employee segment(s) identified in the pre-workshop activities..

      2.2 Info-Tech facilitators independently analyze results of focus groups and group results by theme.

      3.1 Create an empathy map to identify needs

      3.2 Shortlist retention initiatives

      4.1 Select retention initiatives

      4.2 Determine goals and metrics

      4.3 Plan stakeholder communication4.4 Build a high-level action plan

      Deliverables

      1.List of common themes/pain points recorded in the Retention Plan Workbook

      2.Plan for focus groups documented in the Focus Group Guide

      1.Focus group feedback

      2.Focus group feedback analyzed and organized by themes

      1.Employee needs and shortlist of initiatives to address them1.Finalized list of retention initiatives

      Info-Tech offers various levels of support to best suit your needs

      DIY Toolkit

      “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

      Guided Implementation

      “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

      Workshop

      “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

      Consulting

      “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

      Diagnostics and consistent frameworks used throughout all four options

      Research Contributors and Experts

      Jeff Bonnell
      VP HR
      Info-Tech Research Group

      Phillip Kotanidis
      CHRO
      Michael Garron Hospital

      Michael McGuire
      Director, Organizational Development
      William Osler Health System

      Dr. Iris Ware
      Chief Learning Officer
      City of Detroit

      Richard P. Finnegan
      CEO
      C-Suite Analytics

      Dr. Thomas Lee
      Professor of Management
      University of Washington

      Jane Moughon
      Specialist in increasing profits, reducing turnover, and maximizing human potential in manufacturing companies

      Lisa Kaste
      Former HR Director
      Citco

      Piyush Mathur
      Head of Workforce Analytics
      Johnson & Johnson

      Gregory P. Smith
      CEO
      Chart Your Course

      Works Cited

      "17 Surprising Statistics about Employee Retention." TINYpulse, 8 Sept. 2020. Web.
      "2020 Job Seeker Nation Study." Jobvite, April 2020. Web.
      "2020 Recruiter Nation Survey." Jobvite, 2020. Web.
      "2020 Retention Report: Insights on 2019 Turnover Trends, Reasons, Costs, & Recommendations." Work Institute, 2020. Web.
      "25 Essential Productivity Statistics for 2021." TeamStage, 2021. Accessed 22 Jun. 2021.
      Agovino, Theresa. "To Have and to Hold." SHRM, 23 Feb. 2019. Web.
      "Civilian Unemployment Rate." Bureau of Labor Statistics, June 2020. Web.
      Foreman, Paul. "The domino effect of chief sales officer turnover on salespeople." Mereo, 19 July 2018. Web.
      "Gross Domestic Product." U.S. Bureau of Economic Analysis, 27 May 2021. Accessed 22 Jun. 2020.
      Kinne, Aaron. "Back to Basics: What is Employee Experience?" Workhuman, 27August 2020. Accessed 21 Jun. 2021.
      Lee, Thomas W, et al. "Managing employee retention and turnover with 21st century ideas." Organizational Dynamics, vol 47, no. 2, 2017, pp. 88-98. Web.
      Lee, Thomas W. and Terence R. Mitchell. "Control Turnover by Understanding its Causes." The Blackwell Handbook of Principles of Organizational Behaviour. 2017. Print.
      McFeely, Shane, and Ben Wigert. "This Fixable Problem Costs U.S. Businesses $1 Trillion." Gallup. 13 March 2019. Web.
      "Table 18. Annual Quit rates by Industry and Region Not Seasonally Adjusted." Bureau of Labor Statistics. June 2021. Web.
      "The 2019 Compensation Best Practices Report: Will They Stay or Will They Go? Employee Retention and Acquisition in an Uncertain Economy." PayScale. 2019. Web.
      Vuleta, Branka. "30 Troubling Employee Retention Statistics." Legaljobs. 1 Feb. 2021. Web.
      "What is a Tenured Employee? Top Benefits of Tenure and How to Stay Engaged as One." Indeed. 22 Feb. 2021. Accessed 22 Jun. 2021.

      Cost-Optimize Your Security Budget

      • Buy Link or Shortcode: {j2store}250|cart{/j2store}
      • member rating overall impact (scale of 10): 9.0/10 Overall Impact
      • member rating average dollars saved: $2,078 Average $ Saved
      • member rating average days saved: 2 Average Days Saved
      • Parent Category Name: Security Strategy & Budgeting
      • Parent Category Link: /security-strategy-and-budgeting
      • The security budget has been slashed and the team needs to do more with less.
      • Mitigating risk is still the top priority, only now we need to reassess effectiveness and efficiency to ensure we are getting the greatest level of protection for the least amount of money.

      Our Advice

      Critical Insight

      A cost-optimized security budget is one that has the greatest impact on risk for the least amount of money spent.

      Impact and Result

      • Focus on business needs and related risks. Review the risk-reduction efficacy of your people, processes, and technology and justify what can be cut and what must stay.
      • Info-Tech will guide you through this process, and by the end of this blueprint you will have a cost-optimized security budget and an executive presentation to explain your revised spending.

      Cost-Optimize Your Security Budget Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to find out why you should cost-optimize your security budget, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Cost-optimize your technology and managed services

      This phase will help you assess the efficacy of your current technology and service providers.

      • Threat and Risk Assessment Tool
      • In-House vs. Outsourcing Decision-Making Tool

      2. Cost-optimize your staffing

      This phase will help you assess if layoffs are necessary.

      • Security Employee Layoff Selection Tool

      3. Cost-optimize your security strategy

      This phase will help you revise the pending process-based initiatives in your security strategy.

      • Security Cost Optimization Workbook
      • Security Cost Optimization Executive Presentation
      [infographic]

      Succeed With Digital Strategy Execution

      • Buy Link or Shortcode: {j2store}527|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Customer Relationship Management
      • Parent Category Link: /customer-relationship-management
      • Rising customer expectations and competitive pressures have accelerated the pace at which organizations are turning to digital transformation to drive revenue or cut costs.
      • Many digital strategies are not put into action, and instead sit on the shelf. A digital strategy that is not translated into specific projects and initiatives will provide no value to the organization.
      • Executing a digital strategy is easier said than done: IT often lacks the necessary framework to create a roadmap, or fails to understand how new applications can enable the vision outlined in the strategy.

      Our Advice

      Critical Insight

      • A digital strategy needs a clear roadmap to succeed. Too many digital strategies are lofty statements of objective with no clear avenue for actual execution: create a digital strategy application roadmap to avoid this pitfall.
      • Understand the art of execution. Application capabilities are rapidly evolving: IT must stand ready to educate the business on how new applications can be used to pursue the digital strategy.

      Impact and Result

      • IT must work with the business to parse specific technology drivers from the digital strategy, distill strategic requirements, and create a prescriptive roadmap of initiatives that will close the gaps between the current state and the target state outlined in the digital strategy. Doing so well is a path to the CIO’s office.
      • To better serve the organization, IT leaders must stay abreast of key application capabilities and trends. Exciting new developments such as artificial intelligence, IoT, and machine learning have opened up new avenues for process digitization, but IT leaders need to make a concerted effort to understand what modern applications bring to the table for technology enablement of the digital strategy.
      • Taking an agile approach to application roadmap development will help to provide a clear path forward for tackling digital strategy execution, while also allowing for flexibility to update and iterate as the internal and external environment changes.

      Succeed With Digital Strategy Execution Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to find out why you should have a structured approach to translating your digital strategy to specific application initiatives, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Parse digital strategy drivers

      Parse specific technology drivers out of the formal enterprise digital strategy.

      • Succeed With Digital Strategy Execution – Phase 1: Parse Your Digital Strategy for Critical Technology Drivers

      2. Map drivers to enabling technologies

      Review and understand potential enabling applications.

      • Succeed With Digital Strategy Execution – Phase 2: Map Your Drivers to Enabling Applications

      3. Create the application roadmap to support the digital strategy

      Use the drivers and an understanding of enabling applications to put together an execution roadmap that will support the digital strategy.

      • Succeed With Digital Strategy Execution – Phase 3: Create an Application Roadmap That Supports the Digital Strategy
      • Digital Strategy Roadmap Tool
      • Application Roadmap Presentation Template
      • Digital Strategy Communication and Execution Plan Template
      [infographic]

      Workshop: Succeed With Digital Strategy Execution

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Validate the Digital Strategy

      The Purpose

      Review and validate the formal enterprise digital strategy.

      Key Benefits Achieved

      Confirmation of the goals, objectives, and direction of the organization’s digital strategy.

      Activities

      1.1 Review the initial digital strategy.

      1.2 Determine gaps.

      1.3 Refine digital strategy scope and vision.

      1.4 Finalize digital strategy and validate with stakeholders.

      Outputs

      Validated digital strategy

      2 Parse Critical Technology Drivers

      The Purpose

      Enumerate relevant technology drivers from the digital strategy.

      Key Benefits Achieved

      List of technology drivers to pursue based on goals articulated in the digital strategy.

      Activities

      2.1 Identify affected process domains.

      2.2 Brainstorm impacts of digital strategy on technology enablement.

      2.3 Distill critical technology drivers.

      2.4 Identify KPIs for each driver.

      Outputs

      Affected process domains (based on APQC)

      Critical technology drivers for the digital strategy

      3 Map Drivers to Enabling Applications

      The Purpose

      Relate your digital strategy drivers to specific, actionable application areas.

      Key Benefits Achieved

      Understand the interplay between the digital strategy and impacted application domains.

      Activities

      3.1 Build and review current application inventory for digital.

      3.2 Execute fit-gap analysis between drivers and current state inventory.

      3.3 Pair technology drivers to specific enabling application categories.

      Outputs

      Current-state application inventory

      Fit-gap analysis

      4 Understand Applications

      The Purpose

      Understand how different applications support the digital strategy.

      Understand the art of the possible.

      Key Benefits Achieved

      Knowledge of how applications are evolving from a features and capabilities perspective, and how this pertains to digital strategy enablement.

      Activities

      4.1 Application spotlight: customer experience.

      4.2 Application spotlight: content and collaboration.

      4.3 Application spotlight: business intelligence.

      4.4 Application spotlight: enterprise resource planning.

      Outputs

      Application spotlights

      5 Build the Digital Application Roadmap

      The Purpose

      Create a concrete, actionable roadmap of application and technology initiatives to move the digital strategy forward.

      Key Benefits Achieved

      Clear, concise articulation of application roadmap for supporting digital that can be communicated to the business.

      Activities

      5.1 Build list of enabling projects and applications.

      5.2 Create prioritization criteria.

      5.3 Build the digital strategy application roadmap.

      5.4 Socialize the roadmap.

      5.5 Delineate responsibility for roadmap execution.

      Outputs

      Application roadmap for the digital strategy

      RACI chart for digital strategy roadmap execution

      Create an Architecture for AI

      • Buy Link or Shortcode: {j2store}344|cart{/j2store}
      • member rating overall impact (scale of 10): 9.0/10 Overall Impact
      • member rating average dollars saved: $604,999 Average $ Saved
      • member rating average days saved: 49 Average Days Saved
      • Parent Category Name: Data Management
      • Parent Category Link: /data-management

      This research is designed to help organizations who are facing these challenges:

      • Deliver on the AI promise within the organization.
      • Prioritize the demand for AI projects and govern the projects to prevent overloading resources.
      • Have sufficient data management capability.
      • Have clear metrics in place to measure progress and for decision making.

      AI requires a high level of maturity in all data management capabilities, and the greatest challenge the CIO or CDO faces is to mature these capabilities sufficiently to ensure AI success.

      Our Advice

      Critical Insight

      • Build your target state architecture from predefined best-practice building blocks.
      • Not all business use cases require AI to increase business capabilities.
      • Not all organizations are ready to embark on the AI journey.
      • Knowing the AI pattern that you will use will simplify architecture considerations.

      Impact and Result

      • This blueprint will assist organizations with the assessment, planning, building, and rollout of their AI initiatives.
        • Do not embark on an AI project with an immature data management practice. Embark on initiatives to fix problems before they cripple your AI projects.
        • Using architecture building blocks will speed up the architecture decision phase.
      • The success rate of AI initiatives is tightly coupled with data management capabilities and a sound architecture.

      Create an Architecture for AI Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to understand why you need an underlying architecture for AI, review Info-Tech's methodology, and understand the four ways we can support you in completing this project.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Assess business use cases for AI readiness

      Define business use cases where AI may bring value. Evaluate each use case to determine the company’s AI maturity in people, tools, and operations for delivering the correct data, model development, model deployment, and the management of models in the operational areas.

      • Create an Architecture for AI – Phase 1: Assess Business Use Cases for AI Readiness
      • AI Architecture Assessment and Project Planning Tool
      • AI Architecture Assessment and Project Planning Tool – Sample

      2. Design your target state

      Develop a target state architecture to allow the organization to effectively deliver in the promise of AI using architecture building blocks.

      • Create an Architecture for AI – Phase 2: Design Your Target State
      • AI Architecture Templates

      3. Define the AI architecture roadmap

      Compare current state with the target state to define architecture plateaus and build a delivery roadmap.

      • Create an Architecture for AI – Phase 3: Define the AI Architecture Roadmap
      [infographic]

      Workshop: Create an Architecture for AI

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Answer “Where To?”

      The Purpose

      Define business use cases where AI may add value and assess use case readiness.

      Key Benefits Achieved

      Know upfront if all required data resources are available in the required velocity, veracity, and variety to service the use case.

      Activities

      1.1 Review the business vision.

      1.2 Identify and classify business use cases.

      1.3 Assess company readiness for each use case.

      1.4 Review architectural principles and download and install Archi.

      Outputs

      List of identified AI use cases

      Assessment of each use case

      Data sources needed for each use case

      Archi installed

      2 Define the Required Architecture Building Blocks

      The Purpose

      Define architecture building blocks that can be used across use cases and data pipeline.

      Key Benefits Achieved

      The architectural building blocks ensure reuse of resources and form the foundation of a stepwise rollout.

      Activities

      2.1 ArchiMate modelling language overview.

      2.2 Architecture building block overview

      2.3 Identify architecture building blocks by use case.

      2.4 Define the target state architecture.

      Outputs

      A set of building blocks created in Archi

      Defined target state architecture using architecture building blocks

      3 Assess the Current State Architecture

      The Purpose

      Assess your current state architecture in the areas identified by the target state.

      Key Benefits Achieved

      Only evaluating the current state architecture that will influence your AI implementation.

      Activities

      3.1 Identify the current state capabilities as required by the target state.

      3.2 Assess your current state architecture.

      3.3 Define a roadmap and design implementation plateaus.

      Outputs

      Current state architecture documented in Archi

      Assessed current state using assessment tool

      A roadmap defined using plateaus as milestones

      4 Bridge the Gap and Create the Roadmap

      The Purpose

      Assess your current state against the target state and create a plan to bridge the gaps.

      Key Benefits Achieved

      Develop a roadmap that will deliver immediate results and ensure long-term durability.

      Activities

      4.1 Assess the gaps between current- and target-state capabilities.

      4.2 Brainstorm initiatives to address the gaps in capabilities

      4.3 Define architecture delivery plateaus.

      4.4 Define a roadmap with milestones.

      4.5 Sponsor check-in.

      Outputs

      Current to target state gap assessment

      Architecture roadmap divided into plateaus

      Passwordless Authentication

      • Buy Link or Shortcode: {j2store}466|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: End-User Computing
      • Parent Category Link: /end-user-computing
      • Stakeholders believe that passwords are still good enough.
      • You don’t know how the vendor products match to the capabilities you need to offer.
      • What do you need to test when you prototype these new technologies?
      • What associated processes/IT domains will be impacted or need to be considered?

      Our Advice

      Critical Insight

      Passwordless is the right direction even if it’s not your final destination.

      Impact and Result

      • Be able to handle objections from those who believe passwords are still “fine.”
      • Prioritize the capabilities you need to offer the enterprise, and match them to products/features you can buy from vendors.
      • Integrate passwordless initiatives with other key functions (cloud, IDaM, app rationalization, etc.).

      Passwordless Authentication Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Passwordless Authentication – Know when you’ve been beaten!

      Back in 2004 we were promised "the end of passwords" – why, then, are we still struggling with them today?

      • Passwordless Authentication Storyboard
      [infographic]

      Further reading

      Passwordless Authentication

      Know when you've been beaten!

      Executive Summary

      Your Challenge

      • The IT world is an increasingly dangerous place.
      • Every year literally billions of credentials are compromised and exposed on the internet.
      • The average employee has between 27 and 191 passwords to manage.
      • The line between business persona and personal persona has been blurred into irrelevancy.
      • You need a method of authenticating users that is up to these challenges

      Common Obstacles

      • Legacy systems aside (wouldn't that be nice) this still won't be easy.
      • Social inertia – passwords worked before, so surely, they can still work today! Besides, users don't want to change.
      • Analysis paralysis – I don't want to get this wrong! How do I choose something that is going to be at the core of my infrastructure for the next 10 years?
      • Identity management – how can you fix authentication when people have multiple usernames?

      Info-Tech's Approach

      • Inaction is not an option.
      • Most commercial, off-the-shelf apps are moving to a SaaS model, so start your efforts with them.
      • Your existing vendors already have technologies you are underusing or ignoring – stop that!
      • Your users want this change – they just might not know it yet…
      • Much like zero trust network access, the journey is more important than the destination. Incremental steps on the path toward passwordless authentication will still yield significant benefits.

      Info-Tech Insight

      Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.

      Password Security Fallacy

      "If you buy the premise…you buy the bit."
      Johnny Carson

      We've had plenty of time to see this coming.

      Why haven't we done something?

      • Passwords are a 1970s construct.
      • End-users are complexity averse.
      • Credentials are leaked all the time.
      • New technologies will defeat even the most complex passwords.

      Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."

      Be ready for some objection handling!

      This is an image of Bill Gates and Gavin Jancke at the 2004 RSA Conference in San Francisco, CA

      Image courtesy of Microsoft

      RSA Conference, 2004
      San Francisco, CA

      "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
      Bill Gates

      What about "strong" passwords?

      There has been a password arms race going on since 1988

      A massive worm attack against ARPANET prompted the initial research into password strength

      Password strength can be expressed as a function of randomness or entropy. The greater the entropy the harder for an attacker to guess the password.

      This is an image of Table 1 from Google Cloud Solutions Architects.  it shows the number of bits of entropy for a number of Charsets.

      Table: Modern password security for users
      Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects

      From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.

      How many passwords??

      XKCD Comic #936 (published in 2011)

      This is an image of XKCD Comic # 936.

      Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)

      It turns out that humans however are really bad at remembering complex passwords.

      An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.

      PEBKAC
      Problem Exists Between Keyboard and Chair

      Increasing entropy is the wrong way to fight this battle – which is good because we'd lose anyway.

      Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.

      3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!

      The entirety of the password ecosystem has significant vulnerabilities in multiple areas:

      • Unencrypted server- and client-side storage
      • Sharing
      • Reuse
      • Phishing
      • Keylogging
      • Question-based resets

      Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.

      Source: Google, University of California, Berkeley, International Computer Science Institute

       data-verified=22B hash/s">

      Image courtesy of NVIDIA, NVIDIA Grace

      • Current GPUs (2021) have 200+ times more cracking power than CPU systems.

      <8h 2040-bit RSA Key

      Image: IBM Quantum System One (CES 2020) by IBM Research is licensed under CC BY-ND 2.0

      • Quantum computing can smash current encryption methods.
      • Google engineers have demonstrated techniques that reduce the number of qubits required from 1B to a mere 20 million

      Enabling Technologies

      "Give me a place to stand, and a lever long enough, and I will move the world."
      Archimedes

      Technology gives us (too many) options

      The time to prototype is NOW!

      Chances are you are already paying for one or more of these technologies from a current vendor:

      • SSO, password managers
      • Conditional access
      • Multifactor
      • Hardware tokens
      • Biometrics
      • PINs

      Address all three factors of authentication

      • Something the user knows
      • Something the user has
      • Something the user is

      Global Market of $12.8B
      ~16.7% CAGR
      Source: Report Linker, 2022.

      Focus your prototype efforts in four key testing areas

      • Deployment
      • User adoption/training
      • Architecture (points of failure)
      • Disaster recovery

      Three factors for positive identification

      Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.

      Knows: A secret shared between the user and the system; Has: A token possessed by the user and identifiable as unique by the system; Is: A distinctive and repeatable attribute of the user sampled by the system

      Something you know

      Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords.

      Something you have

      A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision.

      Something you are or do

      Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy.

      Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.

      Prototype testing criteria

      Deployment

      Does the solution support the full variety of end-user devices you have in use?

      Can the solution be configured with your existing single sign-on or central identity broker?

      User Experience

      Users already want a better experience than passwords.

      What new behavior are you expecting (compelling) from the user?

      How often and under what conditions will that behavior occur?

      Architecture

      Where are the points of failure in the solution?

      Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.

      Disaster Recovery

      Understand the exact responsibilities Infra&Ops have in the event of a system or user failure.

      As many solutions are based in the public cloud, manage stakeholder expectations accordingly.

      Next Steps

      "Move the goalposts…and declare victory."
      Informal Fallacy (yet very effective…)

      It is more a direction than a destination…

      Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.

      You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:

      • Start in the cloud:
      • Choose a single sign-on platform such as Azure Active Directory, Okta, Auth0, AWS IAM, TruSONA, HYPR, or others. Document Your Cloud Strategy.
      • Integrate the SaaS applications from your portfolio with your chosen platform.
      • Establish visibility and rationalize identity management:
        • Accounts with elevated privileges present the most risk – evaluate your authentication factors for these accounts first.
        • There is elegance (and deployment success) in Simplifying Identity & Access Management.
      • Pay your tech debt:

      Fast IDentity Online (2) is now part of the web's DNA and is critical for digital transformation

      • IoT
      • Anywhere remote work
      • Government identity services
      • Digital wallets

      Bibliography

      "Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022.Web.
      G, Denis. "How to Build Retention Policy." MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
      Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
      Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
      Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022.
      Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov. 2017. Web.
      "The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
      "What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022.

      Proactively Identify and Mitigate Vendor Risk

      • Buy Link or Shortcode: {j2store}227|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Vendor Management
      • Parent Category Link: /vendor-management
      • IT priorities are focused on daily tasks, pushing risk management to secondary importance and diverging from a proactive environment.
      • IT leaders are relying on an increasing number of third-party technology vendors and outsourcing key functions to meet the rapid pace of change within IT.
      • Risk levels can fluctuate over the course of the partnership, requiring manual process checks and/or automated solutions.

      Our Advice

      Critical Insight

      • Every IT vendor carries risks that have business implications. These legal, financial, security, and operational risks could inhibit business continuity and IT can’t wait until an issue arises to act.
      • Making intelligent decisions about risks without knowing what their financial impact will be is difficult. Risk impact must be quantified.
      • You don’t know what you don’t know, and what you don’t know, can hurt you. To find hidden risks, you must use a structured risk identification method.

      Impact and Result

      • A thorough risk assessment in the selection phase is your first line of defense. If you follow the principles of vendor risk management, you can mitigate collateral losses following an adverse event.
      • Make a conscious decision whether to accept the risk based on time, priority, and impact. Spend the required time to correctly identify and enact defined vendor management processes that determine spend categories and appropriately evaluate potential and preferred suppliers. Ensure you accurately assess the partnership potential.
      • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.

      Proactively Identify and Mitigate Vendor Risk Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to find out how to create a vendor risk management program that minimizes your organization’s vulnerability and mitigates adverse scenarios.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Review vendor risk fundamentals and establish governance

      Review IT vendor risk fundamentals and establish a risk governance framework.

      • Proactively Identify and Mitigate Vendor Risk – Phase 1: Review Vendor Risk Fundamentals and Establish Governance
      • Vendor Risk Management Maturity Assessment Tool
      • Vendor Risk Management Program Manual
      • Risk Event Action Plan

      2. Assess vendor risk and define your response strategy

      Categorize, prioritize, and assess your vendor risks. Follow up with creating effective response strategies.

      • Proactively Identify and Mitigate Vendor Risk – Phase 2: Assess Vendor Risk and Define Your Response Strategy
      • Vendor Classification Model Tool
      • Vendor Risk Profile and Assessment Tool
      • Risk Costing Tool
      • Risk Register Tool

      3. Monitor, communicate, and improve IT vendor risk process

      Assign accountability and responsibilities to formalize ongoing risk monitoring. Communicate your findings to management and share the plan moving forward.

      • Proactively Identify and Mitigate Vendor Risk – Phase 3: Monitor, Communicate, and Improve IT Vendor Risk Process
      • Risk Report
      [infographic]

      Workshop: Proactively Identify and Mitigate Vendor Risk

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Prepare for the Workshop

      The Purpose

      To prepare the team for the workshop.

      Key Benefits Achieved

      Avoids delays and interruptions once the workshop is in progress.

      Activities

      1.1 Send workshop agenda to all participants.

      1.2 Prepare list of vendors and review any contracts provided by them.

      1.3 Review current risk management process.

      Outputs

      All necessary participants assembled

      List of vendors and vendor contracts

      Understanding of current risk management process

      2 Review Vendor Risk Fundamentals and Establish Governance

      The Purpose

      Review IT vendor risk fundamentals.

      Assess current maturity and set risk management program goals.

      Engage stakeholders and establish a risk governance framework.

      Key Benefits Achieved

      Understanding of organizational risk culture and the corresponding risk threshold.

      Obstacles to effective IT risk management identified.

      Attainable goals to increase maturity established.

      Understanding of the gap to achieve vendor risk readiness.

      Activities

      2.1 Brainstorm vendor-related risks.

      2.2 Assess current program maturity.

      2.3 Identify obstacles and pain points.

      2.4 Develop risk management goals.

      2.5 Develop key risk indicators (KRIs) and escalation protocols.

      2.6 Gain stakeholders’ perspective.

      Outputs

      Vendor risk management maturity assessment

      Goals for vendor risk management

      Stakeholders’ opinions

      3 Assess Vendor Risk and Define Your Response Strategy

      The Purpose

      Categorize vendors.

      Prioritize assessed risks.

      Key Benefits Achieved

      Risk events prioritized according to risk severity – as defined by the business.

      Activities

      3.1 Categorize vendors.

      3.2 Map vendor infrastructure.

      3.3 Prioritize vendors.

      3.4 Identify risk contributing factors.

      3.5 Assess risk exposure.

      3.6 Calculate expected cost.

      3.7 Identify risk events.

      3.8 Input risks into the Risk Register Tool.

      Outputs

      Vendors classified and prioritized

      Vendor risk exposure

      Expected cost calculation

      4 Assess Vendor Risk and Define Your Response Strategy (continued)

      The Purpose

      Determine risk threshold and contract clause relating to risk prevention.

      Identify and assess risk response actions.

      Key Benefits Achieved

      Thorough analysis has been conducted on the value and effectiveness of risk responses for high-severity risk events.

      Risk response strategies have been identified for all key risks.

      Authoritative risk response recommendations can be made to senior leadership.

      Activities

      4.1 Determine the threshold for (un)acceptable risk.

      4.2 Match elements of the contract to related vendor risks.

      4.3 Identify and assess risk responses.

      Outputs

      Thresholds for (un)acceptable risk

      Risk responses

      5 Monitor, Communicate, and Improve IT Vendor Risk Process

      The Purpose

      Communicate top risks to management.

      Assign accountabilities and responsibilities for risk management process.

      Establish monitoring schedule.

      Key Benefits Achieved

      Risk monitoring responsibilities are established.

      Transparent accountabilities and established ongoing improvement of the vendor risk management program.

      Activities

      5.1 Create a stakeholder map.

      5.2 Complete RACI chart.

      5.3 Establish the reporting schedule.

      5.4 Finalize the vendor risk management program.

      Outputs

      Stakeholder map

      Assigned accountability for risk management

      Established monitoring schedule

      Risk report

      Vendor Risk Management Program Manual

      Build a Robust and Comprehensive Data Strategy

      • Buy Link or Shortcode: {j2store}120|cart{/j2store}
      • member rating overall impact (scale of 10): 9.3/10 Overall Impact
      • member rating average dollars saved: $46,734 Average $ Saved
      • member rating average days saved: 29 Average Days Saved
      • Parent Category Name: Data Management
      • Parent Category Link: /data-management
      • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down.
      • At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing expectations and demands.

      Our Advice

      Critical Insight

      • As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
      • A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
      • Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

      Impact and Result

      • Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:
        • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy
        • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
        • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

      Build a Robust and Comprehensive Data Strategy Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Data Strategy Research – A step-by-step document to facilitate the formulation of a data strategy that brings together the business context, data management foundation, people, and culture.

      Data should be at the foundation of your organization’s evolution. The transformational insights that executives and decision makers are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, trusted, and relevant data readily available to the users who need it.

      • Build a Robust and Comprehensive Data Strategy – Phases 1-3

      2. Data Strategy Stakeholder Interview Guide and Findings – A template to support you in your meetings or interviews with key stakeholders as you work on understanding the value of data within the various lines of business.

      This template will help you gather insights around stakeholder business goals and objectives, current data consumption practices, the types or domains of data that are important to them in supporting their business capabilities and initiatives, the challenges they face, and opportunities for data from their perspective.

      • Data Strategy Stakeholder Interview Guide and Findings

      3. Data Strategy Use Case Template – An exemplar template to demonstrate the business value of your data strategy.

      Data strategy optimization anchored in a value proposition will ensure that the data strategy focuses on driving the most valuable and critical outcomes in support of the organization’s enterprise strategy. The template will help you facilitate deep-dive sessions with key stakeholders for building use cases that are of demonstrable value not only to their relevant lines of business but also to the wider organization.

      • Data Strategy Use Case Template

      4. Chief Data Officer – A job description template that includes a detailed explication of the responsibilities and expectations of a CDO.

      Bring data to the C-suite by creating the Chief Data Officer role. This position is designed to bridge the gap between the business and IT by serving as a representative for the organization's data management practices and identifying how the organization can leverage data as a competitive advantage or corporate asset.

      • Chief Data Officer

      5. Data Strategy Document Template – A structured template to plan and document your data strategy outputs.

      Use this template to document and formulate your data strategy. Follow along with the sections of the blueprint Build a Robust and Comprehensive Data Strategy and complete the template as you progress.

      • Data Strategy Document Template
      [infographic]

      Workshop: Build a Robust and Comprehensive Data Strategy

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Establish Business Context and Value: Understand the Current Business Environment

      The Purpose

      Establish the business context for the business strategy.

      Key Benefits Achieved

      Substantiates the “why” of the data strategy.

      Highlights the organization’s goals, objectives, and strategic direction the data must align with.

      Activities

      1.1 Data Strategy 101

      1.2 Intro to Tech’s Data Strategy Framework

      1.3 Data Strategy Value Proposition: Understand stakeholder’s strategic priorities and the alignment with data

      1.4 Discuss the importance of vision, mission, and guiding principles of the organization’s data strategy

      1.5 Understand the organization’s data culture – discuss Data Culture Survey results

      1.6 Examine Core Value Streams of Business Architecture

      Outputs

      Business context; strategic drivers

      Data strategy guiding principles

      Sample vision and mission statements

      Data Culture Diagnostic Results Analysis

      2 Business-Data Needs Discovery: Key Business Stakeholder Interviews

      The Purpose

      Build use cases of demonstrable value and understand the current environment.

      Key Benefits Achieved

      An understanding of the current maturity level of key capabilities.

      Use cases that represent areas of concern and/or high value and therefore need to be addressed.

      Activities

      2.1 Conduct key business stakeholder interviews to initiate the build of high-value business-data cases

      Outputs

      Initialized high-value business-data cases

      3 Understand the Current Data Environment & Practice: Analyze Data Capability and Practice Gaps and Develop Alignment Strategies

      The Purpose

      Build out a future state plan that is aimed at filling prioritized gaps and that informs a scalable roadmap for moving forward on treating data as an asset.

      Key Benefits Achieved

      A target state plan, formulated with input from key stakeholders, for addressing gaps and for maturing capabilities necessary to strategically manage data.

      Activities

      3.1 Understand the current data environment: data capability assessment

      3.2 Understand the current data practice: key data roles, skill sets; operating model, organization structure

      3.3 Plan target state data environment and data practice

      Outputs

      Data capability assessment and roadmapping tool

      4 Align Business Needs with Data Implications: Initiate Roadmap Planning and Strategy Formulation

      The Purpose

      Consolidate business and data needs with consideration of external factors as well as internal barriers and enablers to the success of the data strategy. Bring all the outputs together for crafting a robust and comprehensive data strategy.

      Key Benefits Achieved

      A consolidated view of business and data needs and the environment in which the data strategy will be operationalized.

      An analysis of the feasibility and potential risks to the success of the data strategy.

      Activities

      4.1 Analyze gaps between current- and target-state

      4.2 Initiate initiative, milestone and RACI planning

      4.3 Working session with Data Strategy Owner

      Outputs

      Data Strategy Next Steps Action Plan

      Relevant data strategy related templates (example: data practice patterns, data role patterns)

      Initialized Data Strategy on-a-Page

      Further reading

      Build a Robust and Comprehensive Data Strategy

      Key to building and fostering a data-driven culture.

      ANALYST PERSPECTIVE

      Data Strategy: Key to helping drive organizational innovation and transformation

      "In the dynamic environment in which we operate today, where we are constantly juggling disruptive forces, a well-formulated data strategy will prove to be a key asset in supporting business growth and sustainability, innovation, and transformation.

      Your data strategy must align with the organization’s business strategy, and it is foundational to building and fostering an enterprise-wide data-driven culture."

      Crystal Singh,

      Director – Research and Advisory

      Info-Tech Research Group

      Our understanding of the problem

      This Research is Designed For:

      • Chief data officers (CDOs), chief architects, VPs, and digital transformation directors and CIOs who are accountable for ensuring data can be leveraged as a strategic asset of the organization.

      This Research Will Help You:

      • Put a strategy in place to ensure data is available, accessible, well integrated, secured, of acceptable quality, and suitably visualized to fuel decision making by the organizations’ executives.
      • Align data management plans and investments with business requirements and the organization’s strategic plans.
      • Define the relevant roles for operationalizing your data strategy.

      This Research Will Also Assist:

      • Data architects and enterprise architects who have been tasked with supporting the formulation or optimization of the organization’s data strategy.
      • Business leaders creating plans for leveraging data in their strategic planning and business processes.
      • IT professionals looking to improve the environment that manages and delivers data.

      This Research Will Help Them:

      • Get a handle on the current situation of data within the organization.
      • Understand how the data strategy and its resulting initiatives will affect the operations, integration, and provisioning of data within the enterprise.

      Executive Summary

      Situation

      • The volume and variety of data that organizations have been collecting and producing have been growing exponentially and show no sign of slowing down. At the same time, business landscapes and models are evolving, and users and stakeholders are becoming more and more data centric, with maturing and demanding expectations.

      Complication

      • As organizations pivot in response to industry disruptions and changing landscapes, a reactive and piecemeal approach leads to data architectures and designs that fail to deliver real and measurable value to the business.
      • Despite the growing focus on data, many organizations struggle to develop a cohesive business-driven strategy for effectively managing and leveraging their data assets.

      Resolution

      Formulate a data strategy that stitches all of the pieces together to better position you to unlock the value in your data:

      • Establish the business context and value: Identify key business drivers for executing on an optimized data strategy, build compelling and relevant use cases, understand your organization’s culture and appetite for data, and ensure you have well-articulated vision, principles, and goals for your data strategy.
      • Ensure you have a solid data foundation: Understand your current data environment, data management enablers, people, skill sets, roles, and structure. Know your strengths and weakness so you can optimize appropriately.
      • Formulate a sustainable data strategy: Round off your strategy with effective change management and communication for building and fostering a data-driven culture.

      Info-Tech Insight

      1. As the CDO or equivalent data leader in your organization, a robust and comprehensive data strategy is the number one tool in your toolkit for delivering on your mandate of creating measurable business value from data.
      2. A data strategy should never be formulated disjointed from the business. Ensure the data strategy aligns with the business strategy and supports the business architecture.
      3. Building and fostering a data-driven culture will accelerate and sustain adoption of, appetite for, and appreciation for data and hence drive the ROI on your various data investments.

      Why do you need a data strategy?

      Your data strategy is the vehicle for ensuring data is poised to support your organization’s strategic objectives.

      The dynamic marketplace of today requires organizations to be responsive in order to gain or maintain their competitive edge and place in their industry.

      Organizations need to have that 360-degree view of what’s going on and what’s likely to happen.

      Disruptive forces often lead to changes in business models and require organizations to have a level of adaptability to remain relevant.

      To respond, organizations need to make decisions and should be able to turn to their data to gain insights for informing their decisions.

      A well-formulated and robust data strategy will ensure that your data investments bring you the returns by meeting your organization’s strategic objectives.

      Organizations need to be in a position where they know what’s going on with their stakeholders and anticipate what their stakeholders’ needs are going to be.

      Data cannot be fully leveraged without a cohesive strategy

      Most organizations today will likely have some form of data management in place, supported by some of the common roles such as DBAs and data analysts.

      Most will likely have a data architecture that supports some form of reporting.

      Some may even have a chief data officer (CDO), a senior executive who has a seat at the C-suite table.

      These are all great assets as a starting point BUT without a cohesive data strategy that stitches the pieces together and:

      • Effectively leverages these existing assets
      • Augments them with additional and relevant key roles and skills sets
      • Optimizes and fills in the gaps around your current data management enablers and capabilities for the growing volume and variety of data you’re collecting
      • Fully caters to real, high-value strategic organizational business needs

      you’re missing the mark – you are not fully leveraging the incredible value of your data.

      Cross-industry studies show that on average, less than half of an organization’s structured data is actively used in making decisions

      And, less than 1% of its unstructured data is analyzed or used at all. Furthermore, 80% of analysts' time is spent simply discovering and preparing, data with over 70% of employees having access to data they should not. Source: HBR, 2017

      Organizational drivers for a data strategy

      Your data strategy needs to align with your organizational strategy.

      Main Organizational Strategic Drivers:

      1. Stakeholder Engagement/Service Excellence
      2. Product and Service Innovations
      3. Operational Excellence
      4. Privacy, Risk, and Compliance Management

      “The companies who will survive and thrive in the future are the ones who will outlearn and out-innovate everyone else. It is no longer ‘survival of the fittest’ but ‘survival of the smartest.’ Data is the element that both inspires and enables this new form of rapid innovation.– Joel Semeniuk, 2016

      A sound data strategy is the key to unlocking the value in your organization’s data.

      Data should be at the foundation of your organization’s evolution.

      The transformational insights that executives are constantly seeking to leverage can be unlocked with a data strategy that makes high-quality, well-integrated, trustworthy, relevant data readily available to the business users who need it.

      Whether hoping to gain a better understanding of your business, trying to become an innovator in your industry, or having a compliance and regulatory mandate that needs to be met, any organization can get value from its data through a well-formulated, robust, and cohesive data strategy.

      According to a leading North American bank, “More than one petabyte of new data, equivalent to about 1 million gigabytes” is entering the bank’s systems every month. – The Wall Street Journal, 2019

      “Although businesses are at many different stages in unlocking the power of data, they share a common conviction that it can make or break an enterprise.”– Jim Love, ITWC CIO and Chief Digital Officer, IT World Canada, 2018

      Data is a strategic organizational asset and should be treated as such

      The expression “Data is an asset” or any other similar sentiment has long been heard.

      With such hype, you would have expected data to have gotten more attention in the boardrooms. You would have expected to see its value reflected on financial statements as a result of its impact in driving things like acquisition, retention, product and service development and innovation, market growth, stakeholder satisfaction, relationships with partners, and overall strategic success of the organization.

      The time has surely come for data to be treated as the asset it is.

      “Paradoxically, “data” appear everywhere but on the balance sheet and income statement.”– HBR, 2018

      “… data has traditionally been perceived as just one aspect of a technology project; it has not been treated as a corporate asset.”– “5 Essential Components of a Data Strategy,” SAS

      According to Anil Chakravarthy, who is the CEO of Informatica and has a strong vantage point on how companies across industries leverage data for better business decisions, “what distinguishes the most successful businesses … is that they have developed the ability to manage data as an asset across the whole enterprise.”– McKinsey & Company, 2019

      How data is perceived in today’s marketplace

      Data is being touted as the oil of the digital era…

      But just like oil, if left unrefined, it cannot really be used.

      "Data is the new oil." – Clive Humby, Chief Data Scientist

      Source: Joel Semeniuk, 2016

      Enter your data strategy.

      Data is being perceived as that key strategic asset in your organization for fueling innovation and transformation.

      Your data strategy is what allows you to effectively mine, refine, and use this resource.

      “The world’s most valuable resource is no longer oil, but data.”– The Economist, 2017

      “Modern innovation is now dependent upon this data.”– Joel Semeniuk, 2016

      “The better the data, the better the resulting innovation and impact.”– Joel Semeniuk, 2016

      What is it in it for you? What opportunities can data help you leverage?

      GOVERNMENT

      Leveraging data as a strategic asset for the benefit of citizens.

      • The strategic use of data can enable governments to provide higher-quality services.
      • Direct resources appropriately and harness opportunities to improve impact.
      • Make better evidence-informed decisions and better understand the impact of programs so that funds can be directed to where they are most likely to deliver the best results.
      • Maintain legitimacy and credibility in an increasingly complex society.
      • Help workers adapt and be competitive in a changing labor market.
      • A data strategy would help protect citizens from the misuse of their data.

      Source: Privy Council Office, Government of Canada, 2018

      What is it in it for you? What opportunities can data help you leverage?

      FINANCIAL

      Leveraging data to boost traditional profit and loss levers, find new sources of growth, and deliver the digital bank.

      • One bank used credit card transactional data (from its own terminals and those of other banks) to develop offers that gave customers incentives to make regular purchases from one of the bank’s merchants. This boosted the bank’s commissions, added revenue for its merchants, and provided more value to the customer (McKinsey & Company, 2017).
      • In terms of enhancing productivity, a bank used “new algorithms to predict the cash required at each of its ATMs across the country and then combined this with route-optimization techniques to save money” (McKinsey & Company, 2017).

      A European bank “turned to machine-learning algorithms that predict which currently active customers are likely to reduce their business with the bank.” The resulting understanding “gave rise to a targeted campaign that reduced churn by 15 percent” (McKinsey & Company, 2017).

      A leading Canadian bank has built a marketplace around their data – they have launched a data marketplace where they have productized the bank’s data. They are providing data – as a product – to other units within the bank. These other business units essentially represent internal customers who are leveraging the product, which is data.

      Through the use of data and advanced analytics, “a top bank in Asia discovered unsuspected similarities that allowed it to define 15,000 microsegments in its customer base. It then built a next-product-to-buy model that increased the likelihood to buy three times over.” Several sets of big data were explored, including “customer demographics and key characteristics, products held, credit-card statements, transaction and point-of-sale data, online and mobile transfers and payments, and credit-bureau data” (McKinsey & Company, 2017).

      What is it in it for you? What opportunities can data help you leverage?

      HEALTHCARE

      Leveraging data and analytics to prevent deadly infections

      The fifth-largest health system in the US and the largest hospital provider in California uses a big data and advanced analytics platform to predict potential sepsis cases at the earliest stages, when intervention is most helpful.

      Using the Sepsis Bio-Surveillance Program, this hospital provider monitors 120,000 lives per month in 34 hospitals and manages 7,500 patients with potential sepsis per month.

      Collecting data from the electronic medical records of all patients in its facilities, the solution uses natural language processing (NLP) and a rules engine to continually monitor factors that could indicate a sepsis infection. In high-probability cases, the system sends an alarm to the primary nurse or physician.

      Since implementing the big data and predictive analytics system, this hospital provider has seen a significant improvement in the mortality and the length of stay in ICU for sepsis patients.

      At 28 of the hospitals which have been on the program, sepsis mortality rates have dropped an average of 5%.

      With patients spending less time in the ICU, cost savings were also realized. This is significant, as sepsis is the costliest condition billed to Medicare, the second costliest billed to Medicaid and the uninsured, and the fourth costliest billed to private insurance.

      Source: SAS, 2019

      What is it in it for you? What opportunities can data help you leverage?

      RETAIL

      Leveraging data to better understand customer preferences, predict purchasing, drive customer experience, and optimize supply and demand planning.

      Netflix is an example of a big brand that uses big data analytics for targeted advertising. With over 100 million subscribers, the company collects large amounts of data. If you are a subscriber, you are likely familiar with their suggestions messages of the next series or movie you should catch up on. These suggestions are based on your past search data and watch data. This data provides Netflix with insights into your interests and preferences for viewing (Mentionlytics, 2018).

      “For the retail industry, big data means a greater understanding of consumer shopping habits and how to attract new customers.”– Ron Barasch, Envestnet | Yodlee, 2019

      The business case for data – moving from platitudes to practicality

      When building your business case, consider the following:

      • What is the most effective way to communicate the business case to executives?
      • How can CDOs and other data leaders use data to advance their organizations’ corporate strategy?
      • What does your data estate look like? Are you looking to leverage and drive value from your semi-structured and unstructured data assets?
      • Does your current organizational culture support a data-driven one? Does the organization have a history of managing change effectively?
      • How do changing privacy and security expectations alter the way businesses harvest, save, use, and exchange data?

      “We’re the converted … We see the value in data. The battle is getting executive teams to see it our way.”– Ted Maulucci, President of SmartONE Solutions Inc. IT World Canada, 2018

      Where do you stack up? What is your current data management maturity?

      Info-Tech’s IT Maturity Ladder denotes the different levels of maturity for an IT department and its different functions. What is the current state of your data management capability?

      Innovator - Transforms the Business. Business Partner - Expands the Business. Trusted Operator - Optimizes the Business. Firefighter - Supports the Business. Unstable - Struggles to Support.

      Info-Tech Insight

      You are best positioned to successfully execute on a data strategy if you are currently at or above the Trusted Operator level. If you find yourself still at the Unstable or Firefighter stage, your efforts are best spent on ensuring you can fulfill your day-to-day data and data management demands. Improving this capability will help build a strong data management foundation.

      Guiding principles of a data strategy

      Value of Clearly Defined Data Principles

      • Guiding principles help define the culture and characteristics of your practice by describing your beliefs and philosophy.
      • Guiding principles act as the heart of your data strategy, helping to shape initiative plans and day-to-day behaviors related to the use and treatment of the organization’s data assets.

      “Organizational culture can accelerate the application of analytics, amplify its power, and steer companies away from risky outcomes.”– McKinsey, 2018

      Build a Robust and Comprehensive Data Strategy

      Business Strategy and Current Environment connect with the Data Strategy. Data Strategy includes: Organizational Drivers and Data Value, Data Strategy Objectives and Guiding Principles, Data Strategy Vision and Mission, Data Strategy Roadmap, People: Roles and Organizational Structure, Data Culture and Data Literacy, Data Management and Tools, Risk and Feasibility.

      Follow Info-Tech’s methodology for effectively leveraging the value out of your data

      Some say it’s the new oil. Or the currency of the new business landscape. Others describe it as the fuel of the digital economy. But we don’t need platitudes — we need real ways to extract the value from our data. – Jim Love, CIO and Chief Digital Officer, IT World Canada, 2018

      1. Business Context. 2. Data and Resources Foundation. 3. Effective Data Strategy

      Our practical step-by-step approach helps you to formulate a data strategy that delivers business value.

      1. Establish Business Context and Value: In this phase, you will determine and substantiate the business drivers for optimizing the data strategy. You will identify the business drivers that necessitate the data strategy optimization and examine your current organizational data culture. This will be key to ensuring the fruits of your optimization efforts are being used. You will also define the vision, mission, and guiding principles and build high-value use cases for the data strategy.
      2. Ensure You Have a Solid Data and Resources Foundation: This phase will help you ensure you have a solid data and resources foundation for operationalizing your data strategy. You will gain an understanding of your current environment in terms of data management enablers and the required resources portfolio of key people, roles, and skill sets.
      3. Formulate a Sustainable Data Strategy: In this phase, you will bring the pieces together for formulating an effective data strategy. You will evaluate and prioritize the use cases built in Phase 1, which summarize the alignment of organizational goals with data needs. You will also create your strategic plan, considering change management and communication.

      Info-Tech offers various levels of support to best suit your needs

      DIY Toolkit

      “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

      Guided Implementation

      “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

      Workshop

      “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

      Consulting

      “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

      Diagnostics and consistent frameworks are used throughout all four options.

      Improve Your IT Recruitment Process

      • Buy Link or Shortcode: {j2store}578|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Attract & Select
      • Parent Category Link: /attract-and-select

      Business and IT leaders aiming to recruit and select the best talent need to:

      • Get involved in the talent acquisition process at key moments.
      • Market their organization to top talent through an authentic employer brand.
      • Create engaging and accurate job ads.
      • Leverage purposeful sourcing for anticipated talent needs.
      • Effectively assess candidates with a strong interview process.
      • Set up new employees for success.

      Our Advice

      Critical Insight

      To create a great candidate experience, IT departments must be involved in the process at key points, recruitment and selection is not a job for HR alone!

      Impact and Result

      • Use this how-to guide to articulate an authentic (employee value proposition) EVP and employer brand.
      • Perform an analysis of current sourcing methods and build an action plan to get IT involved.
      • Create an effective and engaging job ad to insure the right people are applying.
      • Train hiring managers to effectively deliver interviews that correctly assess candidate suitability.
      • Get links to in-depth Info-Tech resources and tools.

      Improve Your IT Recruitment Process Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Improve Your IT Recruitment Process – A guide to help you attract and select the best talent.

      Train your IT department to get involved in the recruitment process to attract and select the best talent.

      • Improve Your IT Recruitment Process Capstone Deck

      2. Improve Your IT Recruitment Process Workbook – A tool to document your action plans.

      Use this tool in conjunction with the Improve you IT Recruitment Process to document your action plans

      • Improve Your IT Recruitment Process Workbook

      3. Interview Guide Template – A template to organize interview questions and their rating scales, take notes during the interview, and ensure all interviews follow a similar structure.

      To get useful information from an interview, the interviewer should be focused on what candidates are saying and how they are saying it, not on what the next question will be, what probes to ask, or how they will score the responses. This Interview Guide Template will help interviewers stay focused and collect good information about candidates.

      • Interview Guide Template

      4. IT Behavioral Interview Question Library – A tool that contains a complete list of sample questions aligned with core, leadership, and IT competencies.

      Hiring managers can choose from a comprehensive collection of core, functional, and leadership competency-based behavioral interview questions.

      • IT Behavioral Interview Question Library

      5. Job Ad Template – A template to allow complete documentation of the characteristics, responsibilities, and requirements for a given job posting in IT.

      Use this template to develop a well-written job posting that will attract the star candidates and, in turn, deflect submission of irrelevant applications by those unqualified.

      • Job Ad Template

      6. Idea Catalog – A tool to evaluate virtual TA solutions.

      The most innovative technology isn’t necessarily the right solution. Review talent acquisition (TA) solutions and evaluate the purpose each option serves in addressing critical challenges and replacing critical in-person activities.

      • Idea Catalog: Adapt the Talent Acquisition Process to a Virtual Environment
      [infographic]

      Workshop: Improve Your IT Recruitment Process

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Employee Value Proposition and Employer Branding

      The Purpose

      Establish the employee value proposition (EVP) and employer brand.

      Key Benefits Achieved

      Have a well-defined EVP that you communicate through your employer brand.

      Activities

      1.1 Gather feedback.

      1.2 Build key messages.

      1.3 Assess employer brand.

      Outputs

      Content and themes surrounding the EVP

      Draft EVP and supporting statements

      A clearer understanding of the current employer brand and how it could be improved

      2 Job Ads and Sourcing

      The Purpose

      Develop job postings and build a strong sourcing program.

      Key Benefits Achieved

      Create the framework for an effective job posting and analyze existing sourcing methods.

      Activities

      2.1 Review and update your job ads.

      2.2 Review the effectiveness of existing sourcing programs.

      2.3 Review job ads and sourcing methods for bias.

      Outputs

      Updated job ad

      Low usage sourcing methods identified for development

      Minimize bias present in ads and sourcing methods

      3 Effective Interviewing

      The Purpose

      Create a high-quality interview process to improve candidate assessment.

      Key Benefits Achieved

      Training on being an effective interviewer.

      Activities

      3.1 Create an ideal candidate scorecard.

      3.2 Map out your interview process.

      3.3 Practice behavioral interviews.

      Outputs

      Ideal candidate persona

      Finalized interview and assessment process

      Practice interviews

      4 Onboarding and Action Plan

      The Purpose

      Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

      Key Benefits Achieved

      Evaluation of current onboarding practice.

      Activities

      4.1 Evaluate and redesign the onboarding program.

      Outputs

      Determine new onboarding activities to fill identified gaps.

      Further reading

      Improve Your IT Recruitment Process

      Train your IT department to get involved in the recruitment process to attract and select the best talent.

      Own the IT recruitment process

      Train your IT department to get involved in the recruitment process to attract and select the best talent.

      Follow this blueprint to:

      • Define and communicate the unique benefits of working for your organization to potential candidates through a strong employer brand.
      • Learn best practices around creating effective job postings.
      • Target your job posting efforts on the areas with the greatest ROI.
      • Create and deliver an effective, seamless, and positive interview and offer process for candidates.
      • Acclimate new hires and set them up for success.

      Get involved at key moments of the candidate experience to have the biggest impact


      Employee Value Proposition (EVP) and Employer Brand



      Job Postings and a Strong Sourcing Program

      Effective Interviewing

      Onboarding: Setting up New Hires For Success

      Awareness Research Application Screening Interview and Assessment Follow Up Onboarding

      RECRUIT QUALITY STAFF

      Hiring talent is critical to organizational success

      Talent is a priority for the entire organization:

      Respondents rated “recruitment” as the top issue facing organizations today (McLean & Company 2022 HR Trends Report).

      37% of IT departments are outsourcing roles to fill internal skill shortages (Info-Tech Talent Trends 2022 Survey).

      Yet bad hires are alarmingly common:

      Hiring is one of the least successful business processes, with three-quarters of managers reporting that they have made a bad hire (Robert Half, 2021).

      48% of survey respondents stated improving the quality of hires was the top recruiting priority for 2021 (Jobvite, 2021).

      Workshop overview

      Prework

      Day 1

      Day 2

      Day 3

      Day 4

      Post work

      Current Process and Job Descriptions Documented

      Establish the Employee Value Proposition (EVP) and Employer Brand

      Develop Job Postings and Build a Strong Sourcing Program

      Effective Interviewing

      Onboarding and Action Planning

      Putting the Action Plan Into Action!

      Activities

      • Recruitment Process Mapped Out and Stakeholders Identified
      • Prepare a JD and JP for Four Priority Jobs
      • Collect Information on Where Your Best Candidates Are Coming From

      1.1 Introduce the Concept of an EVP

      1.2 Brainstorm Unique Benefits of Working at Your Organization

      1.2 Employer Brand Introduction

      2.1 What Makes an Attractive Job Posting

      2.2 Create the Framework for Job Posting

      2.3 Improve the Sourcing Process

      2.4 Review Process for Bias

      3.1 Creating an Interview Process

      3.2 Selecting Interview Questions

      3.3 Avoiding Bias During Interviews

      3.4 Practice Interviews

      4.1 Why Onboarding Matters

      4.2 Acclimatize New Hires and Set Them Up for Success

      4.3 Action Plan

      5.1 Review Outputs and Select Priorities

      5.2 Consult With HR and Senior Management to Get Buy-In

      5.3 Plan to Avoid Relapse Behaviors

      Deliverables

      1. EVP draft completed
      2. Employer brand action plan
      1. Organization-specific job posting framework
      2. Sourcing Plan Template for four priority jobs
      3. Sourcing action plan
      1. Completed Interview Guide Template
      2. Managers practice a panel interview
      1. Onboarding best practices
      2. Action plan

      Enhance Your Recruitment Strategies

      The way you position the organization impacts who is likely to apply to posted positions.

      Develop a strong employee value proposition

      What is an employee value proposition?

      And what are the key components?

      The employee value proposition is your opportunity to showcase the unique benefits and opportunities of working at your organization, allowing you to attract a wider pool of candidates.

      AN EMPLOYEE VALUE PROPOSITION IS:

      AN EMPLOYEE VALUE PROPOSITION IS NOT:

      • An authentic representation of the employee experience
      • Aligned with organizational culture
      • Fundamental to all stages of the employee lifecycle
      • A guide to help investment in programs and policies
      • Short and succinct
      • What the employee can do for you
      • A list of programs and policies
      • An annual project

      THE FOUR KEY COMPONENTS OF AN EMPLOYEE VALUE PROPOSITION

      Rewards

      Organizational Elements

      Working Conditions

      Day-to-Day Job Elements

      • Compensation
      • Health Benefits
      • Retirement Benefits
      • Vacation
      • Culture
      • Customer Focus
      • Organization Potential
      • Department Relationships
      • Senior Management Relationships
      • Work/Life Balance
      • Working Environment
      • Employee Empowerment
      • Development
      • Rewards & Recognition
      • Co-Worker Relationships
      • Manager Relationships

      Creating a compelling EVP that presents a picture of your employee experience, with a focus on diversity, will attract a wide pool of diverse candidates to your team. This can lead to many internal and external benefits for your organization.

      How to collect information on your EVP

      Existing Employee Value Proposition: If your organization or IT department has an existing employee value proposition, rather than starting from scratch, we recommend leveraging that and moving to the testing phase to see if the EVP still resonates with staff and external parties.

      Employee Engagement Results: If your organization does an employee engagement survey, review the results to identify the areas in which the IT organization is performing well. Identify and document any key comment themes in the report around why employees enjoy working for the organization or what makes your IT department a great place to work.

      Social Media Sites. Prepare for the good, the bad, and the ugly. Social media websites like Glassdoor and Indeed make it easier for employees to share their experiences at an organization honestly and candidly. While postings on these sites won’t relate exclusively to the IT department, they do invite participants to identify their department in the organization. You can search these to identify any positive things people are saying about working for the organization and potentially opportunities for improvement (which you can use as a starting point in the retention section of this report).

      1.1 Gather feedback

      1. Download the Improve Your IT Recruitment Workbook.
      2. On tab 1.1, brainstorm the top five things you value most about working at the organization. Ask yourself what would fall in each category and identify any key themes. Be sure to take note of any specific quotes you have.
      3. Brainstorm limitations that the organization currently has in each of those areas.

      Download the Recruitment Workbook

      Input

      Output
      • Employee opinions
      • Employee responses to four EVP components
      • Content for EVP

      Materials

      Participants

      • Recruitment Workbook
      • Diverse employees
      • Different departments
      • Different role levels

      1.2 Build key messages

      1. Go to tab 1.2 in your workbook
      2. Identify themes from activity 1.1 that would be considered current strengths of you organization.
      3. Identify themes from activity 1.2 that are aspirational elements of your organization.
      4. Identify up to four key statements to focus on for the EVP, ensuring that your EVP speaks to at least one of the five categories above.
      5. Integrate these into one overall statement.

      Examples below.

      Input

      Output
      • Feedback from focus groups
      • EVP and supporting statements

      Materials

      Participants

      • Workbook handout
      • Pen and paper for documenting responses
      • IT leadership team

      Sample EVPs

      Shopify

      “We’re Shopify. Our mission is to make commerce better for everyone – but we’re not the workplace for everyone. We thrive on change, operate on trust, and leverage the diverse perspectives of people on our team in everything we do. We solve problems at a rapid pace. In short, we get shit done.”

      Bettercloud

      “At Bettercloud, we have a smart, ambitious team dedicated to delighting our customers. Our culture of ownership and transparency empowers our team to achieve goals they didn’t think possible. For all those on board, it’s going to be a challenging and rewarding journey – and we’re just getting started.”

      Ellevest

      “As a team member at Ellevest, you can expect to make a difference through your work, to have a direct impact on the achievement of a very meaningful mission, to significantly advance your career trajectory, and to have room for fun and fulfillment in your daily life. We know that achieving a mission as critical as ours requires incredible talent and teamwork, and team is the most important thing to us.”

      Sources: Built In, 2021; Workology, 2022

      Ensure your EVP resonates with employees and prospects

      Test your EVP with internal and external audiences.

      INTERNAL TEST REVOLVES AROUND THE 3A’s

      EXTERNAL TEST REVOLVES AROUND THE 3C’s

      ALIGNED: The EVP is in line with the organization’s purpose, vision, values, and processes. Ensure policies and programs are aligned with the organization’s EVP.

      CLEAR: The EVP is straightforward, simple, and easy to understand. Without a clear message in the market, even the best intentioned EVPs can be lost in confusion.

      ACCURATE: The EVP is clear and compelling, supported by proof points. It captures the true employee experience, which matches the organization’s communication and message in the market.

      COMPELLING: The EVP emphasizes the value created for employees and is a strong motivator to join this organization. A strong EVP will be effective in drawing in external candidates. The message will resonate with them and attract them to your organization.

      ASPIRATIONAL: The EVP inspires both individuals and the IT organization as a whole. Identify and invest in the areas that are sure to generate the highest returns for employees.

      COMPREHENSIVE: The EVP provides enough information for the potential employee to understand the true employee experience and to self-assess whether they are a good fit for your organization. If the EVP lacks depth, the potential employee may have a hard time understanding the benefits and rewards of working for your organization.

      Want to learn more?

      Recruit IT Talent

      • Improve candidate experience to hire top IT talent.

      Recruit and Retain More Women in IT

      • Gender diversity is directly correlated to IT performance.

      Recruit and Retain People of Color in IT

      • Good business, not just good philanthropy.

      Enhance Your Recruitment Strategies

      The way you position the organization impacts who is likely to apply to posted positions.

      Market your EVP to potential candidates: Employer Brand

      Employer brand includes how you market the EVP internally and externally – consistency is key

      The employer brand is the perception internal and external stakeholders hold of the organization and exists whether it has been curated or not. Curating the employer brand involves marketing the organization and employee experience. Grounding your employer brand in your EVP enables you to communicate and market an accurate portrayal of your organization and employee experience and make you desirable to both current and potential employees.

      The image contains a picture of several shapes. There is a trapezoid that is labelled EVP, and has a an arrow pointing to the text beside it. There is also an arrowing pointing down from it to another trapezoid that is labelled Employer Brand.

      The unique offering an employer provides to employees in return for their effort, motivating them to join or remain at the organization.

      The perception internal and external stakeholders hold of the organization.

      Alignment between the EVP, employer brand, and corporate brand is the ideal branding package. An in-sync marketing strategy ensures stakeholders perceive and experience the brand the same way, creating brand ambassadors.

      The image contains three circles that are connected. The circles are labelled: EVP, Employer Brand, Corporate Brand.

      Ensure your branding material creates a connection

      How you present your employer brand is just as important as the content. Ideally, you want the viewer to connect with and personalize the material for the message to have staying power. Use Marketing’s expertise to help craft impactful promotional materials to engage and excite the viewer.

      Visuals

      Images are often the first thing viewers notice. Use visuals that connect to your employer brand to engage the viewer’s attention and increase the likelihood that your message will resonate. However, if there are too many visuals this may detract from your content – balance is key!

      Language

      Wordsmithing is often the most difficult aspect of marketing. Your message should be accurate, informative, and engaging. Work with Marketing to ensure your wording is clever and succinct – the more concise, the better.

      Composition

      Integrate visuals and language to complete your marketing package. Ensure that the text and images are balanced to draw in the viewer.

      Case Study: Using culture to drive your talent pool

      This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.

      Recruiting at NASA

      Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.

      NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.

      Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.

      Rural location and no flexible work options add to the complexity of recruiting

      The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.

      The image contains a picture of Steve Thornton.

      “Looking for a Talent Unicorn: a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”

      Steve Thornton

      Acting Division Chief, Solutions Division, Goddard Space Flight Center, NASA

      Case Study: Using culture to drive your talent pool

      A good brand overcomes challenges.

      Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.

      NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.

      The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.

      The image contains a picture of Robert Leahy.

      Interview with Robert Leahy

      Chief Information Officer, Goddard Space Flight Center, NASA

      2.1 Assess your organization’s employer brand

      1. Go to tab 2.1 in the Improve Your IT Recruitment Workbook.
      2. Put yourself in the shoes of someone on the outside looking in. If they were to look up your organization, what impression would they be given about what is like to work there?
      3. Run a Google search on your organization with key words “jobs,” “culture,” and “working environment” to see what a potential candidate would see when they begin researching your organization.
      4. You can use sites like:

      • Glassdoor
      • Indeed company pages
      • LinkedIn company pages
      • Social media
      • Your own website
    • Identify what your organization is doing well and record that under the “Continue” box in your workbook.
    • Record anything your organization should stop doing under the “Stop” box.
    • Brainstorm some ideas that your organization should think about implementing to improve the employer brand under the “Start” Box.
    • Input Output
      • Existing branding material on the internet
      • A clearer understanding of the current employer brand and how it could be improved
      Materials Participants
      • Workbook handout
      • Senior IT Leaders

      Want to learn more?

      Recruit IT Talent

      • Improve candidate experience to hire top IT talent.

      Recruit and Retain More Women in IT

      • Gender diversity is directly correlated to IT performance.

      Recruit and Retain People of Color in IT

      • Good business, not just good philanthropy.

      Enhance Your Recruitment Strategies

      The way you position the organization impacts who is likely to apply to posted positions.

      Create engaging job ads to attract talent to the organization

      We have a job description; can I just post that on Indeed?

      A job description is an internal document that includes sections such as general job information, major responsibilities, key relationships, qualifications, and competencies. It communicates job expectations to incumbents and key job data to HR programs.

      A job ad is an externally facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP.

      Write an Effective Job Ad

      • Ensure that your job ad speaks to the audience you are targeting through the language you use.
        • E.g. If you are hiring for a creative role, use creative language and formatting. If you are writing for students, emphasize growth opportunities.
      • Highlight the organization’s EVP.
      • Paint an accurate picture of key aspects of the role but avoid the nitty gritty as it may overwhelm applicants.
      • Link to your organization’s website and social media platforms so applicants can easily find more information.

      A job description informs a job ad, it doesn’t replace it. Don’t be lulled into using a job description as a posting when there’s a time crunch to fill a position. Refer to job postings as job advertisements to reinforce that their purpose is to attract attention and talent.

      An effective job posting contains the following elements:

      Position Title
      • Clearly defined job titles are important for screening applicants as this is one of the first things the candidate will read.
      • Indicating the earnings range that the position pays cuts out time spent on reviewing candidates who may never accept the position and saves them from applying to a job that doesn’t match what they are looking for.
      Company
      • Provide a brief description of the organization including the products or services it offers, the corporate culture, and any training and career development programs.
      Summary Description
      • Describe briefly why the position exists. In other words, what is the position's primary purpose? The statement should include the overall results the job is intended to produce and some of the key means by which the position achieves these results.
      Responsibilities
      • Use bullet points to list the fundamental accountabilities of the position. Candidates want to know what they will be doing on a day-to-day basis.
      • Begin each responsibility or accountability statement with an action word and follow with a brief phrase to describe what is done to accomplish the function.
      Position Characteristics
      • Give examples of key problems and thinking challenges encountered by the position. Describe the type of analysis or creativity required to resolve these problems.
      • Provide examples of final decision-making authority. The examples should reflect the constraints placed on the position by people, policies, and/or procedures.
      Position Requirements
      • List all formal education and certifications required.
      • List all knowledge and experience required.
      • List all personal attributes required.
      Work Conditions
      • List all work conditions that the employee must accommodate. This could include any sensory, physical, or mental requirements of the position or any special conditions of employment, such as hours.
      Process to Apply
      • Include the methods in which the organization wants to receive applications and contact information of who will receive the applications.

      Bottom Line: A truly successful job posting ferrets out those hidden stars that may be over cautious and filters out hundreds of applications from the woefully under qualified.

      The do’s and don’ts of an inclusive job ad

      DON’T overlook the power of words. Avoid phrases like “strong English language skills” as this may deter non-native English speakers from applying and a “clean-shaven” requirement can exclude candidates whose faith requires them to maintain facial hair.

      DON’T post a long requirements list. A study showed that the average jobseeker spends only 49.7 seconds reviewing a listing before deciding it's not a fit.*

      DON’T present a toxic work culture; phrases such as “work hard, play hard” can put off many candidates and play into the “bro- culture” stereotype in tech.

      Position Title: Senior Lorem Ipsum

      Salary Band: $XXX to $XXX

      Diversity is a core value at ACME Inc. We believe that diversity and inclusion is our strength, and we’re passionate about building an environment where all employees are valued and can perform at their best.

      As a … you will …

      Our ideal candidate ….

      Required Education and Experience

      • Bachelor’s degree in …
      • Minimum five (5) years …

      Required Skills

      Preferred Skills

      At ACME Inc. you will find …

      DO promote pay equity by being up front and honest about salary expectations.

      DO emphasize your organization’s commitment to diversity and an inclusive workplace by adding an equity statement.

      DO limit your requirements to “must haves” or at least showcase them first before the “nice-to-haves.”

      DO involve current employees or members of your employee resource groups when creating job descriptions to ensure that they ask for what you really need.

      DO focus on company values and criteria that are important to the job, not just what’s always been done.

      *Source: Ladders, 2013

      Before posting the job ad complete the DEI job posting validation checklist

      Does the job posting highlight your organization’s EVP

      Does the job posting avoid words that might discourage women, people of color, and other members of underrepresented groups from applying?

      Has the position description been carefully reviewed and revised to reflect current and future expectations for the position, rather than expectations informed by the persons who have previously held the job?

      Has the hiring committee eliminated any unnecessary job skills or requirements (college degree, years or type of previous experience, etc.) that might negatively impact recruitment of underrepresented groups?

      Has the hiring committee posted the job in places (job boards, websites, colleges, etc.) where applicants from underrepresented groups will be able to easily view or access it?

      Have members of the hiring committee attended job fairs or other events hosted by underrepresented groups?

      Has the hiring committee asked current employees from underrepresented groups to spread the word about the position?

      Has the hiring committee worked with the marketing team to ensure that people from diverse groups are featured in the organization’s website, publications, and social media?

      es the job description clearly demonstrate the organization’s and leadership’s commitment to DEI?

      *Source: Recruit and Retain People of Color in IT

      3.1 Review and update your job ads

      1. Download the Job Ad Template.
      2. Look online or ask HR for an example of a current job advertisement you are using.
      • If you don’t have one, you can use a job description as a starting point.
    • Review all the elements of the job ad and make sure they align with the list on the previous slide, adding or changing, as necessary. Your job ad should be no more than two pages long.
    • Using the tools on the previous two slides, review your first draft to ensure the job posting is free of language or elements that will discourage diverse candidates from applying.
    • Review your job advertisement with HR to get feedback or to use as a template going forward.
    • Input Output
      • Existing job ad or job description
      • Updated job ad
      Materials Participants
      • Job ad or job description
      • Job Ad Template
      • Hiring Managers

      Want to learn more?

      Recruit IT Talent

      • Improve candidate experience to hire top IT talent.

      Recruit and Retain More Women in IT

      • Gender diversity is directly correlated to IT performance.

      Recruit and Retain People of Color in IT

      • Good business, not just good philanthropy.

      Enhance Your Recruitment Strategies

      Focus on key programs and tactics to improve the effectiveness of your sourcing approach.

      Get involved with sourcing to get your job ad seen

      To meet growing expectations, organizations need to change the way they source

      Social Media

      Social media has trained candidates to expect:

      • Organizations to stay in touch and keep track of them.
      • A personalized candidate experience.
      • To understand organizational culture and a day in the life.

      While the focus on the candidate experience is important throughout the talent acquisition process, social media, technology, and values have made it a critical component of sourcing.

      Technology

      Candidates expect to be able to access job ads from all platforms.

      • Today, close to 90% of candidates use a mobile platform to job hunt (SmartRecruiters, 2022).
      • However, only 36% of organizations are optimizing their job postings for mobile. (The Undercover Recruiter, 2021)

      Job ads must be clear, concise, and easily viewed on a mobile device.

      Candidate Values

      Job candidate’s values are changing.

      • There is a growing focus on work/life balance, purpose, innovation, and career development. Organizations need to understand candidate values and highlight how the EVP aligns with these interests.

      Authenticity remains important.

      • Clearly and accurately represent your organization and its culture.

      Focus on key programs and tactics to improve the effectiveness of your sourcing approach

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      Take advantage of your current talent with an internal talent mobility program

      What is it?

      Positioning the right talent in the right place, at the right time, for the right reasons, and supporting them appropriately.

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      ITM program benefits:

      1. Retention
      2. Provide opportunities to develop professionally, whether in the current role or through promotions/lateral moves. Keep strong performers and high-potential employees committed to the organization.

      3. Close Skills Gap
      4. Address rapid change, knowledge drain due to retiring Baby Boomers, and frustration associated with time to hire or time to productivity.

      5. Cost/Time Savings
      6. Reduce spend on talent acquisition, severance, time to productivity, and onboarding.

      7. Employee Engagement
      8. Increase motivation and productivity by providing increased growth and development opportunities.

      9. EVP
      10. Align with the organization’s offering and what is important to the employees from a development perspective.

      11. Employee & Leadership Development
      12. Support and develop employees from all levels and job functions.

      Leverage social media to identify and connect with talent

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      What is it? The widely accessible electronic tools that enable anyone to publish and access information, collaborate on common efforts, and build relationships.

      Learning to use social media effectively is key to sourcing the right talent.

      • Today, 92% of organizations leverage social media for talent acquisition.
      • 80% of employers find passive candidates through social media – second only to referrals.
      • 86% percent of job seekers used social media for their most recent job search.
      (Ku, 2021)

      Benefits of social media:

      • Provides access to candidates who may not know the organization.
      • Taps extended networks.
      • Facilitates consistent communication with candidates and talent in pipelines.
      • Personalizes the candidate experience.
      • Provides access to extensive data.

      Challenges of social media:

      With the proliferation of social media and use by most organizations, social media platforms have become overcrowded. As a result:

      • Organizations are directly and very apparently competing for talent with competitors.
      • Users are bombarded with information and are tuning out.

      “It is all about how we can get someone’s attention and get them to respond. People are becoming jaded.”

      – Katrina Collier, Social Recruiting Expert, The Searchologist

      Reap the rewards of an employee referral program

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      What is it? Employees recommend qualified candidates. If the referral is hired, the referring employee typically receives some sort of reward.

      Benefits of an employee referral program:

      1. Lower Recruiting Costs
      2. 55% of organizations report that hiring a referral is less expensive that a non-referred candidate (Clutch, 2020).

      3. Decreased time to fill
      4. The average recruiting lifecycle for an employee referral is 29 days, compared with 55 days for a non referral (Betterup, 2022).

      5. Decreased turnover
      6. 46% percent of employees who were referred stay at their organization for a least one year, compared to 33% of career site hires (Betterup, 2022).

      7. Increased quality of hire
      8. High performers are more likely to refer other high performers to an organization (The University of Chicago Press, 2019).

      Avoid the Like Me Bias: Continually evaluate the diversity of candidates sourced from the employee referral program. Unless your workforce is already diverse, referrals can hinder diversity because employees tend to recommend people like themselves.

      Tap into your network of former employees

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      What is it? An alumni referral program is a formalized way to maintain ongoing relationships with former employees of the organization.

      Successful organizations use an alumni program:

      • 98% of the F500 have some sort of Alumni program (LinkedIn, 2019).

      Benefits of an alumni program:

      1. Branding
      • Alumni are regarded as credible sources of information. They can be a valuable resource for disseminating and promoting the employer brand.
    • Source of talent
      • Boomerang employees are doubly valuable as they understand the organization and also have developed skills and industry experience.
        • Recover some of the cost of turnover and cost per hire with a pool of prequalified candidates who will more quickly reach full productivity.
    • Referral potential
      • Developing a robust alumni network provides access to a larger network through referrals.
      • Alumni already know what is required to be successful in the organization so they can refer more suitable candidates.

      Make use of a campus recruiting program

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      What is it? A formalized means of attracting and hiring individuals who are about to graduate from schools, colleges, or universities.

      Almost 70% of companies are looking to employ new college graduates every year (HR Shelf, 2022).

      Campus recruitment benefits:

      • Increases employer brand awareness among talent entering the workforce.
      • Provides the opportunity to interact with large groups of potential candidates at one time.
      • Presents the opportunity to identify and connect with high-quality talent before they graduate and are actively looking for positions.
      • Offers access to a highly diverse audience.

      Info-Tech Insight

      Target schools that align with your culture and needs. Do not just focus on the most prestigious schools: they are likely more costly, have more intense competition, and may not actually provide the right talent.

      Identify opportunities to integrate non-traditional techniques

      Internal Talent Mobility (ITM) Program

      Social Media Program

      Employee Referral Program

      Alumni Program

      Campus Recruiting Program

      Other Sourcing Tactics

      1. Professional industry associations
      • Tap into candidates who have the necessary competencies.

      5. Not-for-profit intermediaries

      • Partner with not-for-profits to tap into candidates in training or mentorship programs.
      • Example:
        • Year Up (General)
        • Bankwork$ (Banking)
        • Youth Build (Construction)
        • iFoster (Grocery)

      American Expresscreated a boot camp for software engineers in partnership with Year Up and Gateway Community College to increase entry-level IT hires.

      Results:

      • Annually hire 80-100 interns from Year Up.
      • Improved conversion rates: 72% of Year Up interns versus 60% of traditional interns.
      • Increased retention: 44 (Year Up) versus 18 months (traditional).
      (HBR, 2016)

      2. Special interest groups

      • Use for niche role sourcing.
      • Find highly specialized talent.
      • Drive diversity (Women in Project Management).

      6. Gamification

      • Attract curiosity and reaffirm innovation at your organization.
      • Communicate the EVP.
      3. Customers
      • Access those engaged with the organization.
      • Add the employer brand to existing messaging.

      PwC (Hungary) created Multiploy, a two-day game that allows students to virtually experience working in accounting or consulting at the organization.

      Results:

      • 78% of students said they wanted to work for PwC.
      • 92% indicated they had a more positive view of the firm.
      • Increase in the number of job applicants.
      (Zielinski, 2015)

      4. Exit interviews

      • Ask exiting employees “where should we recruit someone to replace you?”
      • Leverage their knowledge to glean insight into where to find talent.

      Partner with other organizational functions to build skills and leverage existing knowledge

      Use knowledge that already exists in the organization to improve talent sourcing capabilities.

      Marketing

      HR

      Marketing knows how to:

      • Build attention-grabbing content.
      • Use social media platforms effectively.
      • Effectively promote a brand.
      • Use creative methods to connect with people.

      HR knows how to:

      • Organize recruitment activities.
      • Identify the capabilities of various technologies available to support sourcing.
      • Solve issues that may arise along the way

      To successfully partner with other departments in your organization:

      • Acknowledge that they are busy. Like IT, they have multiple competing priorities.
      • Present your needs and prioritize them. Create a list of what you are looking for and then be willing to just pick your top need. Work with the other department to decide what needs can and cannot be met.
      • Present the business case. Emphasize how partnering is mutually beneficial. For example, illustrate to Marketing that promoting a strong brand with candidates will improve the organization’s overall reputation because often, candidates are customers.
      • Be reasonable and patient. You are asking for help, so be moderate in your expectations and flexible in working with your partner.

      Info-Tech Insight

      Encourage your team to seek out, and learn from, employees in different divisions. Training sessions with the teams may not always be possible but one-on-one chats can be just as effective and may be better received.

      5.1 Review the effectiveness of existing sourcing programs

      1. As a group review the description of each program as defined on previous slides. Ensure that everyone understands the definitions.
      2. In your workbook, look for the cell Internal Talent Mobility under the title; you will find five rows with the following
      • This program is formally structured and documented.
      • This program is consistently applied across the organization.
      • Talent is sourced this way on an ad hoc basis.
      • Our organization currently does not source talent this way.
      • There are metrics in place to assess the effectiveness of this program.
    • Ask everyone in the group if they agree with the statement for each column; once everyone has had a chance to answer each of the questions, discuss any discrepancies which exist.
    • After coming to a consensus, record the answers.
    • Repeat this process for the other four sourcing programs (social media, employee referral program, alumni network program, and campus recruiting program).
    • InputOutput
      • Existing knowledge on sourcing approach
      • Low usage sourcing methods identified for development
      MaterialsParticipants
      • Workbook
      • Hiring Managers

      Want to learn more?

      Recruit IT Talent

      • Improve candidate experience to hire top IT talent.

      Recruit and Retain More Women in IT

      • Gender diversity is directly correlated to IT performance.

      Recruit and Retain People of Color in IT

      • Good business, not just good philanthropy.

      Enhance Your Recruitment Strategies

      Interviews are the most often used yet poorly executed hiring tool.

      Create a high-quality interview process to improve candidate assessment

      Everyone believes they’re a great interviewer; self-assess your techniques, and “get real” to get better

      If you…

      • Believe everything the candidate says.
      • Ask mostly hypothetical questions: "What would you do in a situation where…"
      • Ask gimmicky questions: "If you were a vegetable, what vegetable would you be?"
      • Ask only traditional interview questions: "What are your top three strengths?”
      • Submit to a first impression bias.
      • Have not defined what you are looking for before the interview.
      • Ignore your gut feeling in an attempt to be objective.
      • Find yourself loving a candidate because they are just like you.
      • Use too few or too many interviewers in the process.
      • Do not ask questions to determine the motivational fit of the candidate.
      • Talk more than the interviewee.
      • Only plan and prepare for the interview immediately before it starts.

      …then stop. Use this research!

      Most interviewers are not effective, resulting in many poor hiring decisions, which is costly and counter-productive

      Most interviewers are not effective…

      • 82% of organizations don’t believe they hire highly talented people (Trost, 2022).
      • Approximately 76% of managers and HR representatives that McLean & Company interviewed agreed that the majority of interviewers are not very effective.
      • 66% of hiring managers come to regret their interview-based hiring decisions (DDI, 2021).

      …because, although everyone knows interviewing is a priority, most don’t make it one.

      • Interviewing is often considered an extra task in addition to an employee’s day-to-day responsibilities, and these other responsibilities take precedence.
      • It takes time to effectively design, prepare for, and conduct an interview.
      • Employees would rather spend this time on tasks they consider to be an immediate priority.

      Even those interviewers who are good at interviewing, may not be good enough.

      • Even a good interviewer can be fooled by a great interviewee.
      • Some interviewees talk the talk, but don’t walk the walk. They have great interviewing abilities but not the skills required to be successful in the specific position for which they are interviewing.
      • Even if the interviewer is well trained and prepared to conduct a strong interview, they can get caught up with an interviewee that seems very impressive on the surface, and end up making a bad hire.

      Preparing the Perfect Interview

      Step 5: Define decision rights

      Establish decision-making authority and veto power to mitigate post-interview conflicts over who has final say over a candidate’s status.

      Follow these steps to create a positive interview experience for all involved.

      Step 1: Define the ideal candidate profile; determine the attributes of the ideal candidate and their relative importance

      Define the attributes of the ideal candidate…

      Ideal candidate = Ability to do the job + Motivation to do the job + Fit

      Competencies

      • Education
      • Credentials
      • Technical skills
      • Career path
      • Salary expectations
      • Passion
      • Potential
      • Personality
      • Managerial style/preference

      Experiences

      • Years of service
      • Specific projects
      • Industry

      Data for these come from:

      • Interviews
      • Personality tests
      • Gut instinct or intuition

      Data for these come from:

      • Resumes
      • Interviews
      • Exercises and tests
      • References

      Caution: Evaluating for “organizational or cultural fit” can lead to interviewers falling into the trap of the “like me” bias, and excluding diverse candidates.

      …then determine the importance of the attributes.

      Non-negotiable = absolutely required for the job!

      Usually attributes that are hard to train, such as writing skills, or expensive to acquire after hire, such as higher education or specific technical skills.

      An Asset

      Usually attributes that can be trained, such as computer skills. It’s a bonus if the new hire has it.

      Nice-to-have

      Attributes that aren’t necessary for the job but beneficial. These could help in breaking final decision ties.

      Deal Breakers: Also discuss and decide on any deal breakers that would automatically exclude a candidate.

      The job description is not enough; meet with stakeholders to define and come to a consensus on the ideal candidate profile

      Definition of the Ideal Candidate

      • The Hiring Manager has a plan for the new hire and knows the criteria that will best fulfill that mandate.
      • The Executive team may have specific directives for what the ideal candidate should look like, depending on the level and critical nature of the position.
      • Industry standards, which are defined by regulatory bodies, are available for some positions. Use these to identify skills and abilities needed for the job.
      • Competitor information such as job descriptions and job reviews could provide useful data about a similar role in other organizations.
      • Exit interviews can offer insight into the most challenging aspects of the job and identify skills or abilities needed for success.
      • Current employees who hold the same or a similar position can explain the nuances of the day-to-day job and what attributes are most needed on the team.

      “The hardest work is accurately defining what kind of person is going to best perform this job. What are their virtues? If you’ve all that defined, the rest is not so tough.”

      – VP, Financial Services

      Use a scorecard to document the ideal candidate profile and help you select a superstar

      1. Download the Workbook and go to tab 6.1.
      2. Document the desired attributes for each category of assessment: Competencies, Experiences, Fit, and Motivation. You can find an Attribute Library on the next tab.
      3. Rank each attribute by level of priority: Required, Asset, or Nice-to-Have.
      4. Identify deal breakers that would automatically disqualify a candidate from moving forward.
      InputOutput
      • Job description
      • Stakeholder input
      • Ideal candidate persona
      MaterialsParticipants
      • Workbook
      • Hiring Managers

      To identify questions for screening interviews, use the Screening Interview Template

      A screening interview conducted by phone should have a set of common questions to identify qualified candidates for in-person interviews.

      The Screening Interview Template will help you develop a screening interview by providing:

      • Common screening questions that can be modified based on organizational needs and interview length.
      • Establishing an interview team.
      • A questionnaire format so that the same questions are asked of all candidates and responses can be recorded.

      Once completed, this template will help you or HR staff conduct candidate screening interviews with ease and consistency. Always do screening interviews over the phone or via video to save time and money.

      Info-Tech Insight

      Determine the goal of the screening interview – do you want to evaluate technical skills, communication skills, attitude, etc.? – and create questions based on this goal. If evaluating technical skill, have someone with technical competency conduct the interview.

      The image contains screenshots of the Screening Interview Template.

      Step 2: Choose interview types and techniques that best assess the ideal candidate attributes listed on the position scorecard

      There is no best interview type or technique for assessing candidates, but there could be a wrong one depending on the organization and job opening.

      • Understanding common interviewing techniques and types will help inform your own interviewing strategy and interview development.
      • Each interview technique and type has its own strengths and weakness and can be better suited for a particular organizational environment, type of job, or characteristic being assessed.
      The image contains a diagram to demonstrate the similarities and differences of Interview Technique and Interview Type. There is a Venn Diagram, the right circle is labelled: Interview Technique, and the right is: Interview Type. There is a double sided arrow below that has the following text: Unstructure, Semi-Structured, and Structured.

      Unstructured: A traditional method of interviewing that involves no constraints on the questions asked, no requirements for standardization, and a subjective assessment of the candidate. This format is the most prone to bias.

      Semi-Structured: A blend of structured and unstructured, where the interviewer will ask a small list of similar questions to all candidates along with some questions pertaining to the resume.

      Structured: An interview consisting of a standardized set of job-relevant questions and a scoring guide. The goal is to reduce interviewer bias and to help make an objective and valid decision about the best candidate.

      No matter which interview types or techniques you use, aim for it to be as structured as possible to increase its validity

      The validity of the interview increases as the degree of interview structure increases.

      Components of a highly structured interview include:

      1. Interview questions are derived from a job analysis (they are job related).
      2. Interview questions are standardized (all applicants are asked the same questions).
      3. Prompting, follow-up questioning, probing, and/or elaboration on questions are limited. Try to identify all prompts, follow-ups, and probes beforehand and include them in the interview guide so that all candidates get the same level of prompting and probing.
      4. Interview questions focus on behaviors or work samples rather than opinions or self-evaluations.
      5. Interviewer access to ancillary information (e.g. resumes, letters of reference, test scores, transcripts) is controlled. Sometimes limiting access to these documents can limit interviewer biases.
      6. Questions from the candidate are not allowed until after the interview. This allows the interviewer to stay on track and not go off the protocol.
      7. Each answer is rated during the interview using a rating scale tailored to the question (this is preferable to rating dimensions at the end of the interview and certainly preferable to just making an overall rating or ranking at the end).
      8. Rating scales are “anchored” with behavioral examples to illustrate scale points (e.g. examples of a “1,” “3,” or “5” answer).
      9. Total interview score is obtained by summing across scores for each of the questions.

      The more of these components your interview has, the more structured it is, and the more valid it will be.

      Step 3: Prepare interview questions to assess the attributes you are looking for in a candidate

      The purpose of interviewing is to assess, not just listen. Questions are what help you do this.

      Preparing questions in advance allows you to:

      • Match each question to a position requirement (included in your scorecard) to ensure that you assess all required attributes. Everything assessed should be job relevant!
      • Determine each question’s weighting, if applicable.
      • Give each candidate a chance to speak to all their job-relevant attributes.
      • Keep records should an unselected candidate decide to contest the decision.

      If you don’t prepare in advance:

      • You’ll be distracted thinking about what you are going to ask next and not be fully listening.
      • You likely won’t ask the same questions of all candidates, which impacts the ability to compare across candidates and doesn’t provide a fair process for everyone.
      • You likely won’t ask the questions you need to elicit the information needed to make the right decision.
      • You could ask illegal questions (see Acquire the Right Hires with Effective Interviewing for a list of questions not to ask in an interview).

      Use the Interview Question Planning Guide tab in the Candidate Interview Strategy and Planning Guide to prepare your interview questions.

      Use these tips to draft interview questions:

      • Use job analysis output, in particular the critical incident technique, to develop structured interview questions.
      • Search online or in books for example interview questions for the target position to inform interview question development. Just remember that candidates access these too, so be sure to ask for specific examples, include probing questions, and adapt or modify questions to change them.
      • Situational questions: The situation should be described in sufficient detail to allow an applicant to visualize it accurately and be followed by “what would you do?” Scoring anchors should reflect effective, typical, and ineffective behaviors.
      • Behavioral questions: Should assess a behavioral dimension (e.g. meeting deadlines) and apply to a variety of situations that share the underlying dimension (e.g. at work or school). Scoring anchors should be applicable to a variety of situations and reflect effective, typical, and ineffective behavior.

      Conduct an effective screening interview by listening to non-verbal cues and probing

      Follow these steps to conduct an effective screening interview:

      Introduce yourself and ask if now is a good time to talk. (Before calling, prepare your sales pitch on the organization and the position.)

      You want to catch candidates off guard so that they don’t have time to prepare scripted answers; however, you must be courteous to their schedule.

      Provide an overview of the position, then start asking pre-set questions. Take a lot of notes.

      It is important to provide candidates with as much information as possible about the position – they are deciding whether they are interested in the role as much as you are deciding whether they are suitable.

      Listen to how the questions are answered. Ask follow-up questions when appropriate and especially if the candidate seems to be holding something back.

      If there are long pauses or the candidate’s voice changes, there may be something they aren’t telling you that you should know.

      Be alert to inconsistencies between the resume and answers to the questions and address them.

      It’s important to get to the bottom of issues before the in-person interview. If dates, titles, responsibilities, etc. seem to be inconsistent, ask more questions.

      Ask candidates about their salary expectations.

      It’s important to ensure alignment of the salary expectations early on. If the expectations are much higher than the range, and the candidate doesn’t seem to be open to the lower range, there is no point interviewing them. This would be a waste of everyone’s time.

      Answer the applicant’s questions and conclude the interview.

      Wait until after the interview to rate the applicant.

      Don’t allow yourself to judge throughout the interview, or it could skew questions. Rate the applicant once the interview is complete.

      When you have a shortlist of candidates to invite to an in-person interview, use the Candidate Communication Template to guide you through proper phone and email communications.

      Don’t just prepare top-level interview questions; also prepare probing questions to probe to gain depth and clarity

      Use probing to drill down on what candidates say as much as possible and go beyond textbook answers.

      Question (traditional): “What would you identify as your greatest strength?”

      Answer: Ability to work on a team.

      Top-level interview questions set the stage for probing.

      Your interview script should contain the top two levels of questions in the pyramid and a few probes that you will likely need to ask. You can then drill down further depending on the candidate’s answers.

      Follow-Up Question:

      “Can you outline a particular example when you were able to exercise your teamwork skills to reach a team goal?”

      Probing questions start with asking what, when, who, why, and how, and gain insight into a candidate’s thought process, experiences, and successes.

      Probing Level 1:

      Probe around the what, how, who, when, and where. “How did you accomplish that?”

      How to develop probes? By anticipating the kinds of responses that candidates from different backgrounds or with different levels of experience are likely to give as a response to an interview question. Probes should provide a clear understanding of the situation, the behavior, and the outcome so that the response can be accurately scored. Common probes include:

      • What did you do? What was the outcome?
      • When did this take place (and how long did it take)?
      • Who was involved?
      • Were you leading or being led?
      • How did you accomplish what you did?
      • Why did you take those steps?

      Tailor probes to the candidate’s answers to evoke meaningful and insightful responses.

      Probing Level 2:

      Allow for some creativity.

      “What would you do differently if you were to do it again?”

      Conduct effective interviews and assessments

      Mitigate inherent biases of assessors by integrating formal assessments with objective anchors and clear criteria to create a more inclusive process.

      Consider leveraging behavioral interview questions in your interview to reduce bias.

      • In the past, companies were pushing the boundaries of the conventional interview, using unconventional questions to find top talent, e.g. “what color is your personality?” The logic was that the best people are the ones who don’t necessarily show perfectly on a resume, and they were intent on finding the best.
      • However, many companies have stopped using these questions after extensive statistical analysis revealed there was no correlation between candidates’ ability to answer them and their future performance on the job.
      • Asking behavioral interview questions based on the competency needs of the role is the best way to uncover if the candidates will be able to execute on the job.

      Assessments are created by people that have biases. This often means that assessments can be biased, especially with preferences towards a Western perspective. Even if the same assessments are administered, the questions will be interpreted differently by candidates with varying cultural backgrounds and lived experiences. If assessments do not account for this, it ultimately leads to favoring the answers of certain demographic groups, often ones similar to those who developed the assessment.

      Creating an interview question scorecard

      Attribute you are evaluating

      Probing questions prepared

      Area to take notes

      The image contains a screenshot of an Interview question scorecard.

      Exact question you will ask

      Place to record score

      Anchored scale with definitions of a poor, ok and great answer

      Step 4: Assemble an interview team

      HR and the direct reporting supervisor should always be part of the interview. Make a good impression with a good interview team.

      The must-haves:

      • The Future Manager should always be involved in the process. They should be comfortable with the new hire’s competencies and fit.
      • Human Resources should always be involved in the process – they maintain consistency, legality, and standardization. It’s their job to know the rules and follow them. HR may coordinate and maintain policy standards and/or join in assessing the candidate.
      • There should always be more than just one interviewer, even if it is not at the same time. This helps keep the process objective, allows for different opinions, and gives the interviewee exposure to multiple individuals in the company. But, try to limit the number of panel members to four or less.

      “At the end of the day, it’s the supervisor that has to live with the person, so any decision that does not involve the supervisor is a very flawed process.” – VP, Financial Services

      The nice-to-haves:

      • Future colleagues can offer benefits to both the interviewee and the colleague by:
        • Giving the candidate some insight into what their day-to-day job would be.
        • Relaxing the candidate; allowing for a less formal, less intimidating conversation.
        • Introducing potential teammates for a position that is highly collaborative.
        • Offering the interviewer an excellent professional development opportunity – a chance to present their understanding of what they do.
      • Executives should take part in interviewing for executive hiring, individuals that will report to an executive, or for positions that are extremely important. Executive time is scarce and expensive, so only use it when absolutely necessary.

      Record the interview team details in the Candidate Interview Strategy and Planning Guide template.

      Assign interviewers roles inside and outside the actual interview

      Define Interview Process Roles

      Who Should… Contact candidates to schedule interviews or communicate decisions?

      Who Should… Be responsible for candidate welcomes, walk-outs, and hand-offs between interviews?

      Who Should… Define and communicate each stakeholder’s role?

      Who Should… Chair the preparation and debrief meetings and play the role of the referee when trying to reach a consensus?

      Define Interview Roles

      • Set a role for each interviewer so they know what to focus on and where they fit into the process (e.g. Interviewer A will assess fit). Don’t ad hoc the process and allow everyone to interview based on their own ideas.
      • Consider interviewer qualifications and the impact of the new employee on each interviewer, when deciding the roles of each interviewer (i.e. who will interview for competency and who will interview for fit).
        • For example, managers may be most impacted by technical competencies and should be the interviewer to evaluate the candidate for technical competency.

      “Unless you’ve got roles within the panel really detailed and agreed upon, for example, who is going to take the lead on what area of questions, you end up with a situation where nobody is in charge or accountable for the final interview assessment." – VP, Financial Services

      Info-Tech Insight

      Try a Two Lens Assessment: One interviewer assesses the candidate as a project leader while another assesses them as a people leader for a question such as “Give me an example of when you exercised your leadership skills with a junior team member.”

      Step 5: Set decision rights in stone and communicate them in advance to manage stakeholder expectations and limit conflict

      All interviewers must understand their decision-making authority prior to the interview. Misunderstandings can lead to resentment and conflict.

      It is typical and acceptable that you, as the direct reporting manager, should have veto power, as do some executives.

      Veto Power

      Direct Supervisor or Manager

      Decision Makers: Must Have Consensus

      Other Stakeholders

      Direct Supervisor’s Boss

      Direct Supervisor

      Contributes Opinion

      HR Representative

      Peer

      After the preliminary interview, HR should not be involved in making the decision unless they have a solid understanding of the position.

      Peers can make an unfair assessment due to perceived competition with a candidate. Additionally, if a peer doesn’t want a candidate to be hired and the direct supervisor does hire the candidate, the peer may hold resentment against that candidate and set the team up for conflict.

      The decision should rest on those who will interact with the candidate on a daily basis and who manage the team or department that the candidate will be joining.

      The decisions being made can include whether or not to move a candidate onto the next phase of the hiring process or a final hiring decision. Deciding decision rights in advance defines accountability for an effective interview process.

      Create your interview team, assessments, and objective anchor scale

      1. Download the Behavioral Interview Question Library as a reference.
      2. On tab 9 of your workbook, document all the members of the team and their respective roles in the interview process. Fill in the decision-making authority section to ensure every team member is held accountable to their assigned tasks and understands how their input will be used.
      3. For each required attribute in the Ideal Candidate Scorecard, chose one to two questions from the library that can properly evaluate that attribute.
      4. Copy and paste the questions and probing questions into the Interview Guide Template.
      5. Create an objective anchor scale and clearly define what a poor, ok, and great answer to each question is.

      Download the Behavioral Interview Question Library

      Input Output
      • List of possible team members
      • Ideal Candidate Scorecard
      • Finalized hiring panel
      • Finalized interview and assessment process
      Materials Participants
      • IT Behavioral Interview Question Library
      • Workbook
      • Interview Guide Template
      • IT leadership team
      • IT staff members

      Conduct an effective, professional, and organized in-person interview

      Give candidates a warm, genuine greeting. Introduce them to other interviewers present. Offer a drink. Make small talk.

      “There are some real advantages to creating a comfortable climate for the candidate; the obvious respect for the individual, but people really let their guard down.”

      – HR Director, Financial Services

      Give the candidate an overview of the process, length, and what to expect of the interview. Indicate to the candidate that notes will be taken during the interview.

      If shorter than an hour, you probably aren’t probing enough or even asking the right questions. It also looks bad to candidates if the interview is over quickly.

      Start with the first question in the interview guide and make notes directly on the interview guide (written or typed) for each question.

      Take lots of notes! You think you’ll remember what was said, but you won’t. It also adds transparency and helps with documentation.

      Ask the questions in the order presented for interview consistency. Probe and clarify as needed (see next slide).

      Keep control of the interview by curtailing any irrelevant or long-winded responses.

      After all interview questions are complete, ask candidates if there was anything about their qualifications that was missed that they want to highlight.

      Lets you know they understand the job and gives them the feeling they’ve put everything on the table.

      Ask if the candidate has any questions. Respond to the questions asked.

      Answer candidate questions honestly because fit works both ways. Ensure candidates leave with a better sense of the job, expectations, and organizational culture.

      Review the compensation structure for the position and provide a realistic preview of the job and organization.

      Provide each candidate with a fair chance by maintaining a consistent interview process.

      Tell interviewees what happens next in the process, the expected time frame, and how they will be informed of the outcome. Escort them out and thank them for the interview.

      The subsequent slides provide additional detail on these eight steps to conducting an effective interview.

      Avoid these common biases and mistakes

      Common Biases

      Like-me effect: An often-unconscious preference for, and unfairly positive evaluation of, a candidate based on shared interests, personalities, and experiences, etc.

      Status effect: Overrating candidates based on the prestige of previously held positions, titles, or schools attended.

      Recency bias: Placing greater emphasis on interviews held closer to the decision-making date.

      Contrast effect: Rating candidates relative to those who precede or follow them during the interview process, rather than against previously determined data.

      Solution

      Assess candidates by using existing competency-based criteria.

      Common Mistakes

      Negative tone: Starting the interview on a negative or stressful note may derail an otherwise promising candidate.

      Poor interview management: Letting the candidate digress may leave some questions unanswered and reduce the interview value.

      Reliance of first impressions: Basing decisions on first impressions undermines the objectivity of competency-based selection.

      Failure to ask probing questions: Accepting general answers without asking follow-up questions reduces the evidentiary value of the interview.

      Solution

      Follow the structured interview process you designed and practiced.

      Ask the questions in the order presented in the interview guide, and probe and clarify as needed

      Do...

      Don’t…

      Take control of the interview by politely interrupting to clarify points or keep the interviewee on topic.

      Use probing to drill down on responses and ask for clarification. Ask who, what, when, why, and how.

      Be cognizant of confidentiality issues. Ask for a sample of work from a past position.

      Focus on knowledge or information gaps from previous interviews that need to be addressed in the interview.

      Ensure each member of a panel interview speaks in turn and the lead is given due respect to moderate.

      Be mean when probing. Intimidation actually works against you and is stressful for candidates. When you’re friendly, candidates will actually open up more.

      Interrupt or undermine other panel members. Their comments and questions are just as valid as yours are, and treating others unprofessionally gives a bad impression to the candidate.

      Ask illegal questions. Questions about things like religion, disability, and marital and family status are off limits.

      When listening to candidate responses, watch for tone, body language, and red flags

      Do...

      While listening to responses, also watch out for red and yellow flags.

      Listen to how candidates talk about their previous bosses – you want it to be mainly positive. If their discussion of past bosses reflects a strong sense of self-entitlement or a consistent theme of victimization, this could be a theme in their behavior and make them hard to work with.

      Red Flag

      A concern about something that would keep you from hiring the person.

      Yellow Flag

      A concern that needs to be addressed, but wouldn’t keep you from hiring the person.

      Pay attention to body language and tone. They can tell you a lot about candidate motivation and interest.

      Listen to what candidates want to improve. It’s an opportunity to talk about development and advancement opportunities in the organization.

      Not all candidates have red flags, but it is important to keep them in mind to identify potential issues with the candidate before they are hired.

      Don’t…

      Talk too much! You are there to listen. Candidates should do about 80% of the talking so you can adequately evaluate them. Be friendly, but ensure to spend the time allotted assessing, not chatting.

      If you talk too much, you may end up hiring a weak candidate because you didn’t perceive weaknesses or not hire a strong candidate because you didn’t identify strengths.

      What if you think you sense a red or yellow flag?

      Following the interview, immediately discuss the situation with others involved in the recruitment process or those familiar with the position, such as HR, another hiring manager, or a current employee in the role. They can help evaluate if it’s truly a matter of concern.

      Increase hiring success: Give candidates a positive perception of the organization in the interview

      Great candidates want to work at great organizations.

      When the interviewer makes a positive impression on a candidate and provides a positive impression of the organization it carries forward after they are hired.

      In addition, better candidates can be referred over the course of time due to higher quality networking.

      As much as choosing the right candidate is important to you, make sure the right candidate wants to choose you and work for your organization.

      The image contains a screenshot of a graph to demonstrate the percent of successful hires relates strongly to interviewers giving candidates a positive perception of the organization.

      Interview advice seems like common sense, but it’s often not heeded, resulting in poor interviews

      Don’t…

      Believe everything candidates say. Most candidates embellish and exaggerate to find the answers they think you want. Use probing to drill down to specifics and take them off their game.

      Ask gimmicky questions like “what color is your soul?” Responses to these questions won’t give you any information about the job. Candidates don’t like them either!

      Focus too much on the resume. If the candidate is smart, they’ve tailored it to match the job posting, so of course the person sounds perfect for the job. Read it in advance, highlight specific things you want to ask, then ignore it.

      Oversell the job or organization. Obviously you want to give candidates a positive impression, but don’t go overboard because this could lead to unhappy hires who don’t receive what you sold them. Candidates need to evaluate fit just as much as you.

      Get distracted by a candidate’s qualifications and focus only on their ability to do the job. Just because they are qualified does not mean they have the attitude or personality to fit the job or culture.

      Show emotion at any physical handicap. You can’t discriminate based on physical disability, so protect the organization by not drawing attention to it. Even if you don’t say anything, your facial expression may.

      Bring a bad day or excess baggage into the interview, or be abrupt, rushed, or uninterested in the interview. This is rude behavior and will leave a negative impression with candidates, which could impact your chances of hiring them.

      Submit to first impression bias because you’ll spend the rest of the interview trying to validate your first impression, wasting your time and the candidate’s. Remain as objective as possible and stick to the interview guide to stay focused on the task at hand.

      “To the candidate, if you are meeting person #3 and you’re hearing questions that person #1 and #2 asked, the company doesn’t look too hot or organized.” – President, Recruiting Firm

      Practice behavioral interviews

      1. In groups of at least three:
      • Assign one person to act as the manager conducting the interview, a second person to act as the candidate, and a third to observe.
      • The observer will provide feedback to the manager at the end of the role play based on the information you just learned.
      • Observers – please give feedback on the probing questions and body language.
    • Managers, select an interview question from the list your group put together during the previous exercise. Take a few minutes to think about potential probing questions you could follow up with to dig for more information.
    • Candidates, try to act like a real candidate. Please don’t make it super easy on the managers – but don’t make it impossible either!
    • Once the question has been asked and answered:
      • How did it go?
      • Were you able to get the candidate to speak in specifics rather than generalities? What tips do you have for others?
      • What didn’t go so well? Any surprises?
      • What would you do differently next time?
      • If this was a real hiring situation, would the information you got from just that one question help you make a hiring decision for the role?
    • Now switch roles and select a new interview question to use for this round. Repeat until everyone has had a chance to practice.
    • Input Output
      • Interview questions and scorecard
      • Practice interviews
      Materials Participants
      • IT Behavioral Interview Question Library
      • Workbook
      • Hiring Manager
      • Interview Panel Members

      Download the Behavioral Interview Question Library

      Record best practices, effective questions, and candidate insights for future use and current strategy

      Results and insights gained from evaluations need to be recorded and assessed to gain value from them going forward.

      • To optimize evaluation, all feedback should be forwarded to a central point so that the information can be shared with all stakeholders. HR can serve in this role.
      • Peer evaluations should be shared shortly after the interview. Immediate feedback that represents all the positive and negative responses is instructional for interviewers to consider right away.
      • HR can take a proactive approach to sharing information and analyzing and improving the interview process in order to collaborate with hiring departments for better talent management.
      • Collecting information about effective and ineffective interview questions will guide future interview revision and development efforts.

      Evaluations Can Inform Strategic Planning and Professional Development

      Strategic Planning

      • Survey data can be used to inform strategic planning initiatives in recruiting.
      • Use the information to build a case to the executive team for training, public relations initiatives, or better candidate management systems.

      Professional Development

      • Survey data from all evaluations should be used to inform future professional development initiatives.
      • Interview areas where all team members show weaknesses should be training priorities.
      • Individual weaknesses should be integrated into each professional development plan.

      Want to learn more?

      Recruit IT Talent

      • Improve candidate experience to hire top IT talent.

      Recruit and Retain More Women in IT

      • Gender diversity is directly correlated to IT performance.

      Recruit and Retain People of Color in IT

      • Good business, not just good philanthropy.

      Develop a Comprehensive Onboarding Plan

      Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

      Onboarding should pick up where candidate experience leaves off

      Do not confuse onboarding with orientation

      Onboarding ≠ Orientation

      Onboarding is more than just orientation. Orientation is typically a few days of completing paperwork, reading manuals, and learning about the company’s history, strategic goals, and culture. By contrast, onboarding is three to twelve months dedicated to welcoming, acclimating, guiding, and developing new employees – with the ideal duration reflecting the time to productivity for the role.

      A traditional orientation approach provides insufficient focus on the organizational identification, socialization, and job clarity that a new hire requires. This is a missed opportunity to build engagement, drive productivity, and increase organizational commitment. This can result in early disengagement and premature departure.

      Effective onboarding positively impacts the organization and bottom line

      Over the long term, effective onboarding has a positive impact on revenue and decreases costs.

      The benefits of onboarding:

      • Save money and frustration
        • Shorten processing time, reduce administrative costs, and improve compliance.
      • Boost revenue
        • Help new employees become productive faster – also reduce the strain on existing employees who would normally be overseeing them or covering a performance shortfall.
      • Drive engagement and reduce turnover
        • Quickly acclimate new hires to your organization’s environment, culture, and values.
      • Reinforce culture and employer brand
        • Ensure that new hires feel a connection to the organization’s culture.

      Onboarding drives new hire engagement from day one

      The image contains a graph to demonstrate the increase in overall engagement in relation to onboarding.

      When building an onboarding program, retain the core aims: acclimate, guide, and develop

      The image contains a picture of a circle with a smaller circle inside it, and a smaller circle inside that one. The smallest circle is labelled Acclimate, the medium sized circle is labelled Guide, and the biggest circle is labelled Develop.

      Help new hires feel connected to the organization by clearly articulating the mission, vision, values, and what the company does. Help them understand the business model, the industry, and who their competitors are. Help them feel connected to their new team members by providing opportunities for socialization and a support network.

      Help put new hires on the path to high performance by clearly outlining their role in the organization and how their performance will be evaluated.

      Help new hires receive the experience and training they require to become high performers by helping them build needed competencies.

      We recommend a three-to-twelve-month onboarding program, with the performance management aspect of onboarding extending out to meet the standard organizational performance management cycle.

      Info-Tech Insight

      The length of the onboarding program should align with the average time to productivity for the role(s). Consider the complexity of the role, the industry, and the level of the new hire when determining program length.

      For example, call center workers who are selling a straight-forward product may only require a three-month onboarding, while senior leaders may require a year-long program.

      Watch for signs that you aren’t effectively acclimating, guiding, and developing new hires

      Our primary and secondary research identified the following as the most commonly stated reasons why employees leave organizations prematurely. These issues will be addressed throughout the next section.

      Acclimate

      Guide

      Develop

      • Onboarding experience is misaligned from the employer’s brand.
      • Socialization and/or integration into the existing culture is left to the employee.
      • Key role expectations or role usefulness is not clearly communicated.
      • Company strategy is unclear.
      • Opportunities for advancement are unclear.
      • Coaching, counseling, and/or support from co-workers and/or management is lacking.
      • The organization fails to demonstrate that it cares about the new employee’s needs.

      “Onboarding is often seen as an entry-level HR function. It needs to rise in importance because it’s the first impression of the organization and can be much more powerful than we sometimes give it credit for. It should be a culture building and branding program.” – Doris Sims, SPHR, The Succession Consultant, and Author, Creative Onboarding Programs

      Use the onboarding tabs in the workbook to evaluate and redesign the onboarding program

      1. On tab 10, brainstorm challenges that face the organization's current onboarding program. Identify if they fall into the "acclimate," "guide," or "develop" category. Next, record the potential impact of this challenge on the overall effectiveness of the onboarding program.
      2. On tab 11, record each existing onboarding activity. Then, identify if that activity will be kept or if it should be retired. Next, document if the activity fell into the "acclimate," "guide," or "develop" category.
      3. On tab 12, document gaps that currently exist in the onboarding program. Modify the timeline along the side of the tab to ensure it reflects the timeline you have identified.
      4. On tab 13, document the activities that will occur in the new onboarding program. This should be a combination of current activities that you want to retain and new activities that will be added to address the gaps noted on tab 12. For each activity, identify if it will fall in the acclimate, guide, or develop section. Add any additional notes. Before moving on, make sure that there are no categories that have no activities (e.g. no guide activities).
      Input Output
      • Existing onboarding activities
      • Determine new onboarding activities
      • Map out onboarding responsibilities
      Materials Participants
      • Workbook
      • Hiring Managers
      • HR

      Review the administrative aspects of onboarding and determine how to address the challenges

      The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

      Sample challenges

      Potential solutions

      Some paperwork cannot be completed digitally (e.g. I-9 form in the US).

      Where possible, complete forms with digital signatures (e.g. DocuSign). Where not possible, begin the process earlier and mail required forms to employees to sign and return, or scan and email for the employee to print and return.

      Required compliance training material is not available virtually.

      Seek online training options where possible. Determine the most-critical training needs and prioritize the replication of materials in audio/video format (e.g. recorded lecture) and distribute virtually.

      Employees may not have access to their equipment immediately due to shipping or supply issues.

      Delay employee start dates until you can set them up with the proper equipment and access needed to do their job.

      New hires can’t get answers to their questions about benefits information and setup.

      Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

      Info-Tech Insight

      One of the biggest challenges for remote new hires is the inability to casually ask questions or have conversations without feeling like they’re interrupting. Until they have a chance to get settled, providing formal opportunities for questions can help address this.

      Review how company information is shared during onboarding and how to address the challenges

      The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

      Sample challenges

      Potential solutions

      Key company information such as organizational history, charts, or the vision, mission, and values cannot be clearly learned by employees on their own.

      Have the new hire’s manager call to walk through the important company information to provide a personal touch and allow the new hire to ask questions and get to know their new manager.

      Keeping new hires up to date on crisis communications is important, but too much information may overwhelm them or cause unnecessary stress.

      Sharing the future of the organization is a critical part of the company information stage of onboarding and the ever-changing nature of the COVID-19 crisis is informing many organizations’ future right now. Be honest but avoid over-sharing plans that may change.

      New hires can’t get answers to their questions about benefits information and setup.

      Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

      Review the socialization aspects of onboarding and determine how to address the challenges

      The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

      Sample challenges

      Potential solutions

      Team introductions via a team lunch or welcome event are typically done in person.

      Provide managers with a calendar of typical socialization events in the first few weeks of onboarding and provide instructions and ideas for how to schedule replacement events over videoconferencing.

      New hires may not have a point of contact for informal questions or needs if their peers aren’t around them to help.

      If it doesn’t already exist, create a virtual buddy program and provide instructions for managers to select a buddy from the new hire’s team. Explain that their role is to field informal questions about the company, team, and anything else and that they should book weekly meetings with the new hire to stay in touch.

      New hires will not have an opportunity to learn or become a part of the informal decision-making networks at the organization.

      Hiring managers should consider key network connections that new hires will need by going through their own internal network and asking other team members for recommendations.

      New hires will not be able to casually meet people around the office.

      Provide the employee with a list of key contacts for them to reach out to and book informal virtual coffee chats to introduce themselves.

      Adapt the Guide phase of onboarding to a virtual environment

      The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

      Sample challenges

      Potential solutions

      Performance management (PM) processes have been paused given the current crisis.

      Communicate to managers that new hires still need to be onboarded to the organization’s performance management process and that goals and feedback need to be introduced and the review process outlined even if it’s not currently happening.

      Goals and expectations differ or have been reprioritized during the crisis.

      Ask managers to explain the current situation at the organization and any temporary changes to goals and expectations as a result of new hires.

      Remote workers often require more-frequent feedback than is mandated in current PM processes.

      Revamp PM processes to include daily or bi-weekly touchpoints for managers to provide feedback and coaching for new hires for at least their first six months.

      Managers will not be able to monitor new hire work as effectively as usual.

      Ensure there is a formal approach for how employees will keep their managers updated on what they're working on and how it's going, for example, daily scrums or task-tracking software.

      For more information on adapting performance management to a virtual environment, see Info-Tech’s Performance Management for Emergency Work-From-Home research.

      Take an inventory of training and development in the onboarding process and select critical activities

      The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

      Categorize the different types of formal and informal training in the onboarding process into the following three categories. For departmental and individual training, speak to managers to understand what is required on a department and role basis:

      Organizational

      Departmental

      Individual

      For example:

      • Employee self-service overview
      • Health and safety/compliance training
      • Core competencies

      For example:

      • Software training (e.g. Salesforce)
      • Job shadowing to learn how to work equipment or to learn processes

      For example:

      • Mentoring
      • External courses
      • Support to work toward a certification

      In a crisis, not every training can be translated to a virtual environment in the short term. It’s also important to focus on critical learning activities versus the non-critical. Prioritize the training activities by examining the learning outcomes of each and asking:

      • What organizational training does every employee need to be a productive member of the organization?
      • What departmental or individual training do new hires need to be successful in their role?

      Lower priority or non-critical activities can be used to fill gaps in onboarding schedules or as extra activities to be completed if the new hire finds themselves with unexpected downtime to fill.

      Determine how onboarding training will be delivered virtually

      The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

      Who will facilitate virtual training sessions?

      • For large onboarding cohorts, consider live delivery via web conferencing where possible. This will create a more engaging training program and will allow new hires to interact with and ask questions of the presenter.
      • For individual new hires or small cohorts, have senior leaders or key personnel from across the organization record different trainings that are relevant for their role.
        • For example, training sessions about organizational culture can be delivered by the CEO or other senior leader, while sales training could be delivered by a sales executive.

        If there is a lack of resources, expertise, or time, outsource digital training to a content provider or through your LMS.

      What existing or free tools can be leveraged to immediately support digital training?

      • Laptops and PowerPoint to record training sessions that are typically delivered in-person
      • YouTube/Vimeo to host recorded lecture-format training
      • Company intranet to host links and files needed to complete training
      • Web conferencing software to host live training/orientation sessions (e.g. Webex)
      • LMS to host and track completion of learning content

      Want to learn more?

      Recruit IT Talent

      • Improve candidate experience to hire top IT talent.

      Recruit and Retain More Women in IT

      • Gender diversity is directly correlated to IT performance.

      Recruit and Retain People of Color in IT

      • Good business, not just good philanthropy.

      Adapt Your Onboarding Process to a Virtual Environment

      • Develop short-term solutions with a long-term outlook to quickly bring in new talent.

      Bibliography

      2021 Recruiter Nation Report. Survey Analysis, Jobvite, 2021. Web.

      “5 Global Stats Shaping Recruiting Trends.” The Undercover Recruiter, 2022. Web.

      Barr, Tavis, Raicho Bojilov, and Lalith Munasinghe. "Referrals and Search Efficiency: Who Learns What and When?" The University of Chicago Press, Journal of Labor Economics, vol. 37, no. 4, Oct. 2019. Web.

      “How to grow your team better, faster with an employee referral program.” Betterup, 10 Jan. 2022. Web.

      “Employee Value Proposition: How 25 Companies Define Their EVP.” Built In, 2021. Web.

      Global Leadership Forecast 2021. Survey Report, DDI World, 2021. Web.

      “Connecting Unemployed Youth with Organizations That Need Talent.” Harvard Business Review, 3 November 2016. Web.

      Ku, Daniel. “Social Recruiting: Everything You Need To Know for 2022.” PostBeyond, 26 November 2021. Web.

      Ladders Staff. “Shedding light on the job search.” Ladders, 20 May 2013. Web.

      Merin. “Campus Recruitment – Meaning, Benefits & Challenges.” HR Shelf, 1 February 2022. Web.

      Mobile Recruiting. Smart Recruiters, 2020. Accessed March 2022.

      Roddy, Seamus. “5 Employee Referral Program Strategies to Hire Top Talent.” Clutch, 22 April 2020. Web.

      Sinclair, James. “What The F*dge: That's Your Stranger Recruiting Budget?” LinkedIn, 11 November 2019. Web.

      “Ten Employer Examples of EVPs.” Workology, 2022. Web

      “The Higher Cost of a Bad Hire.” Robert Half, 15 March 2021. Accessed March 2022.

      Trost, Katy. “Hiring with a 90% Success Rate.” Katy Trost, Medium, 8 August 2022. Web.

      “Using Social Media for Talent Acquisition.” SHRM, 20 Sept. 2017. Web.

      The Accessibility Business Case for IT

      • Buy Link or Shortcode: {j2store}519|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Lead
      • Parent Category Link: /lead
      • Laws requiring digital accessibility are changing and differ by location.
      • You need to make sure your digital assets, products, and services (internal and external) are accessible to everyone, but getting buy-in is difficult.
      • You may not know where your gaps in understanding are because conventional thinking is driven by compliance and risk mitigation.

      Our Advice

      Critical Insight

      • The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
      • Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time.
      • Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion (WAI, 2018).

      Impact and Result

      • Take away the overwhelm that many feel when they hear “accessibility” and make the steps for your organization approachable.
      • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
      • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

      The Accessibility Business Case for IT Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. The Accessibility Business Case for IT – Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.

      A step-by-step approach to walk you through understanding your current state related to accessibility maturity, identifying your desired future state, and building your business case to seek buy-in. This storyboard will help you figure out what’s right for your organization and build the accessibility business case for IT.

      • The Accessibility Business Case for IT – Phases 1-3

      2. Accessibility Business Case Template – A clear, concise, and compelling business case template to communicate the criticality of accessibility.

      The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits, challenges, and risks of inaction.

      • Accessibility Business Case Template

      3. Accessibility Maturity Assessment – A structured tool to help you identify your current accessibility maturity level and identify opportunities to ensure progress.

      This tool uses a capability maturity model framework to evaluate your current state of accessibility. Maturity level is assessed on three interconnected aspects (people, process, and technology) across six dimensions proven to impact accessibility. Complete the assessment to get recommendations based on where you’re at.

      • Accessibility Maturity Assessment

      Infographic

      Further reading

      The Accessibility Business Case for IT

      Accessibility goes beyond compliance

      Analyst Perspective

      Avoid tech debt related to accessibility barriers

      Accessibility is important for individuals, businesses, and society. Diverse populations need diverse access, and it’s essential to provide access and opportunity to everyone, including people with diverse abilities. In fact, access to information and communications technologies (ICT) is a basic human right according to the United Nations.

      The benefits of ICT accessibility go beyond compliance. Many innovations that we use in everyday life, such as voice activation, began as accessibility initiatives and ended up creating a better lived experience for everyone. Accessibility can improve user experience and satisfaction, and it can enhance your brand, drive innovation, and extend your market reach (WAI, 2022).

      Although your organization might be required by law to ensure accessibility, understanding your users’ needs and incorporating them into your processes early will determine success beyond just compliance.

      Heather Leier-Murray, Senior Research Analyst, People and Leadership

      Heather Leier-Murray
      Senior Research Analyst, People and Leadership
      Info-Tech Research Group

      Executive Summary

      Your Challenge Common Obstacles Info-Tech’s Approach

      Global IT and business leaders are challenged to make digital products and services accessible because inaccessibility comes with increasing risk to brand reputation, legal ramifications, and constrained market reach.

      • Laws requiring digital accessibility are changing and differ by location.
      • You need to make sure your digital assets, products, and services (internal and external) are accessible to everyone.
      • The cost of inaction is rising.

      Understanding where to start, where accessibility lives, and if or when you’re done can be overwhelmingly difficult.

      • Executive leadership buy-in is difficult to get.
      • Conventional thinking is driven by compliance and risk mitigation.
      • You don’t know where your gaps in understanding are.

      Conventional approaches to accessibility often fail because users are expected to do the hard work. You have to be doing 80% of the hard work.1

      Use Info-Tech’s research and resources to do what’s right for your organization. This framework takes away the overwhelm that many feel when they hear “accessibility” and makes the steps for your organization approachable.

      • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
      • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

      1. Harvard Business Review, 2021

      Info-Tech Insight
      The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.

      Your challenge

      This research is designed to help organizations who are looking to:

      • Build a business case for accessibility.
      • Ensure that digital assets, products, and services are accessible to everyone, internally and externally.
      • Support staff and build skills to support the organization with accessibility and accommodation.
      • Get assistance figuring out where to start on the road to accessibility compliance and beyond.

      The cost of inaction related to accessibility is rising. Preparing for accessibility earlier helps prevent tech debt; the longer you wait to address your accessibility obligations, the more costly it gets.

      More than 3,500 digital accessibility lawsuits were filed in the US in 2020, up more than 50% from 2018.

      Source: UsableNet. Inc.

      Common obstacles

      These barriers make accessibility difficult to address for many organizations:

      • You don’t know where your gaps in understanding are. Recognizing the importance of accessibility and how it fits into the bigger picture is key to developing buy-in.
      • Too often organizations focus on mitigating risk by being compliance driven. Shifting focus to the user experience, internally and externally, will realize better results.
      • Conventional approaches to accessibility often fail because the expectation is for users to do the hard work. One in five people have a permanent disability, but it’s likely everyone will be faced with some sort of disability at some point in their lives.1 Your organization has to be doing at least 80% of the hard work.2
      • Other types of compliance reside clearly with one area of the organization. Accessibility, however, has many homes: IT, user experience (UX), customer experience (CX), and even HR.

      1. Smashing Magazine

      2. Harvard Business Review, 2021

      90% of companies claim to prioritize diversity.

      Source: Harvard Business Review, 2020

      Only 4% of those that claim to prioritize diversity consider disability in those initiatives.

      Source: Harvard Business Review, 2020

      The four principles of accessibility

      WCAG (Web Content Accessibility Guidelines) identifies four principles of accessibility. WCAG is the most referenced standard in website accessibility lawsuits.

      The four principles of accessibility

      Source: eSSENTIAL Accessibility, 2022

      Why organizations address accessibility

      Top three reasons:

      61% 62% 78%
      To comply with laws To provide the best UX To include people with disabilities

      Source: Level Access

      Still, most businesses aren’t meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.

      Source: Institute for Disability Research, Policy, and Practice

      How organizations prioritize digital accessibility

      43% rated it as a top priority.

      36% rated it as important.

      Fewer than 5% rated as either low priority or not even on the radar.

      More than 65% agreed or strongly agreed it’s a higher priority than last year.

      Source: Angel Business Communications

      Organizations expect consumers to do more online

      The pandemic led to many businesses going digital and more people doing things online.

      Chart of activities performed more often compared to before COVID-19

      Chart of activities performed for the first time during COVID-19

      Source: Statistics Canada

      Disability is part of being human

      Merriam-Webster defines disability as a “physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person’s ability to engage in certain tasks or actions or participate in typical daily activities and interactions.”1

      The World Health Organization (WHO) points out that a crucial part of the definition of disability is that it’s not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.2

      The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.2

      Many people acquire disabilities as they age yet may not identify as “a person with a disability.”3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability. 4

      “Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out.”
      – Paudie Healy, CEO, Universal Access

      1. Merriam-Webster
      2. World Health Organization
      3. Digital Leaders, as cited in WAI, 2018
      4. Disabled World, as cited in WAI, 2018

      Untapped talent resource

      Common myths about people with disabilities:

      • They can’t work.
      • They need more time off or are absent more often.
      • Only basic, unskilled work is appropriate for them.
      • Their productivity is lower than that of coworkers.
      • They cost more to recruit, train, and employ.
      • They decrease others’ productivity.
      • They’re not eligible for governmental financial incentives (e.g. apprentices).
      • They don’t fit in.

      These assumptions prevent organizations from hiring valuable people into the workforce and retaining them.

      Source: Forbes

      50% to 70% of people with disabilities are unemployed in industrialized countries. In the US alone, 61 million adults have a disability.

      Source: United Nations, as cited in Forbes

      Thought Model

      Info-Tech’s methodology for the accessibility business case for IT

      1. Understand Current State 2. Plan for Buy-in 3. Prepare Your Business Case
      Phase Steps
      1. Understand standards and legislation
      2. Build awareness
      3. Understand current accessibility maturity level Define desired future state
      1. Define desired future state
      2. Define goals and objectives
      3. Document roles and responsibilities
      1. Customize and populate the Accessibility Business Case Template and gain approval
      2. Validate post-approval steps and establish timelines
      Phase Outcomes
      • Accessibility maturity assessment
      • Accessibility drivers determined
      • Goals defined
      • Objectives identified
      • Roles and responsibilities documented
      • Business case drafted
      • Approval to move forward with implementing your accessibility program
      • Next steps and timelines

      Insight Summary

      Insight 1 The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
      Insight 2 Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time.
      Insight 3 Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion.1

      1. WAI, 2018

      Blueprint deliverables

      This blueprint is accompanied by supporting deliverables to help you accomplish your goals.

      Accessibility Business Case Template

      The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits and challenges of accessibility and the risks of inaction.

      Accessibility Maturity Assessment

      Use this assessment to understand your current accessibility maturity.

      Blueprint benefits

      Business Benefits IT Benefits
      • Don’t lose out on a 6-trillion-dollar market.
      • Don’t miss opportunities to work with organizations because you’re not accessible.
      • Enable and empower current employees with disabilities.
      • Minimize potential for negative brand reputation due to a lack of consideration for people with disabilities.
      • Decrease the risk of legal action being brought upon the organization.
      • Understand accessibility and know your role in it for your organization and your team members.
      • Be prepared and able to provide the user experience you want.
      • Decrease tech debt – start early to ensure accessibility for everyone.
      • Access an untapped labor market.
      • Mitigate IT retention challenges.

      Measure the value of this blueprint

      Improve stakeholder satisfaction and engagement

      • Tracking measures to understand the value of this blueprint is a critical part of the process.
      • Monitor employee engagement, overall stakeholder satisfaction with IT, and the overall end-customer satisfaction.
      • Remember, accessibility is not a one-and-done project – just because measures are positive does not mean your work is done.

      In phase 2 of this blueprint, we will help you establish current-state and target-state metrics for your organization.

      Suggested Metrics
      Overall end-customer satisfaction
      Monies saved through cost optimization efforts
      Employee engagement
      Monies save through application rationalization and standardization

      For more metrics ideas, see the Info-Tech IT Metrics Library.

      Executive Brief Case Study

      INDUSTRY
      Technology

      SOURCE
      W3C Web Accessibility Initiative (WAI), 2018

      Google

      Investing in accessibility
      With an innovative edge, Google invests in accessibility with the objective of making life easier for everyone. Google has created a broad array of accessibility innovations in its products and services so that people with disabilities get as much out of them as anyone else.

      Part of Google’s core mission, accessibility means more to Google than implementing fixes. It is viewed positively by the organization and drives it to be more innovative to make information available to everyone. Google approaches accessibility problems not as barriers but as ways to innovate and discover breakthroughs that will become mainstream in the future.

      Results
      Among Google’s innovations are contrast minimums, auto-complete, voice-control, AI advances, and machine learning auto-captioning. All of these were created for accessibility purposes but have positively impacted the user experience in general for Google.

      Info-Tech offers various levels of support to best suit your needs

      DIY Toolkit Guided Implementation Workshop Consulting
      "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

      Diagnostics and consistent frameworks are used throughout all four options.

      Guided Implementation

      A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

      A typical GI is 4 to 6 calls over the course of 2 to 4 months.

      What does a typical GI on this topic look like?

      Phase 1 Phase 2 Phase 3

      Call #1: Discuss motivation for the initiative and foundational knowledge requirements.

      Call #2: Discuss next steps to assess current accessibility maturity.

      Call #3: Discuss stakeholder engagement and future-state analysis.

      Call #4: Discuss defining goals and objectives, along with roles and responsibilities.

      Call #5: Review draft business case presentation.

      Call #6: Discuss post-approval steps and timelines.

      Phase 1

      Understand Your Current State

      Phase 1
      1.1 Understand standards and legislation
      1.2 Build awareness
      1.3 Understand maturity level

      Phase 2
      2.1 Define desired future state
      2.2 Define goals and objectives
      2.3 Document roles and responsibilities

      Phase 3
      3.1 Prepare business case template for presentation and approval
      3.2 Validate post-approval steps and establish timelines

      The Accessibility Business Case for IT

      This phase will walk you through the following activities:

      • Identifying and understanding accessibility and compliance requirements and the ramifications of noncompliance.
      • Defining accessibility, disability, and disability inclusion and building awareness of these with senior leaders.
      • Completing the Accessibility Maturity Assessment to help you understand your current state.

      Step 1.1

      Understand standards and legislation

      Activities

      1.1.1 Make a list of the legislation you need to comply with

      1.1.2 Seek legal and/or professional services’ input on compliance

      1.1.3 Detail the risks of inaction for your organization

      Understand Your Current State

      Outcomes of this step
      You will gain foundational understanding of the breadth of the regulation requirements for your organization. You will have reviewed and understand what is applicable to your organization.

      The regulatory landscape is evolving

      Canada

      • Canadian Human Rights Act
      • Policy on Communications and Federal Identity
      • Canadian Charter of Rights and Freedoms
      • Accessibility for Ontarians with Disabilities Act
      • Accessible Canada Act of 2019 (ACA)

      Europe

      • UK Equality Act 2010
      • EU Web and Mobile Accessibility Directive (2016)
      • EN 301 549 European Standard – Accessibility requirements for public procurement of ICT products and services

      United States

      • Section 508 of the US Rehabilitation Act of 1973
      • Americans with Disabilities Act of 1990 (ADA)
      • Section 255 of the Telecommunications Act of 1996
      • Air Carrier Access Act of 1986
      • 21st Century Communications and Video Accessibility Act of 2010 (CVAA)

      New Zealand

      • Human Rights Act 1993
      • Online Practice Guidelines for Government

      Australia

      • Disability Discrimination Act 1992 (DDA)

      Regulatory systems are moving toward an international standard.

      1.1.1 Make a list of the legislation you need to comply with

      1. Download the Accessibility Business Case Template.
      2. Conduct research and investigate what legislation and standards are applicable to your organization.
      3. a) Start by looking at your local legislation.
        b) Then consider any other regions you conduct business in.
        c) Also account for the various industries you are in.
      4. While researching, build a list of legislation requirements. Document these in your Accessibility Business Case Template as part of the Project Context section.
      Input Output
      • Research
      • Websites
      • Articles
      • List of legislation that applies to the organization related to accessibility
      Materials Participants
      • Accessibility Business Case Template
      • Project leader/initiator

      Download the Accessibility Business Case Template

      1.1.2 Seek professional advice on compliance

      1. Have general counsel review your list of regulations and standards related to accessibility or seek legal and/or professional support to review your list.
      2. Review or research further the implications of any suggestions from legal counsel.
      3. Make any updates to the Legal Landscape slide in the Accessibility Business Case Template.
      Input Output
      • Compiled list of applicable legislation and standards
      • Confirmed list of regulations that are applicable to your organization related to accessibility
      Materials Participants
      • Accessibility Business Case Template
      • Project leader/initiator
      • General counsel/professional services

      Download the Accessibility Business Case Template

      Ramifications of noncompliance

      Go beyond financial consequences

      Beyond the costs resulting from a claim, noncompliance can damage your organization in several ways.

      Financial Impact

      ADA Warning Shot: A complaint often indicates pending legal action to come. Addressing issues on a reactive, ad hoc basis can be quite expensive. It can cost almost $10,000 to address a single complaint, and chances are if you have one complaint, you have many.

      Lawsuit Costs: In the US, 265,000 demand letters were sent in 2020 under the ADA for inaccessible websites. On average, a demand letter could cost the company $25,000 (conservatively). These are low-end numbers; another estimate is that a small, quickly settled digital accessibility lawsuit could cost upwards of $350,000 for the defendant.

      Non-Financial Impact

      Reputational Impact: Claims brought upon a company can bring negative publicity with them. In contrast, having a clear commitment to accessibility demonstrates inclusion and can enhance brand image and reputation. Stakeholder expectations are changing, and consumers, investors, and employees alike want to support businesses with a purpose.

      Technology Resource Strains: Costly workarounds and ad hoc accommodation processes take away from efficiency and effectiveness. Updates and redesigns for accessibility and best practices will reduce costs associated with maintenance and service, including overall stakeholder satisfaction improvements.

      Access to Talent: 2022 saw a record high number of job openings, over 11.4 million in the US alone. Ongoing labor shortages require eliminating bias and keeping an open mind about who is qualified.

      Source: May Hopewell

      In the last four years, 83% of the retail 500 have been sued. Since 2018, 417 of the top 500 have received ADA-based digital lawsuits.

      Source: UsableNet

      1.1.3 Detail the risks of inaction for your organization

      1. Using the information that you’ve gathered through your research and legal/professional advice, detail the risks of inaction for your organization.
      2. a) Consider legal risks, consumer risks, brand risks, and employee risks. (Remember, risks aren’t just monetary.)
      3. Document the risks in your Accessibility Business Case Template.
      InputOutput
      • List of applicable legislation and standards
      • Information about risks
      • Identified accessibility maturity level
      MaterialsParticipants
      • Accessibility Business Case Template
      • Project leader/initiator

      Download the Accessibility Business Case Template

      Step 1.2

      Build awareness of accessibility and disability inclusion

      Activities

      1.2.1 Identify gaps in understanding

      1.2.2 Brainstorm how to reframe accessibility positively

      Understand Your Current State

      Outcomes of this step
      You’ll have a better understanding of accessibility so that you can effectively implement and promote it.

      Where to look for understanding

      First-hand experience of how people with disabilities interact with your organization is often eye-opening. It will help you understand the benefits and value of accessibility.

      Where to look for understanding

      • Talk with people you know with disabilities that are willing to share.*
      • Find role-specific training that’s appropriate.
      • Research. Articles and videos are easy to find.
      • Set up assistive technology trials.
      • Seek out first-hand experience from people with disabilities and how they work and use digital assets.

      Source: WAI, 2016

      * Remember, people with disabilities aren't obligated to discuss or explain their disabilities and may not be comfortable sharing. If you're asking for their time, be respectful, only ask if appropriate, and accept a "no" answer if the person doesn't wish to assist.

      1.2.1 Identify gaps in understanding

      Find out what accessibility is and why it is important. Learn the basics.

      1. Using the information that you’ve gathered through your research and legal counsel, conduct further research to understand the importance of accessibility.
      2. Answer these questions:
      3. a) What is accessibility? Why is it important?
        b) From the legislation and standards identified in step 1.1, what gaps exist?
        c) What is the definition of disability?
        d) How does your organization currently address accessibility?
        e) What are your risks?
        f) Do you have any current employees who have disabilities?
      4. Review the previous slide for suggestions on where to find more information to answer the above questions.
      5. Document any changes to the risks in your Accessibility Business Case Template.
      InputOutput
      • Articles
      • Interviews
      • Websites
      • Greater understanding of the lived experience of people with disabilities
      MaterialsParticipants
      • Articles
      • Websites
      • Accessibility Business Case Template
      • Project leader/initiator

      Download the Accessibility Business Case Template

      Reframe accessibility as a benefit, not a burden

      A clear understanding of accessibility and the related standards and regulations can turn accessibility from something big and scary to an achievable part of the business.

      The benefits of accessibility are:

      Market Reach Minimized Legal Risks Innovation Retention
      Over 1 billion people with a spending power of $6 trillion make up the global market of people with disabilities.1 Accessibility improves the experience for all users. In addition, many organizations require you to provide proof you meet accessibility standards during the RFP process. Accessibility regulations are changing, and claims are rising. Costs associated with legal proceedings can be more than just financial. Many countries have laws you need to follow. People with disabilities bring diversity of thought, have different lived experiences, and benefit inclusivity, which helps drive engagement. Plus accessibility features often solve unanticipated problems. Employing and supporting people with disabilities can reduce turnover and improve retention, reliability, company image, employee loyalty, ability awareness, and more.

      Source 1: WAI, 2018

      1.2.2 Brainstorm ways to reframe accessibility positively

      1. Using the information that you’ve gathered through your research, brainstorm additional positives of accessibility for your organization.
      2. Clearly identify the problem you want to solve (e.g., reframing accessibility positively in your organization).
      3. Collect any tools you want to use to during brainstorming (e.g., whiteboard, markers, sticky notes)
      4. Write down all the ideas that come to mind.
      5. Review all the points and group them into themes.
      6. Update the Accessibility Business Case Template with your findings.
      InputOutput
      • Research you have gathered
      • List of ways to positively reframe accessibility for your organization
      MaterialsParticipants
      • Sticky notes, whiteboard, pens, paper, markers.
      • Accessibility Business Case Template
      • Project leader/initiator

      Download the Accessibility Business Case Template

      Make it part of the conversation

      A first step to disability and accessibility awareness is to talk about it. When it is talked about as freely as other things are in the workplace, this can create a more welcoming workplace.

      Accessibility goes beyond physical access and includes technological access and support as well as our attitudes.

      Accessibility is making sure everyone (disabled or abled) can access the workplace equally.

      Adjustments in the workplace are necessary to create an accessible and welcoming environment. Understanding the three dimensions of accessibility in the workplace is a good place to start.

      Source: May Hopewell

      Three dimensions of accessibility in the workplace

      Three dimensions of accessibility in the workplace

      Case Study

      INDUSTRY
      Professional Services

      SOURCE
      Accenture

      Accenture takes an inclusive approach to increase accessibility.

      Accessibility is more than tools

      Employee experience was the focus of embarking on the accessibility journey, ensuring inclusivity was built in and every employee was able to use the tools they needed and could achieve their goals.

      "We are removing barriers in technology to make all of our employees, regardless of their ability, more productive.”
      — Melissa Summers, Managing Director – Global IT, Corporate Technology, Accenture

      Accessibility is inclusive

      The journey began with formalizing a Global IT Accessibility practice and defining an accessibility program charter. This provided direction and underpinned the strategy used to create a virtual Accessibility Center of Excellence and map out a multiyear plan of initiatives.

      The team then identified all the technologies they wanted to enhance by prioritizing ones that were high use and high impact. Involving disability champions gave insight into focus areas.

      Accessibility is innovation

      Working with partners like Microsoft and over 100 employees, Accenture continues toward the goal of 75% accessibility for all its global high-traffic internal platforms.

      Achievements thus far include:

      • 100% of new Accenture video and broadcast content is automatically captioned.
      • Accenture received a perfect Disability Equality Index (US) score of 100 out of 100 for 2017, 2018, and 2019.

      Step 1.3

      Understand your current accessibility maturity level

      Activities

      1.3.1 Complete the Accessibility Maturity Assessment

      Understand Your Current State

      Outcomes of this step
      Completed Accessibility Maturity Assessment to inform planning for and building your business case in Phases 2 and 3.

      Know where you are to know where to go

      Consider accessibility improvements from three interconnected aspects to determine current maturity level

      Accessibility Maturity

      People

      • Consider employee, customer, and user experience.

      Process

      • Review processes to ensure accessibility is considered early.

      Technology

      • Whether it’s new or existing, technology is an important tool to increase accessibility.

      Accessibility maturity levels

      INITIAL DEVELOPING DEFINED MANAGED OPTIMIZE
      At this level, accessibility processes are mostly undocumented, if they exist. Accessibility is most likely happening on a reactive, ad hoc basis. No one understands who is responsible for accessibility or what their role is. At this stage the organization is driven by the need for compliance. At the developing level, the organization is taking steps to increase accessibility but still has a lot of opportunity for improvements. The organization is defining and refining processes and is working toward building a library of assistive tools. At this level, processes related to accessibility are repeatable. However, there’s a tendency to resort to old habits under stress. The organization has tools in place to facilitate accommodation requests and technology is compatible with assistive technologies. Accessibility initiatives are driven by the desire to make the user experience better. The managed level is defined by its effective accessibility controls, processes, and metrics. The organization can mostly anticipate preferences of customers, employees, and users. The roles and responsibilities are defined, and disability is included as part of the organization’s diversity, equity, and inclusion (DEI) initiatives. This level is not the goal for all organizations. At this level there is a shift in the organization’s culture to a feeling of belonging. The organization also demonstrates ongoing process improvements. Everyone can experience a seamless interaction with the organization. The focus is on continuous improvement and using feedback to inform future initiatives.

      Determine your level of maturity

      Use Info-Tech’s Accessibility Maturity Assessment

      • On the accessibility questionnaire, tab 2, choose how much the statements apply to your organization. Answer the questions based on your knowledge of your current state organizationally.
      • Once you’ve answered all the questions, see the results on the tab 3, Accessibility Results. You can see your overall maturity level and the maturity level for each of six dimensions that are necessary to increase the success of an accessibility program.
      • Click through to tab 4, Recommendations, to see specific recommendations based on your results and proven research to progress through the maturity levels. Keep in mind that not all organizations will or should aspire to the “Optimize” maturity level.

      1.3.1 Complete the Accessibility Maturity Assessment

      1. Download the Accessibility Maturity Assessment and save it with the date so that as you work on your accessibility program, you can reassess later and track your progress.
      2. Once you have saved the assessment, select the appropriate answer for each statement on tab 2, Accessibility Questions, based on your knowledge of the organization’s approach.
      3. After reviewing all the accessibility statements, see your maturity level results on tab 3, Accessibility Results. Then see tab 4, Recommendations, for suggestions based on your answers.
      4. Document your accessibility maturity results in your Accessibility Business Case Template.
      Input Output
      • Assess your current state of accessibility by choosing all the statements that apply to your organization
      • Identified accessibility maturity level
      Materials Participants
      • Accessibility Maturity Assessment
      • Accessibility Business Case Template
      • Project leader/sponsor
      • IT leadership team

      Download the Accessibility Business Case Template

      Phase 2

      Plan for Senior Leader Buy-In

      Phase 1
      1.1 Understand standards and legislation
      1.2 Build awareness
      1.3 Understand maturity level

      Phase 2
      2.1 Define desired future state
      2.2 Define goals and objectives
      2.3 Document roles and responsibilities

      Phase 3
      3.1 Prepare business case template for presentation and approval
      3.2 Validate post-approval steps and establish timelines

      The Accessibility Business Case for IT

      This phase will walk you through the following activities:

      • Defining your desired future state.
      • Determining your accessibility program goals and objectives.
      • Clarifying and documenting roles and responsibilities related to accessibility in IT.

      This phase involves the following participants:

      • Project lead/sponsor
      • IT leadership team
      • Senior leaders/decision makers

      Step 2.1

      Define the desired future state of accessibility

      Activities

      2.1.1 Identify key stakeholders

      2.1.2 Hold a key stakeholder focus group

      2.1.3 Conduct a future-state analysis

      Outcomes of this step
      Following this step, you will have identified your aspirational maturity level and what your accessibility future state looks like for your organization.

      Plan for Senior Leader Buy-In

      Cheat sheet: Identify stakeholders

      Ask stakeholders, “Who else should I be talking to?” to discover additional stakeholders and ensure you don’t miss anyone.

      Identify stakeholders through the following questions:
      • Who in areas of influence will be adversely affected by potential environmental and social impacts of what you are doing?
      • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
      • Will other stakeholders emerge as the phases are started and completed?
      • Who is sponsoring the initiative?
      • Who benefits from the initiative?
      • Who is negatively impacted by the initiative?
      • Who can make approvals?
      • Who controls resources?
      • Who has specialist skills?
      • Who implements the changes?
      • Who are the owners, governors, customers, and suppliers of impacted capabilities or functions?
      Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.
      • Executives
      • Peers
      • Direct reports
      • Partners
      • Customers
      • Subcontractors
      • Subcontractors
      • Contractors
      • Lobby groups
      • Regulatory agencies

      Categorize your stakeholders with a stakeholder prioritization map

      A stakeholder prioritization map helps teams categorize their stakeholders by their level of influence and ownership.

      There are four areas in the map, and the stakeholders within each area should be treated differently.

      Players – Players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

      Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

      Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

      Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.

      Stakeholder prioritization map

      Define strategies for engaging stakeholders by type

      Each group of stakeholders draws attention and resources away from critical tasks.

      By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of the Mediators and Players are met.

      Type Quadrant Actions
      Players High influence, high interest Actively Engage
      Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
      Mediators High influence, low interest Keep Satisfied
      They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
      Noisemakers Low influence, high interest Keep Informed
      Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
      Spectators Low influence, low interest Monitor
      They are followers. Keep them in the loop by providing clarity on objectives and status updates.

      2.1.1 Identify key stakeholders

      Collect this information by:

      1. List direct stakeholders for your area. Include stakeholders across the organization (both IT and business units) and externally.
      2. Create a stakeholder map to capture your stakeholders’ interest in and influence on digital accessibility.
      3. Shortlist stakeholders to invite as focus group participants in activity 2.1.2.
        • Aim for a combination of Players, Mediators, and Noisemakers.
      Input Output
      • List of stakeholders
      • Stakeholder requirements
      • A stakeholder map
      • List of stakeholders to include in the focus group in step 2.1.2
      Materials Participants
      • Sticky notes, pens, whiteboard, markers (optional)
      • Project leader/sponsor

      Hold a focus group to initiate planning

      Involve key stakeholders to determine the organizational drivers of accessibility, identify target maturity and key performance indicators (KPIs), and ultimately build the project charter.

      Building the project charter as a group will help you to clarify your key messages and secure buy-in from critical stakeholders up-front, which is key.

      Executing the business case for accessibility requires significant involvement from your IT leadership team. The challenge is that accessibility can be overwhelming because of inherent bias. Members of your IT leadership team will also need to participate in knowledge transfer, so get them involved up-front. The focus group will help stakeholders feel more engaged in the project, which is pivotal for success.

      You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value of and plans for accessibility will be necessary.

      Meeting Agenda

      1. Short introduction
        Led by: Project Sponsor
        • Why the initiative is being considered.
      2. Make the case for the project
        Led by: Project Manager
        • Current state: What does the initiative address?
        • Future state: What is our target state of maturity?
      3. Success criteria
        Led by: Project Manager
        • How will success be measured?
      4. Define the project team
        Led by: Project Manager
        • Description of planned approach.
        • Stakeholder assessment.
        • What is required of the sponsor and stakeholders?
      5. Determine next steps
        Led by: Project Manager

      2.1.2 Hold a stakeholder focus group

      Identify the pain points you want to resolve and some of the benefits that you’d like to see from a program. By doing so, you’ll get a holistic view of what you need to achieve and what your drivers are.

      1. Ask the working group participants (as a whole or in smaller groups) to discuss pain points created by inaccessibility.
        • Challenges related to stakeholders.
        • Challenges created by process issues.
        • Difficulties improving accessibility practices.
      2. Discuss opportunities to be gained from improving these practices.
      3. Have participants write these down on sticky notes and place them on a whiteboard or flip chart.
      4. Review all the points as a group. Group challenges and benefits into themes.
      5. Have the group prioritize the risks and benefits in terms of what the solution must have, should have, could have, and won’t have.
      Input Output
      • Reasons for the project
      • Stakeholder requirements
      • Pain points and risks
      • A prioritized list of risks and benefits of the solution
      Materials Participants
      • Agenda (see previous slide)
      • Sticky notes, pens, whiteboard, markers (optional)
      • IT leadership
      • Other key stakeholders

      While defining future state, consider your drivers

      The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.

      • Over 30% of organizations are focused on compliance, according to a 2022 survey by Harvard Business Review and Slack’s Future Forum. The survey asked more than 10,000 workers in six countries about their organizations’ approach to DEI.2

      Even though 90% of companies claim to prioritize diversity,1 over 30% are focused on compliance.2

      1. Harvard Business Review, 2020
      2. Harvard Business Review, 2022

      31.6% of companies remain in the Compliant stage, where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement.

      Source: Harvard Business Review, 2022

      Align the benefits of program drivers to organizational goals or outcomes

      Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.

      Drivers Compliance Experience Incorporation
      Maturity level Initial Developing Defined Managed Optimized
      Description Any accessibility initiative is to comply with the minimum legislated requirement. Desire to avoid/decrease legal risk. Accessibility initiatives are focused on improving the experience of everyone from the start. Most organizations will be experience driven. Desire to increase accessibility and engagement. Accessibility is a seamless part of the whole organization and initiatives are focused on impacting social issues.
      Advantages Compliance is a good starting place for accessibility. It will reduce legal risk. Being people focused from the start of processes enables the organization to reduce tech debt, provide the best user experience, and realize other benefits of accessibility. There is a sense of belonging in the organization. The entire organization experiences the benefits of accessibility.
      Disadvantages Accessibility is about more than just compliance. Being compliance driven won’t give you the full benefits of accessibility. This can mean a culture change for the organization, which can take a long time. IT is used to moving quickly – it might feel counterintuitive to slow down and take time. It takes much longer to reach the associated level of maturity. Not possible for all organizations.

      Info-Tech Accessibility Maturity Framework

      Info-Tech Accessibility Maturity Framework

      After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined process and consistent standardized processes. Eventually you will build the ability for predictable process, and lastly, you’ll optimize by continuously improving.

      Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.

      At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.

      Info-Tech Insight
      IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to digital accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.

      Accessibility maturity levels

      Driver Description Benefits
      Initial Compliance
      • Accessibility processes are mostly undocumented.
      • Accessibility happens mostly on a reactive or ad hoc basis.
      • No one is aware of who is responsible for accessibility or what role they play.
      • Heavily focused on complying with regulations and standards to decrease legal risk.
      • The organization is aware of the need for accessibility.
      • Legal risk is decreased.
      Developing Experience
      • The organization is starting to take steps to increase accessibility beyond compliance.
      • Lots of opportunity for improvement.
      • Defining and refining processes.
      • Working toward building a library of assistive tools.
      • Awareness of the need for accessibility is growing.
      • Process review for accessibility increases process efficiency through avoiding rework.
      Defined Experience
      • Accessibility processes are repeatable.
      • There is a tendency to resort to old habits under stress.
      • Tools are in place to facilitate accommodation.
      • Employees know accommodations are available to them.
      • Accessibility is becoming part of daily work.
      Managed Experience
      • Defined by effective accessibility controls, processes, and metrics.
      • Mostly anticipating preferences.
      • Roles and responsibilities are defined.
      • Disability is included as part of DEI.
      • Employees understand their role in accessibility.
      • Engagement is positively impacted.
      • Attraction and retention are positively impacted.
      Optimized Incorporation
      • Not the goal for every organization.
      • Characterized by a dramatic shift in organizational culture and a feeling of belonging.
      • Ongoing continuous improvement.
      • Seamless interactions with the organization for everyone.
      • Using feedback to inform future initiatives.
      • More likely to be innovative and inclusive, reach more people positively, and meet emerging global legal requirements.
      • Better equipped for success.

      2.1.3 Conduct future-state analysis

      Identify your target state of maturity

      1. Provide the group with your maturity assessment results to review as well as the slides on the maturity levels, framework, and drivers.
      2. Compare the benefits listed on the Accessibility maturity levels slide to those that you named in the previous exercise and determine which maturity level best describes your target state.
      3. Discuss as a group and agree on one desired maturity level to reach.
      4. Review the other levels of maturity and determine what is in and out of scope for the project (higher-level benefits would be considered out of scope).
      5. Document your target state of maturity in your Accessibility Business Case Template.
      Input Output
      • Accessibility maturity levels chart on previous slide
      • Maturity level assessment results
      • Target maturity level documented
      Materials Participants
      • Paper and pens
      • Handouts of maturity levels
      • Accessibility Business Case Template
      • IT leadership team

      Download the Accessibility Business Case Template

      Case Study

      Accessibility as a differentiator

      INDUSTRY
      Financial

      SOURCE
      WAI-Engage

      Accessibility inside and out

      As a financial provider, Barclays embarked on the accessibility journey to engage customers and employees with the goal of equal access for all. One key statement that provided focus was “Essential for some, easier for all. ”

      “It's about helping everyone to work, bank and live their lives regardless of their age, situation, abilities or circumstances.”

      Embedding into experiences

      “The Barclays Accessibility team [supports] digital teams to embed accessibility into our services and culture through effective governance, partnering, training and tools. Establishing an enterprise-wide accessibility strategy, standards and programmes coupled with senior sponsorship helps support our publicly stated ambition of becoming the most accessible and inclusive FTSE company.”

      – Paul Smyth, Head of Digital Accessibility, Barclays

      It’s a circle, not a roadmap

      • Barclays continues the journey through partnerships with disability charities and accessibility experts and through regularly engaging with customers and colleagues with disabilities directly.
      • More accessible, inclusive products and services engage and attract more people with disabilities. This translates to a more diverse workforce that identifies opportunities for innovation. This leads to being attractive to diverse talent, and the circle continues.
      • Barclays’ mobile banking app was first to be accredited by accessibility consultants AbilityNet.

      Step 2.2

      Define your accessibility program goals and objectives

      Activities

      2.2.1 Create a list of goals and objectives

      2.2.2 Finalize key metrics

      Plan for Senior Leader Buy-In

      Outcomes of this step
      You will have clear measurable goals and objectives to respond to identified accessibility issues and organizational goals.

      What does a good goal look like?

      Use the SMART framework to build effective goals.

      S Specific: Is the goal clear, concrete, and well defined?
      M Measurable: How will you know when the goal is met?
      A Achievable: Is the goal possible to achieve in a reasonable time?
      R Relevant: Does this goal align with your responsibilities and with departmental and organizational goals?
      T Time-based: Have you specified a time frame in which you aim to achieve the goal?

      SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.

      2.2.1 Create a list of goals and objectives

      Use the outcomes from activity 2.1.2.

      1. Using the prioritized list of what your solution must have, should have, could have, and won’t have from activity 2.1.2, develop goals.
      2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
      3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
      4. Document your goals and objectives in your Accessibility Business Case Template.
      InputOutput
      • Outcomes of activity 2.1.2
      • Organizational and departmental goals
      • Goals and objectives added to your Accessibility Business Case Template
      MaterialsParticipants
      • Accessibility Business Case Template
      • IT leadership team

      Download the Accessibility Business Case Template

      2.2.1 Create a list of goals and objectives

      Use the outcomes from activity 2.1.2.

      1. Using the prioritized list of what your solution must have, should have, could have, and won’t have from activity 2.1.2, develop goals.
      2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
      3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
      4. Document your goals and objectives in your Accessibility Business Case Template.

      Establish Baseline Metrics

      Baseline metrics will be improved through:

      1. Progressing through the accessibility maturity model.
      2. Addressing accessibility earlier in processes to avoid tech debt and rework late in projects or releases.
      3. Making accessibility part of the procurement process as a scoring consideration and vendor choice.
      4. Ensuring compliance with regulations and standards.
      Metric Current Goal
      Overall end-customer satisfaction 90 120
      Monies saved through cost optimization efforts
      Employee engagement
      Monies save through application rationalization and standardization

      For more metrics ideas, see the Info-Tech IT Metrics Library.

      2.2.2 Finalize key metrics

      Finalize key metrics the organization will use to measure accessibility success

      1. Brainstorm how you would measure the success of each goal based on the benefits, challenges, and risks you previously identified.
      2. Write each of the metric ideas down and finalize three to five key metrics which you will track. The metrics you choose should relate to the key challenges or risks you have identified and match your desired maturity level and driver.
      3. Document your key metrics in the Accessibility Business Case Template.
      InputOutput
      • Accessibility challenges and benefits
      • Goals from activity 2.2.1
      • Three to five key metrics to track
      MaterialsParticipants
      • Accessibility Business Case Template
      • IT leadership team
      • Project lead/sponsor

      Download the Accessibility Business Case Template

      Step 2.3

      Document accessibility program roles and responsibilities

      Activities

      2.3.1 Populate a RACI chart

      Plan for Senior Leader Buy-In

      Outcomes of this step
      At the end of this step, you will have a completed RACI chart documenting the roles and responsibilities related to accessibility for your accessibility business case.

      2.3.1 Populate a RACI

      Populate a RACI chart to identify who should be responsible, accountable, consulted, and informed for each key activity.

      Define who is responsible, accountable, consulted, and informed for the project team:

      1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key project steps along the left-hand side.
      2. For each initiative, identify each team member’s role. Are they:
        Responsible: The one responsible for getting the job done.
        Accountable: Only one person can be accountable for each task.
        Consulted: Are involved by providing knowledge.
        Informed: Receive information about execution and quality.
      3. As you proceed, continue to add tasks and assign responsibility to the RACI chart in the appendix of the Accessibility Business Case Template.
      InputOutput
      • Stakeholder list
      • Key project steps
      • Project RACI chart
      MaterialsParticipants
      • Whiteboard
      • Accessibility Business Case Template
      • IT leadership team

      Download the Accessibility Business Case Template

      Phase 3

      Prepare your business case and get approval

      Phase 1
      1.1 Understand standards and legislation
      1.2 Build awareness
      1.3 Understand maturity level

      Phase 2
      2.1 Define desired future state
      2.2 Define goals and objectives
      2.3 Document roles and responsibilities

      Phase 3
      3.1 Prepare business case template for presentation and approval
      3.2 Validate post-approval steps and establish timelines

      The Accessibility Business Case for IT

      This phase will walk you through the following activities:

      • Compiling the work and learning you’ve done so far into a business case presentation.

      This phase involves the following participants:

      • Project lead/sponsor
      • Senior leaders/approval authority

      There is a business case for accessibility

      • When planning for initiatives, a business case is a necessary tool. Although it can feel like an administrative exercise, it helps create a compelling argument to senior leaders about the benefits and necessity of building an accessibility program.
      • No matter the industry, you need to justify how the budget and effort you require for the initiative support organizational goals. However, senior leaders of different industries might be motivated by different reasons. For example, government is strongly motivated by legal and equity aspects, commercial companies may be attracted to the increase in innovation or market reach, and educational and nonprofit companies are likely motivated by brand enhancement.
      • The organizational focus and goals will guide your business case for accessibility. Highlight the most relevant benefits to your operational landscape and the risk of inaction.

      Source: WAI, 2018

      “Many organizations are waking up to the fact that embracing accessibility leads to multiple benefits – reducing legal risks, strengthening brand presence, improving customer experience and colleague productivity.”
      – Paul Smyth, Head of Digital Accessibility, Barclays
      Source: WAI, 2018

      Step 3.1

      Customize and populate the Accessibility Business Case Template

      Activities

      3.1.1 Prepare your business case template for presentation and approval

      Build Your Business Case

      Outcomes of this step
      Following this step, you will have a customized business case presentation that you can present to senior leaders.

      Use Info-Tech’s template to communicate with stakeholders

      Obtain approval for your accessibility program by customizing Info-Tech’s Accessibility Business Case Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.

      It includes:

      • Project context
      • Project scope and objectives
      • Knowledge transfer roadmap
      • Next steps

      Info-Tech Insight
      The support of senior leaders is critical to the success of your accessibility program development. Remind them of the benefits and impact and the risks associated with inaction.

      Download the Accessibility Business Case Template

      3.1.1 Prepare a presentation for senior leaders to gain approval

      Now that you understand your current and desired accessibility maturity, the next step is to get sign-off to begin planning your initiatives.

      Know your audience:

      1. Consider who will be included in your presentation audience.
      2. You want your presentation to be succinct and hard-hitting. Management’s time is tight, and they will lose interest if you drag out the delivery. Impact them hard and fast with the challenges, benefits, and risks of inaction.
      3. Contain the presentation to no more than an hour. Depending on your audience, the actual presentation delivery could be quite short. You want to ensure adequate time for questions and answers.
      4. Schedule a meeting with the key decision makers who will need to approve the initiatives (IT leadership team, executive team, the board, etc.) and present your business case.
      InputOutput
      • Activity results
      • Accessibility Maturity Assessment results
      • A completed presentation to communicate your accessibility business case
      MaterialsParticipants
      • Accessibility Business Case Template
      • IT leadership team
      • Project sponsor
      • Project stakeholders
      • Senior leaders

      Download the Accessibility Business Case Template

      Step 3.2

      Validate post-approval steps and establish timelines

      Activities

      3.2.1 Prepare for implementation: Complete the implementation prep to-do list and assign proposed timelines

      Build Your Business Case

      Outcomes of this step
      This step will help you gain leadership’s approval to move forward with building and implementing the accessibility program.

      Prepare to implement your program

      Complete the to-do list to ensure you are ready to move your accessibility program forward.

      To Do Proposed Timeline
      Reach out to your change management team for assistance.
      Discuss your plan with HR.
      Build a project team.
      Incorporate any necessary changes from senior leaders into your business case.
      [insert your own addition here]
      [insert your own addition here]
      [insert your own addition here]
      [insert your own addition here]

      3.2.1 Prep for implementation (action planning)

      Use the implementation prep to-do list to make sure you have gathered relevant information and completed critical steps to be ready for success.

      Use the list on the previous slide to make sure you are set up for implementation success and that you’re ready to move your accessibility program forward.

      1. Assign proposed timelines to each of the items.
      2. Work through the list, collecting or completing each item.
      3. As you proceed, keep your identified drivers, current state, desired future state, goals, and objectives in mind.
      Input Output
      • Accessibility Maturity Assessment
      • Business case presentation and any feedback from senior leaders
      • Goals, objectives, identified drivers, and desired future state
      • High-level action plan
      Materials Participants
      • Previous slide containing the checklist
      • Project lead

      Related Info-Tech Research

      Implement and Mature Your User Experience Design Practice

      • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
        • Establishing a practice with a common vision.
        • Enhancing the practice through four design factors.
        • Communicating a roadmap to improve your business through design.

      Modernize Your Corporate Website to Drive Business Value

      • Users are demanding more valuable web functionalities and improved access to your website services.
      • The criteria of user acceptance and satisfaction involves more than an aesthetically pleasing user interface (UI). It also includes how emotionally attached the user is to the website and how it accommodates user behaviors.

      IT Diversity & Inclusion Tactics

      • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
      • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

      Fix Your IT Culture

      • Go beyond value statements to create a culture that enables the departmental strategy.
      • There is confusion about how to translate culture from an abstract concept to something that is measurable, actionable, and process driven.
      • Organizations lack clarity about who is accountable and responsible for culture, with groups often pointing fingers at each other.

      Works cited

      “2021 State of Digital Accessibility.” Level Access, n.d. Accessed 10 Aug. 2022

      ”2022 Midyear Report: ADA Digital Accessibility Lawsuits.” UsableNet, 2022. Accessed 9 Nov. 2022

      “Barclay’s Bank Case Study.” WAI-Engage, 12 Sept. 2018. Accessed 7 Nov. 2022.

      Bilodeau, Howard, et al. “StatCan COVID-19 Data to Insights for a Better Canada.” Statistics Canada, 24 June 2021. Accessed 10 Aug. 2022.

      Casey, Caroline. “Do Your D&I Efforts Include People With Disabilities?” Harvard Business Review, 19 March 2020. Accessed 28 July 2022.

      Digitalisation World. “Organisations failing to meet digital accessibility standards.” Angel Business Communications, 19 May 2022. Accessed Oct. 2022.

      “disability.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/disability. Accessed 10 Aug. 2022.

      “Disability.” World Health Organization, 2022. Accessed 10 Aug 2022.

      “Driving the Accessibility Advantage at Accenture.” Accenture, 2022. Accessed 7 Oct. 2022.

      eSSENTIAL Accessibility. The Must-Have WCAG 2.1 Checklist. 2022

      Hopewell, May. Accessibility in the Workplace. 2022.

      “Initiate.” W3C Web Accessibility Initiative (WAI), 31 March 2016. Accessed 18 Aug. 2022.

      Kalcevich, Kate, and Mike Gifford. “How to Bake Layers of Accessibility Testing Into Your Process.” Smashing Magazine, 26 April 2021. Accessed 31 Aug. 2022.

      Noone, Cat. “4 Common Ways Companies Alienate People with Disabilities.” Harvard Business Review, 29 Nov. 2021. Accessed Jul. 2022.

      Taylor, Jason. “A Record-Breaking Year for ADA Digital Accessibility Lawsuits.” UsableNet, 21 December 2020. Accessed Jul. 2022.

      “The Business Case for Digital Accessibility.” W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.

      “The WebAIM Million.” Web AIM, 31 March 2022. Accessed 28 Jul. 2022.

      Washington, Ella F. “The Five Stages of DEI Maturity.” Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.

      Wyman, Nicholas. “An Untapped Talent Resource: People With Disabilities.” Forbes, 25 Feb. 2021. Accessed 14 Sep. 2022.

      Modernize Your SDLC

      • Buy Link or Shortcode: {j2store}148|cart{/j2store}
      • member rating overall impact (scale of 10): 9.5/10 Overall Impact
      • member rating average dollars saved: $30,263 Average $ Saved
      • member rating average days saved: 39 Average Days Saved
      • Parent Category Name: Development
      • Parent Category Link: /development
      • Today’s rapidly scaling and increasingly complex products create mounting pressure on delivery teams to release new features and changes quickly and with sufficient quality.
      • Many organizations lack the critical capabilities and resources needed to satisfy their growing backlog, jeopardizing product success.

      Our Advice

      Critical Insight

      • Delivery quality and throughput go hand in hand. Focus on meeting minimum process and product quality standards first. Improved throughput will eventually follow.
      • Business integration is not optional. The business must be involved in guiding delivery efforts, and ongoing validation and verification product changes.
      • The software development lifecycle (SDLC) must deliver more than software. Business value is generated through the products and services delivered by your SDLC. Teams must provide the required product support and stakeholders must be willing to participate in the product’s delivery.

      Impact and Result

      • Standardize your definition of a successful product. Come to an organizational agreement of what defines a high-quality and successful product. Accommodate both business and IT perspectives in your definition.
      • Clarify the roles, processes, and tools to support business value delivery and satisfy stakeholder expectations. Indicate where and how key roles are involved throughout product delivery to validate and verify work items and artifacts. Describe how specific techniques and tools are employed to meet stakeholder requirements.
      • Focus optimization efforts on most affected stages. Reveal the health of your SDLC from the value delivery, business and technical practice quality standards, discipline, throughput, and governance perspectives with a diagnostic. Identify and roadmap the solutions to overcome the root causes of your diagnostic results.

      Modernize Your SDLC Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to find out why you should modernize your SDLC, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Set your SDLC context

      State the success criteria of your SDLC practice through the definition of product quality and organizational priorities. Define your SDLC current state.

      • Modernize Your SDLC – Phase 1: Set Your SDLC Context
      • SDLC Strategy Template

      2. Diagnose your SDLC

      Build your SDLC diagnostic framework based on your practice’s product and process objectives. Root cause your improvement opportunities.

      • Modernize Your SDLC – Phase 2: Diagnose Your SDLC
      • SDLC Diagnostic Tool

      3. Modernize your SDLC

      Learn of today’s good SDLC practices and use them to address the root causes revealed in your SDLC diagnostic results.

      • Modernize Your SDLC – Phase 3: Modernize Your SDLC
      [infographic]

      Workshop: Modernize Your SDLC

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Set Your SDLC Context

      The Purpose

      Discuss your quality and product definitions and how quality is interpreted from both business and IT perspectives.

      Review your case for strengthening your SDLC practice.

      Review the current state of your roles, processes, and tools in your organization.

      Key Benefits Achieved

      Grounded understanding of products and quality that is accepted across the organization.

      Clear business and IT objectives and metrics that dictate your SDLC practice’s success.

      Defined SDLC current state people, process, and technologies.

      Activities

      1.1 Define your products and quality.

      1.2 Define your SDLC objectives.

      1.3 Measure your SDLC effectiveness.

      1.4 Define your current SDLC state.

      Outputs

      Product and quality definitions.

      SDLC business and technical objectives and vision.

      SDLC metrics.

      SDLC capabilities, processes, roles and responsibilities, resourcing model, and tools and technologies.

      2 Diagnose Your SDLC

      The Purpose

      Discuss the components of your diagnostic framework.

      Review the results of your SDLC diagnostic.

      Key Benefits Achieved

      SDLC diagnostic framework tied to your SDLC objectives and definitions.

      Root causes to your SDLC issues and optimization opportunities.

      Activities

      2.1 Build your diagnostic framework.

      2.2 Diagnose your SDLC.

      Outputs

      SDLC diagnostic framework.

      Root causes to SDLC issues and optimization opportunities.

      3 Modernize Your SDLC

      The Purpose

      Discuss the SDLC practices used in the industry.

      Review the scope and achievability of your SDLC optimization initiatives.

      Key Benefits Achieved

      Knowledge of good practices that can improve the effectiveness and efficiency of your SDLC.

      Realistic and achievable SDLC optimization roadmap.

      Activities

      3.1 Learn and adopt SDLC good practices.

      3.2 Build your optimization roadmap.

      Outputs

      Optimization initiatives and target state SDLC practice.

      SDLC optimization roadmap, risks and mitigations, and stakeholder communication flow.

      Mergers & Acquisitions: The Buy Blueprint

      • Buy Link or Shortcode: {j2store}325|cart{/j2store}
      • member rating overall impact (scale of 10): 9.0/10 Overall Impact
      • member rating average dollars saved: 5 Average Days Saved
      • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
      • Parent Category Name: IT Strategy
      • Parent Category Link: /it-strategy

      There are four key scenarios or entry points for IT as the acquiring organization in M&As:

      • IT can suggest an acquisition to meet the business objectives of the organization.
      • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
      • IT participates in due diligence activities and valuates the organization potentially being acquired.
      • IT needs to reactively prepare its environment to enable the integration.

      Consider the ideal scenario for your IT organization.

      Our Advice

      Critical Insight

      Acquisitions are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

      • The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
      • A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
      • Transactions that are driven by digital motivations, requiring IT’s expertise.
      • There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.

      Impact and Result

      Prepare for a growth/integration transaction by:

      • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
      • Creating a standard strategy that will enable strong program management.
      • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

      Mergers & Acquisitions: The Buy Blueprint Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to find out how your organization can excel its growth strategy by engaging in M&A transactions. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Proactive Phase

      Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

      • One-Pager: M&A Proactive
      • Case Study: M&A Proactive
      • Information Asset Audit Tool
      • Data Valuation Tool
      • Enterprise Integration Process Mapping Tool
      • Risk Register Tool
      • Security M&A Due Diligence Tool

      2. Discovery & Strategy

      Create a standardized approach for how your IT organization should address acquisitions.

      • One-Pager: M&A Discovery & Strategy – Buy
      • Case Study: M&A Discovery & Strategy – Buy

      3. Due Diligence & Preparation

      Evaluate the target organizations to minimize risk and have an established integration project plan.

      • One-Pager: M&A Due Diligence & Preparation – Buy
      • Case Study: M&A Due Diligence & Preparation – Buy
      • IT Due Diligence Charter
      • Technical Debt Business Impact Analysis Tool
      • IT Culture Diagnostic
      • M&A Integration Project Management Tool (SharePoint)
      • SharePoint Template: Step-by-Step Deployment Guide
      • M&A Integration Project Management Tool (Excel)
      • Resource Management Supply-Demand Calculator

      4. Execution & Value Realization

      Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

      • One-Pager: M&A Execution & Value Realization – Buy
      • Case Study: M&A Execution & Value Realization – Buy

      Infographic

      Workshop: Mergers & Acquisitions: The Buy Blueprint

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Pre-Transaction Discovery & Strategy

      The Purpose

      Establish the transaction foundation.

      Discover the motivation for acquiring.

      Formalize the program plan.

      Create the valuation framework.

      Strategize the transaction and finalize the M&A strategy and approach.

      Key Benefits Achieved

      All major stakeholders are on the same page.

      Set up crucial elements to facilitate the success of the transaction.

      Have a repeatable transaction strategy that can be reused for multiple organizations.

      Activities

      1.1 Conduct the CIO Business Vision and CEO-CIO Alignment Diagnostics.

      1.2 Identify key stakeholders and outline their relationship to the M&A process.

      1.3 Identify the rationale for the company's decision to pursue an acquisition.

      1.4 Assess the IT/digital strategy.

      1.5 Identify pain points and opportunities tied to the acquisition.

      1.6 Create the IT vision and mission statements and identify IT guiding principles and the transition team.

      1.7 Document the M&A governance.

      1.8 Establish program metrics.

      1.9 Create the valuation framework.

      1.10 Establish the integration strategy.

      1.11 Conduct a RACI.

      1.12 Create the communication plan.

      1.13 Prepare to assess target organization(s).

      Outputs

      Business perspectives of IT

      Stakeholder network map for M&A transactions

      Business context implications for IT

      IT’s acquiring strategic direction

      Governance structure

      M&A program metrics

      IT valuation framework

      Integration strategy

      RACI

      Communication plan

      Prepared to assess target organization(s)

      2 Mid-Transaction Due Diligence & Preparation

      The Purpose

      Establish the transaction foundation.

      Discover the motivation for integration.

      Assess the target organization(s).

      Create the valuation framework.

      Plan the integration roadmap.

      Key Benefits Achieved

      All major stakeholders are on the same page.

      Methodology identified to assess organizations during due diligence.

      Methodology can be reused for multiple organizations.

      Integration activities are planned and assigned.

      Activities

      2.1 Gather and evaluate the stakeholders involved, M&A strategy, future-state operating model, and governance.

      2.2 Review the business rationale for the acquisition.

      2.3 Establish the integration strategy.

      2.4 Create the due diligence charter.

      2.5 Create a list of IT artifacts to be reviewed in the data room.

      2.6 Conduct a technical debt assessment.

      2.7 Assess the current culture and identify the goal culture.

      2.8 Identify the needed workforce supply.

      2.9 Create the valuation framework.

      2.10 Establish the integration roadmap.

      2.11 Establish and align project metrics with identified tasks.

      2.12 Estimate integration costs.

      Outputs

      Stakeholder map

      IT strategy assessment

      IT operating model and IT governance structure defined

      Business context implications for IT

      Integration strategy

      Due diligence charter

      Data room artifacts

      Technical debt assessment

      Culture assessment

      Workforce supply identified

      IT valuation framework

      Integration roadmap and associated resourcing

      3 Post-Transaction Execution & Value Realization

      The Purpose

      Establish the transaction foundation.

      Discover the motivation for integration.

      Plan the integration roadmap.

      Prepare employees for the transition.

      Engage in integration.

      Assess the transaction outcomes.

      Key Benefits Achieved

      All major stakeholders are on the same page.

      Integration activities are planned and assigned.

      Employees are set up for a smooth and successful transition.

      Integration strategy and roadmap executed to benefit the organization.

      Review what went well and identify improvements to be made in future transactions.

      Activities

      3.1 Identify key stakeholders and determine IT transaction team.

      3.2 Gather and evaluate the M&A strategy, future-state operating model, and governance.

      3.3 Review the business rationale for the acquisition.

      3.4 Establish the integration strategy.

      3.5 Prioritize integration tasks.

      3.6 Establish the integration roadmap.

      3.7 Establish and align project metrics with identified tasks.

      3.8 Estimate integration costs.

      3.9 Assess the current culture and identify the goal culture.

      3.10 Identify the needed workforce supply.

      3.11 Create an employee transition plan.

      3.12 Create functional workplans for employees.

      3.13 Complete the integration by regularly updating the project plan.

      3.14 Begin to rationalize the IT environment where possible and necessary.

      3.15 Confirm integration costs.

      3.16 Review IT’s transaction value.

      3.17 Conduct a transaction and integration SWOT.

      3.18 Review the playbook and prepare for future transactions.

      Outputs

      M&A transaction team

      Stakeholder map

      IT strategy assessed

      IT operating model and IT governance structure defined

      Business context implications for IT

      Integration strategy

      Integration roadmap and associated resourcing

      Culture assessment

      Workforce supply identified

      Employee transition plan

      Employee functional workplans

      Updated integration project plan

      Rationalized IT environment

      SWOT of transaction

      M&A Buy Playbook refined for future transactions

      Further reading

      Mergers & Acquisitions: The Buy Blueprint

      For IT leaders who want to have a role in the transaction process when their business is engaging in an M&A purchase.

      EXECUTIVE BRIEF

      Analyst Perspective

      Don’t wait to be invited to the M&A table, make it.

      Photo of Brittany Lutes, Research Analyst, CIO Practice, Info-Tech Research Group.
      Brittany Lutes
      Research Analyst,
      CIO Practice
      Info-Tech Research Group
      Photo of Ibrahim Abdel-Kader, Research Analyst, CIO Practice, Info-Tech Research Group.
      Ibrahim Abdel-Kader
      Research Analyst,
      CIO Practice
      Info-Tech Research Group

      IT has always been an afterthought in the M&A process, often brought in last minute once the deal is nearly, if not completely, solidified. This is a mistake. When IT is brought into the process late, the business misses opportunities to generate value related to the transaction and has less awareness of critical risks or inaccuracies.

      To prevent this mistake, IT leadership needs to develop strong business relationships and gain respect for their innovative suggestions. In fact, when it comes to modern M&A activity, IT should be the ones suggesting potential transactions to meet business needs, specifically when it comes to modernizing the business or adopting digital capabilities.

      IT needs to stop waiting to be invited to the acquisition or divestiture table. IT needs to suggest that the table be constructed and actively work toward achieving the strategic objectives of the business.

      Executive Summary

      Your Challenge

      There are four key scenarios or entry points for IT as the acquiring organization in M&As:

      • IT can suggest an acquisition to meet the business objectives of the organization.
      • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
      • IT participates in due diligence activities and valuates the organization potentially being acquired.
      • IT needs to reactively prepare its environment to enable the integration.

      Consider the ideal scenario for your IT organization.

      Common Obstacles

      Some of the obstacles IT faces include:

      • IT is often told about the transaction once the deal has already been solidified and is now forced to meet unrealistic business demands.
      • The business does not trust IT and therefore does not approach IT to define value or reduce risks to the transaction process.
      • The people and culture element are forgotten or not given adequate priority.

      These obstacles often arise when IT waits to be invited into the transaction process and misses critical opportunities.

      Info-Tech's Approach

      Prepare for a growth/integration transaction by:

      • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
      • Creating a standard strategy that will enable strong program management.
      • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

      Info-Tech Insight

      As the number of merger, acquisition, and divestiture transactions continues to increase, so too does IT’s opportunity to leverage the growing digital nature of these transactions and get involved at the onset.

      The changing M&A landscape

      Businesses will embrace more digital M&A transactions in the post-pandemic world

      • When the pandemic occurred, businesses reacted by either pausing (61%) or completely cancelling (46%) deals that were in the mid-transaction state (Deloitte, 2020). The uncertainty made many organizations consider whether the risks would be worth the potential benefits.
      • However, many organizations quickly realized the pandemic is not a hindrance to M&A transactions but an opportunity. Over 16,000 American companies were involved in M&A transactions in the first six months of 2021 (The Economist). For reference, this had been averaging around 10,000 per six months from 2016 to 2020.
      • In addition to this transaction growth, organizations have increasingly been embracing digital. These trends increase the likelihood that, as an IT leader, you will engage in an M&A transaction. However, it is up to you when you get involved in the transactions.

      The total value of transactions in the year after the pandemic started was $1.3 billion – a 93% increase in value compared to before the pandemic. (Nasdaq)

      Virtual deal-making will be the preferred method of 55% of organizations in the post-pandemic world. (Wall Street Journal, 2020)

      Your challenge

      IT is often not involved in the M&A transaction process. When it is, it’s often too late.

      • The most important driver of an acquisition is the ability to access new technology (DLA Piper), and yet 50% of the time, IT isn’t involved in the M&A transaction at all (IMAA Institute, 2017).
      • Additionally, IT’s lack of involvement in the process negatively impacts the business:
        • Most organizations (60%) do not have a standardized approach to integration (Steeves and Associates).
        • Weak integration teams contribute to the failure of 70% of M&A integrations (The Wall Street Journal, 2019).
        • Less than half (47%) of organizations actually experience the positive results sought by the M&A transaction (Steeves and Associates).
      • Organizations pursuing M&A and not involving IT are setting themselves up for failure.

      Only half of M&A deals involve IT (Source: IMAA Institute, 2017)

      Common Obstacles

      These barriers make this challenge difficult to address for many organizations:

      • IT is rarely afforded the opportunity to participate in the transaction deal. When IT is invited, this often happens later in the process where integration will be critical to business continuity.
      • IT has not had the opportunity to demonstrate that it is a valuable business partner in other business initiatives.
      • One of the most critical elements that IT often doesn’t take the time or doesn’t have the time to focus on is the people and leadership component.
      • IT waits to be invited to the process rather then actively involving themselves and suggesting how value can be added to the process.

      In hindsight, it’s clear to see: Involving IT is just good business.

      47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion. (Source: IMAA Institute, 2017)

      40% of acquiring businesses discovered a cybersecurity problem at an acquisition.” (Source: Okta)

      Info-Tech's approach

      Acquisitions & Divestitures Framework

      Acquisitions and divestitures are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

      1. The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
      2. Transactions that are driven by digital motivations, requiring IT’s expertise.
      3. A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
      4. There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.
      A diagram highlighting the 'IT Executives' Role in Acquisitions and Divestitures' when they are integrated at different points in the 'Core Business Timeline'. There are four main entry points 'Proactive', 'Discovery and Strategy', 'Due Diligence and Preparation', and 'Execution and Value Realized'. It is highlighted that IT can and should start at 'Proactive', but most organizations start at 'Execution and Value Realized'. 'Proactive': suggest opportunities to evolve the organization; prove IT's value and engage in growth opportunities early. Innovators start here. Steps of the business timeline in 'Proactive' are 'Organization strategies are defined' and 'M and A is considered to enable strategy'. After a buy or sell transaction is initiated is 'Discovery and Strategy': pre-transaction state. If it is a Buy transaction, 'Establish IT's involvement and approach'. If it is a Sell transaction, 'Prepare to engage in negotiations'. Business Partners start here. Steps of the business timeline in 'Discovery and Strategy' are 'Searching criteria is set', 'Potential candidates are considered', and 'LOI is sent/received'. 'Due Diligence and Preparation': mid-transaction state. If it is a Buy transaction, 'Identify potential transaction benefits and risks'. If it is a Sell transaction, 'Comply, communicate, and collaborate in transaction'. Trusted Operators start here. Steps of the business timeline in 'Due Diligence and Preparation' are 'Due diligence engagement occurs', 'Final agreement is reached', and 'Preparation for transaction execution occurs'. 'Execution and Value Realization': post-transaction state. If it is a Buy transaction, 'Integrate the IT environments and achieve business value'. If it is a Sell transaction, 'Separate the IT environment and deliver on transaction terms'. Firefighters start here. Steps of the business timeline in 'Execution and Value Realization' are 'Staff and operations are addressed appropriately', 'Day 1 of implementation and integration activities occurs', '1st 100 days of new entity state occur' and 'Ongoing risk mitigating and value creating activities occur'.

      The business’ view of IT will impact how soon IT can get involved

      There are four key entry points for IT

      A colorful visualization of the four key entry points for IT and a fifth not-so-key entry point. Starting from the top: 'Innovator', Information and Technology as a Competitive Advantage, 90% Satisfaction; 'Business Partner', Effective Delivery of Strategic Business Projects, 80% Satisfaction; 'Trusted Operator', Enablement of Business Through Application and Work Orders, 70% Satisfaction; 'Firefighter', Reliable Infrastructure and IT Service Desk, 60% Satisfaction; and then 'Unstable', Inability to Consistently Deliver Basic Services, <60% Satisfaction.
      1. Innovator: IT suggests an acquisition to meet the business objectives of the organization.
      2. Business Partner: IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspective.
      3. Trusted Operator: IT participates in due diligence activities and valuates the organization potentially being acquired.
      4. Firefighter: IT reactively engages in the integration with little time to prepare.

      Merger, acquisition, and divestiture defined

      Merger

      A merger looks at the equal combination of two entities or organizations. Mergers are rare in the M&A space, as the organizations will combine assets and services in a completely equal 50/50 split. Two organizations may also choose to divest business entities and merge as a new company.

      Acquisition

      The most common transaction in the M&A space, where an organization will acquire or purchase another organization or entities of another organization. This type of transaction has a clear owner who will be able to make legal decisions regarding the acquired organization.

      Divestiture

      An organization may decide to sell partial elements of a business to an acquiring organization. They will separate this business entity from the rest of the organization and continue to operate the other components of the business.

      Info-Tech Insight

      A true merger does not exist, as there is always someone initiating the discussion. As a result, most M&A activity falls into acquisition or divestiture categories.

      Buying vs. selling

      The M&A process approach differs depending on whether you are the executive IT leader on the buy side or sell side

      This blueprint is only focused on the buy side:

      • More than two organizations could be involved in a transaction.
      • Examples of buy-related scenarios include:
        • Your organization is buying another organization with the intent of having the purchased organization keep its regular staff, operations, and location. This could mean minimal integration is required.
        • Your organization is buying another organization in its entirety with the intent of integrating it into your original company.
        • Your organization is buying components of another organization with the intent of integrating them into your original company.
      • As the purchasing organization, you will probably be initiating the purchase and thus will be valuating the selling organization during due diligence and leading the execution plan.

      The sell side is focused on:

      • Examples of sell-related scenarios include:
        • Your organization is selling to another organization with the intent of keeping its regular staff, operations, and location. This could mean minimal separation is required.
        • Your organization is selling to another organization with the intent of separating to be a part of the purchasing organization.
        • Your organization is engaging in a divestiture with the intent of:
          • Separating components to be part of the purchasing organization permanently.
          • Separating components to be part of a spinoff and establish a unit as a standalone new company.
      • As the selling organization, you could proactively seek out suitors to purchase all or components of your organization, or you could be approached by an organization.

      For more information on divestitures or selling your entire organization, check out Info-Tech’s Mergers & Acquisitions: The Sell Blueprint.

      Core business timeline

      For IT to be valuable in M&As, you need to align your deliverables and your support to the key activities the business and investors are working on.

      Info-Tech’s methodology for Buying Organizations in Mergers, Acquisitions, or Divestitures

      1. Proactive

      2. Discovery & Strategy

      3. Due Diligence & Preparation

      4. Execution & Value Realization

      Phase Steps

      1. Identify Stakeholders and Their Perspective of IT
      2. Assess IT’s Current Value and Future State
      3. Drive Innovation and Suggest Growth Opportunities
      1. Establish the M&A Program Plan
      2. Prepare IT to Engage in the Acquisition
      1. Assess the Target Organization
      2. Prepare to Integrate
      1. Execute the Transaction
      2. Reflection and Value Realization

      Phase Outcomes

      Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

      Create a standardized approach for how your IT organization should address acquisitions.

      Evaluate the target organizations successfully and establish an integration project plan.

      Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

      Potential metrics for each phase

      1. Proactive

      2. Discovery & Strategy

      3. Due Diligence & Preparation

      4. Execution & Value Realization

      • % Share of business innovation spend from overall IT budget
      • % Critical processes with approved performance goals and metrics
      • % IT initiatives that meet or exceed value expectation defined in business case
      • % IT initiatives aligned with organizational strategic direction
      • % Satisfaction with IT's strategic decision-making abilities
      • $ Estimated business value added through IT-enabled innovation
      • % Overall stakeholder satisfaction with IT
      • % Percent of business leaders that view IT as an Innovator
      • % IT budget as a percent of revenue
      • % Assets that are not allocated
      • % Unallocated software licenses
      • # Obsolete assets
      • % IT spend that can be attributed to the business (chargeback or showback)
      • % Share of CapEx of overall IT budget
      • % Prospective organizations that meet the search criteria
      • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
      • % Business leaders that view IT as a Business Partner
      • % Defects discovered in production
      • $ Cost per user for enterprise applications
      • % In-house-built applications vs. enterprise applications
      • % Owners identified for all data domains
      • # IT staff asked to participate in due diligence
      • Change to due diligence
      • IT budget variance
      • Synergy target
      • % Satisfaction with the effectiveness of IT capabilities
      • % Overall end-customer satisfaction
      • $ Impact of vendor SLA breaches
      • $ Savings through cost-optimization efforts
      • $ Savings through application rationalization and technology standardization
      • # Key positions empty
      • % Frequency of staff turnover
      • % Emergency changes
      • # Hours of unplanned downtime
      • % Releases that cause downtime
      • % Incidents with identified problem record
      • % Problems with identified root cause
      • # Days from problem identification to root cause fix
      • % Projects that consider IT risk
      • % Incidents due to issues not addressed in the security plan
      • # Average vulnerability remediation time
      • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
      • # Time (days) to value realization
      • % Projects that realized planned benefits
      • $ IT operational savings and cost reductions that are related to synergies/divestitures
      • % IT staff–related expenses/redundancies
      • # Days spent on IT integration
      • $ Accurate IT budget estimates
      • % Revenue growth directly tied to IT delivery
      • % Profit margin growth

      The IT executive’s role in the buying transaction is critical

      And IT leaders have a greater likelihood than ever of needing to support a merger, acquisition, or divestiture.

      1. Reduced Risk

        IT can identify risks that may go unnoticed when IT is not involved.
      2. Increased Accuracy

        The business can make accurate predictions around the costs, timelines, and needs of IT.
      3. Faster Integration

        Faster integration means faster value realization for the business.
      4. Informed Decision Making

        IT leaders hold critical information that can support the business in moving the transaction forward.
      5. Innovation

        IT can suggest new opportunities to generate revenue, optimize processes, or reduce inefficiencies.

      The IT executive’s critical role is demonstrated by:

      • Reduced Risk

        47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion (IMAA Institute, 2017).
      • Increased Accuracy

        87% of respondents to a Deloitte survey effectively conducted a virtual deal, with a focus on cybersecurity and integration (Deloitte, 2020).
      • Faster Integration

        Integration costs range from as low as $4 million to as high as $3.8 billion, making the process an investment for the organization (CIO Dive).
      • Informed Decision Making

        Only 38% of corporate and 22% of private equity firms include IT as a significant aspect in their transaction approach (IMAA Institute, 2017).
      • Innovation

        Successful CIOs involved in M&As can spend 70% of their time on aspects outside of IT and 30% of their time on technology and delivery (CIO).

      Playbook benefits

      IT Benefits

      • IT will be seen as an innovative partner to the business, and its suggestions and involvement in the organization will lead to benefits, not hindrances.
      • Develop a streamlined method to valuate the potential organization being purchased and ensure risk management concerns are brought to the business’ attention immediately.
      • Create a comprehensive list of items that IT needs to do during the integration that can be prioritized and actioned.

      Business Benefits

      • The business will get accurate and relevant information about the organization being acquired, ensuring that the anticipated value of the transaction is correctly planned for.
      • Fewer business interruptions will happen, because IT can accurately plan for and execute the high-priority integration tasks.
      • The business can make a fair offer to the purchased organization, having properly valuated all aspects being bought, including the IT environment.

      Insight summary

      Overarching Insight

      As an IT executive, take control of when you get involved in a growth transaction. Do this by proactively identifying acquisition targets, demonstrating the value of IT, and ensuring that integration of IT environments does not lead to unnecessary and costly decisions.

      Proactive Insight

      CIOs on the forefront of digital transformation need to actively look for and suggest opportunities to acquire or partner on new digital capabilities to respond to rapidly changing business needs.

      Discovery & Strategy Insight

      IT organizations that have an effective M&A program plan are more prepared for the buying transaction, enabling a successful outcome. A structured strategy is particularly necessary for organizations expected to deliver M&As rapidly and frequently.

      Due Diligence & Preparation Insight

      Most IT synergies can be realized in due diligence. It is more impactful to consider IT processes and practices (e.g. contracts and culture) in due diligence rather than later in the integration.

      Execution & Value Realization Insight

      IT needs to realize synergies within the first 100 days of integration. The most successful transactions are when IT continuously realizes synergies a year after the transaction and beyond.

      Blueprint deliverables

      Key Deliverable: M&A Buy Playbook

      The M&A Buy Playbook should be a reusable document that enables your IT organization to successfully deliver on any acquisition transaction.

      Screenshots of the 'M and A Buy Playbook' deliverable.

      M&A Buy One-Pager

      See a one-page overview of each phase of the transaction.

      Screenshots of the 'M and A Buy One-Pagers' deliverable.

      M&A Buy Case Studies

      Read a one-page case study for each phase of the transaction.

      Screenshots of the 'M and A Buy Case Studies' deliverable.

      M&A Integration Project Management Tool (SharePoint)

      Manage the integration process of the acquisition using this SharePoint template.

      Screenshots of the 'M and A Integration Project Management Tool (SharePoint)' deliverable.

      M&A Integration Project Management Tool (Excel)

      Manage the integration process of the acquisition using this Excel tool if you can’t or don’t want to use SharePoint.

      Screenshots of the 'M and A Integration Project Management Tool (Excel)' deliverable.

      Info-Tech offers various levels of support to best suit your needs

      DIY Toolkit

      Guided Implementation

      Workshop

      Consulting

      "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

      Diagnostics and consistent frameworks used throughout all four options

      Guided Implementation

      What does a typical GI on this topic look like?

      A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

      A typical GI is between 6 to 10 calls over the course of 2 to 4 months.

        Proactive Phase

      • Call #1: Scope requirements, objectives, and your specific challenges.
      • Discovery & Strategy Phase

      • Call #2: Determine stakeholders and their perspectives of IT.
      • Call #3: Identify how M&A could support business strategy and how to communicate.
      • Due Diligence & Preparation Phase

      • Call #4: Establish a transaction team and acquisition strategic direction.
      • Call #5: Create program metrics and identify a standard integration strategy.
      • Call #6: Assess the potential organization(s).
      • Call #7: Identify the integration program plan.
      • Execution & Value Realization Phase

      • Call #8: Establish employee transitions to retain key staff.
      • Call #9: Assess IT’s ability to deliver on the acquisition transaction.

      The Buy Blueprint

      Phase 1

      Proactive

      Phase 1

      Phase 2 Phase 3 Phase 4
      • 1.1 Identify Stakeholders and Their Perspective of IT
      • 1.2 Assess IT’s Current Value and Future State
      • 1.3 Drive Innovation and Suggest Growth Opportunities
      • 2.1 Establish the M&A Program Plan
      • 2.2 Prepare IT to Engage in the Acquisition
      • 3.1 Assess the Target Organization
      • 3.2 Prepare to Integrate
      • 4.1 Execute the Transaction
      • 4.2 Reflection and Value Realization

      This phase will walk you through the following activities:

      • Conduct the CEO-CIO Alignment diagnostic
      • Conduct the CIO Business Vision diagnostic
      • Visualize relationships among stakeholders to identify key influencers
      • Group stakeholders into categories
      • Prioritize your stakeholders
      • Plan to communicate
      • Valuate IT
      • Assess the IT/digital strategy
      • Determine pain points and opportunities
      • Align goals to opportunities
      • Recommend growth opportunities

      This phase involves the following participants:

      • IT and business leadership

      What is the Proactive phase?

      Embracing the digital drivers

      As the number of merger, acquisition, or divestiture transactions driven by digital means continues to increase, IT has an opportunity to not just be involved in a transaction but actively seek out potential deals.

      In the Proactive phase, the business is not currently considering a transaction. However, the business could consider one to reach its strategic goals. IT organizations that have developed respected relationships with the business leaders can suggest these potential transactions.

      Understand the business’ perspective of IT, determine who the critical M&A stakeholders are, valuate the IT environment, and examine how it supports the business goals in order to suggest an M&A transaction.

      In doing so, IT isn’t waiting to be invited to the transaction table – it’s creating it.

      Goal: To support the organization in reaching its strategic goals by suggesting M&A activities that will enable the organization to reach its objectives faster and with greater-value outcomes.

      Proactive Prerequisite Checklist

      Before coming into the Proactive phase, you should have addressed the following:

      • Understand what mergers, acquisitions, and divestitures are.
      • Understand what mergers, acquisitions, and divestitures mean for the business.
      • Understand what mergers, acquisitions, and divestitures mean for IT.

      Review the Executive Brief for more information on mergers, acquisitions, and divestitures for purchasing organizations.

      Proactive

      Step 1.1

      Identify M&A Stakeholders and Their Perspective of IT

      Activities

      • 1.1.1 Conduct the CEO-CIO Alignment diagnostic
      • 1.1.2 Conduct the CIO Business Vision diagnostic
      • 1.1.3 Visualize relationships among stakeholders to identify key influencers
      • 1.1.4 Group stakeholders into categories
      • 1.1.5 Prioritize your stakeholders
      • 1.16 Plan to communicate

      This step involves the following participants:

      • IT executive leader
      • IT leadership
      • Critical M&A stakeholders

      Outcomes of Step

      Understand how the business perceives IT and establish strong relationships with critical M&A stakeholders.

      Business executives' perspectives of IT

      Leverage diagnostics and gain alignment on IT’s role in the organization

      • To suggest or get involved with a merger, acquisition, or divestiture, the IT executive leader needs to be well respected by other members of the executive leadership team and the business.
      • Specifically, the Proactive phase relies on the IT organization being viewed as an Innovator within the business.
      • Identify how the CEO/business executive currently views IT and where they would like IT to move within the Maturity Ladder.
      • Additionally, understand how other critical department leaders view IT and how they view the partnership with IT.
      A colorful visualization titled 'Maturity Ladder' detailing levels of IT function that a business may choose from based on the business executives' perspectives of IT. Starting from the bottom: 'Struggle', Does not embarrass, Does not crash; 'Support', Keeps business happy, Keeps costs low; 'Optimize', Increases efficiency, Decreases costs; 'Expand', Extends into new business, Generates revenue; 'Transform', Creates new industry.

      Misalignment in target state requires further communication between the CIO and CEO to ensure IT is striving toward an agreed-upon direction.

      Info-Tech’s CIO Business Vision (CIO BV) diagnostic measures a variety of high-value metrics to provide a well-rounded understanding of stakeholder satisfaction with IT.

      Sample of Info-Tech's CIO Business Vision diagnostic measuring percentages of high-value metrics like 'IT Satisfaction' and 'IT Value' regarding business leader satisfaction. A note for these two reads 'Evaluate business leader satisfaction with IT this year and last year'. A section titled 'Relationship' has metrics such as 'Understands Needs' and 'Trains Effectively'. A note for this section reads 'Examine indicators of the relationship between IT and the business'. A section titled 'Security Friction' has metrics such as 'Regulatory Compliance-Driven' and 'Office/Desktop Security'.

      Business Satisfaction and Importance for Core Services

      The core services of IT are important when determining what IT should focus on. The most important services with the lowest satisfaction offer the largest area of improvement for IT to drive business value.

      Sample of Info-Tech's CIO Business Vision diagnostic specifically comparing the business satisfaction of 12 core services with their importance. Services listed include 'Service Desk', 'IT Security', 'Requirements Gathering', 'Business Apps', 'Data Quality', and more. There is a short description of the services, a percentage for the business satisfaction with the service, a percentage comparing it to last year, and a numbered ranking of importance for each service. A note reads 'Assess satisfaction and importance across 12 core IT capabilities'.

      1.1.1 Conduct the CEO-CIO Alignment diagnostic

      2 weeks

      Input: IT organization expertise and the CEO-CIO Alignment diagnostic

      Output: An understanding of an executive business stakeholder’s perception of IT

      Materials: CEO-CIO Alignment diagnostic, M&A Buy Playbook

      Participants: IT executive/CIO, Business executive/CEO

      1. The CEO-CIO Alignment diagnostic can be a powerful input. Speak with your Info-Tech account representative to conduct the diagnostic. Use the results to inform current IT capabilities.
      2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret and draw conclusions from the results.
      3. Examine the results of the survey and note where there might be specific capabilities that could be improved.
      4. Determine whether there are any areas of significant disagreement between the you and the CEO. Mark down those areas for further conversations. Additionally, take note of areas that could be leveraged to support growth transactions or support your rationale in recommending growth transactions.

      Download the sample report.

      Record the results in the M&A Buy Playbook.

      1.1.2 Conduct the CIO Business Vision diagnostic

      2 weeks

      Input: IT organization expertise, CIO BV diagnostic

      Output: An understanding of business stakeholder perception of certain IT capabilities and services

      Materials: CIO Business Vision diagnostic, Computer, Whiteboard and markers, M&A Buy Playbook

      Participants: IT executive/CIO, Senior business leaders

      1. The CIO Business Vision (CIO BV) diagnostic can be a powerful tool for identifying IT capability focus areas. Speak with your account representative to conduct the CIO BV diagnostic. Use the results to inform current IT capabilities.
      2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret the results and draw conclusions from the diagnostic.
      3. Examine the results of the survey and take note of any IT services that have low scores.
      4. Read through the diagnostic comments and note any common themes. Especially note which stakeholders identified they have a favorable relationship with IT and which stakeholders identified they have an unfavorable relationship. For those who have an unfavorable relationship, identify if they will have a critical role in a growth transaction.

      Download the sample report.

      Record the results in the M&A Buy Playbook.

      Create a stakeholder network map for M&A transactions

      Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

      Example:

      Diagram of stakeholders and their relationships with other stakeholders, such as 'Board Members', 'CFO/Finance', 'Compliance', etc. with 'CIO/IT Leader' highlighted in the middle. There are unidirectional black arrows and bi-directional green arrows indicating each connection.

        Legend
      • Black arrows indicate the direction of professional influence
      • Dashed green arrows indicate bidirectional, informal influence relationships

      Info-Tech Insight

      Your stakeholder map defines the influence landscape that the M&A transaction will occur within. This will identify who holds various levels of accountability and decision-making authority when a transaction does take place.

      Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

      1.1.3 Visualize relationships among stakeholders to identify key influencers

      1-3 hours

      Input: List of M&A stakeholders

      Output: Relationships among M&A stakeholders and influencers

      Materials: M&A Buy Playbook

      Participants: IT executive leadership

      1. The purpose of this activity is to list all the stakeholders within your organization that will have a direct or indirect impact on the M&A transaction.
      2. Determine the critical stakeholders, and then determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
      3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
      4. Construct a diagram linking stakeholders and their influencers together.
        • Use black arrows to indicate the direction of professional influence.
        • Use dashed green arrows to indicate bidirectional, informal influence relationships.

      Record the results in the M&A Buy Playbook.

      Categorize your stakeholders with a prioritization map

      A stakeholder prioritization map helps IT leaders categorize their stakeholders by their level of influence and ownership in the merger, acquisition, or divestiture process.

      A prioritization map of stakeholder categories split into four quadrants. The vertical axis is 'Influence', from low on the bottom to high on top. The horizontal axis is 'Ownership/Interest', from low on the left to high on the right. 'Spectators' are low influence, low ownership/interest. 'Mediators' are high influence, low ownership/interest. 'Noisemakers' are low influence, high ownership/interest. 'Players' are high influence, high ownership/interest.

      There are four areas in the map, and the stakeholders within each area should be treated differently.

      Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

      Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

      Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

      Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

      1.1.4 Group stakeholders into categories

      30 minutes

      Input: Stakeholder map, Stakeholder list

      Output: Categorization of stakeholders and influencers

      Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

      Participants: IT executive leadership, Stakeholders

      1. Identify your stakeholders’ interest in and influence on the M&A process as high, medium, or low by rating the attributes below.
      2. Map your results to the model to the right to determine each stakeholder’s category.

      Same prioritization map of stakeholder categories as before. This one has specific stakeholders mapped onto it. 'CFO' is mapped as low interest and middling influence, between 'Mediator' and 'Spectator'. 'CIO' is mapped as higher than average interest and high influence, a 'Player'. 'Board Member' is mapped as high interest and high influence, a 'Player'.

      Level of Influence
      • Power: Ability of a stakeholder to effect change.
      • Urgency: Degree of immediacy demanded.
      • Legitimacy: Perceived validity of stakeholder’s claim.
      • Volume: How loud their “voice” is or could become.
      • Contribution: What they have that is of value to you.
      Level of Interest

      How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

      Record the results in the M&A Buy Playbook.

      Prioritize your stakeholders

      There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

      Level of Support

      Supporter

      Evangelist

      Neutral

      Blocker

      Stakeholder Category Player Critical High High Critical
      Mediator Medium Low Low Medium
      Noisemaker High Medium Medium High
      Spectator Low Irrelevant Irrelevant Low

      Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How significant is that stakeholder to the M&A or divestiture process?

      These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

      1.1.5 Prioritize your stakeholders

      30 minutes

      Input: Stakeholder matrix

      Output: Stakeholder and influencer prioritization

      Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

      Participants: IT executive leadership, M&A/divestiture stakeholders

      1. Identify the level of support of each stakeholder by answering the following question: How significant is that stakeholder to the M&A transaction process?
      2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

      Stakeholder

      Category

      Level of Support

      Prioritization

      CMO Spectator Neutral Irrelevant
      CIO Player Supporter Critical

      Record the results in the M&A Buy Playbook.

      Define strategies for engaging stakeholders by type

      A revisit to the map of stakeholder categories, but with strategies listed for each one, and arrows on the side instead of an axis. The vertical arrow is 'Authority', which increases upward, and the horizontal axis is Ownership/Interest which increases as it moves to the right. The strategy for 'Players' is 'Engage', for 'Mediators' is 'Satisfy', for 'Noisemakers' is 'Inform', and for 'Spectators' is 'Monitor'.

      Type

      Quadrant

      Actions

      Players High influence, high interest – actively engage Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.
      Mediators High influence, low interest – keep satisfied They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.
      Noisemakers Low influence, high interest – keep informed Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
      Spectators Low influence, low interest – monitor They are followers. Keep them in the loop by providing clarity on objectives and status updates.

      Info-Tech Insight

      Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying stakeholder groups, the IT executive leader can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of Mediators and Players are met.

      1.1.6 Plan to communicate

      30 minutes

      Input: Stakeholder priority, Stakeholder categorization, Stakeholder influence

      Output: Stakeholder communication plan

      Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

      Participants: IT executive leadership, M&A/divestiture stakeholders

      The purpose of this activity is to make a communication plan for each of the stakeholders identified in the previous activities, especially those who will have a critical role in the M&A transaction process.

      1. In the M&A Buy Playbook, input the type of influence each stakeholder has on IT, how they would be categorized in the M&A process, and their level of priority. Use this information to create a communication plan.
      2. Determine the methods and frequency of communication to keep the necessary stakeholder satisfied and maintain or enhance IT’s profile within the organization.

      Record the results in the M&A Buy Playbook.

      Proactive

      Step 1.2

      Assess IT’s Current Value and Method to Achieve a Future State

      Activities

      • 1.2.1 Valuate IT
      • 1.2.2 Assess the IT/digital strategy

      This step involves the following participants:

      • IT executive leader
      • IT leadership
      • Critical stakeholders to M&A

      Outcomes of Step

      Identify critical opportunities to optimize IT and meet strategic business goals through a merger, acquisition, or divestiture.

      How to valuate your IT environment

      And why it matters so much

      • Valuating your current organization’s IT environment is a critical step that all IT organizations should take, whether involved in an M&A or not, to fully understand what it might be worth.
      • The business investments in IT can be directly translated into a value amount. For every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
      • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT is so critical.
      • There are three ways a business or asset can be valuated:
        • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
        • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
        • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.
      • (Source: “Valuation Methods,” Corporate Finance Institute)

      Four ways to create value through digital

      1. Reduced costs
      2. Improved customer experience
      3. New revenue sources
      4. Better decision making
      5. (Source: McKinsey & Company)

      1.2.1 Valuate IT

      1 day

      Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

      Output: Valuation of IT

      Materials: Relevant templates/tools listed on the following slides, Capital budget, Operating budget, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership

      The purpose of this activity is to demonstrate that IT is not simply an operational functional area that diminishes business resources. Rather, IT contributes significant value to the business.

      1. Review each of the following slides to valuate IT’s data, applications, infrastructure and operations, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount.
      2. Input the financial amounts identified for each critical area into a summary slide. Use this information to determine where IT is delivering value to the organization.

      Info-Tech Insight

      Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

      Record the results in the M&A Buy Playbook.

      Data valuation

      Data valuation identifies how you monetize the information that your organization owns.

      Create a data value chain for your organization

      When valuating the information and data that exists in an organization, there are many things to consider.

      Info-Tech has two tools that can support this process:

      1. Information Asset Audit Tool: Use this tool first to take inventory of the different information assets that exist in your organization.
      2. Data Valuation Tool: Once information assets have been accounted for, valuate the data that exists within those information assets.

      Data Collection

      Insight Creation

      Value Creation

      Data Valuation

      01 Data Source
      02 Data Collection Method
      03 Data
      04 Data Analysis
      05 Insight
      06 Insight Delivery
      07 Consumer
      08 Value in Data
      09 Value Dimension
      10 Value Metrics Group
      11 Value Metrics
      Screenshots of Tab 2 of Info-Tech's Data Valuation Tool.

      Instructions

      1. Using the Data Valuation Tool, start gathering information based on the eight steps above to understand your organization’s journey from data to value.
      2. Identify the data value spectrum. (For example: customer sales service, citizen licensing service, etc.)
      3. Fill out the columns for data sources, data collection, and data first.
      4. Capture data analysis and related information.
      5. Then capture the value in data.
      6. Add value dimensions such as usage, quality, and economic dimensions.
        • Remember that economic value is not the only dimension, and usage/quality has a significant impact on economic value.
      7. Collect evidence to justify your data valuation calculator (market research, internal metrics, etc.).
      8. Finally, calculate the value that has a direct correlation with underlying value metrics.

      Application valuation

      Calculate the value of your IT applications

      When valuating the applications and their users in an organization, consider using a business process map. This shows how business is transacted in the company by identifying which IT applications support these processes and which business groups have access to them. Info-Tech has a business process mapping tool that can support this process:

      • Enterprise Integration Process Mapping Tool: Complete this tool first to map the different business processes to the supporting applications in your organization.

      Instructions

      1. Start by calculating user costs. This is the product of the (# of users) × (% of time spent using IT) × (fully burdened salary).
      2. Identify the revenue per employee and divide that by the average cost per employee to calculate the derived productivity ratio (DPR).
      3. Once you have calculated the user costs and DPR, multiply those total values together to get the application value.
      4. User Costs

        Total User Costs

        Derived Productivity Ratio (DPR)

        Total DPR

        Application Value

        # of users % time spent using IT Fully burdened salary Multiply values from the 3 user costs columns Revenue per employee Average cost per employee (Revenue P.E) ÷ (Average cost P.E) (User costs) X (DPR)

      5. Once the total application value is established, calculate the combined IT and business costs of delivering that value. IT and business costs include inflexibility (application maintenance), unavailability (downtime costs, including disaster exposure), IT costs (common costs statistically allocated to applications), and fully loaded cost of active (full-time equivalent [FTE]) users.
      6. Calculate the net value of applications by subtracting the total IT and business costs from the total application value calculated in step 3.
      7. IT and Business Costs

        Total IT and Business Costs

        Net Value of Applications

        Application maintenance Downtime costs (include disaster exposure) Common costs allocated to applications Fully loaded costs of active (FTE) users Sum of values from the four IT and business costs columns (Application value) – (IT and business costs)

      (Source: CSO)

      Infrastructure valuation

      Assess the foundational elements of the business’ information technology

      The purpose of this exercise is to provide a high-level infrastructure valuation that will contribute to valuating your IT environment.

      Calculating the value of the infrastructure will require different methods depending on the environment. For example, a fully cloud-hosted organization will have different costs than a fully on-premises IT environment.

      Instructions:

      1. Start by listing all of the infrastructure-related items that are relevant to your organization.
      2. Once you have finalized your items column, identify the total costs/value of each item.
        • For example, total software costs would include servers and storage.
      3. Calculate the total cost/value of your IT infrastructure by adding all of values in the right column.

      Item

      Costs/Value

      Hardware Assets Total Value +$3.2 million
      Hardware Leased/Service Agreement -$
      Software Purchased +$
      Software Leased/Service Agreement -$
      Operational Tools
      Network
      Disaster Recovery
      Antivirus
      Data Centers
      Service Desk
      Other Licenses
      Total:

      For additional support, download the M&A Runbook for Infrastructure and Operations.

      Risk and security

      Assess risk responses and calculate residual risk

      The purpose of this exercise is to provide a high-level risk assessment that will contribute to valuating your IT environment. For a more in-depth risk assessment, please refer to the Info-Tech tools below:

      1. Risk Register Tool
      2. Security M&A Due Diligence Tool

      Instructions

      1. Review the probability and impact scales below and ensure you have the appropriate criteria that align to your organization before you conduct a risk assessment.
      2. Identify the probability of occurrence and estimated financial impact for each risk category detail and fill out the table on the right. Customize the table as needed so it aligns to your organization.
      3. Probability of Risk Occurrence

        Occurrence Criteria
        (Classification; Probability of Risk Event Within One Year)

        Negligible Very Unlikely; ‹20%
        Very Low Unlikely; 20 to 40%
        Low Possible; 40 to 60%
        Moderately Low Likely; 60 to 80%
        Moderate Almost Certain; ›80%

      Note: If needed, you can customize this scale with the severity designations that you prefer. However, make sure you are always consistent with it when conducting a risk assessment.

      Financial & Reputational Impact

      Budgetary and Reputational Implications
      (Financial Impact; Reputational Impact)

      Negligible (‹$10,000; Internal IT stakeholders aware of risk event occurrence)
      Very Low ($10,000 to $25,000; Business customers aware of risk event occurrence)
      Low ($25,000 to $50,000; Board of directors aware of risk event occurrence)
      Moderately Low ($50,000 to $100,000; External customers aware of risk event occurrence)
      Moderate (›$100,000; Media coverage or regulatory body aware of risk event occurrence)

      Risk Category Details

      Probability of Occurrence

      Estimated Financial Impact

      Estimated Severity (Probability X Impact)

      Capacity Planning
      Enterprise Architecture
      Externally Originated Attack
      Hardware Configuration Errors
      Hardware Performance
      Internally Originated Attack
      IT Staffing
      Project Scoping
      Software Implementation Errors
      Technology Evaluation and Selection
      Physical Threats
      Resource Threats
      Personnel Threats
      Technical Threats
      Total:

      1.2.2 Assess the IT/digital strategy

      4 hours

      Input: IT strategy, Digital strategy, Business strategy

      Output: An understanding of an executive business stakeholder’s perception of IT, Alignment of IT/digital strategy and overall organization strategy

      Materials: Computer, Whiteboard and markers, M&A Buy Playbook

      Participants: IT executive/CIO, Business executive/CEO

      The purpose of this activity is to review the business and IT strategies that exist to determine if there are critical capabilities that are not being supported.

      Ideally, the IT and digital strategies would have been created following development of the business strategy. However, sometimes the business strategy does not directly call out the capabilities it requires IT to support.

      1. On the left half of the corresponding slide in the M&A Buy Playbook, document the business goals, initiatives, and capabilities. Input this information from the business or digital strategies. (If more space for goals, initiatives, or capabilities is needed, duplicate the slide).
      2. On the other half of the slide, document the IT goals, initiatives, and capabilities. Input this information from the IT strategy and digital strategy.

      For additional support, see Build a Business-Aligned IT Strategy.

      Record the results in the M&A Buy Playbook.

      Proactive

      Step 1.3

      Drive Innovation and Suggest Growth Opportunities

      Activities

      • 1.3.1 Determine pain points and opportunities
      • 1.3.2 Align goals with opportunities
      • 1.3.3 Recommend growth opportunities

      This step involves the following participants:

      • IT executive leader
      • IT leadership
      • Critical M&A stakeholders

      Outcomes of Step

      Establish strong relationships with critical M&A stakeholders and position IT as an innovative business partner that can suggest growth opportunities.

      1.3.1 Determine pain points and opportunities

      1-2 hours

      Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade

      Output: List of pain points or opportunities that IT can address

      Materials: Computer, Whiteboard and markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Business stakeholders

      The purpose of this activity is to determine the pain points and opportunities that exist for the organization. These can be external or internal to the organization.

      1. Identify what opportunities exist for your organization. Opportunities are the potential positives that the organization would want to leverage.
      2. Next, identify pain points, which are the potential negatives that the organization would want to alleviate.
      3. Spend time considering all the options that might exist, and keep in mind what has been identified previously.

      Opportunities and pain points can be trends, other departments’ initiatives, business perspectives of IT, etc.

      Record the results in the M&A Buy Playbook.

      1.3.2 Align goals with opportunities

      1-2 hours

      Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade, List of pain points and opportunities

      Output: An understanding of an executive business stakeholder’s perception of IT, Foundations for growth strategy

      Materials: Computer, Whiteboard and markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Business stakeholders

      The purpose of this activity is to determine whether a growth or separation strategy might be a good suggestion to the business in order to meet its business objectives.

      1. For the top three to five business goals, consider:
        1. Underlying drivers
        2. Digital opportunities
        3. Whether a growth or reduction strategy is the solution
      2. Just because a growth or reduction strategy is a solution for a business goal does not necessarily indicate M&A is the way to go. However, it is important to consider before you pursue suggesting M&A.

      Record the results in the M&A Buy Playbook.

      1.3.3 Recommend growth opportunities

      1-2 hours

      Input: Growth or separation strategy opportunities to support business goals, Stakeholder communication plan, Rationale for the suggestion

      Output: M&A transaction opportunities suggested

      Materials: M&A Buy Playbook

      Participants: IT executive/CIO, Business executive/CEO

      The purpose of this activity is to recommend a merger, acquisition, or divestiture to the business.

      1. Identify which of the business goals the transaction would help solve and why IT is the one to suggest such a goal.
      2. Leverage the stakeholder communication plan identified previously to give insight into stakeholders who would have a significant level of interest, influence, or support in the process.

      Info-Tech Insight

      With technology and digital driving many transactions, leverage this opening and begin the discussions with your business on how and why an acquisition would be a great opportunity.

      Record the results in the M&A Buy Playbook.

      By the end of this Proactive phase, you should:

      Be prepared to suggest M&A opportunities to support your company’s goals through growth or acquisition transactions

      Key outcome from the Proactive phase

      Develop progressive relationships and strong communication with key stakeholders to suggest or be aware of transformational opportunities that can be achieved through growth or reduction strategies such as mergers, acquisitions, or divestitures.

      Key deliverables from the Proactive phase
      • Business perspective of IT examined
      • Key stakeholders identified and relationship to the M&A process outlined
      • Ability to valuate the IT environment and communicate IT’s value to the business
      • Assessment of the business, digital, and IT strategies and how M&As could support those strategies
      • Pain points and opportunities that could be alleviated or supported through an M&A transaction
      • Acquisition or buying recommendations

      The Buy Blueprint

      Phase 2

      Discovery & Strategy

      Phase 1

      Phase 2

      Phase 3Phase 4
      • 1.1 Identify Stakeholders and Their Perspective of IT
      • 1.2 Assess IT’s Current Value and Future State
      • 1.3 Drive Innovation and Suggest Growth Opportunities
      • 2.1 Establish the M&A Program Plan
      • 2.2 Prepare IT to Engage in the Acquisition
      • 3.1 Assess the Target Organization
      • 3.2 Prepare to Integrate
      • 4.1 Execute the Transaction
      • 4.2 Reflection and Value Realization

      This phase will walk you through the following activities:

      • Create the mission and vision
      • Identify the guiding principles
      • Create the future-state operating model
      • Determine the transition team
      • Document the M&A governance
      • Create program metrics
      • Establish the integration strategy
      • Conduct a RACI
      • Create the communication plan
      • Assess the potential organization(s)

      This phase involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Company M&A team

      Workshop Overview

      Contact your account representative for more information.
      workshops@infotech.com 1-888-670-8889

      Pre-Work

      Day 1

      Day 2

      Day 3

      Day 4

      Day 5

      Establish the Transaction FoundationDiscover the Motivation for AcquiringFormalize the Program PlanCreate the Valuation FrameworkStrategize the TransactionNext Steps and Wrap-Up (offsite)

      Activities

      • 0.1 Conduct the CIO Business Vision and CEO-CIO Alignment diagnostics
      • 0.2 Identify key stakeholders and outline their relationship to the M&A process
      • 0.3 Identify the rationale for the company's decisions to pursue an acquisition
      • 1.1 Review the business rationale for the acquisition
      • 1.2 Assess the IT/digital strategy
      • 1.3 Identify pain points and opportunities tied to the acquisition
      • 1.4 Create the IT vision statement, create the IT mission statement, and identify IT guiding principles
      • 2.1 Create the future-state operating model
      • 2.2 Determine the transition team
      • 2.3 Document the M&A governance
      • 2.4 Establish program metrics
      • 3.1 Valuate your data
      • 3.2 Valuate your applications
      • 3.3 Valuate your infrastructure
      • 3.4 Valuate your risk and security
      • 3.5 Combine individual valuations to make a single framework
      • 4.1 Establish the integration strategy
      • 4.2 Conduct a RACI
      • 4.3 Review best practices for assessing target organizations
      • 4.4 Create the communication plan
      • 5.1 Complete in-progress deliverables from previous four days
      • 5.2 Set up review time for workshop deliverables and to discuss next steps

      Deliverables

      1. Business perspectives of IT
      2. Stakeholder network map for M&A transactions
      1. Business context implications for IT
      2. IT’s acquisition strategic direction
      1. Operating model for future state
      2. Transition team
      3. Governance structure
      4. M&A program metrics
      1. IT valuation framework
      1. Integration strategy
      2. RACI
      3. Communication plan
      1. Completed M&A program plan and strategy
      2. Prepared to assess target organization(s)

      What is the Discovery & Strategy phase?

      Pre-transaction state

      The Discovery & Strategy phase during an acquisition is a unique opportunity for many IT organizations. IT organizations that can participate in the acquisition transaction at this stage are likely considered a strategic partner of the business.

      For one-off acquisitions, IT being invited during this stage of the process is rare. However, for organizations that are preparing to engage in many acquisitions over the coming years, this type of strategy will greatly benefit from IT involvement. Again, the likelihood of participating in an M&A transaction is increasing, making it a smart IT leadership decision to, at the very least, loosely prepare a program plan that can act as a strategic pillar throughout the transaction.

      During this phase of the pre-transaction state, IT will also be asked to participate in ensuring that the potential organization being sought will be able to meet any IT-specific search criteria that was set when the transaction was put into motion.

      Goal: To identify a repeatable program plan that IT can leverage when acquiring all or parts of another organization’s IT environment, ensuring customer satisfaction and business continuity

      Discovery & Strategy Prerequisite Checklist

      Before coming into the Discovery & Strategy phase, you should have addressed the following:

      • Understand the business perspective of IT.
      • Know the key stakeholders and have outlined their relationships to the M&A process.
      • Be able to valuate the IT environment and communicate IT's value to the business.
      • Understand the rationale for the company's decisions to pursue an acquisition and the opportunities or pain points the acquisition should address.

      Discovery & Strategy

      Step 2.1

      Establish the M&A Program Plan

      Activities

      • 2.1.1 Create the mission and vision
      • 2.1.2 Identify the guiding principles
      • 2.1.3 Create the future-state operating model
      • 2.1.4 Determine the transition team
      • 2.1.5 Document the M&A governance
      • 2.1.6 Create program metrics

      This step involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Company M&A team

      Outcomes of Step

      Establish an M&A program plan that can be repeated across acquisitions.

      The vision and mission statements clearly articulate IT’s aspirations and purpose

      The IT vision statement communicates a desired future state of the IT organization, whereas the IT mission statement portrays the organization’s reason for being. While each serves its own purpose, they should both be derived from the business context implications for IT.

      Vision Statements

      Mission Statements

      Characteristics

      • Describe a desired future
      • Focus on ends, not means
      • Concise
      • Aspirational
      • Memorable
      • Articulate a reason for existence
      • Focus on how to achieve the vision
      • Concise
      • Easy to grasp
      • Sharply focused
      • Inspirational

      Samples

      To be a trusted advisor and partner in enabling business innovation and growth through an engaged IT workforce. (Source: Business News Daily) IT is a cohesive, proactive, and disciplined team that delivers innovative technology solutions while demonstrating a strong customer-oriented mindset. (Source: Forbes, 2013)

      2.1.1 Create the mission and vision statements

      2 hours

      Input: Business objectives, IT capabilities, Rationale for the transaction

      Output: IT’s mission and vision statements for growth strategies tied to mergers, acquisitions, and divestitures

      Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to create mission and vision statements that reflect IT’s intent and method to support the organization as it pursues a growth strategy.

      1. Review the definitions and characteristics of mission and vision statements.
      2. Brainstorm different versions of the mission and vision statements.
      3. Edit the statements until you get to a single version of each that accurately reflects IT’s role in the growth process.

      Record the results in the M&A Buy Playbook.

      Guiding principles provide a sense of direction

      IT guiding principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting IT investment portfolio management, solution development, and procurement decisions.

      A diagram illustrating the place of 'IT guiding principles' in the process of making 'Decisions on the use of IT'. There are four main items, connecting lines naming the type of process in getting from one step to the next, and a line underneath clarifying the questions asked at each step. On the far left, over the question 'What decisions should be made?', is 'Business context and IT implications'. This flows forward to 'IT guiding principles', and they are connected by 'Influence'. Next, over the question 'How should decisions be made?', is the main highlighted section. 'IT guiding principles' flows forward to 'Decisions on the use of IT', and they are connected by 'Guide and inform'. On the far right, over the question 'Who has the accountability and authority to make decisions?', is 'IT policies'. This flows back to 'Decisions on the use of IT', and they are connected by 'Direct and control'.

      IT principles must be carefully constructed to make sure they are adhered to and relevant

      Info-Tech has identified a set of characteristics that IT principles should possess. These characteristics ensure the IT principles are relevant and followed in the organization.

      Approach focused. IT principles should be focused on the approach – how the organization is built, transformed, and operated – as opposed to what needs to be built, which is defined by both functional and non-functional requirements.

      Business relevant. Create IT principles that are specific to the organization. Tie IT principles to the organization’s priorities and strategic aspirations.

      Long lasting. Build IT principles that will withstand the test of time.

      Prescriptive. Inform and direct decision making with actionable IT principles. Avoid truisms, general statements, and observations.

      Verifiable. If compliance can’t be verified, people are less likely to follow the principle.

      Easily Digestible. IT principles must be clearly understood by everyone in IT and by business stakeholders. IT principles aren’t a secret manuscript of the IT team. IT principles should be succinct; wordy principles are hard to understand and remember.

      Followed. Successful IT principles represent a collection of beliefs shared among enterprise stakeholders. IT principles must be continuously communicated to all stakeholders to achieve and maintain buy-in.

      In organizations where formal policy enforcement works well, IT principles should be enforced through appropriate governance processes.

      Consider the example principles below

      IT Principle Name

      IT Principle Statement

      1. Risk Management We will ensure that the organization’s IT Risk Management Register is properly updated to reflect all potential risks and that a plan of action against those risks has been identified.
      2. Transparent Communication We will ensure employees are spoken to with respect and transparency throughout the transaction process.
      3. Integration for Success We will create an integration strategy that enables the organization and clearly communicates the resources required to succeed.
      4. Managed Data We will handle data creation, modification, integration, and use across the enterprise in compliance with our data governance policy.
      5. Establish a single IT Environment We will identify, prioritize, and manage the applications and services that IT provides in order to eliminate redundant technology and maximize the value that users and customers experience.
      6. Compliance With Laws and Regulations We will operate in compliance with all applicable laws and regulations for both our organization and the potentially purchased organization.
      7. Defined Value We will create a plan of action that aligns with the organization’s defined value expectations.
      8. Network Readiness We will ensure that employees and customers have immediate access to the network with minimal or no outages.
      9. Operating to Succeed We will bring all of IT into a central operating model within two years of the transaction.

      2.1.2 Identify the guiding principles

      2 hours

      Input: Business objectives, IT capabilities, Rationale for the transaction, Mission and vision statements

      Output: IT’s guiding principles for growth strategies tied to mergers, acquisitions, and divestitures

      Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to create the guiding principles that will direct the IT organization throughout the growth strategy process.

      1. Review the role of guiding principles and the examples of guiding principles that organizations have used.
      2. Brainstorm different versions of the guiding principles. Each guiding principle should start with the phrase “We will…”
      3. Edit and consolidate the statements until you have a list of approximately eight to ten statements that accurately reflect IT’s role in the growth process.
      4. Review the guiding principles every six months to ensure they continue to support the delivery of the business’ growth strategy goals.

      Record the results in the M&A Buy Playbook.

      Create two IT teams to support the transaction

      IT M&A Transaction Team

      • The IT M&A Transaction Team should consist of the strongest members of the IT team who can be expected to deliver on unusual or additional tasks not asked of them in normal day-to-day operations.
      • The roles selected for this team will have very specific skills sets or deliver on critical integration capabilities, making their involvement in the combination of two or more IT environments paramount.
      • These individuals need to have a history of proving themselves very trustworthy, as they will likely be required to sign an NDA as well.
      • Expect to have to certain duplicate capabilities or roles across the M&A transaction team and operational team.

      IT Operational Team

      • This group is responsible for ensuring the business operations continue.
      • These employees might be those who are newer to the organization but can be counted on to deliver consistent IT services and products.
      • The roles of this team should ensure that end users or external customers remain satisfied.

      Key capabilities to support M&A

      Consider the following capabilities when looking at who should be a part of the M&A transaction team.

      Employees who have a significant role in ensuring that these capabilities are being delivered will be a top priority.

      Infrastructure

      • Systems Integration
      • Data Management

      Business Focus

      • Service-Level Management
      • Enterprise Architecture
      • Stakeholder Management
      • Project Management

      Risk & Security

      • Privacy Management
      • Security Management
      • Risk & Compliance Management

      Build a lasting and scalable operating model

      An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy.

      It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design.

      The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.

      As you assess the current operating model, consider the following:

      • Does the operating model contain all the necessary capabilities your IT organization requires to be successful?
      • What capabilities should be duplicated?
      • Are there individuals with the skill set to support those roles? If not, is there a plan to acquire or develop those skills?
      • A dedicated project team strictly focused on M&A is great. However, is it feasible for your organization? If not, what blockers exist?
      A diagram with 'Initiatives' and 'Solutions' on the left and right of an area chart, 'Customer' at the top, the area between them labelled 'Functional Area n', and six horizontal bars labelled 'IT Capability' stacked on top of each other. The 'IT Capability' bars are slightly skewed to the 'Solutions' side of the chart.

      Info-Tech Insight

      Investing time up-front getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and allowing your model to change as the business changes.

      2.1.3 Create the future-state operating model

      4 hours

      Input: Current operating model, IT strategy, IT capabilities, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

      Output: Future-state operating model

      Materials: Operating model, Capability overlay, Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to establish what the future-state operating model will be if your organization needs to adjust to support a growth transaction.

      1. Ensuring that all the IT capabilities are identified by the business and IT strategy, document your organization’s current operating model.
      2. Identify what core capabilities would be critical to the buying transaction process and integration. Highlight and make copies of those capabilities in the M&A Buy Playbook.
      3. Arrange the capabilities to clearly show the flow of inputs and outputs. Identify critical stakeholders of the process (such as customers or end users) if that will help the flow.
      4. Ensure the capabilities that will be decentralized are clearly identified. Decentralized capabilities do not exist within the central IT organization but rather in specific lines of businesses or products to better understand needs and deliver on the capability.

      An example operating model is included in the M&A Buy Playbook. This process benefits from strong reference architecture and capability mapping ahead of time.

      Record the results in the M&A Buy Playbook.

      2.1.4 Determine the transition team

      3 hours

      Input: IT capabilities, Future-state operating model, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

      Output: Transition team

      Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to create a team that will support your IT organization throughout the transaction. Determining which capabilities and therefore which roles will be required ensures that the business will continue to get the operational support it needs.

      1. Based on the outcome of activity 2.1.3, review the capabilities that your organization will require on the transition team. Group capabilities into functional groups containing capabilities that are aligned well with one another because they have similar responsibilities and functionalities.
      2. Replace the capabilities with roles. For example, stakeholder management, requirements gathering, and project management might be one functional group. Project management and stakeholder management might combine to create a project manager role.
      3. Review the examples in the M&A Buy Playbook and identify which roles will be a part of the transition team.

      For more information, see Redesign Your Organizational Structure

      What is governance?

      And why does it matter so much to IT and the M&A process?

      • Governance is the method in which decisions get made, specifically as they impact various resources (time, money, and people).
      • Because M&A is such a highly governed transaction, it is important to document the governance bodies that exist in your organization.
      • This will give insight into what types of governing bodies there are, what decisions they make, and how that will impact IT.
      • For example, funds to support integration need to be discussed, approved, and supplied to IT from a governing body overseeing the acquisition.
      • A highly mature IT organization will have automated governance, while a seemingly non-existent governance process will be considered ad hoc.
      A pyramid with four levels representing the types of governing bodies that are available with differing levels of IT maturity. An arrow beside the pyramid points upward. The bottom of the arrow is labelled 'Traditional (People and document centric)' and the top is labelled 'Adaptive (Data centric)'. Starting at the bottom of the pyramid is level 1 'Ad Hoc Governance', 'Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people'. Level 2 is 'Controlled Governance', 'Governance focused on compliance and decisions driven by hierarchical authority. Levels of authority are defined and often driven by regulatory'. Level 3 is 'Agile Governance', 'Governance that is flexible to support different needs and quick response in the organization. Driven by principles and delegated throughout the company'. At the top of the pyramid is level 4 'Automated Governance', 'Governance that is entrenched and automated into organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival'.

      2.1.5 Document M&A governance

      1-2 hours

      Input: List of governing bodies, Governing body committee profiles, Governance structure

      Output: Documented method on how decisions are made as it relates to the M&A transaction

      Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to determine the method in which decisions are made throughout the M&A transaction as it relates to IT. This will require understanding both governing bodies internal to IT and those external to IT.

      1. First, determine the other governance structures within the organization that will impact the decisions made about M&A. List out these bodies or committees.
      2. Create a profile for each committee that looks at the membership, purpose of the committee, decision areas (authority), and the process of inputs and outputs. Ensure IT committees that will have a role in this process are also documented. Consider the benefits realized, risks, and resources required for each.
      3. Organize the committees into a structure, identifying the committees that have a role in defining the strategy, designing and building, and running.

      Record the results in the M&A Buy Playbook.

      Current-state structure map – definitions of tiers

      Strategy: These groups will focus on decisions that directly connect to the strategic direction of the organization.

      Design & Build: The second tier of groups will oversee prioritization of a certain area of governance as well as design and build decisions that feed into strategic decisions.

      Run: The lowest level of governance will be oversight of more-specific initiatives and capabilities within IT.

      Expect tier overlap. Some committees will operate in areas that cover two or three of these governance tiers.

      Measure the IT program’s success in terms of its ability to support the business’ M&A goals

      Upper management will measure IT’s success based on your ability to support the underlying reasons for the M&A. Using business metrics will help assure business stakeholders that IT understands their needs and is working with the business to achieve them.

      Business-Specific Metrics

      • Revenue Growth: Increase in the top line as seen by market expansion, product expansion, etc. by percentage/time.
      • Synergy Extraction: Reduction in costs as determined by the ability to identify and eliminate redundancies over time.
      • Profit Margin Growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs over time.

      IT-Specific Metrics

      • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure over time.
      • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
      • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
      • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
      • Business capability support: Delivering the end state of IT that supports the expected business capabilities and growth.

      Establish your own metrics to gauge the success of IT

      Establish SMART M&A Success Metrics

      S pecific Make sure the objective is clear and detailed.
      M easurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
      A ctionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
      R ealistic Objectives must be achievable given your current resources or known available resources.
      T ime-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.
      • What should IT consider when looking to identify potential additions, deletions, or modifications that will either add value to the organization or reduce costs/risks?
      • Provide a definition of synergies.
      • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure.
      • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
      • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
      • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
      • Revenue growth: Increase in the top line as a result, as seen by market expansion, product expansion, etc.
      • Synergy extraction: Reduction in costs, as determined by the ability to identify and eliminate redundancies.
      • Profit margin growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs.

      Metrics for each phase

      1. Proactive

      2. Discovery & Strategy

      3. Valuation & Due Diligence

      4. Execution & Value Realization

      • % Share of business innovation spend from overall IT budget
      • % Critical processes with approved performance goals and metrics
      • % IT initiatives that meet or exceed value expectation defined in business case
      • % IT initiatives aligned with organizational strategic direction
      • % Satisfaction with IT's strategic decision-making abilities
      • $ Estimated business value added through IT-enabled innovation
      • % Overall stakeholder satisfaction with IT
      • % Percent of business leaders that view IT as an Innovator
      • % IT budget as a percent of revenue
      • % Assets that are not allocated
      • % Unallocated software licenses
      • # Obsolete assets
      • % IT spend that can be attributed to the business (chargeback or showback)
      • % Share of CapEx of overall IT budget
      • % Prospective organizations that meet the search criteria
      • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
      • % Business leaders that view IT as a Business Partner
      • % Defects discovered in production
      • $ Cost per user for enterprise applications
      • % In-house-built applications vs. enterprise applications
      • % Owners identified for all data domains
      • # IT staff asked to participate in due diligence
      • Change to due diligence
      • IT budget variance
      • Synergy target
      • % Satisfaction with the effectiveness of IT capabilities
      • % Overall end-customer satisfaction
      • $ Impact of vendor SLA breaches
      • $ Savings through cost-optimization efforts
      • $ Savings through application rationalization and technology standardization
      • # Key positions empty
      • % Frequency of staff turnover
      • % Emergency changes
      • # Hours of unplanned downtime
      • % Releases that cause downtime
      • % Incidents with identified problem record
      • % Problems with identified root cause
      • # Days from problem identification to root cause fix
      • % Projects that consider IT risk
      • % Incidents due to issues not addressed in the security plan
      • # Average vulnerability remediation time
      • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
      • # Time (days) to value realization
      • % Projects that realized planned benefits
      • $ IT operational savings and cost reductions that are related to synergies/divestitures
      • % IT staff–related expenses/redundancies
      • # Days spent on IT integration
      • $ Accurate IT budget estimates
      • % Revenue growth directly tied to IT delivery
      • % Profit margin growth

      2.1.6 Create program metrics

      1-2 hours

      Input: IT capabilities, Mission, vision, and guiding principles, Rationale for the acquisition

      Output: Program metrics to support IT throughout the M&A process

      Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to determine how IT’s success throughout a growth transaction will be measured and determined.

      1. Document a list of appropriate metrics on the whiteboard. Remember to include metrics that demonstrate the business impact. You can use the sample metrics listed on the previous slide as a starting point.
      2. Set a target and deadline for each metric. This will help the group determine when it is time to evaluate progression.
      3. Establish a baseline for each metric based on information collected within your organization.
      4. Assign an owner for tracking each metric as well as someone to be accountable for performance.

      Record the results in the M&A Buy Playbook.

      Discovery & Strategy

      Step 2.2

      Prepare IT to Engage in the Acquisition

      Activities

      • 2.2.1 Establish the integration strategy
      • 2.2.2 Conduct a RACI
      • 2.2.3 Create the communication plan
      • 2.2.4 Assess the potential organization(s)

      This step involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Company M&A team

      Outcomes of Step

      Identify IT’s plan of action when it comes to the acquisition and align IT’s integration strategy with the business’ M&A strategy.

      Integration strategies

      There are several IT integration strategies that will help you achieve your target technology environment.

      IT Integration Strategies
      • Absorption. Convert the target organization’s strategy, structure, processes, and/or systems to that of the acquiring organization.
      • Best-of-Breed. Pick and choose the most effective people, processes, and technologies to form an efficient operating model.
      • Transformation Retire systems from both organizations and use collective capabilities, data, and processes to create something entirely new.
      • Preservation Retain individual business units that will operate within their own capability. People, processes, and technologies are unchanged.

      The approach IT takes will depend on the business objectives for the M&A.

      • Generally speaking, the integration strategy is well understood and influenced by the frequency of and rationale for acquiring.
      • Based on the initiatives generated by each business process owner, you need to determine the IT integration strategy that will best support the desired target technology environment.

      Key considerations when choosing an IT integration strategy include:

      • What are the main business objectives of the M&A?
      • What are the key synergies expected from the transaction?
      • What IT integration best helps obtain these benefits?
      • What opportunities exist to position the business for sustainable growth?

      Absorption and best-of-breed

      Review highlights and drawbacks of absorption and best-of-breed integration strategies

      Absorption
        Highlights
      • Recommended for businesses striving to reduce costs and drive efficiency gains.
      • Economies of scale realized through consolidation and elimination of redundant applications.
      • Quickest path to a single company operation and systems as well as lower overall IT cost.
        Drawbacks
      • Potential for disruption of the target company’s business operations.
      • Requires significant business process changes.
      • Disregarding the target offerings altogether may lead to inferior system decisions that do not yield sustainable results.
      Best-of-Breed
        Highlights
      • Recommended for businesses looking to expand their market presence or acquire new products. Essentially aligning the two organizations in the same market.
      • Each side has a unique offering but complementing capabilities.
      • Potential for better buy-in from the target because some of their systems are kept, resulting in willingness to
        Drawbacks
      • May take longer to integrate because it tends to present increased complexity that results in higher costs and risks.
      • Requires major integration efforts from both sides of the company. If the target organization is uncooperative, creating the desired technology environment will be difficult.

      Transformation and preservation

      Review highlights and drawbacks of transformation and preservation integration strategies

      Transformation
        Highlights
      • This is the most customized approach, although it is rarely used.
      • It is essential to have an established long-term vision of business capabilities when choosing this path.
      • When executed correctly, this approach presents potential for significant upside and creation of sustainable competitive advantages.
        Drawbacks
      • This approach requires extensive time to implement, and the cost of integration work may be significant.
      • If a new system is created without strategic capabilities, the organizations will not realize long-term benefits.
      • The cost of correcting complexities at later stages in the integration effort may be drastic.
      Preservation
        Highlights
      • This approach is appropriate if the merging organizations will remain fairly independent, if there will be limited or no communication between companies, and if the companies’ market strategies, products, and channels are entirely distinct.
      • Environment can be accomplished quickly and at a low cost.
        Drawbacks
      • Impact to each business is minimal, but there is potential for lost synergies and higher operational costs. This may be uncontrollable if the natures of the two businesses are too different to integrate.
      • Reduced benefits and limited opportunities for IT integration.

      2.2.1 Establish the integration strategy

      1-2 hours

      Input: Business integration strategy, Guiding principles, M&A governance

      Output: IT’s integration strategy

      Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to determine IT’s approach to integration. The approach might differ slightly from transaction to transaction. However, the business’ approach to transactions should give insight into the general integration strategy IT should adopt.

      1. Make sure you have clearly articulated the business objectives for the M&A, the technology end state for IT, and the magnitude of the overall integration.
      2. Review and discuss the highlights and drawbacks of each type of integration.
      3. Use Info-Tech’s Integration Posture Selection Framework on the next slide to select the integration posture that will appropriately enable the business. Consider these questions during your discussion:
        1. What are the main business objectives of the M&A? What key IT capabilities will need to support business objectives?
        2. What key synergies are expected from the transaction? What opportunities exist to position the business for sustainable growth?
        3. What IT integration best helps obtain these benefits?

      Record the results in the M&A Buy Playbook.

      Integration Posture Selection Framework

      Business M&A Strategy

      Resultant Technology Strategy

      M&A Magnitude (% of Acquirer Assets, Income, or Market Value)

      IT Integration Posture

      A. Horizontal Adopt One Model ‹10% Absorption
      10 to 75% Absorption or Best-of-Breed
      ›75% Best-of-Breed
      B. Vertical Create Links Between Critical Systems Any
      • Preservation (Differentiated Functions)
      • Absorption or Best-of-Breed (Non-Differentiated Functions)
      C. Conglomerate Independent Model Any Preservation
      D. Hybrid: Horizontal & Conglomerate Independent Model Any Preservation

      2.2.2 Conduct a RACI

      1-2 hours

      Input: IT capabilities, Transition team, Integration strategy

      Output: Completed RACI for transition team

      Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to identify the core accountabilities and responsibilities for the roles identified as critical to your transition team. While there might be slight variation from transaction to transaction, ideally each role should be performing certain tasks.

      1. First, identify a list of critical tasks that need to be completed to support the purchase or acquisition. For example:
        • Communicate with the company M&A team.
        • Identify critical IT risks that could impact the organization after the transaction.
        • Identify key artifacts to collect and review during due diligence.
      2. Next, identify at the activity level which role is accountable or responsible for each activity. Enter an A for accountable, R for responsible, or A/R for both.

      Record the results in the M&A Buy Playbook.

      Communication and change

      Prepare key stakeholders for the potential changes

      • Anytime you are starting a project or program that will depend on users and stakeholders to give up their old way of doing things, change will force people to become novices again, leading to lost productivity and added stress.
      • Change management can improve outcomes for any project where you need people to adopt new tools and procedures, comply with new policies, learn new skills and behaviors, or understand and support new processes.
      • M&As move very quickly, and it can be very difficult to keep track of which stakeholders you need to be communicating with and what you should be communicating.
      • Not all organizations embrace or resist change in the same ways. Base your change communications on your organization’s cultural appetite for change in general.
        • Organizations with a low appetite for change will require more direct, assertive communications.
        • Organizations with a high appetite for change are more suited to more open, participatory approaches.

      Three key dimensions determine the appetite for cultural change:

      • Power Distance. Refers to the acceptance that power is distributed unequally throughout the organization.
        In organizations with a high power distance, the unequal power distribution is accepted by the less powerful employees.
      • Individualism. Organizations that score high in individualism have employees who are more independent. Those who score low in individualism fall into the collectivism side, where employees are strongly tied to one another or their groups.
      • Uncertainty Avoidance. Describes the level of acceptance that an organization has toward uncertainty. Those who score high in this area find that their employees do not favor uncertain situations, while those that score low in this area find that their employees are comfortable with change and uncertainty.

      2.2.3 Create the communication plan

      1-2 hours

      Input: IT’s M&A mission, vision, and guiding principles, M&A transition team, IT integration strategy, RACI

      Output: IT’s M&A communication plan

      Materials: Flip charts/whiteboard, Markers, RACI, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to create a communication plan that IT can leverage throughout the initiative.

      1. Create a structured communication plan that allows for continuous communication with the integration management office, senior management, and the business functional heads.
      2. Outline key topics of communication, with stakeholders, inputs, and outputs for each topic.
      3. Review Info-Tech’s example communication plan in the M&A Buy Playbook and update it with relevant information.
      4. Does this communication plan make sense for your organization? What doesn’t make sense? Adjust the communication guide to suit your organization.

      Record the results in the M&A Buy Playbook.

      Assessing potential organizations

      As soon as you have identified organizations to consider, it’s imperative to assess critical risks. Most IT leaders can attest that they will receive little to no notice when they have to assess the IT organization of a potential purchase. As a result, having a standardized template to quickly gauge the value of the business can be critical.

      Ways to Assess

      1. News: Assess what sort of news has been announced in relation to the organization. Have they had any risk incidents? Has a critical vendor announced working with them?
      2. LinkedIn: Scan through the LinkedIn profiles of employees. This will give you a sense of what platforms they have based on their employees.
      3. Trends: Some industries will have specific solutions that are relevant and popular. Assess what the key players are (if you don’t already know) to determine the solution.
      4. Business Architecture: While this assessment won’t perfect, try to understand the business’ value streams and the critical business and IT capabilities that would be needed to support them.

      2.2.4 Assess the potential organization(s)

      1-2 hours

      Input: Publicized historical risk events, Solutions and vendor contracts likely in the works, Trends

      Output: IT’s valuation of the potential organization(s) for acquisition

      Materials: M&A Buy Playbook

      Participants: IT executive/CIO

      The purpose of this activity is to assess the organization(s) that your organization is considering purchasing.

      1. Complete the Historical Valuation Worksheet in the M&A Buy Playbook to understand the type of IT organization that your company may inherit and need to integrate with.
        • The business likely isn’t looking for in-depth details at this time. However, as the IT leader, it is your responsibility to ensure critical risks are identified and communicated to the business.
      2. Use the information identified to help the business narrow down which organizations should be targeted for the acquisition.

      Record the results in the M&A Buy Playbook.

      By the end of this pre-transaction phase you should:

      Have a program plan for M&As and a repeatable M&A strategy for IT when engaging in growth transactions

      Key outcomes from the Discovery & Strategy phase
      • Be prepared to analyze and recommend potential organizations that the business can acquire or merge with, using a strong program plan that can be repeated across transactions.
      • Create a M&A strategy that accounts for all the necessary elements of a transaction and ensures sufficient governance, capabilities, and metrics exist.
      Key deliverables from the Discovery & Strategy phase
      • Create vision and mission statements
      • Establish guiding principles
      • Create a future-state operating model
      • Identify the key roles for the transaction team
      • Identify and communicate the M&A governance
      • Determine target metrics
      • Identify the M&A operating model
      • Select the integration strategy framework
      • Conduct a RACI for key transaction tasks for the transaction team
      • Document the communication plan

      M&A Buy Blueprint

      Phase 3

      Due Diligence & Preparation

      Phase 1Phase 2

      Phase 3

      Phase 4
      • 1.1 Identify Stakeholders and Their Perspective of IT
      • 1.2 Assess IT’s Current Value and Future State
      • 1.3 Drive Innovation and Suggest Growth Opportunities
      • 2.1 Establish the M&A Program Plan
      • 2.2 Prepare IT to Engage in the Acquisition
      • 3.1 Assess the Target Organization
      • 3.2 Prepare to Integrate
      • 4.1 Execute the Transaction
      • 4.2 Reflection and Value Realization

      This phase will walk you through the following activities:

      • Drive value with a due diligence charter
      • Identify data room artifacts
      • Assess technical debt
      • Valuate the target IT organization
      • Assess culture
      • Prioritize integration tasks
      • Establish the integration roadmap
      • Identify the needed workforce supply
      • Estimate integration costs
      • Create an employee transition plan
      • Create functional workplans for employees
      • Align project metrics with identified tasks

      This phase involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Company M&A team
      • Business leaders
      • Prospective IT organization
      • Transition team

      Workshop Overview

      Contact your account representative for more information.
      workshops@infotech.com 1-888-670-8889

      Pre-Work

      Day 1

      Day 2

      Day 3

      Day 4

      Day 5

      Establish the Transaction FoundationDiscover the Motivation for IntegrationAssess the Target Organization(s)Create the Valuation FrameworkPlan the Integration RoadmapNext Steps and Wrap-Up (offsite)

      Activities

      • 0.1 Identify the rationale for the company's decisions to pursue an acquisition.
      • 0.2 Identify key stakeholders and determine the IT transaction team.
      • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
      • 1.1 Review the business rationale for the acquisition.
      • 1.2 Identify pain points and opportunities tied to the acquisition.
      • 1.3 Establish the integration strategy.
      • 1.4 Create the due diligence charter.
      • 2.1 Create a list of IT artifacts to be reviewed in the data room.
      • 2.2 Conduct a technical debt assessment.
      • 2.3 Assess the current culture and identify the goal culture.
      • 2.4 Identify the needed workforce supply.
      • 3.1 Valuate the target organization’s data.
      • 3.2 Valuate the target organization’s applications.
      • 3.3 Valuate the target organization’s infrastructure.
      • 3.4 Valuate the target organization’s risk and security.
      • 3.5 Combine individual valuations to make a single framework.
      • 4.1 Prioritize integration tasks.
      • 4.2 Establish the integration roadmap.
      • 4.3 Establish and align project metrics with identified tasks.
      • 4.4 Estimate integration costs.
      • 5.1 Complete in-progress deliverables from previous four days.
      • 5.2 Set up review time for workshop deliverables and to discuss next steps.

      Deliverables

      1. IT strategy
      2. IT operating model
      3. IT governance structure
      4. M&A transaction team
      1. Business context implications for IT
      2. Integration strategy
      3. Due diligence charter
      1. Data room artifacts
      2. Technical debt assessment
      3. Culture assessment
      4. Workforce supply identified
      1. IT valuation framework to assess target organization(s)
      1. Integration roadmap and associated resourcing
      1. Acquisition integration strategy for IT

      What is the Due Diligence & Preparation phase?

      Mid-transaction state

      The Due Diligence & Preparation phase during an acquisition is a critical time for IT. If IT fails to proactively participate in this phase, IT will have to merely react to integration expectations set by the business.

      While not all IT organizations are able to participate in this phase, the evolving nature of M&As to be driven by digital and technological capabilities increases the rationale for IT being at the table. Identifying critical IT risks, which will inevitably be business risks, begins during the due diligence phase.

      This is also the opportunity for IT to plan how it will execute the planned integration strategy. Having access to critical information only available in data rooms will further enable IT to successfully plan and execute the acquisition to deliver the value the business is seeking through a growth transaction.

      Goal: To thoroughly evaluate all potential risks associated with the organization(s) being pursued and create a detailed plan for integrating the IT environments

      Due Diligence Prerequisite Checklist

      Before coming into the Due Diligence & Preparation phase, you must have addressed the following:

      • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
      • Identify the key roles for the transaction team.
      • Identify the M&A governance.
      • Determine target metrics.
      • Select an integration strategy framework.
      • Conduct a RACI for key transaction tasks for the transaction team.

      Before coming into the Due Diligence & Preparation phase, we recommend addressing the following:

      • Create vision and mission statements.
      • Establish guiding principles.
      • Create a future-state operating model.
      • Identify the M&A operating model.
      • Document the communication plan.
      • Examine the business perspective of IT.
      • Identify key stakeholders and outline their relationship to the M&A process.
      • Be able to valuate the IT environment and communicate IT’s value to the business.

      The Technology Value Trinity

      Delivery of Business Value & Strategic Needs

      • Digital & Technology Strategy
        The identification of objectives and initiatives necessary to achieve business goals.
      • IT Operating Model
        The model for how IT is organized to deliver on business needs and strategies.
      • Information & Technology Governance
        The governance to ensure the organization and its customers get maximum value from the use of information and technology.

      All three elements of the Technology Value Trinity work in harmony to deliver business value and achieve strategic needs. As one changes, the others need to change as well.

      • Digital and IT Strategy tells you what you need to achieve to be successful.
      • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
      • Information & Technology Governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy. It’s the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy. This oversight evaluates, directs, and monitors the delivery of outcomes to ensure that the use of resources results in the achieving the organization’s goals.

      Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest – not based on what is in the best interest of the organization.

      Due Diligence & Preparation

      Step 3.1

      Assess the Target Organization

      Activities

      • 3.1.1 Drive value with a due diligence charter
      • 3.1.2 Identify data room artifacts
      • 3.1.3 Assess technical debt
      • 3.1.4 Valuate the target IT organization
      • 3.1.5 Assess culture

      This step involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Company M&A team
      • Business leaders
      • Prospective IT organization
      • Transition team

      Outcomes of Step

      This step of the process is when IT should actively evaluate the target organization being pursued for acquisition.

      3.1.1 Drive value with a due diligence charter

      1-2 hours

      Input: Key roles for the transaction team, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

      Output: IT Due Diligence Charter

      Materials: M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to create a charter leveraging the items completed in the previous phase, as listed on the Due Diligence Prerequisite Checklist slide, to gain executive sign-off.

      1. In the IT Due Diligence Charter in the M&A Buy Playbook, complete the aspects of the charter that are relevant for you and your organization.
      2. We recommend including these items in the charter:
        • Communication plan
        • Transition team roles
        • Goals and metrics for the transaction
        • Integration strategy
        • Acquisition RACI
      3. Once the charter has been completed, ensure that business executives agree to the charter and sign off on the plan of action.

      Record the results in the M&A Buy Playbook.

      3.1.2 Identify data room artifacts

      4 hours

      Input: Future-state operating model, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

      Output: List of items to acquire and review in the data room

      Materials: Critical domain lists on following slides, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

      The purpose of this activity is to create a list of the key artifacts that should be asked for and reviewed during the due diligence process.

      1. Review the lists on the following pages as a starting point. Identify which domains, stakeholders, artifacts, and information should be requested for the data room. This information should be directed to the target organization.
      2. IT leadership may or may not be asked to enter the data room directly. Therefore, it’s important that you clearly identify these artifacts.
      3. List each question or concern, select the associated workstream in the M&A Buy Playbook, and update the status of the information retrieval.
      4. Use the comments section to document your discoveries or concerns.

      Record the results in the M&A Buy Playbook.

      Critical domains

      Understand the key stakeholders and outputs for each domain

      Each critical domain will likely have different stakeholders who know that domain best. Communicate with these stakeholders throughout the M&A process to make sure you are getting accurate information and interpreting it correctly.

      Domain

      Stakeholders

      Key Artifacts

      Key Information to request

      Business
      • Enterprise Architecture
      • Business Relationship Manager
      • Business Process Owners
      • Business capability map
      • Capability map (the M&A team should be taking care of this, but make sure it exists)
      • Business satisfaction with various IT systems and services
      Leadership/IT Executive
      • CIO
      • CTO
      • CISO
      • IT budgets
      • IT capital and operating budgets (from current year and previous year)
      Data & Analytics
      • Chief Data Officer
      • Data Architect
      • Enterprise Architect
      • Master data domains, system of record for each
      • Unstructured data retention requirements
      • Data architecture
      • Master data domains, sources, and storage
      • Data retention requirements
      Applications
      • Applications Manager
      • Application Portfolio Manager
      • Application Architect
      • Applications map
      • Applications inventory
      • Applications architecture
      • Copy of all software license agreements
      • Copy of all software maintenance agreements
      Infrastructure
      • Head of Infrastructure
      • Enterprise Architect
      • Infrastructure Architect
      • Infrastructure Manager
      • Infrastructure map
      • Infrastructure inventory
      • Network architecture (including which data centers host which infrastructure and applications)
      • Inventory (including integration capabilities of vendors, versions, switches, and routers)
      • Copy of all hardware lease or purchase agreements
      • Copy of all hardware maintenance agreements
      • Copy of all outsourcing/external service provider agreements
      • Copy of all service-level agreements for centrally provided, shared services and systems
      Products and Services
      • Product Manager
      • Head of Customer Interactions
      • Product lifecycle
      • Product inventory
      • Customer market strategy

      Critical domains (continued)

      Understand the key stakeholders and outputs for each domain

      Domain

      Stakeholders

      Key Artifacts

      Key Information to request

      Operations
      • Head of Operations
      • Service catalog
      • Service overview
      • Service owners
      • Access policies and procedures
      • Availability and service levels
      • Support policies and procedures
      • Costs and approvals (internal and customer costs)
      IT Processes
      • CIO
      • IT Management
      • VP of IT Governance
      • VP of IT Strategy
      • IT process flow diagram
      • Processes in place and productivity levels (capacity)
      • Critical processes/processes the organization feels they do particularly well
      IT People
      • CIO
      • VP of Human Resources
      • IT organizational chart
      • Competency & capacity assessment
      • IT organizational structure (including resources from external service providers such as contractors) with appropriate job descriptions or roles and responsibilities
      • IT headcount and location
      Security
      • CISO
      • Security Architect
      • Security posture
      • Information security staff
      • Information security service providers
      • Information security tools
      • In-flight information security projects
      Projects
      • Head of Projects
      • Project portfolio
      • List of all future, ongoing, and recently completed projects
      Vendors
      • Head of Vendor Management
      • License inventory
      • Inventory (including what will and will not be transitioning, vendors, versions, number of licenses)

      Assess the target organization’s technical debt

      The other organization could be costly to purchase if not yet modernizing.

      • Consider the potential costs that your business will have to spend to get the other IT organization modernized or even digital.
      • This will be highly affected by your planned integration strategy.
      • A best-of-breed strategy might simply mean there's little to bring over from the other organization’s environment.
      • It’s often challenging to identify a direct financial cost for technical debt. Consider direct costs but also assess categories of impact that can have a long-term effect on your business: lost customer, staff, or business partner goodwill; limited flexibility and resilience; and health, safety, and compliance impacts.
      • Use more objective measures to track subjective impact. For example, consider the number of customers who could be significantly affected by each tech debt in the next quarter.

      Focus on solving the problems you need to address.

      Analyzing technical debt has value in that the analysis can help your organization make better risk management and resource allocation decisions.

      Review these examples of technical debt

      Do you have any of these challenges?

      Applications
      • Inefficient or incomplete code
      • Fragile or obsolete systems of record that limit the implementation of new functionality
      • Out-of-date IDEs or compilers
      • Unsupported applications
      Data & Analytics
      • Data presented via API that does not conform to chosen standards (EDI, NRF-ARTS, etc.)
      • Poor data governance
      • No transformation between OLTP and the data warehouse
      • Heavy use of OLTP for reporting
      • Lack of AI model and decision governance, maintenance
      End-User Computing
      • Aging and slow equipment
      • No configuration management
      • No MDM/UEM
      Security
      • Unpatched/unpatchable systems
      • Legacy firewalls
      • No data classification system
      • “Perimeter” security architecture
      • No documented security incident response
      • No policies, or unenforced policies
      Operations
      • Incomplete, ineffective, or undocumented business continuity and disaster recovery plans
      • Insufficient backups or archiving
      • Inefficient MACD processes
      • Application sprawl with no record of installed applications or licenses
      • No ticketing or ITSM system
      • No change management process
      • No problem management process
      • No event/alert management
      Infrastructure
      • End-of-life/unsupported equipment
      • Aging power or cooling systems
      • Water- or halon-based data center fire suppression systems
      • Out-of-date firmware
      • No DR site
      • Damaged or messy cabling
      • Lack of system redundancy
      • Integrated computers on business equipment (e.g. shop floor equipment, medical equipment) running out-of-date OS/software
      Project & Portfolio Management
      • No project closure process
      • Ineffective project intake process
      • No resource management practices

      “This isn’t a philosophical exercise. Knowing what you want to get out of this analysis informs the type of technical debt you will calculate and the approach you will take.” (Scott Buchholz, CTO, Deloitte Government & Public Services Practice, The Wall Street Journal, 2015)

      3.1.3 Assess technical debt

      1-2 hours

      Input: Participant views on organizational tech debt, Five to ten key technical debts, Business impact scoring scales, Reasonable next-quarter scenarios for each technical debt, Technical debt business impact analysis

      Output: Initial list of tech debt for the target organization

      Materials: Whiteboard, Sticky notes, Technical Debt Business Impact Analysis Tool, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Business leaders, Transition team

      The purpose of this activity is to assess the technical debt of the other IT organization. Taking on unnecessary technical debt is one of the biggest risks to the IT environment

      1. This activity can be completed by leveraging the blueprint Manage Your Technical Debt, specifically the Technical Debt Business Impact Analysis Tool. Complete the following activities in the blueprint:
        • 1.2.1 Identify your technical debt
        • 1.2.2 Select tech debt for your impact analysis
        • 2.2.2 Estimate tech debt impact
        • 2.2.3 Identify the most-critical technical debts
      2. Review examples of technical debt in the previous slide to assist you with this activity.
      3. Document the results from tab 3, Impact Analysis, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.

      Record the results in the M&A Buy Playbook.

      How to valuate an IT environment

      And why it matters so much

      • Valuating the target organization’s IT environment is a critical step to fully understand what it might be worth. Business partners are often not in the position to valuate the IT aspects to the degree that you would be.
      • The business investments in IT can be directly translated to a value amount. Meaning for every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
      • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT can be so critical.
      • There are three ways a business or asset can be valuated:
        • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
        • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
        • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.

      The IT valuation conducted during due diligence can have a significant impact on the final financials of the transaction for the business.

      3.1.4 Valuate the target IT organization

      1 day

      Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

      Output: Valuation of target organization’s IT

      Materials: Relevant templates/tools, Capital budget, Operating budget, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Prospective IT organization

      The purpose of this activity is to valuate the other IT organization.

      1. Review each of slides 42 to 45 to generate a valuation of IT’s data, applications, infrastructure, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount. For more information on this activity, review Activity 1.2.1 from the Proactive phase.
      2. Identify financial amounts for each critical area and add the financial output to the summary slide in the M&A Buy Playbook.
      3. Compare this information against your own IT organization’s valuation.
        1. Does it add value to your IT organization?
        2. Is there too much risk to accept if this transaction goes through?

      Info-Tech Insight

      Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

      Record the results in the M&A Buy Playbook.

      Culture should not be overlooked, especially as it relates to the integration of IT environments

      • There are three types of culture that need to be considered.
      • Most importantly, this transition is an opportunity to change the culture that might exist in your organization’s IT environment.
      • Make a decision on which type of culture you’d like IT to have post-transition.

      Target Organization’s Culture

      The culture that the target organization is currently embracing. Their established and undefined governance practices will lend insight into this.

      Your Organization’s Culture

      The culture that your organization is currently embracing. Examine people’s attitudes and behaviors within IT toward their jobs and the organization.

      Ideal Culture

      What will the future culture of the IT organization be once integration is complete? Are there aspects that your current organization and the target organization embrace that are worth considering?

      Culture categories

      Map the results of the IT Culture Diagnostic to an existing framework

      Competitive
      • Autonomy
      • Confront conflict directly
      • Decisive
      • Competitive
      • Achievement oriented
      • Results oriented
      • High performance expectations
      • Aggressive
      • High pay for good performance
      • Working long hours
      • Having a good reputation
      • Being distinctive/different
      Innovative
      • Adaptable
      • Innovative
      • Quick to take advantage of opportunities
      • Risk taking
      • Opportunities for professional growth
      • Not constrained by rules
      • Tolerant
      • Informal
      • Enthusiastic
      Traditional
      • Stability
      • Reflective
      • Rule oriented
      • Analytical
      • High attention to detail
      • Organized
      • Clear guiding philosophy
      • Security of employment
      • Emphasis on quality
      • Focus on safety
      Cooperative
      • Team oriented
      • Fair
      • Praise for good performance
      • Supportive
      • Calm
      • Developing friends at work
      • Socially responsible

      Culture Considerations

      • What culture category was dominant for each IT organization?
      • Do you share the same dominant category?
      • Is your current dominant culture category the most ideal to have post-integration?

      3.1.5 Assess Culture

      3-4 hours

      Input: Cultural assessments for current IT organization, Cultural assessment for target IT organization

      Output: Goal for IT culture

      Materials: IT Culture Diagnostic, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, IT employees of current organization, IT employees of target organization, Company M&A team

      The purpose of this activity is to assess the different cultures that might exist within the IT environments of both organizations. More importantly, your IT organization can select its desired IT culture for the long term if it does not already exist.

      1. Complete this activity by leveraging the blueprint Fix Your IT Culture, specifically the IT Culture Diagnostic. Fill out the diagnostic for the IT department in your organization:
        1. Answer the 16 questions in tab 2, Diagnostic.
        2. Find out your dominant culture and review recommendations in tab 3, Results.
      2. Document the results from tab 3, Results, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.
      3. Repeat the activity for the target organization.
      4. Leverage the information to determine what the goal for the culture of IT will be post-integration if it will differ from the current culture.

      Record the results in the M&A Buy Playbook.

      Due Diligence & Preparation

      Step 3.2

      Prepare to Integrate

      Activities

      • 3.2.1 Prioritize integration tasks
      • 3.2.2 Establish the integration roadmap
      • 3.2.3 Identify the needed workforce supply
      • 3.2.4 Estimate integration costs
      • 3.2.5 Create an employee transition plan
      • 3.2.6 Create functional workplans for employees
      • 3.2.7 Align project metrics with identified tasks

      This step involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Transition team
      • Company M&A team

      Outcomes of Step

      Have an established plan of action toward integration across all domains and a strategy toward resources.

      Don’t underestimate the importance of integration preparation

      Integration is the process of combining the various components of one or more organizations into a single organization.

      80% of integration should happen within the first two years. (Source: CIO Dive)

      70% of M&A IT integrations fail due to components that could and should be addressed at the beginning. (Source: The Wall Street Journal, 2019)

      Info-Tech Insight

      Integration is not rationalization. Once the organization has integrated, it can prepare to rationalize the IT environment.

      Integration needs

      Identify your domain needs to support the target technology environment

      Set up a meeting with your IT due diligence team to:

      • Address data, applications, infrastructure, and other domain gaps.
      • Discuss the people and processes necessary to achieve the target technology environment and support M&A business objectives.

      Use this opportunity to:

      • Identify data and application complexities between your organization and the target organization.
      • Identify the IT people and process gaps, redundancies, and initiatives.
      • Determine your infrastructure needs and identify redundancies.
        • Does IT have the infrastructure to support the applications and business capabilities of the resultant enterprise?
        • Identify any gaps between the current infrastructure in both organizations and the infrastructure required in the resultant enterprise.
        • Identify any redundancies.
        • Determine the appropriate IT integration strategies.
      • Document your gaps, redundancies, initiatives, and assumptions to help you track and justify the initiatives that must be undertaken and help estimate the cost of integration.

      Integration implications

      Understand the implications for integration with respect to each target technology environment

      Domain

      Independent Models

      Create Links Between Critical Systems

      Move Key Capabilities to Common Systems

      Adopt One Model

      Data & Analytics

      • Consider data sources that might need to be combined (e.g. financials, email lists, internet).
      • Understand where each organization will warehouse its data and how it will be managed in a cost-effective manner.
      • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
      • Analyze whether or not the data types are compatible between companies.
      • Understand the critical data needs and the complexity of integration activities.
      • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
      • Focus on the master data domains that represent the core of your business.
      • Assess the value, size, location, and cleanliness of the target organization’s data sets.
      • Determine the data sets that will be migrated to capture expected synergies and drive core capabilities while addressing how other data sets will be maintained and managed.
      • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
      • Establish interim linkages and common interfaces for applications while major migrations occur.

      Applications

      • Establish whether or not there are certain critical applications that still need to be linked (e.g. email, financials).
      • Leverage the unique strengths and functionalities provided by the applications used by each organization.
      • Confirm that adequate documentation and licensing exists.
      • Decide which critical applications need to be linked versus which need to be kept separate to drive synergies. For example, financial, email, and CRM may need to be linked, while certain applications may remain distinct.
      • Pay particular attention to the extent to which systems relating to customers, products, orders, and shipments need to be integrated.
      • Determine the key capabilities that require support from the applications identified by business process owners.
      • Assess which major applications need to be adopted by both organizations, based on the M&A goals.
      • Establish interim linkages and common interfaces for applications while major migrations occur.
      • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
      • Establish interim linkages and common interfaces for applications while major migrations occur.

      Integration implications (continued)

      Understand the implications for integration with respect to each target technology environment

      Domain

      Independent Models

      Create Links Between Critical Systems

      Move Key Capabilities to Common Systems

      Adopt One Model

      Infrastructure

      • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
      • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
      • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
      • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
      • Evaluate whether certain infrastructure components, such as data centers, can be consolidated to support the new model while also eliminating redundancies. This will help reduce costs.
      • Assess which infrastructure components need to be kept versus which need to be terminated to support the new application portfolio. Keep in mind that increasing the transaction volume on a particular application increases the infrastructure capacity that is required for that application.
      • Extend the network to integrate additional locations.

      IT People & Processes

      • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
      • Consider whether there are redundancies in staffing that could be eliminated.
      • The IT processes of each organization will most likely remain separate.
      • Consider the impact of the target organization on your IT processes.
      • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
      • Consider whether there are redundancies in staffing that could be eliminated.
      • Consider how critical IT processes of the target organization fit with your current IT processes.
      • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the common systems.
      • If there is overlap with the IT processes in both organizations, you may wish to map out both processes to get a sense for how they might work together.
      • Assess what processes will be prioritized to support IT strategies.
      • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the prioritized IT processes.

      Integration implications (continued)

      Understand the implications for integration with respect to each target technology environment

      Domain

      Independent Models

      Create Links Between Critical Systems

      Move Key Capabilities to Common Systems

      Adopt One Model

      Leadership/IT Executive

      • Have insight into the goals and direction of the organization’s leadership. Make sure that a communication path has been established to receive information and provide feedback.
      • The decentralized model will require some form of centralization and strong governance processes to enable informed decisions.
      • Ensure that each area can deliver on its needs while not overstepping the goals and direction of the organization.
      • This will help with integration in the sense that front-line employees can see a single organization beginning to form.
      • In this model, there is the opportunity to select elements of each leadership style and strategy that will work for the larger organization.
      • Leadership can provide a single and unified approach to how the strategic goals will be executed.
      • More often than not, this would be the acquiring organization’s strategic direction.

      Vendors

      • Determine which contracts the target organization currently has in place.
      • Having different vendors in place will not be a bad model if it makes sense.
      • Spend time reviewing the contracts and ensuring that each organization has the right contracts to succeed.
      • Identify what redundancies might exist (ERPs, for example) and determine if the vendor would be willing to terminate one contract or another.
      • Through integration, it might be possible to engage in one set of contract negotiations for a single application or technology.
      • Identify whether there are opportunities to combine contracts or if they must remain completely separated until the end of the term.
      • In an effort to capitalize on the contracts working well, reduce the contracts that might be hindering the organization.
      • Speak to the vendor offering the contract.
      • Going forward, ensure the contracts are negotiated to include clauses to allow for easier and more cost-effective integration.

      Integration implications (continued)

      Understand the implications for integration with respect to each target technology environment

      Domain

      Independent Models

      Create Links Between Critical Systems

      Move Key Capabilities to Common Systems

      Adopt One Model

      Security

      • Both organizations would need to have a process for securing their organization.
      • Sharing and accessing information might be more difficult, as each organization would need to keep the other organization separate to ensure the organization remains secure.
      • Creating standard policies and procedures that each organization must adhere to would be critical here (for example, multifactor authentication).
      • Establish a single path of communication between the two organizations, ensuring reliable and secure data and information sharing.
      • Leverage the same solutions to protect the business as a whole from internal and external threats.
      • Identify opportunities where there might be user points of failure that could be addressed early in the process.
      • Determine what method of threat detection and response will best support the business and select that method to apply to the entire organization, both original and newly acquired.

      Projects

      • Projects remain ongoing as they were prior to the integration.
      • Some projects might be made redundant after the initial integration is over.
      • Re-evaluate the projects after integration to ensure they continue to deliver on the business’ strategic direction.
      • Determine which projects are similar to one another and identify opportunities to leverage business needs and solutions for each organization where possible.
      • Review project histories to determine the rationale for and success of projects that could be reused in either organization going forward.
      • Determine which projects should remain ongoing and which projects could wait to be implemented or could be completely stopped.
      • There might be certain modernization projects ongoing that cannot be stopped.
      • However, for all other projects, embrace a single portfolio.
      • Completely reduce or remove all ongoing projects from the one organization and continue with only the projects of the other organization.
      • Add in new projects when they arise as needed.

      3.2.1 Prioritize integration tasks

      2 hours

      Input: Integration tasks, Transition team, M&A RACI

      Output: Prioritized integration list

      Materials: Integration task checklist, Integration roadmap

      Participants: IT executive/CIO, IT senior leadership, Company M&A team

      The purpose of this activity is to prioritize the different integration tasks that your organization has identified as necessary to this transaction. Some tasks might not be relevant for this particular transaction, and others might be critical.

      1. Download the SharePoint or Excel version of the M&A Integration Project Management Tool. Identify which integration tasks you want as part of your project plan. Alter or remove any tasks that are irrelevant to your organization. Add in tasks you think are missing.
      2. When deciding criticality of the task, consider the effect on stakeholders, those who are impacted or influenced in the process of the task, and dependencies (e.g. data strategy needs to be addressed first before you can tackle its dependencies, like data quality).
      3. Feel free to edit the way you measure criticality. The standard tool leverages a three-point scale. At the end, you should have a list of tasks in priority order based on criticality.

      Record the updates in the M&A Integration Project Management Tool (SharePoint).

      Record the updates in the M&A Integration Project Management Tool (Excel).

      Integration checklists

      Prerequisite Checklist
      • Build the project plan for integration and prioritize activities
        • Plan first day
        • Plan first 30/100 days
        • Plan first year
      • Create an organization-aligned IT strategy
      • Identify critical stakeholders
      • Create a communication strategy
      • Understand the rationale for the acquisition or purchase
      • Develop IT's purchasing strategy
      • Determine goal opportunities
      • Create the mission and vision statements
      • Create the guiding principles
      • Create program metrics
      • Consolidate reports from due diligence/data room
      • Conduct culture assessment
      • Create a transaction team
      • Assess workforce demand and supply
      • Plan and communicate potential layoffs
      • Create an employee transition plan
      • Identify the IT investment
      Business
      • Design an enterprise architecture
      • Document your business architecture
      • Identify and assess all of IT's risks
      Leadership/IT Executive
      • Build an IT budget
      • Structure operating budget
      • Structure capital budget
      • Identify the needed workforce demand vs. capacity
      • Establish and monitor key metrics
      • Communicate value realized/cost savings
      Data
      • Confirm data strategy
      • Confirm data governance
      • Data architecture
      • Data sources
      • Data storage (on-premises vs. cloud)
      • Enterprise content management
      • Compatibility of data types between organizations
      • Cleanliness/usability of target organization data sets
      • Identify data sets that need to be combined to capture synergies/drive core capabilities
      • Reporting and analytics capabilities
      Applications
      • Prioritize and address critical applications
        • ERP
        • CRM
        • Email
        • HRIS
        • Financial
        • Sales
        • Risk
        • Security
      • Leverage application rationalization framework to determine applications to keep, terminate, or create
      • Develop method of integrating applications
      • Model critical applications that have dependencies on one another
      • Identify the infrastructure capacity required to support critical applications
      Operations
      • Communicate helpdesk/service desk information
      • Manage sales access to customer data
      • Determine locations and hours of operation
      • Consolidate phone lists and extensions
      • Synchronize email address books

      Integration checklists (continued)

      Infrastructure
      • Determine single network access
      • Manage organization domains
      • Consolidate data centers
      • Compile inventory of vendors, versions, switches, and routers
      • Review hardware lease or purchase agreements
      • Review outsourcing/service provider agreements
      • Review service-level agreements
      • Assess connectivity linkages between locations
      • Plan to migrate to a single email system if necessary
      Vendors
      • Establish a sustainable vendor management office
      • Review vendor landscape
      • Identify warranty options
      • Rationalize vendor services and solutions
      • Identify opportunities to mature the security architecture
      People
      • Design an IT operating model
      • Redesign your IT organizational structure
      • Conduct a RACI
      • Conduct a culture assessment and identify goal IT culture
      • Build an IT employee engagement program
      • Determine critical roles and systems/process/products they support
      • Create a list of employees to be terminated
      • Create employee transition plans
      • Create functional workplans
      Projects
      • Stop duplicate or unnecessary target organization projects
      • Communicate project intake process
      • Prioritize projects
      Products & Services
      • Ensure customer services requirements are met
      • Ensure customer interaction requirements are met
      • Select a solution for product lifecycle management
      Security
      • Conduct a security assessment of target organization
      • Develop accessibility prioritization and schedule
      • Establish an information security strategy
      • Develop a security awareness and training program
      • Develop and manage security governance, risk, and compliance
      • Identify security budget
      • Build a data privacy and classification program
      IT Processes
      • Evaluate current process models
      • Determine productivity/capacity levels of processes
      • Identify processes to be terminated
      • Identify process expectations from target organization
      • Establish a communication plan
      • Develop a change management process
      • Establish/review IT policies

      3.2.2 Establish the integration roadmap

      2 hours

      Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

      Output: Integration roadmap

      Materials: M&A Integration Project Plan Tool (SharePoint), M&A Integration Project Plan Tool (Excel)

      Participants: IT executive/CIO, IT senior leadership, Transition team, Company M&A team

      The purpose of this activity is to create a roadmap to support IT throughout the integration process. Using the information gathered in previous activities, you can create a roadmap that will ensure a smooth integration.

      1. Leverage our M&A Integration Project Management Tool to track critical elements of the integration project. There are a few options available:
        1. Follow the instructions on the next slide if you are looking to upload our SharePoint project template.
        2. If you cannot or do not want to use SharePoint as your project management solution, download our Excel version of the tool.
          **Remember that this your tool, so customize to your liking.
      2. Identify who will own or be accountable for each of the integration tasks and establish the time frame for when each project should begin and end. This will confirm which tasks should be prioritized.

      Record the updates in the M&A Integration Project Management Tool (SharePoint).

      Record the updates in the M&A Integration Project Management Tool (Excel).

      Integration Project Management Tool (SharePoint Template)

      Follow these instructions to upload our template to your SharePoint environment

      1. Create or use an existing SP site.
      2. Download the M&A Integration Project Plan Tool (SharePoint) .wsp file from the Mergers & Acquisitions: The Buy Blueprint landing page.
      3. To import a template into your SharePoint environment, do the following:
        1. Open PowerShell.
        2. Connect-SPO Service (need to install PowerShell module).
        3. Enter in your tenant admin URL.
        4. Enter in your admin credentials.
        5. Set-SPO Site https://YourDomain.sharepoint.com/sites/YourSiteHe... -DenyAddAndCustomizePages 0
        OR
        1. Turn on both custom script features to allow users to run custom
      4. Screenshot of the 'Custom Script' option for importing a template into your SharePoint environment. Feature description reads 'Control whether users can run custom script on personal sites and self-service created sites. Note: changes to this setting might take up to 24 hours to take effect. For more information, see http://go.microsoft.com/fwlink/?LinkIn=397546'. There are options to prevent or allow users from running custom script on personal/self-service created sites.
      5. Enable the SharePoint Server Standard Site Collection features.
      6. Upload the .wsp file in Solutions Gallery.
      7. Deploy by creating a subsite and select from custom options.
        • Allow or prevent custom script
        • Security considerations of allowing custom script
        • Save, download, and upload a SharePoint site as a template
      8. Refer to Microsoft documentation to understand security considerations and what is and isn’t supported:

      For more information, check out the SharePoint Template: Step-by-Step Deployment Guide.

      Participate in active workforce planning to transition employees

      The chosen IT operating model, primary M&A goals, and any planned changes to business strategy will dramatically impact IT staffing and workforce planning efforts.

      Visualization of the three aspects of 'IT workforce planning', as listed below.

      IT workforce planning

      • Primary M&A goals
        If the goal of the M&A is cost cutting, then workforce planning will be necessary to identify labor redundancies.
      • Changes to business strategy
        If business strategy will change after the merger, then workforce planning will typically be more involved than if business strategy will not change.
      • Integration strategy
        For independent models, workforce planning will typically be unnecessary.
        For connection of essential systems or absorption, workforce planning will likely be an involved, time-consuming process.
      1. Estimate the headcount you will need through the end of the M&A transition period.
      2. Outline the process you will use to assess staff for roles that have more than one candidate.
      3. Review employees in each department to determine the best fit for each role.
      4. Determine whether terminations will happen all together or in waves.

      Info-Tech Insight

      Don’t be a short-term thinker when it comes to workforce planning! IT teams that only consider the headcount needed on day one of the new entity will end up scrambling to find skilled resources to fill workforce gaps later in the transition period.

      3.2.3 Identify the needed workforce supply

      3-4 hours

      Input: IT strategy, Prioritized integration tasks

      Output: A clear indication of how many resources are required for each role and the number of resources that the organization actually has

      Materials: Resource Management Supply-Demand Calculator

      Participants: IT executive/CIO, IT senior leadership, Target organization employees, Company M&A team, Transition team

      The purpose of this activity is to determine the anticipated amount of work that will be required to support projects (like integration), administrative, and keep-the-lights-on activities.

      1. Download the Resource Management Supply-Demand Calculator.
      2. The calculator requires minimal up-front staff participation: You can obtain meaningful results with participation from as few as one person with insight on the distribution of your resources and their average work week or month.
      3. The calculator will yield a report that shows a breakdown of your annual resource supply and demand, as well as the gap between the supply and demand. Further insight on project and non-project supply and demand are provided.
      4. Repeat the tool several times to identify the needs of your IT environment for day one, day 30/100, and year one. Anticipate that these will change over time. Also, do not forget to obtain this information from the target organization. Given that you will be integrating, it’s important to know how many staff they have in which roles.
      5. **For additional information, please review slides starting from slide 44 in Establish Realistic IT Resource Management Practices to see how to use the tool.

      Record the results in the Resource Management Supply-Demand Calculator.

      Resource Supply-Demand Calculator Output Example

      Example of a 'Resource Management Supply-Demand Analysis Report' with charts and tables measuring Annualized Resource Supply and Demand, Resource Capacity Confidence, Project Capacity, and combinations of those metrics.

      Resource Capacity Confidence. This figure is based on your confidence in supply confidence, demand stability, and the supply-demand ratio.

      Importance of estimating integration costs

      Change is the key driver of integration costs

      Integration costs are dependent on the following:
      • Meeting synergy targets – whether that be cost saving or growth related.
        • Employee-related costs, licensing, and reconfiguration fees play a huge part in meeting synergy targets.
      • Adjustments related to compliance or regulations – especially if there are changes to legal entities, reporting requirements, or risk-mitigation standards.
      • Governance or third party–related support required to ensure timelines are met and the integration is a success.
      Integration costs vary by industry type.
      • Certain industries may have integration costs made up of mostly one type, differing from other industries, due to the complexity and different demands of the transaction. For example:
        • Healthcare integration costs are mostly driven by regulatory, safety, and quality standards, as well as consolidation of the research and development function.
        • Energy and Utilities tend to have the lowest integration costs due to most transactions occurring within the same sector rather than as a cross-sector investment. For example, oil and gas acquisitions tend to be for oil fields and rigs (strategic fixed assets), which can easily be added to the buyer’s portfolio.

      Integration costs are more related to the degree of change required than the size of the transaction.

      3.2.4 Estimate integration costs

      3-4 hours

      Input: Integration tasks, Transition team, Valuation of current IT environment, Valuation of target IT environment, Outputs from data room, Technical debt, Employees

      Output: List of anticipated costs required to support IT integration

      Materials: Integration task checklist, Integration roadmap, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

      The purpose of this activity is to estimate the costs that will be associated with the integration. It’s important to ensure a realistic figure is identified and communicated to the larger M&A team within your company as early in the process as possible. This ensures that the funding required for the transaction is secured and budgeted for in the overarching transaction.

      1. On the associated slide in the M&A Buy Playbook, input:
        • Task
        • Domain
        • Cost type
        • Total cost amount
        • Level of certainty around the cost
      2. Provide a copy of the estimated costs to the company’s M&A team. Also provide any additional information identified earlier to help them understand the importance of those costs.

      Record the results in the M&A Buy Playbook.

      Employee transition planning

      Considering employee impact will be a huge component to ensure successful integration

      • Meet With Leadership
      • Plan Individual and Department Redeployment
      • Plan Individual and Department Layoffs
      • Monitor and Manage Departmental Effectiveness
      • For employees, the transition could mean:
        • Changing from their current role to a new role to meet requirements and expectations throughout the transition.
        • Being laid off because the role they are currently occupying has been made redundant.
      • It is important to plan for what the M&A integration needs will be and what the IT operational needs will be.
      • A lack of foresight into this long-term plan could lead to undue costs and headaches trying to retain critical staff, rehiring positions that were already let go, and keeping redundant employees longer then necessary.

      Info-Tech Insight

      Being transparent throughout the process is critical. Do not hesitate to tell employees the likelihood that their job may be made redundant. This will ensure a high level of trust and credibility for those who remain with the organization after the transaction.

      3.2.5 Create an employee transition plan

      3-4 hours

      Input: IT strategy, IT organizational design, Resource Supply-Demand Calculator output

      Output: Employee transition plans

      Materials: M&A Buy Playbook, Whiteboard, Sticky notes, Markers

      Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

      The purpose of this activity is to create a transition plan for employees.

      1. Transition planning can be done at specific individual levels or more broadly to reflect a single role. Consider these four items in the transition plan:
        • Understand the direction of the employee transitions.
        • Identify employees that will be involved in the transition (moved or laid off).
        • Prepare to meet with employees.
        • Meet with employees.
      2. For each employee that will be facing some sort of change in their regular role, permanent or temporary, create a transition plan.
      3. For additional information on transitioning employees, review the blueprint Streamline Your Workforce During a Pandemic.

      **Note that if someone’s future role is a layoff, then there is no need to record anything for skills needed or method for skill development.

      Record the results in the M&A Buy Playbook.

      3.2.6 Create functional workplans for employees

      3-4 hours

      Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

      Output: Employee functional workplans

      Materials: M&A Buy Playbook, Learning and development tools

      Participants: IT executive/CIO, IT senior leadership, IT management team, Company M&A team, Transition team

      The purpose of this activity is to create a functional workplan for the different employees so that they know what their key role and responsibilities are once the transaction occurs.

      1. First complete the transition plan from the previous activity (3.2.5) and the separation roadmap. Have these documents ready to review throughout this process.
      2. Identify the employees who will be transitioning to a new role permanently or temporarily. Creating a functional workplan is especially important for these employees.
      3. Identify the skills these employees need to have to support the separation. Record this in the corresponding slide in the M&A Buy Playbook.
      4. For each employee, identify someone who will be a point of contact for them throughout the transition.

      It is recommended that each employee have a functional workplan. Leverage the IT managers to support this task.

      Record the results in the M&A Buy Playbook.

      Metrics for integration

      Valuation & Due Diligence

      • % Defects discovered in production
      • $ Cost per user for enterprise applications
      • % In-house-built applications vs. enterprise applications
      • % Owners identified for all data domains
      • # IT staff asked to participate in due diligence
      • Change to due diligence
      • IT budget variance
      • Synergy target

      Execution & Value Realization

      • % Satisfaction with the effectiveness of IT capabilities
      • % Overall end-customer satisfaction
      • $ Impact of vendor SLA breaches
      • $ Savings through cost-optimization efforts
      • $ Savings through application rationalization and technology standardization
      • # Key positions empty
      • % Frequency of staff turnover
      • % Emergency changes
      • # Hours of unplanned downtime
      • % Releases that cause downtime
      • % Incidents with identified problem record
      • % Problems with identified root cause
      • # Days from problem identification to root cause fix
      • % Projects that consider IT risk
      • % Incidents due to issues not addressed in the security plan
      • # Average vulnerability remediation time
      • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
      • # Time (days) to value realization
      • % Projects that realized planned benefits
      • $ IT operational savings and cost reductions that are related to synergies/divestitures
      • % IT staff–related expenses/redundancies
      • # Days spent on IT integration
      • $ Accurate IT budget estimates
      • % Revenue growth directly tied to IT delivery
      • % Profit margin growth

      3.2.7 Align project metrics with identified tasks

      3-4 hours

      Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners, M&A goals

      Output: Integration-specific metrics to measure success

      Materials: Roadmap template, M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Transition team

      The purpose of this activity is to understand how to measure the success of the integration project by aligning metrics to each identified task.

      1. Review the M&A goals identified by the business. Your metrics will need to tie back to those business goals.
      2. Identify metrics that align to identified tasks and measure achievement of those goals. For each metric you consider, ask the following questions:
        • What is the main goal or objective that this metric is trying to solve?
        • What does success look like?
        • Does the metric promote the right behavior?
        • Is the metric actionable? What is the story you are trying to tell with this metric?
        • How often will this get measured?
        • Are there any metrics it supports or is supported by?

      Record the results in the M&A Buy Playbook.

      By the end of this mid-transaction phase you should:

      Have successfully evaluated the target organization’s IT environment, escalated the acquisition risks and benefits, and prepared IT for integration.

      Key outcomes from the Due Diligence & Preparation phase
      • Participate in due diligence activities to accurately valuate the target organization(s) and determine if there are critical risks or benefits the current organization should be aware of.
      • Create an integration roadmap that considers the tasks that will need to be completed and the resources required to support integration.
      Key deliverables from the Due Diligence & Preparation phase
      • Establish a due diligence charter
      • Create a list of data room artifacts and engage in due diligence
      • Assess the target organization’s technical debt
      • Valuate the target IT organization
      • Assess and plan for culture
      • Prioritize integration tasks
      • Establish the integration roadmap
      • Identify the needed workforce supply
      • Estimate integration costs
      • Create employee transition plans
      • Create functional workplans for employees
      • Align project metrics with identified tasks

      M&A Buy Blueprint

      Phase 4

      Execution & Value Realization

      Phase 1Phase 2Phase 3

      Phase 4

      • 1.1 Identify Stakeholders and Their Perspective of IT
      • 1.2 Assess IT’s Current Value and Future State
      • 1.3 Drive Innovation and Suggest Growth Opportunities
      • 2.1 Establish the M&A Program Plan
      • 2.2 Prepare IT to Engage in the Acquisition
      • 3.1 Assess the Target Organization
      • 3.2 Prepare to Integrate
      • 4.1 Execute the Transaction
      • 4.2 Reflection and Value Realization

      This phase will walk you through the following activities:

      • Rationalize the IT environment
      • Continually update the project plan
      • Confirm integration costs
      • Review IT’s transaction value
      • Conduct a transaction and integration SWOT
      • Review the playbook and prepare for future transactions

      This phase involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Vendor management team
      • IT transaction team
      • Company M&A team

      Workshop Overview

      Contact your account representative for more information.
      workshops@infotech.com 1-888-670-8889

      Pre-Work

      Day 1

      Day 2

      Day 3

      Engage in Integration

      Day 4

      Establish the Transaction FoundationDiscover the Motivation for IntegrationPlan the Integration RoadmapPrepare Employees for the TransitionEngage in IntegrationAssess the Transaction Outcomes (Must be within 30 days of transaction date)

      Activities

      • 0.1 Understand the rationale for the company's decisions to pursue an acquisition.
      • 0.2 Identify key stakeholders and determine the IT transaction team.
      • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
      • 1.1 Review the business rationale for the acquisition.
      • 1.2 Identify pain points and opportunities tied to the acquisition.
      • 1.3 Establish the integration strategy.
      • 1.4 Prioritize Integration tasks.
      • 2.1 Establish the integration roadmap.
      • 2.2 Establish and align project metrics with identified tasks.
      • 2.3 Estimate integration costs.
      • 3.1 Assess the current culture and identify the goal culture.
      • 3.2 Identify the needed workforce supply.
      • 3.3 Create an employee transition plan.
      • 3.4 Create functional workplans for employees.
      • I.1 Complete the integration by regularly updating the project plan.
      • I.2 Begin to rationalize the IT environment where possible and necessary.
      • 4.1 Confirm integration costs.
      • 4.2 Review IT’s transaction value.
      • 4.3 Conduct a transaction and integration SWOT.
      • 4.4 Review the playbook and prepare for future transactions.

      Deliverables

      1. IT strategy
      2. IT operating model
      3. IT governance structure
      4. M&A transaction team
      1. Business context implications for IT
      2. Integration strategy
      1. Integration roadmap and associated resourcing
      1. Culture assessment
      2. Workforce supply identified
      3. Employee transition plan
      1. Rationalized IT environment
      2. Updated integration project plan
      1. SWOT of transaction
      2. M&A Buy Playbook refined for future transactions

      What is the Execution & Value Realization phase?

      Post-transaction state

      Once the transaction comes to a close, it’s time for IT to deliver on the critical integration tasks. Set the organization up for success by having an integration roadmap. Retaining critical IT staff throughout this process will also be imperative to the overall transaction success.

      Throughout the integration process, roadblocks will arise and need to be addressed. However, by ensuring that employees, technology, and processes are planned for ahead of the transaction, you as IT will be able to weather those unexpected concerns with greater ease.

      Now that you as an IT leader have engaged in an acquisition, demonstrating the value IT was able to provide to the process is critical to establishing a positive and respected relationship with other senior leaders in the business. Be prepared to identify the positives and communicate this value to advance the business’ perception of IT.

      Goal: To carry out the planned integration activities and deliver the intended value to the business

      Execution Prerequisite Checklist

      Before coming into the Execution & Value Realization phase, you must have addressed the following:

      • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
      • Identify the key roles for the transaction team.
      • Identify the M&A governance.
      • Determine target metrics and align to project tasks.
      • Select an integration strategy framework.
      • Conduct a RACI for key transaction tasks for the transaction team.
      • Create a list of data room artifacts and engage in due diligence (directly or indirectly).
      • Prioritize integration tasks.
      • Establish the integration roadmap.
      • Identify the needed workforce supply.
      • Create employee transition plans.

      Before coming into the Execution & Value Realization phase, we recommend addressing the following:

      • Create vision and mission statements.
      • Establish guiding principles.
      • Create a future-state operating model.
      • Identify the M&A operating model.
      • Document the communication plan.
      • Examine the business perspective of IT.
      • Identify key stakeholders and outline their relationship to the M&A process.
      • Be able to valuate the IT environment and communicate IT's value to the business.
      • Establish a due diligence charter.
      • Assess the target organization’s technical debt.
      • Valuate the target IT organization.
      • Assess and plan for culture.
      • Estimate integration costs.
      • Create functional workplans for employees.

      Integration checklists

      Prerequisite Checklist
      • Build the project plan for integration and prioritize activities
        • Plan first day
        • Plan first 30/100 days
        • Plan first year
      • Create an organization-aligned IT strategy
      • Identify critical stakeholders
      • Create a communication strategy
      • Understand the rationale for the acquisition or purchase
      • Develop IT's purchasing strategy
      • Determine goal opportunities
      • Create the mission and vision statements
      • Create the guiding principles
      • Create program metrics
      • Consolidate reports from due diligence/data room
      • Conduct culture assessment
      • Create a transaction team
      • Assess workforce demand and supply
      • Plan and communicate potential layoffs
      • Create an employee transition plan
      • Identify the IT investment
      Business
      • Design an enterprise architecture
      • Document your business architecture
      • Identify and assess all of IT's risks
      Leadership/IT Executive
      • Build an IT budget
      • Structure operating budget
      • Structure capital budget
      • Identify the needed workforce demand vs. capacity
      • Establish and monitor key metrics
      • Communicate value realized/cost savings
      Data
      • Confirm data strategy
      • Confirm data governance
      • Data architecture
      • Data sources
      • Data storage (on-premises vs. cloud)
      • Enterprise content management
      • Compatibility of data types between organizations
      • Cleanliness/usability of target organization data sets
      • Identify data sets that need to be combined to capture synergies/drive core capabilities
      • Reporting and analytics capabilities
      Applications
      • Prioritize and address critical applications
        • ERP
        • CRM
        • Email
        • HRIS
        • Financial
        • Sales
        • Risk
        • Security
      • Leverage application rationalization framework to determine applications to keep, terminate, or create
      • Develop method of integrating applications
      • Model critical applications that have dependencies on one another
      • Identify the infrastructure capacity required to support critical applications
      Operations
      • Communicate helpdesk/service desk information
      • Manage sales access to customer data
      • Determine locations and hours of operation
      • Consolidate phone lists and extensions
      • Synchronize email address books

      Integration checklists (continued)

      Infrastructure
      • Determine single network access
      • Manage organization domains
      • Consolidate data centers
      • Compile inventory of vendors, versions, switches, and routers
      • Review hardware lease or purchase agreements
      • Review outsourcing/service provider agreements
      • Review service-level agreements
      • Assess connectivity linkages between locations
      • Plan to migrate to a single email system if necessary
      Vendors
      • Establish a sustainable vendor management office
      • Review vendor landscape
      • Identify warranty options
      • Rationalize vendor services and solutions
      • Identify opportunities to mature the security architecture
      People
      • Design an IT operating model
      • Redesign your IT organizational structure
      • Conduct a RACI
      • Conduct a culture assessment and identify goal IT culture
      • Build an IT employee engagement program
      • Determine critical roles and systems/process/products they support
      • Create a list of employees to be terminated
      • Create employee transition plans
      • Create functional workplans
      Projects
      • Stop duplicate or unnecessary target organization projects
      • Communicate project intake process
      • Prioritize projects
      Products & Services
      • Ensure customer services requirements are met
      • Ensure customer interaction requirements are met
      • Select a solution for product lifecycle management
      Security
      • Conduct a security assessment of target organization
      • Develop accessibility prioritization and schedule
      • Establish an information security strategy
      • Develop a security awareness and training program
      • Develop and manage security governance, risk, and compliance
      • Identify security budget
      • Build a data privacy and classification program
      IT Processes
      • Evaluate current process models
      • Determine productivity/capacity levels of processes
      • Identify processes to be terminated
      • Identify process expectations from target organization
      • Establish a communication plan
      • Develop a change management process
      • Establish/review IT policies

      Execution & Value Realization

      Step 4.1

      Execute the Transaction

      Activities

      • 4.1.1 Rationalize the IT environment
      • 4.1.2 Continually update the project plan

      This step involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Vendor management team
      • IT transaction team
      • Company M&A team

      Outcomes of Step

      Successfully execute on the integration and strategize how to rationalize the two (or more) IT environments and update the project plan, strategizing against any roadblocks as they might come.

      Compile –› Assess –› Rationalize

      Access to critical information often does not happen until day one

      • As the transaction comes to a close and the target organization becomes the acquired organization, it’s important to start working on the rationalization of your organization.
      • One of the most important elements will be to have a complete understanding of the acquired organization’s IT environment. Specifically, assess the technology, people, and processes that might exist.
      • This rationalization will be heavily dependent on your planned integration strategy determined in the Discovery & Strategy phase of the process.
      • If your IT organization was not involved until after that phase, then determine whether your organization plans on remaining in its original state, taking on the acquired organization’s state, or forming a best-of-breed state by combining elements.
      • To execute on this, however, a holistic understanding of the new IT environment is required.

      Some Info-Tech resources to support this initiative:

      • Reduce and Manage Your Organization’s Insider Threat Risk
      • Build an Application Rationalization Framework
      • Rationalize Your Collaboration Tools
      • Consolidate IT Asset Management
      • Build Effective Enterprise Integration on the Back of Business Process
      • Consolidate Your Data Centers

      4.1.1 Rationalize the IT environment

      6-12 months

      Input: RACI chart, List of critical applications, List of vendor contracts, List of infrastructure assets, List of data assets

      Output: Rationalized IT environment

      Materials: Software Terms & Conditions Evaluation Tool

      Participants: IT executive/CIO, IT senior leadership, Vendor management

      The purpose of this activity is to rationalize the IT environment to reduce and eliminate redundant technology.

      1. Compile a list of the various applications and vendor contracts from the acquired organization and the original organization.
      2. Determine where there is repetition. Have a member of the vendor management team review those contracts and identify cost-saving opportunities.

      This will not be a quick and easy activity to complete. It will require strong negotiation on the behalf of the vendor management team.

      For additional information and support for this activity, see the blueprint Master Contract Review and Negotiations for Software Agreements.

      4.1.2 Continually update the project plan

      Reoccurring basis following transition

      Input: Prioritized integration tasks, Integration RACI, Activity owners

      Output: Updated integration project plan

      Materials: M&A Integration Project Management Tool

      Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

      The purpose of this activity is to ensure that the project plan is continuously updated as your transaction team continues to execute on the various components outlined in the project plan.

      1. Set a regular cadence for the transaction team to meet, update and review the status of the various integration task items, and strategize how to overcome any roadblocks.
      2. Employ governance best practices in these meetings to ensure decisions can be made effectively and resources allocated strategically.

      Record the updates in the M&A Integration Project Management Tool (SharePoint).

      Record the updates in the M&A Integration Project Management Tool (Excel).

      Execution & Value Realization

      Step 4.2

      Reflection and Value Realization

      Activities

      • 4.2.1 Confirm integration costs
      • 4.2.2 Review IT’s transaction value
      • 4.2.3 Conduct a transaction and integration SWOT
      • 4.2.4 Review the playbook and prepare for future transactions

      This step involves the following participants:

      • IT executive/CIO
      • IT senior leadership
      • Transition team
      • Company M&A team

      Outcomes of Step

      Review the value that IT was able to generate around the transaction and strategize on how to improve future acquisition transactions.

      4.2.1 Confirm integration costs

      3-4 hours

      Input: Integration tasks, Transition team, Previous RACI, Estimated costs

      Output: Actual integration costs

      Materials: M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

      The purpose of this activity is to confirm the associated costs around integration. While the integration costs would have been estimated previously, it’s important to confirm the costs that were associated with the integration in order to provide an accurate and up-to-date report to the company’s M&A team.

      1. Taking all the original items identified previously in activity 3.2.4, identify if there were changes in the estimated costs. This can be an increase or a decrease.
      2. Ensure that each cost has a justification for why the cost changed from the original estimation.

      Record the results in the M&A Buy Playbook.

      Track synergy capture through the IT integration

      The ultimate goal of the M&A is to achieve and deliver deal objectives. Early in the M&A, IT must identify, prioritize, and execute upon synergies that deliver value to the business and its shareholders. Continue to measure IT’s contribution toward achieving the organization’s M&A goals throughout the integration by keeping track of cost savings and synergies that have been achieved. When these achievements happen, communicate them and celebrate success.

      1. Define Synergy Metrics: Select metrics to track synergies through the integration.
        1. You can track value by looking at percentages of improvement in process-level metrics depending on the synergies being pursued.
        2. For example, if the synergy being pursued is increasing asset utilization, metrics could range from capacity to revenue generated through increased capacity.
      2. Prioritize Synergistic Initiatives: Estimate the cost and benefit of each initiative's implementation to compare the amount of business value to the cost. The benefits and costs should be illustrated at a high level. Estimating the exact dollar value of fulfilling a synergy can be difficult and misleading.
          Steps
        • Determine the benefits that each initiative is expected to deliver.
        • Determine the high-level costs of implementation (capacity, time, resources, effort).
      3. Track Synergy Captures: Develop a detailed workplan to resource the roadmap and track synergy captures as the initiatives are undertaken.

      Once 80% of the necessary synergies are realized, executive pressure will diminish. However, IT must continue to work toward the technology end state to avoid delayed progression.

      4.2.2 Review IT’s transaction value

      3-4 hours

      Input: Prioritized integration tasks, Integration RACI, Activity owners, M&A company goals

      Output: Transaction value

      Materials: M&A Buy Playbook

      Participants: IT executive/CIO, IT senior leadership, Company's M&A team

      The purpose of this activity is to track how your IT organization performed against the originally identified metrics.

      1. If your organization did not have the opportunity to identify metrics earlier, determine from the company M&A team what those metrics might be. Review activity 3.2.7 for more information on metrics.
      2. Identify whether the metric (which should be used to support a goal) was at, below, or above the original target metric. This is a very critical task for IT to complete because it allows IT to confirm that they were successful engaging in the transaction and that the business can count on them in future transactions.
      3. Be sure to record accurate and relevant information on why the outcomes (good or bad) are supporting the M&A goals that were set out by the business.

      Record the results in the M&A Buy Playbook.

      4.2.3 Conduct a transaction and integration SWOT

      2 hours

      Input: Integration costs, Retention rates, Value IT contributed to the transaction

      Output: Strengths, weaknesses, opportunities, and threats

      Materials: Flip charts, Markers, Sticky notes

      Participants: IT executive/CIO, IT senior leadership, Business transaction team

      The purpose of this activity is to assess the positive and negative elements of the transaction.

      1. Consider the various internal and external elements that could have impacted the outcome of the transaction.
        • Strengths. Internal characteristics that are favorable as they relate to your development environment.
        • Weaknesses Internal characteristics that are unfavorable or need improvement.
        • Opportunities External characteristics that you may use to your advantage.
        • Threats External characteristics that may be potential sources of failure or risk.

      Record the results in the M&A Buy Playbook.

      M&A Buy Playbook review

      With an acquisition complete, your IT organization is now more prepared then ever to support the business through future M&As

      • Now that the transaction is more than 80% complete, take the opportunity to review the key elements that worked well and the opportunities for improvement in future transactions.
      • Critically examine the M&A Buy Playbook your IT organization created and identify what worked well to help the transaction and where your organization could adjust to do better in future transactions.
      • If your organization were to engage in another acquisition under your IT leadership, how would you go about the transaction to make sure the company meets its goals?

      4.2.4 Review the playbook and prepare for future transactions

      4 hours

      Input: Transaction and integration SWOT

      Output: Refined M&A playbook

      Materials: M&A Buy Playbook

      Participants: IT executive/CIO

      The purpose of this activity is to revise the playbook and ensure it is ready to go for future transactions.

      1. Using the outputs from the previous activity, 4.2.3, determine what strengths and opportunities there were that should be leveraged in the next transaction.
      2. Likewise, determine which threats and weaknesses could be avoided in the future transactions.
        Remember, this is your M&A Buy Playbook, and it should reflect the most successful outcome for you in your organization.

      Record the results in the M&A Buy Playbook.

      By the end of this post-transaction phase you should:

      Have completed the integration post-transaction and be fluidly delivering the critical value that the business expected of IT.

      Key outcomes from the Execution & Value Realization phase
      • Ensure the integration tasks are being completed and that any blockers related to the transaction are being removed.
      • Determine where IT was able to realize value for the business and demonstrate IT’s involvement in meeting target goals.
      Key deliverables from the Execution & Value Realization phase
      • Rationalize the IT environment
      • Continually update the project plan for completion
      • Confirm integration costs
      • Review IT’s transaction value
      • Conduct a transaction and integration SWOT
      • Review the playbook and prepare for future transactions

      Summary of Accomplishment

      Problem Solved

      Congratulations, you have completed the M&A Buy Blueprint!

      Rather than reacting to a transaction, you have been proactive in tackling this initiative. You now have a process to fall back on in which you can be an innovative IT leader by suggesting how and why the business should engage in an acquisition. You now have:

      • Created a standardized approach for how your IT organization should address acquisitions.
      • Evaluated the target organizations successfully and established an integration project plan.
      • Delivered on the integration project plan successfully and communicated IT’s transaction value to the business.

      Now that you have done all of this, reflect on what went well and what can be improved in case if you have to do this all again in a future transaction.

      If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

      Contact your account representative for more information
      workshops@infotech.com 1-888-670-8899

      Research Contributors and Experts

      Ibrahim Abdel-Kader
      Research Analyst | CIO
      Info-Tech Research Group
      Brittany Lutes
      Senior Research Analyst | CIO
      Info-Tech Research Group
      John Annand
      Principal Research Director | Infrastructure
      Info-Tech Research Group
      Scott Bickley
      Principal Research Director | Vendor Management
      Info-Tech Research Group
      Cole Cioran
      Practice Lead | Applications
      Info-Tech Research Group
      Dana Daher
      Research Analyst | Strategy & Innovation
      Info-Tech Research Group
      Eric Dolinar
      Manager | M&A Consulting
      Deloitte Canada
      Christoph Egel
      Director, Solution Design & Deliver
      Cooper Tire & Rubber Company
      Nora Fisher
      Vice President | Executive Services Advisory
      Info-Tech Research Group
      Larry Fretz
      Vice President | Industry
      Info-Tech Research Group

      Research Contributors and Experts

      David Glazer
      Vice President of Analytics
      Kroll
      Jack Hakimian
      Senior Vice President | Workshops and Delivery
      Info-Tech Research Group
      Gord Harrison
      Senior Vice President | Research & Advisory
      Info-Tech Research Group
      Valence Howden
      Principal Research Director | CIO
      Info-Tech Research Group
      Jennifer Jones
      Research Director | Industry
      Info-Tech Research Group
      Nancy McCuaig
      Senior Vice President | Chief Technology and Data Office
      IGM Financial Inc.
      Carlene McCubbin
      Practice Lead | CIO
      Info-Tech Research Group
      Kenneth McGee
      Research Fellow | Strategy & Innovation
      Info-Tech Research Group
      Nayma Naser
      Associate
      Deloitte
      Andy Neill
      Practice Lead | Data & Analytics, Enterprise Architecture
      Info-Tech Research Group

      Research Contributors and Experts

      Rick Pittman
      Vice President | Research
      Info-Tech Research Group
      Rocco Rao
      Research Director | Industry
      Info-Tech Research Group
      Mark Rosa
      Senior Vice President & Chief Information Officer
      Mohegan Gaming and Entertainment
      Tracy-Lynn Reid
      Research Lead | People & Leadership
      Info-Tech Research Group
      Jim Robson
      Senior Vice President | Shared Enterprise Services (retired)
      Great-West Life
      Steven Schmidt
      Senior Managing Partner Advisory | Executive Services
      Info-Tech Research Group
      Nikki Seventikidis
      Senior Manager | Finance Initiative & Continuous Improvement
      CST Consultants Inc.
      Allison Straker
      Research Director | CIO
      Info-Tech Research Group
      Justin Waelz
      Senior Network & Systems Administrator
      Info-Tech Research Group
      Sallie Wright
      Executive Counselor
      Info-Tech Research Group

      Bibliography

      “5 Ways for CIOs to Accelerate Value During Mergers and Acquisitions.” Okta, n.d. Web.

      Altintepe, Hakan. “Mergers and acquisitions speed up digital transformation.” CIO.com, 27 July 2018. Web.

      “America’s elite law firms are booming.” The Economist, 15 July 2021. Web.

      Barbaglia, Pamela, and Joshua Franklin. “Global M&A sets Q1 record as dealmakers shape post-COVID world.” Nasdaq, 1 April 2021. Web.

      Boyce, Paul. “Mergers and Acquisitions Definition: Types, Advantages, and Disadvantages.” BoyceWire, 8 Oct. 2020. Web.

      Bradt, George. “83% Of Mergers Fail -- Leverage A 100-Day Action Plan For Success Instead.” Forbes, 27 Jan. 2015. Web.

      Capgemini. “Mergers and Acquisitions: Get CIOs, IT Leaders Involved Early.” Channel e2e, 19 June 2020. Web.

      Chandra, Sumit, et al. “Make Or Break: The Critical Role Of IT In Post-Merger Integration.” IMAA Institute, 2016. Web.

      Deloitte. “How to Calculate Technical Debt.” The Wall Street Journal, 21 Jan. 2015. Web.

      Ernst & Young. “IT As A Driver Of M&A Success.” IMAA Institute, 2017. Web.

      Fernandes, Nuno. “M&As In 2021: How To Improve The Odds Of A Successful Deal.” Forbes, 23 March 2021. Web.

      “Five steps to a better 'technology fit' in mergers and acquisitions.” BCS, 7 Nov. 2019. Web.

      Fricke, Pierre. “The Biggest Opportunity You’re Missing During an M&Aamp; IT Integration.” Rackspace, 4 Nov. 2020. Web.

      Garrison, David W. “Most Mergers Fail Because People Aren't Boxes.” Forbes, 24 June 2019. Web.

      Harroch, Richard. “What You Need To Know About Mergers & Acquisitions: 12 Key Considerations When Selling Your Company.” Forbes, 27 Aug. 2018. Web.

      Hope, Michele. “M&A Integration: New Ways To Contain The IT Cost Of Mergers, Acquisitions And Migrations.” Iron Mountain, n.d. Web.

      “How Agile Project Management Principles Can Modernize M&A.” Business.com, 13 April 2020. Web.

      Hull, Patrick. “Answer 4 Questions to Get a Great Mission Statement.” Forbes, 10 Jan. 2013. Web.

      Kanter, Rosabeth Moss. “What We Can Learn About Unity from Hostile Takeovers.” Harvard Business Review, 12 Nov. 2020. Web.

      Koller, Tim, et al. “Valuation: Measuring and Managing the Value of Companies, 7th edition.” McKinsey & Company, 2020. Web.

      Labate, John. “M&A Alternatives Take Center Stage: Survey.” The Wall Street Journal, 30 Oct. 2020. Web.

      Lerner, Maya Ber. “How to Calculate ROI on Infrastructure Automation.” DevOps.com, 1 July 2020. Web.

      Loten, Angus. “Companies Without a Tech Plan in M&A Deals Face Higher IT Costs.” The Wall Street Journal, 18 June 2019. Web.

      Low, Jia Jen. “Tackling the tech integration challenge of mergers today” Tech HQ, 6 Jan. 2020. Web.

      Lucas, Suzanne. “5 Reasons Turnover Should Scare You.” Inc. 22 March 2013. Web.

      “M&A Trends Survey: The future of M&A. Deal trends in a changing world.” Deloitte, Oct. 2020. Web.

      Maheshwari, Adi, and Manish Dabas. “Six strategies tech companies are using for successful divesting.” EY, 1 Aug. 2020. Web.

      Majaski, Christina. “Mergers and Acquisitions: What's the Difference?” Investopedia, 30 Apr. 2021.

      “Mergers & Acquisitions: Top 5 Technology Considerations.” Teksetra, 21 Jul. 2020. Web.

      “Mergers Acquisitions M&A Process.” Corporate Finance Institute, n.d. Web.

      “Mergers and acquisitions: A means to gain technology and expertise.” DLA Piper, 2020. Web.

      Nash, Kim S. “CIOs Take Larger Role in Pre-IPO Prep Work.” The Wall Street Journal, 5 March 2015. Web.

      Paszti, Laila. “Canada: Emerging Trends In Information Technology (IT) Mergers And Acquisitions.” Mondaq, 24 Oct. 2019. Web.

      Patel, Kiison. “The 8 Biggest M&A Failures of All Time” Deal Room, 9 Sept. 2021. Web.

      Peek, Sean, and Paula Fernandes. “What Is a Vision Statement?” Business News Daily, 7 May 2020. Web.

      Ravid, Barak. “Tech execs focus on growth amid increasingly competitive M&A market.” EY, 28 April 2021. Web.

      Resch, Scott. “5 Questions with a Mergers & Acquisitions Expert.” CIO, 25 June 2019. Web.

      Salsberg, Brian. “Four tips for estimating one-time M&A integration costs.” EY, 17 Oct. 2019. Web.

      Samuels, Mark. “Mergers and acquisitions: Five ways tech can smooth the way.” ZDNet, 15 Aug. 2018. Web.

      “SAP Divestiture Projects: Options, Approach and Challenges.” Cognizant, May, 2014. Web.

      Steeves, Dave. “7 Rules for Surviving a Merger & Acquisition Technology Integration.” Steeves and Associates, 5 Feb. 2020. Web.

      Tanaszi, Margaret. “Calculating IT Value in Business Terms.” CSO, 27 May 2004. Web.

      “The CIO Playbook. Nine Steps CIOs Must Take For Successful Divestitures.” SNP, 2016. Web.

      “The Role of IT in Supporting Mergers and Acquisitions.” Cognizant, Feb. 2015. Web.

      Torres, Roberto. “M&A playbook: How to prepare for the cost, staff and tech hurdles.” CIO Dive, 14 Nov. 2019. Web.

      “Valuation Methods.” Corporate Finance Institute, n.d. Web.

      Weller, Joe. “The Ultimate Guide to the M&A Process for Buyers and Sellers.” Smartsheet, 16 May 2019. Web.

      Create a Right-Sized Disaster Recovery Plan

      • Buy Link or Shortcode: {j2store}410|cart{/j2store}
      • member rating overall impact (scale of 10): 9.6/10 Overall Impact
      • member rating average dollars saved: $83,037 Average $ Saved
      • member rating average days saved: 32 Average Days Saved
      • Parent Category Name: DR and Business Continuity
      • Parent Category Link: /business-continuity
      • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a disaster recovery plan (DRP).
      • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors but will not be effective in a crisis.
      • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
      • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

      Our Advice

      Critical Insight

      • At its core, disaster recovery (DR) is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
      • Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
      • Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

      Impact and Result

      • Define appropriate objectives for service downtime and data loss based on business impact.
      • Document an incident response plan that captures all of the steps from event detection to data center recovery.
      • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

      Create a Right-Sized Disaster Recovery Plan Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Disaster Recovery Plan (DRP) Research – A step-by-step document that helps streamline your DR planning process and build a plan that's concise, usable, and maintainable.

      Any time a major IT outage occurs, it increases executive awareness and internal pressure to create an IT DRP. This blueprint will help you develop an actionable DRP by following our four-phase methodology to define scope, current status, and dependencies; conduct a business impact analysis; identify and address gaps in the recovery workflow; and complete, extend, and maintain your DRP.

      • Create a Right-Sized Disaster Recovery Plan – Phases 1-4

      2. DRP Case Studies – Examples to help you understand the governance and incident response components of a DRP and to show that your DRP project does not need to be as onerous as imagined.

      These examples include a client who leveraged the DRP blueprint to create practical, concise, and easy-to-maintain DRP governance and incident response plans and a case study based on a hospital providing a wide range of healthcare services.

      • Case Study: Practical, Right-Sized DRP
      • Case Study: Practical, Right-Sized DRP – Healthcare Example

      3. DRP Maturity Scorecard – An assessment tool to evaluate the current state of your DRP.

      Use this tool to measure your current DRP maturity and identify gaps to address. It includes a comprehensive list of requirements for your DRP program, including core and industry requirements.

      • DRP Maturity Scorecard

      4. DRP Project Charter Template – A template to communicate important details on the project purpose, scope, and parameters.

      The project charter template includes details on the project overview (description, background, drivers, and objectives); governance and management (project stakeholders/roles, budget, and dependencies); and risks, assumptions, and constraints (known and potential risks and mitigation strategy).

      • DRP Project Charter Template

      5. DRP Business Impact Analysis Tool – An evaluation tool to estimate the impact of downtime to determine appropriate, acceptable recovery time objectives (RTOs) and recovery point objectives (RPOs) and to review gaps between objectives and actuals.

      This tool enables you to identify critical applications/systems; identify dependencies; define objective scoring criteria to evaluate the impact of application/system downtime; determine the impact of downtime and establish criticality tiers; set recovery objectives (RTO/RPO) based on the impact of downtime; record recovery actuals (RTA/RPA) and identify any gaps between objectives and actuals; and identify dependencies that regularly fail (and have a significant impact when they fail) to prioritize efforts to improve resiliency.

      • DRP Business Impact Analysis Tool
      • Legacy DRP Business Impact Analysis Tool

      6. DRP BIA Scoring Context Example – A tool to record assumptions you made in the DRP Business Impact Analysis Tool to explain the results and drive business engagement and feedback.

      Use this tool to specifically record assumptions made about who and what are impacted by system downtime and record assumptions made about impact severity.

      • DRP BIA Scoring Context Example

      7. DRP Recovery Workflow Template – A flowchart template to provide an at-a-glance view of the recovery workflow.

      This simple format is ideal during crisis situations, easier to maintain, and often quicker to create. Use this template to document the Notify - Assess - Declare disaster workflow, document current and planned future state recovery workflows, including gaps and risks, and review an example recovery workflow.

      • DRP Recovery Workflow Template (PDF)
      • DRP Recovery Workflow Template (Visio)

      8. DRP Roadmap Tool – A visual roadmapping tool that will help you plan, communicate, and track progress for your DRP initiatives.

      Improving DR capabilities is a marathon, not a sprint. You likely can't fund and resource all the measures for risk mitigation at once. Instead, use this tool to create a roadmap for actions, tasks, projects, and initiatives to complete in the short, medium, and long term. Prioritize high-benefit, low-cost mitigations.

      • DRP Roadmap Tool

      9. DRP Recap and Results Template – A template to summarize and present key findings from your DR planning exercises and documents.

      Use this template to present your results from the DRP Maturity Scorecard, BCP-DRP Fitness Assessment, DRP Business Impact Analysis Tool, tabletop planning exercises, DRP Recovery Workflow Template, and DRP Roadmap Tool.

      • DRP Recap and Results Template

      10. DRP Workbook – A comprehensive tool that enables you to organize information to support DR planning.

      Leverage this tool to document information regarding DRP resources (list the documents/information sources that support DR planning and where they are located) and DR teams and contacts (list the DR teams, SMEs critical to DR, and key contacts, including business continuity management team leads that would be involved in declaring a disaster and coordinating response at an organizational level).

      • DRP Workbook

      11. Appendix

      The following tools and templates are also included as part of this blueprint to use as needed to supplement the core steps above:

      • DRP Incident Response Management Tool
      • DRP Vendor Evaluation Questionnaire
      • DRP Vendor Evaluation Tool
      • Severity Definitions and Escalation Rules Template
      • BCP-DRP Fitness Assessment
      [infographic]

      Workshop: Create a Right-Sized Disaster Recovery Plan

      Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

      1 Define Parameters for Your DRP

      The Purpose

      Identify key applications and dependencies based on business needs.

      Key Benefits Achieved

      Understand the entire IT “footprint” that needs to be recovered for key applications. 

      Activities

      1.1 Assess current DR maturity.

      1.2 Determine critical business operations.

      1.3 Identify key applications and dependencies.

      Outputs

      Current challenges identified through a DRP Maturity Scorecard.

      Key applications and dependencies documented in the Business Impact Analysis (BIA) Tool.

      2 Determine the Desired Recovery Timeline

      The Purpose

      Quantify application criticality based on business impact.

      Key Benefits Achieved

      Appropriate recovery time and recovery point objectives defined (RTOs/RPOs).

      Activities

      2.1 Define an objective scoring scale to indicate different levels of impact.

      2.2 Estimate the impact of downtime.

      2.3 Determine desired RTO/RPO targets for applications based on business impact.

      Outputs

      Business impact analysis scoring criteria defined.

      Application criticality validated.

      RTOs/RPOs defined for applications and dependencies.

      3 Determine the Current Recovery Timeline and DR Gaps

      The Purpose

      Determine your baseline DR capabilities (your current state).

      Key Benefits Achieved

      Gaps between current and desired DR capability are quantified.

      Activities

      3.1 Conduct a tabletop exercise to determine current recovery procedures.

      3.2 Identify gaps between current and desired capabilities.

      3.3 Estimate likelihood and impact of failure of individual dependencies.

      Outputs

      Current achievable recovery timeline defined (i.e. the current state).

      RTO/RPO gaps identified.

      Critical single points of failure identified.

      4 Create a Project Roadmap to Close DR Gaps

      The Purpose

      Identify and prioritize projects to close DR gaps.

      Key Benefits Achieved

      DRP project roadmap defined that will reduce downtime and data loss to acceptable levels.

      Activities

      4.1 Determine what projects are required to close the gap between current and desired DR capability.

      4.2 Prioritize projects based on cost, effort, and impact on RTO/RPO reduction.

      4.3 Validate that the suggested projects will achieve the desired DR capability.

      Outputs

      Potential DR projects identified.

      DRP project roadmap defined.

      Desired-state incident response plan defined, and project roadmap validated.

      5 Establish a Framework for Documenting Your DRP, and Summarize Next Steps

      The Purpose

      Outline how to create concise, usable DRP documentation.

      Summarize workshop results. 

      Key Benefits Achieved

      A realistic and practical approach to documenting your DRP.

      Next steps documented. 

      Activities

      5.1 Outline a strategy for using flowcharts and checklists to create concise, usable documentation.

      5.2 Review Info-Tech’s DRP templates for creating system recovery procedures and a DRP summary document.

      5.3 Summarize the workshop results, including current potential downtime and action items to close gaps.

      Outputs

      Current-state and desired-state incident response plan flowcharts.

      Templates to create more detailed documentation where necessary.

      Executive communication deck that outlines current DR gaps, how to close those gaps, and recommended next steps.

      Further reading

      Create a Right-Sized Disaster Recovery Plan

      Close the gap between your DR capabilities and service continuity requirements.

      ANALYST PERSPECTIVE

      An effective disaster recovery plan (DRP) is not just an insurance policy.

      "An effective DRP addresses common outages such as hardware and software failures, as well as regional events, to provide day-to-day service continuity. It’s not just insurance you might never cash in. Customers are also demanding evidence of an effective DRP, so organizations without a DRP risk business impact not only from extended outages but also from lost sales. If you are fortunate enough to have executive buy-in, whether it’s due to customer pressure or concern over potential downtime, you still have the challenge of limited time to dedicate to disaster recovery (DR) planning. Organizations need a practical but structured approach that enables IT leaders to create a DRP without it becoming their full-time job."

      Frank Trovato,

      Research Director, Infrastructure

      Info-Tech Research Group

      Is this research for you?

      This Research Is Designed For:

      • Senior IT management responsible for executing DR.
      • Organizations seeking to formalize, optimize, or validate an existing DRP.
      • Business continuity management (BCM) professionals leading DRP development.

      This Research Will Help You:

      • Create a DRP that is aligned with business requirements.
      • Prioritize technology enhancements based on DR requirements and risk-impact analysis.
      • Identify and address process and technology gaps that impact DR capabilities and day-to-day service continuity.

      This Research Will Also Assist:

      • Executives who want to understand the time and resource commitment required for DRP.
      • Members of BCM and crisis management teams who need to understand the key elements of an IT DRP.

      This Research Will Help Them:

      • Scope the time and effort required to develop a DRP.
      • Align business continuity, DR, and crisis management plans.

      Executive summary

      Situation

      • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a DRP.
      • Industry standards and government regulations are driving external pressure to develop business continuity and IT DR plans.
      • Customers are asking suppliers and partners to provide evidence that they have a workable DRP before agreeing to do business.

      Complication

      • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors, but will not be effective in a crisis.
      • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
      • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

      Resolution

      • Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity:
        • Define appropriate objectives for service downtime and data loss based on business impact.
        • Document an incident response plan that captures all of the steps from event detection to data center recovery.
        • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

      Info-Tech Insight

      1. At its core, DR is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
      2. Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
      3. Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

      An effective DRP is critical to reducing the cost of downtime

      If you don’t have an effective DRP when failure occurs, expect to face extended downtime and exponentially rising costs due to confusion and lack of documented processes.

      Image displayed is a graph that shows that delay in recovery causes exponential revenue loss.

      Potential Lost Revenue

      The impact of downtime tends to increase exponentially as systems remain unavailable (graph at left). A current, tested DRP will significantly improve your ability to execute systems recovery, minimizing downtime and business impact. Without a DRP, IT is gambling on its ability to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.

      Adapted from: Philip Jan Rothstein, 2007

      Cost of Downtime for the Fortune 1000

      Cost of unplanned apps downtime per year: $1.25B to $2.5B.

      Cost of critical apps failure per hour: $500,000 to $1M.

      Cost of infrastructure failure per hour: $100,000.

      35% reported to have recovered within 12 hours.

      17% of infrastructure failures took more than 24 hours to recover.

      13% of application failures took more than 24 hours to recover.

      Source: Stephen Elliot, 2015

      Info-Tech Insight

      The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). Downtime cost increase since 2010:

      Hospitality: 129% increase

      Transportation: 108% increase

      Media organizations: 104% increase

      An effective DRP also sets clear recovery objectives that align with system criticality to optimize spend

      The image displays a disaster recovery plan example, where different tiers are in place to support recovery in relation to time.

      Take a practical approach that creates a more concise and actionable DRP

      DR planning is not your full-time job, so it can’t be a resource- and time-intensive process.

      The Traditional Approach Info-Tech’s Approach

      Start with extensive risk and probability analysis.

      Challenge: You can’t predict every event that can occur, and this delays work on your actual recovery procedures.

      Focus on how to recover regardless of the incident.

      We know failure will happen. Focus on improving your ability to failover to a DR environment so you are protected regardless of what causes primary site failure.

      Build a plan for major events such as natural disasters.

      Challenge: Major destructive events only account for 12% of incidents while software/hardware issues account for 45%. The vast majority of incidents are isolated local events.

      An effective DRP improves day-to-day service continuity, and is not just for major events.

      Leverage DR planning to address both common (e.g. power/network outage or hardware failure) as well as major events. It must be documentation you can use, not shelfware.

      Create a DRP manual that provides step-by-step instructions that anyone could follow.

      Challenge: The result is lengthy, dense manuals that are difficult to maintain and hard to use in a crisis. The usability of DR documents has a direct impact on DR success.

      Create concise documentation written for technical experts.

      Use flowcharts, checklists, and diagrams. They are more usable in a crisis and easier to maintain. You aren’t going to ask a business user to recover your SQL Server databases, so you can afford to be concise.

      DR must be integrated with day-to-day incident management to ensure service continuity

      When a tornado takes out your data center, it’s an obvious DR scenario and the escalation towards declaring a disaster is straightforward.

      The challenge is to be just as decisive in less-obvious (and more common) DR scenarios such as a critical system hardware/software failure, and knowing when to move from incident management to DR. Don’t get stuck troubleshooting for days when you could have failed over in hours.

      Bridge the gap with clearly-defined escalation rules and criteria for when to treat an incident as a disaster.

      Image displays two graphs. The graph on the left measures the extent that service management processes account for disasters by the success meeting RTO and RPO. The graph on the right is a double bar graph that shows DRP being integrated and not integrated in the following categories: Incident Classifications, Severity Definitions, Incident Models, Escalation Procedures. These are measured based on the success meeting RTO and RPO.

      Source: Info-Tech Research Group; N=92

      Myth busted: The DRP is separate from day-to-day ops and incident management.

      The most common threats to service continuity are hardware and software failures, network outages, and power outages

      The image displayed is a bar graph that shows the common threats to service continuity. There are two areas of interest that have labels. The first is: 45% of service interruptions that went beyond maximum downtime guidelines set by the business were caused by software and hardware issues. The second label is: Only 12% of incidents were caused by major destructive events.

      Source: Info-Tech Research Group; N=87

      Info-Tech Insight

      Does this mean I don’t need to worry about natural disasters? No. It means DR planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common but less dramatic causes of service interruptions, you are diminishing the business value of a DRP.

      Myth busted: DRPs are just for destructive events – fires, floods, and natural disasters.

      DR isn’t about identifying risks; it’s about ensuring service continuity

      The traditional approach to DR starts with an in-depth exercise to identify risks to IT service continuity and the probability that those risks will occur.

      Here’s why starting with a risk register is ineffective:

      • Odds are, you won’t think of every incident that might occur. If you think of twenty risks, it’ll be the twenty-first that gets you. If you try to guard against that twenty-first risk, you can quickly get into cartoonish scenarios and much more costly solutions.
      • The ability to failover to another site mitigates the risk of most (if not all) incidents (fire, flood, hardware failure, tornado, etc.). A risk and probability analysis doesn’t change the need for a plan that includes a failover procedure.

      Where risk is incorporated in this methodology:

      • Use known risks to further refine your strategy (e.g. if you are prone to hurricanes, plan for greater geographic separation between sites; ensure you have backups, in addition to replication, to mitigate the risk of ransomware).
      • Identify risks to your ability to execute DR (e.g. lack of cross-training, backups that are not tested) and take steps to mitigate those risks.

      Myth busted: A risk register is the critical first step to creating an effective DR plan.

      You can’t outsource accountability and you can’t assume your vendor’s DR capabilities meet your needs

      Outsourcing infrastructure services – to a cloud provider, co-location provider, or managed service provider (MSP) – can improve your DR and service continuity capabilities. For example, a large public cloud provider will generally have:

      • Redundant telecoms service providers, network infrastructure, power feeds, and standby power.
      • Round-the-clock infrastructure and security monitoring.
      • Multiple data centers in a given region, and options to replicate data and services across regions.

      Still, failure is inevitable – it’s been demonstrated multiple times1 through high-profile outages. When you surrender direct control of the systems themselves, it’s your responsibility to ensure the vendor can meet your DR requirements, including:

      • A DR site and acceptable recovery times for systems at that site.
      • An acceptable replication/backup schedule.

      Sources: Kyle York, 2016; Shaun Nichols, 2017; Stephen Burke, 2017

      Myth busted: I outsource infrastructure services so I don’t have to worry about DR. That’s my vendor’s responsibility.

      Choose flowcharts over process guides, checklists over procedures, and diagrams over descriptions

      IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

      In reality, you write a DR plan for knowledgeable technical staff, which allows you to summarize key details your staff already know. Concise, visual documentation is:

      • Quicker to create.
      • Easier to use.
      • Simpler to maintain.

      "Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

      – Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

      A graph is displayed. It shows a line graph where the DR success is higher by using flowcharts, checklists, and diagrams.

      Source: Info-Tech Research Group; N=95

      *DR Success is based on stated ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs), and reported confidence in ability to consistently meet targets.

      Myth busted: A DRP must include every detail so anyone can execute recovery.

      A DRP is part of an overall business continuity plan

      A DRP is the set of procedures and supporting documentation that enables an organization to restore its core IT services (i.e. applications and infrastructure) as part of an overall business continuity plan (BCP), as described below. Use the templates, tools, and activities in this blueprint to create your DRP.

      Overall BCP
      IT DRP BCP for Each Business Unit Crisis Management Plan
      A plan to restore IT services (e.g. applications and infrastructure) following a disruption. This includes:
      • Identifying critical applications and dependencies.
      • Defining an appropriate (desired) recovery timeline based on a business impact analysis (BIA).
      • Creating a step-by-step incident response plan.
      A set of plans to resume business processes for each business unit. Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization. A set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communication plans, and the steps to invoke BC/DR plans when applicable. Info-Tech’s Implement Crisis Management Best Practices blueprint provides a structured approach to develop a crisis management process.

      Note: For DRP, we focus on business-facing IT services (as opposed to the underlying infrastructure), and then identify required infrastructure as dependencies (e.g. servers, databases, network).

      Take a practical but structured approach to creating a concise and effective DRP

      Image displayed shows the structure of this blueprint. It shows the structure of phases 1-4 and the related tools and templates for each phase.

      Info-Tech offers various levels of support to best suit your needs

      DIY Toolkit

      "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

      Guided Implementation

      “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

      Workshop

      “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

      Consulting

      “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

      Diagnostics and consistent frameworks used throughout all four options

      Info-Tech advisory services deliver measurable value

      Info-Tech members save an average of $22,983 and 22 days by working with an Info-Tech analyst on DRP (based on client response data from Info-Tech Research Group’s Measured Value Survey, following analyst advisory on this blueprint).

      Why do members report value from analyst engagement?

      1. Expert advice on your specific situation to overcome obstacles and speed bumps.
      2. Structured project and guidance to stay on track.
      3. Project deliverables review to ensure the process is applied properly.

      Guided implementation overview

      Your trusted advisor is just a call away.

      Define DRP scope (Call 1)

      Scope requirements, objectives, and your specific challenges. Identify applications/ systems to focus on first.

      Define current status and system dependencies (Calls 2-3)

      Assess current DRP maturity. Identify system dependencies.

      Conduct a BIA (Calls 4-6)

      Create an impact scoring scale and conduct a BIA. Identify RTO and RPO for each system.

      Recovery workflow (Calls 7-8)

      Create a recovery workflow based on tabletop planning. Identify gaps in recovery capabilities.

      Projects and action items (Calls 9-10)

      Identify and prioritize improvements. Summarize results and plan next steps.

      Your guided implementations will pair you with an advisor from our analyst team for the duration of your DRP project.

      Workshop overview

      Contact your account representative or email Workshops@InfoTech.com for more information.

      Image displays the workshop overview for this blueprint. It is a workshop that runs for 4 days and covers various activities and produces many deliverables.

      End-user complaints distract from serious IT-based risks to business continuity

      Case Study

      Industry: Manufacturing
      Source: Info-Tech Research Group Client Engagement

      A global manufacturer with annual sales over $1B worked with Info-Tech to improve DR capabilities.

      DRP BIA

      Conversations with the IT team and business units identified the following impact of downtime over 24 hours:

      • Email: Direct Cost: $100k; Goodwill Impact Score: 8.5/16
      • ERP: Direct Cost: $1.35mm; Goodwill Impact Score: 12.5/16

      Tabletop Testing and Recovery Capabilities

      Reviewing the organization’s current systems recovery workflow identified the following capabilities:

      • Email: RTO: minutes, RPO: minutes
      • ERP: RTO: 14 hours, RPO: 24 hours

      Findings

      Because of end-user complaints, IT had invested heavily in email resiliency though email downtime had a relatively minimal impact on the business. After working through the methodology, it was clear that the business needed to provide additional support for critical systems.

      Insights at each step:

      Identify DR Maturity and System Dependencies

      Conduct a BIA

      Outline Incident Response and Recovery Workflow With Tabletop Exercises

      Mitigate Gaps and Risks

      Create a Right-Sized Disaster Recovery Plan

      Phase 1

      Define DRP Scope, Current Status, and Dependencies

      Step 1.1: Set Scope, Kick-Off the DRP Project, and Create a Charter

      This step will walk you through the following activities:

      • Establish a team for DR planning.
      • Retrieve and review existing, relevant documentation.
      • Create a project charter.

      This step involves the following participants:

      • DRP Coordinator
      • DRP Team (Key IT SMEs)
      • IT Managers

      Results and Insights

      • Set scope for the first iteration of the DRP methodology.
      • Don’t try to complete your DR and BCPs all at once.
      • Don’t bite off too much at once.

      Kick-off your DRP project

      You’re ready to start your DR project.

      This could be an annual review – but more likely, this is the first time you’ve reviewed the DR plan in years.* Maybe a failed audit might have provided a mandate for DR planning, or a real disaster might have highlighted gaps in DR capabilities. First, set appropriate expectations for what the project is and isn’t, in terms of scope, outputs, and resource commitments. Very few organizations can afford to hire a full-time DR planner, so it’s likely this won’t be your full-time job. Set objectives and timelines accordingly.

      Gather a team

      • Often, DR efforts are led by the infrastructure and operations leader. This person can act as the DRP coordinator or may delegate this role.
      • Key infrastructure subject-matter experts (SMEs) are usually part of the team and involved through the project.

      Find and review existing documentation

      • An existing DRP may have information you can re-purpose rather than re-create.
      • High-level architecture diagrams and network diagrams can help set scope (and will become part of your DR kit).
      • Current business-centric continuity of operations plans (COOPs) or BCPs are important to understand.

      Set specific, realistic objectives

      • Create a project charter (see next slide) to record objectives, timelines, and assumptions.
      *Only 20% of respondents to an Info-Tech Research Group survey (N=165) had a complete DRP; only 38% of respondents with a complete or mostly complete DRP felt it would be effective in a crisis.

      List DRP drivers and challenges

      1(a) Drivers and roadblocks

      Estimated Time: 30 minutes

      Identify the drivers and challenges to completing a functional DRP plan with the core DR team.

      DRP Drivers

      • Past outages (be specific):
        • Hardware and software failures
        • External network and power outages
        • Building damage
        • Natural disaster(s)
      • Audit findings
      • Events in the news
      • Other?

      DRP Challenges

      • Lack of time
      • Insufficient DR budget
      • Lack of executive support
      • No internal DRP expertise
      • Challenges making the case for DRP
      • Other?

      Write down insights from the meeting on flip-chart paper or a whiteboard and use the findings to inform your DRP project (e.g. challenges to address).

      Clarify expectations with a project charter

      1(b) DRP Project Charter Template

      DRP Project Charter Template components:

      Define project parameters, roles, and objectives, and clarify expectations with the executive team. Specific subsections are listed below and described in more detail in the remainder of this phase.

      • Project Overview: Includes objectives, deliverables, and scope. Leverage relevant notes from the “Project Drivers” brainstorming exercise (e.g. past outages and near misses which help make the case).
      • Governance and Management: Includes roles, responsibilities, and resource requirements.
      • Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies, as well as any assumptions and constraints.
      • Project Sign-Off: Includes IT and executive sign-off (if required).

      Note: Identify the initial team roles and responsibilities first so they can assist in defining the project charter.

      The image is a screenshot of the first page of the DRP Project Charter Template.

      Step 1.2: Assess Current State DRP Maturity

      This step will walk you through the following activities:

      • Complete Info-Tech’s DRP Maturity Scorecard.

      This step involves the following participants:

      • DRP Coordinator
      • IT SMEs

      Results and Insights

      • Identify the current state of the organization’s DRP and continuity management. Set a baseline for improvement.
      • Discover where improvement is most needed to create an effective plan.

      Only 38% of IT departments believe their DRPs would be effective in a real crisis

      Even organizations with documented DRPs struggle to make them actionable.

      • Even when a DRP does become a priority (e.g. due to regulatory or customer drivers), the challenge is knowing where to start and having a methodical step-by-step process for doing the work. With no guide to plan and resource the project, it becomes work that you complete piecemeal when you aren’t working on other projects, or at night after the kids go to bed.
      • Far too many organizations create a document to satisfy auditors rather than creating a usable plan. People in this group often just want a fill-in-the-blanks template. What they will typically find is a template for the traditional 300-page manual that goes in a binder that sits on a shelf, is difficult to maintain, and is not effective in a crisis.
      Two bar graphs are displayed. The graph on the left shows that only 20% of survey respondents indicate they have a complete DRP. The graph on the right shows that 38% of those who have a mostly completed or full DRP actually feel it would be effective in a crisis.

      Use the DRP Maturity Scorecard to assess the current state of your DRP and identify areas to improve

      1(c) DRP Maturity Scorecard

      Info-Tech’s DRP Maturity Scorecard evaluates completion status and process maturity for a comprehensive yet practical assessment across three aspects of an effective DRP program – Defining Requirements, Implementation, and Maintenance.

      Image has three boxes. One is labelled Completion status, another below it is labelled Process Maturity. There is an addition sign in between them. With an arrow leading from both boxes is another box that is labelled DRP Maturity Assessment

      Completion Status: Reflects the progress made with each component of your DRP Program.

      Process Maturity: Reflects the consistency and quality of the steps executed to achieve your completion status.

      DRP Maturity Assessment: Each component (e.g. BIA) of your DRP Program is evaluated based on completion status and process maturity to provide an accurate holistic assessment. For example, if your BIA completion status is 4 out of 5, but process maturity is a 2, then requirements were not derived from a consistent defined process. The risk is inconsistent application prioritization and misalignment with actual business requirements.

      Step 1.3: Identify Applications, Systems, and Dependencies

      This step will walk you through the following activities:

      • Identify systems, applications, and services, and the business units that use them.
      • Document applications, systems, and their dependencies in the DRP Business Impact Analysis Tool.

      This step involves the following participants:

      • DRP Coordinator
      • DRP Team

      Results and Insights

      • Identify core services and the applications that depend on them.
      • Add applications and dependencies to the DRP Business Impact Analysis Tool.

      Select 5-10 services to get started on the DRP methodology

      1(d) High-level prioritization

      Estimated Time: 30 minutes

      Working through the planning process the first time can be challenging. If losing momentum is a concern, limit the BIA to a few critical systems to start.

      Run this exercise if you need a structured exercise to decide where to focus first and identify the business users you should ask for input on the impact of system downtime.

      1. On a whiteboard or flip-chart paper, list business units in a column on the left. List key applications/systems in a row at the top. Draw a grid.
      2. At a high level, review how applications are used by each unit. Take notes to keep track of any assumptions you make.
        • Add a ✓ if members of the unit use the application or system.
        • Add an ✱ if members of the unit are heavy users of the application or system and/or use it for time sensitive tasks.
        • Leave the box blank if the app isn’t used by this unit.
      3. Use the chart to prioritize systems to include in the BIA (e.g. systems marked with an *) but also include a few less-critical systems to illustrate DRP requirements for a range of systems.

      Image is an example of what one could complete from step 1(d). There is a table shown. In the column on the left lists sales, marketing, R&D, and Finance. In the top row, there is listed: dialer, ERP. CRM, Internet, analytics, intranet

      Application Notes
      CRM
      • Supports time-critical sales and billing processes.
      Dialer
      • Used for driving the sales-call queue, integration with CRM.

      Draw a high-level sketch of your environment

      1(e) Sketch your environment

      Estimated Time: 1-2 hours

      A high-level topology or architectural diagram is an effective way to identify dependencies, application ownership, outsourced services, hardware redundancies, and more.

      Note:

      • Network diagrams or high-level architecture diagrams help to identify dependencies and redundancies. Even a rough sketch is a useful reference tool for participants, and will be valuable documentation in the final DR plan.
      • Keep the drawings tidy. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
      • Collaborate with relevant SMEs to identify dependencies. Keep the drawing high-level.
      • Illustrate connections between applications or components with lines. Use color coding to illustrate where applications are hosted (e.g. in-house, at a co-lo, in a cloud or MSP environment).
      Example of a high-level topology or architectural diagram

      Document systems and dependencies

      Collaborate with system SMEs to identify dependencies for each application or system. Document the dependencies in the DRP Business Impact Analysis Tool (see image below)

      • When listing applications, focus on business-facing systems or services that business users will recognize and use terminology they’ll understand.
      • Group infrastructure components that support all other services as a single core infrastructure service to simplify dependency mapping (e.g. core router, virtual hosts, ID management, and DNS).
      • In general, each data center will have its own core infrastructure components. List each data center separately – especially if different services are hosted at each data center.
      • Be specific when documenting dependencies. Use existing asset tracking tables, discovery tools, asset management records, or configuration management tools to identify specific server names.
      • Core infrastructure dependencies, such as the network infrastructure, power supply, and centralized storage, will be a common set of dependencies for most applications, so group these into a separate category called “Core Infrastructure” to minimize repetition in your DR planning.
      • Document production components in the BIA tool. Capture in-production, redundant components performing the same work on a single dependency line. List standby systems in the notes.

      Info-Tech Best Practice

      In general, visual documentation is easier to use in a crisis and easier to maintain over time. Use Info-Tech’s research to help build your own visual SOPs.

      Document systems and dependencies

      1(f) DRP Business Impact Analysis Tool – Record systems and dependencies

      A screenshot of Info-Tech's DRP Business Impact Analysis Tool.

      Stories from the field: Info-Tech clients find value in Phase 1 in the following ways

      An organization uncovers a key dependency that needed to be treated as a Tier 1 system

      Reviewing the entire ecosystem for applications identified key dependencies that were previously considered non-critical. For example, a system used to facilitate secure data transfers was identified as a key dependency for payroll and other critical business processes, and elevated to Tier 1.

      A picture’s worth a thousand words (and 1600 servers)

      Drawing a simple architectural diagram was an invaluable tool to identify key dependencies and critical systems, and to understand how systems and dependencies were interconnected. The drawing was an aha moment for IT and business stakeholders trying to make sense of their 1600-server environment.

      Make the case for DRP

      A member of the S&P 500 used Info-Tech’s DRP Maturity Scorecard to provide a reliable objective assessment and make the case for improvements to the board of directors.

      State government agency initiates a DRP project to complement an existing COOP

      Info-Tech's DRP Project Charter enabled the CIO to clarify their DRP project scope and where it fit into their overall COOP. The project charter example provided much of the standard copy – objectives, scope, project roles, methodology, etc. – required to outline the project.

      Phase 1: Insights and accomplishments

      Image has two screenshots from Info-Tech's Phase 1 tools and templates.

      Created a charter and identified current maturity

      Image has two screenshots. One is from Info-Tech's DRP Business Impact Analysis Tool and the other is from the example in step 1(d).

      Identified systems and dependencies for the BIA

      Summary of Accomplishments:

      • Created a DRP project charter.
      • Completed the DRP Maturity Scorecard and identified current DRP maturity.
      • Prioritized applications/systems for a first pass through DR planning.
      • Identified dependencies for each application and system.

      Up Next: Conduct a BIA to establish recovery requirements

      Create a Right-Sized Disaster Recovery Plan

      Phase 2

      Conduct a BIA to Determine Acceptable RTOs and RPOs

      Step 2.1: Define an Objective Impact Scoring Scale

      This step will walk you through the following activities:

      • Create a scoring scale to measure the business impact of application and system downtime.

      This step involves the following participants:

      • DRP Coordinator
      • DRP Team

      Results and Insights

      • Use a scoring scale tied to multiple categories of real business impact to develop a more objective assessment of application and system criticality.

      Align capabilities to appropriate and acceptable RTOs and RPOs with a BIA

      Too many organizations avoid a BIA because they perceive it as onerous or unneeded. A well-managed BIA is straightforward and the benefits are tangible.

      A BIA enables you to identify appropriate spend levels, maintain executive support, and prioritize DR planning for a more successful outcome. Info-Tech has found that a BIA has a measurable impact on the organization’s ability to set appropriate objectives and investment goals.

      Two bar graphs are depicted. The one on the left shows 93% BIA impact on appropriate RTOs. The graph on the right shows that with BIA, there is 86% on BIA impact on appropriate spending.

      Info-Tech Insight

      Business input is important, but don’t let a lack of it delay a draft BIA. Complete a draft based on your knowledge of the business. Create a draft within IT, and use it to get input from business leaders. It’s easier to edit estimates than to start from scratch; even weak estimates are far better than a blank sheet.

      Pick impact categories that are relevant to your business to develop a holistic view of business impact

      Direct Cost Impact Categories

      • Revenue: permanently lost revenue.
        • Example: one third of daily sales are lost due to a website failure.
      • Productivity: lost productivity.
        • Example: finance staff can’t work without the accounting system.
      • Operating costs: additional operating costs.
        • Example: temporary staff are needed to re-key data.
      • Financial penalties: fines/penalties that could be incurred due to downtime.
        • Example: failure to meet contractual service-level agreements (SLAs) for uptime results in financial penalties.

      Goodwill, Compliance, and Health and Safety Categories

      • Stakeholder goodwill: lost customer, staff, or business partner goodwill due to harm, frustration, etc.
        • Example: customers can’t access needed services because the website is down.
        • Example: a payroll system outage delays paychecks for all staff.
        • Example: suppliers are paid late because the purchasing system is down.
      • Compliance, health, and safety:
        • Example: financial system downtime results in a missed tax filing.
        • Example: network downtime disconnects security cameras.

      Info-Tech Insight

      You don’t have to include every impact category in your BIA. Include categories that could affect your business. Defer or exclude other categories. For example, the bulk of revenue for governmental organizations comes from taxes, which won’t be permanently lost if IT systems fail.

      Modify scoring criteria to help you measure the impact of downtime

      The scoring scales define different types of business impact (e.g. costs, lost goodwill) using a common four-point scale and 24-hour timeframe to simplify BIA exercises and documentation.

      Use the suggestions below as a guide as you modify scoring criteria in the DRP Business Impact Analysis Tool:

      • All the direct cost categories (revenue, productivity, operating costs, financial penalties) require the user to define only a maximum value; the tool will populate the rest of the criteria for that category. Use the suggestions below to find the maximum scores for each of the direct cost categories:
        • Revenue: Divide total revenue for the previous year by 365 to estimate daily revenue. Assume this is the most revenue you could lose in a day, and use this number as the top score.
        • Loss of Productivity: Divide fully-loaded labor costs for the organization by 365 to estimate daily productivity costs. Use this as a proxy measure for the work lost if all business stopped for one day.
        • Increased Operating Costs: Isolate this to known additional costs that result from a disruption (e.g. costs for overtime or temporary staff). Estimate the maximum cost for the organization.
        • Financial Penalties: Isolate this to known financial penalties (e.g. due to failure to meet SLAs or compliance requirements). Use the estimated maximum penalty as the highest value on the scale.
      • Impact on Goodwill: Use an estimate of the percentage of all stakeholders impacted to assess goodwill impact.
      • Impact on Compliance; Impact on Health and Safety: The BIA tool contains default scoring criteria that account for the severity of the impact, the likelihood of occurrence, and in the case of compliance, whether a grace period is available. Use this scale as-is, or adapt this scale to suit your needs.

      Modify the default scoring scale in the DRP Business Impact Analysis Tool to reflect your organization

      2(a) DRP Business Impact Analysis Tool – Scoring criteria


      A screenshot of Info-Tech's DRP Business Impact Analysis Tool's scoring criteria

      Step 2.2: Estimate the Impact of Downtime

      This step will walk you through the following activities:

      • Identify the business impact of service/system/application downtime.

      This step involves the following participants:

      • DRP Coordinator
      • DRP Team
      • IT Service SMEs
      • Business-Side Technology Owners (optional)

      Results and Insights

      • Apply the scoring scale to develop a more objective assessment of the business impact of downtime.
      • Create criticality tiers based on the business impact of downtime.

      Estimate the impact of downtime for each system and application

      2(b) Estimate the impact of systems downtime

      Estimated Time: 3 hours

      On tab 3 of the DRP Business Impact Analysis Tool indicate the costs of downtime, as described below:

      1. Have a copy of the “Scoring Criteria” tab available to use as a reference (e.g. printed or on a second display). In tab 3 use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the “Scoring Criteria” tab.
      2. Work horizontally across all categories for a single system or application. This will familiarize you with your scoring scales for all impact categories, and allow you to modify the scoring scales if needed before you proceed much further.
      3. For example, if a core call center phone system was down:

      • Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 1 or 2 depending on the percent of sales that are processed by the call center.
      • The Impact on Customers might be a 2 or 3 depending on the extent that some customers might be using the call center to receive support or purchase new products or services.
      • The Legal/Regulatory Compliance and Health or Safety Risk might be a 0, as the call center has no impact in either area.
    • Next, work vertically across all applications or systems within a single impact category. This will allow you to compare scores within the category as you create them to ensure internal consistency.
    • Add impact scores to the DRP Business Impact Analysis Tool

      2(c) DRP Business Impact Analysis Tool

      Screenshot of Info-Tech's DRP Business Impact Analysis Tool

      Record business reasons and assumptions that drive BIA scores

      2(d) DRP BIA Scoring Context Example

      Info-Tech suggests that IT leadership and staff identify the impact of downtime first to create a version that you can then validate with relevant business owners. As you work through the BIA as a team, have a notetaker record assumptions you make to help you explain the results and drive business engagement and feedback.

      Some common assumptions:

      • You can’t schedule a disaster, so Info-Tech suggests you assume the worst possible timing for downtime. Base the impact of downtime on the worst day for a disaster (e.g. year-end close, payroll run).
      • Record assumptions made about who and what are impacted by system downtime.
      • Record assumptions made about impact severity.
      • If you deviate from the scoring scale, or if a particular impact doesn’t fit well into the defined scoring scale, document the exception.

      Screenshot of Info-Tech's DRP BIA Scoring Context Example

      Use Info-Tech’s DRP BIA Scoring Context Example as a note-taking template.

      Info-Tech Insight

      You can’t build a perfect scoring scale. It’s fine to make reasonable assumptions based on your judgment and knowledge of the business. Just write down your assumptions. If you don’t write them down, you’ll forget how you arrived at that conclusion.

      Assign a criticality rating based on total direct and indirect costs of downtime

      2(e) DRP Business Impact Analysis Tool – Assign criticality tiers

      Once you’ve finished estimating the impact of downtime, use the following rough guideline to create an initial sort of applications into Tiers 1, 2, and 3.

      1. In general, sort applications based on the Total Impact on Goodwill, Compliance, and Safety first.
        • An effective tactic for a quick sort: assign a Tier 1 rating where scores are 50% or more of the highest total score, Tier 2 where scores are between 25% and 50%, and Tier 3 where scores are below 25%. Some organizations will also include a Tier 0 for the highest-scoring systems.
        • Then review and validate these scores and assignments.
      2. Next, consider the Total Cost of Downtime.
        • The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the impact scores on tab 3.
        • Decide if the total cost impact justifies increasing the criticality rating (e.g. from Tier 2 to Tier 1 due to high cost impact).
      3. Review the assigned impact scores and tiers to check that they’re in alignment. If you need to make an exception, document why. Keep exceptions to a minimum.

      Example: Highest total score is 12

      Screenshot of Info-Tech's DRP Business Impact Analysis Tool

      Step 2.3: Determine Acceptable RTO/RPO Targets

      This step will walk you through the following activities:

      • Review the “Debate Space” approach to setting RTO and RPO (recovery targets).
      • Set preliminary RTOs and RPOs by criticality tier.

      This step involves the following participants:

      • DRP Coordinator
      • DRP Team

      Results and Insights

      • Align recovery targets with the business impact of downtime and data loss.

      Use the “Debate Space” approach to align RTOs and RPOs with the impact of downtime

      The business must validate acceptable and appropriate RTOs and RPOs, but IT can use the guidelines below to set an initial estimate.

      Right-size recovery.

      A shorter RTO typically requires higher investment. If a short period of downtime has minimal impact, setting a low RTO may not be justifiable. As downtime continues, impact begins to increase exponentially to a point where downtime is intolerable – an acceptable RTO must be shorter than this. Apply the same thinking to RPOs – how much data loss is unnoticeable? How much is intolerable?

      A diagram to show the debate space in relation to RTOs and RPOs

      The “Debate Space” is between minimal impact and maximum tolerance for downtime.

      Estimate appropriate, acceptable RTOs and RPOs for each tier

      2(f) Set recovery targets

      Estimated Time: 30 minutes

      RTO and RPO tiers simplify management by setting similar recovery goals for systems and applications with similar criticality.

      Use the “Debate Space” approach to set appropriate and acceptable targets.

      1. For RTO, establish a recovery time range that is appropriate based on impact.
        • Overall, the RTO tiers might be 0-4 hours for gold, 4-24 hours for silver, and 24-48 hours for bronze.
      2. RPOs reflect target data protection measures.
        • Identify the lowest RPO within a tier and make that the standard.
        • For example, RPO for gold data might be five minutes, silver might be four hours, and bronze might be one day.
        • Use this as a guideline. RPO doesn’t always align perfectly with RTO tiers.
      3. Review RTOs and RPOs and make sure they accurately reflect criticality.

      Info-Tech Insight

      In general, the more critical the system, the shorter the RPO. But that’s not always the case. For example, a service bus might be Tier 1, but if it doesn’t store any data, RPO might be longer than other Tier 1 systems. Some systems may have a different RPO than most other systems in that tier. As long as the targets are acceptable to the business and appropriate given the impact, that’s okay.

      Add recovery targets to the DRP Business Impact Analysis Tool

      2(g) DRP Business Impact Analysis Tool – Document recovery objectives

      A screenshot of Info-Tech's DRP Business Impact Analysis Tool – Document recovery objectives

      Stories from the field: Info-Tech clients find value in Phase 2 in the following ways

      Most organizations discover something new about key applications, or the way stakeholders use them, when they work through the BIA and review the results with stakeholders. For example:

      Why complete a BIA? There could be a million reasons

      • A global manufacturer completed the DRP BIA exercise. When email went down, Service Desk phones lit up until it was resolved. That grief led to a high availability implementation for email. However, the BIA illustrated that ERP downtime was far more impactful.
      • ERP downtime would stop production lines, delay customer orders, and ultimately cost the business a million dollars a day.
      • The BIA results clearly showed that the ERP needed to be prioritized higher, and required business support for investment.

      Move from airing grievances to making informed decisions

      The DRP Business Impact Analysis Tool helped structure stakeholder consultations on DR requirements for a large university IT department. Past consultations had become an airing of grievances. Using objective impact scores helped stakeholders stay focused and make informed decisions around appropriate RTOs and RPOs.

      Phase 2: Insights and accomplishments

      Screenshots of the tools and templates from this phase.

      Estimated the business impact of downtime

      Screenshot of a tools from this phase

      Set recovery targets

      Summary of Accomplishments

      • Created a scoring scale tied to different categories of business impact.
      • Applied the scoring scale to estimate the business impact of system downtime.
      • Identified appropriate, acceptable RTOs and RPOs.

      Up Next:Conduct a tabletop planning exercise to establish current recovery capabilities

      Create a Right-Sized Disaster Recovery Plan

      Phase 3

      Identify and Address Gaps in the Recovery Workflow

      Step 3.1: Determine Current Recovery Workflow

      This step will walk you through the following activities:

      • Run a tabletop exercise.
      • Outline the steps for the initial response (notification, assessment, disaster declaration) and systems recovery (i.e. document your recovery workflow).
      • Identify any gaps and risks in your initial response and systems recovery.

      This step involves the following participants:

      • DRP Coordinator
      • IT Infrastructure SMEs (for systems in scope)
      • Application SMEs (for systems in scope)

      Results and Insights

      • Use a repeatable practical exercise to outline and document the steps you would use to recover systems in the event of a disaster, as well as identify gaps and risks to address.
      • This is also a knowledge-sharing opportunity for your team, and a practical means to get their insights, suggestions, and recovery knowledge down on paper.

      Tabletop planning: an effective way to test and document your recovery workflow

      In a tabletop planning exercise, the DRP team walks through a disaster scenario to map out what should happen at each stage, and effectively defines a high-level incident response plan (i.e. recovery workflow).

      Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

      A bar graph is displayed that shows that tabletop planning has the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

      *Note: Relative importance indicates the contribution an individual testing methodology, conducted at least annually, had on predicting success meeting recovery objectives, when controlling for all other types of tests in a regression model. The relative-importance values have been standardized to sum to 100%.

      Success was based on the following items:

      • RTOs are consistently met.
      • IT has confidence in the ongoing ability to meet RTOs.
      • RPOs are consistently met.
      • IT has confidence in the ongoing ability to meet RPOs.

      Why is tabletop planning so effective?

      • It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
      • It is non-intrusive, so it can be executed more frequently than other testing methodologies.
      • It easily translates into the backbone of your recovery documentation, as it allows you to review all aspects of your recovery plan.

      Focus first on IT DR

      Your DRP is IT contingency planning. It is not crisis management or BCP.

      The goal is to define a plan to restore applications and systems following a disruption. For your first tabletop exercise, Info-Tech recommends you use a non-life-threatening scenario that requires at least a temporary relocation of your data center (i.e. failing over to a DR site/environment). Assume a gas leak or burst water pipe renders the data center inaccessible. Power is shut off and IT must failover systems to another location. Once you create the master procedure, review the plan to ensure it addresses other scenarios.

      Info-Tech Insight

      When systems fail, you are faced with two high-level options: failover or recover in place. If you document the plan to failover systems to another location, you’ll have documented the core of your DR procedures. This differs from traditional scenario planning where you define separate plans for different what-if scenarios. The goal is one plan that can be adapted to different scenarios, which reduces the effort to build and maintain your DRP.

      Conduct a tabletop planning exercise to outline DR procedures in your current environment

      3(a) Tabletop planning

      Estimated Time: 2-3 hours

      For each high-level recovery step, do the following:

      1. On white cue cards:
        • Record the step.
        • Indicate the task owner (if required for clarity).
        • Note time required to complete the step. After the exercise, use this to build a running recovery time where 00:00 is when the incident occurred.
      2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
      3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).
      An example is shown on what can be done during step 3(a). Three cue cards are showing in white, yellow, and red.

      Do:

      • Review the complete workflow from notification all the way to user acceptance testing.
      • Keep focused; stay on task and on time.
      • Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
      • Revise and improve the plan with task owners.

      Don't:

      • Get weighed down by tools.
      • Document the details right away – stick to the high-level plan for the first exercise.
      • Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.

      Flowchart the current-state incident response plan (i.e. document the recovery workflow)

      3(b) DRP Recovery Workflow Template and Case Study: Practical, Right-Sized DRP

      Why use flowcharts?

      • Flowcharts provide an at-a-glance view, ideal for disaster scenarios where pressure is high and quick upward communication is necessary.
      • For experienced staff, a high-level reminder of key steps is sufficient.

      Use the completed tabletop planning exercise results to build this workflow.

      "We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director, IT Operations, Healthcare Industry

      Source: Info-Tech Research Group Interview

      Screenshot of Info-Tech's DRP Recovery Workflow Template

      For a formatted template you can use to capture your plan, see Info-Tech’s DRP Recovery Workflow Template.

      For a completed example of tabletop planning results, review Info-Tech’s Case Study: Practical, Right-Sized DRP.

      Identify RPA

      What’s my RPA? Consider the following case:

      • Once a week, a full backup is taken of the complete ERP system and is transferred over the WAN to a secondary site 250 miles away, where it is stored on disk.
      • Overnight, an incremental backup is taken of the day’s changes, and is transferred to the same secondary site, and also stored on disk.
      • During office hours, the SAN takes a snapshot of changes which are kept on local storage (information on the accounting system usually only changes during office hours).
      • So what’s the RPA? One hour (snapshots), one day (incrementals), or one week (full backups)?

      When identifying RPA, remember the following:

      You are planning for a disaster scenario, where on-site systems may be inaccessible and any copies of data taken during the disaster may fail, be corrupt, or never make it out of the data center (e.g. if the network fails before the backup file ships). In the scenario above, it seems likely that off-site incremental backups could be restored, leading to a 24-hour RPA. However, if there were serious concerns about the reliability of the daily incrementals, the RPA could arguably be based on the weekly full backups.

      Info-Tech Best Practice

      The RPA is a commitment to the maximum data you would lose in a DR scenario with current capabilities (people, process, and technology). Pick a number you can likely achieve. List any situations where you couldn’t meet this RPA, and identify those for a risk tolerance discussion. In the example above, complete loss of the primary SAN would also mean losing the snapshots, so the last good copy of the data could be up to 24-hours old.

      Add recovery actuals (RTA/RPA) to your copy of the BIA

      3(c) DRP Business Impact Analysis Tool– Recovery actuals

      On the “Impact Analysis” tab in the DRP Business Impact Analysis Tool, enter the estimated maximum downtime and data loss in the RTA and RPA columns.

      1. Estimate the RTA based on the required time for complete recovery. Review your recovery workflow to identify this timeline. For example, if the notification, assessment, and declaration process takes two hours, and systems recovery requires most of a day, the estimated RTA could be 24 hours.
      2. Estimate the RPA based on the longest interval between copies of the data being shipped offsite. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and estimated RPA could be 24 hours. Note: Enter 9999 to indicate that data is unrecoverable.

      A screenshot of Info-Tech's DRP Business Impact Analysis Tool – Recovery actuals

      Info-Tech Best Practice

      It’s okay to round numbers to the nearest shift, day, or week for simplicity (e.g. 24 hours rather than 22.5 hours, or 8 hours rather than 7.25 hours).

      Test the recovery workflow against additional scenarios

      3(d) Workflow review

      Estimated Time: 1 hour

      Review your recovery workflow with a different scenario in mind.

      • Work from and update the soft copy of your recovery workflow.
      • Would any steps be different if the scenario changes? If yes, capture the different flow with a decision diamond. Identify any new gaps or risks you encounter with red and yellow cards. Use as few decision diamonds as possible.

      Screenshot of testing the workflow against the additional scenarios

      Info-Tech Best Practice

      As you start to consider scenarios where injuries or loss of life are a possibility, remember that health and safety risks are the top priority in a crisis. If there’s a fire in the data center, evacuating the building is the first priority, even if that means foregoing a graceful shut down. For more details on emergency response and crisis management, see Implement Crisis Management Best Practices.

      Consider additional IT disaster scenarios

      3(e) Thought experiment – Review additional scenarios

      Walk through your recovery workflow in the context of additional, different scenarios to ensure there are no gaps. Collaborate with your DR team to identify changes that might be required, and incorporate these changes in the plan.

      Scenario Type Considerations
      Isolated hardware/software failure
      • Failover to the DR site may not be necessary (or only for affected systems).
      Power outage or network outage
      • Do you have standby power? Do you have network redundancy?
      Local hazard (e.g. chemical leak, police incident)
      • Systems might be accessible remotely, but hands-on maintenance will be required eventually.
      • An alternate site is required for service continuity.
      Equipment/building damage (e.g. fire, roof collapse)
      • Staff injuries or loss of life are a possibility.
      • Equipment may need repair or replacement (vendor involvement).
      • An alternate site is required for service continuity.
      Regional natural disasters
      • Staff injuries or loss of life are a possibility.
      • Utilities may be affected (power, running water, etc.).
      • Expect staff to take care of their families first before work.
      • A geographically distant alternate site may be required for service continuity.

      Step 3.2: Identify and Prioritize Projects to Close Gaps

      This step will walk you through the following activities:

      • Analyze the gaps that were identified from the maturity scorecard, tabletop planning exercise, and the RTO/RPO gaps analysis.
      • Brainstorm solutions to close gaps and mitigate risks.
      • Determine a course of action to close these gaps. Prioritize each project. Create a project implementation timeline.

      This step involves the following participants:

      • DRP Coordinator
      • IT Infrastructure SMEs

      Results and Insights

      • Prioritized list of projects and action items that can improve DR capabilities.
      • Often low-cost, low-effort quick wins are identified to mitigate at least some gaps/risks. Higher-cost, higher-effort projects can be part of a longer-term IT strategy. Improving service continuity is an ongoing commitment.

      Brainstorm solutions to address gaps and risk

      3(f) Solutioning

      Estimated Time: 1.5 hours

      1. Review each of the risk and gap cards from the tabletop exercise.
      2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip-chart paper. The solutions can range from quick-wins and action items to major capital investments.
      3. Try to avoid debates about feasibility at this point – that should happen later. The goal is to get all ideas on the board.

      An example of how to complete Activity 3(f). Three cue cards showing various steps are attached by arrows to steps on a whiteboard.

      Info-Tech Best Practice

      It’s about finding ways to solve the problem, not about solving the problem. When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution; other ideas can expand on and improve that first idea.

      Select an optimal DR deployment model from a world of choice

      There are many options for a DR deployment. What makes sense for you?

      • Sifting through the options for a DR site can be overwhelming. Simplify by eliminating deployment models that aren’t a good fit for your requirements or organization using Info-Tech’s research.
      • Someone will ask you about DR in the cloud. Cut to the chase and evaluate cloud for fit with your organization’s current capabilities and requirements. Read about the 10 Secrets for Successful DR in the Cloud.
      • Selecting and deploying a DR site is an exercise in risk mitigation. IT’s role is to advise the business on options to address the risk of not having a DR site, including cost and effort estimates. The business must then decide how to manage risk. Build total cost of ownership (TCO) estimates and evaluate possible challenges and risks for each option.

      Is it practical to invest in greater geo-redundancy that meets RTOs and RPOs during a widespread event?

      Info-Tech suggests you consider events that impact both sites, and your risk tolerance for that impact. Outline the impact of downtime at a high level if both the primary and secondary site were affected. Research how often events severe enough to have impacted both your primary and secondary sites have occurred in the past. What’s the business tolerance for this type of event?

      A common strategy: have a primary and DR site that are close enough to support low RPO/RTO, but far enough away to mitigate the impact of known regional events. Back up data to a remote third location as protection against a catastrophic event.

      Info-Tech Insight

      Approach site selection as a project. Leverage Select an Optimal Disaster Recovery Deployment Model to structure your own site-selection project.

      Set up the DRP Roadmap Tool

      3(g) DRP Roadmap Tool – Set up tool

      Use the DRP Roadmap Tool to create a high-level roadmap to plan and communicate DR action items and initiatives. Determine the data you’ll use to define roadmap items.

      Screenshot of Info-Tech's DRP Roadmap Tool

      Plan next steps by estimating timeline, effort, priority, and more

      3(h) DRP Roadmap Tool – Describe roadmap items

      A screenshot of Info-Tech's DRP Roadmap Tool to show how to describe roadmap items

      Review and communicate the DRP Roadmap Tool

      3(i) DRP Roadmap Tool – View roadmap chart

      A screenshot of Info-Tech's DRP Roadmap Tool's Roadmap tab

      Step 3.3: Review the Future State Recovery Process

      This step will walk you through the following activities:

      • Update the recovery workflow to outline your future recovery procedure.
      • Summarize findings from DR exercises and present the results to the project sponsor and other interested executives.

      This step involves the following participants:

      • DRP Coordinator
      • IT SMEs (Future State Recovery Flow)
      • DR Project Sponsor

      Results and Insights

      • Summarize results from DR planning exercises to make the case for needed DR investment.

      Outline your future state recovery flow

      3(j) Update the recovery workflow to outline response and recovery in the future

      Estimated Time: 30 minutes

      Outline your expected future state recovery flow to demonstrate improvements once projects and action items have been completed.

      1. Create a copy of your DRP recovery workflow in a new tab in Visio.
      2. Delete gap and risk cards that are addressed by proposed projects. Consolidate or eliminate steps that would be simplified or streamlined in the future if projects are implemented.
      3. Create a short-, medium-, and long-term review of changes to illustrate improvements over time to the project roadmap.
      4. Update this workflow as you implement and improve DR capabilities.

      Screenshot of the recovery workflow

      Validate recovery targets and communicate actual recovery capabilities

      3(k) Validate findings, present recommendations, secure budget

      Estimated Time: time required will vary

      1. Interview managers or process owners to validate RTO, RPO, and business impact scores.Use your assessment of “heavy users” of particular applications (picture at right) to remind you which business users you should include in the interview process.
      2. Present an overview of your findings to the management team.Use Info-Tech’s DRP Recap and Results Template to summarize your findings.
      3. Take projects into the budget process.With the management team aware of the rationale for investment in DRP, build the business case and secure budget where needed.

      Present DRP findings and make the case for needed investment

      3(I) DRP Recap and Results Template

      Create a communication deck to recap key findings for stakeholders.

      • Write a clear problem statement. Identify why you did this project (what problem you’re solving).
      • Clearly state key findings, insights, and recommendations.
      • Leverage the completed tools and templates to populate the deck. Callouts throughout the template presentation will direct you to take and populate screenshots throughout the document.
      • Use the presentation to communicate key findings to, and gather feedback from, business unit managers, executives, and IT staff.
      Screenshots of Info-Tech's DRP Recap and Results Template

      Stories from the field: Info-Tech clients find value in Phase 3 in the following ways

      Tabletop planning is an effective way to discover gaps in recovery capabilities. Identify issues in the tabletop exercise so you can manage them before disaster strikes. For example:

      Back up a second…

      A client started to back up application data offsite. To minimize data transfer and storage costs, the systems themselves weren’t backed up. Working through the restore process at the DR site, the DBA realized 30 years of COBOL and SQR code – critical business functionality – wasn’t backed up offsite.

      Net… work?

      A 500-employee professional services firm realized its internet connection could be a significant roadblock to recovery. Without internet, no one at head office could access critical cloud systems. The tabletop exercise identified this recovery bottleneck and helped prioritize the fix on the roadmap.

      Someone call a doctor!

      Hospitals rely on their phone systems for system downtime procedures. A tabletop exercise with a hospital client highlighted that if the data center were damaged, the phone system would likely be damaged as well. Identifying this provided more urgency to the ongoing VOIP migration.

      The test of time

      A small municipality relied on a local MSP to perform systems restore, but realized it had never tested the restore procedure to identify RTA. Contacting the MSP to review capabilities became a roadmap item to address this risk.

      Phase 3: Insights and accomplishments

      Screenshot of Info-Tech's DRP recovery workflow template

      Outlined the DRP response and risks to recovery

      Screenshots of activities completed related to brainstorming risk mitigation measures.

      Brainstormed risk mitigation measures

      Summary of Accomplishments

      • Planned and documented your DR incident response and systems recovery workflow.
      • Identified gaps and risks to recovery and incident management.
      • Brainstormed and identified projects and action items to mitigate risks and close gaps.

      Up Next: Leverage the core deliverables to complete, extend, and maintain your DRP

      Create a Right-Sized Disaster Recovery Plan

      Phase 4

      Complete, Extend, and Maintain Your DRP

      Phase 4: Complete, Extend, and Maintain Your DRP

      This phase will walk you through the following activities:

      • Identify progress made on your DRP by reassessing your DRP maturity.
      • Prioritize the highest value major initiatives to complete, extend, and maintain your DRP.

      This phase involves the following participants:

      • DRP Coordinator
      • Executive Sponsor

      Results and Insights

      • Communicate the value of your DRP by demonstrating progress against items in the DRP Maturity Scorecard.
      • Identify and prioritize future major initiatives to support the DRP, and the larger BCP.

      Celebrate accomplishments, plan for the future

      Congratulations! You’ve completed the core DRP deliverables and made the case for investment in DR capabilities. Take a moment to celebrate your accomplishments.

      This milestone is an opportunity to look back and look forward.

      • Look back: measure your progress since you started to build your DRP. Revisit the assessments completed in phase 1, and assess the change in your overall DRP maturity.
      • Look forward: prioritize future initiatives to complete, extend, and maintain your DRP. Prioritize initiatives that are the highest impact for the least requirement of effort and resources.

      We have completed the core DRP methodology for key systems:

      • BIA, recovery objectives, high-level recovery workflow, and recovery actuals.
      • Identify key tasks to meet recovery objectives.

      What could we do next?

      • Repeat the core methodology for additional systems.
      • Identify a DR site to meet recovery requirements, and review vendor DR capabilities.
      • Create a summary DRP document including requirements, capabilities, and change procedures.
      • Create a test plan and detailed recovery documentation.
      • Coordinate the creation of BCPs.
      • Integrate DR in other key operational processes.

      Revisit the DRP Maturity Scorecard to measure progress and identify remaining areas to improve

      4(a) DRP Maturity Scorecard – Reassess your DRP program maturity

      1. Find the copy of the DRP Maturity Scorecard you completed previously. Save a second copy of the completed scorecard in the same folder.
      2. Update scoring where you have improved your DRP documentation or capabilities.
      3. Review the new scores on tab 3. Compare the new scores to the original scores.

      Screenshot of DRP Maturity Assessment Results

      Info-Tech Best Practice

      Use the completed, updated DRP Maturity Scorecard to demonstrate the value of your continuity program, and to help you decide where to focus next.

      Prioritize major initiatives to complete, extend, and maintain the DRP

      4(b) Prioritize major initiatives

      Estimated Time: 2 hours

      Prioritize major initiatives that mitigate significant risk with the least cost and effort.

      1. Use the scoring criteria below to evaluate risk, effort, and cost for potential initiatives. Modify the criteria if required for your organization. Write this out on a whiteboard or flip-chart paper.
      2. Assign a score from 1 to 3. Multiply the scores for each initiative together for an aggregate score. In general, prioritize initiatives with higher scores.
      Score A: How significant are the risks this initiative will mitigate? B: How easily can we complete this initiative? C: How cost-effective is this initiative?
      3: High Critical impact on +50% of stakeholders, or major impact to compliance posture, or significant health/safety risk. One sprint, can be completed by a few individuals with minor supervision. Within the IT discretionary budget.
      2: Medium Impacts <50% of stakeholders, or minor impact on compliance, or degradation to health or safety controls. One quarter, and/or some increased effort required, some risk to completion. Requires budget approval from finance.
      1: Low Impacts limited to <25% of stakeholders, no impact on compliance posture or health/safety. One year, and/or major vendor or organizational challenges. Requires budget approval from the board of directors.

      Info-Tech Best Practice

      You can use a similar scoring exercise to prioritize and schedule high-benefit, low-effort, low-cost items identified in the roadmap in phase 3.

      Example: Prioritize major initiatives

      4(b) Prioritize major initiatives continued

      Write out the table on a whiteboard (record the results in a spreadsheet for reference). In the case below, IT might decide to work on repeating the core methodology first as they create the active testing plans, and tackle process changes later.

      Initiative A: How significant are the risks this initiative will mitigate? B: How easily can we complete this initiative? C: How cost-effective is this initiative? Aggregate score (A x B x C)
      Repeat the core methodology for all systems 2 – will impact some stakeholders, no compliance or safety impact. 2 – will require about 3 months, no significant complications. 3 – No cost. 12
      Add DR to project mgmt. and change mgmt. 1 – Mitigates some recovery risks over the long term. 1 – Requires extensive consultation and process review. 3 – No cost. 3
      Active failover testing on plan 2 – Mitigates some risks; documentation and cross training is already in place. 2 – Requires 3-4 months of occasional effort to prepare for test. 2 – May need to purchase some equipment before testing. 8

      Info-Tech Best Practice

      Find a pace that allows you to keep momentum going, but also leaves enough time to act on the initial findings, projects, and action items identified in the DRP Roadmap Tool. Include these initiatives in the Roadmap tool to visualize how identified initiatives fit with other tasks identified to improve your recovery capabilities.

      Repeat the core DR methodology for additional systems and applications


      You have created a DR plan for your most critical systems. Now, add the rest:

      • Build on the work you’ve already done. Re-use the BIA scoring scale. Update your existing recovery workflows, rather than creating and formatting an entirely new document. A number of steps in the recovery will be shared with, or similar to, the recovery procedures for your Tier 1 systems.

      Risks and Challenges Mitigated

      • DR requirements and capabilities for less-critical systems have not been evaluated.
      • Gaps in the recovery process for less critical systems have not been evaluated or addressed.
      • DR capabilities for less critical systems may not meet business requirements.
      Sample Outputs
      Add Tier 2 & 3 systems to the BIA.
      Complete another tabletop exercise for Tier 2 & 3 systems recovery, and add the results to the recovery workflow.
      Identify projects to close additional gaps in the recovery process. Add projects to the project roadmap.

      Info-Tech Best Practice

      Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

      Extend your core DRP deliverables

      You’ve completed the core DRP deliverables. Continue to create DRP documentation to support recovery procedures and governance processes:

      • DR documentation efforts fail when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s long, hard to maintain, and ends up as shelfware.
      • Create documentation in layers to keep it manageable. Build supporting documentation over time to support your high-level recovery workflow.

      Risks and Challenges Mitigated

      • Key contact information, escalation, and disaster declaration responsibilities are not identified or formalized.
      • DRP requirements and capabilities aren’t centralized. Key DRP findings are in multiple documents, complicating governance and oversight by auditors, executives, and board members.
      • Detailed recovery procedures and peripheral information (e.g. network diagrams) are not documented.
      Sample Outputs
      Three to five detailed systems recovery flowcharts/checklists.
      Documented team roles, succession plans, and contact information.
      Notification, assessment, and disaster declaration plan.
      DRP summary.
      Layer 1, 2 & 3 network diagrams.

      Info-Tech Best Practice

      Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

      Select an optimal DR deployment model and deployment site

      Your DR site has been identified as inadequate:

      • Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.
      • Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
      • A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.

      Risks and Challenges Mitigated

      • Without an identified DR site, you’ll be scrambling when a disaster hits to find and contract for a location to restore IT services.
      • Without systems and application data backed up offsite, you stand to lose critical business data and logic if all copies of the data at your primary site were lost.
      Sample Outputs
      Application assessment for cloud DR.
      TCO tool for different environments.
      Solution decision and executive presentation.

      Info-Tech Best Practice

      Use Info-Tech’s blueprint, Select the Optimal Disaster Recovery Deployment Model, to help you make sense of a world of choice for your DR site.

      Extend DRP findings to business process resiliency with a BCP pilot

      Integrate your findings from DRP into the overall BCP:

      • As an IT leader you have the skillset and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP – they know their processes and requirements to resume business operations better than anyone else.
      • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces.

      Risks and Challenges Mitigated

      • No formal plan exists to recover from a disruption to critical business processes.
      • Business requirements for IT systems recovery may change following a comprehensive review of business continuity requirements.
      • Outside of core systems recovery, IT could be involved in relocating staff, imaging and issuing new end-user equipment, etc. Identifying these requirements is part of BCP.
      Sample Outputs
      Business process-focused BIA for one business unit.
      Recovery workflows for one business unit.
      Provisioning list for one business unit.
      BCP project roadmap.

      Info-Tech Best Practice

      Use Info-Tech’s blueprint, Develop a Business Continuity Plan, to develop and deploy a repeatable BCP methodology.

      Test the plan to validate capabilities and cross-train staff on recovery procedures

      You don’t have a program to regularly test the DR plan:

      • Most DR tests are focused solely on the technology and not the DR management process – which is where most plans fail.
      • Be proactive – establish an annual test cycle and identify and coordinate resources well in advance.
      • Update DRP documentation with findings from the plan, and track the changes you make over time.

      Risks and Challenges Mitigated

      • Gaps likely still exist in the plan that are hard to find without some form of testing.
      • Customers and auditors may ask for some form of DR testing.
      • Staff may not be familiar with DR documentation or how they can use it.
      • No formal cycle to validate and update the DRP.
      Sample Outputs
      DR testing readiness assessment.
      Testing handbooks.
      Test plan summary template.
      DR test issue log and analysis tool.

      Info-Tech Best Practice

      Uncover deficiencies in your recovery procedures by using Info-Tech’s blueprint Reduce Costly Downtime Through DR Testing.

      “Operationalize” DRP management

      Inject DR planning in key operational processes to support plan maintenance:

      • Major changes, or multiple routine changes, can materially alter DR capabilities and requirements. It’s not feasible to update the DR plan after every routine change, so leverage criticality tiers in the BIA to focus your change management efforts. Critical systems require more rigorous change procedures.
      • Likewise, you can build criticality tiers into more focused project management and performance measurement processes.
      • Schedule regular tasks in your ticketing system to verify capabilities and cross-train staff on key recovery procedures (e.g. backup and restore).

      Risks and Challenges Mitigated

      • DRP is not updated “as needed” – as requirements and capabilities change due to business and technology changes.
      • The DRP is disconnected from day-to-day operations.
      Sample Outputs
      Reviewed and updated change, project, and performance management processes.
      Reviewed and updated internal SLAs.
      Reviewed and updated data protection and backup procedures.

      Review infrastructure service provider DR capabilities

      Insert DR planning in key operational processes to support plan maintenance:

      • Reviewing vendor DR capabilities is a core IT vendor management competency.
      • As your DR requirements change year-to-year, ensure your vendors’ service commitments still meet your DR requirements.
      • Identify changes in the vendor’s service offerings and DR capabilities, e.g. higher costs for additional DR support, new offerings to reduce potential downtime, or conversely, a degradation in DR capabilities.

      Risks and Challenges Mitigated

      • Vendor capabilities haven’t been measured against business requirements.
      • No internal capability exists currently to assess vendor ability to meet promised SLAs.
      • No internal capability exists to track vendor performance on recoverability.
      Sample Outputs
      A customized vendor DRP questionnaire.
      Reviewed vendor SLAs.
      Choose to keep or change service levels or vendor offerings based on findings.

      Phase 4: Insights and accomplishments

      Screenshot of DRP Maturity Assessment Results

      Identified progress against targets

      Screenshot of prioritized further initiatives.

      Prioritized further initiatives

      Screenshot of DRP Planning Roadmap

      Added initiatives to the roadmap

      Summary of Accomplishments

      • Developed a list of high-priority initiatives that can support the extension and maintenance of the DR plan over the long term.
      • Reviewed and update maturity assessments to establish progress and communicate the value of the DR program.

      Summary of accomplishment

      Knowledge Gained

      • Conduct a BIA to determine appropriate targets for RTOs and RPOs.
      • Identify DR projects required to close RTO/RPO gaps and mitigate risks.
      • Use tabletop planning to create and validate an incident response plan.

      Processes Optimized

      • Your DRP process was optimized, from BIA to documenting an incident response plan.
      • Your vendor evaluation process was optimized to identify and assess a vendor’s ability to meet your DR requirements, and to repeat this evaluation on an annual basis.

      Deliverables Completed

      • DRP Maturity Scorecard
      • DRP Business Impact Analysis Tool
      • DRP Roadmap Tool
      • Incident response plan and systems recovery workflow
      • Executive presentation

      Info-Tech’s insights bust the most obstinate myths of DRP

      Myth #1: DRPs need to focus on major events such as natural disasters and other highly destructive incidents such as fire and flood.

      Reality: The most common threats to service continuity are hardware and software failures, network outages, and power outages.

      Myth #2: Effective DRPs start with identifying and evaluating potential risks.

      Reality: DR isn’t about identifying risks; it’s about ensuring service continuity.

      Myth #3: DRPs are separate from day-to-day operations and incident management.

      Reality: DR must be integrated with service management to ensure service continuity.

      Myth #4: I use a co-lo or cloud services so I don’t have to worry about DR. That’s my vendor’s responsibility.

      Reality: You can’t outsource accountability. You can’t just assume your vendor’s DR capabilities will meet your needs.

      Myth #5: A DRP must include every detail so anyone can execute the recovery.

      Reality: IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

      Supplement the core documentation with these tools and templates

      • An Excel workbook workbook to track key roles on DR, business continuity, and emergency response teams. Can also track DR documentation location and any hardware purchases required for DR.
      • A questionnaire template and a response tracking tool to structure your investigation of vendor DR capabilities.
      • Integrate escalation with your DR plan by defining incident severity and escalation rules . Use this example as a template or integrate ideas into your own severity definitions and escalation rules in your incident management procedures.
      • A minute-by-minute time-tracking tool to capture progress in a DR or testing scenario. Monitor progress against objectives in real time as recovery tasks are started and completed.

      Next steps: Related Info-Tech research

      Select the Optimal Disaster Recovery Deployment Model Evaluate cloud, co-lo, and on-premises disaster recovery deployment models.

      Develop a Business Continuity Plan Streamline the traditional approach to make BCP development manageable and repeatable.

      Prepare for a DRP Audit Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

      Document and Maintain Your Disaster Recovery Plan Put your DRP on a diet: keep it fit, trim, and ready for action.

      Reduce Costly Downtime Through DR Testing Improve your DR plan and your team’s ability to execute on it.

      Implement Crisis Management Best Practices An effective crisis response minimizes the impact of a crisis on reputation, profitability, and continuity.

      Research contributors and experts

      • Alan Byrum, Director of Business Continuity, Intellitech
      • Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
      • Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
      • Yogi Schulz, President, Corvelle Consulting

      Glossary

      • Business Continuity Management (BCM) Program: Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (Source: ISO 22301:2012)
      • Business Continuity Plan (BCP): Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. The BCP is not necessarily one document, but a collection of procedures and information.
      • Crisis: A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action. (Source: ISO 22300)
      • Crisis Management Team (CMT): A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.
      • Disaster Recovery Planning (DRP): The activities associated with the continuing availability and restoration of the IT infrastructure.
      • Incident: An event that has the capacity to lead to loss of, or a disruption to, an organization’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis, or disaster.
      • BCI Editor’s Note: In most countries “incident” and “crisis” are used interchangeably, but in the UK the term “crisis” has been generally reserved for dealing with wide-area incidents involving Emergency Services. The BCI prefers the use of “incident” for normal BCM purposes. (Source: The Business Continuity Institute)

      • Incident Management Plan: A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
      • IT Disaster: A service interruption requiring IT to rebuild a service, restore from backups, or activate redundancy at the backup site.
      • Recovery Point: Time elapsed between the last good copy of the data being taken and failure/corruption on the production environment; think of this as data loss.
      • Recovery Point Actual (RPA): The currently achievable recovery point after a disaster event, given existing people, processes, and technology. This reflects expected maximum data loss that could actually occur in a disaster scenario.
      • Recovery Point Objective (RPO): The target recovery point after a disaster event, usually calculated in hours, on a given system, application, or service. Think of this as acceptable and appropriate data loss. RPO should be based on a business impact analysis (BIA) to identify an acceptable and appropriate recovery target.
      • Recovery Time: Time required to restore a system, application, or service to a functional state; think of this as downtime.
      • Recovery Time Actual (RTA): The currently achievable recovery time after a disaster event, given existing people, processes, and technology. This reflects expected maximum downtime that could actually occur in a disaster scenario.
      • Recovery Time Objective (RTO): The target recovery time after a disaster event for a given system, application, or service. RTO should be based on a business impact analysis (BIA) to identify acceptable and appropriate downtime.

      Bibliography

      BCMpedia. “Recovery Objectives: RTO, RPO, and MTPD.” BCMpedia, n.d. Web.

      Burke, Stephen. “Public Cloud Pitfalls: Microsoft Azure Storage Cluster Loses Power, Puts Spotlight On Private, Hybrid Cloud Advantages.” CRN, 16 Mar. 2017. Web.

      Elliot, Stephen. “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified.” IDC, 2015. Web.

      FEMA. Planning & Templates. FEMA, 2015. Web.

      FINRA. “Business Continuity Plans and Emergency Contact Information.” FINRA, 2015. Web.

      FINRA. “FINRA, the SEC and CFTC Issue Joint Advisory on Business Continuity Planning.” FINRA, 2013. Web.

      Gosling, Mel, and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 2009. Web.

      Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, n.d. Web.

      Homeland Security. Federal Information Security Management Act (FISMA). Homeland Security, 2015. Web.

      Nichols, Shaun. “AWS's S3 Outage Was So Bad Amazon Couldn't Get Into Its Own Dashboard to Warn the World.” The Register, 1 Mar. 2017. Web.

      Potter, Patrick. “BCM Regulatory Alphabet Soup.” RSA Archer Organization, 2012. Web.

      Rothstein, Philip Jan. “Disaster Recovery Testing: Exercising Your Contingency Plan.” Rothstein Associates Inc., 2007. Web.

      The Business Continuity Institute. “The Good Practice Guidelines.” The Business Continuity Institute, 2013. Web.

      The Disaster Recovery Journal. “Disaster Resource Guide.” The Disaster Recovery Journal, 2015. Web.

      The Disaster Recovery Journal. “DR Rules & Regulations.” The Disaster Recovery Journal, 2015. Web.

      The Federal Financial Institution Examination Council (FFIEC). Business Continuity Planning. IT Examination Handbook InfoBase, 2015. Web.

      York, Kyle. “Read Dyn’s Statement on the 10/21/2016 DNS DDoS Attack.” Oracle, 22 Oct. 2016. Web.

      Security Priorities 2023

      • Buy Link or Shortcode: {j2store}254|cart{/j2store}
      • member rating overall impact (scale of 10): 9.0/10 Overall Impact
      • member rating average dollars saved: $909 Average $ Saved
      • member rating average days saved: 1 Average Days Saved
      • Parent Category Name: Security Strategy & Budgeting
      • Parent Category Link: /security-strategy-and-budgeting
      • Most people still want a hybrid work model but there is a shortage in security workforce to maintain secure remote work, which impacts confidence in the security practice.
      • Pressure of operational excellence drives organizational modernization with the consequence of higher risks of security attacks that impact not only cyber but also physical systems.
      • The number of regulations with stricter requirements and reporting is increasing, along with high sanctions for violations.
      • Accurate assessment of readiness and benefits to adopt next-gen cybersecurity technologies can be difficult. Additionally, regulation often faces challenges to keep up with next-gen cybersecurity technologies implications and risks of adoption, which may not always be explicit.
      • Software is usually produced as part of a supply chain instead in a silo. Thus, a vulnerability in any part of the supply chain can become a threat surface.

      Our Advice

      Critical Insight

      • Secure remote work still needs to be maintained to facilitate the hybrid work model post pandemic.
      • Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits. Hence, we need to secure organization modernization.
      • Organizations should use regulatory changes to improve security practices, instead of treating them as a compliance burden.
      • Next-gen cybersecurity technologies alone are not the silver bullet. A combination of technologies with skilled talent, useful data, and best practices will give a competitive advantage.

      Impact and Result

      • Use this report to help decide your 2023 security priorities by:
        • Collecting and analyzing your own related data, such as your organization 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
        • Identifying your needs and analyzing your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
        • Determining the next steps. Refer to Info-Tech's recommendations and related research.

      Security Priorities 2023 Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Security Priorities 2023 Report – A report to help decide your 2023 security priorities.

      Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:

    • Collect and analyze your own related data such as your organization 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
    • Identify your needs and analyze your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
    • Refer to Info-Tech's recommendations and related research for guidance on the next steps.
      • Security Priorities 2023 Report

      Infographic

      Further reading

      Security Priorities 2023

      How we live post pandemic

      Each organization is different, so a generic list of priorities will not be applicable to every organization.

      During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.

      Also in 2022, people returned to normal activities such as traveling and attending sports or music events but not yet to the office. The reasons behind this trend can be many fold, such as employees perceive that work from home (WFH) has positive productivity effects and time flexibility for employees, especially for those with families with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand the competition to retain skilled workers is harder. Thus, the trend is to have hybrid work where eligible employees can WFH for a certain portion of their work week.

      Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.

      This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.

      In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
      Source: Coveware, 2022

      From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
      Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701

      Hybrid work changes processes and infrastructure

      Investment on remote work due to changes in processes and infrastructure

      As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.

      Process changes to support hybrid work

      A bar graph is depicted with the following dataset: None of the above - 12%; Change management - 29%; Asset management - 34%; Service request support - 41%; Incident management - 42%

      Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.

      Infrastructure changes to support hybrid work

      A bar graph is depicted with the following dataset: Changed queue management and ticketing system(s) - 11%; Changed incident and service request processes - 23%; Addition of chatbots as part of the Service Desk intake process - 29%; Reduced the need for recovery office spaces and alternative work mitigations - 40%; Structure & day-to-day operation of Service Desk - 41%; Updated network architecture - 44%

      For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely for certain days of the week. The second driver is the investment from employers on enabling WFH during the pandemic, such as updated network architecture (44%) and the infrastructure and day-to-day operations (41%) as shown on our survey.

      Top cybersecurity concerns and organizational preparedness for them

      Concerns may correspond to readiness.

      In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.

      Cybersecurity issues

      A bar graph is depicted with the following dataset: Cyber risks are not on the radar of the executive leaders or board of directors - 3.19; Organization is not prepared to respond to a cyber attack - 3.08; Supply chain risks related to cyber threats - 3.18; Talent shortages leading to capacity constraints in cyber security - 3.51; New government or industry-imposed regulations - 3.15

      Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar concerns included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).

      Cybersecurity legislation readiness

      A bar graph is depicted with the following dataset: 1 (Not confident at all) - 2.4%; 2 - 11.2%; 3 - 39.7%; 4 - 33.3%; 5 (Very confident) - 13.4%

      When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).

      Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.

      We know the concerns and readiness…

      But what is the overall security maturity?

      As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?

      A bar graph is depicted with the following dataset: Security Culture - 47%; Policy and Process Governance - 47%; Event and Incident Management - 58%; Vulnerability - 57%; Auditing - 52%; Compliance Management - 58%; Risk Analysis - 52%

      Overall, assessed organizations are still scoring low (47%) on Security Culture and Policy and Process Governance. This justifies why most security incidents are still due to gaps in foundational security and security awareness, not lack of advanced controls such as event and incident management (58%).

      And how will the potential recession impact security?

      Organizations are preparing for recession, but opportunities for growth during recession should be well planned too.

      As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).

      Expected organizational spending on cybersecurity compared to the previous fiscal year

      A bar graph is depicted with the following dataset: A decrease of more than 10% - 2.2%; A decrease of between 1-10% - 2.6%; About the same - 41.4%; An increase of between 1-10% - 39.6%; An increase of more than 10% - 14.3%

      Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).

      An infographic titled Cloudy with a Chance of Recession

      Source: Statista, 2022, CC BY-ND

      US recession forecast

      Contingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending.

      Five Security Priorities for 2023

      This image describes the Five Security Priorities for 2023.

      Maintain Secure Hybrid Work

      PRIORITY 01

      • HOW TO STRATEGICALLY ACQUIRE, RETAIN, OR UPSKILL TALENT TO MAINTAIN SECURE SYSTEMS.

      Executive summary

      Background

      If anything can be learned from COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is amazing.

      The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.

      Furthermore, the investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.

      Current situation

      Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.

      Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.

      Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).

      "WFH doubled every 15 years pre-pandemic. The increase in WFH during the pandemic was equal to 30 years of pre-pandemic growth."

      Source: National Bureau of Economic Research, 2021

      Leaders must do more to increase confidence in the security practice

      Importance may not correspond to confidence

      As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.

      Cybersecurity importance

      A bar graph is depicted with the following dataset: Importance to the Organization - 94.3%; Importance to My Department	92.2%

      Cybersecurity importance areas

      A bar graph is depicted with the following dataset: Mobility (Remote & Mobile Access) - 90.2%; Regulatory Compliance - 90.1%; Desktop Computing - 90.9%; Data Access / Integrity - 93.7%

      Confidence in cybersecurity practice

      A bar graph is depicted with the following dataset: Confidence in the Organization's Overall Security - 79.4%; Confidence in Security for My Department - 79.8%

      Confidence in cybersecurity practice areas

      A bar graph is depicted with the following dataset: Mobility (Remote & Mobile Access) - 75.8%; Regulatory Compliance - 81.5%; Desktop Computing - 80.9%; Data Access / Integrity - 80.5%

      Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).

      If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.

      Use this template to explain the priorities you need your stakeholders to know about.

      Maintain secure hybrid work plan

      Provide a brief value statement for the initiative.

      Build a strong cybersecurity workforce to increase confidence in the security practice to facilitate hybrid work.

      Initiative Description:

      • Description must include what organization will undertake to complete the initiative.
      • Review your security strategy for hybrid work.
      • Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
      • Use the identified skill gaps to define the technical skill requirements for current and future work roles.
      • Conduct a skills assessment on your current workforce to identify employee skill gaps.
      • Decide whether to train, hire, contract, or outsource each skill gap.

      Drivers:

      List initiative drivers.

      • Employees still prefer to WFH for certain days of the week.
      • The investment on WFH during pandemic such as updated network architecture and infrastructure and day-to-day operations.
      • Tech companies' huge layoffs, e.g. Meta laid off more than 11,000 employees.

      Risks:

      List initiative risks and impacts.

      • Unskilled workers lacking certificates or years of experience who are trained and become skilled workers then quit or are hijacked by competitors.
      • Organizational and cultural changes cause friction with work-life balance.
      • Increased attack surface of remote/hybrid workforce.

      Benefits:

      List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

      • Increase perceived productivity by employees and increase retention.
      • Increase job satisfaction and work-life balance.
      • Hiring talent that has been laid off who are difficult to acquire in normal conditions.

      Related Info-Tech Research:

      Recommended Actions

      1. Identify skill requirements to maintain secure hybrid work

      Review your security strategy for hybrid work.

      Determine the skill needs of your security strategy.

      2. Identify skill gaps

      Identify skills gaps that hinder the successful execution of the hybrid work security strategy.

      Use the identified skill gaps to define the technical skill requirements for work roles.

      3. Decide whether to build or buy skills

      Conduct a skills assessment on your current workforce to identify employee skill gaps.

      Decide whether to train, hire, contract, or outsource each skill gap.

      Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech

      Secure Organization Modernization

      PRIORITY 02

      • TRENDS SUGGEST MODERNIZATION SUCH AS DIGITAL
        TRANSFORMATION TO THE CLOUD, OPERATIONAL TECHNOLOGY (OT),
        AND THE INTERNET OF THINGS (IOT) IS RISING; ADDRESSING THE RISK
        OF CONVERGING ENVIRONMENTS CAN NO LONGER BE DEFERRED.

      Executive summary

      From computerized milk-handling systems in Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond; system modernization poses unique challenges to cybersecurity.

      The threats can be safety, such as the trains stopped in Denmark during the last weekend of October 2022 for several hours due to an attack on a third-party IT service provider; economics, such as a cream cheese production shutdown that occurred at the peak of cream cheese demand in October 2021 due to hackers compromising a large cheese manufacturer's plants and distribution centers; and reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.

      Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.

      Current situation

      • Pressure of operational excellence: Competitive markets cannot keep pace with demand without modernization. For example, in automated milking systems, the labor time saved from milking can be used to focus on other essential tasks such as the decision-making process.
      • Technology offerings: Technologies are available and affordable such as automated equipment, versatile communication systems, high-performance human machine interaction (HMI), IIoT/Edge integration, and big data analytics.
      • Higher risks of cyberattacks: Modernization enlarges attack surfaces, which are not only cyber but also physical systems. Most incidents indicate that attackers gained access through the IT network, which was followed by infiltration into OT networks.

      IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.

      Source: Statista,
      March 2022

      Modernization brings new opportunities and new threats

      Higher risks of cyberattacks on Industrial Control System (ICS)

      Target: Australian sewage plant.

      Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.

      Target: Middle East energy companies.

      Method: Shamoon.

      Impact: Overwritten Windows-based systems files.

      Target: German Steel Mill

      Method: Spear-phishing

      Impact: Blast furnace control shutdown failure.

      Target: Middle East Safety Instrumented System (SIS).

      Method: TRISIS/TRITON.

      Impact: Modified safety system ladder logic.

      Target: Viasat's KA-SAT Network.

      Method: AcidRain.

      Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat's services.

      A timeline displaying the years 1903; 2000; 2010; 2012; 2013; 2014; 2018; 2019; 2021; 2022 is displayed.

      Target: Marconi wireless telegraphs presentation. Method: Morse code.

      Impact: Fake message sent "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily."

      Target: Iranian uranium enrichment plant.

      Method: Stuxnet.

      Impact: Compromised programmable logic controllers (PLCs).

      Target: ICS supply chain.

      Method: Havex.

      Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers.

      Target: Ukraine power grid.

      Method: BlackEnergy.

      Impact: Manipulation of HMI View causing 1-6 hour power outages for 230,000 consumers.

      Target: Colonial Pipeline.

      Method: DarkSide ransomware.

      Impact: Compromised billing infrastructure halted the pipeline operation.

      Sources:

      • DOE, 2018
      • CSIS, 2022
      • MIT Technology Review, 2022

      Info-Tech Insight

      Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

      Use this template to explain the priorities you need your stakeholders to know about.

      Secure organization modernization

      Provide a brief value statement for the initiative.

      The systems (OT, IT, IIoT) are evolving now – ensure your security plan has you covered.

      Initiative Description:

      • Description must include what organization will undertake to complete the initiative.
      • Identify the drivers to align with your organization's business objectives.
      • Build your case by leveraging a cost-benefit analysis and update your security strategy.
      • Identify people, process, and technology gaps that hinder the modernization security strategy.
      • Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
      • Evaluate and enable modernization technology top focus areas and refine security processes.
      • Decide whether to train, hire, contract, or outsource to fill the security workforce gap.

      Drivers:

      List initiative drivers.

      • Pressure of operational excellence
      • Technology offerings
      • Higher risks of cyberattacks

      Risks:

      List initiative risks and impacts.

      • Complex systems with many components to implement and manage require diligent change management.
      • Organizational and cultural changes cause friction between humans and machines.
      • Increased attack surface of cyber and physical systems.

      Benefits:

      List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

      • Improve service reliability through continuous and real-time operation.
      • Enhance efficiency through operations visibility and transparency.
      • Gain cost savings and efficiency to automate operations of complex and large equipment and instrumentations.

      Related Info-Tech Research:

      Recommended Actions

      1. Identify modernization business cases to secure

      Identify the drivers to align with your organization's business objectives.

      Build your case by leveraging a cost-benefit analysis, and update your security strategy.

      2. Identify gaps

      Identify people, process, and technology gaps that hinder the modernization
      security strategy.

      Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.

      3. Decide whether to build or buy capabilities

      Evaluate and enable modernization technology top focus areas and refine
      security processes.

      Decide whether to train, hire, contract, or outsource to fill the security workforce gap.

      Sources:

      Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech

      Secure IT-OT Convergence, Info-Tech

      Develop a cost-benefit analysis

      Identify a modernization business case for security.

      Benefits

      Metrics

      Operational Efficiency and Cost Savings

      • Reduction in truck rolls and staff time of manual operations of equipment or instrumentation.
      • Cost reduction in energy usage such as substation power voltage level or water treatment chemical level.

      Improve Reliability and Resilience

      • Reduction in field crew time to identify the outage locations by remotely accessing field equipment to narrow down the
        fault areas.
      • Reduction in outage time impacting customers and avoiding financial penalty in service quality metrics.
      • Improve operating reliability through continuous and real-time trend analysis of equipment performance.

      Energy & Capacity Savings

      • Optimize energy usage of operation to reduce overall operating cost and contribution to organizational net-zero targets.

      Customers & Society Benefits

      • Improve customer safety for essential services such as drinkable water consumption.
      • Improve reliability of services and address service equity issues based on data.

      Cost

      Metrics

      Equipment and Infrastructure

      Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on Enterprise DMZ and Operations DMZ.

      Implement communication network equipment and labor to install and configure.

      Upgrade or construct server room including cooling/heating, power backup, and server and rack hardware.

      Software and Commission

      The SCADA/HMI software and maintenance fee as well as lifecycle upgrade implementation project cost.

      Labor cost of field commissioning and troubleshooting.

      Integration with security systems, e.g. log management and continuous monitoring.

      Support and Resources

      Cost to hire/outsource security FTEs for ongoing managing and operating security devices, e.g. SOC.

      Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and its integrations with security systems, e.g. MSSP.

      An example of a cost-benefit analysis for ICS modernization

      Sources:

      Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech

      Lawrence Berkeley National Laboratory, 2021

      IT-OT convergence demands new security approach and solutions

      Identify gaps

      Attack Vectors

      IT

      • User's compromised credentials
      • User's access device, e.g. laptop, smartphone
      • Access method, e.g. denial-of-service to modem, session hijacking, bad data injection

      OT

      • Site operations, e.g. SCADA server, engineering workstation, historian
      • Controls, e.g. SCADA Client, HMI, PLCs, RTUs
      • Process devices, e.g. sensors, actuators, field devices

      Defense Strategies

      • Limit exposure of system information
      • Identify and secure remote access points
      • Restrict tools and scripts
      • Conduct regular security audits
      • Implement a dynamic network environment

      (Control System Defense: Know the Opponent, CISA)

      An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.

      An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.

      Source: ISA-99, 2007

      RESPOND TO REGULATORY CHANGES

      PRIORITY 03

      • GOVERNMENT-ENACTED POLICY CHANGES AND INDUSTRY REGULATORY CHANGES COULD BE A COMPLIANCE BURDEN … OR PREVENT YOUR NEXT SECURITY INCIDENT.

      Executive summary

      Background

      Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).

      Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."

      Current situation

      Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, and encryption and vulnerability disclosure and set tighter cybersecurity obligations for risk management reporting obligations.

      Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.

      High sanctions for violations: For example, Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.

      Approximately 100 cross-border data flow regulations exist in 2022.

      Source: McKinsey, 2022

      Stricter requirements for payments

      Obligation changes to keep up with emerging threats and technologies

      64 New requirements were added
      A total of 64 requirements have been added to version 4.0 of the PCI DSS.

      13 New requirements become effective March 31, 2024
      The other 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.

      11 New requirements only for service providers
      11 of the new requirements are applicable only to entities that provide third-party services to merchants.

      Defined roles must be assigned for requirements.

      Focus on periodically assessing and documenting scope.

      Entities may choose a defined approach or a customized approach to requirements.

      An example of new requirements for PCI DSS v4.0

      Source: Prepare for PCI DSS v4.0, Info-Tech

      Use this template to explain the priorities you need your stakeholders to know about.

      Respond to regulatory changes

      Provide a brief value statement for the initiative.

      The compliance obligations are evolving – ensure your security plan has you covered.

      Initiative Description:

      Description must include what organization will undertake to complete the initiative.

      • Identify relevant security and privacy compliance and conformance levels.
      • Identify gaps for updated obligations, and map obligations into control framework.
      • Review, update, and implement policies and strategy.
      • Develop compliance exception process and forms.
      • Develop test scripts.
      • Track status and exceptions

      Drivers:

      List initiative drivers.

      • Pressure of new regulations
      • Governance, risk & compliance (GRC) tool offerings
      • High administrative or criminal penalties of non-compliance

      Risks:

      List initiative risks and impacts.

      • Complex structures and a great number of compliance requirements
      • Restricted budget and lack of skilled workforce for organizations such as local municipalities and small or medium organizations compared to private counterparts
      • Personal liability for some regulations for non-compliance

      Benefits:

      List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

      • Reduces compliance risk.
      • Reduces complexity within the control environment by using a single framework to align multiple compliance regimes.
      • Reduces costs and efforts related to managing IT audits through planning and preparation.

      Related Info-Tech Research:

      Recommended Actions

      1. Identify compliance obligations

      Identify relevant security and privacy obligations and conformance levels.

      Identify gaps for updated obligations, and map obligations into control framework.

      2. Implement compliance strategy

      Review, update, and implement policies and strategy.

      Develop compliance exception process.

      3. Track and report

      Develop test scripts to check your remediations to ensure they are effective.

      Track and report status and exceptions.

      Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech

      Identify relevant security and privacy compliance obligations

      Identify obligations

      # Security Jurisdiction
      1 Network and Information Security (NIS2) Directive European Union (EU) and organizations outside the EU that are essential within an EU country
      2 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) North American electrical utilities
      3 Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 United States

      #

      Privacy Jurisdiction
      1 General Data Protection Regulation (GDPR) EU and EU citizens
      2 Personal Information Protection and Electronic Documents Act (PIPEDA) Canada
      3 California Consumer Privacy Act (CCPA) California, USA
      4 Personal Information Protection Law of the People’s Republic of China (PIPL) China

      An example of security and privacy compliance obligations

      How much does it cost to become compliant?

      • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations.
      • Many factors influence the cost of compliance, such as the size of organization, the size of network, and current security readiness.
      • To manage compliance obligations, it is important to use a platform that not only performs internal and external monitoring but also provides third-party vendors (if applicable) with visibility into potential threats in their organization.

      Adopt Next-Generation Cybersecurity Technologies

      PRIORITY 04

      • GOVERNMENTS AND HACKERS ARE RECOGNIZING THE IMPORTANCE OF EMERGING TECHNOLOGIES, SUCH AS ZERO TRUST ARCHITECTURE AND AI-BASED CYBERSECURITY. SO SHOULD YOUR ORGANIZATION.

      Executive summary

      Background

      The cat and mouse game between threat actors and defenders is continuing. The looming question "can defenders do better?" has been answered with rapid development of technology. This includes the automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only on IT but also on other relevant environments, e.g. IoT, IIoT, and OT based on AI/ML.

      More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
      ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.

      Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainable, transparent, and trustworthy. Furthermore, regulation often faces challenges to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.

      Current situation

      ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.

      Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on factorization. However, algorithms such as Shor's show quantum speedup for factorization, which can break current crypto when sufficient quantum computing devices are available. Thus, threat actors can intercept current encrypted information and store it to decrypt in the future.

      AI-based threat management: AI helps in analyzing and correlating data extremely fast compared to humans. Millions of telemetries, malware samples, raw events, and vulnerability data feed into the AI system, which humans cannot process manually. Furthermore, AI does not get tired in processing this big data, thus avoiding human error and negligence.

      Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million

      Source: IBM, 2022

      Traditional security is not working

      Alert Fatigue

      Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.

      Lack of Insight

      To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.

      Lack of Visibility

      System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. Also, the convergence of OT, IoT, and IT enhances this challenge.

      Source: IBM Security Intelligence, 2020

      A business case for AI-based cybersecurity

      Threat management

      Prevention

      Risk scores are generated by machine learning based on variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning. Asset management leverages visibility using machine learning. Comply with regulations by improving discovery, classification, and protection of data using machine learning. Data security and data privacy services use machine learning for data discovery.

      Detection

      AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.

      Response

      AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.

      Recovery

      AI continuously tunes based on lessons learned, such as creating security policies for improving future accuracy. AI also does not get fatigue, and it assists humans in a faster recovery.

      Prevention; Detection; Response; Recovery

      AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.

      Use this template to explain the priorities you need your stakeholders to know about.

      Adopt next-gen cybersecurity technologies

      Use this template to explain the priorities you need your stakeholders to know about.

      Develop a practical roadmap that shows the business value of next-gen cybersecurity technologies investment.

      Initiative Description:

      Description must include what organization will undertake to complete the initiative.

      • Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
      • Adopt well-established data governance practices for cross-functional teams.
      • Conduct a maturity assessment of key processes and highlight interdependencies.
      • Develop a baseline and periodically review risks, policies and procedures, and business plan.
      • Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
      • Monitor metrics on effectiveness and efficiency.

      Drivers:

      List initiative drivers.

      • Pressure of attacks by sophisticated threat actors
      • Next-gen cybersecurity technologies tool offerings
      • High cost of traditional security, e.g. longer breach lifecycle

      Risks:

      List initiative risks and impacts.

      • Lack of transparency of the model or bias, leading to non-compliance with policies/regulations
      • Risks related with data quality and inadequate data for model training
      • Adversarial attacks, including, but not limited to, adversarial input and model extraction

      Benefits:

      List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

      • Reduces the number of alerts, thus reduces alert fatigue.
      • Increases the identification of unknown threats.
      • Leads to faster detection and response.
      • Closes skills gap and increases productivity.

      Related Info-Tech Research:

      Recommended Actions

      1. People

      Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.

      Adopt well-established data governance practices for cross-functional teams.

      2. Process

      Conduct a maturity assessment of key processes and highlight interdependencies.

      Develop a baseline and periodically review risks, policies and procedures, and business plan.

      3. Technology

      Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.

      Monitor metrics on effectiveness and efficiency.

      Source: Leverage AI in Threat Management (keynote presentation), Info-Tech

      Secure Services and Applications

      PRIORITY 05

      • APIS ARE STILL THE #1 THREAT TO APPLICATION SECURITY.

      Executive summary

      Background

      Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya where attackers compromised a Virtual System Administrator tool used by managed service providers to attack around 1,500 organizations.

      DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.

      DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).

      Current situation

      Secure Software Supply Chain: Logging is a fundamental feature of most software, and recently the use of software components, especially open source, are based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and data flows between systems and to apply the least privilege principle.

      DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided, if tests were reliably performed and passed prior to release.

      OT insecure-by-design: In OT, insecurity-by-design is still a norm, which causes many vulnerabilities such as insecure protocols implementation, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of Software Bill of Materials (SBOM), and product supply chains issues such as vulnerable products that are certified because of the scoping limitation and emphasis on functional testing.

      Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 shows: software bug (12%) and faulty software changes/update (9%).

      Source: CIRAS Incident reporting, ENISA (N=1,239)

      Software development keeps evolving

      DOD Maturation of Software Development Best Practices

      Best Practices 30 Years Ago 15 Years Ago Present Day
      Lifecycle Years or Months Months or Weeks Weeks or Days
      Development Process Waterfall Agile DevSecOps
      Architecture Monolithic N-Tier Microservices
      Deployment & Packaging Physical Virtual Container
      Hosting Infrastructure Server Data Center Cloud
      Cybersecurity Posture Firewall + SIEM + Zero Trust

      Best practices in software development are evolving as shown on the diagram to the left. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."

      These changes also impact security such as the software architecture, which is no longer "Monolithic" but "Microservices" normally built within the supply chain.

      The software supply chain has known integrity attacks that can happen on each part of it. Starting from bad code submitted by a developer, to compromised source control platform (e.g. PHP git server compromised), to compromised build platform (e.g. malicious behavior injected on SolarWinds build), to a compromised package repository where users are deceived into using the bad package by the similarity between the malicious and the original package name.

      Therefore, we must secure each part of the link to avoid attacks on the weakest link.

      Software supply chain guidance

      Secure each part of the link to avoid attacks on the weakest link.

      Guide for Developers

      Guide for Suppliers

      Guide for Customers

      Secure product criteria and management, develop secure code, verify third-party components, harden build environment, and deliver code.

      Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities.

      Secure procurement and acquisition, secure deployment, and secure software operations.

      Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022

      "Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."

      Source: NIST – NCCoE, 2022

      Use this template to explain the priorities you need your stakeholders to know about.

      Secure services and applications

      Provide a brief value statement for the initiative.

      Adopt recommended practices for securing the software supply chain.

      Initiative Description:

      Description must include what organization will undertake to complete the initiative.

      • Define and keep security requirements and risk assessments up to date.
      • Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene.
      • Verify distribution infrastructure, product and individual components integrity, and SBOM.
      • Use multi-layered defenses, e.g. ZT for integration and control configuration.
      • Train users on how to detect and report anomalies and when to apply updates to a system.
      • Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.

      Drivers:

      List initiative drivers.

      • Cyberattacks exploit the vulnerabilities of weak software supply chain
      • Increased need to enhance software supply chain security, e.g. under the White House Executive Order (EO) 14028
      • OT insecure-by-design hinders OT modernization

      Risks:

      List initiative risks and impacts.

      Only a few developers and suppliers explicitly address software security in detail.

      Time pressure to deliver functionality over security.

      Lack of security awareness and lack of trained workforce.

      Benefits:

      List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

      Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.

      Developers and suppliers provide software security with minimal vulnerabilities in its releases.

      Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.

      Related Info-Tech Research:

      Recommended Actions

      1. Procurement and Acquisition

      Define and keep security requirements and risk assessments up to date.

      Perform analysis on current market and supplier solutions and acquire security evaluation.

      Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene

      2. Deployment

      Verify distribution infrastructure, product and individual components integrity, and SBOM.

      Save and store the tests and test environment and review and verify the
      self-attestation mechanism.

      Use multi-layered defenses, e.g. ZT for integration and control configuration.

      3. Software Operations

      Train users on how to detect and report anomalies and when to apply updates to a system.

      Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.

      Apply supply chain risk management (SCRM) operations.

      Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022

      Bibliography

      Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
      Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
      Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed
      31 Oct. 2022.
      "China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
      Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
      Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
      "Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
      "Cost of a Data Breach Report 2022." IBM, 2022.
      "Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
      "Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
      Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session On
      "The Future of Work," 1 April 2022.
      "Digital Services Act: EU's landmark rules for online platforms enter into force."
      EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
      "DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
      Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 09 Dec. 2021. Accessed 27 Oct. 2022.
      Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
      "Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware,
      28 July 2022. Accessed 18 Nov. 2022.
      "Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
      "Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
      Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
      Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
      Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot,
      5 Aug. 2022. Accessed 16 Nov. 2022.
      "Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
      "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google,
      16 June 2021. Accessed 25 Nov. 2022.
      Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
      "Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
      Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
      Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
      "National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
      Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed
      17 Nov. 2022.
      O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
      "OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
      Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
      Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
      "Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
      Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022. Web.
      "Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
      "Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
      "Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
      "Security Guidelines for the Electricity Sector: Control System Electronic Connectivity."
      North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
      Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer,
      26 Oct. 2022. Accessed 15 Nov. 2022.
      "Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed
      1 Sep. 2022.
      Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed
      22 Nov. 2022.
      "Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed
      31 Oct. 2022.
      "The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
      What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
      Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
      Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online,
      14 July 2022. Accessed 27 Oct. 2022

      Research Contributors and Experts

      Andrew Reese
      Cybersecurity Practice Lead
      Zones

      Ashok Rutthan
      Chief Information Security Officer (CISO)
      Massmart

      Chris Weedall
      Chief Information Security Officer (CISO)
      Cheshire East Council

      Jeff Kramer
      EVP Digital Transformation and Cybersecurity
      Aprio

      Kris Arthur
      Chief Information Security Officer (CISO)
      SEKO Logistics

      Mike Toland
      Chief Information Security Officer (CISO)
      Mutual Benefit Group

      IT Operations Consulting

      Operations... make sure that the services and products you offer your clients are delivered in the most efficient way possible. IT Operations makes sure that the applications and infrastructure that your delivery depends on is solid.

      Gert Taeymans has over 20 years experience in directing the implementation and management of mission-critical services for businesses in high-volume international markets. Strong track record in risk management, crisis management including disaster recovery, service delivery and change & config management.

      Continue reading

      Integrate Threat Intelligence Into Your Security Operations

      • Buy Link or Shortcode: {j2store}320|cart{/j2store}
      • member rating overall impact (scale of 10): 9.0/10 Overall Impact
      • member rating average dollars saved: 2 Average Days Saved
      • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
      • Parent Category Name: Threat Intelligence & Incident Response
      • Parent Category Link: /threat-intelligence-incident-response
      • Organizations have limited visibility into their threat landscape, and as such are vulnerable to the latest attacks, hindering business practices, workflow, revenue generation, and damaging their public image.
      • Organizations are developing ad hoc intelligence capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
      • It is difficult to communicate the value of a threat intelligence solution when trying to secure organizational buy-in and the appropriate resourcing.
      • There is a vast array of “intelligence” in varying formats, often resulting in information overload.

      Our Advice

      Critical Insight

      1. Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives.
      2. Your security controls are diminishing in value (if they haven’t already). As technology in the industry evolves, threat actors will inevitably adopt new tools, tactics, and procedures; a threat intelligence program can provide relevant situational awareness to stay on top of the rapidly-evolving threat landscape.
      3. Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product/service offerings. Threat intelligence provides visibility into the latest threats, which can help you avoid becoming a backdoor in the next big data breach.

      Impact and Result

      • Assess the needs and intelligence requirements of key stakeholders.
      • Garner organizational buy-in from senior management.
      • Identify organizational intelligence gaps and structure your efforts accordingly.
      • Understand the different collection solutions to identify which best supports your needs.
      • Optimize the analysis process by leveraging automation and industry best practices.
      • Establish a comprehensive threat knowledge portal.
      • Define critical threat escalation protocol.
      • Produce and share actionable intelligence with your constituency.
      • Create a deployment strategy to roll out the threat intelligence program.
      • Integrate threat intelligence within your security operations.

      Integrate Threat Intelligence Into Your Security Operations Research & Tools

      Start here – read the Executive Brief

      Read our concise Executive Brief to find out why you should implement a threat intelligence program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Plan for a threat intelligence program

      Assess current capabilities and define an ideal target state.

      • Integrate Threat Intelligence Into Your Security Operations – Phase 1: Plan for a Threat Intelligence Program
      • Security Pressure Posture Analysis Tool
      • Threat Intelligence Maturity Assessment Tool
      • Threat Intelligence Project Charter Template
      • Threat Intelligence RACI Tool
      • Threat Intelligence Management Plan Template
      • Threat Intelligence Policy Template

      2. Design an intelligence collection strategy

      Understand the different collection solutions to identify which best supports needs.

      • Integrate Threat Intelligence Into Your Security Operations – Phase 2: Design an Intelligence Collection Strategy
      • Threat Intelligence Prioritization Tool
      • Threat Intelligence RFP MSSP Template

      3. Optimize the intelligence analysis process

      Begin analyzing and acting on gathered intelligence.

      • Integrate Threat Intelligence Into Your Security Operations – Phase 3: Optimize the Intelligence Analysis Process
      • Threat Intelligence Malware Runbook Template

      4. Design a collaboration and feedback program

      Stand up an intelligence dissemination program.

      • Integrate Threat Intelligence Into Your Security Operations – Phase 4: Design a Collaboration and Feedback Program
      • Threat Intelligence Alert Template
      • Threat Intelligence Alert and Briefing Cadence Schedule Template
      [infographic]

      IT Diversity & Inclusion Tactics

      • Buy Link or Shortcode: {j2store}517|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Engage
      • Parent Category Link: /engage
      • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
      • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

      Our Advice

      Critical Insight

      Realize the benefits of a diverse workforce by embedding inclusion into work practices, behaviors, and values, ensuring accountability throughout the department.

      Impact and Result

      Understand what it means to be inclusive: reassess work practices and learn how to apply leadership behaviors to create an inclusive environment

      IT Diversity & Inclusion Tactics Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Mobilize inclusion efforts

      Learn, evaluate, and understand what it means to be inclusive, examine biases, and apply inclusive leadership behaviors.

      • Diversity & Inclusion Initiatives Catalog
      • Inclusive IT Work Practices Examples
      • Inclusive Work Practices Template
      • Equip Managers to Adopt Inclusive Leadership Behaviors
      • Workbook: Equip Managers to Adopt Inclusive Leadership Behaviors
      • Standard Focus Group Guide
      [infographic]

      Time Study

      • Buy Link or Shortcode: {j2store}260|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Governance, Risk & Compliance
      • Parent Category Link: /governance-risk-compliance
      • In ESG’s 2018 report “The Life of Cybersecurity Professionals,” 36% of participants expressed the overwhelming workload was a stressful aspect of their job.
      • Organizations expect a lot from their security specialists. From monitoring the threat environment, protecting business assets, and learning new tools, to keeping up with IT initiatives, cybersecurity teams struggle to balance their responsibilities with the constant emergencies and disruptions that take them away from their primary tasks.
      • Businesses fail to recognize the challenges associated with task prioritization and the time management practices of a security professional.

      Our Advice

      Critical Insight

      • The majority of scheduled calendar meetings include employees and peers.
        • Our research indicates cybersecurity professionals spent the majority of their meetings with employees (28%) and peers (24%). Other stakeholders involved in meetings included by myself (15%), boss (13%), customers (10%), vendors (8%), and board of directors (2%).
      • Calendar meetings are focused on project work, management, and operations.
        • When asked to categorize calendar meetings, the focus was on project work (26%), management (23%), and operations (22%). Other scheduled meetings included ones focused on strategy (15%), innovation (9%), and personal time (5%).
      • Time management scores were influenced by the percentage of time spent with employees and peers.
        • When participants were divided into good and poor time managers, we found good time managers spent less time with their peers and more time with their employees. This may be due to the nature of employee meetings being more directly tied to the project outputs of the manager than their peer meetings. Managers who spend more time in meetings with their employees feel a sense of accomplishment, and hence rate themselves higher in time management.

      Impact and Result

      • Understand how cybersecurity professionals allocate their time.
      • Gain insight on whether perceived time management skills are associated with calendar maintenance factors.
      • Identify common time management pain points among cybersecurity professionals.
      • Identify current strategies cybersecurity professionals use to manage their time.

      Time Study Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Read our Time Study

      Read our Time Study to understand how cybersecurity professionals allocate their time, what pain points they endure, and tactics that can be leveraged to better manage time.

      • Time Study Storyboard
      [infographic]

      Quality Management

      • Buy Link or Shortcode: {j2store}45|cart{/j2store}
      • Related Products: {j2store}45|crosssells{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: Service Planning and Architecture
      • Parent Category Link: /service-planning-and-architecture
      Drive efficiency and agility with right-sized quality management

      Build a Data Classification MVP for M365

      • Buy Link or Shortcode: {j2store}67|cart{/j2store}
      • member rating overall impact (scale of 10): N/A
      • member rating average dollars saved: N/A
      • member rating average days saved: N/A
      • Parent Category Name: End-User Computing Applications
      • Parent Category Link: /end-user-computing-applications
      • Resources are the primary obstacle to getting a foot hold in O365 governance, whether it is funding or FTE resources.
      • Data is segmented and is difficult to analyze when you can’t see it or manage the relationships between sources.
      • Organizations expect results early and quickly and a common obstacle is that building a proper data classification framework can take more than two years and the business can't wait that long.

      Our Advice

      Critical Insight

      • Data classification is the lynchpin to ANY effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model.
      • Start your journey by identifying what and where your data is and how much data you have. You need to understand what sensitive data you have and where it is stored before you can protect it or govern that data.
      • Ensure there is a high-level leader who is the champion of the governance objective.

      Impact and Result

      • Using least complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

      Build a Data Classification MVP for M365 Research & Tools

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      1. Build a Data Classification MVP for M365 Deck – A guide for how to build a minimum-viable product for data classification that end users will actually use.

      Discover where your data resides, what governance helps you do, and what types of data you're classifying. Then build your data and security protection baselines for your retention policy, sensitivity labels, workload containers, and both forced and unforced policies.

      • Build a Data Classification MVP for M365 Storyboard
      [infographic]

      Further reading

      Build a Data Classification MVP for M365

      Kickstart your governance with data classification users will actually use!

      Executive Summary

      Info-Tech Insight

      • Creating an MVP gets you started in data governance
        Information protection and governance are not something you do once and then you are done. It is a constant process where you start with the basics (a minimum-viable product or MVP) and enhance your schema over time. The objective of the MVP is reducing obstacles to establishing an initial governance position, and then enabling rapid development of the solution to address a variety of real risks, including data loss prevention (DLP), data retention, legal holds, and data labeling.
      • Define your information and protection strategy
        The initial strategy is to start looking across your organization and identifying your customer data, regulatory data, and sensitive information. To have a successful data protection strategy you will include lifecycle management, risk management, data protection policies, and DLP. All key stakeholders need to be kept in the loop. Ensure you keep track of all available data and conduct a risk analysis early. Remember, data is your highest valued intangible asset.
      • Planning and resourcing are central to getting started on MVP
        A governance plan and governance decisions are your initial focus. Create a team of stakeholders that include IT and business leaders (including Legal, Finance, HR, and Risk), and ensure there is a top-level leader who is the champion of the governance objective, which is to ensure your data is safe, secure, and not prone to leakage or theft, and maintain confidentiality where it is warranted.

      Executive Summary

      Your Challenge
      • Today, the amount of data companies are gathering is growing at an explosive rate. New tools are enabling unforeseen channels and ways of collaborating.
      • Combined with increased regulatory oversight and reporting obligations, this makes the discovery and management of data a massive undertaking. IT can’t find and protect the data when the business has difficulty defining its data.
      • The challenge is to build a framework that can easily categorize and classify data yet allows for sufficient regulatory compliance and granularity to be useful. Also, to do it now because tomorrow is too late.
      Common Obstacles

      Data governance has several obstacles that impact a successful launch, especially if governing M365 is not a planned strategy. Below are some of the more common obstacles:

      • Resources are the primary obstacle to starting O365 governance, whether it is funding or people.
      • Data is segmented and is difficult to analyze when you can’t see it or manage the relationships between sources.
      • Organizations expect results early and quickly and a common obstacle is that building a "proper data classification framework” is a 2+ year project and the business can't wait that long.
      Info-Tech’s Approach
      • Start with the basics: build a minimum-viable product (MVP) to get started on the path to sustainable governance.
      • Identify what and where your data resides, how much data you have, and understand what sensitive data needs to be protected.
      • Create your team of stakeholders, including Legal, records managers, and privacy officers. Remember, they own the data and should manage it.
      • Categorization comes before classification, and discovery comes before categorization. Use easy-to-understand terms like high, medium, or low risk.

      Info-Tech Insight

      Data classification is the lynchpin to any effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data do you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.

      Questions you need to ask

      Four key questions to kick off your MVP.

      1

      Know Your Data

      Do you know where your critical and sensitive data resides and what is being done with it?

      Trying to understand where your information is can be a significant project.

      2

      Protect Your Data

      Do you have control of your data as it traverses across the organization and externally to partners?

      You want to protect information wherever it goes through encryption, etc.

      3

      Prevent Data Loss

      Are you able to detect unsafe activities that prevent sharing of sensitive information?

      Data loss prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data.

      4

      Govern Your Data

      Are you using multiple solutions (or any) to classify, label, and protect sensitive data?

      Many organizations use more than one solution to protect and govern their data, making it difficult to determine if there are any coverage gaps.

      Classification tiers

      Build your schema.

      Pyramid visualization for classification tiers. The top represents 'Simplicity', and the bottom 'Complexity' with the length of the sides at each level representing the '# of policies' and '# of labels'. At the top level is 'MVP (Minimum-Viable Product) - Confidential, Internal (Subcategory: Personal), Public'. At the middle level is 'Regulated - Highly Confidential, Confidential, Sensitive, General, Internal, Restricted, Personal, Sub-Private, Public'. And a the bottom level is 'Government (DOD) - Top Secret (TS), Secret, Confidential, Restricted, Official, Unclassified, Clearance'

      Info-Tech Insight

      Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.

      Microsoft MIP Topology

      Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.

      A diagram of multiple offerings all connected to 'MIP Data Classification Service'. Circled is 'Sensitivity Labels' with an arrow pointing back to 'MIP' at the center.
      (Source: Microsoft, “Microsoft Purview compliance portal”)

      Info-Tech Insight

      Using least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

      MVP RACI Chart

      Data governance is a "takes a whole village" kind of effort.

      Clarify who is expected to do what with a RACI chart.

      End User M365 Administrator Security/ Compliance Data Owner
      Define classification divisions R A
      Appy classification label to data – at point of creation A R
      Apply classification label to data – legacy items R A
      Map classification divisions to relevant policies R A
      Define governance objectives R A
      Backup R A
      Retention R A
      Establish minimum baseline A R

      What and where your data resides

      Data types that require classification.

      Logos for 'Microsoft', 'Office 365', and icons for each program included in that package.
      M365 Workload Containers
      Icon for MS Exchange. Icon for MS SharePoint.Icon for MS Teams. Icon for MS OneDrive. Icon for MS Project Online.
      Email
      • Attachments
      Site Collections, Sites Sites Project Databases
      Contacts Teams and Group Site Collections, Sites Libraries and Lists Sites
      Metadata Libraries and Lists Documents
      • Versions
      Libraries and Lists
      Teams Conversations Documents
      • Versions
      Metadata Documents
      • Versions
      Teams Chats Metadata Permissions
      • Internal Sharing
      • External Sharing
      Metadata
      Permissions
      • Internal Sharing
      • External Sharing
      Files Shared via Teams Chats Permissions
      • Internal Sharing
      • External Sharing

      Info-Tech Insight

      Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.

      Discover and classify on- premises files using AIP

      AIP helps you manage sensitive data prior to migrating to Office 365:
      • Use discover mode to identify and report on files containing sensitive data.
      • Use enforce mode to automatically classify, label, and protect files with sensitive data.
      Can be configured to scan:
      • SMB files
      • SharePoint Server 2016, 2013
      Stock image of a laptop uploading to the cloud with a padlock and key in front of it.
      • Map your network and find over-exposed file shares.
      • Protect files using MIP encryption.
      • Inspect the content in file repositories and discover sensitive information.
      • Classify and label file per MIP policy.
      Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.

      Info-Tech Insight

      Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.

      Understanding governance

      Microsoft Information Governance

      Information Governance
      • Retention policies for workloads
      • Inactive and archive mailboxes

      Arrow pointing down-right

      Records Management
      • Retention labels for items
      • Disposition review

      Arrow pointing down-left

      Retention and Deletion

      ‹——— Connectors for Third-Party Data ———›

      Information governance manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you do not. Backup should not be used as a retention methodology since information governance is managed as a “living entity” and backup is a stored information block that is “suspended in time.” Records management uses intelligent classification to automate and simplify the retention schedule for regulatory, legal, and business-critical records in your organization. It is for that discrete set of content that needs to be immutable.
      (Source: Microsoft, “Microsoft Purview compliance portal”)

      Retention and backup policy decision

      Retention is not backup.

      Info-Tech Insight

      Retention is not backup. Retention means something different: “the content must be available for discovery and legal document production while being able to defend its provenance, chain of custody, and its deletion or destruction” (AvePoint Blog, 2021).

      Microsoft Responsibility (Microsoft Protection) Weeks to Months Customer Responsibility (DLP, Backup, Retention Policy) Months to Years
      Loss of service due to natural disaster or data center outage Loss of data due to departing employees or deactivated accounts
      Loss of service due to hardware or infrastructure failure Loss of data due to malicious insiders or hackers deleting content
      Short-term (30 days) user error with recycle bin/ version history (including OneDrive “File Restore”) Loss of data due to malware or ransomware
      Short-term (14 days) administrative error with soft- delete for groups, mailboxes, or service-led rollback Recovery from prolonged outages
      Long-term accidental deletion coverage with selective rollback

      Understand retention policy

      What are retention policies used for? Why you need them as part of your MVP?

      Do not confuse retention labels and policies with backup.

      Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).

      E-discovery tool retention policies are not turned on automatically.

      Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.

      “Data retention policy tools enable a business to:

      • “Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
      • “Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
      • “Apply a single policy to the entire organization or specific locations or users.
      • “Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users. […] ‘Retention Policies’ are different than ‘Retention Label Policies’ – they do the same thing – but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label.

      “It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)

      Definitions

      Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

      Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.

      Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.

      Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.

      Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.

      Data examples for MVP classification

      • Examples of the type of data you consider to be Confidential, Internal, or Public.
      • This will help you determine what to classify and where it is.
      Internal Personal, Employment, and Job Performance Data
      • Social Security Number
      • Date of birth
      • Marital status
      • Job application data
      • Mailing address
      • Resume
      • Background checks
      • Interview notes
      • Employment contract
      • Pay rate
      • Bonuses
      • Benefits
      • Performance reviews
      • Disciplinary notes or warnings
      Confidential Information
      • Business and marketing plans
      • Company initiatives
      • Customer information and lists
      • Information relating to intellectual property
      • Invention or patent
      • Research data
      • Passwords and IT-related information
      • Information received from third parties
      • Company financial account information
      • Social Security Number
      • Payroll and personnel records
      • Health information
      • Self-restricted personal data
      • Credit card information
      Internal Data
      • Sales data
      • Website data
      • Customer information
      • Job application data
      • Financial data
      • Marketing data
      • Resource data
      Public Data
      • Press releases
      • Job descriptions
      • Marketing material intended for general public
      • Research publications

      New container sensitivity labels (MIP)

      New container sensitivity labels

      Public Private
      Privacy
      1. Membership to group is open; anyone can join
      2. “Everyone except external guest” ACL onsite; content available in search to all tenants
      1. Only owner can add members
      2. No access beyond the group membership until someone shares it or changes permissions
      Allowed Not Allowed
      External guest policy
      1. Membership to group is open; anyone can join
      2. “Everyone except external guest” ACL onsite; content available in search to all tenants
      1. Only owner can add members
      2. No access beyond the group membership until someone shares it or changes permissions

      What users will see when they create or label a Team/Group/Site

      Table of what users will see when they create or label a team/group/site highlighting 'External guest policy' and 'Privacy policy options' as referenced above.
      (Source: Microsoft, “Microsoft Purview compliance portal”)

      Info-Tech Insights

      Why you need sensitivity container labels:
      • Manage privacy of Teams Sites and M365 Groups
      • Manage external user access to SPO sites and teams
      • Manage external sharing from SPO sites
      • Manage access from unmanaged devices

      Data protection and security baselines

      Data Protection Baseline

      “Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline" (Microsoft Docs, June 2022). This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).

      Security Baseline

      The final stage in M365 governance is security. You need to implement a governance policy that clearly defines storage locations for certain types of data and who has permission to access it. You need to record and track who accesses content and how they share it externally. “Part of your process should involve monitoring unusual external sharing to ensure staff only share documents that they are allowed to” (Rencore, 2021).

      Info-Tech Insights

      • Controls are already in place to set data protection policy. This assists in the MVP activities.
      • Finally, you need to set your security baseline to ensure proper permissions are in place.

      Prerequisite baseline

      Icon of crosshairs.
      Security

      MFA or SSO to access from anywhere, any device

      Banned password list

      BYOD sync with corporate network

      Icon of a group.
      Users

      Sign out inactive users automatically

      Enable guest users

      External sharing

      Block client forwarding rules

      Icon of a database.
      Resources

      Account lockout threshold

      OneDrive

      SharePoint

      Icon of gears.
      Controls

      Sensitivity labels, retention labels and policies, DLP

      Mobile application management policy

      Building baselines

      Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

      Microsoft 365 Collaboration Protection Profiles

      Sensitivity Public External Collaboration Internal Highly Confidential
      Description Data that is specifically prepared for public consumption Not approved for public consumption, but OK for external collaboration External collaboration highly discouraged and must be justified Data of the highest sensitivity: avoid oversharing, internal collaboration only
      Label details
      • No content marking
      • No encryption
      • Public site
      • External collaboration allowed
      • Unmanaged devices: allow full access
      • No content marking
      • No encryption
      • Private site
      • External collaboration allowed
      • Unmanaged devices: allow full access
      • Content marking
      • Encryption
      • Private site
      • External collaboration allowed but monitored
      • Unmanaged devices: limited web access
      • Content marking
      • Encryption
      • Private site
      • External collaboration disabled
      • Unmanaged devices: block access
      Teams or Site details Public Team or Site open discovery, guests are allowed Private Team or Site members are invited, guests are allowed Private Team or Site members are invited, guests are not allowed
      DLP None Warn Block

      Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)

      Info-Tech Insights

      • Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly.
      • Sensitivity labels are a way to classify your organization's data in a way that specifies how sensitive the data is. This helps you decrease risks in sharing information that shouldn't be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.

      MVP activities

      PRIMARY
      ACTIVITIES
      Define Your Governance
      The objective of the MVP is reducing barriers to establishing an initial governance position, and then enabling rapid progression of the solution to address a variety of tangible risks, including DLP, data retention, legal holds, and labeling.
      Decide on your classification labels early.

      CATEGORIZATION





      CLASSIFICATION

      MVP
      Data Discovery and Management
      AIP (Azure Information Protection) scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data.
      Baseline Setup
      Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly. Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline.
      Default M365 settings
      Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline. This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance.
      SUPPORT
      ACTIVITIES
      Retention Policy
      Retention policy is auto-applied. Decide whether to retain content, delete content, or retain and then delete the content.
      Sensitivity Labels
      Automatically enforce policies on groups through labels; classify groups.
      Workload Containers
      M365: SharePoint, Teams, OneDrive, and Exchange, where your data is stored for labels and policies.
      Unforced Policies
      Written policies that are not enforceable by controls in Compliance Manager such as acceptable use policy.
      Forced Policies
      Restrict sharing controls to outside organizations. Enforce prefix or suffix to group or team names.

      ACME Company MVP for M/O365

      PRIMARY
      ACTIVITIES
      Define Your Governance


      Focus on ability to use legal hold and GDPR compliance.

      CATEGORIZATION





      CLASSIFICATION

      MVP
      Data Discovery and Management


      Three classification levels (public, internal, confidential), which are applied by the user when data is created. Same three levels are used for AIP to scan legacy sources.

      Baseline Setup


      All data must at least be classified before it is uploaded to an M/O365 cloud service.

      Default M365 settings


      Turn on templates 1 8 the letter q and the number z

      SUPPORT
      ACTIVITIES
      Retention Policy


      Retention policy is auto-applied. Decide whether to retain content, delete content, or retain and then delete the content.

      Sensitivity Labels


      Automatically enforce policies on groups through labels; classify groups.

      Workload Containers


      M365: SharePoint, Teams, OneDrive, and Exchange, where your data is stored for labels and policies.

      Unforced Policies


      Written policies that are not enforceable by controls in Compliance Manager such as acceptable use policy.

      Forced Policies


      Restrict sharing controls to outside organizations. Enforce prefix or suffix to group or team names.

      Related Blueprints

      Govern Office 365

      Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

      Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

      Migrate to Office 365 Now

      Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.

      Microsoft Teams Cookbook

      Remote work calls for leveraging your Office 365 license to use Microsoft Teams – but IT is unsure about best practices for governance and permissions. Moreover, IT has few resources to help train end users with Teams best practices

      IT Governance, Risk & Compliance

      Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.

      Bibliography

      “Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.

      “Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.

      “Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.

      Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.

      “Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.

      “Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.

      Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity. 25 October 2021. Accessed 5 April 2022.

      “Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.

      M., Peter. "Guide: The difference between Microsoft Backup and Retention." AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.

      Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.

      “Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.

      “Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.

      “Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.

      “Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.

      “Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.

      Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.

      Business Intelligence and Reporting

      • Buy Link or Shortcode: {j2store}6|cart{/j2store}
      • Related Products: {j2store}6|crosssells{/j2store}
      • member rating overall impact (scale of 10): 8.9/10
      • member rating average dollars saved: $45,792
      • member rating average days saved: 29
      • Parent Category Name: Data and Business Intelligence
      • Parent Category Link: /improve-your-core-processes/data-and-business-intelligence

      The challenge

      • Your business partners need an environment that facilitates flexible data delivery.
      • Your data and BI strategy must continuously adapt to new business realities and data sources to stay relevant.
      • The pressure to go directly to the solution design is high.  

      Our advice

      Insight

      • A BI initiative is not static. It must be treated as a living platform to adhere to changing business goals and objectives. Only then will it support effective decision-making.
      • Hear the voice of the business; that is the "B" in BI.
      • Boys and their toys... The solution to better intelligence often lies not in the tool but the BI practices.
      • Build a roadmap that starts with quick-wins to establish base support for your initiative.

      Impact and results 

      • Use the business goals and objectives to drive your BI initiatives.
      • Focus first on what you already have in your company's business intelligence landscape before investing in a new tool that will only complicate things.
      • Understand the core of what your users need by leveraging different approaches to pinpointing BI capabilities.
      • Create a roadmap that details the iterative deliveries of your business intelligence initiative. Show both the short and long term.

      The roadmap

      Besides the small introduction, subscribers and consulting clients within this management domain have access to:

      Get started

      Our concise executive brief shows why you should create or refresh your business intelligence (BI) strategy. We'll show you our methodology and the ways we can help you in handling this.

      Upon ordering you receive the complete guide with all files zipped.

      Understand your business context and BI landscape

      Understand critical business information and analyze your current business intelligence landscape.

      • Build a Next-Generation BI with a Game-Changing BI Strategy – Phase 1: Understand the Business Context and BI Landscape (ppt)
      • BI Strategy and Roadmap Template (doc)
      • BI End-User Satisfaction Survey Framework (ppt)

      Evaluate your current business intelligence practices

      Assess your current maturity level and define the future state.

      • Build a Next-Generation BI with a Game-Changing BI Strategy – Phase 2: Evaluate the Current BI Practice (ppt)
      • BI Practice Assessment Tool – Example 1 (xls)
      • BI Practice Assessment Tool – Example 2 (xls)

      Create your BI roadmap

      Create business intelligence focused initiatives for continuous improvement.

      • Build a Next-Generation BI with a Game-Changing BI Strategy – Phase 3: Create a BI Roadmap for Continuous Improvement (ppt)
      • BI Initiatives and Roadmap Tool (xls)
      • BI Strategy and Roadmap Executive Presentation Template (ppt)